Potential Virus/Malware...can't find info on it anywhere

I’m getting Network Shield alarms about every 4 minutes when my Internet Explorer window is open, with the following message:

30.12.2008 21:35:55 Network Shield: blocked access to malicious site 78.110.175.21/cp/x/?u=0A1&i=0+260000493041722f03218a562928f5a693b2e5MILLAR-1++++++++Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%205.1;%20en-US;%20rv:1.8.0.7)%20Gecko/20060909%20Firefox/1.5.0.7 [ C:\Program Files\Internet Explorer\iexplore.exe ]

Same thing over and over again. I’ve seen some posts talking about 78.110.175.21 and it not being a nice place, but I’m not sure where this is coming from.

Anti-virus isn’t detecting anything and I’ve installed Ad-Aware and Spybot Search & Destroy and they don’t see anything either.

Two other points that may help shed some info too…

First, when I do a Google search, the first page of results has bogus URLs inserted in them…typically www.monstermarketplace.com or www.justclickdeals.com, freescan.antivirus.com, etc, etc…the title of the page and the two-line description are accurate, but the URL that I’m sent to has nothing to do with the search result…this doesn’t seem to occur when I do searches with yahoo.com or other non-Google engines.

Lastly, I was doing some searches trying to figure out why this was happening and there was a post about a pop-up that would occur that looked like a normal flash-update message, but really wasn’t…I can’t find that page specifically to post the URL (unfortunately).

Any ideas/help would be appreciated.

Thanks

I suggest SuperAntiSpyware Free or Malwarebytes’ Anti-Malware.

Download HiJackThis and post a log here.

Hi, I installed the Malware application but it didn’t find anything on a full scan.

Also, I forgot to mention this before, but Microsoft Update won’t work either…it presents a page saying that it’s only for the latest version of IE and presents a link to download and install the latest rev…I do that, but it still doesn’t think I have the latest rev of the browser…I’m assuming something has hijacked the browser but I’m not sure how to get rid of it…

Attached is the output from the HiJackThis log…thanks for the help

I have exactly the same issue.

Avast alert at the bottom of the screen saying it blocked… 78.110.175.21 and I can’t download the new Microsoft Security updates, as it goes to a website and I can’t then do the usual Windows Update thingy… I also get Google searches that aren’t related to what I’m looking for but are searchclick.com or the like!

Anyway that can help ???

Miss L.

Looks like it may be a new variant of Win32:Zlob. 78.110.175.21 is a Russian IP address.

I suggest an online scan through
Dr. Web CureIt
Kaspersky Online Scanner
Trend Micro Housecall


Welcome to the forums, mariner. :slight_smile:

The IP address 78.110.175.21 is assigned to LIMIT SureHost located in Moscow, Russia.

From your HJT log :

The below entry is related to Windows Live Messenger.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

This next one does not look necessary to me but I hope someone will confirm this for me.

O4 - HKCU\..\RunOnce: C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.2.17&build=Symantec&a=00000082.00000001.00000001&b=00000082.0000000f.0000001b&c=00000082.0000001e.0000004a&d=00000082.00000020.0000004c&e=00000082.00000049.000000b9

To be fixed if the entry ‘’ is unknown. Do you know of or use ByteScout? If yes, then they are ok.

O9 - Extra button: (no name) - {51B035FC-5ABA-471F-A34E-7499E951FF7A} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html

O9 - Extra ‘Tools’ menuitem: Extract Flash Video with Bytescout… - {51B035FC-5ABA-471F-A34E-7499E951FF7A} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html

O9 - Extra button: Extract Flash Video with Bytescout… - {DE4FDA6F-7571-4455-A09F-D205E4DC9C46} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html

The below may be related to either Virtumonde or Smitfraud and I hope someone else can confirm this for me.

O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD}

Do you or have you uploaded photos to CVS Pharmacy, Costco, WalMart, or other such Online Photo Center services? The below is related to such services through primedia.com

O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD}

Those are the only ones I see in your HJT log that are either questionable or perhaps not needed.



Welcome to the forums, Deaki. :slight_smile:

Please start your own thread in order to not confuse the help given in this thread. Use the “New Topic” button near the top right of this section of the forum.


EDIT to correct spelling error.
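The entries reviewed above are a typical HijackThis (HJT) first pass: orphaned BHOs, startup entries, IE buttons and ActiveX (O16 DPF) downloads. The script below is an added example, not HijackThis code and not from any poster in this thread; it parses HJT log lines and attaches the same kind of triage notes the helper wrote by hand. The sample entries are the ones quoted in the thread; the note wording and the rule thresholds are my own.

```python
"""First-pass triage of HijackThis (HJT) log lines (added example, not HJT's code).

It automates the checks done by hand in the thread above: orphaned BHOs
("(no file)"), startup entries that open a browser at a URL, unnamed IE
buttons, and O16 DPF (ActiveX download) entries whose name and download URL
are missing from the log.
"""
import re

# Sample entries: the HJT lines quoted in the thread above.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKCU\..\RunOnce: C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.2.17&build=Symantec&a=00000082.00000001.00000001&b=00000082.0000000f.0000001b&c=00000082.0000001e.0000004a&d=00000082.00000020.0000004c&e=00000082.00000049.000000b9",
    r"O9 - Extra button: (no name) - {51B035FC-5ABA-471F-A34E-7499E951FF7A} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html",
    r"O9 - Extra 'Tools' menuitem: Extract Flash Video with Bytescout... - {51B035FC-5ABA-471F-A34E-7499E951FF7A} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html",
    r"O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD}",
    r"O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD}",
]

# HJT lines look like "O4 - <body>", "R1 - <body>", "F2 - <body>", ...
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BROWSERS = ("iexplore.exe", "firefox.exe", "opera.exe")


def review(section, body):
    """Return the notes a first-pass reviewer would attach to one entry."""
    notes = []
    low = body.lower()
    if section == "O2" and low.endswith("(no file)"):
        # A BHO CLSID is registered but its DLL is gone: nothing loads, safe to fix.
        notes.append("orphaned BHO: CLSID registered but the DLL is gone; fix it")
    if section == "O4":
        target = body.split(": ", 1)[-1]           # text after "HKCU\..\Run: "
        if any(b in target.lower() for b in BROWSERS) and "http" in target.lower():
            notes.append("startup entry opens a browser at a URL; confirm the URL is expected")
        if "runonce" in low:
            notes.append("RunOnce: runs at next logon only, then removes itself")
    if section == "O9" and body.startswith("Extra button: (no name)"):
        notes.append("unnamed IE button: check that the file it points to is wanted")
    if section == "O16":
        clsids = CLSID_RE.findall(body)
        # A normal O16 line carries "(Name) - http://.../x.cab"; a bare CLSID needs a lookup.
        if clsids and "http" not in low:
            notes.append(f"ActiveX control {clsids[0]} has no name/URL in the log; "
                         "identify the CLSID before fixing")
    return notes


def triage_hjt(lines):
    """Parse HJT lines and return [{section, body, notes}] in log order."""
    results = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue                     # header/footer text, not an entry
        results.append({"section": m["section"], "body": m["body"],
                        "notes": review(m["section"], m["body"])})
    return results


if __name__ == "__main__":
    for entry in triage_hjt(SAMPLE_LOG):
        print(entry["section"], "-", entry["body"][:60])
        for note in entry["notes"]:
            print("    *", note)
```

Entries with an empty note list (the second Bytescout line here) are the ones you still decide on by asking the user whether they installed the product, exactly as was done above; the script only narrows the list.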

I just started getting this message this morning, have no idea what it means or where I picked it up. I ran a full scan with avast and found nothing.

31.12.2008 12:14:28 Network Shield: blocked access to malicious site 78.110.175.21/cp/x/?u=0A1&i=0+e10000494a9707443781920b4b412693924db8BOOK-I9BOMLIG6Q+Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.2;%20.NET%20CLR%201.1.4322;%20.NET%20CLR%202.0.50727;%20.NET%20CLR%203.0.04506.30;%20.NET%20CLR%203.0.04506.648) [ C:\Program Files\Mozilla Firefox\firefox.exe ]

It comes up about every 4 min. Do I have something to worry about?

C4Monk
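Two avast Network Shield alerts have now been quoted in this thread (one from iexplore.exe, one from firefox.exe). The script below is an added example, not avast's code and not from any poster; it parses alert lines of that shape, URL-decodes the User-Agent string that the beacon embeds in its query, and flags two things visible in the quoted lines: the embedded User-Agent does not match the process that made the request (a Firefox UA sent by iexplore.exe, an MSIE UA sent by firefox.exe), and the alerts repeat on a fixed cadence. The third sample line is constructed to stand in for the "every 4 minutes" repeat the posters describe; the field names are my own labels, not avast's.

```python
"""Triage avast "Network Shield" alert lines (added example, not avast's code).

Parses each alert, splits the blocked URL, decodes the User-Agent embedded in
the query, flags UA/process mismatches and measures the interval between
alerts to the same host from the same process (beaconing).
"""
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Lines 1 and 2 are copied from the posts above; line 3 is CONSTRUCTED to stand
# in for the "every 4 minutes" repeat the posters describe (same URL, 242 s later).
SAMPLE_ALERTS = [
    r"30.12.2008 21:35:55 Network Shield: blocked access to malicious site 78.110.175.21/cp/x/?u=0A1&i=0+260000493041722f03218a562928f5a693b2e5MILLAR-1++++++++Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%205.1;%20en-US;%20rv:1.8.0.7)%20Gecko/20060909%20Firefox/1.5.0.7 [ C:\Program Files\Internet Explorer\iexplore.exe ]",
    r"31.12.2008 12:14:28 Network Shield: blocked access to malicious site 78.110.175.21/cp/x/?u=0A1&i=0+e10000494a9707443781920b4b412693924db8BOOK-I9BOMLIG6Q+Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.2;%20.NET%20CLR%201.1.4322;%20.NET%20CLR%202.0.50727;%20.NET%20CLR%203.0.04506.30;%20.NET%20CLR%203.0.04506.648) [ C:\Program Files\Mozilla Firefox\firefox.exe ]",
    r"30.12.2008 21:39:57 Network Shield: blocked access to malicious site 78.110.175.21/cp/x/?u=0A1&i=0+260000493041722f03218a562928f5a693b2e5MILLAR-1++++++++Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%205.1;%20en-US;%20rv:1.8.0.7)%20Gecko/20060909%20Firefox/1.5.0.7 [ C:\Program Files\Internet Explorer\iexplore.exe ]",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) Network Shield: "
    r"blocked access to malicious site (?P<url>\S+) \[ (?P<proc>.+?) \]$"
)

# Process name -> browser family it should identify as. Assumed mapping.
PROCESS_FAMILY = {"iexplore.exe": "msie", "firefox.exe": "firefox"}


def split_query(query):
    """Decode a=b&c=d pairs by hand: the embedded UA carries raw ';' characters,
    which older parse_qs versions treat as a second separator."""
    out = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        out[key] = unquote_plus(value)      # '+' padding -> spaces, %20 -> space
    return out


def ua_family(ua):
    if "Firefox/" in ua:
        return "firefox"
    if "MSIE " in ua:
        return "msie"
    return "other"


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    host, _, rest = m["url"].partition("/")     # avast prints the URL without a scheme
    path, _, query = rest.partition("?")
    params = split_query(query)
    i_value = params.get("i", "")
    ua_at = i_value.find("Mozilla/")
    ua = i_value[ua_at:] if ua_at != -1 else ""
    id_fields = (i_value[:ua_at] if ua_at != -1 else i_value).split()
    exe = m["proc"].rsplit("\\", 1)[-1].lower()
    pf, uf = PROCESS_FAMILY.get(exe, "other"), ua_family(ua)
    return {
        "ts": datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"),
        "host": host,
        "path": "/" + path,
        "u": params.get("u", ""),
        "id_fields": id_fields,   # hex blob plus what looks like a machine name (assumption)
        "ua": ua,
        "process": exe,
        "ua_mismatch": "other" not in (pf, uf) and pf != uf,
    }


def triage(lines):
    return [a for a in (parse_alert(line) for line in lines) if a is not None]


def beacon_intervals(alerts):
    """Seconds between consecutive alerts to the same host from the same process."""
    by_key = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_key.setdefault((a["host"], a["process"]), []).append(a["ts"])
    return {key: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for key, t in by_key.items()}


if __name__ == "__main__":
    alerts = triage(SAMPLE_ALERTS)
    for a in alerts:
        print(a["ts"], a["host"] + a["path"], a["process"],
              "UA mismatch" if a["ua_mismatch"] else "", "|", a["ua"][:40])
    print(beacon_intervals(alerts))
```

A browser that reports a User-Agent it could never send (an MSIE string from firefox.exe) is a strong sign that the request is not the browser's own, but something injected into or driven from it; a fixed repeat interval to one host points the same way. Neither observation identifies the specific family, so the scans suggested in the thread are still the next step.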

You could monitor this topic and run the suggested software. But it would be better to start your own new topic so as not to complicate this one.

Please start a New Topic of your own as it will just confuse the topic and we will try to help.

  • Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

This site (78.110.175.21) is infected.

Hi,
I did a number of those scans and pulled some of the recommended items from the HiJack list…anyway, I stumbled across what I think is the solution in topic #41423.0

http://forum.avast.com/index.php?topic=41423.0

I deleted the file in question and the avast blocking messages have stopped, the google searches are accurate again and I can run Microsoft Update…

Thanks to all those who put the time in to help


You are welcome, mariner, and it is good to know you now have your problem corrected. :slight_smile:


There could be many things that are causing this; it could be a cookie or adware. Put up a HijackThis log and then we should know what’s happening.

Hi mariner,

Update your Java version, because that could get you infected, but it might already be the right version, so check. A good way to keep an eye on the latest versions and patches is via this free download: http://secunia.com/PSISetup.exe
If you have to cleanse something in Safe Mode, disable TeaTimer for the time you are at that, and enable it again later…
Then you apparently haven’t got a firewall running there, which makes you vulnerable on the Internet.

Survey of active tasks on your OS (process - type - description):

smss.exe - System task - Session Manager Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - System task - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
aawservice.exe - Anti-ad/spyware software - Ad-Aware 2007 Service
aswUpdSv.exe - Virus scan - Avast Anti-Virus Component
ashServ.exe - Virus scan - Avast
Explorer.EXE - System task - Microsoft Windows Explorer
SMax4PNP.exe - Background task - SMax4PNP MFC Application
iTunesHelper.exe - Application - Apple iTunes
StatusClient.exe - Background task - Hewlett-Packard Status Client
VM_STI.EXE - Background task - BigDogPath
jusched.exe - Background task - Sun Java Update Scheduler
HOMERunner.exe - Application - Part of TomTom routeplanner software - TML P
ashDisp.exe - Virus scan - Avast AntiVirus
HPWuSchd2.exe - Background task - Hewlett Packard Software Update Scheduler
CTDetect.exe - Background task - Auto-detect and play a DVD when using a Creative Soundblaster Audigy2 soundcard.
ctfmon.exe - System task - Alternative User Input Services re: http://www.howtogeek.com/howto/windows-vista/what-are-wmpnscfgexe-and-wmpnetwkexe-and-why-are-they-running/
WMPNSCFG.exe - Background task - Windows Media Player Network Sharing Service Confi
TeaTimer.exe - Application - Spybot S&D Realtime Scanner
spoolsv.exe - System task - Microsoft Printer Spooler Service
reader_sl.exe - Background task - Adobe Reader Speed Launch
boincmgr.exe - Background task - BOINC manager
WinCinemaMgr.exe - Background task - WinCinema Manager is needed when using the WinDVD Remote Control for WinDVD from Intervideo.
ICQ.exe - Application - ICQ
EasyShare.exe - Background task - Software bundled with Kodak digital cameras to manage the connection between the PC and the camera.
WindowsSearch.exe - Background task - Windows Desktop Search Tray
boinc.exe - Background task - Berkeley Open Infrastructure for Network Computing
javaw.exe - Application - Sun Java
hadsm3_6.07_windows_intelx86.exe - Unknown task - Unknown task
Hotsync.exe - Background task - HotSync Manager
hadam3_6.01_windows_intelx86.exe - Unknown task - Unknown task
IEXPLORE.EXE - Application - Windows Internet Explorer
CTsvcCDA.EXE - Background task - Creative CD-ROM Services
cvpnd.exe - Application - Cisco VPN Service
hadsm3_um_6.07_windows_intelx86.exe - Unknown task = ClimatePrediction.net.uk ?? - Unknown task
svchost.exe - System task - Microsoft Service Host Process
iaantmon.exe - Background task - Intel Application Accelerator RAID Monitor
nvsvc32.exe - Application - NVIDIA Driver Helper Service
HPZipm12.exe - Driver - HP Taskbar Utility
SMAgent.exe - Background task - Analog Devices magent
svchost.exe - System task - Microsoft Service Host Process
SearchIndexer.exe - System task - Search Indexer
ashMaiSv.exe - Virus scan - Avast Anti-Virus Component
ashWebSv.exe - Virus scan - avast! Web Scanner
iPodService.exe - Background task - Apple iTunes
hadam3_um_6.01_windows_intelx86.exe - Unknown task - Unknown task
SearchProtocolHost.exe - System task - SearchProtocolHost
WLLoginProxy.exe - Application - Microsoft Windows Live Login Helper
wuauclt.exe - System task - AutoUpdate Client
wuauclt.exe - System task - AutoUpdate Client
HijackThis.exe - Application - HijackThis

polonus

To whom are you addressing your comment, as there are two posters in this thread and one has already posted a HJT log and received help on it? If it is addressed to the other poster, I asked him to start another topic as it would just confuse this one, which he did, and his problem has also been resolved.

Also don’t ask for a HJT log to be posted unless you are prepared to do the analysis.

I appreciate you are trying to help but you have to read the topic so we are all working from the same page or it just confuses things.