Velocity Reviews


Peter James 12-25-2003 10:25 AM

Microsoft Help Centre message
 
On occasions during using Help Centre on Windows XP, I get the
following message from Kerio, my firewall.
"Microsoft Help Centre Hosting Server" from your computer wants to
send UDP datagram to ad.free6.com [127.0.0.1] port 1123.
details about application
C:\windows\pchealth\helpctr\binaries\helphost.exe
ends
Now am I a bit paranoid about this? Why should Windows want to access
ad.free6.com? Up to now I am denying each and every request on an
individual basis. Should I allow Kerio to write a rule and deny
automatically? Many thanks.
--

Peter James
Change AT to @ to reply

Kevin 12-26-2003 03:28 AM

Re: Microsoft Help Centre message
 
That's a very good question? Have you done a Google search for
ad.free6.com? I don't think you are paranoid at all, I think you're making
good security decisions. Never allow anything or anyone access to your
system if you have any doubts as to who or what they are. Until you find
out more about ad.free6.com, I would let my firewall do the job you
purchased it to do.

"Peter James" <nospam@petefjames.clara.co.uk> wrote in message
news:jdeluvclpv6jev8mkd8rg6ndn999eaip5s@4ax.com...
> On occasions during using Help Centre on Windows XP, I get the
> following message from Kerio, my firewall.
> "Microsoft Help Centre Hosting Server" from your computer wants to
> send UDP datagram to ad.free6.com [127.0.0.1] port 1123.
> details about application
> C:\windows\pchealth\helpctr\binaries\helphost.exe
> ends
> Now am I a bit paranoid about this? Why should Windows want to access
> ad.free6.com? Up to now I am denying each and every request on an
> individual basis. Should I allow Kerio to write a rule and deny
> automatically? Many thanks.
> --
>
> Peter James
> Change AT to @ to reply




sponge 12-26-2003 04:40 AM

Re: Microsoft Help Centre message
 
On Thu, 25 Dec 2003 10:25:07 +0000, Peter James
<nospam@petefjames.clara.co.uk> wrote:

>On occasions during using Help Centre on Windows XP, I get the
>following message from Kerio, my firewall.
>"Microsoft Help Centre Hosting Server" from your computer wants to
>send UDP datagram to ad.free6.com [127.0.0.1] port 1123.
>details about application
>C:\windows\pchealth\helpctr\binaries\helphost.exe
>ends
>Now am I a bit paranoid about this? Why should Windows want to access
>ad.free6.com? Up to now I am denying each and every request on an
>individual basis. Should I allow Kerio to write a rule and deny
>automatically? Many thanks.


This is some kind of hijacker/spyware that just happens to operate
coincident with your access to Microsoft. I checked out www.free6.com
and it is some porn site, so I'm almost certain you have some kind of
spyware. (Even though I would not put it past Microsoft to start
including adware or spyware in their products, I don't think they
dabble in porn.) So the usual advice applies, below. One thing I might
ask - if neither Ad-Aware nor SpyBot find it, and you have to use
HiJackThis! to root out the problem, I'd appreciate a copy of the
malware if you find it so that it can be submitted to Ad-Aware,
SpyBot, and a number of other anti-virus vendors' databases. (Or, if
you want, I can give you instructions on how to do this yourself - the
key thing is all the anti-parasite program vendors need a copy of the
malicious program for analysis.) At any rate, here is the standard
advice:

Run the "Big Four" -- Ad-Aware (http://www.lavasoft.de), SpyBot
(http://security.kolla.de), SpywareBlaster
(http://www.javacoolsoftware.com/spywareblaster.html) and CWShredder
(http://www.merijn.org/files/cwshredder.zip). The latter won't nuke
eZula, but I recommend keeping it in your toolbox if you are going to
use Internet Explorer, which is probably going to cause you headaches
in the future. Run their updaters (CWShredder doesn't have an online
update feature, just make sure to have the latest version), restart
them, and let them rip.

If both Ad-Aware and SpyBot -- use them BOTH! -- don't take care of
eZula (they will probably find a few other things, as eZula usually
doesn't travel alone), then run HiJackThis!
(http://tomcoyote.org/hjt). The thing is, no single tool is good at
killing all spyware, but Ad-Aware and SpyBot, when up-to-date versions
of both are run, will take out about 99% of the known stuff out there.
HJT is a good fallback when one is dealing with a new parasite or one
that AAW or SpyBot don't handle properly.

Sponge
Sponge's Secure Solutions
www.geocities.com/yosponge
My new email: yosponge2 att yahoo dott com

Hairy One Kenobi 12-26-2003 03:08 PM

Re: Microsoft Help Centre message
 
"Peter James" <nospam@petefjames.clara.co.uk> wrote in message
news:jdeluvclpv6jev8mkd8rg6ndn999eaip5s@4ax.com...
> On occasions during using Help Centre on Windows XP, I get the
> following message from Kerio, my firewall.
> "Microsoft Help Centre Hosting Server" from your computer wants to
> send UDP datagram to ad.free6.com [127.0.0.1] port 1123.
> details about application
> C:\windows\pchealth\helpctr\binaries\helphost.exe
> ends
> Now am I a bit paranoid about this? Why should Windows want to access
> ad.free6.com? Up to now I am denying each and every request on an
> individual basis. Should I allow Kerio to write a rule and deny
> automatically? Many thanks.


Does the address happen to mean anything?

Don't suppose that you're running/have installed something that attempts to
redirect "nasties" to localhost? It'll probably have something like "spy"
and/or "dns" in the program name.

The first line for 127.0.0.1 in your hosts file should read "localhost".

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!



Peter James 12-26-2003 03:20 PM

Re: Microsoft Help Centre message
 
On 25 Dec 2003 20:40:37 -0800, yosponge@yahoo.com (sponge) wrote:


>snipped
>Run the "Big Four" -- Ad-Aware (http://www.lavasoft.de), SpyBot
>(http://security.kolla.de), SpywareBlaster
>(http://www.javacoolsoftware.com/spywareblaster.html) and CWShredder
>(http://www.merijn.org/files/cwshredder.zip). The latter won't nuke
>eZula, but I recommend keeping it in your toolbox if you are going to
>use Internet Explorer, which is probably going to cause you headaches
>in the future. Run their updaters (CWShredder doesn't have an online
>update feature, just make sure to have the latest version), restart
>them, and let them rip.
>
>If both Ad-Aware and SpyBot -- use them BOTH! -- don't take care of
>eZula (they will probably find a few other things, as eZula usually
>doesn't travel alone), then run HiJackThis!
>(http://tomcoyote.org/hjt). The thing is, no single tool is good at
>killing all spyware, but Ad-Aware and SpyBot, when up-to-date versions
>of both are run, will take out about 99% of the known stuff out there.
>HJT is a good fallback when one is dealing with a new parasite or one
>that AAW or SpyBot don't handle properly.
>
>Sponge
>Sponge's Secure Solutions
>www.geocities.com/yosponge
>My new email: yosponge2 att yahoo dott com

I've run the "Big Four" and without any real success. SpyBot,
Ad-Aware, Spywareblaster failed to find anything wrong. HijackThis
produced the following log file:

Logfile of HijackThis v1.97.7
Scan saved at 15:08:35, on 26/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\ggviewer67-57.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Presorium\Frontgate MX\frntgate.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\MozillaFirebird\MozillaFirebird.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
C:\DOCUME~1\Pete\LOCALS~1\Temp\~~PDTEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe
/startup
O4 - HKCU\..\Run: [FG1_00] C:\Program Files\Presorium\Frontgate
MX\frntgate.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - Startup: eDexter.lnk = C:\Program
Files\Pyrenean\eDexter\eDexter.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Packard Bell (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.co...870.4218055556
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446}
(IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI
Registry Information Class) -
http://security.symantec.com/SSC/Sha.../bin/cabsa.cab

I'm a bit confused as to the mention of IE6 on line 4. I don't use IE
6, I use Mozilla Firebird set up as per Sponge's Security page using a
proxy setting.
So I am very confused about this. Where is the malware? And how do I
eradicate it? Many thanks for any help given.

--

Peter James
Change AT to @ to reply

Peter James 12-27-2003 07:25 PM

Re: Microsoft Help Centre message
 
On Fri, 26 Dec 2003 15:08:22 -0000, "Hairy One Kenobi"
<abuse@[127.0.0.1]> wrote:

>"Peter James" <nospam@petefjames.clara.co.uk> wrote in message
>news:jdeluvclpv6jev8mkd8rg6ndn999eaip5s@4ax.com...
>> On occasions during using Help Centre on Windows XP, I get the
>> following message from Kerio, my firewall.
>> "Microsoft Help Centre Hosting Server" from your computer wants to
>> send UDP datagram to ad.free6.com [127.0.0.1] port 1123.
>> details about application
>> C:\windows\pchealth\helpctr\binaries\helphost.exe
>> ends
>> Now am I a bit paranoid about this? Why should Windows want to access
>> ad.free6.com? Up to now I am denying each and every request on an
>> individual basis. Should I allow Kerio to write a rule and deny
>> automatically? Many thanks.

>
>Does the address happen to mean anything?
>
>Don't suppose that you're running/have installed something that attempts to
>redirect "nasties" to localhost? It'll probably have something like "spy"
>and/or "dns" in the program name.
>
>The first line for 127.0.0.1 in your hosts file should read "localhost".

I am getting rather concerned about this ad.free6.com. Just about
every programme I use to access the net causes this message to be
flagged up:
"Microsoft Help Centre Hosting Server" from your computer wants to
send UDP datagram to ad.free6.com [127.0.0.1] port 1123.
details about application
C:\windows\pchealth\helpctr\binaries\helphost.exe
ends
And I have had to get Kerio to blanket ban every mention of it. I
have used Ad-aware, Spybot and hijackthis but to no avail. How do I
get rid of it, and where is it hiding on my HD? A search using
Windows Explorer does not find any mention of it.
--

Peter James
Change AT to @ to reply

Hairy One Kenobi 12-27-2003 11:19 PM

Re: Microsoft Help Centre message
 
"Peter James" <nospam@petefjames.clara.co.uk> wrote in message
news:vtmruvcl3dvi6t25nruuhamd0agnr0q2u4@4ax.com...
> On Fri, 26 Dec 2003 15:08:22 -0000, "Hairy One Kenobi"
> <abuse@[127.0.0.1]> wrote:
>
> >"Peter James" <nospam@petefjames.clara.co.uk> wrote in message
> >news:jdeluvclpv6jev8mkd8rg6ndn999eaip5s@4ax.com...
> >> On occasions during using Help Centre on Windows XP, I get the
> >> following message from Kerio, my firewall.
> >> "Microsoft Help Centre Hosting Server" from your computer wants to
> >> send UDP datagram to ad.free6.com [127.0.0.1] port 1123.
> >> details about application
> >> C:\windows\pchealth\helpctr\binaries\helphost.exe
> >> ends
> >> Now am I a bit paranoid about this? Why should Windows want to access
> >> ad.free6.com? Up to now I am denying each and every request on an
> >> individual basis. Should I allow Kerio to write a rule and deny
> >> automatically? Many thanks.
> >
> >Does the address happen to mean anything?
> >
> >Don't suppose that you're running/have installed something that attempts to
> >redirect "nasties" to localhost? It'll probably have something like "spy"
> >and/or "dns" in the program name.
> >
> >The first line for 127.0.0.1 in your hosts file should read "localhost".


> I am getting rather concerned about this ad.free6.com. Just about
> every programme I use to access the net causes this message to be
> flagged up:
> "Microsoft Help Centre Hosting Server" from your computer wants to
> send UDP datagram to ad.free6.com [127.0.0.1] port 1123.
> details about application


Did you check the file? If you didn't (perhaps because you don't know what
I'm on about), then please just say.

I suspect that it's an anti-Spyware thing you've installed (stress: just a
hunch) and easy to sort out what you're worrying about.

Part of my logic is that you mentioned Sponge's site which - I believe - has
something that /might/ do this. I'm not familiar enough with the exact tool
to say for certain... more info, please.

H1K



sponge 12-28-2003 05:24 AM

Re: Microsoft Help Centre message
 
Take a look at your HOSTS file and see if you have an entry called
ad.free6.com. Microsoft products often send UDP to localhost
(127.0.0.1). If you have an entry in HOSTS resolving ad.free6.com to
127.0.0.1, then, when the firewall spots traffic to 127.0.0.1, it will
do a reverse-DNS to find out the name, and may pick up the entry in
your HOSTS.
BTW, nothing stood out in your log file except a reference to Real.com
(RealPlayer, RealJukeBox, etc.)


Sponge
Sponge's Secure Solutions
www.geocities.com/yosponge
My new email: yosponge2 att yahoo dott com
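
The false-alarm mechanism Sponge describes above, together with Hairy One Kenobi's earlier point that the first 127.0.0.1 line of the hosts file should be "localhost", as an added Python example (not code from Kerio or from any poster in this thread; the HOSTS contents are constructed to match what Peter reported):

```python
# Added example (not Kerio's or any poster's code): parse a HOSTS file, show
# why a firewall's reverse lookup of 127.0.0.1 can name a blocklisted domain,
# and reorder so the first 127.0.0.1 line is localhost.

# Constructed sample matching what Peter reported: blocklist lines first.
SAMPLE_HOSTS = """\
127.0.0.1 ad.fr.doubleclick.net
127.0.0.1 ad.free6.com
127.0.0.1 localhost   # should be the first 127.0.0.1 line
"""

def parse_hosts(text):
    """Return (ip, [names]) tuples in file order; comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, names))
    return entries

def reverse_lookup(entries, ip):
    """First hostname mapped to ip, as a resolver taking the first match returns it."""
    for entry_ip, names in entries:
        if entry_ip == ip:
            return names[0]
    return None

def check_loopback(entries):
    """What a reverse lookup of 127.0.0.1 yields, plus how many blocklist names share it."""
    name = reverse_lookup(entries, "127.0.0.1")
    blocked = [n for ip, names in entries if ip == "127.0.0.1"
               for n in names if n != "localhost"]
    return {"first_name": name, "ok": name == "localhost", "blocklisted": len(blocked)}

def fix_order(entries):
    """Put '127.0.0.1 localhost' first; every blocklist mapping is kept, in order."""
    fixed = [("127.0.0.1", ["localhost"])]
    for ip, names in entries:
        kept = [n for n in names if not (ip == "127.0.0.1" and n == "localhost")]
        if kept:
            fixed.append((ip, kept))
    return fixed

if __name__ == "__main__":
    before = parse_hosts(SAMPLE_HOSTS)
    print("before:", check_loopback(before))   # first_name ad.fr.doubleclick.net, ok False
    print("after: ", check_loopback(fix_order(before)))  # first_name localhost, ok True
```

With the sample as written, the reverse lookup names ad.fr.doubleclick.net, which is exactly the kind of alarming but harmless label a firewall prompt would show; after reordering, the same lookup says localhost and all blocklist entries survive.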

Peter James 12-28-2003 05:31 PM

Re: Microsoft Help Centre message
 
On Sat, 27 Dec 2003 23:19:24 -0000, "Hairy One Kenobi"
<abuse@[127.0.0.1]> wrote:


>
>Did you check the file? If you didn't (perhaps because you don't know what
>I'm on about), then please just say.
>
>I suspect that it's an anti-Spyware thing you've installed (stress: just a
>hunch) and easy to sort out what you're worrying about.
>
>Part of my logic is that you mentioned Sponge's site which - I believe - has
>something that /might/ do this. I'm not familiar enough with the exact tool
>to say for certain... more info, please.
>
>H1K

Yes, I did have a look at the Hosts file, that resides in
C:\windows\system32\drivers\etc\ It seems to be an enormous file at
385,495 kb?
The first two lines of the file are:
127.0.0.1 ad.fr.doubleclick.net
127.0.0.1 ad.free6.com
The rest of the file is an endless listing of sites, a lot of which
are Sex or "Adult" sites. How the hell do they get there? Should I
edit the file and get rid of them, and should I amend the file for the
first line to read:
127.0.0.1 localhost
Many thanks for the help.
--

Peter James
Change AT to @ to reply

Peter James 12-28-2003 06:22 PM

Re: Microsoft Help Centre message
 
On 27 Dec 2003 21:24:59 -0800, yosponge@yahoo.com (sponge) wrote:

>Take a look at your HOSTS file and see if you have an entry called
>ad.free6.com. Microsoft products often send UDP to localhost
>(127.0.0.1). If you have an entry in HOSTS resolving ad.free6.com to
>127.0.0.1, then, when the firewall spots traffic to 127.0.0.1, it will
>do a reverse-DNS to find out the name, and may pick up the entry in
>your HOSTS.
>BTW, nothing stood out in your log file except a reference to Real.com
>(RealPlayer, RealJukeBox, etc.)
>
>
>Sponge
>Sponge's Secure Solutions
>www.geocities.com/yosponge
>My new email: yosponge2 att yahoo dott com

Following on from the comments in this thread on the Hosts file, using
Google I came across this site. The suggestion is that I might want
to download this sample hosts file to replace my existing file and
make the file read only. Would you be prepared to comment on this?
Thanks.

--

Peter James
Change AT to @ to reply

