Help - Hijacked Computer

Posted by: mb2cotter

Operating System Version: XP Pro

I somehow managed to have my computer hijacked. Every minute or so a new Internet Explorer (6.0) window opens up with the following URL: http://81.211.105.49/

When I came into work this morning, there were several dozen of these explorer windows open. It also changed my homepage, inserted links into my Favorites, put new icons on my desktop, deleted my Google toolbar and puts banners (Party Poker) at the top of some pages when I surf. Also, when I go to the task manager, my CPU is always running at 100%.

I've tried a virus scan, Adaware and Spybot - all to no avail. Below is the log from HijackThis. I don't understand most of it, but I can see that there are a lot of search engine links prefaced with "O1 - Hosts". Please help!

Logfile of HijackThis v1.97.7
Scan saved at 10:16:35 AM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Prime95\prime95.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\desktop weather\desktopweather_1267848.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mcotter\Local Settings\Temporary Internet Files\Content.IE5\856V89M3\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://freednshost.info/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freednshost.info/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://freednshost.info/page/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freednshost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freednshost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://freednshost.info/page/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freednshost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freednshost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freednshost.info/page/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://213.159.118.226/sp.php
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 aifind.info
O1 - Hosts: 213.159.118.226 allneedsearch.com
O1 - Hosts: 213.159.118.226 approvedlinks.com
O1 - Hosts: 213.159.118.226 auto.ie.searchforge.com
O1 - Hosts: 213.159.118.226 awebfind.biz
O1 - Hosts: 213.159.118.226 best.royalsearch.net
O1 - Hosts: 213.159.118.226 cracks.am
O1 - Hosts: 213.159.118.226 default-homepage-network.com
O1 - Hosts: 213.159.118.226 find.microgirls.com
O1 - Hosts: 213.159.118.226 find4u.net
O1 - Hosts: 213.159.118.226 freshvideogals.com
O1 - Hosts: 213.159.118.226 i-lookup.com
O1 - Hosts: 213.159.118.226 ie-search.com
O1 - Hosts: 213.159.118.226 in.webcounter.cc
O1 - Hosts: 213.159.118.226 itseasy.us
O1 - Hosts: 213.159.118.226 just.find-itnow.com
O1 - Hosts: 213.159.118.226 link.startmake.com
O1 - Hosts: 213.159.118.226 mysearchnow.com
O1 - Hosts: 213.159.118.226 nativehardcore.com
O1 - Hosts: 213.159.118.226 qwertysearch123.biz
O1 - Hosts: 213.159.118.226 search.ieplugin.com
O1 - Hosts: 213.159.118.226 search.psn.cn
O1 - Hosts: 213.159.118.226 searchbar.findthewebsiteyouneed.com
O1 - Hosts: 213.159.118.226 searchcentrix.com
O1 - Hosts: 213.159.118.226 searchmyrequest.com
O1 - Hosts: 213.159.118.226 super-spider.com
O1 - Hosts: 213.159.118.226 t.rack.cc
O1 - Hosts: 213.159.118.226 teen-biz.com
O1 - Hosts: 213.159.118.226 teenhqpics.com
O1 - Hosts: 213.159.118.226 tits.hardcore4ever.net
O1 - Hosts: 213.159.118.226 webcoolsearch.com
O1 - Hosts: 213.159.118.226 wmmse.com
O1 - Hosts: 213.159.118.226 www.008i.com
O1 - Hosts: 213.159.118.226 www.2fastsearch.net
O1 - Hosts: 213.159.118.226 www.8095.com
O1 - Hosts: 213.159.118.226 www.alfa-search.com
O1 - Hosts: 213.159.118.226 www.boredlife.com
O1 - Hosts: 213.159.118.226 www.couldnotfind.com
O1 - Hosts: 213.159.118.226 www.cracks.am
O1 - Hosts: 213.159.118.226 www.daum.net
O1 - Hosts: 213.159.118.226 www.dreamwiz.com
O1 - Hosts: 213.159.118.226 www.find-itnow.com
O1 - Hosts: 213.159.118.226 www.find4u.net
O1 - Hosts: 213.159.118.226 www.firstbookmark.com
O1 - Hosts: 213.159.118.226 www.gajai.com
O1 - Hosts: 213.159.118.226 www.hand-book.com
O1 - Hosts: 213.159.118.226 www.hao123.com
O1 - Hosts: 213.159.118.226 www.hotsearchbox.com
O1 - Hosts: 213.159.118.226 www.hotwebsearch.com
O1 - Hosts: 213.159.118.226 www.hugesearch.net
O1 - Hosts: 213.159.118.226 www.iquicksearch.com
O1 - Hosts: 213.159.118.226 www.lookfor.cc
O1 - Hosts: 213.159.118.226 www.maxxxhosters.com
O1 - Hosts: 213.159.118.226 www.naver.com
O1 - Hosts: 213.159.118.226 www.nkvd.us
O1 - Hosts: 213.159.118.226 www.nova****.com
O1 - Hosts: 213.159.118.226 www.ohcorea.com
O1 - Hosts: 213.159.118.226 www.omega-search.com
O1 - Hosts: 213.159.118.226 www.onet.pl
O1 - Hosts: 213.159.118.226 www.power-search.info
O1 - Hosts: 213.159.118.226 www.rightfinder.net
O1 - Hosts: 213.159.118.226 www.search-1.net
O1 - Hosts: 213.159.118.226 www.search-and-go.com
O1 - Hosts: 213.159.118.226 www.search-dot.com
O1 - Hosts: 213.159.118.226 www.search-space.com
O1 - Hosts: 213.159.118.226 www.searchforge.com
O1 - Hosts: 213.159.118.226 www.searching-the-net.com
O1 - Hosts: 213.159.118.226 www.searchv.com
O1 - Hosts: 213.159.118.226 www.searchxl.com
O1 - Hosts: 213.159.118.226 www.seznam.cz
O1 - Hosts: 213.159.118.226 www.slotch.com
O1 - Hosts: 213.159.118.226 www.spidersearch.com
O1 - Hosts: 213.159.118.226 www.startium.com
O1 - Hosts: 213.159.118.226 www.therealsearch.com
O1 - Hosts: 213.159.118.226 www.ttjj.com
O1 - Hosts: 213.159.118.226 www.viewpornkey.com
O1 - Hosts: 213.159.118.226 www.wazzupnet.com
O1 - Hosts: 213.159.118.226 www.websearch.com
O1 - Hosts: 213.159.118.226 www.windowws.cc
O1 - Hosts: 213.159.118.226 www.xgmm.com
O1 - Hosts: 213.159.118.226 xwebsearch.biz
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -0
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_1267848.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Principia Online Update.lnk = C:\Program Files\Morningstar\Principia\Schedupd.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Debt Solutions - http://213.159.118.226/tools.php?qq=Debt+Solutions
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Party Poker - http://213.159.118.226/tools.php?qq=Party+Poker
O8 - Extra context menu item: Party Poker.com - http://213.159.118.226/tools.php?qq=Party+Poker.com
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Party Poker.com (HKLM)
O9 - Extra 'Tools' menuitem: Party Poker (HKLM)
O9 - Extra 'Tools' menuitem: Debt Solutions (HKLM)
O13 - DefaultPrefix: http://freednshost.info/page/
O13 - WWW Prefix: http://freednshost.info/page/
O15 - Trusted Zone: http://peachtree.saver3.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\e1189.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/install/iftwclix.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.123.91.1/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nfp.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spectrumboulder.com
O17 - HKLM\Software\..\Telephony: DomainName = spectrumboulder.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spectrumboulder.com

Posted by: mobo

Download CWShredder: http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Unzip, run and hit the "Fix" tab to fix all found problems. CWShredder takes advantage of security holes in Windows, so you should install all critical updates as well as hotfixes available from Windows Update. Then repost a fresh HijackThis log.

Download 'Hijack This!': http://www.tomcoyote.org/hjt/ and save it to a folder on your desktop. Unzip, double-click HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, so don't fix anything yet.

Posted by: Tipsi

We are still waiting for the next HJT log...

Regards,
Tipsi

Posted by: mb2cotter

I used CWShredder, and then I manually went through the registry and deleted all the references to the unwanted sites. Before I used CWShredder, editing the registry did not work - all the deletions I made were just re-entered. This time, however, the references have NOT been reinserted in the registry. I reran HijackThis and there are no signs of the mess anywhere. I have now been problem-free for a few days. Thanks a lot.

Posted by: mobo

You're welcome, and because it was a CWS hijack you must be short on Windows updates. You should venture over to Windows Update and get all critical updates ASAP.
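The log above shows the patterns a responder looks for when triaging a HijackThis report by hand: dozens of O1 hosts-file entries all pointing at one non-loopback address, an O4 Run entry launching a file named svchost.exe from C:\WINDOWS rather than System32, a context menu (O8) and CustomizeSearch (R0) URL that are bare IP addresses, an O15 Trusted Zone addition, and an O16 Downloaded Program File sourced from the local disk via file://. The script below is an added example and is not part of the thread or of HijackThis; it applies those same heuristics to HJT-style lines. The sample log is constructed from a subset of the entries posted above plus a few benign lines, and the heuristics (loopback set, list of System32-resident binary names) are the author's assumptions, not HijackThis rules.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HJT code)."""
import re
from collections import Counter

# Constructed sample: a subset of the entries posted in the thread plus benign lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freednshost.info/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://213.159.118.226/sp.php
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 www.daum.net
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -0
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: Party Poker - http://213.159.118.226/tools.php?qq=Party+Poker
O15 - Trusted Zone: http://peachtree.saver3.com
O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\e1189.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumptions: hosts entries pointing anywhere but loopback are redirects, and these
# binary names belong in System32 on Windows XP; anything else with that name is suspect.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
SYSTEM32 = r"c:\windows\system32"
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "csrss.exe", "smss.exe", "spoolsv.exe"}
SECTION_RE = re.compile(r"^([RO]\d+) - (.*)$")
RUN_RE = re.compile(r".*Run: \[[^\]]*\]\s*(.*)$")
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def extract_exe(command):
    """Return the executable path from a Run value, honouring quoted paths with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else (command.split()[0] if command else "")


def triage(log_text):
    """Return (section, reason, line) findings for lines matching the heuristics."""
    findings = []
    hosts_targets = Counter()
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O1":
            parts = body.split()
            if len(parts) >= 3 and parts[0] == "Hosts:" and parts[1] not in LOOPBACK:
                hosts_targets[parts[1]] += 1
                findings.append((section, f"hosts file redirects {parts[2]} to {parts[1]}", raw))
        elif section == "O4":
            run = RUN_RE.match(body)
            if run:
                exe = extract_exe(run.group(1))
                directory, _, name = exe.rpartition("\\")
                if name.lower() in SYSTEM_NAMES and directory.lower() != SYSTEM32:
                    findings.append((section, f"{name} launched from {exe}, not System32", raw))
        elif section in ("R0", "R1", "O8", "O13"):
            for url in re.findall(r"https?://\S+", body):
                if IP_URL_RE.match(url):
                    findings.append((section, f"URL points at a raw IP address: {url}", raw))
        elif section == "O15":
            findings.append((section, "site added to the IE Trusted Zone (review)", raw))
        elif section == "O16" and re.search(r" - file://", body, re.I):
            findings.append((section, "Downloaded Program File sourced from local disk", raw))
    # Many hostnames mapped to one address is the signature of a mass hosts-file hijack.
    for ip, count in hosts_targets.items():
        if count >= 2:
            findings.append(("O1", f"{count} hostnames all resolve to {ip} (mass hosts hijack)", ""))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}")
        if line:
            print(f"    {line}")
```

On the constructed sample this flags the two non-loopback hosts entries and their shared target, the out-of-place svchost.exe, the two raw-IP URLs, the Trusted Zone entry and the file:// DPF object, while leaving the Norton, RealPlayer and Flash entries alone. The System32 comparison is deliberately exact-match: a real svchost.exe in C:\WINDOWS\System32 is not reported, which is the distinction that matters for this log.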