#1 | Newb Techie | Join Date: Apr 2004 | Posts: 2
Operating System Version: XP Pro

I somehow managed to have my computer hijacked. Every minute or so a new Internet Explorer (6.0) window opens up with the following URL: http://81.211.105.49/ When I came into work this morning, there were several dozen of these Explorer windows open. It also changed my homepage, inserted links into my Favorites, put new icons on my desktop, deleted my Google toolbar and puts banners (Party Poker) at the top of some pages when I surf. Also, when I go to the Task Manager, my CPU is always running at 100%. I've tried a virus scan, Adaware and Spybot - all to no avail. Below is the log from HijackThis. I don't understand most of it, but I can see that there are a lot of search engine links prefaced with "O1 - Hosts". Please help!

Logfile of HijackThis v1.97.7
Scan saved at 10:16:35 AM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Prime95\prime95.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\desktop weather\desktopweather_1267848.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mcotter\Local Settings\Temporary Internet Files\Content.IE5\856V89M3\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://freednshost.info/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freednshost.info/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://freednshost.info/page/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freednshost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freednshost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://freednshost.info/page/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freednshost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freednshost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freednshost.info/page/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://213.159.118.226/sp.php
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 aifind.info
O1 - Hosts: 213.159.118.226 allneedsearch.com
O1 - Hosts: 213.159.118.226 approvedlinks.com
O1 - Hosts: 213.159.118.226 auto.ie.searchforge.com
O1 - Hosts: 213.159.118.226 awebfind.biz
O1 - Hosts: 213.159.118.226 best.royalsearch.net
O1 - Hosts: 213.159.118.226 cracks.am
O1 - Hosts: 213.159.118.226 default-homepage-network.com
O1 - Hosts: 213.159.118.226 find.microgirls.com
O1 - Hosts: 213.159.118.226 find4u.net
O1 - Hosts: 213.159.118.226 freshvideogals.com
O1 - Hosts: 213.159.118.226 i-lookup.com
O1 - Hosts: 213.159.118.226 ie-search.com
O1 - Hosts: 213.159.118.226 in.webcounter.cc
O1 - Hosts: 213.159.118.226 itseasy.us
O1 - Hosts: 213.159.118.226 just.find-itnow.com
O1 - Hosts: 213.159.118.226 link.startmake.com
O1 - Hosts: 213.159.118.226 mysearchnow.com
O1 - Hosts: 213.159.118.226 nativehardcore.com
O1 - Hosts: 213.159.118.226 qwertysearch123.biz
O1 - Hosts: 213.159.118.226 search.ieplugin.com
O1 - Hosts: 213.159.118.226 search.psn.cn
O1 - Hosts: 213.159.118.226 searchbar.findthewebsiteyouneed.com
O1 - Hosts: 213.159.118.226 searchcentrix.com
O1 - Hosts: 213.159.118.226 searchmyrequest.com
O1 - Hosts: 213.159.118.226 super-spider.com
O1 - Hosts: 213.159.118.226 t.rack.cc
O1 - Hosts: 213.159.118.226 teen-biz.com
O1 - Hosts: 213.159.118.226 teenhqpics.com
O1 - Hosts: 213.159.118.226 ****.hardcore4ever.net
O1 - Hosts: 213.159.118.226 webcoolsearch.com
O1 - Hosts: 213.159.118.226 wmmse.com
O1 - Hosts: 213.159.118.226 www.008i.com
O1 - Hosts: 213.159.118.226 www.2fastsearch.net
O1 - Hosts: 213.159.118.226 www.8095.com
O1 - Hosts: 213.159.118.226 www.alfa-search.com
O1 - Hosts: 213.159.118.226 www.boredlife.com
O1 - Hosts: 213.159.118.226 www.couldnotfind.com
O1 - Hosts: 213.159.118.226 www.cracks.am
O1 - Hosts: 213.159.118.226 www.daum.net
O1 - Hosts: 213.159.118.226 www.dreamwiz.com
O1 - Hosts: 213.159.118.226 www.find-itnow.com
O1 - Hosts: 213.159.118.226 www.find-itnow.com
O1 - Hosts: 213.159.118.226 www.find4u.net
O1 - Hosts: 213.159.118.226 www.firstbookmark.com
O1 - Hosts: 213.159.118.226 www.gajai.com
O1 - Hosts: 213.159.118.226 www.hand-book.com
O1 - Hosts: 213.159.118.226 www.hao123.com
O1 - Hosts: 213.159.118.226 www.hotsearchbox.com
O1 - Hosts: 213.159.118.226 www.hotwebsearch.com
O1 - Hosts: 213.159.118.226 www.hugesearch.net
O1 - Hosts: 213.159.118.226 www.iquicksearch.com
O1 - Hosts: 213.159.118.226 www.lookfor.cc
O1 - Hosts: 213.159.118.226 www.maxxxhosters.com
O1 - Hosts: 213.159.118.226 www.naver.com
O1 - Hosts: 213.159.118.226 www.nkvd.us
O1 - Hosts: 213.159.118.226 www.nova****.com
O1 - Hosts: 213.159.118.226 www.ohcorea.com
O1 - Hosts: 213.159.118.226 www.omega-search.com
O1 - Hosts: 213.159.118.226 www.onet.pl
O1 - Hosts: 213.159.118.226 www.power-search.info
O1 - Hosts: 213.159.118.226 www.rightfinder.net
O1 - Hosts: 213.159.118.226 www.search-1.net
O1 - Hosts: 213.159.118.226 www.search-and-go.com
O1 - Hosts: 213.159.118.226 www.search-dot.com
O1 - Hosts: 213.159.118.226 www.search-space.com
O1 - Hosts: 213.159.118.226 www.searchforge.com
O1 - Hosts: 213.159.118.226 www.searching-the-net.com
O1 - Hosts: 213.159.118.226 www.searchv.com
O1 - Hosts: 213.159.118.226 www.searchxl.com
O1 - Hosts: 213.159.118.226 www.seznam.cz
O1 - Hosts: 213.159.118.226 www.slotch.com
O1 - Hosts: 213.159.118.226 www.spidersearch.com
O1 - Hosts: 213.159.118.226 www.startium.com
O1 - Hosts: 213.159.118.226 www.therealsearch.com
O1 - Hosts: 213.159.118.226 www.ttjj.com
O1 - Hosts: 213.159.118.226 www.viewpornkey.com
O1 - Hosts: 213.159.118.226 www.wazzupnet.com
O1 - Hosts: 213.159.118.226 www.websearch.com
O1 - Hosts: 213.159.118.226 www.windowws.cc
O1 - Hosts: 213.159.118.226 www.xgmm.com
O1 - Hosts: 213.159.118.226 xwebsearch.biz
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -0
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_1267848.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Principia Online Update.lnk = C:\Program Files\Morningstar\Principia\Schedupd.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Debt Solutions - http://213.159.118.226/tools.php?qq=Debt+Solutions
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Party Poker - http://213.159.118.226/tools.php?qq=Party+Poker
O8 - Extra context menu item: Party Poker.com - http://213.159.118.226/tools.php?qq=Party+Poker.com
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Party Poker.com (HKLM)
O9 - Extra 'Tools' menuitem: Party Poker (HKLM)
O9 - Extra 'Tools' menuitem: Debt Solutions (HKLM)
O13 - DefaultPrefix: http://freednshost.info/page/
O13 - WWW Prefix: http://freednshost.info/page/
O15 - Trusted Zone: http://peachtree.saver3.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\e1189.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/install/iftwclix.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.123.91.1/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nfp.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spectrumboulder.com
O17 - HKLM\Software\..\Telephony: DomainName = spectrumboulder.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spectrumboulder.com
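The posted log shows the three line shapes a defender reads first in a HijackThis log of this era: the O1 hosts-file entries pointing many search-engine domains at one IP, the O4 Run entries starting a file named svchost.exe from C:\WINDOWS rather than System32, and the O16 Downloaded Program File registered from a file:// path. The following is an added example, not code from this thread, from HijackThis or from CWShredder: a small Python triage script that parses those entry types exactly as HijackThis 1.97 prints them and flags the three patterns. The sample log embedded in it is constructed from a handful of lines modelled on the post above, and the list of system-binary names and the redirect threshold are assumptions to tune for your own environment.

```python
"""Triage heuristics over HijackThis-style log lines (added example).

Checks applied:
  * O1  - several hostnames in the hosts file resolving to one non-loopback IP
  * O4  - a Run entry whose binary carries a core Windows name (svchost.exe,
          lsass.exe, ...) but is started from outside System32
  * O16 - a Downloaded Program File (ActiveX) registered from a file:// path
"""
import re
from collections import defaultdict

# Assumption: names of core Windows binaries that only ever start from System32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "spoolsv.exe"}
LOOPBACK = {"127.0.0.1", "::1"}
HOSTS_REDIRECT_THRESHOLD = 3  # assumption: how many domains to one IP is suspicious

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \([^)]*\))? - (?P<url>.+)$")

# Constructed sample, modelled on a few lines of the log in the post above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freednshost.info/
O1 - Hosts: 213.159.118.226 www.search-1.net
O1 - Hosts: 213.159.118.226 www.searchxl.com
O1 - Hosts: 213.159.118.226 www.naver.com
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -0
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\e1189.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""


def parse_entries(log_text):
    """Yield (section, body) for every HijackThis item line; other lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def image_path(cmd):
    """Return the executable path from a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return a list of (section, reason, evidence) findings for the log text."""
    findings = []
    redirects = defaultdict(list)  # ip -> hostnames the hosts file sends to it
    for section, body in parse_entries(log_text):
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m and m.group("ip") not in LOOPBACK:
                redirects[m.group("ip")].append(m.group("host"))
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Startup-folder entries use a different shape
            path = image_path(m.group("cmd"))
            parts = path.replace("/", "\\").split("\\")
            exe = parts[-1].lower()
            parent = parts[-2].lower() if len(parts) > 1 else ""
            if exe in SYSTEM_BINARIES and parent != "system32":
                findings.append((section,
                                 f"system binary name {exe} started from outside System32",
                                 f"[{m.group('name')}] {path}"))
        elif section == "O16":
            m = DPF_RE.match(body)
            if m and m.group("url").lower().startswith("file:"):
                findings.append((section,
                                 "ActiveX control registered from a local file:// path",
                                 f"{{{m.group('clsid')}}} {m.group('url')}"))
    for ip, hosts in redirects.items():
        if len(hosts) >= HOSTS_REDIRECT_THRESHOLD:
            shown = ", ".join(sorted(hosts)[:5]) + (" ..." if len(hosts) > 5 else "")
            findings.append(("O1", f"hosts file sends {len(hosts)} domains to {ip}", shown))
    return findings


if __name__ == "__main__":
    for section, reason, evidence in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {evidence}")
```

Run against the sample it reports two O4 findings (the HKLM and HKCU "Network Service" entries), one O16 finding and one O1 finding; fed the full log from the post it would list all 86 hosts-file redirects under the same IP. It is a reading aid for a log, not a cleaner: removing the entries is what CWShredder and a manual registry edit did in the follow-up below.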

#2 | True Techie | Join Date: May 2003 | Posts: 221
Download CWShredder: http://www.spywareinfo.com/~merijn/files/cwshredder.zip Unzip, run and hit the ->fix tab to fix all found problems. CWShredder takes advantage of security holes in Windows, so you should install all critical updates as well as hotfixes available from Windows Update. Then repost a fresh HijackThis log.

Download 'Hijack This!'. http://www.tomcoyote.org/hjt/ and save it to a folder on your desktop. Unzip, double-click HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

#4 | Newb Techie | Join Date: Apr 2004 | Posts: 2
I used the CW Shredder, and then I manually went through the registry and deleted all the references to the unwanted sites. Before I used the CW Shredder, editing the registry did not work - all the deletions I made were just re-entered. This time, however, the references have NOT been reinserted in the registry. I reran HijackThis and there are no signs of the mess anywhere. I have now been problem free for a few days. Thanks a lot.