Hijacking of homepage etc.

Thread starter: Robodo

On visiting a website, my homepage was changed to
freednshost.info.

This change added many R0 and R1 values to the registry.
I removed them using HijackThis and Spybot, along with
the O13 and O16 entries.

A folder was added to the Start Up menu listing 'debt
solutions', 'party poker' and 'party poker.com', and this
was showing in the HijackThis log too, which I deleted.

I reset the homepage using Spybot, and ran Ad-Aware, which
couldn't find anything.

The registry keys for the default page and prefix were
reset.

However, this homepage keeps returning. It adds items to
the Tools list in Internet Explorer and nothing seems to
remove it.

Does anyone have any ideas? The web page opens on its own
at regular intervals when I am online, and when I am not
online it resets the homepage etc., so deleting them with
HijackThis is not working.
 
You'll probably need to get CWShredder. You've probably been hit by some
variant of the CoolWebSearch parasite.

See this page for information about what spyware is, how to scan for and
remove spyware and how to prevent spyware from getting on your machine.

The Parasite Fight
http://aumha.org/a/parasite.htm
 
Use SpywareBlaster; it not only removes that junk but
protects your system from it happening again.
Are you running a firewall and a virus program?
don
 
Here is the Hijack This log file:

The R0, R1, O1 files are all added by this hijacker.

Logfile of HijackThis v1.97.7
Scan saved at 02:35:47, on 10/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\rundll32.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://freednshost.info/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freednshost.info/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://freednshost.info/page/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freednshost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freednshost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://freednshost.info/page/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freednshost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freednshost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freednshost.info/page/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://213.159.118.226/sp.php
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 aifind.info
O1 - Hosts: 213.159.118.226 allneedsearch.com
O1 - Hosts: 213.159.118.226 approvedlinks.com
O1 - Hosts: 213.159.118.226 auto.ie.searchforge.com
O1 - Hosts: 213.159.118.226 awebfind.biz
O1 - Hosts: 213.159.118.226 best.royalsearch.net
O1 - Hosts: 213.159.118.226 cracks.am
O1 - Hosts: 213.159.118.226 default-homepage-network.com
O1 - Hosts: 213.159.118.226 find.microgirls.com
O1 - Hosts: 213.159.118.226 find4u.net
O1 - Hosts: 213.159.118.226 freshvideogals.com
O1 - Hosts: 213.159.118.226 i-lookup.com
O1 - Hosts: 213.159.118.226 ie-search.com
O1 - Hosts: 213.159.118.226 in.webcounter.cc
O1 - Hosts: 213.159.118.226 itseasy.us
O1 - Hosts: 213.159.118.226 just.find-itnow.com
O1 - Hosts: 213.159.118.226 link.startmake.com
O1 - Hosts: 213.159.118.226 mysearchnow.com
O1 - Hosts: 213.159.118.226 nativehardcore.com
O1 - Hosts: 213.159.118.226 qwertysearch123.biz
O1 - Hosts: 213.159.118.226 search.ieplugin.com
O1 - Hosts: 213.159.118.226 search.psn.cn
O1 - Hosts: 213.159.118.226 searchbar.findthewebsiteyouneed.com
O1 - Hosts: 213.159.118.226 searchcentrix.com
O1 - Hosts: 213.159.118.226 searchmyrequest.com
O1 - Hosts: 213.159.118.226 super-spider.com
O1 - Hosts: 213.159.118.226 t.rack.cc
O1 - Hosts: 213.159.118.226 teen-biz.com
O1 - Hosts: 213.159.118.226 teenhqpics.com
O1 - Hosts: 213.159.118.226 tits.hardcore4ever.net
O1 - Hosts: 213.159.118.226 webcoolsearch.com
O1 - Hosts: 213.159.118.226 wmmse.com
O1 - Hosts: 213.159.118.226 www.008i.com
O1 - Hosts: 213.159.118.226 www.2fastsearch.net
O1 - Hosts: 213.159.118.226 www.8095.com
O1 - Hosts: 213.159.118.226 www.alfa-search.com
O1 - Hosts: 213.159.118.226 www.boredlife.com
O1 - Hosts: 213.159.118.226 www.couldnotfind.com
O1 - Hosts: 213.159.118.226 www.cracks.am
O1 - Hosts: 213.159.118.226 www.daum.net
O1 - Hosts: 213.159.118.226 www.dreamwiz.com
O1 - Hosts: 213.159.118.226 www.find-itnow.com
O1 - Hosts: 213.159.118.226 www.find-itnow.com
O1 - Hosts: 213.159.118.226 www.find4u.net
O1 - Hosts: 213.159.118.226 www.firstbookmark.com
O1 - Hosts: 213.159.118.226 www.gajai.com
O1 - Hosts: 213.159.118.226 www.hand-book.com
O1 - Hosts: 213.159.118.226 www.hao123.com
O1 - Hosts: 213.159.118.226 www.hotsearchbox.com
O1 - Hosts: 213.159.118.226 www.hotwebsearch.com
O1 - Hosts: 213.159.118.226 www.hugesearch.net
O1 - Hosts: 213.159.118.226 www.iquicksearch.com
O1 - Hosts: 213.159.118.226 www.lookfor.cc
O1 - Hosts: 213.159.118.226 www.maxxxhosters.com
O1 - Hosts: 213.159.118.226 www.naver.com
O1 - Hosts: 213.159.118.226 www.nkvd.us
O1 - Hosts: 213.159.118.226 www.novafuck.com
O1 - Hosts: 213.159.118.226 www.ohcorea.com
O1 - Hosts: 213.159.118.226 www.omega-search.com
O1 - Hosts: 213.159.118.226 www.onet.pl
O1 - Hosts: 213.159.118.226 www.power-search.info
O1 - Hosts: 213.159.118.226 www.rightfinder.net
O1 - Hosts: 213.159.118.226 www.search-1.net
O1 - Hosts: 213.159.118.226 www.search-and-go.com
O1 - Hosts: 213.159.118.226 www.search-dot.com
O1 - Hosts: 213.159.118.226 www.search-space.com
O1 - Hosts: 213.159.118.226 www.searchforge.com
O1 - Hosts: 213.159.118.226 www.searching-the-net.com
O1 - Hosts: 213.159.118.226 www.searchv.com
O1 - Hosts: 213.159.118.226 www.searchxl.com
O1 - Hosts: 213.159.118.226 www.seznam.cz
O1 - Hosts: 213.159.118.226 www.slotch.com
O1 - Hosts: 213.159.118.226 www.spidersearch.com
O1 - Hosts: 213.159.118.226 www.startium.com
O1 - Hosts: 213.159.118.226 www.therealsearch.com
O1 - Hosts: 213.159.118.226 www.ttjj.com
O1 - Hosts: 213.159.118.226 www.viewpornkey.com
O1 - Hosts: 213.159.118.226 www.wazzupnet.com
O1 - Hosts: 213.159.118.226 www.websearch.com
O1 - Hosts: 213.159.118.226 www.windowws.cc
O1 - Hosts: 213.159.118.226 www.xgmm.com
O1 - Hosts: 213.159.118.226 xwebsearch.biz
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -1
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -1
O8 - Extra context menu item: Debt Solutions - http://213.159.118.226/tools.php?qq=Debt+Solutions
O8 - Extra context menu item: Party Poker - http://213.159.118.226/tools.php?qq=Party+Poker
O8 - Extra context menu item: Party Poker.com - http://213.159.118.226/tools.php?qq=Party+Poker.com
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Party Poker.com (HKLM)
O9 - Extra 'Tools' menuitem: Party Poker (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Debt Solutions (HKLM)
O13 - DefaultPrefix: http://freednshost.info/page/
O13 - WWW Prefix: http://freednshost.info/page/
O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://www.midasplayer.com/midasa.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38069.3154513889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CBD6F16-7DF3-4E64-A70F-BEA155C01C19}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CBD6F16-7DF3-4E64-A70F-BEA155C01C19}: NameServer = 194.168.4.100 194.168.8.100
 
OK, I tried CWShredder but this didn't fix it. I shall try
SpywareBlaster now.

Would a non destructive system recovery get rid of this?
 
It's associated with a P2P software application such as Kazaa. You need to uninstall the P2P software to remove the hijacker entirely.
 
Kelly said:
Try line 63 (right hand side)
http://www.kellys-korner-xp.com/xp_tweaks.htm

/taskbarplus!.htm


I have done everything as well: Ad-Aware, CWShredder, HijackThis, and
I still can't get this to go away. I don't get popups, but there are
many websites I can't go to because instead of bringing up the site it
brings up this stupid page http://213.159.118.226 and it is really
pissing me off!!

I can't even go to http://www.xbox.com because it shows that address in
the address bar but that is not the page it is displaying!

PLEASE HELP!!!
I have no idea how this parasite got on my PC or what it even is,
because everyone tells me it is easy to remove and I have tried
everything!!!
 
Hi,

Those programs surely would have corrected this for you. There are many
keys involved here (I can list them for you if you prefer to do this
manually via the registry).

Per your notes: these need to be removed from Start/Run/msconfig and the
Run keys, not the Startup folder.
 
I had the same problem. The latest Ad-Aware reference file (01R296
16.04.2004) did not detect it, nor did the latest Norton AntiVirus
definitions.

I am running Windows XP Professional.

From the evidence that was left behind on my PC, the following is how I
think my system was hijacked:

1) Somehow I was redirected to the following link (don't load the link
unless you have Norton AntiVirus with the latest virus definition file
loaded):
http://www.caxa.ru/saved/%F0%F3%F1%...E4%EB%FF+Nero+6%2C+%F1%EA%E0%F7%E0%F2%FC.html

2) That page loads another web page with the following address:
http://213.159.118.226/counter_6288.htm
A file called 6288.exe is downloaded into the Internet Explorer/Downloaded
Files directory and it is run.
It creates and runs a file called CMD.exe;
a copy of it is placed here: c:\WINDOWS\Prefetch\CMD.EXE-1DC04744.pf
6288.exe is moved here: C:\Program Files\Internet Explorer\6288.exe

The file E6288.exe is created in the c:\ directory and most likely run.
CMD.exe erases E6288.exe.
A batch file is also created, I think e6288.bat, which checks for the
existence of E6288.exe, deletes it if it exists and then deletes
itself.

The downloaded Trojan is now loaded and running.
A file called x.exe is downloaded and run.

Registry keys are modified, hijacking Internet Explorer.

To make sure it's run upon startup, svchost.exe is loaded from
c:\windows by registry key data.

What I did to clean my PC:

1) Disconnect from the Internet to prevent re-infection.

2) Run Task Manager and find the "svchost.exe" process that IS NOT
started by NETWORK SERVICE, SYSTEM, or LOCAL SERVICE. It will most
likely have your current user name as the process owner. Kill that
process. This should stop the hijacking and the re-appearing web link
icons on your desktop.

3) Load NAV with the latest definitions and do a full scan. This will get
rid of the downloader Trojan but will not fix the hijack (as of yet).

4) Run Ad-Aware with the latest definitions and the "Scan host file"
option turned on. You must customize your scan options to do this.
This will flag all the cookies created during the hijack and will
flag hijack attempts via your hosts file (in my case I just deleted
my hosts file instead of letting Ad-Aware fix it). Delete them.

5) Run HijackThis and delete any registry entry containing
http://freednshost.info/page/ in it.

6) Delete any leftover entries with "Hosts: 213.159.118.226..."

7) Delete references with "C:\WINDOWS\svchost.exe -sr -1"

8) Delete or rename the file "c:\windows\svchost.exe".
Note: the legitimate svchost.exe file exists in "C:\windows\system32\"
and "C:\windows\system32\dllcache\". DO NOT DELETE THESE FILES.

9) Clean out your Start menu, delete those pesky desktop icons, reset
your start page, and reset your Internet Explorer options to the way
they were. The hijacker probably set your browser to blindly accept
and install other virus and hijack programs.

Hope this helps... It worked for me.
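Added example, not code from anyone in this thread: a Python 3.8+ script that reads a HijackThis 1.x log of the kind posted earlier and mechanically applies the indicators behind the nine cleanup steps above. It flags a svchost.exe running from anywhere other than System32 or its dllcache (steps 2 and 8), the Run values that launch it (step 7), R0/R1/O13 entries carrying freednshost.info or 213.159.118.226 (step 5), O1 hosts lines that map names to a non-loopback address (steps 4 and 6), and the planted O8/O9 menu items, which it ties together by name because O9 lines carry no URL. It then turns the findings into a cleanup plan and shows the hosts-file filter. Assumptions: the hijack IP and domain are the ones in the posted log; the two legitimate svchost.exe paths are the ones the post names; the sample log is an excerpt of the posted log plus one constructed 127.0.0.1 line; the sample hosts file is constructed. Everything runs offline on text, and applying the plan to the registry and hosts file remains a manual step.

```python
# Triage a HijackThis 1.x log for the freednshost.info / 213.159.118.226 hijack
# and turn the findings into a cleanup plan. Text only: nothing here touches
# the registry, the hosts file or running processes.
import re

HIJACK_IP = "213.159.118.226"        # every redirected host name resolves here
HIJACK_DOMAIN = "freednshost.info"   # planted in the R0/R1 and O13 entries
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe",            # the only genuine
                 r"c:\windows\system32\dllcache\svchost.exe"}   # XP locations (step 8)

LINE_RE = re.compile(r"^(R[01]|O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O8_RE = re.compile(r"^Extra context menu item: (.+?) - (\S+)$")
O9_RE = re.compile(r"^Extra (?:'Tools' menuitem|button): (.+?) \((HKLM|HKCU)\)$")


def _exe_of(cmd):
    """First token of a Run value's command line, unquoted and lower-cased."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)).lower()


def triage(log_text):
    """Collect the hijack indicators from the log text."""
    f = {"rogue_processes": [], "run_keys": [], "ie_urls": [], "hosts": {},
         "menu_items": []}
    tools_items = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            # "Running processes" block: a svchost.exe outside System32 (step 2)
            low = line.lower()
            if low.endswith("svchost.exe") and low not in LEGIT_SVCHOST:
                f["rogue_processes"].append(line)
            continue
        section, rest = m.groups()
        if section in ("R0", "R1", "O13") and (HIJACK_DOMAIN in rest or HIJACK_IP in rest):
            f["ie_urls"].append(rest)                                   # step 5
        elif section == "O1" and (h := HOSTS_RE.match(rest)):
            f["hosts"].setdefault(h.group(1), []).append(h.group(2))    # steps 4, 6
        elif section == "O4" and (r := RUN_RE.match(rest)):
            hive, name, cmd = r.groups()
            exe = _exe_of(cmd)
            if exe.endswith("svchost.exe") and exe not in LEGIT_SVCHOST:
                f["run_keys"].append((hive, name, cmd))                 # step 7
        elif section == "O8" and (c := O8_RE.match(rest)) and HIJACK_IP in c.group(2):
            f["menu_items"].append(("O8", c.group(1)))
        elif section == "O9" and (t := O9_RE.match(rest)):
            tools_items.append(t.group(1))
    # O9 lines carry no URL; an item is hostile if a hostile O8 shares its name.
    hostile = {name for _, name in f["menu_items"]}
    f["menu_items"] += [("O9", n) for n in tools_items if n in hostile]
    return f


def cleanup_plan(f):
    """The concrete actions, in the order the cleanup steps take them."""
    plan = [f"kill process and rename/delete file: {p}" for p in f["rogue_processes"]]
    plan += [f"delete {hive}\\...\\Run value [{name}] = {cmd}"
             for hive, name, cmd in f["run_keys"]]
    plan += [f"reset IE value: {e}" for e in f["ie_urls"]]
    # 127.x lines are how ad-blocking hosts files work; only foreign targets count.
    plan += [f"delete {len(names)} hosts line(s) that map names to {ip}"
             for ip, names in f["hosts"].items() if not ip.startswith("127.")]
    plan += [f"remove {sec} menu item '{name}'" for sec, name in f["menu_items"]]
    return plan


def clean_hosts(hosts_text, bad_ip=HIJACK_IP):
    """Return (cleaned_text, removed_lines), dropping every line that maps to bad_ip."""
    kept, removed = [], []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # ignore trailing comments
        (removed if fields and fields[0] == bad_ip else kept).append(line)
    return "\n".join(kept) + "\n", removed


# Excerpt of the log posted in this thread, plus one constructed 127.0.0.1 line.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freednshost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freednshost.info/page/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://213.159.118.226/sp.php
O1 - Hosts: 213.159.118.226 www.searchv.com
O1 - Hosts: 213.159.118.226 www.daum.net
O1 - Hosts: 127.0.0.1 ad.example.com
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -1
O8 - Extra context menu item: Party Poker - http://213.159.118.226/tools.php?qq=Party+Poker
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Party Poker (HKLM)
O13 - DefaultPrefix: http://freednshost.info/page/
"""
# Constructed hosts file in the state the log describes.
SAMPLE_HOSTS = """127.0.0.1 localhost
213.159.118.226 www.searchv.com   # planted by the hijacker
213.159.118.226 www.daum.net
"""

if __name__ == "__main__":
    print("\n".join(cleanup_plan(triage(SAMPLE_LOG))))
```

To use it on a real machine, paste the log HijackThis saved in place of SAMPLE_LOG and read the plan; the benign ccApp Run value and the Sun Java Console tools item come out untouched, the svchost.exe under C:\WINDOWS and its Run value are named for removal, and only hosts lines pointing at a non-loopback address are counted, so an ad-blocking hosts file is not flagged as a hijack.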




 
It takes more than one; the rule of thumb is to run them all! It works.

Ad-Aware
http://www.lavasoftusa.com/

Spybot
http://tinyurl.com/btf8

CWShredder (Line 313)
http://www.kellys-korner-xp.com/xp_tweaks.htm

Hijack This
http://www.spychecker.com/program/hijackthis.html

Free Online Virus Scan
http://housecall.trendmicro.com/housecall/start_corp.asp




I had the same problem. the latest Ad-Aware reference file (01R296
16.04.2004) did not detect it nor did the latest Norton anti virus
definitions.

I am running windows XP professional

From the evidence that was left behind on my PC the following is how I
think my system was hijacked:

1) some how I was redirected to the following link ( don't load link
unless you have Norton Anti virus with latest the latest virus
definition file loaded)
http://www.caxa.ru/saved/%F0%F3%F1%...E4%EB%FF+Nero+6%2C+%F1%EA%E0%F7%E0%F2%FC.html

2) that page loads another web page with the following address:
http://213.159.118.226/counter_6288.htm
a file called 6288.exe downloaded in Internet Explorer/downloaded
Files directory and it is ran
it creates and runs a file called CMD.exe
a copy of it is placed here: c:\WINDOWS\Prefetch\CMD.EXE-1DC04744.pf
6288.exe is moved here: C:\Program Files\Internet Explorer\6288.exe

file E6288.exe is created in c:\ directory and most likely ran
CMD.exe erases E6288.exe
batch file is also created I think e6288.bat which checks for the
existence of E6288.exe and deletes it if ti exists and then deletes
itself.

downloaded Trojan is now loaded and running.
A file called x.exe is downloaded and ran

registry keys are modified hijacking Internet explorer.

to make sure its ran upon startup svchost.exe is loaded from
c:\windows by registry key data

What I did to clean my PC
:
1) disconnect form the Internet to prevent re- infection.

2) run task manager and find the "svchost.exe" process that IS NOT
started by NETWORK SERVICE, SYSTEM, or LOCAL SERVICE. It will most
likely have your current user name as the process owner. Kill that
process. This should stop hijacking and the re-appearing web link
icons on your desk top.

3) load NAV with latest definition and do a full scan. This will get
rid of the downloader Trojan but will not fix the hijack (as of yet)

4) Run Ad-aware with latest definitions and the "Scan host file"
option turned on. You must customize your scan options to do this.
This will flag all the cookies created during the hijack and will
flag hijack attempts with your hosts file (in my case I just deleted
my host file instead of letting ad aware fix it). Delete them.

5) run hijack this and delete any registry entry containing
http://freednshost.info/page/ in it

6) delete any leftover entries with "Hosts: 213.159.118.226..."

7) delete references with "C:\WINDOWS\svchost.exe -sr -1"


8) delete or rename file "c:\windows\svchost.exe"
Note: the legitimate svchost.exe file exists in "C:\windows\system32\"
and C:\windows\system32\ddlcashe\" DO NOT DELETE THESE FILES

9) clean out you start menu, delete those pesky desktop icons, reset
your start page, and reset your Internet explorer options to the way
they were. The hijacker probably set your browser to blindly accept
and install other virus and hijack programs.

Hope this helps... It worked for me.




Here is the Hijack This log file:

The R0, R1, O1 files are all added by this hijacker.

Logfile of HijackThis v1.97.7
Scan saved at 02:35:47, on 10/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\rundll32.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and
Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL
= http://freednshost.info/page/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://freednshost.info/page/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = http://freednshost.info/page/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://freednshost.info/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://freednshost.info/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL
= http://freednshost.info/page/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://freednshost.info/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page = http://freednshost.info/page/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://freednshost.info/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
http://freednshost.info/page/
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
http://213.159.118.226/sp.php
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 aifind.info
O1 - Hosts: 213.159.118.226 allneedsearch.com
O1 - Hosts: 213.159.118.226 approvedlinks.com
O1 - Hosts: 213.159.118.226 auto.ie.searchforge.com
O1 - Hosts: 213.159.118.226 awebfind.biz
O1 - Hosts: 213.159.118.226 best.royalsearch.net
O1 - Hosts: 213.159.118.226 cracks.am
O1 - Hosts: 213.159.118.226 default-homepage-network.com
O1 - Hosts: 213.159.118.226 find.microgirls.com
O1 - Hosts: 213.159.118.226 find4u.net
O1 - Hosts: 213.159.118.226 freshvideogals.com
O1 - Hosts: 213.159.118.226 i-lookup.com
O1 - Hosts: 213.159.118.226 ie-search.com
O1 - Hosts: 213.159.118.226 in.webcounter.cc
O1 - Hosts: 213.159.118.226 itseasy.us
O1 - Hosts: 213.159.118.226 just.find-itnow.com
O1 - Hosts: 213.159.118.226 link.startmake.com
O1 - Hosts: 213.159.118.226 mysearchnow.com
O1 - Hosts: 213.159.118.226 nativehardcore.com
O1 - Hosts: 213.159.118.226 qwertysearch123.biz
O1 - Hosts: 213.159.118.226 search.ieplugin.com
O1 - Hosts: 213.159.118.226 search.psn.cn
O1 - Hosts: 213.159.118.226 searchbar.findthewebsiteyouneed.com
O1 - Hosts: 213.159.118.226 searchcentrix.com
O1 - Hosts: 213.159.118.226 searchmyrequest.com
O1 - Hosts: 213.159.118.226 super-spider.com
O1 - Hosts: 213.159.118.226 t.rack.cc
O1 - Hosts: 213.159.118.226 teen-biz.com
O1 - Hosts: 213.159.118.226 teenhqpics.com
O1 - Hosts: 213.159.118.226 tits.hardcore4ever.net
O1 - Hosts: 213.159.118.226 webcoolsearch.com
O1 - Hosts: 213.159.118.226 wmmse.com
O1 - Hosts: 213.159.118.226 www.008i.com
O1 - Hosts: 213.159.118.226 www.2fastsearch.net
O1 - Hosts: 213.159.118.226 www.8095.com
O1 - Hosts: 213.159.118.226 www.alfa-search.com
O1 - Hosts: 213.159.118.226 www.boredlife.com
O1 - Hosts: 213.159.118.226 www.couldnotfind.com
O1 - Hosts: 213.159.118.226 www.cracks.am
O1 - Hosts: 213.159.118.226 www.daum.net
O1 - Hosts: 213.159.118.226 www.dreamwiz.com
O1 - Hosts: 213.159.118.226 www.find-itnow.com
O1 - Hosts: 213.159.118.226 www.find-itnow.com
O1 - Hosts: 213.159.118.226 www.find4u.net
O1 - Hosts: 213.159.118.226 www.firstbookmark.com
O1 - Hosts: 213.159.118.226 www.gajai.com
O1 - Hosts: 213.159.118.226 www.hand-book.com
O1 - Hosts: 213.159.118.226 www.hao123.com
O1 - Hosts: 213.159.118.226 www.hotsearchbox.com
O1 - Hosts: 213.159.118.226 www.hotwebsearch.com
O1 - Hosts: 213.159.118.226 www.hugesearch.net
O1 - Hosts: 213.159.118.226 www.iquicksearch.com
O1 - Hosts: 213.159.118.226 www.lookfor.cc
O1 - Hosts: 213.159.118.226 www.maxxxhosters.com
O1 - Hosts: 213.159.118.226 www.naver.com
O1 - Hosts: 213.159.118.226 www.nkvd.us
O1 - Hosts: 213.159.118.226 www.novafuck.com
O1 - Hosts: 213.159.118.226 www.ohcorea.com
O1 - Hosts: 213.159.118.226 www.omega-search.com
O1 - Hosts: 213.159.118.226 www.onet.pl
O1 - Hosts: 213.159.118.226 www.power-search.info
O1 - Hosts: 213.159.118.226 www.rightfinder.net
O1 - Hosts: 213.159.118.226 www.search-1.net
O1 - Hosts: 213.159.118.226 www.search-and-go.com
O1 - Hosts: 213.159.118.226 www.search-dot.com
O1 - Hosts: 213.159.118.226 www.search-space.com
O1 - Hosts: 213.159.118.226 www.searchforge.com
O1 - Hosts: 213.159.118.226 www.searching-the-net.com
O1 - Hosts: 213.159.118.226 www.searchv.com
O1 - Hosts: 213.159.118.226 www.searchxl.com
O1 - Hosts: 213.159.118.226 www.seznam.cz
O1 - Hosts: 213.159.118.226 www.slotch.com
O1 - Hosts: 213.159.118.226 www.spidersearch.com
O1 - Hosts: 213.159.118.226 www.startium.com
O1 - Hosts: 213.159.118.226 www.therealsearch.com
O1 - Hosts: 213.159.118.226 www.ttjj.com
O1 - Hosts: 213.159.118.226 www.viewpornkey.com
O1 - Hosts: 213.159.118.226 www.wazzupnet.com
O1 - Hosts: 213.159.118.226 www.websearch.com
O1 - Hosts: 213.159.118.226 www.windowws.cc
O1 - Hosts: 213.159.118.226 www.xgmm.com
O1 - Hosts: 213.159.118.226 xwebsearch.biz
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -1
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svchost.exe -sr -1
O8 - Extra context menu item: Debt Solutions - http://213.159.118.226/tools.php?qq=Debt+Solutions
O8 - Extra context menu item: Party Poker - http://213.159.118.226/tools.php?qq=Party+Poker
O8 - Extra context menu item: Party Poker.com - http://213.159.118.226/tools.php?qq=Party+Poker.com
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Party Poker.com (HKLM)
O9 - Extra 'Tools' menuitem: Party Poker (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Debt Solutions (HKLM)
O13 - DefaultPrefix: http://freednshost.info/page/
O13 - WWW Prefix: http://freednshost.info/page/
O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://www.midasplayer.com/midasa.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38069.3154513889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CBD6F16-7DF3-4E64-A70F-BEA155C01C19}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CBD6F16-7DF3-4E64-A70F-BEA155C01C19}: NameServer = 194.168.4.100 194.168.8.100
 