Being spun to a Google page??? page 2

Sat, Jan 21 2006 0:25
Fucktard
San Diego, California
Posts 3,043
Retired Moderator
Yeah I noticed those but I figured you knew they were open and some of them were for your ISP, or something you opened recently.
Everyone make sure to delete any email that you don't recognize... there are a ton of worms going around right now and they are a pain to fix. Some of the newer ones (as stated in other threads here) are hidden jpeg and mpeg files that plant the worm immediately after clicking. Then it clones itself to like 20 locations in your registry and winblows drive... and then the real fun begins.

F~
Mon, Jan 23 2006 1:42
helium045
Posts 845

I had the Google redirect problem, it was annoying as hell and tried all the usual programs to hopefully get rid of it.  But nothing worked.  I deleted the O17s in HiJackThis and now it's fixed.  THANKS.

Sat, Jan 28 2006 13:04
JS22
Posts 20
you can't just delete stuff from a HJT log lol you are lucky it worked. you shouldn't really be letting us "do" them too. you really have to be reading HJT logs every day to be able to do them right.
Thu, Feb 2 2006 17:18
Animus
Posts 4

First off, I'm a n00b. Hi, great site, I'm impressed!

Okay, more fun for you guys here. I'm a victim of the Google redirect as well. When I'm being redirected, the title bar says "Refresh Page". This affects the domains listed above and more, of course, but the main two that a considerable bulk of PeachyForum's links point to are kinghost and freepornofreeporn.com.

In addition to this, some of the domains sometimes redirect me to spoofed TGPs whose URLs are indicative of product searches and whose links take you to product websites.

For instance, http://www.wannawatch.com/hosted/index.php?ws/kramerika/barefootmaniacs101 takes me to Google searches sometimes, and spoofed TGPs other times. I just tested it, and it took me to http://marketingrealsearch.com/search.php?q=adult%20friend%20finder, the title bar said "Bunny Teens - 31 Fresh Hot Teen Girls Every Day!" and the page displayed was exactly like http://www.bunnyteens.com might be. But, of course, every thumb linked to http://marketingrealsearch.com/click.php?q=adult%20friend%20finder&PHPSESSID=98dad4d8ab055b066655f80917b7ce32. It's also recently taken me to a spoof of http://www.teenax.com/, and the real TeenAx has been redesigned recently -- the spoof showed the old layout.

I've also had Windows Picture and Fax Viewer open up during sessions to try and access "xxx[1].wmf", but I never quite got my head around the whole WMF thing.

In addition to *this*, some domains sometimes take me to one certain fake spyware advert from back in the day, the type that claims it's reading your memory and your desktop and tells you what your ISP and browser are. I know some domains just do that if they've been bought by sly evildoers, but there's clearly spyware or a hijacker of some sort somewhere, and it's getting hard for me to tell what's being hijacked and what's just not there anymore.

Now for solution info. I'm running XP with SP2, and browsing with IE6 (yeah, I know...Firefox...I'm getting round to it!). I use Norton Systemworks 2004 and have Antivirus Auto-Protect and Internet Security enabled most of the time. I check for Spyware using Spybot S&D and have its Resident running, have been removing dodgy HijackThis entries for a while now, and on the advice of this thread now also have ewido. However on running Spybot, ewido, Antivirus and Hijackthis in safe mode and rebooting the problem still occurs.

I was interested in the idea of it being the HOSTS file, but "hosts" in c:\windows\ is completely empty. Is there any way a spyware HOSTS file could have been set up somewhere else and Windows be redirected to use that one instead? Is there a registry entry that tells Windows the path of the HOSTS file? Does anybody know what it is?

Sorry to drag this topic back into the open, but I'm really trying a lot of things here and nothing seems to be working. I can post a HijackThis log if you think it'd be of any use...

Please help, I'd love normal browsing to resume!

Fri, Feb 3 2006 5:27
shhs
Posts 6,255
Animus wrote:

I've also had Windows Picture and Fax Viewer open up during sessions to try and access "xxx[1].wmf", but I never quite got my head around the whole WMF thing.

Hi Animus, welcome to peachy's,

you probably saw the thread on WMF-files as it is in this forum, too.
http://www.peachyforum.com/forums/181476/ShowPost.aspx

Little update on that is:

A few days ago the servers for the help-pages of chip manufacturer AMD were hacked and pics with WMF-exploits and other IE-trojans inserted. So it is now obvious that you can get the stuff also from "clean" or normal pages and not only by surfing the vicious nude and porn sites.....
Sat, Feb 4 2006 8:01
Animus
Posts 4

Oh joy. Thanks for the info. Well, I've definitely applied at least one official Microsoft patch for the vulnerability, but is the patch designed as a fix for machines already affected or a failsafe against future attacks? Or both? Either way, I think I may be getting Firefox sooner than I thought.

It's nice to see a zero-day gaping Microsoft security hole that can be lurking in the most common image file format. You gotta wonder what they're doing all day there.

Anyway, still no access to the affected domains. Nobody seems to know what exactly it is, and even the people who've fixed the problem haven't pinpointed it...

Grrr!

Sat, Feb 4 2006 16:29
Fucktard
San Diego, California
Posts 3,043
Retired Moderator
Animus wrote:

It's nice to see a zero-day gaping Microsoft security hole that can be lurking in the most common image file format. You gotta wonder what they're doing all day there.

90% of their time is now taken by Windows Vista and IE7....the other 10% they are counting their stacks of cash.
I don't think they really care too much (or ever did) about older products like XP or 2000.

F~
Sat, Mar 4 2006 11:43
Merrin
Posts 1

I have deleted O17 - HKLM\System\CCS\Services\Tcpip but I still am redirected on the sites described above. Do I need to delete other files in the Hijack list? The red items, I don't have a clue what they are.

Logfile of HijackThis v1.99.1
Scan saved at 17:30:14, on 4-3-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Download\Virus Adware\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\Stardock\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
I have read somewhere that it can also change your Host entries.

127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 www.dkrx.net #DK
127.0.0.1 x.bonch.net #DK
127.0.0.1 www.altnetp2p.com #DK
127.0.0.1 tss.altnet.com #DK

127.0.0.1 localhost

Thanks in advance for any help.
Sat, Mar 11 2006 6:05
ByMyself001
Posts 1
Hi there,

Had the same problems, and found out this solution:

Check Start -> Control Panel -> Network Connections:
Local Area Connection -> Properties:
There you find "Internet Protocol (TCP/IP)" -> Properties.

Your value in Preferred DNS Server has been changed by "them",
replace it with the values you got from your Service Provider.
That's it.
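The two checks this thread circles around (Animus's HOSTS-file question and ByMyself001's changed DNS server), written up as an added example that is not code from the thread or from HijackThis: it parses HijackThis O17 "NameServer" lines and reports resolvers that are not on the ISP-assigned list, and audits a HOSTS file for names sent anywhere other than loopback. The log lines, HOSTS lines and the trusted resolver addresses are constructed placeholders (RFC 5737 documentation ranges), not values from any real machine.

```python
import re
from ipaddress import ip_address

# Constructed sample in HijackThis log format (placeholder values, not Merrin's log).
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 192.0.2.10,192.0.2.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.0.2.10
O23 - Service: Example Scanner - Unknown owner - C:\Program Files\Example\scan.exe (file missing)
"""

# Resolvers the ISP actually assigned (constructed placeholder addresses).
TRUSTED_DNS = {"198.51.100.1", "198.51.100.2"}

# O17 lines carry the NameServer values HijackThis read from the Tcpip registry keys.
O17_RE = re.compile(r"^O17 - .*NameServer = ([\d.,]+)")

def untrusted_resolvers(log_text, trusted_dns):
    """Return every O17 resolver address that is not in the ISP-assigned set, sorted."""
    found = set()
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if not m:
            continue                      # R0/O2/O23 etc. are not DNS settings
        for server in m.group(1).split(","):
            if server and server not in trusted_dns:
                found.add(server)
    return sorted(found)

# Constructed HOSTS file: one normal entry, one blocklist-style entry, one hijack.
SAMPLE_HOSTS = """
127.0.0.1 localhost
127.0.0.1 x.bonch.net #DK
192.0.2.55 www.google.com
"""

def hijacked_hosts_entries(hosts_text):
    """Return (name, address) pairs that point a hostname anywhere other than loopback."""
    hijacked = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank line or address with no name
        try:
            addr = ip_address(fields[0])
        except ValueError:
            continue                             # malformed address, not a resolvable entry
        if not addr.is_loopback:                 # blocklist entries to 127.0.0.1 are left alone
            hijacked.extend((name, fields[0]) for name in fields[1:])
    return hijacked
```

On Windows the directory holding the HOSTS file is named by the registry value HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath (by default %SystemRoot%\system32\drivers\etc, not C:\WINDOWS itself), so an audit should read the file from whatever that value points at.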

Sun, Mar 26 2006 8:11
Animus
Posts 4

ByMyself:

You have ended almost 6 months of screwing around for me. I can't thank you enough. Revel in the knowledge that you are almighty.
Thank you

Wed, Mar 29 2006 15:02
MK3
Posts 31

ByMyself, you are THE MAN.

Mad props for the help.

Fri, Jun 27 2008 2:16
snowroller
Sweden
Posts 113

Well, this problem is still around and it affects everybody around me and myself. I have a Mac and these computers are immune to spybots and trojans made for Windows (though they can send them to Windows systems unknowingly) so I wonder if the problem is in some router somewhere or a server relaying the information.

I first thought that for the first time a trojan for Windows actually could infest a Macintosh system when what I call the "kinghost problem" first appeared in January 2008, but when my other computer, a Windows computer, showed the exact same problem, even being spun to the same sites, I thought that it must be something in my router. But that is clean so I now wonder whether there is a server somewhere that has been hijacked for this purpose. It doesn't affect any of the other sites I have bookmarked.

The result is that I no longer can see Kinghost, Teenminx and most xfreehosting pages.