HijackThis Help (Browser hijacked) - Can Be closed


jasignhagj

I am having serious problems with my internet. Whenever I search for something on Google, and I click on one of the results, I am redirected to some other site. Normally it is one of those search engines no one uses. I also was unable to go to any site involving spyware removal. Downloading and running Hotspot Shield stops this from happening. That was fine for a while, but soon I found out that it sometimes redirects me to uh... naughty sites. This is a shared computer, and it would be impossible to explain proxies to my mom. If my mom ever got redirected to one of those sites, I would be in so much crap I would drown.

I tried using IE 7, but it closes after about 5 minutes of running. I downloaded Spybot S&D, but I am unable to open the interface. I know it is working because it still detects and warns me about registry edits. My computer is also running unusually sluggishly. It's a Dell Dimension 8200 running with 512 MB RAM and Windows XP 32-bit SP2.

Please help

Link to comment
Share on other sites

Restart in safe mode with networking options (boot up PC and hit F9). Then download:

- Ad-Aware http://www.lavasoft.com/
- Avira http://www.avira.com/

Run both of their scans while in safe mode and see if it picks up anything. The reason why I recommend safe mode is chances are the virus won't work and won't be able to block anything from happening there.

Link to comment
Share on other sites

It's actually F8 that brings you to safe mode.

If that doesn't work, and you can't do a virus scan or can't get it to update, you have two practical options:

Reinstall OS: Back up any files you need beforehand, put in a new OS disc, format the drives and presto - default'd computer.

or

Buy an external hard drive hub, SATA or IDE depending on what type of bus your hard drive is. Hook the infected hard drive into a different computer at your house then scan it individually, attempting to eradicate all malware.

[iNSERT "I R EATIN TEH SHIX ATM" BILL COSBY SIGNATURE GIF HERE, LOL]

Link to comment
Share on other sites

Also, check your hosts file.

Go to Windows Explorer, and navigate to "C:\WINDOWS\SYSTEM32\DRIVERS\ETC". Double click to open the "hosts" file. When it prompts you to ask what you want to open it with, choose "Notepad". Then either copy and paste the contents into your post, or into a PM and send it to me if you feel uncomfortable showing it in public.

Retired Tip.It Crew Mapper.

Link to comment
Share on other sites

I don't know if this is right...

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#

# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Link to comment
Share on other sites

I had something similar a few months ago, it's a particularly nasty piece of spyware. To get rid of it, I used something called "hijackthis", which shows you recent registry changes and allows you to undo them. It's a very dangerous tool, so if you don't know how to use it, go get help on one of the many forums out there that will offer it.

Link to comment
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:17 PM, on 6/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss[Caution: Executable File]
C:\WINDOWS\system32\winlogon[Caution: Executable File]
C:\WINDOWS\system32\services[Caution: Executable File]
C:\WINDOWS\system32\lsass[Caution: Executable File]
C:\WINDOWS\system32\svchost[Caution: Executable File]
C:\WINDOWS\System32\svchost[Caution: Executable File]
C:\WINDOWS\system32\spoolsv[Caution: Executable File]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService[Caution: Executable File]
C:\PROGRA~1\AVG\AVG8\avgwdsvc[Caution: Executable File]
C:\Program Files\Bonjour\mDNSResponder[Caution: Executable File]
C:\WINDOWS\System32\cisvc[Caution: Executable File]
C:\Program Files\Hotspot Shield\bin\openvpnas[Caution: Executable File]
C:\Program Files\Hotspot Shield\HssWPR\hsssrv[Caution: Executable File]
C:\Program Files\iPod Access for Windows\iPAHelper[Caution: Executable File]
C:\PROGRA~1\AVG\AVG8\avgrsx[Caution: Executable File]
C:\PROGRA~1\AVG\AVG8\avgnsx[Caution: Executable File]
C:\Program Files\Java\jre6\bin\jqs[Caution: Executable File]
C:\Program Files\Kodak\printer\center\KodakSvc[Caution: Executable File]
C:\WINDOWS\system32\nvsvc32[Caution: Executable File]
C:\WINDOWS\System32\svchost[Caution: Executable File]
C:\PROGRA~1\AVG\AVG8\avgemc[Caution: Executable File]
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc[Caution: Executable File]
C:\Program Files\AVG\AVG8\avgcsrvx[Caution: Executable File]
C:\Program Files\Canon\CAL\CALMAIN[Caution: Executable File]
C:\WINDOWS\Explorer[Caution: Executable File]
C:\WINDOWS\system32\ctfmon[Caution: Executable File]
C:\WINDOWS\System32\svchost[Caution: Executable File]
C:\Program Files\Common Files\InstallShield\UpdateService\issch[Caution: Executable File]
C:\Program Files\Microsoft IntelliPoint\ipoint[Caution: Executable File]
C:\Program Files\Common Files\Real\Update_OB\realsched[Caution: Executable File]
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2[Caution: Executable File]
C:\PROGRA~1\AVG\AVG8\avgtray[Caution: Executable File]
C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor[Caution: Executable File]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI[Caution: Executable File]
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth[Caution: Executable File]
C:\Program Files\Pure Networks\Network Magic\nmapp[Caution: Executable File]
C:\Program Files\iTunes\iTunesHelper[Caution: Executable File]
C:\Program Files\Spybot - Search & Destroy\TeaTimer[Caution: Executable File]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem[Caution: Executable File]
C:\Program Files\Hotspot Shield\bin\openvpntray[Caution: Executable File]
C:\Program Files\iPod\bin\iPodService[Caution: Executable File]
C:\WINDOWS\system32\cidaemon[Caution: Executable File]
C:\WINDOWS\system32\cidaemon[Caution: Executable File]
C:\Program Files\iTunes\iTunes[Caution: Executable File]
C:\Program Files\Mozilla Firefox\firefox[Caution: Executable File]
C:\Documents and Settings\Daniel\My Documents\HiJackThis[Caution: Executable File]

 

 

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office 2007\Office12\GrooveShellExtensions.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud[Caution: Executable File]
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb[Caution: Executable File] /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect[Caution: Executable File]
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd[Caution: Executable File]
O4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm[Caution: Executable File]" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch[Caution: Executable File]" -start
O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint[Caution: Executable File]"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched[Caution: Executable File]" -osboot
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2[Caution: Executable File]"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray[Caution: Executable File]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32[Caution: Executable File] C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz[Caution: Executable File] /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32[Caution: Executable File] C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl[Caution: Executable File]"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor[Caution: Executable File]"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI[Caution: Executable File]
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth[Caution: Executable File]"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp[Caution: Executable File]" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: Executable File]" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper[Caution: Executable File]"
O4 - HKCU\..\Run: [ctfmon[Caution: Executable File]] C:\WINDOWS\system32\ctfmon[Caution: Executable File]
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer[Caution: Executable File]
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify[Caution: Executable File] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator[Caution: Executable File] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify[Caution: Executable File] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator[Caution: Executable File] (User 'Default user')
O4 - Startup: PowerReg Scheduler V3[Caution: Executable File]
O4 - Global Startup: Clip Art and Photos Readme.lnk = C:\Documents and Settings\Donald\My Documents\~$asons Greetings.doc
O4 - Global Startup: Font Manager.lnk = C:\Program Files\Cosmi\Greeting Card Magic\gcmfont[Caution: Executable File]
O4 - Global Startup: Free Offers.lnk = C:\Program Files\Cosmi\Greeting Card Magic\millenium.PDF
O4 - Global Startup: Greeting Card Phrases.lnk = C:\Documents and Settings\Donald\My Documents\Viv 75.sig
O4 - Global Startup: Install Photo Editor.lnk = C:\Program Files\Cosmi\Greeting Card Magic\Photo Editor\photos[Caution: Executable File]
O4 - Global Startup: Manual.lnk = C:\Program Files\Cosmi\Greeting Card Magic\gcm.PDF
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Readme.lnk = C:\Program Files\Cosmi\Greeting Card Magic\AREAD32.txt
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL[Caution: Executable File]/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag[Caution: Executable File]
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag[Caution: Executable File]
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3412876908
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5989060156
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B0AADD3-D607-468C-A893-8D23785AE463}: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office 2007\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService[Caution: Executable File]
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc[Caution: Executable File]
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc[Caution: Executable File]
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder[Caution: Executable File]
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN[Caution: Executable File]
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst[Caution: Executable File] (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService[Caution: Executable File]
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas[Caution: Executable File]
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv[Caution: Executable File]
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService[Caution: Executable File]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT[Caution: Executable File]
O23 - Service: iPAHelper[Caution: Executable File] - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper[Caution: Executable File]
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService[Caution: Executable File]
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs[Caution: Executable File]
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc[Caution: Executable File]
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache[Caution: Executable File]
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc[Caution: Executable File]
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32[Caution: Executable File]

--
End of file - 12466 bytes

Link to comment
Share on other sites

I hate to be the bearer of bad news, but there does not seem to be anything wrong with your "processes" or "registry" file.

My advice would be to go poking around where the Internet Explorer file resides and tell us about any strange files there.

Quote - Revenge is such a nasty thing that only breeds more vengeful souls, but in some situations revenge does not even need to be sought out, but only bided.

Link to comment
Share on other sites

It is located here:

C:\Program Files\Internet Explorer

The mischievous file should be in one of those files where IE is if it is being redirected.

Quote - Revenge is such a nasty thing that only breeds more vengeful souls, but in some situations revenge does not even need to be sought out, but only bided.

Link to comment
Share on other sites

Actually, I was waiting for someone that has actually no problems reading those to post, but it seems none of them logged in in the last days. I'll post what I think you should remove. I didn't have time until today to do that.

Have you installed a program called PowerReg? If not: O4 - Startup: PowerReg Scheduler V3[Caution: Executable File]

The following three lines:

O17 - HKLM\System\CCS\Services\Tcpip\..\{3B0AADD3-D607-468C-A893-8D23785AE463}: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146

Link to comment
Share on other sites

Really, really sounds like you have the smitfraud virus. If you can, use a library or a friend's computer to download Netscape 7.1 or any old Netscape browser that still works, burn to CD and load on your comp, as the hijacker with the smitfraud virus does not work on it. Then surf for smitfraud and virtumonde fixes. Went through this last year and it is truly a pain in the butt. You most commonly get the smitfraud virus from sites that use the small pop-up window that says "warning your computer may be at risk" click here for a free scan. Sound familiar?

Link to comment
Share on other sites

O17 - HKLM\System\CCS\Services\Tcpip\..\{3B0AADD3-D607-468C-A893-8D23785AE463}: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146

My eyes glanced right on over that, but it would appear that McAfee has been alerted to the site and others have already found out that it does indeed redirect you to sites that you would not go to otherwise.

http://sunbeltblog.blogspot.com/2009/05 ... orthy.html

Here are some snippets of what it does:

00402040 - DnsFlushResolverCache
00402058 - dnsapi
00402060 - DhcpNotifyConfigChange
00402078 - dhcpcsvc
00402084 - DhcpNameServer
00402094 - NameServer
004020A0 - SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s
0040219A - SHSetValueA
004021A6 - SHLWAPI.dll
004021B4 - GetAdaptersInfo
004021C4 - iphlpapi.dll
004021D4 - _snprintf
004021DE - ntdll.dll
004021E8 - WS2_32.dll

Quote - Revenge is such a nasty thing that only breeds more vengeful souls, but in some situations revenge does not even need to be sought out, but only bided.

Link to comment
Share on other sites
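
The O17 lines singled out in this thread can be checked mechanically. The following Python script is an added example, not part of any post above and not HijackThis's own code: it parses O17 entries from a HijackThis log and reports NameServer or DhcpNameServer addresses that are neither in a private range nor on a caller-supplied trusted list. The function name, the `trusted` parameter and the two sample lines marked as constructed are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# First three lines are the O17 entries quoted in the thread; the last two
# are constructed so the benign and non-resolver paths are exercised.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B0AADD3-D607-468C-A893-8D23785AE463}: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.local
"""

# "O17 - <registry key>: <value name> = <data>"
O17_LINE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<data>.*)$")
# Registry values that hold DNS resolver addresses.
RESOLVER_VALUES = {"nameserver", "dhcpnameserver"}


def unexpected_resolvers(log_text, trusted=()):
    """Map each resolver that is neither private nor trusted to the keys setting it.

    `trusted` is a list of networks in CIDR form (for example the ISP's
    resolvers) supplied by whoever reviews the log.
    """
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = O17_LINE.match(line.strip())
        if not m or m["name"].lower() not in RESOLVER_VALUES:
            continue
        # Windows stores several resolvers separated by commas or spaces.
        for token in re.split(r"[,\s]+", m["data"].strip()):
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                # Not an IP address at all: surface it for manual review.
                findings[token].append(m["key"])
                continue
            if ip.is_private or any(ip in net for net in trusted_nets):
                continue
            findings[str(ip)].append(m["key"])
    return dict(findings)


if __name__ == "__main__":
    for ip, keys in unexpected_resolvers(SAMPLE_LOG).items():
        print(f"{ip} set in {len(keys)} key(s):")
        for key in keys:
            print(f"  {key}")
```

The same public resolver pair appearing under the global Parameters key, a second control set and an interface key, as in this log, is the pattern worth a closer look; a DHCP-assigned router address would normally show up as a private address instead.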
