Solved

What the hell: Warning you visited an illegal Pedo site

Posted on 2004-04-10
Last Modified: 2007-12-19
Hello, I was browsing some sites earlier today and I got a message from Norton AntiVirus which said a malicious script is trying to execute, so I cancelled it from executing. However, for some reason now

a browser opens with a message "Warning you visited an illegal Pedo site" every five minutes (address = http://81.211.105.49/)
and my homepage keeps changing to http://freednshost.info/ even if I change it back to Yahoo

I think a virus has been installed

Can anyone tell me how to fix this?
Question by:auk_ie
LVL 40

Accepted Solution

by:
Fatal_Exception earned 350 total points
ID: 10797829
You have downloaded some spyware onto your system...

Spyware/Adware removal tools
------------------------------

What is spyware : http://www.spychecker.com/spyware.html

SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml

Ad-aware : http://www.webattack.com/download/dladaware.shtml

You may also want to check your Host file for anything that is not:   localhost  127.0.0.1

FE
0
 
LVL 22

Assisted Solution

by:Bartender_1
Bartender_1 earned 75 total points
ID: 10797831
Hi auk_ie,
It sounds as if your browser has been hijacked. I recommend using this to correct the problem:
CWShredder: http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

(Please note, you may have to run it more than once to get everything completely cleaned out.)

Hope this helps!

:o)

Bartender_1
0
 
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 75 total points
ID: 10797833
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797838
Check these registry entries

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar


and remove http://freednshost.info/  if present
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797840
You can also try these if the above does not work:

CWShredder (hijack removal):  http://www.spywareinfo.com/~merijn/downloads.html

HijackThis : http://www.webattack.com/download/dlhijackthis.shtml
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797843
Forgot to mention: after installing and before running these tools, update them all.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797846
Boy did this thread get hammered quickly..!!   :)

FE
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797851
Fatal_Exception,
> Boy did this thread get hammered quickly..!!   :)

Sure, as long as I am free today.. LOL !

Got to help my friend here on his thesis work, so won't be much active for next 30 mins.... I know you will rock
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797854
*grin*
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797872
FYI, SB is on vacation and is coming back tonight.. Can't do much from tomorrow though.....
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797879
Wondered where he has been lately...   Good to hear someone gets to take vacations..
0
 

Author Comment

by:auk_ie
ID: 10797966
I tried SpyBot-S&D, but it didn't work. There has to be some exe, most likely running as a service, that periodically

opens a browser
creates links on my desktop
and sets a new homepage for me

Is there no way I can manually find and remove this?

Should I just keep trying the spy utils? That sounds like a bit of a hit and hope idea
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798019
It is probably in your Host file..

Look in this folder:

c:\windows\system32\drivers\etc

Open the host file with Notepad...  Then delete any and all entries BUT the localhost reference to 127.0.0.1

FE
0

Author Comment

by:auk_ie
ID: 10798109
What is the Host File? What's it called?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798186
If you go to the folder I mentioned.. you will find host there..  You can also open Notepad and then File > Open and navigate to that location and open it..  

It could be that the attributes have been turned on too..  In this case, open Explorer and then Tools > Folder Options > View tab..  select to Show Hidden Files and Folders..

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798191
BTW:  the host file helps with name resolution..  here is a link to provide more understanding of the host file..

The short answer is that the Hosts file is like an address book. When you type an address like www.yahoo.com into your browser, the Hosts file is consulted to see if you have the IP address, or "telephone number," for that site. If you do, then your computer will "call it" and the site will open. If not, your computer will ask your ISP's (internet service provider) computer for the phone number before it can "call" that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. Therefore, most of the time your computer asks for the IP address from your ISP to find sites.

http://www.accs-net.com/hosts/what_is_hosts.html
0
 

Author Comment

by:auk_ie
ID: 10798283
Yeah, I opened the host file. There was a whole lot of crap I didn't recognise, so I deleted it all. Then that stupid spy program executed again and threw all this into the host file

0
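The hosts-file check recommended in this thread (keep only the localhost mapping to 127.0.0.1), as an added example that is not part of any post: it parses a hosts file, reports every other entry, and groups the entries by the address they point to so a block of names pinned to one server stands out. The sample file is constructed; 203.0.113.10 is a documentation address and the host names are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: documentation address and made-up names.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    search.example.com
203.0.113.10    www.portal.example.net   # injected
203.0.113.10    www.example.org mail.example.org
0.0.0.0         ads.example.com
not-an-ip       broken.example.com
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:                  # one line may carry several aliases
            yield line_no, fields[0], name.lower()

def audit_hosts(text):
    """Return {address: [hostnames]} for entries other than the localhost mapping."""
    suspicious = defaultdict(list)
    for _line_no, addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            suspicious["<invalid>"].append(name)  # malformed line: review by hand
            continue
        if ip.is_loopback and name == "localhost":
            continue                               # the one entry expected on a clean system
        suspicious[str(ip)].append(name)
    return dict(suspicious)

def redirect_targets(findings):
    """Addresses names are redirected to: neither loopback nor 0.0.0.0."""
    ips = (ipaddress.ip_address(a) for a in findings if a != "<invalid>")
    return sorted(str(ip) for ip in ips if not (ip.is_loopback or ip.is_unspecified))

if __name__ == "__main__":
    findings = audit_hosts(SAMPLE_HOSTS)
    for addr, names in findings.items():
        print(f"{addr}: {len(names)} name(s): {', '.join(names)}")
    print("redirect targets:", redirect_targets(findings))
```

Entries mapped to 0.0.0.0 or a loopback address are still reported by `audit_hosts` but are left out of `redirect_targets`, because they block a name rather than send it to another server.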
 
LVL 59

Expert Comment

by:LeeTutor
ID: 10798479
You say you tried SpyBot Search & Destroy.  I would also try LavaSoft AdAware.  I use both on all three of the Windows versions I multiboot (98, ME, and XP Pro.)  What one tool misses, the other catches.  And make sure you have downloaded the latest data updates with both programs.  Also try CWShredder...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798513
Yep.. you have definitely been hijacked...  

CWShredder (above) should kill this for you..  If not, then download and run Hijackthis (also above) and post the results here..  we will try to sort this out for you..

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798516
One more thing..  you might try running the Anti-Spyware program in Safe mode..  It helps if nothing is loaded when it is executing..

FE
0
 

Author Comment

by:auk_ie
ID: 10798585
Hello, I also tried Ad-aware : http://www.webattack.com/download/dladaware.shtml but with no luck

However, I did make some progress: I found a process called rundll.exe and terminated it. Now that stupid web page doesn't appear every 5 minutes or so, the favourites and shortcuts are not created, etc.

Still though, whenever I change my home page settings they change back to http://81.211.105.49/.

Before I terminated the process rundll.exe it used to change to http://freednshost.info/

Anyway I'll try CWShredder now
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798627
yes.. try shredder..  but make sure you turn off everything in the startup menu..  Use msconfig to do this (Start > Run > msconfig)

Or boot to safe mode to kill it..

FE
0
 
LVL 16

Expert Comment

by:joinaunion
ID: 10800000
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10801052
Thanks..  and Happy Easter..

FE
0
 

Author Comment

by:auk_ie
ID: 10802589
You too
0
 

Expert Comment

by:sgt1035
ID: 10975859
'Grokster' is known to considerably slow a system down, causing many programs to eventually crash. It also is known to change your network & internet connections.

Pest Patrol is terrific at handling this and most other 'Pests'. I usually run it after AdAware & Spybot.
0
