Solved

What the hell: Warning you visited an illegal Pedo site

Posted on 2004-04-10
Last Modified: 2007-12-19
Hello, I was browsing some sites earlier today and I got a message from Norton Antivirus which said malicious script is trying to execute, so I cancelled it from executing. However, for some reason now

A browser opens with a message "Warning you visited an illegal Pedo site" every five minutes (address = http://81.211.105.49/)
and my homepage keeps changing to http://freednshost.info/ even if I change it back to yahoo

I think a virus has been installed

Can anyone tell me how to fix this?
0
Question by:auk_ie
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 350 total points
ID: 10797829
You have downloaded some spyware onto your system...

Spyware/Adware removal tools
------------------------------

What is spyware : http://www.spychecker.com/spyware.html

SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml 

Ad-aware : http://www.webattack.com/download/dladaware.shtml 

You may also want to check your Host file for anything that is not:   localhost  127.0.0.1

FE
0
 
LVL 22

Assisted Solution

by:Bartender_1
Bartender_1 earned 75 total points
ID: 10797831
Hi auk_ie,
It sounds as if your browser has been hijacked, I recommend using this to correct the problem:
CWShredder: http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

(Please note, you may have to run it more than once to get everything completely cleaned out.)

Hope this helps!

:o)

Bartender_1
0
 
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 75 total points
ID: 10797833
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797838
Check these registry entries

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar


and remove http://freednshost.info/  if present
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797840
You can also try these if the above does not work:

CWShredder (hijack removal):  http://www.spywareinfo.com/~merijn/downloads.html

HijackThis : http://www.webattack.com/download/dlhijackthis.shtml 
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797843
Forgot to mention .. after installing and before running these tools , update them all
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797846
Boy did this thread get hammered quickly..!!   :)

FE
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797851
Fatal_Exception,
> Boy did this thread get hammered quickly..!!   :)

Sure, as long as I am free today.. LOL !

Got to help my friend here on his thesis work so won't be much active for next 30 mins.... I know you will rock
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797854
*grin*
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797872
FYI, SB is on vacation and is coming back tonight.. Can't do much from tomorrow though.....
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797879
Wondered where he has been lately...   Good to hear someone gets to take vacations..
0
 

Author Comment

by:auk_ie
ID: 10797966
I tried SpyBot-S&D, but it didn't work. There has to be some exe most likely running as a service that periodically

opens a browser
creates links on my desktop
and set a new homepage for me

Is there no way I can manually find and remove this?

Should I just keep trying the spy utils? That sounds like a bit of a hit and hope idea
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798019
It is probably in your Host file..

Look in this folder:

c:\windows\system32\drivers\etc

Open the host file with Notepad...  Then delete any and all entries BUT the localhost reference to 127.0.0.1

FE
0
 

Author Comment

by:auk_ie
ID: 10798109
What is the Host File? What's it called?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798186
If you go to the folder I mentioned.. you will find host there..  You can also open Notepad and then File > Open and navigate to that location and open it..  

It could be that the attributes have been turned on too..  In this case, open Explorer and then Tools > Folder Options > View tab..  select to Show Hidden Files and Folders..

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798191
BTW:  the host file helps with name resolution..  here is a link to provide more understanding of the host file..

The short answer is that the Hosts file is like an address book. When you type an address like www.yahoo.com into your browser, the Hosts file is consulted to see if you have the IP address, or "telephone number," for that site. If you do, then your computer will "call it" and the site will open. If not, your computer will ask your ISP's (internet service provider) computer for the phone number before it can "call" that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. Therefore, most of the time your computer asks for the IP address from your ISP to find sites.

http://www.accs-net.com/hosts/what_is_hosts.html
0
 

Author Comment

by:auk_ie
ID: 10798283
Yeah, I opened the host file. There was a whole lot of crap I didn't recognise, so I deleted it all. Then that stupid spy program executed again and threw all this into the host file

0
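The hosts-file check discussed in this thread, as an added example (not code from any poster): it parses a hosts file, accepts only the loopback `localhost` mapping the experts say to keep, and flags everything else, including many names redirected to one routable address as in the post above. The sample file, the function names and the `cluster_threshold` value are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file: documentation-range address and example
# names, not the entries posted in this thread.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
203.0.113.10    search.example.com www.search.example.net   # injected
203.0.113.10    www.portal.example.org
203.0.113.10\twww.finder.example
0.0.0.0         ads.example.com
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip_text, [names]) per mapping line, comments stripped."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield no, fields[0], [n.lower().rstrip(".") for n in fields[1:]]

def audit_hosts(text, cluster_threshold=3):
    """Return (line_no, kind, detail) for every entry except loopback localhost."""
    findings, by_ip = [], defaultdict(set)
    for no, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((no, "malformed-address", ip_text))
            continue
        for name in names:
            if ip.is_loopback and name == "localhost":
                continue  # the only mapping the thread says to keep
            if ip.is_loopback or ip.is_unspecified:
                findings.append((no, "sinkhole", name))  # name pinned to a dead address
            else:
                findings.append((no, "redirect", f"{name} -> {ip}"))
                by_ip[str(ip)].add(name)
    # Many names forced onto one routable address is the hijack pattern (line_no 0).
    for ip, names in sorted(by_ip.items()):
        if len(names) >= cluster_threshold:
            findings.append((0, "redirect-cluster", f"{ip} serves {len(names)} names"))
    return findings

if __name__ == "__main__":
    for line_no, kind, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no or '-'}: {kind}: {detail}")
```

To audit a real machine, pass the text of the `hosts` file from the folder named earlier in the thread to `audit_hosts`; a file that is rewritten after cleaning, as described above, means the process writing it is still running.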
 
LVL 59

Expert Comment

by:LeeTutor
ID: 10798479
You say you tried SpyBot Search & Destroy.  I would also try LavaSoft AdAware.  I use both on all three of the Windows versions I multiboot (98, ME, and XP Pro.)  What one tool misses, the other catches.  And make sure you have downloaded the latest data updates with both programs.  Also try CWShredder...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798513
Yep.. you have definitely been hijacked...  

CWShredder (above) should kill this for you..  If not, then download and run Hijackthis (also above) and post the results here..  we will try to sort this out for you..

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798516
One more thing..  you might try running the Anti-Spyware program in Safe mode..  It helps if nothing is loaded when it is executing..

FE
0
 

Author Comment

by:auk_ie
ID: 10798585
Hello I also tried Ad-aware : http://www.webattack.com/download/dladaware.shtml but with no luck

However, I did make some progress, I found a process called rundll.exe and terminated it. Now that stupid web page doesn't appear every 5 minutes or so, the favourites and shortcuts are not created etc.

Still though, Whenever I change my home page settings they change back to http://81.211.105.49/.

Before I terminated the process rundll.exe it used to change to http://freednshost.info/

Anyway I'll try CWShredder now
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798627
yes.. try shredder..  but make sure you turn off everything in the startup menu..  Use msconfig to do this (Start > Run > msconfig)

Or boot to safe mode to kill it..

FE
0
 
LVL 16

Expert Comment

by:joinaunion
ID: 10800000
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10801052
Thanks..  and Happy Easter..

FE
0
 

Author Comment

by:auk_ie
ID: 10802589
You too
0
 

Expert Comment

by:sgt1035
ID: 10975859
'Grokster' is known to considerably slow a system down causing many programs to eventually crash. It also is known to change your network & internet connections.

Pest Patrol is terrific at handling this and most other 'Pests'. I usually run it after AdAware & Spybot.
0
