Solved

What the hell: Warning you visited an illegal Pedo site

Posted on 2004-04-10
Last Modified: 2007-12-19
Hello, I was browsing some sites earlier today and I got a message from Norton AntiVirus which said a malicious script is trying to execute, so I cancelled it from executing. However, for some reason now:

A browser opens with a message "Warning you visited an illegal Pedo site" every five minutes (address = http://81.211.105.49/)
and my homepage keeps changing to http://freednshost.info/ even if I change it back to Yahoo

I think a virus has been installed

Can anyone tell me how to fix this?
Question by:auk_ie
26 Comments
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 350 total points
ID: 10797829
You have downloaded some spyware onto your system...

Spyware/Adware removal tools
------------------------------

What is spyware : http://www.spychecker.com/spyware.html

SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml 

Ad-aware : http://www.webattack.com/download/dladaware.shtml 

You may also want to check your Host file for anything that is not:   localhost  127.0.0.1

FE
0
 
LVL 22

Assisted Solution

by:Christopher McKay
Christopher McKay earned 75 total points
ID: 10797831
Hi auk_ie,
It sounds as if your browser has been hijacked. I recommend using this to correct the problem:
CWShredder: http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

(Please note, you may have to run it more than once to get everything completely cleaned out.)

Hope this helps!

:o)

Bartender_1
0
 
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 75 total points
ID: 10797833
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797838
Check these registry entries

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar


and remove http://freednshost.info/  if present
0
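
A read-only way to list the values named in the comment above, as an added PowerShell example that is not part of any poster's reply. The two strings it flags are the hostname and address quoted in this thread; it changes nothing in the registry.

```powershell
# Added example: read-only audit of the IE values listed in the comment above.
$suspect = @('freednshost.info', '81.211.105.49')   # strings quoted in this thread

$targets = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
       Names = 'Search Bar', 'Search Page', 'Start Page', 'Default_Page_URL', 'Default_Search_URL' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'; Names = @('(default)') }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Search'
       Names = 'SearchAssistant', 'CustomizeSearch' }
    @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Main'; Names = @('Search Bar') }
)

$report = foreach ($t in $targets) {
    foreach ($name in $t.Names) {
        $item = Get-ItemProperty -Path $t.Key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }            # value not present on this machine
        $value = [string]$item.$name
        $hit = $false
        foreach ($s in $suspect) { if ($value -like "*$s*") { $hit = $true } }
        [pscustomobject]@{ Key = $t.Key; Name = $name; Value = $value; Suspect = $hit }
    }
}

# Flagged values first; everything else is shown so unfamiliar URLs can be reviewed too.
$report | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```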
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797840
You can also try these if the above does not work:

CWShredder (hijack removal):  http://www.spywareinfo.com/~merijn/downloads.html

HijackThis : http://www.webattack.com/download/dlhijackthis.shtml 
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797843
Forgot to mention... after installing and before running these tools, update them all
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797846
Boy did this thread get hammered quickly..!!   :)

FE
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797851
Fatal_Exception,
> Boy did this thread get hammered quickly..!!   :)

Sure, as long as I am free today.. LOL !

got to help my friend here on his thesis work so won't be much active for next 30 mins.... I know you will rock
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797854
*grin*
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10797872
FYI, SB is on vacation and is coming back tonight.. Can't do much from tomorrow though.....
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10797879
Wondered where he has been lately...   Good to hear someone gets to take vacations..
0
 

Author Comment

by:auk_ie
ID: 10797966
I tried SpyBot-S&D, but it didn't work. There has to be some exe, most likely running as a service, that periodically

opens a browser
creates links on my desktop
and sets a new homepage for me

Is there no way I can manually find and remove this?

Should I just keep trying the spy utils? That sounds like a bit of a hit and hope idea
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798019
It is probably in your Host file..

Look in this folder:

c:\windows\system32\drivers\etc

Open the host file with Notepad...  Then delete any and all entries BUT the localhost reference to 127.0.0.1

FE
0
 

Author Comment

by:auk_ie
ID: 10798109
What is the Host File? What's it called?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798186
If you go to the folder I mentioned.. you will find host there..  You can also open Notepad and then File > Open and navigate to that location and open it..  

It could be that the attributes have been turned on too..  In this case, open Explorer and then Tools > Folder Options > View tab..  select to Show Hidden Files and Folders..

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798191
BTW:  the host file helps with name resolution..  here is a link to provide more understanding of the host file..

The short answer is that the Hosts file is like an address book. When you type an address like www.yahoo.com into your browser, the Hosts file is consulted to see if you have the IP address, or "telephone number," for that site. If you do, then your computer will "call it" and the site will open. If not, your computer will ask your ISP's (internet service provider) computer for the phone number before it can "call" that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. Therefore, most of the time your computer asks for the IP address from your ISP to find sites.

http://www.accs-net.com/hosts/what_is_hosts.html
0
 

Author Comment

by:auk_ie
ID: 10798283
Yeah, I opened the host file. There was a whole lot of crap I didn't recognise, so I deleted it all. Then that stupid spy program executed again and threw all this into the host file

0
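
An added example, not part of any poster's reply: a PowerShell check for the hosts file discussed above that lists every mapping other than `127.0.0.1 localhost`, groups the names by address, and records the file's hash and last-write time. `Get-HostsOverride`, `Group-HostsOverride` and `Get-HostsFileState` are names made up here, and the sample lines are constructed with documentation-range addresses.

```powershell
# Added example: audit hosts-file lines for anything other than "127.0.0.1 localhost".
function Get-HostsOverride {
    param([string[]]$Line)
    foreach ($raw in $Line) {
        $text = ($raw -split '#', 2)[0].Trim()            # strip trailing comment
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }             # malformed line, no hostname
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if (($fields[0] -in '127.0.0.1', '::1') -and ($name -eq 'localhost')) { continue }
            [pscustomobject]@{ Address = $fields[0]; HostName = $name }
        }
    }
}
function Group-HostsOverride {                            # many names on one address = redirect
    param([object[]]$Entry)
    if (-not $Entry) { return }
    $Entry | Group-Object Address | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{ Address = $_.Name; Names = $_.Count; HostNames = ($_.Group.HostName -join ', ') }
    }
}
function Get-HostsFileState {                             # snapshot to compare after cleaning
    param([string]$Path)
    $file = Get-Item -LiteralPath $Path -Force            # -Force: the file may be hidden
    [pscustomobject]@{
        LastWriteTime = $file.LastWriteTime
        Attributes    = $file.Attributes
        Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}
# Constructed sample lines (not the file from this thread).
$sample = @(
    '127.0.0.1       localhost'
    '203.0.113.10    search.example.com   # constructed'
    '203.0.113.10    www.example.net portal.example.org'
    '198.51.100.7    intranet.example.test'
)
Group-HostsOverride (Get-HostsOverride -Line $sample) | Format-Table -AutoSize

if ($env:SystemRoot) {                                    # only on a Windows machine
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path -LiteralPath $hosts) {
        Group-HostsOverride (Get-HostsOverride -Line (Get-Content -LiteralPath $hosts -Force)) | Format-Table -AutoSize -Wrap
        Get-HostsFileState -Path $hosts | Format-List
    }
}
```

Comparing the recorded hash and last-write time again a few minutes after cleaning the file shows whether something is still rewriting it, which is what the poster observed.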
 
LVL 59

Expert Comment

by:LeeTutor
ID: 10798479
You say you tried SpyBot Search & Destroy.  I would also try LavaSoft AdAware.  I use both on all three of the Windows versions I multiboot (98, ME, and XP Pro.)  What one tool misses, the other catches.  And make sure you have downloaded the latest data updates with both programs.  Also try CWShredder...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798513
Yep.. you have definitely been hijacked...  

CWShredder (above) should kill this for you..  If not, then download and run Hijackthis (also above) and post the results here..  we will try to sort this out for you..

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798516
One more thing..  you might try running the Anti-Spyware program in Safe mode..  It helps if nothing is loaded when it is executing..

FE
0
 

Author Comment

by:auk_ie
ID: 10798585
Hello I also tried Ad-aware : http://www.webattack.com/download/dladaware.shtml but with no luck

However, I did make some progress: I found a process called rundll.exe and terminated it. Now that stupid web page doesn't appear every 5 minutes or so, the favourites and shortcuts are not created, etc.

Still though, Whenever I change my home page settings they change back to http://81.211.105.49/.

Before I terminated the process rundll.exe it used to change to http://freednshost.info/

Anyway I'll try CWShredder now
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10798627
yes.. try shredder..  but make sure you turn off everything in the startup menu..  Use msconfig to do this (Start > Run > msconfig)

Or boot to safe mode to kill it..

FE
0
 
LVL 16

Expert Comment

by:joinaunion
ID: 10800000
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10801052
Thanks..  and Happy Easter..

FE
0
 

Author Comment

by:auk_ie
ID: 10802589
You too
0
 

Expert Comment

by:sgt1035
ID: 10975859
'Grokster' is known to considerably slow a system down, causing many programs to eventually crash. It also is known to change your network & internet connections.

Pest Patrol is terrific at handling this and most other 'Pests'. I usually run it after AdAware & Spybot.
0
