TechSpot

Hijack me

By mckfodder
Nov 19, 2006
  1. Hi, hope I'm doing this right. I have a problem with Google: it keeps redirecting me all over the place. I have uploaded my HijackThis file. Any help would be great, thank you.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I have moved your thread to the correct forum.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    O11 - Options group: [INTERNATIONAL] International*

    O17 - HKLM\System\CCS\Services\Tcpip\..\{32C2AA72-8659-4CE5-911E-13D1650334B6}: NameServer = 85.255.114.106,85.255.112.123

    O17 - HKLM\System\CCS\Services\Tcpip\..\{56DC4C3B-55BB-46E0-940B-8A99808E7397}: NameServer = 85.255.114.106,85.255.112.123

    O17 - HKLM\System\CCS\Services\Tcpip\..\{75B5E628-8271-4F1C-B114-13DC1C104587}: NameServer = 85.255.114.106 85.255.112.123

    O17 - HKLM\System\CCS\Services\Tcpip\..\{77882854-EBCF-441F-910C-675436A86089}: NameServer = 85.255.114.106,85.255.112.123

    O17 - HKLM\System\CCS\Services\Tcpip\..\{8D80E605-D945-40FE-B788-B3FD9015CF28}: NameServer = 85.255.114.106,85.255.112.123

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.106 85.255.112.123

    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.106 85.255.112.123

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.106 85.255.112.123

    Only fix the above O17 entries if they don't belong to your ISP or you don't recognise the domain.

    Click on the fix checked button.

    Close HJT and reboot your computer.

    I can find nothing particularly nasty in your HJT log.

    Regards Howard :)

    This thread is for the use of mckfodder only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
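
    An added example, not part of the original posts: one way to do the check described above, parsing the O17 `NameServer` lines of a HijackThis log and listing any DNS server that is not on a list you trust. The `TRUSTED` value is a placeholder assumption for your ISP's or router's resolvers, and the last sample line is constructed.

```python
import ipaddress
import re

# One HijackThis O17 NameServer line: per-interface ({GUID}) or global (Parameters).
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<guid>\{[0-9A-Fa-f-]+\})|Parameters): "
    r"NameServer = (?P<servers>.+)$"
)
# Assumption: stands in for the resolvers your ISP or router actually hands out.
TRUSTED = ["192.0.2.53/32"]
# Constructed sample: three lines as quoted in the thread, plus one made-up clean line.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{32C2AA72-8659-4CE5-911E-13D1650334B6}: NameServer = 85.255.114.106,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{75B5E628-8271-4F1C-B114-13DC1C104587}: NameServer = 85.255.114.106 85.255.112.123
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.106 85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53
"""

def parse_o17(log_text):
    # Returns (control_set, scope, [server, ...]) for each O17 NameServer line.
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # The value appears comma- or space-separated, so split on both.
            servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
            entries.append((m["cs"], m["guid"] or "global", servers))
    return entries

def is_trusted(server, trusted_nets):
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False  # not a valid IP literal: flag it for review
    return any(ip in net for net in trusted_nets)

def unexpected_resolvers(log_text, trusted):
    # Returns only the entries that contain at least one untrusted resolver.
    nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for cs, scope, servers in parse_o17(log_text):
        bad = [s for s in servers if not is_trusted(s, nets)]
        if bad:
            findings.append((cs, scope, bad))
    return findings

if __name__ == "__main__":
    for cs, scope, bad in unexpected_resolvers(SAMPLE_LOG, TRUSTED):
        print(f"{cs} {scope}: unexpected DNS servers {', '.join(bad)}")
```

    Entries reported under `CS2`/`CS3` or `global` matter as much as the per-interface ones, since the same value is stored in every control set.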
     
  3. mckfodder

    mckfodder TS Rookie Topic Starter

    Thanks for your quick reply. As I'm pretty new at this, how do I tell if the O17 entries belong to my ISP?
    Thanks once again
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Is this your ISP?

    xbox.dedi.inhoster.com
    Inhoster hosting company
    OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

    If it is, then don't fix the O17 entries.

    Regards Howard :)

     
  5. mckfodder

    mckfodder TS Rookie Topic Starter

    Thanks Howard, fixed my problems.
    Great site, keep up the good work.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's good news and thanks for letting me know.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  7. mckfodder

    mckfodder TS Rookie Topic Starter

    OK, no worries. Just a quick question: what's the best spyware/adware removal tool? I have AVG 7 and use Lavasoft Ad-Aware, but sometimes feel that's not enough. Also, I only use the XP firewall. Any recommendations would be helpful.
    Thanks
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The best antispyware/adware programme is supposed to be SpySweeper. However, it's not free.

    I normally just use SS&D/Ad-Aware SE Personal/AVG Antispyware/Spyware Blaster. I also use AVG free antivirus and Zonealarm firewall and I never have any problems.

    Regards Howard :)

     
  9. mckfodder

    mckfodder TS Rookie Topic Starter

    Hi, I'm still getting my browser hijacked. The line
    O17 - HKLM\System\CCS\Services\Tcpip\..\{75B5E628-8271-4F1C-B114-13DC1C104587}: NameServer = 85.255.114.106 85.255.112.123
    keeps coming up in HijackThis. I delete it and it's fine, but if I start the browser again it's back. Any help on this would be helpful, thanks.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Again I ask you, is this your ISP?

    85.255.114.106 - xbox.dedi.inhoster.com

    If it is, then you've no need to worry.

    Here's some more detailed info on that IP.

    inetnum: 85.255.112.0 - 85.255.127.255
    netname: inhoster
    descr: Inhoster hosting company
    descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
    remarks: -----------------------------------
    remarks: Abuse notifications to: abuse@inhoster.com
    remarks: Network problems to: noc@inhoster.com
    remarks: Peering requests to: peering@inhoster.com
    remarks: -----------------------------------
    country: UA
    org: ORG-EST1-RIPE
    admin-c: AK4026-RIPE
    tech-c: AK4026-RIPE
    tech-c: FWHS1-RIPE
    status: ASSIGNED PI
    mnt-by: RIPE-NCC-HM-PI-MNT
    mnt-lower: RIPE-NCC-HM-PI-MNT
    mnt-by: RECIT-MNT
    mnt-routes: RECIT-MNT
    mnt-domains: RECIT-MNT
    mnt-by: DAV-MNT
    mnt-routes: DAV-MNT
    mnt-domains: DAV-MNT
    source: RIPE # Filtered

    organisation: ORG-EST1-RIPE
    org-name: INHOSTER
    org-type: NON-REGISTRY
    remarks: *************************************
    remarks: * Abuse contacts: abuse@inhoster.com *
    remarks: *************************************
    address: OOO Inhoster
    address: Poltavskij Shliax 24, Xarkov,
    address: 61000, Ukraine
    phone: +38 066 4633621
    e-mail: support@inhoster.com
    admin-c: AK4026-RIPE
    tech-c: AK4026-RIPE
    mnt-ref: DAV-MNT
    mnt-by: DAV-MNT
    source: RIPE # Filtered

    person: Andrei Kislizin
    address: OOO Inhoster,
    address: ul.Antonova 5, Kiev,
    address: 03186, Ukraine
    phone: +38 044 2404332
    nic-hdl: AK4026-RIPE
    source: RIPE # Filtered

    person: Fast Web Hosting Support
    address: 01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 201.
    address: UA
    phone: +35 79 91 17 759
    e-mail: support@fwebhost.net
    nic-hdl: FWHS1-RIPE
    source: RIPE # Filtered

    Regards Howard :)

     
  11. mckfodder

    mckfodder TS Rookie Topic Starter

    I do not think so. I'm with PlusNet in the UK. When I delete it from HijackThis my browser works fine, but if it's there I always get redirected from where I want to go to some ****ty search engine. Also, that's not my server's IP address.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    In that case, do the following.

    I strongly suggest you backup your registry before doing the following.

    Click start/run and type regedit into the run box and press the enter key. Click file, export and save a copy of your registry to wherever you want. Then, if you need to restore your original registry, it's a simple matter of double clicking the reg file and clicking yes when asked if you want to merge it into the registry.

    Navigate to the following keys and delete them in the righthand pane. Make sure you only delete the keys with the bold codes.

    HKEY_LOCAL_MACHINE\System\CCS\Services\Tcpip\..\{8D80E605-D945-40FE-B788-B3FD9015CF28}: NameServer = 85.255.114.106,85.255.112.123

    HKEY_LOCAL_MACHINE\System\CCS\Services\Tcpip\..\{32C2AA72-8659-4CE5-911E-13D1650334B6}: NameServer = 85.255.114.106,85.255.112.123

    HKEY_LOCAL_MACHINE\System\CCS\Services\Tcpip\..\{56DC4C3B-55BB-46E0-940B-8A99808E7397}: NameServer = 85.255.114.106,85.255.112.123

    HKEY_LOCAL_MACHINE\System\CCS\Services\Tcpip\..\{75B5E628-8271-4F1C-B114-13DC1C104587}: NameServer = 85.255.114.106 85.255.112.123

    HKEY_LOCAL_MACHINE\System\CCS\Services\Tcpip\..\{77882854-EBCF-441F-910C-675436A86089}: NameServer = 85.255.114.106,85.255.112.123


    See if that helps.

    You should post a fresh HJT log, once you've done the above.

    Regards Howard :)

     
  13. mckfodder

    mckfodder TS Rookie Topic Starter

    New HijackThis log.
    None of those regedit entries were there, and once I restart the PC, 17 only comes back after I start the browser.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You're not using any firewall software. Go HERE and follow the links for either Zonealarm or Kerio firewalls.

    Once you've installed a firewall, run HJT and fix that O17 entry. Other than that, your HJT log is clean as a whistle.

    See if that helps.

    Regards Howard :)

     
  15. mckfodder

    mckfodder TS Rookie Topic Starter

    Thanks,
    I'll do it now.
     
  16. mckfodder

    mckfodder TS Rookie Topic Starter

    Hi Howard, sorry to pester you, but I cannot load Zone Alarm. I used to have it but thought I had deleted it. Now it is saying setup is unable to log into the TrueVector service. Install cannot continue without logging into the TrueVector service.
    If you can help I would be very grateful. I had a quick look on the forums but could not find much there.
    Ian
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Try these manual removal instructions. Obviously, you'll already have removed some of the entries, but you should see if any of the entries in the instructions are still on your system.

    If none of that helps, then maybe you should try the free Kerio firewall instead.

    Regards Howard :)

     
  18. mckfodder

    mckfodder TS Rookie Topic Starter

    Thanks, worked a treat. Great job.
     
Topic Status:
Not open for further replies.
