Maxxxhosters.com

Discussion in 'malware problems & news' started by thehighway, Aug 22, 2005.

Thread Status:
Not open for further replies.
  1. thehighway

    thehighway Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    1
    I am constantly having a problem with this "maxxxhosters.com". It seems to be hijacking into any process that has an internet connection.

    For example, when using firefox or playing WoW I would run a netstat -a -o and see an established connection with maxxxhosters.com on some port, sharing the same process id as WoW.exe or firefox.exe.

    Before you refer me to AdAware or anything like that, here's a history of my attempts to remove it

    AdAware 6, failed to remove it
    Spybot S&D, failed
    Kaspersky Personal Anti Virus, failed
    Spyware Doctor 3.2, failed
    Pestpatrol, failed
    Hijackthis, failed

    I have done a file search for a sys****.exe file but no luck. It is NOT in my process list.

    If you need screenshots I can post them.
    As I am posting this, this is my netstat report


    Active Connections

    Proto Local Address Foreign Address State PID
    TCP PowerSpec8921:3014 maxxxhosters.com:3015 ESTABLISHED 1596
    TCP PowerSpec8921:3015 maxxxhosters.com:3014 ESTABLISHED 1596
    TCP PowerSpec8921:3104 64.233.161.83:http ESTABLISHED 1596

    PID 1596 is firefox

    This is a desperate cry for help, I really don't know what to do and it's really making me frustrated

    Thank you for reading this far and please help if you can, I'll try to answer any questions you have.

    Edit: My "HKEY_blah blah blah\CurrentVersion\Run" is clear of ANY exe files other than soundman and winampa
    Edit2: I may have posted this in the wrong section of the forum, sorry :(
     
  2. cleverboy12

    cleverboy12 Guest

    hi there,

    hate to tell you this but it sounds like you have got a premium rate dialler and they cost money so if i were you i would be careful and would let your ISP know what is going on before you receive your next phone bill.

    Trust me u will be in for the shock of a lifetime once you look at your bill if you don't act fast any more questions please reply to this post ok !
     
  3. thehighway2

    thehighway2 Guest

    dialers don't work if your computer isn't plugged into the modem jack right?
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Maybe you could try carrying out an in-depth scan with NOD32. What's more, its HTTP scanner can intercept a huge percentage of unknown threats via Advanced heuristics (part of the ThreatSense Early Warning System). Just my 0.02$ :)
     
  5. thehighway2

    thehighway2 Guest

    Hmmm, this is very interesting

    After learning more and more about this maxxxhosters thing I realized that when I ping maxxxhosters.com on my computer it shows up as 127.0.0.1

    Now, there are always an even number of maxxxhosters connections, 2 pop up whenever I use an application that has internet access.

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    Active Connections

    Proto Local Address Foreign Address State
    TCP PowerSpec8921:3026 maxxxhosters.com:40041 ESTABLISHED
    TCP PowerSpec8921:3034 maxxxhosters.com:3035 ESTABLISHED
    TCP PowerSpec8921:3035 maxxxhosters.com:3034 ESTABLISHED
    TCP PowerSpec8921:40041 maxxxhosters.com:3026 ESTABLISHED

    notice how they are connected to each other

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Harry>netstat

    Active Connections

    Proto Local Address Foreign Address State
    TCP PowerSpec8921:3026 maxxxhosters.com:40041 ESTABLISHED
    TCP PowerSpec8921:3034 maxxxhosters.com:3035 ESTABLISHED
    TCP PowerSpec8921:3035 maxxxhosters.com:3034 ESTABLISHED
    TCP PowerSpec8921:40041 maxxxhosters.com:3026 ESTABLISHED
    TCP PowerSpec8921:3030 206.16.235.115:3724 ESTABLISHED
    TCP PowerSpec8921:3037 64.233.161.147:http ESTABLISHED
    TCP PowerSpec8921:3038 12-129-217-203.attens.net:http ESTABLISHED
    TCP PowerSpec8921:3039 12-129-217-203.attens.net:http ESTABLISHED


    Other tests

    C:\Documents and Settings\Harry>tracert maxxxhosters.com

    Tracing route to maxxxhosters.com [127.0.0.1]
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms maxxxhosters.com [127.0.0.1]

    Trace complete.

    C:\Documents and Settings\Harry>ping maxxxhosters.com

    Pinging maxxxhosters.com [127.0.0.1] with 32 bytes of data:

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Here is my HiJackThis log, but I don't think it contains any traces of this maxxxhosters

    <snip>




    ==================================================

    A very interesting thing as well is when I use the TCP killing program eSTOP to cancel the TCP connection, whatever process it was hijacked to (WoW or firefox for example) will cause it to use up 99% of CPU resources, making everything slow and choppy.

    Yes I have posted this on numerous sites in hopes to find an answer


    HiJackThis log removed as per this announcement - Detox
     
    Last edited by a moderator: Aug 22, 2005
  6. cleverboy12

    cleverboy12 Guest

    this site doesn't do HijackThis logs anymore ! you're not allowed to post logs
     
  7. thehighway2

    thehighway2 Guest

    Does this have anything to do with the hosts file?

    Here is mine
    127.0.0.1 maxxxhosters.com
    127.0.0.1 therealsearch.com
    127.0.0.1 thumbest-traffic.com
    127.0.0.1 600pics.com
    127.0.0.1 tonser.4-counter.com
    127.0.0.1 free.sinpussy.com

    ~replaced the first six Hosts file entries for clarification purposes....Bubba~
    <snip>

    content removed - be careful! This contained many clickable links to very bad sites - Detox
     
    Last edited by a moderator: Aug 22, 2005
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Please take a look at your Hosts file. The first entry of a Hosts file needs to be 127.0.0.1 localhost. I'll assume for a moment given the info you have shared that your Hosts file has a beginning entry of 127.0.0.1 maxxxhosters.com....which would be the reason for the netstat results you are seeing.
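
Added example, not part of the thread and not written by any poster: a small Python check for the situation Bubba describes. Following his explanation, it assumes the resolver labels 127.0.0.1 with the first name mapped to it in the hosts file; the hosts samples are constructed from the entries quoted above, the netstat rows are copied from the thread, and the function names are hypothetical.

```python
# Constructed hosts files: one with a blocklist entry first, one corrected.
HOSTS_BAD = """\
127.0.0.1 maxxxhosters.com
127.0.0.1 therealsearch.com
127.0.0.1 localhost
"""
HOSTS_GOOD = """\
127.0.0.1 localhost
127.0.0.1 maxxxhosters.com
127.0.0.1 therealsearch.com
"""

# netstat rows as posted in the thread (no -n, so addresses show as names).
NETSTAT = """\
TCP PowerSpec8921:3026 maxxxhosters.com:40041 ESTABLISHED
TCP PowerSpec8921:3034 maxxxhosters.com:3035 ESTABLISHED
TCP PowerSpec8921:3035 maxxxhosters.com:3034 ESTABLISHED
TCP PowerSpec8921:40041 maxxxhosters.com:3026 ESTABLISHED
TCP PowerSpec8921:3030 206.16.235.115:3724 ESTABLISHED
"""

def loopback_label(hosts_text):
    """Name that 127.0.0.1 would be displayed as: the first name on the
    first 127.0.0.1 line (assumption taken from Bubba's explanation)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            return fields[1]
    return None

def loopback_pairs(netstat_text, label):
    """Port pairs (a, b) where a->b and b->a both appear with the foreign
    host shown as `label`: the two ends of one local loopback socket."""
    conns = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP":
            local_port = f[1].rsplit(":", 1)[1]
            foreign_host, foreign_port = f[2].rsplit(":", 1)
            if foreign_host == label:
                conns.add((local_port, foreign_port))
    # Keep only connections whose mirror image is also present.
    return sorted({tuple(sorted(c)) for c in conns if (c[1], c[0]) in conns})

if __name__ == "__main__":
    label = loopback_label(HOSTS_BAD)
    print("127.0.0.1 is displayed as:", label)
    print("local socket pairs:", loopback_pairs(NETSTAT, label))
```

Every "maxxxhosters.com" row in the posted netstat output pairs up with its mirror image, which is what loopback traffic between two local sockets looks like; running `netstat -n` shows the numeric address instead of the hosts-file name.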
     