Maxxxhosters.com

I am constantly having a problem with this "maxxxhosters.com". It seems to be hijackign into any process that has an internet connection.

For example, when using firefox or playing WoW I would run a netstat -a -o and see an established connection with maxxxhosters.com on some port, sharing the same process id as WoW.exe or firefox.exe.

Before you refer me to AdAware or anything like that, heres a history of my attempts to remove it

AdAware 6, failed to remove it
Spybot S&D, failed
Kaspersky Personal Anti Virus, failed
Spyware Doctor 3.2, failed
Pestpatrol, failed
Hijackthis, failed

I have done a file search for a sys****.exe file but no luck. It is NOT in my process list.

If you need screenshots I can post them.
As I am posting this, this is my netstat report


Active Connections

Proto Local Address Foreign Address State PID
TCP PowerSpec8921:3014 maxxxhosters.com:3015 ESTABLISHED 1596
TCP PowerSpec8921:3015 maxxxhosters.com:3014 ESTABLISHED 1596
TCP PowerSpec8921:3104 64.233.161.83:http ESTABLISHED 1596

PID 1596 is firefox

This is a desperate cry for help, I really dont know what to do and it's really making me frustrated

Thank you for reading this far and please help if you can, I'll try to answer any questions you have.

Edit: My "HKEY_blah blah blah\CurrentVersion\Run" is clear of ANY exe files other than soundman and winampa
Edit2: I may have posted this in the wrong section of the forum, sorry

 

hi there,

hate to tell you this but it sounds like you have got a premium rate dialler and they cost money so if i were you i would be careful and would let your ISP know what is going on before you recieve your next phone bill.

Trust me u will be in for the shock of a lifetime once you look at your bill if you dont act fast any more question please reply to this post ok !

 

dialers dont work if your computer isnt plugged into the modem jack right?

 

Maybe you could try carrying out an in-depth scan with NOD32. What's more, its HTTP scanner can intercept a huge percentage of unknown threats via Advanced heuristics (part of the ThreatSense Early Warning System). Just my 0.02$

 

Hmmm, this is very interesting

After learning more and more about this maxxxhosters thing I realized that when i ping maxxxhosters.com on my computer it shows up as 127.0.0.1

Now, there are always an even number of maxxxhosters connections, 2 popup whenever I use an application that has internet access.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Active Connections

Proto Local Address Foreign Address State
TCP PowerSpec8921:3026 maxxxhosters.com:40041 ESTABLISHED
TCP PowerSpec8921:3034 maxxxhosters.com:3035 ESTABLISHED
TCP PowerSpec8921:3035 maxxxhosters.com:3034 ESTABLISHED
TCP PowerSpec8921:40041 maxxxhosters.com:3026 ESTABLISHED

notice how they are connected to each other

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Harry>netstat

Active Connections

Proto Local Address Foreign Address State
TCP PowerSpec8921:3026 maxxxhosters.com:40041 ESTABLISHED
TCP PowerSpec8921:3034 maxxxhosters.com:3035 ESTABLISHED
TCP PowerSpec8921:3035 maxxxhosters.com:3034 ESTABLISHED
TCP PowerSpec8921:40041 maxxxhosters.com:3026 ESTABLISHED
TCP PowerSpec8921:3030 206.16.235.115:3724 ESTABLISHED
TCP PowerSpec8921:3037 64.233.161.147:http ESTABLISHED
TCP PowerSpec8921:3038 12-129-217-203.attens.net:http ESTABLISHED
TCP PowerSpec8921:3039 12-129-217-203.attens.net:http ESTABLISHED


Other tests

C:\Documents and Settings\Harry>tracert maxxxhosters.com

Tracing route to maxxxhosters.com [127.0.0.1]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms maxxxhosters.com [127.0.0.1]

Trace complete.

C:\Documents and Settings\Harry>ping maxxxhosters.com

Pinging maxxxhosters.com [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Here is my HiJackThis log, but I dont think it contains any traces of this maxxxhosters

<snip>




==================================================

A very interesting thing as well is when I use the TCP killing program eSTOP to cancel the TCP connection, whatever process it was hijacked to (WoW or firefox for example) will cause it to use up 99% of CPU resources, makign everything slow and choppy.

Yes I have posted this on numerous sites in hopes to find an answer


HiJackThis log removed as per this announcement - Detox

 

this site dosnt do hijacthis logs anymore ! youre not allowed to post logs

 

Does this have anythig to do with the hosts file?

Here is mine
127.0.0.1 maxxxhosters.com
127.0.0.1 therealsearch.com
127.0.0.1 thumbest-traffic.com
127.0.0.1 600pics.com
127.0.0.1 tonser.4-counter.com
127.0.0.1 free.sinpussy.com

~replaced the first six Hosts file entries for clarification purposes....Bubba~
<snip>

content removed - be careful! This contained many clickable links to very bad sites - Detox

 

Please take a look at your Hosts file. The first entry of a Hosts file needs to be 127.0.0.1 localhost. I'll assume for a moment given the info you have shared that your Hosts file has a beginning entry of 127.0.0.1 maxxxhosters.com....which would be the reason for the netstat results you are seeing.