Hijacked!

 

A few days ago I was reading several posts on this site and downloaded a few POIs. At one point I used the Explorer "Back Arrow" to go back to a previous page and I was redirected to "www.draw3d.com", Mark Kistler's Imagination Station, a site I have never been to before. Since then I cannot go to Poi Factory without being redirected to this same site. I use McAfee Security software for virus and firewall protection, and Spybot. I've logged onto the site today from a different computer to ask this question. I did a complete search of my hard drive, including the registry, for anything related to Poi-factory or "www.draw3d.com Mark Kistler's Imagination Station" without finding anything! Has anyone else experienced this?

--
USN Recon Heavy Attack Squadron 1, Smoking Tigers. --- Zumo 550 mounted on Harley handlebars.

.

I wish I could help more than this; your browser has definitely been hijacked. I'm surprised Spybot didn't already catch it, but there are other spyware removers out there that you can use. I might also suggest going to www.overclockers.com/forums/ and posting the same question there. The users there will be able to point you in the right direction much better than I can, since the names of the programs elude my poor memory.

Sorry about the lack of links.

A few that come to mind are:
Hijackthis
Spybot S&D
Ad-Aware by Lavasoft
Malwarebytes

You may also be able to clear the "hosts" file. This is often used to redirect a browser. Then rerun "Immunize" from Spybot to add protection again.

Try looking at your Proxy settings

They might have altered your internet proxy settings. You'll find them in your browser's Tools/Options menu.

Yep. Time to clean up your

Yep. Time to clean up your computer.

--
OK.....so where the heck am I?

spyware

Another good spyware program is Superantispyware checker.

--
Anytime you have a 50-50 chance of getting something right, there's a 90% probability you'll get it wrong.

Run MalwareBytes, and

Run MalwareBytes, and Super-AntiSpyware to make sure your system is clean.

Also do an online scan with Trend Micro.

--
http://www.poi-factory.com/node/21626 - red light cameras do not work

Update

This has been an interesting week, believe me. I ran Malwarebytes, Spybot, McAfee several times on both my laptop and desktop (both infected). The thing that invaded me was insidious. It appeared to work for a while, and once I'd go to poi-factory and click on a link it would redirect me to www.draw3d.com. The only site that was targeted was Poi-Factory, and the only site I was directed to was draw3d.

I finally had to use system restore and go back about a week or so, then run all the spy and virus stuff again. It appears to be working ok now, but it has done that in the past. Time will tell.

On another note, thank you wknight40; I sent my daughter info about the program you suggested, "malwarebytes", and she used it on my granddaughter's laptop, which she was getting ready to trash due to many, many problems. It solved them all and my granddaughter has a laptop to use again. Thanks for your help, and thanks to the rest of you for your help and suggestions.

So, it's snowing like hell here in Northern Virginia again, so let me surf the net (safely). Later, George

--
USN Recon Heavy Attack Squadron 1, Smoking Tigers. --- Zumo 550 mounted on Harley handlebars.

If The Problem Persists

berettag wrote:

This has been an interesting week, believe me. I ran Malwarebytes, Spybot, McAfee several times on both my laptop and desktop (both infected). The thing that invaded me was insidious. It appeared to work for a while, and once I'd go to poi-factory and click on a link it would redirect me to www.draw3d.com. The only site that was targeted was Poi-Factory, and the only site I was directed to was draw3d.

I finally had to use system restore and go back about a week or so, then run all the spy and virus stuff again. It appears to be working ok now, but it has done that in the past. Time will tell.

On another note, thank you wknight40; I sent my daughter info about the program you suggested, "malwarebytes", and she used it on my granddaughter's laptop, which she was getting ready to trash due to many, many problems. It solved them all and my granddaughter has a laptop to use again. Thanks for your help, and thanks to the rest of you for your help and suggestions.

So, it's snowing like hell here in Northern Virginia again, so let me surf the net (safely). Later, George

If you find you still have the problem, I have one other suggestion - running HijackThis and posting the results at bleepingcomputer.com. The folks over there do a good job helping users identify and remove malware. Here is the link to the complete set of instructions:

http://www.bleepingcomputer.com/forums/topic34773.html

--
Tampa, FL - Garmin nüvi 660 (Software Ver 4.90), 2021.20 CN NA NT maps | Magellan Meridian Gold

Malwarebytes is a fantastic

Malwarebytes is a fantastic program for removing the nasty stuff that creeps into your computer, but give it a better chance to clean things out by restarting your Windows computer in "Safe Mode" so not as much is running. Safe Mode can be accessed at boot time by tapping the F8 key before the Windows splash screen comes up. You will be given a set of options; choose Safe Mode with Networking and then run Malwarebytes.

Hack Attacks

Someone or several people have been posting phony discussions. The most recent seems to be "muddled,games,pleasure,modish".

All I can say is be careful about clicking on questionable links.

--
DriveSmart 65, NUVI2555LMT, (NUVI350 is Now Retired)

On this site?

davidkbrown wrote:

Someone or several people have been posting phony discussions. The most recent seems to be "muddled,games,pleasure,modish".

All I can say is be careful about clicking on questionable links.

On Poi-factory?

--
USN Recon Heavy Attack Squadron 1, Smoking Tigers. --- Zumo 550 mounted on Harley handlebars.

Sorry about that spam....

davidkbrown wrote:

Someone or several people have been posting phony discussions. The most recent seems to be "muddled,games,pleasure,modish".

All I can say is be careful about clicking on questionable links.

We delete them as soon as we find them. They usually go up around 2 in the morning and we don't get them removed until we start work at 9:00 am.

Miss POI

I run

Malwarebytes Anti Malware, and IObit Security 360 along with my antivirus and don't usually have any problems. You might also install CCleaner. This works well, too.

--
Not doing anything worth a darn.

Both Sites are Good

I have used geekpolice.net and geekstogo.com to have spyware removed from computers I was working on. Both sites are associated with Bleeping Computer.

Hijacked

miss poi wrote:
davidkbrown wrote:

Someone or several people have been posting phony discussions. The most recent seems to be "muddled,games,pleasure,modish".

All I can say is be careful about clicking on questionable links.

We delete them as soon as we find them. They usually go up around 2 in the morning and we don't get them removed until we start work at 9:00 am.

Miss POI

So there is a good possibility that I did get this off poi-factory. I figured I must have since it was the only site I was directed away from. Have any disgruntled former members?

--
USN Recon Heavy Attack Squadron 1, Smoking Tigers. --- Zumo 550 mounted on Harley handlebars.

Be sure to run

Be sure to run Super-Antispyware also. It works just like Malwarebytes but may catch stuff it doesn't.

--
http://www.poi-factory.com/node/21626 - red light cameras do not work

.

berettag wrote:

So there is a good possibility that I did get this off poi-factory. I figured I must have since it was the only site I was directed away from. Have any disgruntled former members?

So you're upset at POI Factory because you clicked on an unknown link and got a virus???

No

Never said that. I'm a retired Intelligence Officer; once attacked, I attempt to find the source, to prevent it from happening again, and to caution others.

--
USN Recon Heavy Attack Squadron 1, Smoking Tigers. --- Zumo 550 mounted on Harley handlebars.

Malware was on another site

GadgetGuy2008 wrote:
berettag wrote:

So there is a good possibility that I did get this off poi-factory. I figured I must have since it was the only site I was directed away from. Have any disgruntled former members?

So you're upset at POI Factory because you clicked on an unknown link and got a virus???

Get it straight where you are pointing the finger.

Link to a photo album was here. The malware was on the site that you went to after you left here.

hijacked

Another good program, if you do a lot of web surfing, is CCleaner. This program should be run last, when you're ready to shut down your computer for the night. It helps keep the mess down from surfing.
Mike

Preventative measures

I use Firefox with NoScript and AdBlock Plus. NoScript prevents anything (JavaScript) loading without your permission, and AdBlock Plus stops the ads on sites from doing a drive-by download. SpywareBlaster is a good passive program as well.

Using a good hosts file in addition to all those makes for good security while browsing.

--
nüvi 3790T | nüvi 775T | Those who make peaceful revolution impossible, will make violent revolution inevitable ~ JFK

Firefox

Hope the Firefox users have seen the warning about the false update circulating for Firefox. It contains malware.

--
Nuvi 750 and 755T

?

Link please?

I only update it internally, i.e., from the program itself.

--
nüvi 3790T | nüvi 775T | Those who make peaceful revolution impossible, will make violent revolution inevitable ~ JFK

.

JFCTexas wrote:

Hope the Firefox users have seen the warning about the false update circulating for Firefox. It contains malware.

What false updates are you referring to? Firefox or the add-on updates? Can you provide a link to the article?

CCleaner

donicus and mrpkd have recommended CCleaner and I agree with them. The business software company where I work uses CCleaner, which is freeware, rather than designing custom software to help maintain their tens of thousands of PCs worldwide. This is only one tool of many that is needed to keep malware away.

dobs108

Preventative measures

I use Firefox with an add-on, WOT "Web of Trust", that will warn you of risky sites. I only do any type of banking and on-line purchasing on my Linux system. I don't trust any Microsoft Windows system with credit card or banking information.

--
Bob, Garmin Nuvi 350 & 255WT

It's still alive

Been working on this for weeks since this thing returned. If you're interested you can follow the attempts for a fix at:

http://www.bleepingcomputer.com/forums/topic296303.html

May need an exorcism!

--
USN Recon Heavy Attack Squadron 1, Smoking Tigers. --- Zumo 550 mounted on Harley handlebars.

Possessed

Read the whole post from the link. Sounds very frustrating. Hopefully the guy can find a solution for you. Be sure to post your fix if you manage to find one.

--
Nuvi 660. Nuvi 40 Check out. www.houserentalsorlando.com Irish Saying. A man loves his sweetheart the most, his wife the best, but his mother the longest.

The same with me

But instead of chasing a ghost I would rather reformat the hard drives and reinstall everything, especially since you already have your data backed up.

Man, if I were to

Man, if I were to guess....

It sounds like your DNS server is poisoned, and/or the DNS server you connect to has been modified to a different one.

Unfortunately, to check/work those topics you'd have to be pretty knowledgeable about the router you are using. Keep going with the bleeping computer guys. They'll track it down.

hosts file

It's possible that his hosts file in c:\windows\system32\drivers\etc\hosts was modified. If that is changed, then anyone trying to go to site A will always be sent to site B.

Spy Ware

Here is a nice program I use called Advanced System Care: http://www.iobit.com/advancedwindowscareper.html . It does a good job, plus it has a lot of other nice features. It is free, and you can also purchase the pro version if you want.

--
Charlie. Nuvi 265 WT and Nuvi 2597 LMT. MapFactor - Offline Maps & GPS.

The End, I hope.

After several weeks of fighting this thing, I believe it is finally gone, thanks to Mole (in London) at bleepingcomputers.com. The thread was read by some 1000 people, worldwide, and was listed as a Hot Thread. My hat's off to Mole, I was fully expecting him (or her) to give up long ago, but he worked this thing out with much troubleshooting by web posts. Somehow, something modified the address for POI-factory, his comments are below:

"For some reason, and we're not quite sure what but it wasn't a malicious thing, the IP address for poi-factory was a digit out from the address that gets pinged. The number should be 21 at the end but as you can see the ping address shows 4.

Name: poi-factory.com
Address: 74.208.99.21

Pinging poi-factory.com [74.208.99.4] with 32 bytes of data:

As you may have guessed already, 74.208.99.4 is the IP address of 3ddraw.

Having cleaned out all the caches to avoid the return of the redirection it resolves correctly."

He wrote a small program to clean things out for me, then helped clean out the Java and IE cache and temp files. So far, for the past few days, both my PC and laptop are working fine and I can get back onto Poi-factory.

If you'd like to read the thread, it's at: http://www.bleepingcomputer.com/forums/topic296303.html

--
USN Recon Heavy Attack Squadron 1, Smoking Tigers. --- Zumo 550 mounted on Harley handlebars.

I agree with one of the

I agree with one of the posts above about using Firefox. While it's not bulletproof, the combination of Firefox, NoScript and AdBlock Plus is pretty good for avoiding the more run-of-the-mill exploits. Locking down your hosts file can help too, though that's a pretty easy fix if someone does attack it. The more advanced attacks can be a real pain to fix, and sometimes it's just easier to reformat and reinstall.

One other thing I'd recommend is to never, ever, just blindly follow the defaults on install screens and read every page and option before installing a program. Even Java updates now default to installing the Yahoo toolbar unless you tell it not to. A while back I had to reformat a computer on which the user had installed a MS Messenger add-on which came with the added bonus of a hijack called "LOP" as part of the install process. It was a bastard to try to remove so I just reformatted in the end. The author justified it by saying the user had the option not to install it but the default was to install and teenagers tend to just hit the default keys. My advice is always choose the "custom" or "advanced" install, and read the options for the components to be installed very carefully.

hosts file.

if you ping and it still redirects, your hosts file is the likeliest victim. go find it at c:\windows\system32\drivers\etc and edit the offending entry (entries). re-save it -- note: NO extension... it's simply "hosts" -- and then set it read-only.

btw if anyone wants *my* hosts file (over 30,000 lines long which blocks ads and malware sites), let me know. i am not peddling this, rather offering it as a favor to the community. it would be your responsibility to understand what the hosts file is and does, and then you'd also want to at least look through it a bit before you add it to your system. i have composed it over the course of several years by adding the URLs of malware sites that come to my attention; i have also allowed spybot to add its own blocklists.
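The two hosts-file posts above (the one naming c:\windows\system32\drivers\etc\hosts and the "hosts file." post) and Mole's nslookup-versus-ping comparison quoted in "The End, I hope" all come down to one check: does the name resolve locally to the same address that DNS hands back? As an added example that is not code from any poster in this thread or from BleepingComputer, here is a small Python script that parses a hosts file, flags entries sending a public hostname to a public address (the redirect pattern the thread describes, as opposed to the loopback/0.0.0.0 entries a blocklist adds), and compares one entry against a resolver's answer the way the quoted nslookup/ping output was compared. The sample hosts text and the tracker hostname are constructed for the example; the two addresses are the ones quoted in the thread and are used only as illustration.

```python
"""Audit a hosts file for redirect-style overrides.

Added example for this thread, not code from any poster or from
BleepingComputer. SAMPLE_HOSTS below is constructed to reproduce the symptom
quoted in the thread (poi-factory.com answering as 74.208.99.4 while the
resolver says 74.208.99.21); the thread never confirmed the hosts file was
the cause. On a real machine, read C:\\Windows\\System32\\drivers\\etc\\hosts
(or /etc/hosts) and pass its text to audit_hosts().
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Targets a legitimate hosts file normally points names at: loopback, and the
# 0.0.0.0 "blackhole" used by ad/malware blocklists like the one offered above.
BENIGN_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the Windows default lines, one blocklist-style line, and
# a redirect of a public site to a different public address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example        # blocklist-style entry
74.208.99.4     poi-factory.com  www.poi-factory.com   # constructed redirect
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: ip} for every active mapping.

    Comments and blank lines are skipped. A name listed more than once keeps
    the last address seen; a duplicate like that is itself worth a look."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # not an address field; ignore
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def suspicious_entries(mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries that send a non-local name to a public, non-loopback address.

    Loopback/blackhole targets (blocklists) and private LAN addresses (internal
    hostnames) are treated as normal; anything else matches the redirect the
    thread describes."""
    flagged = []
    for name, ip in mapping.items():
        if name in ("localhost", "broadcasthost") or name.endswith(".localdomain"):
            continue
        addr = ipaddress.ip_address(ip)
        if ip in BENIGN_TARGETS or addr.is_loopback or addr.is_private:
            continue
        flagged.append((name, ip))
    return sorted(flagged)


def compare_with_resolver(mapping: Dict[str, str], name: str,
                          resolver_answer: str) -> Tuple[Optional[str], bool]:
    """Mirror the nslookup-vs-ping check from the thread.

    resolver_answer is what a DNS query returned for name. Returns
    (hosts_file_answer, consistent): hosts_file_answer is None when the file
    has no entry for the name, and consistent is False exactly when a hosts
    entry would make ping and the browser disagree with DNS."""
    local = mapping.get(name.lower())
    return local, (local is None or local == resolver_answer)


def audit_hosts(text: str) -> List[Tuple[str, str]]:
    """Parse the hosts text and return the flagged (name, ip) pairs."""
    return suspicious_entries(parse_hosts(text))


if __name__ == "__main__":
    for host, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"suspicious: {host} -> {ip}")
    hosts_ip, ok = compare_with_resolver(parse_hosts(SAMPLE_HOSTS),
                                         "poi-factory.com", "74.208.99.21")
    print("poi-factory.com hosts entry:", hosts_ip, "consistent with DNS:", ok)
```

Two caveats the thread itself illustrates. A clean hosts file does not rule the symptom out: Mole's fix was clearing the resolver, Java and IE caches, which this script cannot see, so treat a "no suspicious entries" result as one check passed, not as a verdict. And setting the file read-only, as suggested above, raises the bar only slightly, since anything running as administrator can clear the attribute; it is still worth doing because it blocks the casual modifications and makes a later change easier to notice.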