find4u.net hijacks homepage

Discussion in 'adware, spyware & hijack cleaning' started by Golfer273, Feb 26, 2004.

Thread Status:
Not open for further replies.
  1. Golfer273

    Golfer273 Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    8
    Hi,

    We are experiencing a problem as our home page appears to be hijacked by http://find4u.net/index.htm from our normal lycos start page. Our Internet Service Provider told us to download the "Hijack This" software to try to solve the problem. We have run the download and have attached the log below. Any assistance on what files we need to check to fix this problem would be so appreciated by us. Thank you so much for your help!
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Golfer273 :)

    Welcome to Wilders.

    Your log did not show up. ;)

    Did u try to copy and paste it into your post?



    snowbound
     
  3. Golfer273

    Golfer273 Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    8
    Hijack This Log File Attached

    Not sure if the log file posted, here it is from a copy and paste:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:41:01 PM, on 2/26/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSCHED.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\WINDOWS\SVCHOST.EXE
    C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
    C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE
    C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE
    C:\PROGRAM FILES\THE HELPSPOT!\RTFIXM32.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://online.lycos.com/att/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://mylycos.com/
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    O4 - HKLM\..\Run: [VSchedule] C:\Program Files\Network Associates\McAfee VirusScan\VSCHED.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\Run: [spp] regedit -s C:\WINDOWS\sp.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AdobeFonts] C:\WINDOWS\FONTS\fonts.hta
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Windows Guardian.lnk = C:\Program Files\the HelpSpot!\Fawgrd32.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://online.lycos.com/att/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    ok,

    Could u please download and run CWShredder at this link,

    http://www.computercops.biz/downloads-file-329.html



    snowbound
     
  5. Golfer273

    Golfer273 Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    8
    What do we do after we have downloaded this file?

    Thank you for your help!
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    After u download CWShredder, run it and let it fix everything it finds.

    Then post a fresh HijackThis log.



    snowbound
     
  7. Golfer273

    Golfer273 Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    8
    Wow, I typed this four times already to find out it wasn't posting due to our session logging out here.
    Well, we tried to download the CWShredder software from the web site that was listed but encountered issues. Our system uses Internet Explorer software. Could this be the problem? The link causes Netscape to open with a box that says download file? We click yes and then another window opens with the same question. This happens again and again. We finally got a file named VU583VE2 ? ? We can't seem to access this? Is there something we should be doing different or is there another place for this download? Help! :)
     
  8. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    hmmm.... that's strange. :doubt:

    I have IE and i just tested the link and download went fine.

    This is the only site i know of right now to get the download.

    Hopefully someone will post who can help with this situation.



    snowbound
     
  9. Golfer273

    Golfer273 Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    8
    We tried the link again and it did not work. Is it absolutely necessary to use the CWShredder before analyzing the hijack this log for what files to fix?
     
  10. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    find4u.net is a variant of the CoolWebSearch Hijacker.

    CWShredder will remove this malware.

    I am not a HijackThis expert so it could be possible to have HijackThis fix it itself.

    It is better for u to wait for advice from one of the experts.
    Please be patient as most of them live in different time zones.

    Sorry i could not help u any further. :(


    snowbound
     
  11. groundling

    groundling Registered Member

    Joined:
    Oct 26, 2003
    Posts:
    20
    Not an expert but you can download cwshredder from here:
    http://www.spywareinfoforum.com/~merijn/downloads.html

    Scroll down and get it from one of the mirrors or site

    Or here's a mirror http://www.zerosrealm.com/downloads.php
     
  12. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
    Hi:
    You could, if you had access to another machine, download the file to disc and copy it to your computer and go from there.
    To be honest I'm getting fed up with all this hijacking, worms, viruses, malware and what not that has been proliferating lately. I spend more time cleaning and repairing than enjoying my computer. :mad:
     
  13. Golfer273

    Golfer273 Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    8
    Hi, we have tried the links above and appear to have downloaded something for the CWShredder. The file appears to be named CWshredder.zip. When we click on this it opens up a Netscape window that is blank (we use Internet Explorer). Does anyone know how to open this file or to run the CWShredder? Thank you. -Golfer273
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  15. Golfer273

    Golfer273 Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    8
    Hi,

    Thank you for your help thus far. We were able to unzip the CWShredder file and ran the software. It found the following items: Which ones should we click fix for?

    Thank you,
    Golfer 273

    CWShredder v1.51.0 scan only report

    Windows 98 (4.10.1998 )
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system
    AppData folder: C:\WINDOWS\Application Data
    Username: Dix

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer,SearchURL
    Infected data: http://www.jethomepage.com/ie/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    Infected data: http://www.jethomepage.com/ie/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: http://find4u.net/sp.htm
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: http://find4u.net/index.htm
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
    Infected data: http://find4u.net/index.htm
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL
    Infected data: http://www.jethomepage.com/ie/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    Infected data: http://www.jethomepage.com/ie/
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    Infected data: http://find4u.net/sp.htm
    Found Hosts file: C:\WINDOWS\hosts (4 bytes, A)
    CWS.Olehelp Registry value: HKCU\..\Run [svchost] C:\WINDOWS\SVCHOST.EXE
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (8792 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2433 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -
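
An added triage example, not part of the original thread and not code from HijackThis or CWShredder: it parses the R-section lines of the HijackThis log posted above and groups the Internet Explorer registry values by the host they point at. The function names are hypothetical, and the host set is an assumption taken from the "Infected data" lines of the CWShredder report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# R-section lines copied from the HijackThis log posted in this thread.
LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://online.lycos.com/att/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://mylycos.com/
"""

# Assumption: hosts taken from the "Infected data" lines of the CWShredder report.
REPORTED_HOSTS = {"find4u.net", "www.jethomepage.com"}

# Line layout: Section - Key,ValueName = Data
R_LINE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.+)$")


def parse_r_entries(log):
    """Return (section, key, value_name, data) for each R-section line."""
    lines = map(str.strip, log.splitlines())
    return [m.groups() for m in map(R_LINE.match, lines) if m]


def flag_by_host(entries, hosts):
    """Map each reported host to the registry values whose data points at it."""
    hits = defaultdict(list)
    for _section, key, name, data in entries:
        host = urlsplit(data).hostname  # None for non-URL data (e.g. a window title)
        if host in hosts:
            hits[host].append(f"{key},{name}")
    return dict(hits)


if __name__ == "__main__":
    for host, values in flag_by_host(parse_r_entries(LOG), REPORTED_HOSTS).items():
        print(host, len(values))
        for value in values:
            print("   ", value)
```

On this log it returns nine registry values, one more than the eight the CWShredder report lists: `HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)` also points at find4u.net.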
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Use the Fix button and carefully read and follow the instructions provided by the program.

    Regards,

    Pieter
     
  17. Golfer273

    Golfer273 Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    8
    Thank you very much! This appears to have solved our problem. Excellent advice and service :) :)
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Good news. Excellent job. :cool:

    Regards,

    Pieter
     