i need help!!! please i think i've been hijacked

hey, i keep getting my default website to http://www.find-online.net/index.htm and a number of porn, insurance,and pharmecy links or folders in my favorites. i ran cws shredder which doesn't fix it...here is the scan results

can anyone please tell me how to get rid of it??thanks


CWShredder v1.59.0 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Tim\Application Data
Username: Tim

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://www.find-online.net/sp.htm
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: http://www.find-online.net/index.htm
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
Infected data: http://www.find-online.net/index.htm
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: http://www.find-online.net/sp.htm
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (568 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)

- END OF REPORT -

 

Hi timalodapus,

Welcome to Wilders.

Did you hit just the "Scan" button in CWShredder, or did you hit the "Fix" button?

Before you go further, please follow ALL the instructions in this link:
https://www.wilderssecurity.com/showthread.php?t=15913

Once you have downloaded HijackThis, create a permanent folder for it on your C: (call the folder whatever you'd like) then unzip Hijackthis.exe into the new folder (do not put it in a Temp folder or desktop).

Then open Hijackthis and run it by clicking on the Scan button. When the scan has finished, the "Scan" button will then change to a Save Log button. Press the "Save Log" button and save it to a location you can easily find it. Open the saved log with Notepad, and copy and paste the entire contents of the log here in your next post.

Please do NOT fix anything in Hijackthis by yourself. Most of what it lists will be harmless and even essential. Someone will review your log and reply back with instructions on what needs to be fixed.

Regards,

snap

 

hi, this is what i got.


Logfile of HijackThis v1.97.7
Scan saved at 12:36:37 a.m., on 21/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ziphelp.exe
C:\Tims\programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xtra.co.nz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ziphelp] C:\WINDOWS\ziphelp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38155.9582523148

 

Hi timalodapus,

First, could you navigate to the C:\WINDOWS folder and find the file ziphelp.exe, zip up a copy of it and submit it to pieterATwilderssecurity.org (replace the AT with an @) and include a link back to this thread with a brief message in the body of the email so Pieter will be able to find it easily. We'd very much appreciate a copy of it. Thank you kindly.

The above requested file may be hidden. Make sure you have all files and folders viewable: How to Show Hidden Files and Folders

Then boot your computer into Safe Mode by tapping the F8 key just before windows begins to load.


Rescan with Hijackthis and place a check beside the following items.
Close all windows except HijackThis, and click *Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm

(if this one does not look familiar to you, then fix it too.)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xtra.co.nz

(this one has been seen with another CWS infection similar to your's, so if you do not recognize it, please fix it too)
O4 - HKCU\..\Run: [ziphelp] C:\WINDOWS\ziphelp.exe

(this one is optional but it is a resource hog and isn't needed in the startup group)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

(the same with this one, fix it if you did not set this as your Start Page)
O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz

While still in safe mode, run CWShredder again. (make sure you have the most recent version which is version 1.59)

Reboot your computer, and post a new log here to be checked.

Regards,

snap

 

hey man, i tried what you told me, haven't done anything yet, but i only found this when i run hijackthis in safe mode, the others are not there.
shall i just fix them while not in safe mode??


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm

 

Hi timalodapus,

I'm not sure what you mean there, but yes, fix anything that has the "find-online" link in it.

Could you please post a new log so I can see where we're at.

Regards,

snap

 

sorry, what i meant was that, i booted into safe mode and scanned with hijack this, and only one of the things you mentioned to fix showed up, but in normal mode, they all show up....so shall i fix them in normal mode??

 

Hi timalodapus,

It is important to fix:
O4 - HKCU\..\Run: [ziphelp] C:\WINDOWS\ziphelp.exe

Delete the file it starts as well:
C:\WINDOWS\ziphelp.exe

The deleting might be easier in safe mode. Whether you use HijackThis in safe mode or not shouldn't matter.

Regards,

Pieter