i need help!!! please i think i've been hijacked

Discussion in 'adware, spyware & hijack cleaning' started by timalodapus, Jun 20, 2004.

Thread Status:
Not open for further replies.
  1. timalodapus

    timalodapus Registered Member

    Joined:
    Jun 20, 2004
    Posts:
    4
hey, i keep getting my default website set to http://www.find-online.net/index.htm and a number of porn, insurance, and pharmacy links or folders in my favorites. i ran cws shredder which doesn't fix it... here are the scan results

can anyone please tell me how to get rid of it?? thanks


    CWShredder v1.59.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Windows XP (5.01.2600 SP1)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system32
    AppData folder: C:\Documents and Settings\Tim\Application Data
    Username: Tim

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: http://www.find-online.net/sp.htm
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: http://www.find-online.net/index.htm
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
    Infected data: http://www.find-online.net/index.htm
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    Infected data: http://www.find-online.net/sp.htm
    Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, A)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
    Found Win.ini file: C:\WINDOWS\win.ini (568 bytes, A)
    Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)

    - END OF REPORT -
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi timalodapus,

    Welcome to Wilders.

    Did you hit just the "Scan" button in CWShredder, or did you hit the "Fix" button?

    Before you go further, please follow ALL the instructions in this link:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Once you have downloaded HijackThis, create a permanent folder for it on your C: (call the folder whatever you'd like) then unzip Hijackthis.exe into the new folder (do not put it in a Temp folder or desktop).

    Then open Hijackthis and run it by clicking on the Scan button. When the scan has finished, the "Scan" button will then change to a Save Log button. Press the "Save Log" button and save it to a location you can easily find it. Open the saved log with Notepad, and copy and paste the entire contents of the log here in your next post.

    Please do NOT fix anything in Hijackthis by yourself. Most of what it lists will be harmless and even essential. Someone will review your log and reply back with instructions on what needs to be fixed.

    Regards,

    snap
     
  3. timalodapus

    timalodapus Registered Member

    Joined:
    Jun 20, 2004
    Posts:
    4
    hi, this is what i got.


    Logfile of HijackThis v1.97.7
    Scan saved at 12:36:37 a.m., on 21/11/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\ziphelp.exe
    C:\Tims\programs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xtra.co.nz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ziphelp] C:\WINDOWS\ziphelp.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38155.9582523148
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi timalodapus,

    First, could you navigate to the C:\WINDOWS folder and find the file ziphelp.exe, zip up a copy of it and submit it to pieterATwilderssecurity.org (replace the AT with an @) and include a link back to this thread with a brief message in the body of the email so Pieter will be able to find it easily. We'd very much appreciate a copy of it. Thank you kindly. :)

    The above requested file may be hidden. Make sure you have all files and folders viewable: How to Show Hidden Files and Folders

    Then boot your computer into Safe Mode by tapping the F8 key just before windows begins to load.


    Rescan with Hijackthis and place a check beside the following items.
    Close all windows except HijackThis, and click *Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm

    (if this one does not look familiar to you, then fix it too.)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xtra.co.nz

(this one has been seen with another CWS infection similar to yours, so if you do not recognize it, please fix it too)
    O4 - HKCU\..\Run: [ziphelp] C:\WINDOWS\ziphelp.exe

    (this one is optional but it is a resource hog and isn't needed in the startup group)
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    (the same with this one, fix it if you did not set this as your Start Page)
    O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz

    While still in safe mode, run CWShredder again. (make sure you have the most recent version which is version 1.59)

    Reboot your computer, and post a new log here to be checked.

    Regards,

    snap
     
    Last edited: Jun 20, 2004
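The instructions above amount to a manual triage of a HijackThis log: each R0/R1 line is an Internet Explorer start/search setting, each O4 line is an autostart entry, and the ones to fix are those that point at the hijacker's domain or at an unexplained executable. The script below is an added example (not part of the thread, and not HijackThis or CWShredder code) that automates that triage over log text: it parses the R0/R1, O4 and O14 lines, flags any entry whose URL host belongs to a supplied indicator domain, and marks for review any Run entry that launches an .exe sitting directly in the Windows directory, which is where the thread's ziphelp.exe lives. The sample log is a constructed subset of the log posted earlier in this thread; the indicator list, function names and the "review" heuristic are this example's own choices.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis 1.97.7 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xtra.co.nz
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ziphelp] C:\WINDOWS\ziphelp.exe
O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38155.9582523148
"""

# Indicator domain taken from the thread; a real run would use a maintained list.
BAD_DOMAINS = ["find-online.net"]

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
URL_RE = re.compile(r"https?://[^\s\"']+")
# An .exe located directly under the Windows directory (no deeper subfolder).
WINROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def parse_hjt_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis line into section, key and value; None if not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "raw": line.strip(), "key": body, "value": ""}
    if section in ("R0", "R1"):
        key, _, value = body.partition(" = ")          # "<registry key> = <url>"
        entry["key"], entry["value"] = key, value
    elif section == "O4":
        m4 = RUN_RE.match(body)                         # "HKCU\..\Run: [name] command"
        if m4:
            entry["key"] = m4.group("hive") + "/" + m4.group("name")
            entry["value"] = m4.group("cmd")
    elif section == "O14":
        key, _, value = body.partition("=")             # "IERESET.INF: START_PAGE_URL=<url>"
        entry["key"], entry["value"] = key, value
    else:
        entry["value"] = body                           # O16 etc.: inspect the whole body for URLs
    return entry


def host_matches(url: str, domains: List[str]) -> bool:
    """True if the URL's host is one of the domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def executable_path(cmd: str) -> str:
    """Extract the program path from a Run command, handling quoted paths and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def audit_log(text: str, domains: List[str]) -> List[Dict[str, str]]:
    """Return findings: 'ioc' for indicator-domain hits, 'review' for Windows-root Run entries."""
    findings = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        urls = URL_RE.findall(entry["value"])
        if any(host_matches(u, domains) for u in urls):
            findings.append({"severity": "ioc", "raw": entry["raw"],
                             "reason": "points at indicator domain"})
            continue
        if entry["section"] == "O4" and WINROOT_EXE_RE.match(executable_path(entry["value"])):
            findings.append({"severity": "review", "raw": entry["raw"],
                             "reason": "autostart of an .exe directly in the Windows directory"})
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG, BAD_DOMAINS):
        print(f"[{f['severity']:6}] {f['reason']}: {f['raw']}")
```

Entries that only carry the user's ISP start page (xtra.co.nz) or the Windows Update control are not reported, which mirrors the advice in the thread to fix only the find-online entries and to treat other lines as harmless unless unrecognised. The "review" heuristic is deliberately a prompt for a human, not a verdict: legitimate drivers also start from the Windows directory, so an analyst still has to identify the file, as Pieter does later in the thread by asking for a copy of it.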
  5. timalodapus

    timalodapus Registered Member

    Joined:
    Jun 20, 2004
    Posts:
    4
    hey man, i tried what you told me, haven't done anything yet, but i only found this when i run hijackthis in safe mode, the others are not there.
    shall i just fix them while not in safe mode??


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi timalodapus,

    I'm not sure what you mean there, but yes, fix anything that has the "find-online" link in it.

    Could you please post a new log so I can see where we're at. :)

    Regards,

    snap
     
  7. timalodapus

    timalodapus Registered Member

    Joined:
    Jun 20, 2004
    Posts:
    4
    sorry, what i meant was that, i booted into safe mode and scanned with hijack this, and only one of the things you mentioned to fix showed up, but in normal mode, they all show up....so shall i fix them in normal mode??
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi timalodapus,

    It is important to fix:
    O4 - HKCU\..\Run: [ziphelp] C:\WINDOWS\ziphelp.exe

    Delete the file it starts as well:
    C:\WINDOWS\ziphelp.exe

    The deleting might be easier in safe mode. Whether you use HijackThis in safe mode or not shouldn't matter.

    Regards,

    Pieter
     