Another find4u hijacked victim


Name: harryg
Date: March 1, 2004 at 08:55:01 Pacific
OS: Win 98
CPU/Ram: 450 MHz/128 RAM
Comment:

I have recently run Spysweeper and Adaware and now have Zone Alarm installed but was infected with find4u several months ago. I want to get rid of it since it's a nuisance.
With what's been shown above, can anybody direct me what I should remove? Keep in mind that I'm not very computer literate. Thanks in advance.

Logfile of HijackThis v1.97.5
Scan saved at 11:35:23 AM, on 3/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\MATROX MGA POWERDESK\MGACTRL.exe
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.exe
C:\PROGRAM FILES\CD-WRITER PLUS\HP SIMPLE TRAX\HPCRON.exe
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\WINDOWS\SVCHOST.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.exe
C:\PROGRAM FILES\MATROX MGA POWERDESK\QDESK\MGAQDESK.exe
C:\WINDOWS\OLEHELP.exe
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.exe
C:\PROGRAM FILES\PICOZIP\PICOZIPTRAY.exe
C:\WINDOWS\SVCHOST.exe
C:\PROGRAM FILES\CD-WRITER PLUS\E-REG\REMIND32.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.exe
C:\PROGRAM FILES\PALM\HOTSYNC.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\YOSUJCI.exe
C:\WINDOWS\SYSTEM\THS8952.exe
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.exe
C:\INSTALL\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/spa.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/indexa.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/spa.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/indexa.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
F1 - win.ini: run=fntldr.exe
O1 - Hosts: 1089288654 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Matrox Control Center] C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [HP Simple Trax] C:\Program Files\CD-Writer Plus\HP Simple Trax\hpcron.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] c:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [4M#2B9825NZ7LX] C:\WINDOWS\SYSTEM\Nub7i0h.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\SYSTEM\soundmx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - HKCU\..\Run: [Matrox QuickDesk] C:\Program Files\Matrox MGA PowerDesk\QDesk\mgaqdesk.exe
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\olehelp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PicoZip] C:\PROGRAM FILES\PICOZIP\PicoZipTray.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.exe
O4 - Startup: Reminder-hpc41801.lnk = C:\Program Files\CD-Writer Plus\E-Reg\REMIND32.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HotSync.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)





Response Number 1
Name: trvlr
Date: March 2, 2004 at 06:58:34 Pacific
Reply:

I got rid of this particular pest using CWShredder - but just recently it seems to have had a few problems (for some folks)? Which having said... a very recent comment by SVG seems to suggest all is now well with CWShredder?

Check out the assorted references/links in:

http://www.computing.net/windowsxp/wwwboard/forum/94623.html

http://www.computing.net/windows95/wwwboard/forum/155566.html

http://computing.net/windows2000/wwwboard/forum/31494.html

http://www.computing.net/windows2000/wwwboard/forum/55980.html

There will be some duplication in the above references - sorry about that...; but check them all out regardless. SVG and The Count (and DAVE in Caps) to name but three, seem to be well across dealing with many of these irritants.



Response Number 2
Name: harryg
Date: March 2, 2004 at 10:29:04 Pacific
Reply:

Thanks TRVLR. CWSHREDDER worked. PC didn't want to power up to find4u afterwards. Thanks again.



Response Number 3
Name: Abnormal
Date: March 2, 2004 at 11:56:27 Pacific
Reply:

Harry, you also have the Peper trojan.
O4 - HKLM\..\Run: [4M#2B9825NZ7LX] C:\WINDOWS\SYSTEM\Nub7i0h.exe

Please run this uninstaller: http://www.voiceofthepublic.com/nasties/puninst.exe

Note: This must be done online with full net access.

Good luck

There is no reason for any individual to have a computer in his home.
Ken Olsen (1926 - ), President, Digital Equipment, 1977



Response Number 4
Name: The Count
Date: March 2, 2004 at 15:08:12 Pacific
Reply:

Hi harryg, trvlr, Abnormal, hi everyone

Although I'm still in learning mode on the logs, I have analyzed yours and I think you really want to run an up-to-date full virus scan and/or an online virus scan on all of your drives. Housecall is an online virus scanner you could run.
(http://housecall.antivirus.com/housecall/start_frame.asp)

You would also want to run CWShredder.
(http://www.softpedia.com/public/cat/10/17/10-17-150.shtml)

Reading your log I've found references to two other viruses, W32.Hostidel.Trojan.B/C or Backdoor.Daemonize and Trojan.Bookmarker.D.
I also found references to the CoolWebSearch parasite; if I'm not mistaken, CWShredder should take care of this.

I would also like to recommend updating your Ad-Aware to the latest definitions, 01R264 29.02.2004, and re-running Ad-Aware.
Furthermore, grab yourself a copy of Spybot Search & Destroy; after installing, click on the Online button and then on Update to get the latest updates. Then run the program.

When you have fixed what the above programs found, run the latest version of HijackThis and post back the log.
(http://www.softpedia.com/public/cat/10/17/10-17-69.shtml)

As for now I don't think it's really useful to you to post what you want to clean, I urge you first to follow the above suggestions.

Special thanks go to Mesich; with his guidance I'm getting familiar with analyzing the logs. He's got an enormous list of cleaned logs to his name, bridge.dll RUNDLL error :-))
(http://computing.net/windowsme/wwwboard/forum/40996.html)

Best Regards and Wishes,
The Count, Co-webmaster of mesich.com
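
A first-pass reading of a HijackThis log like the one posted above, as an added example that is not part of the original thread or of HijackThis itself: it groups the Internet Explorer page values by host, counts the entries the tool marked "(obfuscated)" or "(no file)", decodes the hosts-file override, and lists executables started from more than one Run entry. The function names are hypothetical, the sample is a subset of the posted log, and reading a bare-integer hosts address as a 32-bit IPv4 value is an assumption.

```python
import re
from collections import Counter, defaultdict
from ipaddress import IPv4Address
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.5
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/spa.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 1089288654 auto.search.msn.com
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
AUTORUN = re.compile(r"^(\S+): \[(.+?)\] (.+)$")  # registry Run keys only

def parse_entries(text):
    """Return (section code, body) pairs; header and process-list lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def triage(entries):
    """Summarise a log for review. It reports facts, not verdicts."""
    out = {"ie_hosts": Counter(), "obfuscated": 0, "no_file": [], "hosts": [],
           "autoruns": defaultdict(list)}
    for code, body in entries:
        if code in ("R0", "R1"):            # IE start/search page values
            value = body.partition(" = ")[2].split()
            if value:                       # the value can be empty
                out["ie_hosts"][urlparse(value[0]).hostname] += 1
            out["obfuscated"] += body.endswith("(obfuscated)")
        elif body.endswith("(no file)"):    # registration whose file is missing
            out["no_file"].append(body)
        elif code == "O1":                  # hosts-file override
            addr, name = body.split(": ", 1)[1].split()[:2]
            # Assumption: a bare integer address is a 32-bit IPv4 value.
            out["hosts"].append((name, str(IPv4Address(int(addr))) if addr.isdigit() else addr))
        elif code == "O4" and (m := AUTORUN.match(body)):
            out["autoruns"][m[3].lower()].append(f"{m[1]} [{m[2]}]")
    return out

def shared_autoruns(report):
    """Executables started from more than one autorun entry."""
    return {exe: names for exe, names in report["autoruns"].items() if len(names) > 1}

REPORT = triage(parse_entries(SAMPLE_LOG))
```

The summary only narrows down which lines to look up first; whether an entry is malicious still has to be confirmed with a scanner or a reference list.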

