Hijacked by find-everything.com

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ne0phyte, Apr 2, 2005.

  1. ne0phyte

    ne0phyte Private E-2

    Hey Guys,

    I've been hijacked by find-everything.com and I've done everything the guide said (followed every instruction), but it hasn't been completely fixed.

    Most of the scans reported nothing, but using Symantec Anti-Virus, it found a trojan file and deleted it. Using the CWS scanner, it found a variant and fixed it. After those two incidents, nothing can be found using any of the scans.

    But the problem remains. Every time I shut down/restart, I get an "unable to shutdown win min.exe" error. Obviously that is a trojan, but I have been unable to find it on my hard drive (even with the viewing of system and hidden files enabled). Besides that error, my homepage in Internet Explorer is permanently linked to "http://www.find-everything.com/index.htm", no matter what I change in the registry.

    I've included my HijackThis log as an attachment. I hope one of you guys can help.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow forum guidelines on using HijackThis. Only post logs when requested and you must follow the steps below. You MUST exit all browsers before using HijackThis and you must not post logs from safe mode boot unless we request them that way. Normally they are not useful.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word, etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    Were you running the below?
    C:\Documents and Settings\aznkc730\Local Settings\Temporary Internet Files\Content.IE5\F7EC72XY\fixvundo[1].exe
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install Tencent QQ?

    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\qq\QQ.exe
    O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\qq\QQ.exe

    It is adware. See http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453083549
     
  4. ne0phyte

    ne0phyte Private E-2

    Sorry about posting the HJT log, but I thought it would save some time. Yes, I followed all the scanning guidelines. I did all scans in reg boot and in safe mode. I have the latest version of HJT, and yes, I made a folder with nothing else in it but just HJT. As of now, I still can't figure out what .exe I'm being hijacked with.

    Also, I did install Tencent QQ. I know it is spyware, but it's the only messaging program my cousins use in China that supports both Chinese and English.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need to see a HijackThis log from normal boot mode with no browsers running. Post as an attachment.
     
  6. ne0phyte

    ne0phyte Private E-2

    Well, luckily, I managed to figure it out on my own. The hijacked exe was mstask.exe. Once I disabled that, all my problems went away. But just to be safe, could one of you guys look at my HJT log and tell me if it's clean?
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The mstask.exe process was on my list but I wanted to see a full HJT log from normal boot mode before doing anything with it.

    You're clean now. But you can just fix the below leftover line from running HSremove:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
     
  8. ne0phyte

    ne0phyte Private E-2

    Thanks, chaslang! But about the mstask.exe, I just deleted it, since I never use it anyway. I didn't know how else to fix the problem, since my antivirus can't quarantine or fix it. I think I'll just copy a clean version of mstask.exe from one of my friends' computers if I ever need it.

    Once again, thanks.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not need it! It is not part of Windows XP. What you had was a virus. mstask.exe is a valid file in Win9x based systems (if located in the proper folder) but it is not valid in WinXP!

    You should fix the entry in HijackThis if still there too.
     
