"www.find-everything" is killing my inner peace

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Jeff Shapiro, Sep 20, 2004.

  1. Jeff Shapiro

    Jeff Shapiro Private E-2

    As of six days ago, my computer has been invaded by something (trojan?) that automatically changes my Internet Explorer homepage to "www.find-everything." Furthermore, it adds various sites to my favorites -- sites that are not only sexual, but also weirdly pornographic. All that's missing is a link to "Sex with Squirrels."

    I'm extremely eager to get rid of this thing that keeps haunting my beloved computer. I went ahead and followed all the guidelines laid out in the MajorGeeks article "Read Me First Before Asking For Support: Basic Spyware, Trojan and Virus Removal." I started to get excited at the prospect of liberation from the "find-everything" thing. In the end, however, it reset itself as my homepage first chance it got. Talk about frustration.


    I'm the opposite of expert when it comes to computer stuff. I would certainly appreciate any step-by-step guidance you could give me. I've saved my HijackThis log and would be happy to post it. Please don't let my cry for help go unheard!

    Many thanks.

    Jeff
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run ALL the steps from the READ ME FIRST then you should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >

    And post your HijackThis log according to the guidelines as a .txt file attachment. Make sure you have the correct version of HJT as will be found by clicking the link in the READ ME FIRST thread.

    All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Jeff Shapiro

    Jeff Shapiro Private E-2

    Dear Chaslang,
    Thanks very much for the speedy reply.

    I've read through the tutorial on HijackThis. I haven't yet had the program fix anything. I was hoping to get a green flag and some guidance from you first.

    As requested, I'll try to post the log file as an attachment. Let's hope I do it correctly!

    Many thanks again for the help. Eagerly awaiting further instructions.
    Yours, Jeff
     

    Attached Files:

  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    You did not do any online virus scanning. Your HijackThis is horribly old. If there was something you could not complete, you should tell us. This is the number one reason computer repairs cost people so much: people neglect to be honest, causing techs to work twice as hard to find the real problem. In this case, we do this for free, so we expect you to REALLY read the tutorials and report back honestly what happened. Here's some for removal; they may stick, may not, but you might want to follow our instructions in the READ ME FIRST before removing.

    C:\WINDOWS\zhelp.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.html
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Collegamenti a ritroso - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Pagine simili - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Versione cache della pagina - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    Don't recognize these 2, your call:
    O16 - DPF: {15320607-1001-1831-1000-118599957123} - ms-its:mhtml:file://C:\path.mht!http://195.225.176.5/d/yckgwax/rxhkqws/mamzlwq/oaebkw/arct.chm::/painter.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0706589e5d0372844422/netzip/RdxIE601_it.cab
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Jeff,

    As MA has pointed out, you did not follow at least two of my directions. I specifically requested you to check the HijackThis version against our link and I also said do not run it from the Desktop.

    So resolve those two items and fix what MA has given to you. Then post a new log with the correct version of HJT (not on your Desktop).
     
  6. Jeff Shapiro

    Jeff Shapiro Private E-2

    Dear Major Attitude and Chaslang,
    Your points are well-taken. I hope you understand that dishonesty doesn’t come into the picture. What could I possibly hope to gain by trying to deceive? If my answers fell short of the full truth, I would blame instead my own incompetence, frustration, impatience, and plain old ignorance. Keep in mind that some of your instructions, however clear, are like saying to someone who is used to driving only cars with an automatic transmission, “I told you to put your foot on the clutch, damn it!”
    A not surprising reply might be, “You mean that wasn’t the clutch I stepped on? I couldn’t have sworn it was the clutch. It was one of those little black pedals down there, anyway. Isn’t that the same thing?”

    Rather than say I had carried out all steps, I should have said that I tried to do everything to the best of my ability (or inability!). Here, in any case, is an update on the steps I’ve taken.

    Getting Prepared:
    1) Disable System Restore temporarily. Yes, I’ve done that.
    2) Network Security & Workstation Netlogon Services. I’ve done this, too.
    3) Enable viewing of hidden files and folders and extensions. Yes.
    4) Downloading tools. I’ve downloaded the following tools:
    Ad-Aware SE
    Ad-Aware VX2 Cleaner Plug-In
    CCleaner
    Spybot
    McAfee AVERT Stinger
    CWShredder

    Scanning and Cleaning Steps:
    1b) I had a problem here. Although I booted in “safe mode with networking support,” I couldn’t convince my computer to connect to the net. Right-clicking on the properties for IE, I discovered the setting for “never connect.” Clicking around some, I ended up activating Connection Wizard, then panicked and stopped trying. Here’s my question: Does it make sense that I would need to set up a new connection for safe mode when my computer connects perfectly well in normal mode?
    For fear of making a wrong move, I have, since posting my last message to you, run the Trend Micro’s Free Online Virus Scan (in normal mode, because I was having no luck in safe mode). The scan took about an hour. The scan revealed no viruses or other threats.
    I then attempted to run the Symantec Security Check online scan. About 25 minutes into the download, the connection was interrupted by a glitch on the phone line. (I live in the Italian countryside. Phone connections are intermittent at the best of times.) I have not tried that online scan again, mostly because I have Norton Antivirus on my computer and keep that program constantly updated. Would the Symantec online scan reveal anything that the Norton Antivirus might miss? I’d be happy to try the online scan again if you tell me it’s necessary.
    I ran the McAfee AVERT Stinger. It found no viruses or threats.
    2) Clean Your Hard Drive. I did this with the CCleaner. An oddly refreshing experience. I have not yet performed the optional operation of deleting Index.dat. Should I?
    3) Main Spyware Scan and Removal. I’ve repeatedly run Spybot, and have run Ad-Aware some 48 times. Spybot finds and fixes 3 or 5 instances of DSO Exploit each time.
    Ad-Aware sometimes finds a series of critical objects; other times it finds only negligible objects. I have the program remove both sorts of object, for good measure.
    4) Secondary Spyware Scan and Removal: I’ve run CWShredder.

    One or two nights ago (I haven’t been sleeping much because of this bug), I managed to make the computer appear problem-free in safe mode, in that Ad-Aware could find no dangerous objects and the homepage stopped resetting itself to “find-everything” or “find-online.” Just when I started to get happy, I rebooted in normal mode and the homepage reset itself to “find-everything” once more.
    I don’t understand what this means. Is it possible for a problem to appear solved in safe mode, only to reappear in normal mode? Is this symptom indicative of something?

    As to Hijack This, I didn’t realize I was using an outdated version. I have now chucked the old version and downloaded Hijack This.v.1.98.2. Is this a better version?
    I also didn’t realize I was using it from the desktop. (“You mean that’s not the clutch?”) You see, I created a file on the desktop called “Download Shortcuts,” and within that made a separate file called “Hijack This” where I’ve placed anything pertinent to Hijack This. Where should I put Hijack This instead?

    I went ahead and deleted all the files that Major Attitude recommended on the previous Hijack This log, and now attach the most recent log as a text file. Looking forward to further recommendations.

    The symptoms persist. The homepage keeps resetting itself for “find-everything,” and unwanted sites keep finding their way onto my favorites list, however many times I delete them.

    Here’s another symptom I forgot to mention before. When I’m shutting down, a window appears to tell me that the computer is trying to end a program called Win Min. If I let it keep trying, it tells me its attempt was unsuccessful because the program isn’t responding. I can bypass this hitch by clicking on the End Now button. Do you think this shut-down problem is related to the “find-everything” menace?

    There you have it. That’s as full a truth as I know how to describe. I appreciate your patience in seeing me through these dark days. Eager to receive your advice and comments.

    Many thanks. Yours, Jeff
     

    Attached Files:

  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    First off, we don't think you're deceiving; what we are asking is that when you return, we would like to know any symptoms and what steps you could not carry out. Since most steps are verifiable by a HijackThis log, it's a bit annoying to think we need to take twice as long when you could be fixed up and us on to another person. Not reporting completely causes this. Not following our directions could cause a loss of internet or the computer completely. We don't want that :) Hope that explains it. Let's remove:

    Not sure about this one; you're going to have to guess:
    C:\WINDOWS\System32\ACS.exe

    C:\WINDOWS\zhelp.exe
    O4 - HKCU\..\Run: [zhelp] C:\WINDOWS\zhelp.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    Sort of wondering, are you running Zone Alarm or any Etrust products? These 2 lines could be a trojan by the name ca.exe, but if you're running one of the 2, hold off on removing them:

    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ca.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ca.exe

    I am concerned because I don't know why a product called Zone Alarm would put their product into an Etrust folder, but it could be some weird deal I am unaware of.

    Check back, that should have you fixed up.
     
  8. Jeff Shapiro

    Jeff Shapiro Private E-2

    Dear Major Attitude,
    I can't believe it, but the problem would seem (touch wood) to have disappeared, thanks to your recommendations. I think you should be promoted from Major to General.

    Here's a rundown.

    I noticed that the HijackThis logs seemed to change considerably from scan to scan, with some objects vanishing and others appearing out of the blue. I wasn't surprised, therefore, when I couldn't find the ACS.exe file anywhere on my computer.

    I did, however, find the zhelp files. These, I believe, were the culprit. I couldn't delete them with HijackThis because, so a message told me, they were currently in use. Using Task Manager, I blocked their use, found out their properties (no coincidence, but those files were created the very same night I first noticed signs of infection on my computer), and then deleted them.

    I could find neither of the Extras that HijackThis had listed as O9 items, but that doesn't seem important.

    As to the ETRUST stuff, I think I was overly hasty in deleting that object. In a subsequent search of my hard drive, I discovered various ETRUST files that are connected to the EZ Firewall I'm using. Whoops! I hope the deletion of the one file that appears on the list in your post won't impair the firewall's effectiveness. Maybe someday I'll learn to be less impatient. (Unlikely.)

    And now, for a change, I can report some symptoms of health. After the deletions (the zhelp especially, I'm certain), the homepage no longer set itself to "find-everything." And when I rebooted the computer as a test, it had no problem in shutting down, no hitch on the Win Min that had obstructed shut-down previously. Once I rebooted, I checked out the properties of IE, and, for the first time in a week, it hadn't reset itself to that damned "find-everything." Navigating even feels quicker now.

    Very encouraging. Looks like a success. Superstitiously, I'm still keeping my fingers crossed.

    Two last questions.

    1) I read in the READ THIS post that you suggest getting rid of Java as a precaution against future infection. Frankly I've never understood what Java is. Is it anything I'll miss if I delete it?
    2) Please tell me how I can repay you for the help you've given me. Would you like me to send you cash payment? Alternatively, I'm a novelist and would be happy to send you a book. (I live by my computer, which is why I've been feeling so desperate.) I believe my e-mail address is on my membership record. Please feel free to write to me to let me know how I can send you some concrete form of thanks.

    Should I send you a new HijackThis log to make sure I'm really as clean as I feel?

    Fingers still nervously crossed.

    Many, many thanks. Yours, Jeff
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Jeff,

    The MS Java files appear to already be gone. That is what HJT is pointing out. So there is no harm in fixing those lines. The READ ME FIRST tutorial is pointing out that MS Java is no longer supported and was a security problem. Thus we recommend removing it. However, you install Sun Java after that. Thus you have the support that will be required for Java scripts.
     
