find-everything hijacked!

Discussion in 'Malware Help (A Specialist Will Reply)' started by scraaatch, Feb 22, 2005.

  1. scraaatch

    scraaatch Private E-2

    I believe I have been hijacked by find-everything/more. Problems include:

    1) unable to change the home page through tools or regedit
    2) adds links to "my favorites"
    3) not able to access "control panel"
    4) computer seems to run slower when surfing the net

    I have followed the instructions in the "readme first" post including:

    "Getting Prepared"
    Step 3 (I am running Windows 98)
    Step 4 including Ad-Aware SE, CCleaner, Spybot including the DSO fix, Spyware blaster, and McAfee Avert Stinger

    "Scanning and Cleaning"
    Step 1a (no viruses found but no virus protection) I did NOT boot in safe mode and run AVERT Stinger

    I have NOT performed any steps under alternative scan as I did not think it applied to find-everything .com issues. I did try ADS SPY but was unable to run as it stated it could only be run on NTFS systems.

    I have also run HJT in its own directory but am unable to find the same lines mentioned in the post "www.find-everything" is killing my inner peach". If there are other threads regarding this problem I am unable to find them.

    Anyway, bottom line is I still have the problem and need help!

    Thanks for taking a look. Andy.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Andy,

    Attach a HijackThis Log and somebody will take a peek as time permits. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    PP :)
     
  3. scraaatch

    scraaatch Private E-2

    Thanks PhilliePhan!

    I ran HJT (C:/HJT/hijackthis.exe) by using Start/Run and closed as many items as I could in the system tray (I believe these are the programs running in the background that show up on bottom right of screen?). Both the browser and email programs were closed.

    Thanks for taking a look.

    Andy.
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Andy,

    Things don't look too bad. . . .

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-more.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-more.net/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-more.net/index.htm

    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\SYSTEM\WER1316.DLL

    Remove these two lines if you did not set them:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if it should remain:

    C:\WINDOWS\SYSTEM\WER1316.DLL

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
     
  5. scraaatch

    scraaatch Private E-2

    PP,

    Thanks for the quick reply!

    The problem still exists but keep reading....

    I performed all of the functions, HOWEVER, I was unable to boot into safe mode. I used the F8 key at boot but I received an Error (I tried this several times) screen. Is there another way to boot into safe mode?

    Also, when I checked for the WER1316.dll file (which I deleted in normal mode) I noticed that there were three WER1316.* files including an .ini, .dll and .tmp. I just went back and checked for the file and I only see the .ini and .tmp files at this time (Normal mode).

    One other thing to note is that I have a very difficult time shutting down. I have to either power down or CTL ALT DEL several times to manually shut down background programs. Again, thanks for helping me out!

    Andy.
     


  6. PhilliePhan

    PhilliePhan Guest

    Hi Andy,

    I'm not too familiar with Windows 98. . . .

    For alternate safe mode procedure: Booting to Safe Mode

    You should delete all those WER1316 files.


    Did you fix these lines below with HJT? Did they just come right back?

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-more.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-more.net/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-more.net/index.htm

    Will check back when time permits . . . Likely Thursday evening.

    PP :)
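
The check asked for above (did the fixed lines come right back?) can be done by comparing the lines that were fixed against the next HijackThis log; this is an added example, not part of the original thread, and the function names are hypothetical. The follow-up log here is constructed, since the real attachments are not on the page. Entries that reappear after a fix point to something rewriting them, typically an autostart entry that runs at boot.

```python
import re
from urllib.parse import urlparse

# A HijackThis entry line is "<section> - <detail>", e.g. "R1 - HKCU\...\Main,Search Bar = http://..."
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_hjt(log_text):
    """Return the set of (section, detail) pairs for every entry line in a log."""
    return {m.groups() for m in map(ENTRY_RE.match, log_text.splitlines()) if m}

def persisting(fixed_log, after_log):
    """Entries that were checked and fixed but are present again in the later log."""
    return sorted(parse_hjt(fixed_log) & parse_hjt(after_log))

def redirect_hosts(entries):
    """Hosts that R0/R1 (IE start/search page) entries point at."""
    hosts = set()
    for section, detail in entries:
        _, sep, value = detail.partition(" = ")
        if section in ("R0", "R1") and sep:
            host = urlparse(value.strip()).hostname
            if host:
                hosts.add(host)
    return hosts

# Lines the helper asked to fix, copied from the thread.
FIXED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-more.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-more.net/index.htm
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\SYSTEM\WER1316.DLL
"""

# Constructed follow-up log (the real attachment is not on the page):
# the BHO is gone, but the R0/R1 entries are back.
AFTER = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-more.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-more.net/index.htm
"""

if __name__ == "__main__":
    back = persisting(FIXED, AFTER)
    for section, detail in back:
        print("came back:", section, "-", detail)
    print("still redirecting to:", sorted(redirect_hosts(back)))
```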
     
  7. scraaatch

    scraaatch Private E-2

    PP,

    I did get into safe mode and reran your instructions in the previous post. Unfortunately, I'm still getting hijacked, and the entries you questioned in your newest post still exist. I did delete all WER1316.* files as well. Here is the newest HJT logfile.

    Thanks,

    Andy.
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try running CWShredder and see if it helps any.

    Download CWShredder


    After you run this, post a new HJT log.
     
  9. scraaatch

    scraaatch Private E-2

    I didn't run CWShredder but we've fixed the problem. I ran regedit and deleted the value mstask.exe from:

    HKEY Currentusers\software\microsoft\windows\currentversion\run

    I then went into safe mode and deleted all of the find-more and find-everything entries. I then rebooted and changed the homepage.

    I found this information by searching google to see if there were other fixes out there and came up with the posting:

    http://www.techsupportforum.com/computer/topic/38777-1.html

    Take a look at the bottom of this posting. It was interesting to note that find-more.com actually has a FAQ page that helps you fix the problem.

    I truly appreciate everybody's effort and time in helping me fix this problem and if there is anything I can do to help out please let me know.

    Andy.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

