find4u removal help

Original Message
Name: Thunder01
Date: January 9, 2004 at 20:17:31 Pacific
Subject: find4u removal help
OS: XP
CPU/Ram: AMD AthlonXP/512
Comment: My homepage has been hijacked by find4u.net

Logfile of HijackThis v1.97.7
Scan saved at 11:06:16 PM, on 09/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\olehelp.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Long Duong\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uoguelph.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I've tried AdAware AND SpyBot S&D but neither of those solved the problem. Please help.

Response Number 2
Name: suzi
Date: January 9, 2004 at 23:16:02 Pacific
Reply: These are bad and need to be deleted:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm

There may be others - you could wait for an expert's opinion.

Response Number 3
Name: Abnormal
Date: January 10, 2004 at 14:55:14 Pacific
Reply: Did cwshredder remove this or not?

O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe

Olehelp.exe is a CoolWebSearch hijacker variant.

Response Number 4
Name: iceblue
Date: January 10, 2004 at 15:02:26 Pacific
Reply: Those entries are spot on, suzi. This had me guessing http://www.uoguelph.ca/ as it looked random, but I now know about one more Canadian uni. lol.

One thing to do is to put HjT in a permanent folder rather than a temp file, which ensures that the backup function in HjT will always be available if required, 'cause that temp folder gets cleaned out at some point in time. Next thing is: show hidden and operating system files, as there can sometimes be a hidden rogue winlogon.exe. So good idea to do those changes first and then repost a new log.

It’s the Olehelp.exe that has been flagged as a CWS variant by Tony Klein and is listed as Pacs Portal as X- CWS to be removed. But do that after the changes above when you repost that new log.

iceblue

Response Number 5
Name: Renatode
Date: January 14, 2004 at 02:57:55 Pacific
Reply: Hello Thunder 01. Do this:

First delete C:\windows\system32\olehelp.exe. You may have problems deleting this file; if you do, close C:\Windows\System32\olehelp.exe at "Running Processes" first and try to erase the file olehelp.exe at c:\windows\system32 again.

Then run Regedit.exe and delete the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Olehelp.exe

Then you can change your homepage and will be free of find4u.net

Response Number 6
Name: JohnTapley
Date: January 15, 2004 at 05:57:40 Pacific
Reply: I contacted find4u and explained that they have taken over my homepage and would they kindly send me information on how to remove this 'hijacking'. This is what they sent:

Hello! No problem. Absolutely! Just scroll down start page or click the link directly: http://find4u.net/help.htm New detailed instructions just added for assisting you. Reload the help page if you see old variant of help! Max.

...of course I had already tried this and they knew damn well this wouldn't work... suffice to say I sent them another e-mail telling them what I thought of them (to help vent my frustration). Anyway, the shredder file worked great, thanks.

Response Number 7
Name: browne16549
Date: January 15, 2004 at 11:16:24 Pacific
Reply: There is only 1 way to remove FIND4U.NET. It's controlled by a rogue file called WINLOGON.EXE which stays in MSCONFIG, and running virus software or cleanup applications is pointless; it will just come back on start up.

TO REMOVE THIS PESKY LITTLE BLIGHTER: You need to put your PC into Safe Mode. Do this by repeatedly hitting the F8 button when your PC starts up - if the motherboard boot sequence comes up first, hit Esc and then the F8 button again immediately. The Windows Start up screen will then appear. Select Safe Mode and then go Start, then Search. You need to search for a file called WINLOGON.EXE. When found, delete it - BUT THERE ARE GENUINE WINLOGON FILES WHICH MUSTN'T BE DELETED. THE ROGUE WINLOGON.EXE FILE WILL USUALLY BE THE MOST RECENT ONE AND WILL BE 12-25KBS IN SIZE. THE GENUINE WINLOGON FILES ARE 250-510KBS IN SIZE AND ARE USUALLY HELD IN THE C:\WINDOWS FOLDER. THE ROGUE WINLOGON.EXE FILE WILL BE HELD IN THE DEFAULT FOLDER YOU USE WHEN DOWNLOADING FROM THE WEB, E.G. Documents and Settings\User\My Pictures, ETC.

Once WINLOGON.EXE has been deleted, go to Control Panel and in the Internet Options, General tab make sure the Home Page is either blank, or the site of your choice. If FIND4U is in there, delete it. Empty the recycle bin. Restart and everything will all be OK.

Response Number 8
Name: yakamichimurder
Date: January 16, 2004 at 19:58:13 Pacific
Reply: i agree with browne16549 - the only way is to remove the fake winlogon.exe - all steps mentioned in browne's post are correct, but i thought i just had to add this... i tried both approaches - clearing the registry manually, then deleting the winlogon.exe file manually - i believe this combination works best. i use win xp, and attempting to stop the winlogon.exe (observe the lower case here, the real one's all upper case) using taskmanager did not work - it apparently believes both are the real thing. so rebooted the pc, and on startup, pressed f8 - brought up a menu and navigated to command prompt with safe mode. on searching for this file, found it in "all users\..\startup\", which ensures it's run first thing (on win xp, even before the logon screen is shown). deleted it using the "del winlogon.exe" command (it's an old dos trick, for the newbies), and restarted in normal mode. problem cleared. thanks browne!

Response Number 9
Name: agent 47
Date: January 19, 2004 at 19:03:59 Pacific
Reply: browne16549 and yakamichimurder are right on, I followed their directions and successfully removed the find4u spyware. THX, The Agent

Response Number 10
Name: jude6453
Date: January 24, 2004 at 18:54:03 Pacific
Reply: hey, i have had this same problem and have tried many times to delete the virus. i think i finally killed it. however i was wondering if there was any way the cops/gov't/internet security people can go after the people that host the site "find4u" or any other websites that spread malicious viruses. jude

Response Number 11
Name: jackj
Date: February 5, 2004 at 17:20:41 Pacific
Reply: Just a word of caution on deleting winlogon.exe in safe mode. I had two files named winlog.exe in lower case, both were 19 to 21 kbs in size and both had been created within days of each other. I deleted both but left them in the recycle bin. After restarting I could no longer dial up my ISP. Restoring them one by one I was able to sort them out. The end result was great: not only was find4u gone, but 4 items on my favorites list that I had not put there and that could not be deleted were gone for good. Thanks

Response Number 12
Name: djboo
Date: February 7, 2004 at 10:54:27 Pacific
Reply: browne16549, I followed your instructions to the letter. However, search results came up empty when searching for WINLOGON.EXE. I don't understand. Do you have any idea? djboo

Response Number 13
Name: brutus1
Date: February 9, 2004 at 17:17:50 Pacific
Reply: Thanks Renato. Your steps worked for me. I tried cwshredder, but it kept stopping on olehelp.exe. I followed your steps to manually delete that file and the registry key and that did the trick. Thanks again.

Response Number 14
Name: TheCaller24
Date: February 16, 2004 at 22:21:30 Pacific
Reply: Listen sorry for bothering everyone, but I have that same problem. Except, now a new website has come up. It is called thesearches. I receive even more websites in my favorites, and porn and marijuana popups appear. I don't even know what to download. I tried cwshredder, but I can not get to the page. Also, I tried using spybot:Search and Destroy and Ad-Aware, but it doesn't help. I'm desperate here. Your friend, TheCaller

Response Number 15
Name: TheCaller24
Date: February 16, 2004 at 22:23:04 Pacific
Reply: P.S. And also, I'm a little nervous about trying the steps given. I haven't had much luck with computers. Your friend(again) TheCaller

Response Number 16
Name: TheCaller24
Date: February 16, 2004 at 23:02:41 Pacific
Reply: Oops forgot to mention something. I also have been getting a number of viruses. I have removed them though. Also, don't know if this will help, but I will give you some information on my computer.

Microsoft Windows 98 4.10.1998
Upgrade using Full OEM CD /T:C:\WININST0.400 /SrcDir=D:\WIN98 /IZ /IS /IQ /IT /II /NR /II /C /U:xxxxxxxxxxxxxxxxx
IE 5 6.0.2800.1106
Uptime: 0:12:16:37
Normal mode
On "LAMB" as "Louis Billera"
GenuineIntel Pentium(r) II Processor Intel MMX(TM) Technology
288MB RAM
58% system resources free
Windows-managed swap file on drive C (1120MB free)
Available space on drive C: 1120MB of 2043MB (FAT32)

I also use MSN with Verizon. Not sure if this will help though.

Response Number 18
Name: cenacle13
Date: February 17, 2004 at 11:48:01 Pacific
Reply: Apparently everyone has had to do something different to get rid of find4u. This is what I did. Using the hijackthis! program, I deleted the following files:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm
Olehelp.exe

These are the files listed by some of the other users, and all should appear when using hijackthis! (even the olehelp file). Delete them. Fix your homepage. Delete those stupid bookmarks. Reboot. All should be well afterwards
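
Added example (not part of the post above, and not HijackThis code): a short Python triage of the R0/R1 and O4 Run lines of a HijackThis 1.97-style log, flagging the entries the replies in this thread single out. The watch-lists, regular expressions and function names are assumptions of this example; the sample lines are reproduced from the log in the original message.

```python
import re
from urllib.parse import urlparse
# Sample lines reproduced from the log posted in the original message.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uoguelph.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
"""

# Watch-lists built from what the replies flag (assumption: extend per case).
WATCH_HOSTS = {"find4u.net"}
WATCH_IMAGES = {"olehelp.exe"}

# R0-R3: "<code> - <registry key>,<value name> = <URL>"; O4: "<hive>\..\Run: [label] command"
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+\\[^,]+),(.+?) = (\S*)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")

def image_name(command):
    """Return the lower-cased file name of the program a Run entry starts."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path, may contain spaces
        path = command[1:].split('"', 1)[0]
    else:                                            # unquoted: cut at the first executable extension
        m = re.match(r"(.+?\.(?:exe|com|bat|scr))(?:\s|$)", command, re.I)
        path = m.group(1) if m else command.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(log_text):
    """Return (section, location, value, reason) for each watch-listed entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := R_LINE.match(line)):
            section, key, name, url = m.groups()
            host = (urlparse(url).hostname or "").lower()
            if any(host == h or host.endswith("." + h) for h in WATCH_HOSTS):
                findings.append((section, f"{key},{name}", url, f"host {host}"))
        elif (m := O4_LINE.match(line)):
            hive, run_key, label, command = m.groups()
            image = image_name(command)
            if image in WATCH_IMAGES:
                findings.append(("O4", f"{hive}\\..\\{run_key}: [{label}]", command, f"image {image}"))
    return findings

if __name__ == "__main__": print(*triage(SAMPLE_LOG), sep="\n")
```

The Start Page entry pointing at www.uoguelph.ca and the SoundMan and MSMSGS Run entries are parsed but not reported, because nothing in the watch-lists matches them.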

Response Number 19
Name: TheCaller24
Date: February 17, 2004 at 17:05:54 Pacific
Reply: Where can I download hijackthis? I tried merijn.org, but I can't get to the site. I also tried download.com, but it wouldn't work. Help!

Response Number 20
Name: gno
Date: February 20, 2004 at 21:50:04 Pacific
Reply: I'm having trouble with a number of spyware programs. I get a dialog box for IESearchBar every now and then with the options ABORT RETRY and IGNORE. No matter what I do, it doesn't go away. I've tried deleting it from the system registry a la another website's instructions but it continues to reappear after I restart. Now I'm also having trouble with a BLAZE search engine? How do I get rid of these things? I have SpyBot Search and Destroy and it finds a lot of adware but apparently not all of it. What do you suggest for deleting all of this Spyware and KEEPING IT AWAY? THANK YOU IN ADVANCE!
Geno