Remove Pop ups and home page
Original Message
Name: Basien
Date: November 10, 2003 at 16:26:04 Pacific
Subject: Remove Pop ups and home page
OS: Win XP
CPU/Ram: 2.4G / 1G
Comment: Hi, My start page of Internet Explorer always reverts back to: http://www.find4u.net/main.htm I used Ad-Aware and deleted all files/registry that were erroneous. I also did a search in the registry to remove everything that had "find4u". There are porn pop-ups that pop up as soon as I log on the internet. I need to get rid of this stuff! When I log off, there is a program called "Win Min" that is not responding. I'm pretty sure it has something to do with the start page. Can someone help me to remove this start page!!! Thanks to all! Here is my HijackThis log:
|
Response Number 1
Name: smithdk
Date: November 10, 2003 at 19:58:09 Pacific
Reply: Fix these lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find4u.net/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find4u.net/spm.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find4u.net/main.htm
R1 - HKCU\Software\Microsoft\Internet
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find4u.net/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find4u.net/spm.htm
O1 - Hosts: 216.200.3.32 thehun.net
O1 - Hosts: 216.200.3.32 www.thehun.net
O1 - Hosts: 216.200.3.32 thehun.com
O1 - Hosts: 216.200.3.32 www.thehun.com
O1 - Hosts: 216.200.3.32 worldsex.com
O1 - Hosts: 216.200.3.32 www.worldsex.com
O1 - Hosts: 216.200.3.32 sexocean.com
O1 - Hosts: 216.200.3.32 www.sexocean.com
O1 - Hosts: 216.200.3.32 easypic.com
O1 - Hosts: 216.200.3.32 www.easypic.com
O1 - Hosts: 216.200.3.32 free6.com
O1 - Hosts: 216.200.3.32 www.free6.com
O1 - Hosts: 216.200.3.32 al4a.com
O1 - Hosts: 216.200.3.32 www.al4a.com
O1 - Hosts: 216.200.3.32 thumbnailpost.com
O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
O1 - Hosts: 216.200.3.32 drbizzaro.com
O1 - Hosts: 216.200.3.32 www.drbizzaro.com
O1 - Hosts: 216.200.3.32 hoes.com
O1 - Hosts: 216.200.3.32 www.hoes.com
O1 - Hosts: 216.200.3.32 absolut-series.com
O1 - Hosts: 216.200.3.32 www.absolut-series.com
O1 - Hosts: 216.200.3.32 elephantlist.com
O1 - Hosts: 216.200.3.32 www.elephantlist.com
O1 - Hosts: 216.200.3.32 ah-me.com
O1 - Hosts: 216.200.3.32 www.ah-me.com
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\rgendron.ONFB-1304\Application Data\winlink\winlink.dll
O4 - Global Startup: MSupdate.exe

Verify that this is correct for your proxy:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

This may or may not be bad:
O4 - Global Startup: winlogon.exe
If this winlogon is located in your system32 directory then it is ok.
|
Response Number 2
Name: fix4u
Date: November 14, 2003 at 07:29:54 Pacific
Reply: Hi, I had the exact problem and tried fixing the lines suggested here. But every time I restarted my PC, the fixed host file would get corrupted again. Same thing happened with CWShredder. So, I realized that the winlogon.exe HijackThis found suspicious was not under system 32, but under Start Menu/Programs/StartUp. Its size was different from the correct one under system32. Also, when I searched all files containing the phrase "find4u" it returned the corrupt winlogon.exe (under StartUp). So, because the correct winlogon.exe is a critical process for Windows, the OS won't let you delete or kill the corrupt one either. So, I renamed the corrupt winlogon.exe, restarted my machine and successfully killed that process, and then deleted it!!! I also fixed my homepage from Internet Options. At shut down the Win Min error was gone!!!! Moreover, at start up find4u was gone forever!!!!
|
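The location check that smithdk and fix4u describe above (a winlogon.exe that is not in system32), together with the hosts-file redirects that the "O1 - Hosts" lines report, written out as an added Python example that is not part of the original thread. The sample log is constructed in the HijackThis v1.97 line format; the list of system binary names, the C:\Windows system root and all function names are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Assumption: illustrative list of core Windows binaries that belong only in
# System32; a real inventory would be longer.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "services.exe",
                   "lsass.exe", "smss.exe", "spoolsv.exe"}
# Assumption: default system root; adjust if Windows is installed elsewhere.
SYSTEM_DIR = r"c:\windows\system32"

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")  # e.g. "O1 - Hosts: ..."

# Constructed sample in the HijackThis v1.97 line format (not a real log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\WINDOWS\SVCHOST.EXE
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example/main.htm
O1 - Hosts: 203.0.113.10 portal.example
O1 - Hosts: 203.0.113.10 www.portal.example
O1 - Hosts: 203.0.113.10 search.example.org
O1 - Hosts: 127.0.0.1 localhost
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogon.exe
"""


def parse_log(text):
    """Split a log into running-process paths, hosts entries and Startup items."""
    processes, hosts, startup = [], [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY.match(line)
        if match:
            in_processes = False  # the first coded entry ends the process list
            code, body = match.groups()
            if code == "O1" and body.startswith("Hosts:"):
                parts = body[len("Hosts:"):].split()
                if len(parts) >= 2:
                    hosts.append((parts[0], parts[1].lower()))
            elif code == "O4" and "Startup:" in body:
                # "Global Startup: name" or "Global Startup: name.lnk = target"
                item = body.split("Startup:", 1)[1].split(" = ", 1)[0].strip()
                startup.append(item)
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "hosts": hosts, "startup": startup}


def misplaced_system_binaries(paths):
    """Processes named like a system binary but running from outside System32."""
    flagged = []
    for path in paths:
        norm = ntpath.normpath(path).lower()
        if (ntpath.basename(norm) in SYSTEM_BINARIES
                and ntpath.dirname(norm) != SYSTEM_DIR):
            flagged.append(path)
    return flagged


def startup_system_names(items):
    """Startup-folder items that carry a system binary's name."""
    return [item for item in items if item.lower() in SYSTEM_BINARIES]


def shared_redirect_targets(hosts, min_sites=2):
    """IPs to which the hosts file maps several unrelated site names."""
    by_ip = defaultdict(set)
    for ip, name in hosts:
        if ip.startswith("127.") or ip in ("0.0.0.0", "::1"):
            continue  # loopback and null routes are not redirects
        # Simplification: treat "www.x" and "x" as the same site.
        by_ip[ip].add(name[4:] if name.startswith("www.") else name)
    return {ip: sorted(sites) for ip, sites in by_ip.items()
            if len(sites) >= min_sites}


def triage(text):
    log = parse_log(text)
    return {
        "misplaced_system_binaries": misplaced_system_binaries(log["processes"]),
        "startup_system_names": startup_system_names(log["startup"]),
        "shared_redirect_targets": shared_redirect_targets(log["hosts"]),
    }


if __name__ == "__main__":
    for finding, values in triage(SAMPLE_LOG).items():
        print(finding, values)
```

A hit is a lead for manual review: as in the thread, compare the flagged file's location and size with the copy in system32 before touching it.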
Response Number 4
Name: AVish
Date: December 2, 2003 at 22:08:10 Pacific
Reply: Here is my hijackthis file log. I cannot start my home page msn.com, I keep getting find4u. Please help.
|
Response Number 5
Name: Murali Gadde
Date: December 5, 2003 at 13:20:21 Pacific
Reply: Hi, I am having same net4u home page problem. Here is the log
|
Response Number 6
Name: Bruce D. Kaufman
Date: December 6, 2003 at 13:21:37 Pacific
Reply: I had the same problem and quickly solved it with: Spybot S&D You can find it at: http://spybot.safer-networking.de/index.php?lang=en&page=start Make sure that after you install it that you run the updater so that you'll have all the definitions. The program is intuitive. Good luck!
|
Response Number 7
Name: mykepredko
Date: December 9, 2003 at 22:47:57 Pacific
Reply: I just got hit with the find4u bug and the information above is correct, but a little confusing to work through. Here are the steps that I used:
1. Do a search on "winlogon.exe". You should find two copies, one in your start menu and the other in program files. The start menu one was 23k while the one in program files was 505k. It is the 23k one that is causing the problems.
2. Start up your MS-DOS Prompt ("cmd" from "Run") and "cd" (change directory to the directory the start menu directory pointed to by search) and then "ren winlogon.exe garbage.garbage". This is important because you have to change the file type from .exe to something THAT CANNOT EXECUTE.
3. Power Down and Power Up your PC. As you power down you will still get the win min.exe error ("End Program" and continue). When you power back up, you will get a message saying the system can't execute or open "garbage.garbage". It will ask you if you would like to choose a program to open it up, just "cancel".
4. Execute "regedit" from "Run" and look for (Ctrl-F) all instances of "find4u" and delete the entries.
5. Start up Explorer, you will still get the find4u on start up, but you can now change it to your normal start up window. You might also want to check your "Favorites", chances are a few surprises have been added there.
6. That's it, now when you power up and down, you should be fine.
myke
|
Response Number 8
Name: mykepredko
Date: December 10, 2003 at 07:25:06 Pacific
Reply: Let's try this again, in the previous post I forgot to mention that you should delete "garbage.garbage". I've updated the list below to include this. Here are the steps that I used:
1. Do a search on "winlogon.exe". You should find two copies, one in your start menu and the other in program files. The start menu one was 23k while the one in program files was 505k. It is the 23k one that is causing the problems.
2. Start up your MS-DOS Prompt ("cmd" from "Run") and "cd" (change directory to the directory the start menu directory pointed to by search) and then "ren winlogon.exe garbage.garbage". This is important because you have to change the file type from .exe to something THAT CANNOT EXECUTE.
3. Power Down and Power Up your PC. As you power down you will still get the win min.exe error ("End Program" and continue). When you power back up, you will get a message saying the system can't execute or open "garbage.garbage". It will ask you if you would like to choose a program to open it up, just "cancel".
4. Using "search", find "garbage.garbage" and delete it. Once you have deleted this, you will no longer get the start up error message noted in the previous step.
5. Execute "regedit" from "Run" and look for (Ctrl-F) all instances of "find4u" and delete the entries.
6. Start up Explorer, you will still get the find4u on start up, but you can now change it to your normal start up window. You might also want to check your "Favorites", chances are a few surprises have been added there.
7. That's it, now when you power up and down, you should be fine.
myke
|
Response Number 9
Name: lawguy
Date: December 11, 2003 at 06:10:39 Pacific
Reply: Myke, you da man! (kudos also to fix4u) Your fix worked like a charm. I have Spy Bot, Spy Guard, Adaware, Pop Up Stopper, and HijackThis, not to mention Norton Anti-Virus and my WiFi firewall. None of this stuff worked to either stop this find4u piece of dung or to remove it. Thank you Myke and fix4u! My question to all you tech types is simple: Why can't an application be developed that simply alerts you to when someone is trying to make a change to your Start Menu or some other critical area of your software? And why aren't we doing something legally about this adware/spyware crap, which are just viruses as far as I am concerned? Can you identify the source of this junk? If you can, I'll sue them (think class action). OK, I'm done. Tom
|
Response Number 10
Name: cardfam
Date: December 19, 2003 at 13:54:49 Pacific
Reply: I encountered the find4u bug while registering my new website through various Internet search engines. I want to commend Myke for posting excellent advice. I followed his instructions in Response Number 8 and got rid of the bug. Thanks so much, Myke!
|
Response Number 11
Name: vascopeixoto
Date: December 30, 2003 at 16:12:54 Pacific
Reply: Hello, I have the same problem but I can't rename the file. It appears "cannot rename winlogon: it is being used by another person or program. Close any programs that might be using the file and try again". It's all closed. Can anybody help me?