Removing Find4U home page
|
Original Message
|
Name: gmuralik
Date: December 5, 2003 at 13:47:14 Pacific
Subject: Removing Find4U home page
OS: win 2000
CPU/Ram: Intel 4
|
Comment: Hi, I tried CWShredder and hijackthis. My win min is unable to close. Here is the hijackthis log. Please help me.

Logfile of HijackThis v1.97.7
Scan saved at 4:52:42 PM, on 12/5/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\WINDOWS\loadqm.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\WINDOWS\SVCHOST.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\download\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nyPROXY1:80
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
N2 - Netscape 6: # Mozilla User Preferences // This is a generated file!
user_pref("browser.download.dir", "C:\\Program Files\\Netscape\\Netscape 6");
user_pref("browser.history.last_page_visited", "http://www.yahoo.com/");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4.1");
user_pref("general.open_location.last_url", "http://www.yahoo.com/");
user_pref("intl.charsetmenu.browser.cache", "windows-1252");
user_pref("prefs.converted-to-utf8", true);
user_pref("signon.SignonFileName", "19788228.s");
user_pref("timebomb.first_launch_time", "1019788266661000");
user_pref("wallet.SchemaValueFileName", "19788722.w");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\murali\Application Data\Mozilla\Profiles\default\smq1zxqu.slt\prefs.js)
N2 - Netscape 6: # Mozilla User Preferences // This is a generated file!
user_pref("browser.download.dir", "C:\\Program Files\\Netscape\\Netscape 6");
user_pref("browser.history.last_page_visited", "http://www.yahoo.com/");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4.1");
user_pref("general.open_location.last_url", "http://www.yahoo.com/");
user_pref("intl.charsetmenu.browser.cache", "windows-1252");
user_pref("prefs.converted-to-utf8", true);
user_pref("signon.SignonFileName", "19788228.s");
user_pref("timebomb.first_launch_time", "1019788266661000");
user_pref("wallet.SchemaValueFileName", "19788722.w");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\murali\Application Data\Mozilla\Profiles\default\smq1zxqu.slt\prefs.js)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
|
|
Response Number 1
|
Name: blender
Date: December 5, 2003 at 15:55:22 Pacific
|
Reply: Hi, I have never seen anything like that....Tom41 likely has..I also see you have no antivirus. Looks like you have some sort of virus...just don't know what.. Try an online scan here: http://www.ravantivirus.com/scan/ or here: http://housecall.trendmicro.com/housecall/start_corp.asp
|
|
Response Number 2
|
Name: suzi
Date: December 5, 2003 at 20:06:17 Pacific
|
Reply: Yes, there's a lot of stuff I don't recognize at all in that log. Tom41 should have a handle on it.
|
|
Response Number 3
|
Name: unclelen
Date: December 5, 2003 at 23:22:33 Pacific
|
Reply: Just wanted to say thank you for your assistance as well and thank heaven for hijackthis! That Find4U was so damn annoying.
|
|
Response Number 4
|
Name: iceblue
Date: December 6, 2003 at 14:41:25 Pacific
|
Reply: After a quick glance, that's an impressive looking log; but it is not fixed yet. C:\WINDOWS\SVCHOST.EXE needs to be cleaned up.

Close all browser windows and have HijackThis fix this item:
O4 - HKCU\..\Run: [svchost]

Reboot into safe mode and delete the file C:\WINDOWS\SVCHOST.EXE

Reboot and rescan with Hjt; and repost the log.

*The legit file is C:\WINDOWS\system32\svchost.exe and there are often 2,3,4 or 5 or more instances of this service running at the same time.
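
The check iceblue describes above (a core Windows process name appearing outside system32), as an added example that is not part of the original thread. SAMPLE_LOG is an excerpt of the log from the original message; the SYSTEM32_ONLY name list and the find_impostors helper are assumptions made for illustration.

```python
import ntpath
import re

# Core Windows processes that legitimately live only in <windir>\system32.
# Illustrative list (an assumption, not from the thread). explorer.exe is
# left out on purpose: its normal home is C:\WINDOWS itself.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Absolute path ending in .exe; handles quoted paths and trailing arguments.
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"=]*?\.exe', re.IGNORECASE)

# Excerpt of the HijackThis log from the original message, one entry per line.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SVCHOST.EXE
C:\download\HijackThis.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""


def find_impostors(log_text, system_dir=r"C:\WINDOWS\system32"):
    """Return (line_no, line) for entries naming a core binary outside system_dir."""
    expected = ntpath.normcase(system_dir)
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for path in EXE_PATH.findall(line):
            folder, name = ntpath.split(path)
            # Same file name as a system process, but a different folder.
            if name.lower() in SYSTEM32_ONLY and ntpath.normcase(folder) != expected:
                hits.append((line_no, line.strip()))
                break  # one report per log line is enough
    # Bare names such as "loadqm.exe" carry no folder and are not judged here.
    return hits


if __name__ == "__main__":
    for line_no, line in find_impostors(SAMPLE_LOG):
        print(f"line {line_no}: {line}")
```

The comparison is case-insensitive, so the `System32` and `system32` spellings in the log are treated as the same folder; pass `system_dir` explicitly on installs whose Windows directory differs.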
|
|
Response Number 5
|
Name: greg
Date: December 10, 2003 at 15:57:11 Pacific
|
Reply: I have the same problem with find4u hijacking my google home page on Windows XP. Any more suggestions on correcting this? I have run spybot and avg antivirus software without success. I am reluctant to start changing the host files, but is that the solution? Does anyone have a program to fix this? Symantec? Thanks. Thank you
|
|
Response Number 6
|
Name: iceblue
Date: December 10, 2003 at 21:51:51 Pacific
|
Reply: Greg, better start your own new post, otherwise it gets too confusing. The advice given here in this post will not be applicable to you.
|
|
Response Number 7
|
Name: Joe Dawson
Date: December 16, 2003 at 10:49:30 Pacific
|
Reply: I had the exact same problem and I followed iceblue's instructions and the insidious beast has finally been slain. I ran Hijack This and removed all lines with the Find4U url in it and a couple more that the info button said are useless. I then rebooted into safe mode, removed c:\windows\svchost.exe. Now it is all good. I thought I was going to have to do a clean install of windows. This was much easier. Thank you iceblue.
|
|
Response Number 9
|
Name: Uncle D
Date: January 19, 2004 at 17:07:16 Pacific
|
Reply: Hi, Every time I open Internet Explorer Find4U is my homepage & I have 6 spyware addresses listed under my Favorites. I continuously change my homepage & delete the spyware addresses, but it doesn't fix the problem. I ran hijackthis & applied Fix to all entries with Find4U, but that hasn't solved the problem either. Below is my hijackthis log. Any advice you could provide to help me take back my homepage & save my sanity, will be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 7:42:31 PM, on 1/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Donny Anderson\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.184.54/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.184.54/find4u/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.184.54/find4u/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.topsearcher.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topsearcher.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topsearcher.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.184.54/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://69.50.184.54/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.attbi.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R3 - URLSearchHook: ViewSource Class - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Donny Anderson\Application Data\winshow\winshow.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Donny Anderson\Application Data\winshow\winshow.dll
O2 - BHO: (no name) - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Donny Anderson\Application Data\winlink\winlink.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SystemSearch] REGEDIT.EXE -S c:\ie.reg
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: winlogon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06496b571be8515c0919/netzip/RdxIE601.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37897.2742476852
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab