Every time I do a new IE search, Find4U pops up and I can't get rid of it! I have run spybot, adaware, and hijackthis and removed programs, but it still pops up! It completely disabled my google toolbar and I removed it, but every time I search with google on IE, it still comes up. Here is my hijackthis run:
Logfile of HijackThis v1.97.7
Scan saved at 10:43:37 PM, on 12/2/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.exe
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\CONNECTIONMANAGER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.exe
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 66.250.130.133 google.com
O1 - Hosts: 66.250.130.133 www.google.com
O1 - Hosts: 66.250.130.133 google.de
O1 - Hosts: 66.250.130.133 www.google.de
O1 - Hosts: 66.250.130.133 google.co.uk
O1 - Hosts: 66.250.130.133 www.google.co.uk
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe -Show
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/sbcy/yinst.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37912.8040856481
Thanks!

have ht fix these:
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 66.250.130.133 google.com
O1 - Hosts: 66.250.130.133 www.google.com
O1 - Hosts: 66.250.130.133 google.de
O1 - Hosts: 66.250.130.133 www.google.de
O1 - Hosts: 66.250.130.133 google.co.uk
O1 - Hosts: 66.250.130.133 www.google.co.uk
(when i put the ip numbers in my ie Find4U! popped up)
and check your hosts file in c:\windows

Thanks WWW-
I read more of the posts and used HijackThis to 'fix' all the 01-google roots and this fixed the problem.
The thing is, Find4U is undetectable using: msconfig, adaware, spybot, add/remove, and the C:\drive search function of my computer.
Spyware sux!
peace- yall

thank you both and thank heaven for hijackthis...the fix worked! that Find4U was so damn annoying.... why do companies or persons think this kind of crap works.. do people actually use these popups?!

Hey I fixed the stupid Find4U.com bug. All I did was rename it because it wouldn't let me delete it manually. After I renamed it I waited a day (after several restarts) then ended the process (In Ctrl,alt,delete window) called winlogon then deleted the file "winlogon" under the startup tab in programs. Make sure you see "winlogon" in the process tab and try to end the process if it says that it is a critical system process then that's it!! The process should also be under your "windows username!" The only critical system process that you are not allowed to end is the processes with the username "system" meaning that the computer is running it and not you or your username. I hope this helps some people cuz I know it is very annoying!!

Thank you for the info I was very close to reformatting. I renamed the little ba$$tered and was able to kill it will hijacker. I think the a$$ holes that make these should be shot.

Ok Ok... I've read and tried these... but the problem thickens. I'm trying to delete the horrible thing from my in-laws' computer. They use MSN Explorer. To fix the www.google.com part, I just downloaded the GOOGLE search engine tool bar-- it blocks pop-ups, including the Find4u! So... if you're just looking to get rid of it for Internet Explorer, just get the google tool bar. However...
I'm stuck because while internet explorer works... MSN Explorer still goes to find4u.net... ARGH! There are no "find4u" files or "winlogin" or anything the like on the computer. We've run many spyware/adaware programs... not much luck. ANY SUGGESTIONS?
Please Help!

Scott, you need to start a new thread instead of adding to an old one. Go ahead and download and run HijackThis!. Then start a new thread here, describe your problem and say that you already tried the other things. Copy and paste the entire contents of the log into your post. Someone will check it and tell you what to delete.

Glad to hear that renaming the file did work for other people. The file "winlogon" IS an actual Windows program, but the Find4U bug names it this or possibly other Windows system processes so it won't let you end their bug under the (ctrl,alt,delete mode) so that's why renaming it lets you end the process and then delete it from the windows "startup" folder.
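
An added example (not part of any post in this thread, and not HijackThis's own code) that reviews a HijackThis log for the two things the replies above point at: O1 hosts-file entries that redirect search domains, and O4 startup items that reuse a Windows system process name outside system32. The function names, the `SYSTEM_NAMES` list and the system32 rule are assumptions; the sample lines are assembled from the logs quoted on this page.

```python
import ntpath
import re
from ipaddress import ip_address

# Assumption: core NT process names whose real image lives in ...\system32.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "services.exe",
                "lsass.exe", "smss.exe", "csrss.exe"}

# Sample assembled from entries quoted in the logs on this page.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 66.250.130.133 google.com
O1 - Hosts: 66.250.130.133 www.google.com
O1 - Hosts: 1089288654 auto.search.msn.com
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKCU\..\Run: [winlogon] c:\winnt\winlogon.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.exe
O4 - Global Startup: winlogon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - ([^:]+):\s+(.*)$")
EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)


def normalize_address(addr):
    """Return dotted-quad form; a hosts entry may hold the IP as one decimal integer."""
    return str(ip_address(int(addr))) if addr.isdigit() else addr


def startup_target(rest):
    """Extract the executable path from the text after 'O4 - <location>: '."""
    if rest.startswith("["):       # Run key entry: [value name] command line
        rest = rest.partition("]")[2]
    elif " = " in rest:            # Startup shortcut: name.lnk = target
        rest = rest.split(" = ", 1)[1]
    match = EXE_RE.search(rest.strip())
    return match.group(1).strip() if match else None


def masquerades(path):
    """True when a core system process name is used outside a system32 directory."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    return name in SYSTEM_NAMES and not folder.endswith("\\system32")


def review(log_text):
    """Return (section, where, what) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        match = O1_RE.match(line)
        if match:
            # HijackThis lists only non-default hosts entries; skip plain localhost.
            if match.group(2).lower() != "localhost":
                findings.append(("O1", match.group(2),
                                 normalize_address(match.group(1))))
            continue
        match = O4_RE.match(line)
        if match:
            target = startup_target(match.group(2))
            if target and masquerades(target):
                findings.append(("O4", match.group(1), target))
    return findings


if __name__ == "__main__":
    for section, where, what in review(SAMPLE_LOG):
        print(f"{section}: {where} -> {what}")
```

A flagged O4 entry is a prompt to check the file on disk, not a verdict; the genuine `winlogon.exe` is the one under system32 and does not start from a Run key or the Startup folder.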

First delete all added unwanted favorites, even www2.google.com, history and internet files in windows explorer. Open control panel, internet options, click "use blank", delete files and history while there. Go into "regedit", under current user open software, open microsoft, highlight internet explorer and delete any unwanted lines, open the internet explorer, highlight "main", delete all unwanted lines, highlight search and do the same, highlight "searchUrl" and do the same. Back out and open local machine, and repeat as was done in current user, back out and exit. Open find files or folders, type in hosts, look in c drive, click find, there may be a few hosts files with older dates, delete the newest dated hosts file. Go to settings, taskbar & start menu and clear documents. If you have a system information that will restore internet explorer, do so, when asked, you must restart, click yes. When your system reboots you should be rid of "find4u". I don't use any software popup blockers, firewalls etc., I like to get rid of junk the old way, manually. The only advantage I use is "screen shot" to print out the internet explorer in the regedit "current user" and "local machine" so I don't delete out wanted lines, after doing it a few times I don't think it's a biggie. NOW, searching the net and you click on the wrong site, find4u and others will attach itself again, have no fear, just repeat the clean up and you're back cruising without being redirected.

hey WWW can you help me with this?
Logfile of HijackThis v1.97.7
Scan saved at 6:50:11 PM, on 1/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\S3hotkey.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ICQ\Icq.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\DOCUME~1\CHANLI~1\LOCALS~1\Temp\Rar$EX00.238\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.184.54/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.184.54/find4u/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=35
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=35
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/s.php?aid=35
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/s.php?aid=35
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.184.54/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://69.50.184.54/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/h.php?aid=35
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
O1 - Hosts: 1089288654 auto.search.msn.com
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zzzCamInSuiteIII] D:\SETUP.exe 246***
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.exe"
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\Icq.exe -trayboot
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMENU.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
THANKS!!!!

Can someone help have no idea how to remove this stupid find4u thing and it is driving me crazy!!!!!!!!!!!
Logfile of HijackThis v1.97.7
Scan saved at 11:16:20 PM, on 5/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\olehelp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[2].zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.find-online.net/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/spa.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/indexa.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/indexa.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/spa.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/indexa.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09459E17-B865-4427-97AB-80F403C953F9}: NameServer = 203.2.75.132 198.142.0.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{09459E17-B865-4427-97AB-80F403C953F9}: NameServer = 203.2.75.132 198.142.0.51

I have a question for the writer of "Response Number 11"--I have tried to get rid of this incredibly annoying crap with adaware, spybot seek and destroy, spyware blaster and hijackthis and to no avail. I would like to delete it the old-fashioned way using the regedit, but I know that if the wrong thing is deleted in the registry it can really screw things up and I really don't know what is an "unwanted line" in there.

Had the same problem til today. Was hijacked by find4U search engine about a week ago. Read all the fixes but they only confused me. I have windows XP home, took a chance and restored to a date about 2 weeks ago. Voila, the hijacker is gone. Operation took about 5 minutes, no need to go into registry. Of course other OS may be different.

Please help! Computer illiterate stung by Find4U! Here's my HT log
Logfile of HijackThis v1.97.7
Scan saved at 11:53:42 AM, on 1/10/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.exe
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\MSREXE.exe
C:\PROGRAM FILES\IPOD\BIN\IPODMANAGER.exe
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.exe
C:\WINDOWS\SVCHOST.exe
C:\PROGRAM FILES\IPOD\BIN\IPODSERVICE.exe
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.exe
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.184.51/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find4u.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgin.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgin.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find4u.net/sp.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2264889c46f0e2038117/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37985.3000694444

Hi! I'm having problem with that find4u.net thing but I don't know what to do?? I ran a scan with HijackThis. PLIZ HELP ME; I'M GOING CRAZY!!! My log looks like this:
Logfile of HijackThis v1.97.7
Scan saved at 18:24:11, on 22.01.2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Norton Internet Security\NISUM.exe
C:\Programfiler\Norton Internet Security\ccPxySvc.exe
C:\WINNT\System32\svchost.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINNT\loadqm.exe
C:\Programfiler\Fellesfiler\CMEII\CMESys.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\Programfiler\Messenger Plus! 2\MsgPlus.exe
C:\Programfiler\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINNT\System32\olehelp.exe
C:\Programfiler\Fellesfiler\GMT\GMT.exe
C:\Programfiler\Internet Explorer\IEXPLORE.exe
C:\My Download Files\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINNT\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINNT\search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINNT\search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\search.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINNT\System32\DReplace.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programfiler\Fellesfiler\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CMESys] "C:\Programfiler\Fellesfiler\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Programfiler\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioEngine] RXFMON.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Programfiler\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKCU\..\Run: [LDM] C:\Programfiler\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [winlogon] c:\winnt\winlogon.exe
O4 - HKCU\..\Run: [olehelp] C:\WINNT\System32\olehelp.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37994.2498726852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O19 - User stylesheet: c:\winnt\my.css


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.