find4u hijacks IE home page

Discussion in 'adware, spyware & hijack cleaning' started by DM, Feb 26, 2004.

Thread Status:
Not open for further replies.
  1. DM

    DM Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    3
    Hi,

    I am having a problem with find4u replacing my home page in Internet Explorer.

    I ran SpyBot which solved the problem initially, but it all comes back after I log out and log back in again.

    Below is the hijackthis log taken after logging back in (ie with the problem).

    Can you please help - thanks.


    ----------------------- hijackthis log ---------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 09:23:43, on 2/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\Explorer.EXE
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    D:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    D:\Program Files\QuickTime\qttask.exe
    D:\Program Files\Canon\MultiPASS\monitr32.exe
    D:\Program Files\Canon\MultiPASS\MPTBox.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\WINNT\system32\FxRedir.EXE
    D:\DownLoad\Hijackthis 1.97.7\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [InstantAccess] D:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] D:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "D:\Program Files\Canon\MultiPASS\monitr32.exe" I
    O4 - HKLM\..\Run: [MPTBox] "D:\Program Files\Canon\MultiPASS\MPTBox.exe"
    O4 - HKLM\..\RunServices: [RegisterDropHandler] D:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = D:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    O4 - Global Startup: winlogon.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

    --------------------------- end of log ------------------------------------
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm

    O4 - Global Startup: winlogon.exe


    Reboot after fixing.
     
  3. DM

    DM Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    3
    Are you serious about winlogon.exe, as this is a critical process and always seems to be in use, so it cannot be fixed in HijackThis and cannot be terminated in Task Manager?!?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi DM,

    Yes, he is sure. This C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    is not a real Windows file.

    Follow dave38's advice, reboot into safe mode and delete the winlogon file in the startup folder.

    Regards,

    Pieter
     
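As an added example (not from the thread, and not part of HijackThis itself), the script below applies, over a HijackThis log, the two checks that dave38 and Pieter make by hand above: an R0/R1 home-page, search-page or SearchAssistant URL that points at a host outside an allowlist, and a core Windows binary name such as winlogon.exe that is running from, or is started from, somewhere other than the system root. It generalizes the winlogon.exe case to a short list of other core names (csrss, lsass, services, smss, svchost, explorer). The sample log is a constructed subset of DM's log; the core-binary list, the system directories (C:\WINNT, the Windows 2000 system root shown in the log) and the allowlist of acceptable home-page hosts are assumptions for this example and would be adjusted per machine.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.97.7 log lines quoted in the
# thread (Windows 2000, system root C:\WINNT), including the fake winlogon.exe in
# the All Users Startup folder and the find4u.net R0/R1 entries.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\WINNT\system32\internat.exe
D:\DownLoad\Hijackthis 1.97.7\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: winlogon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
"""

# Assumptions for this example: names of core Windows binaries that malware
# commonly borrows, and the directories where the genuine copies live on the
# Windows 2000 box in the log. The same name anywhere else is suspect.
CORE_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                 "smss.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\winnt", r"c:\winnt\system32"}

# Assumed allowlist of hosts the reviewer accepts as IE home/search pages.
ALLOWED_HOSTS = {"www.msn.com", "search.msn.com", "www.microsoft.com"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+")
EXE_RE = re.compile(r"[\w~.-]+\.exe", re.I)


def parse_log(text):
    """Split a HijackThis log into the running-process paths and the lettered entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def masquerading_processes(processes):
    """Core-binary names executing from outside the system directories."""
    hits = []
    for path in processes:
        p = PureWindowsPath(path)
        if p.name.lower() in CORE_BINARIES and str(p.parent).lower() not in SYSTEM_DIRS:
            hits.append(path)
    return hits


def hijacked_urls(entries):
    """R0/R1 home, search and SearchAssistant URLs whose host is not allowlisted."""
    hits = []
    for code, rest in entries:
        m = URL_RE.search(rest) if code.startswith("R") else None
        if m and urlparse(m.group(0)).hostname not in ALLOWED_HOSTS:
            hits.append((code, rest))
    return hits


def suspicious_startup(entries):
    """O4 startup items that launch a core-binary name from outside the system root."""
    hits = []
    for code, rest in entries:
        if code != "O4":
            continue
        names = {n.lower() for n in EXE_RE.findall(rest)}
        from_system_dir = any(d in rest.lower() for d in SYSTEM_DIRS)
        if names & CORE_BINARIES and not from_system_dir:
            hits.append((code, rest))
    return hits


def triage(text):
    """Run all three checks and return the findings keyed by check name."""
    processes, entries = parse_log(text)
    return {
        "masquerading_processes": masquerading_processes(processes),
        "hijacked_urls": hijacked_urls(entries),
        "suspicious_startup": suspicious_startup(entries),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(f"== {check} ==")
        for f in findings:
            print("  ", f)
```

On DM's log this reports the single winlogon.exe running from the All Users Startup folder, the three find4u.net R0/R1 lines, and the "O4 - Global Startup: winlogon.exe" item, while leaving C:\WINNT\Explorer.EXE and the vendor Run entries alone. It reproduces the reasoning in the replies, not their authority: a real HijackThis review also weighs the O2/O3 entries and anything unfamiliar, which this script does not attempt.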
  5. DM

    DM Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    3
    Hi Pieter, I've already done what you suggested and everything seems fine now. So thanks for your help guys. DM
     