find4u hijacks IE home page

Discussion in 'adware, spyware & hijack cleaning' started by DM, Feb 26, 2004.

Thread Status:
Not open for further replies.
  1. DM

    DM Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    3
    Hi,

    I am having a problem with find4u replacing my home page in Interent Explorer.

    I ran SpyBot which solved the problem initially, but it all comes back after I log out and log back in again.

    Below is the hijackthis log taken after logging back in (ie with the problem).

    Can you please help - thanks.


    ----------------------- hijackthis log ---------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 09:23:43, on 2/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\Explorer.EXE
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    D:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    D:\Program Files\QuickTime\qttask.exe
    D:\Program Files\Canon\MultiPASS\monitr32.exe
    D:\Program Files\Canon\MultiPASS\MPTBox.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\WINNT\system32\FxRedir.EXE
    D:\DownLoad\Hijackthis 1.97.7\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [InstantAccess] D:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] D:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "D:\Program Files\Canon\MultiPASS\monitr32.exe" I
    O4 - HKLM\..\Run: [MPTBox] "D:\Program Files\Canon\MultiPASS\MPTBox.exe"
    O4 - HKLM\..\RunServices: [RegisterDropHandler] D:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = D:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    O4 - Global Startup: winlogon.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

    --------------------------- end of log ------------------------------------
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm

    O4 - Global Startup: winlogon.exe


    Reboot after fixing.
     
  3. DM

    DM Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    3
    Are you serious about winlogon.exe as this is a critical process and always seems to be in use, so cannot be fixed in hijackthis and and cannot be terminated in Task Manager ?!?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi DM,

    Yes, he is sure. This C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    is not a real Windows file.

    Follow dave38's advise, reboot into safe mode and delete the winlogon file in the startup folder.

    Regards,

    Pieter
     
  5. DM

    DM Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    3
    Hi Pieter, I've already done what you suggested and everything seems fine now. So thanks for your help guys. DM
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.