Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Browser Hijack-find4u.net

Status
Not open for further replies.
solderjockey

solderjockey

Technical User
Jan 16, 2003
23
0
0
US
I've been commissioned by my sister-in-law to come and fix several virus and malware related problems on their small networked system. The first, her system, had the w32.galil-c virus, norton took care of that. The next, is a nasty browser hijack to a site find4u dot net. I've googled the heck out of this thing, and have only come up with like 2 sites that have anything useful on them, and that wasn't much, and it didn't help. I've run spybot search-n-destroy, adaware, cwshredder, and their pc-cillin antivirus over it, and it stays away as long as you don't restart the computer. As soon as you restart, it sets the start page back to find4u. They are all running windows xp, which probably hadn't been updated in over a year. I spent the better part of half an hour at windows update. If anyone has any experience with this particular piece of malware, I would greatly appreciate any insights on how to get rid of it.

TIA-
solderjockey
 
Sort by date Sort by votes
Crap! how could I have forgotten the SysRestore? Too obvious I guess. Thanks for the reminder, and I'll definitely try bcastner's suggestion. That's what i get for trying to be in a hurry and answer a million questions at the same time! Thanks guys, I'm heading over there tomorrow morning and I'll post again after that.

sj
 
Upvote 0 Downvote
Can anyone help us remove find4u? In addition to this pest, it appears to have added five folders to our favorites that reload every time as well. This is our log from HijackThis. Thanks for anything you can do! tandv

Logfile of HijackThis v1.97.7
Scan saved at 9:19:49 PM, on 12/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\frxhser.exe
C:\WINDOWS\system32\frxhapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\McAfee\QuickClean\PlgUni.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [MSKExe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\PlgUni.exe" /START
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MSupdater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: winlogon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2000i\AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD 2000i\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {EB533642-0AFC-4559-A494-8CFFA296ACAE} (Whale Attachment Wiper for IE4 and higher) - O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2000i\AcPreview.ocx
 
Upvote 0 Downvote
I, too, have been commissioned to help eradicate this plague upon a friend's computer. I have searched hi and low for a solution. I have come across many, but only once or twice have I seen anybody mention what I feel is the most important fix, delete the WINLOGON.EXE file from the startup folder in the start menu. This is the hook. You can scrub any and all references from the registry, but if you don't get rid of the hook, it will just come back next time you reboot. CAUTION: There are two files called winlogon.exe, one is good and one is bad. It's important to leave the good one intact. It's in the System32 folder. The bad one is in Start>Programs>Startup>winlogon.exe. There is a catch however, the bad one is locked in as a critical system file and XP won't let you delete it by click and delete(the prevailing theory is that the good version of the file, which IS a critical system file, has the same name and Windows is protecting it because of that). So, how do you kill it? The answer is as simple as DOS itself. You need to turn off system restore, and reboot into "safe mode w/command prompt". Once you are in 'DOS' mode go to C:\documents and settings\all users\start\programs\startup and delete this scourge of the internet. Once it is gone from the 'all users' startup, verify it doesn't exist in any other user's start folder. Then reboot into regular safe mode. NOW, go scrub the registry and look for any and all references to find4u.net and change them to whatever you feel is appropriate(I use since it pretty benign). Once the search and repair is complete, reboot back into regular Windows as an Admin. Check everybody's 'Favorites' folder and clean out all shortcuts you don't recognise. Empty out the recycle bin (this isn't needed, but it's good for the soul). Reboot. Verify eradication by logging onto the Internet. Your start page should be Google (or whatever you picked). If it goes back to find4u.net you (or maybe I) missed something. Try again. If all goes well, restart stsytem restore, reboot and make a fresh restore point. That should be it...
 
Upvote 0 Downvote
I read justbill1931s message and found the dodgy winlogon.exe file in the allusers ... startup directory. I created a \rubbish directory and moved it in there via Windows Explorer with no problems. My PC now appears to be my own again !
 
Upvote 0 Downvote
Have you tried AdAware and Spybot yet? They do a credible job of finding and removing nasties. (these are not for virii and worms)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
Windows CE 6.5 Browser that isnt IE
Replies
1
Views
65
xwb
xwb
sskkk
  • Locked
  • Question
Windows 10 browsers and games BSoDs
Replies
0
Views
33
sskkk
sskkk
Alt255
  • Locked
  • Question
Reaching localhost through browser
Replies
3
Views
38
vacunita
vacunita
geneg28
  • Locked
  • Question
When using an internet browser, when i scroll down the image stretches down
Replies
6
Views
53
sbcsu
sbcsu
xwb
  • Locked
  • Question
Browsers starting automatically 2
Replies
7
Views
46
strongm
strongm

Part and Inventory Search

Sponsor

Back
Top