|
Can't remove certain IE "favorites"
|
Clompjes
01/09/04
|
Help!
My IE mainpage has been converted to www.find4u.net and I have 5 new "favorites" bookmarks all dealing with "hidden cams." The problem that has me stumped is even when I remove them and change my homepage, they all come back when I turn my computer on. It must be happening at startup but I don't know how to fix it. Please help. Thanks
|
Mark
01/09/04
|
From what I read, this one is nasty, and needs work to eliminate. If you run XP or ME, you could be lucky if you "Restore" back to a day before you were Hijacked. Try it. If that doesn't help, you'll need to download "Hi Jack This!" (careful, don't delete anything with it yet) and find a forum where you can post your log for an expert to analyse. Someone else could step in and tell you where to go. But try the Restore first. Good luck.
|
Clompjes
01/09/04
|
Just my luck, I've got 2000pro. Thanks for the quick reply tho, I'm going to start looking for HijackThis now. I've seen a thing do that to my IE homepage before, but it had a link that converted it to MSN and then I could change it again. This one isn't so nice.
|
Mark
01/09/04
|
Here's where I found the info. Search on, you might find other sources... Best of luck.
http://www.computing.net/security/wwwboard/forum/7737.html
|
snowman
01/09/04
|
Appears to be a Coolweb variant. Use CW-Shredder to get rid of it. (free)
http://www.spywareinfo.com/~merijn/cwschronicles.html
or here:
http://www.merijn.org/downloads.html
Available as zip file or exe
|
Mark
01/09/04
|
After this one, I'm done!! Better explained here:
http://www.tek-tips.com/gviewthread.cfm/lev2/67/lev3/70/pid/779/qid/728835
|
Mark
01/09/04
|
Sorry Snowman, I was busy writing the last one...
|
snowman
01/09/04
|
No problem Mark! Good advice.
Just noticed that CW-Shredder seemed to remove it in some before and after Hijack this logs.
You're most definitely right that you need advice when using Hijack this.
|
Peter
01/09/04
|
I've noticed so many threads about problems people have with Spyware and Adware or some sort of toolbar Hijack. Just goes to show the flaw in IE is appalling. We have to stick to IE as well because some use CSS stylesheets which are specific to IE to be able to view all content. I mentioned this before for people to use a third-party browser which uses IE core. We wouldn't have to waste so much time downloading this and that to remove them. Prevention is better than cure.
|
Mark
01/09/04
|
Peter, if you don't stop it, I'll have to get myself one of those third-party browsers myself... more time spent on this box...
I've only started enjoying this forum a few days ago (as you may have noticed) and it's incredible to see the large amount of spyware related problems (toolbars, Hijackers, etc...) This is not only P2P related anymore. Scary stuff. Again, which browser(s) do you recommend?
|
Clompjes
01/09/04
|
Thanks so much for your quick replies and VERY helpful advice. I always thought spybot and adaware were all I needed. Little did I know! I now have 6 virus and spyware related programs on my computer. Maybe I should look into that suggestion about 3rd party browser? I'd love to hear more about them. Do you mean something like Mozilla or Netscape?
I've just removed about 5 items with HijackThis that had the site's name on them and, on accident, my scheduled AVG antivirus scan picked up the .exe file after its most recent update. It couldn't get rid of it, but at least it gave me the location. I believe it was c:documentsandsettings/allusers/startmenu/programs/startup/msexplorer.exe (or a similar filename). I couldn't delete it manually, but I renamed it "stupidvirus" so I could pick it out easier with HijackThis and got rid of it then. I'm about to restart my computer to see if it works. *fingers crossed*
-Clomp
|
Peter
01/10/04
|
Third-party browsers which I recommend:
SlimBrowser
myIE
Avant
Mozilla
Opera
I prefer Slimbrowser but Avant seems to have the best of both worlds in terms of webpage loading and more functionality than IE.
|
Mark
01/10/04
|
Glad we could help! From what I can tell, you have some experience at this, and had no problem finding a spot to post your Hi Jack This! log. Excellent work. SpyBot and Ad-Aware are great tools. Keep 'em, as they can take care of most of the crap out there. Lately though, it appears that malware is getting nastier, and bigger guns are needed.
If your problem comes back (hope it doesn't!!), check for that Winlogon file mentioned on Tek-tips (the one in start-up).
|
Peter
01/10/04
|
Having trouble deleting malware in windows?
ctrl-alt-delete and kill that task off. If it refuses, reboot into DOS and delete it the old-fashioned way: cd c:\windows..del msexplorer.exe..etc
I'd check by running msconfig in windows and look at your startup programs. These malware aren't as clever as you think. They place themselves there usually so windows runs them on startup. Uncheck them and look at their paths so you delete them manually.
|
Mark
01/10/04
|
From what I read, there's a kicker with "www.find4u.net": it creates a "Winlogon.exe" clone to stop attempts to delete (Windows is fooled into seeing it as a system file). The user now has two "Winlogon.exe" files, a vital one and the crap one. The good one resides in Windows/System32 (XP), or Winnt/System (Win2K, I think) and the bad one sits in "Start>Programs>Startup". Windows won't let you delete it, so you need to reboot in "Safe mode w/command prompt", then you can find it and kill it. How can Windows allow this to happen? grrr...
|
Peter
01/10/04
|
www.tinyapps.org
There's a 406K browser. Yes, less than half a MB in size. No install required, straight run. There's no security risk... because it has no features, hoho. Text and pics only, full stop. Interesting.
An Operating System that can fit onto a floppy disk? Now that is interesting. I don't think I'll remove windows yet.
Yeah Mark, windows is really pathetic. I would love to try out Linux but then I would have to go on courses on something to get everything running. Maybe one day.
|
Mark
01/10/04
|
Friend of a friend is a programmer, and runs Win2K on his main box, with a secondary box acting as server running Linux. He teases me with it from time to time... Like a lot of programmers out there, he's reluctant to switch to XP because he likes the "lean" NT core approach, and doesn't run old programs so he's ok. He did try XP Pro a few times, and got lost a bit with all the extra goodies (and not so goodies...). He's slowly getting into Linux, and I'm waiting 'til he can teach me!!
|
Mike
ishmael2398@yahoo.com
02/01/04
|
I've been struggling to remove the i-lookup, click2findnow, and find4u browser Hijacks. Ad-aware finds all this but can't make it go away. Spybot didn't even find them.
Snowman, thanks for the CW-Shredder tip. It looks like that actually got it.
Nasty little bugger. We ought to send all this crap to Mr. Gates and company. He deserves it at least for using the general public as his Windows crash-test-dummies.
|
Jake
j_holub@yahoo.com
02/03/04
|
Hi, I have the same problem. However, I've heard bad things about CW-Shredder crashing people's hard drives. How probable is this? Please help, this find4u.net Hijacker is tearing the A$$ out of me. I've already run AdAware and Spybot.
|
snowman
02/03/04
|
find4u.net is a Coolweb domain.
So it's up to you.
There was a booby-trapped Coolweb variant; Shredder has been updated. Far as I know, no problems.
There is a variant of the Coolwebsearch trojan spreading that closes several anti-spyware apps when you try to open them.
If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CW-Shredder and HijackThis will run properly (as well as Spybot S&D, Ad-aware and several anti-spyware forums).
http://www.safer-networking.org/minifiles.html
Note that's only a mini tool; you'll still have to run CW-Shredder:
CW-Shredder direct download: http://216.180.233.153/~merijn/files/CW-Shredder.exe
That's the best way to remove it.
If Ad-aware has problems you can consider this: just came out today, Feb. 2
Ad-aware Cloak:
Ad-aware Cloak 1.0 is designed to allow Ad-aware to open fully when there are items on the system which close Ad-aware when it attempts to start, such as some CoolwebSearch variants. To use Ad-aware Cloak, save it to your system, and run the program before opening Ad-aware. Once Ad-aware Cloak opens, click "Activate Cloak" and then open Ad-aware and scan as normal. When you are done using Ad-aware, close Ad-aware Cloak.
http://www.lavasoftnews.com/downloads/AAWCloak.exe
|
matrixdts
matrixdts@hotmail.com
02/22/04
|
Please help.
Have the find4u and the dotcomtoolbar browser Hijack. Tried relentlessly to remove, to no avail. Please somebody help. Here is the Hijack log.
|
matrixdts
02/22/04
|
Sorry, here's the HijackThis log.
Logfile of HijackThis v1.97.7
Scan saved at 12:37:58, on 22/02/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.00)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\windows\redirect5.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\matrix\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E7188-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [redirect] C:\windows\redirect5.exe
O4 - HKLM\..\Run: [easywww] C:\windows\easywww.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SIDEBAR] "C:\WINDOWS\Resources\Themes\DameK UltraBlue\Desktop Sidebar\sidebar.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A456F35-17F8-48E2-9EC7-7F7F34A117A7}: NameServer = 194.72.9.34 194.74.65.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A456F35-17F8-48E2-9EC7-7F7F34A117A7}: NameServer = 194.72.9.34 194.74.65.68
|
snowman
02/22/04
|
To remove find4u and the dotcomtoolbar you need to use a program called CW-Shredder:
Go to the majorgeeks link.
You'll find 2 tools you'll need.
Get both the smartsearchkiller mini tool and CW-Shredder 1.49.1.
Run the minitool first;
then run the new shredder.
Have it fix problems, reboot.
The updaters won't work for a while.
So this is the only way of doing it
LINK:
http://www.majorgeeks.com/download4086.html
What your Hijack this log shows though is easywww and redirect5
Here are removal instructions for that:
http://www.pestpatrol.com/PestInfo/e/easywww.asp
Spykiller is not a very good program. I'd uninstall it.
Use ad-aware:
http://www.lavasoftusa.com/software/adaware/
or spybot S&D instead:
http://www.safer-networking.org/
Spysweeper is good.
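Mark's earlier point about a "Winlogon.exe" clone sitting in the Startup folder, and the HijackThis log posted above, both come down to one check: a core Windows file name showing up outside System32. The script below is an added example, not part of the thread and not HijackThis's own logic; the list of System32-only names, the bare startup-item line form and the sample log are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed list: core Windows binaries that belong only in the System32 folder.
SYSTEM32_ONLY = {"winlogon.exe", "smss.exe", "csrss.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}
SYSTEM32_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\system32$", re.I)
# Line forms: 'O4 - HKLM\..\Run: [name] command' and
# 'O4 - Global Startup: item' with an optional ' = target' for shortcuts.
RUN_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[(.*?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?)(?: = (.+))?$")
PROCESS_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.I)

def exe_path(command):
    """Return the executable part of a quoted or bare command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]

def masquerading(path):
    """True when a System32-only file name is used from any other folder."""
    folder, name = ntpath.split(path)
    return (bool(folder) and name.lower() in SYSTEM32_ONLY
            and not SYSTEM32_RE.match(folder))

def candidates(line):
    """Yield (source, path) pairs named on one log line."""
    run, start = RUN_RE.match(line), STARTUP_RE.match(line)
    if run:
        yield run.group(1), exe_path(run.group(3))
    elif start:
        # The item itself sits in a Startup folder; a shortcut also has a target.
        yield start.group(1), start.group(1) + "\\" + start.group(2)
        if start.group(3):
            yield start.group(1), exe_path(start.group(3))
    elif PROCESS_RE.match(line):
        yield "process", line

def triage(log_text):
    """Return (source, path) for every item that fails the location check."""
    return [hit for line in log_text.splitlines()
            for hit in candidates(line.strip()) if masquerading(hit[1])]

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /s
O4 - HKLM\..\Run: [svc] C:\WINDOWS\svchost.exe -k
O4 - Global Startup: Example Help.lnk = C:\Program Files\Example\help.exe
O4 - Global Startup: winlogon.exe
"""

if __name__ == "__main__":
    for source, path in triage(SAMPLE_LOG):
        print(f"{source}: {path}")
```

A hit only means the file deserves a closer look; entries that give no folder at all (for example a Run value of just `svchost.exe`) are skipped because their location cannot be judged from the log line.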
|
Frank
|
A little caution about PestPatrol.
Their site offers great malware "information", used by many pros out there;
they have a good database for pests (processes, extensions,...),
with good manual removal instructions that are a little excessive partly as a ploy to
sell their software. Basically they "enhance" manual removal efforts to push their product.
Nothing to worry about so far,... Well, they have a free scanner called "Pestscan".
First of all it scans only. NO removal. Second of all the scan is total garbage.
This garbage scanner will give a report of multiple nasties like Coolweb and many known "super spyware", when in fact the machine can be clean.
THAT is totally unforgivable. This creates excess upset and difficulty. It is really hard to remove a program that doesn't exist. :-)
So in conclusion, they have some good information. But their scanner sucks.
|
Mark
02/22/04
|
Matrix : after following Snowman's instructions, please post a new Hi Jack This! log. You have so much junk, that we may still have some work to do.
Spykiller does need to go. If you paid money for Popup Stopper Pro, then keep it. If not, I recommend you remove it and install the Google toolbar instead. The Google bar kills just as many popups, and is much less difficult to manage (and it's free). Just leave out the "Page Rank" option.
|
bonniej
02/28/04
|
THANK YOU Mark, Snowman & Peter!!
I have spent all day trying to figure out this www.find4u.net problem on my husband's Dell.
I tried Adware, Spybot, SpyHunters & hijacked.
Nothing seemed to work.
Then I happened across this thread. Downloaded CW-shredder to my Mac.. burned it to CD & took it over to his Dell running XP.
IT WORKED!!
Thank you so much for posting this information!!
I didn't want to connect him back to the internet until I had the problem solved. He is now back up & running.
THANK YOU!!!
Anti-SpyWare: SpyHunter Anti-Virus: Virex Firewall: yes OS: XP
|
|