Unable to remove "bestfind4u.com/index.htm" as search engine for IE

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hariraghavan, Jan 2, 2005.

  1. hariraghavan

    hariraghavan Private E-2

    Hi,
    My browser has been hijacked and the default search engine and home page have become "http://bestfind4u.com/index.htm". I have done all the steps listed under (1) http://forums.majorgeeks.com/showthread.php?t=35407 and (2) http://forums.majorgeeks.com/showthread.php?t=38752. Post delete, everything looks fine in safe mode. But when I start XP in normal mode my home page returns back to this site. I am stuck guys and any help or thoughts are highly appreciated.

    My OS is Windows XP SP-1. I have uploaded three log files - (1) prior to delete (2) post delete - both in safe mode and (3) log in normal mode.

    Thanks,
    Hari
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have followed ALL the steps in this Sticky thread
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal please read below:

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a current HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail, etc., before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. hariraghavan

    hariraghavan Private E-2

    Hi,

    Thanks for your very quick response. Based on what was posted, I ensured that I got the latest versions of all the software listed. I completed the required steps listed in 1-4 and also did the optional step 6. The programs I ran are:

    Before I started, I disabled system restore. Then I logged on to safe mode with network support.
    Step 1: Did an online scan at Symantec. No Viruses found.
    Step 2: Ran McAfeeAVERT Stinger. Had got the latest version from NAI.com
    Step 3: Ran CC Cleaner and checked everything under the Windows TAB. Did not check any of the options under Application tab as all the programs listed were valid programs.
    Step 4: Ran Ad-Aware SE with Ad-Aware VX2 Cleaner Plug-In: It found this as the default engine and I asked the program to fix it.
    Step 5: Ran Spybot (the DSO Exploit patch was installed). It found a few additional Spyware. I allowed Spybot to fix it. I did use the Immunize feature.
    Step 6: Ran CW Shredder. This program did not find anything
    Step 7: Ran Kill2Me. This program did not find anything.
    Step 8: Ran about:buster. It scanned the system twice.
    Step 9: Ran HS Remove. This program finally gave me a message that it had deleted 8 entries
    Step 10: Ran Hijack This and found the log for R0, R1, O2 and O3 looked OK.

    I logged again in normal mode and when I started IE it went back to the same search engine's home page. I ran HJT again. My HJT version is 1.99. As requested I have uploaded the text version of the latest HJT log.

    Thanks,
    Hari
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The process below should NOT be running while HJT is being used. Please CLOSE ALL BROWSERS BEFORE RUNNING HJT!!

    C:\Program Files\Internet Explorer\iexplore.exe


    1) Now run HJT again and fix these entries, BE SURE TO CLOSE ALL OPEN BROWSERS BEFORE FIXING ANYTHING WITH HJT!!!!!

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bestfind4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bestfind4u.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestfind4u.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bestfind4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestfind4u.com/index.htm
    O2 - BHO: SDWin32 Class - {CFCC89AF-CC30-4746-B206-77C60E96281D} - C:\WINDOWS\System32\uzddu.dll (file missing)
    O23 - Service: Office Source Engine - Unknown - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)

    2) After removing the above entries, reboot in Safe Mode

    3) Now go into Add/Remove programs and uninstall Spyware Begone

    4) After the uninstall go into the directory "C:\freescan" and look for the file freescan.exe and delete it (if it exists)

    5) Now go into the directory C:\WINDOWS\System32 and locate the file winupdtl.exe and delete it!

    6) Last one, go into the directory C:\WINDOWS and locate the file mutealj.exe and delete it.

    7) Reboot, reset web settings and post new HJT log.

    Tell me how things are running at this point
     
  5. PhilliePhan

    PhilliePhan Guest

    Bj - Please take the time to be more thorough!

    You didn't mention these:

    C:\windows\smnljda.exe

    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [vylsn] C:\WINDOWS\vylsn.exe
    O4 - HKLM\..\Run: [uzdduc] C:\WINDOWS\System32\uzdduc.exe


    They need to be addressed as well.

    Also, why not delete the whole Freescan folder?

    PP :)
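
Added example, not part of the thread: a small parser for the HijackThis entry lines quoted in the two posts above (R0/R1 registry values, O2 BHOs, O4 Run keys, O23 services) that lists IE settings pointing off an allow-list and marks entries flagged "(file missing)". The function names and the allow-list passed in are assumptions for illustration; the sample lines are copied from the posts.

```python
import re
from urllib.parse import urlsplit

# Entries copied from the log lines quoted in the two posts above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bestfind4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestfind4u.com/index.htm
O2 - BHO: SDWin32 Class - {CFCC89AF-CC30-4746-B206-77C60E96281D} - C:\WINDOWS\System32\uzddu.dll (file missing)
O4 - HKLM\..\Run: [vylsn] C:\WINDOWS\vylsn.exe
O23 - Service: Office Source Engine - Unknown - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
"""
MISSING = "(file missing)"
ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")
REG = re.compile(r"^(?P<key>HK[A-Z]+\\[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
BY_CODE = {  # one body pattern per section code seen in this thread
    "R0": REG, "R1": REG,
    "O2": re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"),
    "O4": re.compile(r"^(?P<key>HK[A-Z]+\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "O23": re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$"),
}

def parse_hjt(text):
    """Turn HijackThis entry lines into dicts; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m["code"], m["body"]
        rec = {"code": code, "file_missing": body.endswith(MISSING)}
        if rec["file_missing"]:
            body = body[: -len(MISSING)].rstrip()
        rx = BY_CODE.get(code)
        fm = rx.match(body) if rx else None
        rec.update(fm.groupdict() if fm else {"raw": body})  # keep unparsed body
        records.append(rec)
    return records

def off_list_ie_urls(records, allowed_hosts):
    """R0/R1 values whose URL host is not in the analyst's allow-list."""
    hits = []
    for r in records:
        if r["code"] in ("R0", "R1") and "data" in r:
            host = (urlsplit(r["data"]).hostname or "").lower()
            if host and host not in allowed_hosts:
                hits.append((r["name"], host))
    return hits
```
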
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I wasn't sure about those so I didn't have the user remove them just yet!
     
  7. PhilliePhan

    PhilliePhan Guest

    I think you'll find that they all need to go ;)
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Hey hariraghavan, sorry about this but I have to bail out and let chaslang or philliephan finish this thread, I'm done here.
     
