Help ! adware SearchCounter fntldr.exe

Discussion in 'Trading Software' started by Kicking, Dec 31, 2003.

  1. You might want to look at what site that you keep returning to that keeps tapping in to your setup also. This stuff just loves to re-install itself. :)
     
    #11     Jan 1, 2004
  2. ron2368


    Only thing that worked for me was to go into msconfig and disable all start up programs, then run spybot after re-booting. The adware program is impossible to delete; if you delete it there is another hidden program that keeps restoring it. Good luck!
     
    #12     Jan 1, 2004
  3. No, I deleted everything in Internet options and I swear I will never use this PC again for websurfing. You can't protect yourself from that kind of evilware, ZA did not stop it, IE doesn't prompt you upon download, you can't see anything. I vaguely remember some dvd website that had porn pop ups trying to dl stuff and I hit ZA's stop button because it smelled fishy. Not sure if it was that, anyway I read this stuff just installs itself and you can't see anything. None of the anti spyware programs can get rid of it. There is an app called CWShredder designed specifically for that program available for free but it doesn't get rid of it completely either I think. Read the scumbags behind this are way ahead in the field of designing the most evil adware sh*t.
     
    #13     Jan 1, 2004
  4. nkhoi

    nkhoi Moderator

    Search & Destroy can lock your start page so nothing can change it; however, it also disables the tool button in the IE browser. Now if I want to access the tool function I have to right click on the IE icon then select properties, a little inconvenient, but my start page stays put.
     
    #14     Jan 1, 2004
  5. I have 3 Active X control files in the objects window of Internet options Temporary files (downloaded program files). No dates of creation, no extensions. I am not sure this is related (I have seen them before I think, one is from akamai, 2 others show codecs microsoft as status). I was wondering if I can delete those without affecting my system.
     
    #15     Jan 1, 2004
  6. nkhoi

    nkhoi Moderator

    You will feel worse if you can't turn on your machine at all. Don't wipe out anything you see and hope it works; what happens if it doesn't? Do some major backup before you attempt to 'fix' it.
     
    #16     Jan 1, 2004
  7. Ebo


    I had this problem.
    You MUST backup your Registry first.
    Then remove it from your registry while you are logged into Windows in "Safe Mode". There are specific instructions on how to safely do this on the Symantec site. It is worth the $30 to pay Symantec to walk you through this if you are not sure how to back up and edit your registry. I REPEAT....DO NOT GUESS! You will lose everything on your machine if you mess it up. When it is all cleaned up I also recommend "SPYBOT" free download to keep these pests away.
    Good Luck!

    ebo
     
    #17     Jan 1, 2004
  8. Maybe I managed to get rid of it. At least I didn't get my homepage hijacked this morning. First time since I got this pest. I'll have to wait a couple of days before declaring victory of course and I will then post to tell you what I did that may have solved the problem. I literally lost sleep over this, I could see myself going through the registry and seeing the .exe files back again. What a nightmare. It was like those dreams of NQ cratering in premarket when I am long.

    Life is good. No more Coolsearch. I am in pure bliss listening to Tunnel Trance vol 24, the Q's are set to blast at the open and I am long.
     
    #18     Jan 2, 2004
  9. debud


    Hello, frustrated traders,

    We've recently encountered the frustrating find4u problem. It's actually a CWS bug which can be eliminated by enduring a rather stringent and lengthy operation. To get the nitty gritty on the fix, please browse to:
    http://forums.spywareinfo.com/index.php?showtopic+24870&hl=find4u

    Make sure you copy the entire URL above into your browser's address bar ... complete from the "http://" to the "find4u" at the end. The discussion will detail what you need to do to clear up the problem, although the poster isn't aware of the recent (1-1-04) upgrades to the product so you'll have to wing it through some of the final steps in the Adaware product.


    In a nutshell, you will need to run Microsoft's critical updates and download three programs (cwshredder, spybot, and adaware6) and run them sequentially to get the little bugger out of your system. It's a time-consuming process ... especially if you're on a dial-up (which, regrettably due to a recent move, we are), but hey ... if it fixes the problem it's worth it, right?

    Happy '04, and safe and happy computing and trading to you all.
    Anita
     
    #19     Jan 2, 2004
  10. OK guys, here's how I fixed it. It's been 3 days now since I haven't seen the Coolsearch page back. I think it's safe to say that I got rid of these motherf*ckers. I am pretty proud of me especially since as you will see or already know I am far from being an expert in computing, rather the opposite, an "if it ain't broken don't fix it" kind of guy who usually only downloads updates when forced to ahaha... I was lucky enough not to get one of the nastier strains that constantly display pop ups and slow down your machine to a crawl.

    Now I just wish the FBI would take care of the scumbags behind this.

    But let's get to the meat. Again this experience is a good example of how breakthroughs can happen just when you are about to give up and throw in the towel. I had followed the Symantec instructions and followed the advice given on the Dell website but still the spyware would reload itself the next day, even if upon reboot it appeared to have disappeared. I was pretty much resigned to living with it or reformat, a pretty grim prospect since I still have no idea of how to reformat a HD. I nonetheless kept searching for clues on Google.

    This is when I came about a post making mention of the values in HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles

    "User Stylesheet"="%Windir%\Web\tips.ini"
    The program points to that file, which cannot be found. The Symantec instructions are to delete this value. The poster as far as I understand advised to delete the file itself too, "tips.ini". I could not find that but sent all the tips files to the bin :eek: :eek: But I don't think that file was the culprit.

    I think the breakthrough came when I read about the file soundmx.exe that some say is used by the program to reload itself. When searching for soundmx.exe the results were all HijackThis logs from people infected with adware searchcounter. I too happen to have this program in my start up items and did not recall ever seeing it before. What a coincidence. So I unchecked it too.

    Symantec also mentions HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer

    "ReconfLast"=dword:07D30C01

    as one of the registry entries altered by the program. But they don't say what to do with it. I tried to delete the values but it would not let me do it so I added a digit to the series. Heck, who knows?


    I also had 3 Active X controls files in IE temp files, status and dates of creation unknown. All the legit files have that info so I got rid of those too. It's probably unrelated but worth a look at.


    So I started first by cleaning cache and history, deleted the host file line (see Symantec instructions) then changed all the altered values in the registry deleting the fntldr.exe, Coolsearch and adware search counter files in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
    then followed with the above.

    Hopefully this should provide some clues if you have the misfortune to be infected. I am not sure what did it, IMO the soundmx.exe file. I am trying to find a way to completely erase it from my machine as it is still on my startup list but unchecked. I am concerned some more hidden components could still be affecting my system though. I had 2 weird crashes in 3 days so maybe I will run Spy bot and more likely than not DL MS updates.


     
    #20     Jan 4, 2004
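
The registry locations and file names mentioned in post #20 can be checked in a registry export instead of by hand in regedit. The following is an added example, not part of any post in the thread: it parses `.reg` export text and reports the entries the thread names. The sample export, the `SoundMX` value name and the choice of the `Run` key as the place a startup item appears are assumptions made for illustration.

```python
import re

# Indicators taken from the thread above; matching is case-insensitive.
SUSPECT_FILES = ("fntldr.exe", "soundmx.exe")
STYLES_KEY = r"software\microsoft\internet explorer\styles"
EXPLORER_KEY = r"software\microsoft\windows\currentversion\explorer"
RUN_SUFFIX = r"\currentversion\run"  # assumption: where a startup item shows up

# Constructed sample in regedit export (.reg) format, not from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\Web\\tips.ini"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ReconfLast"=dword:07d30c01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMX"="C:\\WINDOWS\\System32\\soundmx.exe"
"Updater"="C:\\Program Files\\Example\\update.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2)

def find_indicators(text):
    """Return (key, value_name, reason) tuples for entries the thread calls out."""
    hits = []
    for key, name, data in parse_reg(text):
        k, d = key.lower(), data.lower()
        if k.endswith(STYLES_KEY) and name.lower() == "user stylesheet":
            hits.append((key, name, "IE user stylesheet override"))
        elif k.endswith(EXPLORER_KEY) and name.lower() == "reconflast":
            hits.append((key, name, "ReconfLast value present"))
        elif k.endswith(RUN_SUFFIX) and any(f in d for f in SUSPECT_FILES):
            hits.append((key, name, "startup entry runs a named file"))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG):
        print(" | ".join(hit))
```

Real regedit exports are usually UTF-16 encoded and may wrap long hex values across lines, so decode the file first; this parser only reads single-line values.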