Help2Go
Free Computer Help.
Powered by Volunteers.




Search42 Removal

by steamwiz
January 15, 2006

Search42 is a variant of the Virtumonde (Vundo) web browser hijacker. This nasty trojan can be removed by following the steps below:





Note: You should print out these directions before continuing, as you will need to reboot your computer. 

Remove Search42

Step 1: HijackThis

Download and run HijackThis. Our HijackThis tutorial will get you through that part. Once you have run it and created a log file, return to these instructions.


Step 2: Examine HijackThis Log

Next, look through the log file that HijackThis created for entries similar to the ones below.
Remember: YOURS will be different.

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\repair\srvdisk.dll

O20 - Winlogon Notify: srvdisk - C:\WINDOWS\repair\srvdisk.dll

The file name and path (C:\WINDOWS\repair\srvdisk.dll in the example above, shown in blue) are random, so yours will be different. Write down the name and path from your own log, and use them everywhere these instructions show the example file.

 

Step 3: VundoFix

Please download VundoFix.exe to your desktop: http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files. This will create a VundoFix folder on your desktop.

Step 4: Reboot into safe mode

If you're not sure of how to get into safe mode, click here for instructions.


Step 5: KillVundo.bat

Now that you are in safe mode, open the VundoFix folder on your desktop and double-click on KillVundo.bat

The first thing you see will be this :

Vundofix screenshot 

Press Enter

Next it will ask you for the filename. Enter the exact filename you wrote down in Step 2, for example C:\WINDOWS\repair\srvdisk.dll (as shown in the O2 & O20 entries in YOUR HijackThis log file).

Vundofix screenshot 

Press Enter.

It will now ask you for a second filename. This is the Vundo filename from Step 2 spelled backwards, in the same folder, with .* in place of the extension. Type the path exactly.

For example, if the Search42 dll was C:\WINDOWS\badfile.dll you would enter C:\WINDOWS\elifdab.* and if it was C:\WINDOWS\repair\srvdisk.dll you would enter

C:\WINDOWS\repair\ksidvrs.*

REMEMBER: this is the entry shown in the O2 & O20 entries in YOUR HijackThis log, spelled backwards.

Press Enter. The fix will run, then HijackThis will open.
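
The following script is an added example, not part of the original guide or of VundoFix. It shortlists DLLs that appear in both an O2 (BHO) and an O20 (Winlogon Notify) entry, as in Step 2, and builds the reversed second filename from Step 5. The sample log is constructed, and the "listed in both sections" match is a heuristic to confirm against your own log by eye.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the two entries shown in Step 2 plus two made-up benign ones.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\repair\srvdisk.dll
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\example.dll
O20 - Winlogon Notify: srvdisk - C:\WINDOWS\repair\srvdisk.dll
"""

O2_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: .+? - (.+)$")


def find_candidates(log_text):
    """Return DLL paths that appear in both an O2 (BHO) and an O20 entry."""
    bho, notify = {}, set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            path = m.group(1).strip()
            bho[path.lower()] = path      # Windows paths are case-insensitive
            continue
        m = O20_RE.match(line)
        if m:
            notify.add(m.group(1).strip().lower())
    return [path for key, path in bho.items() if key in notify]


def second_filename(dll_path):
    """Step 5: same folder, base name spelled backwards, extension replaced by .*"""
    p = PureWindowsPath(dll_path)
    return str(p.parent / (p.stem[::-1] + ".*"))


if __name__ == "__main__":
    for dll in find_candidates(SAMPLE_LOG):
        print("First filename: ", dll)
        print("Second filename:", second_filename(dll))
```
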


Step 6: HijackThis

In HijackThis, please place a check next to the following item(s) and click FIX CHECKED. (Again, replace srvdisk.dll with whatever you found in Step 2.)

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\repair\srvdisk.dll

O20 - Winlogon Notify: srvdisk - C:\WINDOWS\repair\srvdisk.dll

After you have fixed these item(s), close HijackThis and press any key to force a reboot of your computer. Pressing a key may cause a "Blue Screen of Death". This is normal, so do not worry!

Once your machine reboots please continue with the instructions below. 


Step 7: CleanUp

Download and install CleanUp: http://www.stevengould.org/downloads/cleanup/CleanUp40.exe

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (make sure nothing else is checked!):

  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK. Then press the CleanUp! button to start the program. It may ask you to reboot at the end; click NO.


Step 8: Panda ActiveScan

Run Panda ActiveScan virus scanner: http://www.pandasoftware.com/products/activescan.htm

 

Done!

Your computer should now be clean of the Search42 trojan! 

If you want your results checked, start a new thread in the Spyware Forum. Copy the results of the ActiveScan and paste them in the new thread, along with a new HijackThis log and the vundofix.txt file from the VundoFix folder. Make sure you tell us you have run VundoFix.




Creative Commons License

(C) 2008 Help2Go - Contact Us