Search42 Removal |
by steamwiz | |
January 15, 2006 | |
Search42 is a variant of the Virtumonde (Vundo) web browser hijacker. This nasty trojan can be removed by following the steps below: Note: You should print out these directions before continuing, as you will need to reboot your computer. Remove Search42Step 1: HijackThisDownload and run HijackThis. Our HijackThis tutorial will get you through that part. Once you have run it and created a log file, return to these instructions.
Step 2: Examine HijackThis LogNext, look at the log file that HijackThis created and look for entries similar to this:
Step 3: VundoFixPlease download VundoFix.exe to your desktop: http://www.atribune.org/downloads/VundoFix.exe Step 4: Reboot into safe modeIf you're not sure of how to get into safe mode, click here for instructions. Step 5: KillVundo.batNow that you are in safe mode, open the VundoFix folder on your desktop and double-click on KillVundo.bat
Press Enter. Next it will ask you for the filename - enter in the exact filename you wrote down in Step 2, i.e. C:\WINDOWS\repair\srvdisk.dll (as shown in the O2 & O20 entries in YOUR HijackThis log file)
Press Enter. It will now ask you for a second filename. Please type the following file path (make sure to enter it exactly as below) REMEMBER...(This is the entry as shown in the O2 & O20 entries in YOUR hijackthis ... spelled backwards) Press Enter. The fix will run, then HijackThis will open.
Step 6: HijackThisIn Hijackthis, please place a check next to the following item(s) and click FIX CHECKED : (Again, replace srvdisk.dll with whatever you found in Step 2)
Step 7: CleanUp Download and install CleanUp: http://www.stevengould.org/downloads/cleanup/CleanUp40.exe
Step 8: Panda ActiveScanRun Panda ActiveScan virus scanner: http://www.pandasoftware.com/products/activescan.htm
Done! Your computer should now be clean of the Search42 trojan! If you want your results checked....start a new thread in the Spyware Forum. Copy the results of the ActiveScan and paste them in the new thread, along with a new Hijackthis log and the vundofix.txt file from the vundofix folder. Make sure you tell us you have run the vundofix... |