|
|
#1
November 8th, 2003, 01:23 PM
|
|||
|
|||
heiderle's problems with rightfinder.net... Spyware??
Hi,
I'm German and I also have Problems. I checked my machine with Hijack This and here is the result. Please can you tell me, what I should do now? Thanks Thomas Logfile of HijackThis v1.97.3 Scan saved at 18:59:23, on 08.11.2003 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\brss01a.exe C:\PROGRA~1\0190WA~1\w0svc.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\khooker.exe C:\WINDOWS\System32\sistray.EXE C:\Programme\T-DSL Business\bolog.exe C:\PROGRA~1\0190WA~1\WARN0190.EXE C:\Programme\Browser MOUSE\mouse32a.exe C:\Programme\Browser MOUSE\R2M.EXE C:\WINDOWS\System32\ctfmon.exe C:\Programme\22M WLAN\WLANMON.exe C:\Programme\WinZip\WZQKPICK.EXE C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SYSTEM32\HOTKEY.EXE C:\WINDOWS\System32\khooker.exe C:\WINDOWS\System32\sistray.EXE C:\Programme\T-DSL Business\bolog.exe C:\PROGRA~1\0190WA~1\WARN0190.EXE C:\Programme\Browser MOUSE\mouse32a.exe C:\Programme\Browser MOUSE\R2M.EXE C:\WINDOWS\System32\ctfmon.exe C:\Programme\Messenger\msmsgs.exe C:\Programme\22M WLAN\WLANMON.exe C:\Programme\WinZip\WZQKPICK.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\BRQIKMON.EXE C:\unzipped\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://porntwist.com/search/ O1 - Hosts: 66.118.163.109 auto.search.msn.com O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Dokumente und Einstellungen\th\Anwendungsdaten\winshow\winshow.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll O4 - HKLM\..\Run: [HOTKEY.EXE] C:\WINDOWS\SYSTEM32\HOTKEY.EXE O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM\..\Run: [BusinessOnline Log] "C:\Programme\T-DSL Business\bolog.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.EXE O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Programme\Browser MOUSE\mouse32a.exe O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Programme\Browser MOUSE\R2M.EXE O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Settings] C:\Programme\FAST-Dazzle\tv4me\WIN2K\Application\settings.exe O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe O4 - HKCU\..\Run: [YAW starten] "c:\programme\yaw 3.5\fast.exe" O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe O4 - Global Startup: 22M WLAN Adapter Utility.lnk = C:\Programme\22M WLAN\WLANMON.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html O9 - Extra button: Recherche-Assistent (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O13 - DefaultPrefix: http://ehttp.cc/? O13 - WWW Prefix: http://ehttp.cc/? O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O19 - User stylesheet: C:\WINDOWS\my.css O19 - User stylesheet: C:\WINDOWS\my.css (HKLM) |
|
#2
November 8th, 2003, 01:46 PM
|
||||
|
||||
|
Re:Problems with rightfinder.net... Spyware??
Download CWShredder by Merijn Bellekom, of Hijack This and Startuplist fame.
Run it, and have it fix all it finds. Next, run Hijack This once more, repost to this forum thread, and please show us a fresh log. Also, would you please find the C:\WINDOWS\AddClass.exe file, rightclick it, choose 'Properties', and tells us whether that reveals its nature?
__________________
Tony < > CLSID List - A Collection of Autostart Locations |
|
#3
November 8th, 2003, 01:51 PM
|
||||
|
||||
|
Re:Problems with rightfinder.net... Spyware??
Also, as the following domains aren't as yet targeted by CWShredder, after running the application, have Hijack This fix the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://porntwist.com/search/
__________________
Tony < > CLSID List - A Collection of Autostart Locations |
|
#4
November 8th, 2003, 02:12 PM
|
|||
|
|||
|
Re:Problems with rightfinder.net... Spyware??
Hi Tony,
I did what you told me and here is the report. I looked for AddClass.exe and found the last change at Nov. 3rd 2003 and I think that coul b the date of invasion. By the way: rightfinder and porntwister are still active while typing this. thomas Logfile of HijackThis v1.97.3 Scan saved at 19:55:53, on 08.11.2003 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\brss01a.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\khooker.exe C:\WINDOWS\System32\sistray.EXE C:\Programme\T-DSL Business\bolog.exe C:\PROGRA~1\0190WA~1\WARN0190.EXE C:\Programme\Browser MOUSE\mouse32a.exe C:\Programme\Browser MOUSE\R2M.EXE C:\WINDOWS\System32\ctfmon.exe C:\Programme\22M WLAN\WLANMON.exe C:\Programme\WinZip\WZQKPICK.EXE C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SYSTEM32\HOTKEY.EXE C:\WINDOWS\System32\khooker.exe C:\WINDOWS\System32\sistray.EXE C:\Programme\T-DSL Business\bolog.exe C:\PROGRA~1\0190WA~1\WARN0190.EXE C:\Programme\Browser MOUSE\mouse32a.exe C:\Programme\Browser MOUSE\R2M.EXE C:\WINDOWS\System32\ctfmon.exe C:\Programme\Messenger\msmsgs.exe C:\Programme\22M WLAN\WLANMON.exe C:\Programme\WinZip\WZQKPICK.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\BRQIKMON.EXE C:\Programme\Internet Explorer\iexplore.exe C:\Programme\Internet Explorer\IEXPLORE.EXE C:\Dokumente und Einstellungen\th\Lokale Einstellungen\Temp\Temporäres Verzeichnis 1 für hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.porntwist.com/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://porntwist.com/search/ O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll O4 - HKLM\..\Run: [HOTKEY.EXE] C:\WINDOWS\SYSTEM32\HOTKEY.EXE O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM\..\Run: [BusinessOnline Log] "C:\Programme\T-DSL Business\bolog.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.EXE O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Programme\Browser MOUSE\mouse32a.exe O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Programme\Browser MOUSE\R2M.EXE O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Settings] C:\Programme\FAST-Dazzle\tv4me\WIN2K\Application\settings.exe O4 - HKCU\..\Run: [YAW starten] "c:\programme\yaw 3.5\fast.exe" O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe O4 - Global Startup: 22M WLAN Adapter Utility.lnk = C:\Programme\22M WLAN\WLANMON.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html O9 - Extra button: Recherche-Assistent (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O13 - DefaultPrefix: http://ehttp.cc/? O13 - WWW Prefix: http://ehttp.cc/? O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab |
|
#5
November 8th, 2003, 02:50 PM
|
||||
|
||||
|
Re:Problems with rightfinder.net... Spyware??
First, would you please send a copy of that C:\WINDOWS\AddClass.exe file to this e-mail address for analysis?
We'd like to have a closer look at it! TIA!  After that, have Hijack This fix all of the following: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.porntwist.com/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://porntwist.com/search/ O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe O13 - DefaultPrefix: http://ehttp.cc/? O13 - WWW Prefix: http://ehttp.cc/? Restart your computer, and please tell us whether that made a difference.
__________________
Tony < > CLSID List - A Collection of Autostart Locations |
|
#6
November 8th, 2003, 03:25 PM
|
||||
|
||||
|
Re:Problems with rightfinder.net... Spyware??
Thanks for the file. It's your culprit; I found this inside:
Code:
__________________
Tony < > CLSID List - A Collection of Autostart Locations |
|
#7
November 8th, 2003, 03:35 PM
|
|||
|
|||
|
Re:Problems with rightfinder.net... Spyware??
Hi Tony,
it seems the machine is clean now again.  Thanks a lot for giving me your time and your knowledge! If you ever like to come to Germany / Bavaria send me a mail and be my guest! Best wishes happy thomas |
|
#8
November 8th, 2003, 03:43 PM
|
||||
|
||||
|
Re:Problems with rightfinder.net... Spyware??
Glad we were able to help!
__________________
Tony < > CLSID List - A Collection of Autostart Locations |
| « Previous Thread | Next Thread » |
| Thread Tools | Search this Thread |
|
|
