heiderle's problems with rightfinder.net... Spyware??

Discussion in 'adware, spyware & hijack cleaning' started by heiderle, Nov 8, 2003.

Thread Status:
Not open for further replies.
  1. heiderle

    heiderle Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    3
    Hi,
    I'm German and I also have Problems.
    I checked my machine with Hijack This and here is the result.
    Please can you tell me, what I should do now?
    Thanks
    Thomas

    Logfile of HijackThis v1.97.3
    Scan saved at 18:59:23, on 08.11.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\PROGRA~1\0190WA~1\w0svc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Programme\T-DSL Business\bolog.exe
    C:\PROGRA~1\0190WA~1\WARN0190.EXE
    C:\Programme\Browser MOUSE\mouse32a.exe
    C:\Programme\Browser MOUSE\R2M.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programme\22M WLAN\WLANMON.exe
    C:\Programme\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SYSTEM32\HOTKEY.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Programme\T-DSL Business\bolog.exe
    C:\PROGRA~1\0190WA~1\WARN0190.EXE
    C:\Programme\Browser MOUSE\mouse32a.exe
    C:\Programme\Browser MOUSE\R2M.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programme\Messenger\msmsgs.exe
    C:\Programme\22M WLAN\WLANMON.exe
    C:\Programme\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\BRQIKMON.EXE
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://porntwist.com/search/
    O1 - Hosts: 66.118.163.109 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Dokumente und Einstellungen\th\Anwendungsdaten\winshow\winshow.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HOTKEY.EXE] C:\WINDOWS\SYSTEM32\HOTKEY.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [BusinessOnline Log] "C:\Programme\T-DSL Business\bolog.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.EXE
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Programme\Browser MOUSE\mouse32a.exe
    O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Programme\Browser MOUSE\R2M.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Settings] C:\Programme\FAST-Dazzle\tv4me\WIN2K\Application\settings.exe
    O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
    O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
    O4 - HKCU\..\Run: [YAW starten] "c:\programme\yaw 3.5\fast.exe"
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe
    O4 - Global Startup: 22M WLAN Adapter Utility.lnk = C:\Programme\22M WLAN\WLANMON.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: Recherche-Assistent (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O19 - User stylesheet: C:\WINDOWS\my.css
    O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Re:problems with rightfinder.net... Spyware??

    Download CWShredder by Merijn Bellekom, of Hijack This and Startuplist fame.
    Run it, and have it fix all it finds.

    Next, run Hijack This once more, repost to this forum thread, and please show us a fresh log.

    Also, would you please find the C:\WINDOWS\AddClass.exe file, rightclick it, choose 'Properties', and tells us whether that reveals its nature?
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Re:problems with rightfinder.net... Spyware??

    Also, as the following domains aren't as yet targeted by CWShredder, after running the application, have Hijack This fix the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://porntwist.com/search/
     
  4. heiderle

    heiderle Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    3
    Re:problems with rightfinder.net... Spyware??

    Hi Tony,
    I did what you told me and here is the report.
    I looked for AddClass.exe and found the last change at Nov. 3rd 2003 and I think that coul b the date of invasion.
    By the way: rightfinder and porntwister are still active while typing this.
    thomas

    Logfile of HijackThis v1.97.3
    Scan saved at 19:55:53, on 08.11.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Programme\T-DSL Business\bolog.exe
    C:\PROGRA~1\0190WA~1\WARN0190.EXE
    C:\Programme\Browser MOUSE\mouse32a.exe
    C:\Programme\Browser MOUSE\R2M.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programme\22M WLAN\WLANMON.exe
    C:\Programme\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SYSTEM32\HOTKEY.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Programme\T-DSL Business\bolog.exe
    C:\PROGRA~1\0190WA~1\WARN0190.EXE
    C:\Programme\Browser MOUSE\mouse32a.exe
    C:\Programme\Browser MOUSE\R2M.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programme\Messenger\msmsgs.exe
    C:\Programme\22M WLAN\WLANMON.exe
    C:\Programme\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\BRQIKMON.EXE
    C:\Programme\Internet Explorer\iexplore.exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\Dokumente und Einstellungen\th\Lokale Einstellungen\Temp\Temporäres Verzeichnis 1 für hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.porntwist.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://porntwist.com/search/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HOTKEY.EXE] C:\WINDOWS\SYSTEM32\HOTKEY.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [BusinessOnline Log] "C:\Programme\T-DSL Business\bolog.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.EXE
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Programme\Browser MOUSE\mouse32a.exe
    O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Programme\Browser MOUSE\R2M.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Settings] C:\Programme\FAST-Dazzle\tv4me\WIN2K\Application\settings.exe
    O4 - HKCU\..\Run: [YAW starten] "c:\programme\yaw 3.5\fast.exe"
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe
    O4 - Global Startup: 22M WLAN Adapter Utility.lnk = C:\Programme\22M WLAN\WLANMON.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: Recherche-Assistent (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Re:problems with rightfinder.net... Spyware??

    First, would you please send a copy of that C:\WINDOWS\AddClass.exe file to this e-mail address for analysis?
    We'd like to have a closer look at it!

    TIA! :)

    After that, have Hijack This fix all of the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.porntwist.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://porntwist.com/search/

    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe

    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?


    Restart your computer, and please tell us whether that made a difference.
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Re:problems with rightfinder.net... Spyware??

    Thanks for the file. It's your culprit; I found this inside:

    Code:
    .c:\windows\hosts.c:\windows\system32\Drivers\Etc\hosts.127.0.0.1       localhost
    66.118.163.109  auto.search.msn.com
    \Find Anything in the Net.url.[InternetShortcut]
    URL=http://www.rightfinder.net/main/b1/
    Modified=806188A46609C1013E
    \Find Hot Porn in the Net.url.[InternetShortcut]
    URL=http://www.rightfinder.net/main/b2/
    Modified=806188A46609C1013E
    ....\windows\system\mshta.exe.\windows\system32\mshta.exe.......................................
     
  7. heiderle

    heiderle Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    3
    Re:problems with rightfinder.net... Spyware??

    Hi Tony,
    it seems the machine is clean now again. :D
    Thanks a lot for giving me your time and your knowledge!
    If you ever like to come to Germany / Bavaria send me a mail and be my guest!
    Best wishes
    happy thomas
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Re:problems with rightfinder.net... Spyware??

    Glad we were able to help! :)
     
Thread Status:
Not open for further replies.