Richfind.com Browser Hijacker

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Jono, Sep 27, 2004.

  1. Jono

    Jono Private E-2

    I am infected with a browser hijacker that resets my home page to http://www.richfind.com. I have followed all of the steps listed in your README FIRST posting, but it reappears once I leave safe mode and reboot back to normal.

    I have downloaded Hijack This but have not run it yet, pending any instructions you can give me.

    Thanks in advance.
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    If you are sure you ran all the steps, please post your logfile per the Hijack This tutorial.
     
  3. Jono

    Jono Private E-2

    Well I can see it right at the beginning of the logfile attached. Any advice on the correct way to remove it would be much appreciated.
     


  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Hijack This needs to be in its own directory please. You will not have backups for mistakes otherwise. I see doing our tutorial removed some calls to the dll, but I see the problem and this should fix it...

    Remove:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/

    Unless your net provider put this here, it can be removed:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    R3 - URLSearchHook: Richfind - {114A5BFD-05CE-4070-8E22-4D9C51F54BEE} - C:\WINDOWS\system32\Q10689330.dll (file missing)
    O3 - Toolbar: Richfind - {1E023577-4611-485C-95DC-C2CD2ABFCFCD} - C:\WINDOWS\system32\Q10689330.dll (file missing)
    O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - Startup: StarUpdater.exe.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Richfind - {00000000-0000-0000-0000-000000000000} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Richfind - {1E023577-4611-485C-95DC-C2CD2ABFCFCD} - C:\WINDOWS\system32\Q10689330.dll (file missing)

    For the end, you're on your own: check over all of the O16 lines. Remove anything you did not install or recognize. There's really no damage to be done in that area, so don't sweat it, otherwise I wouldn't tell you to do that. There are just too many there for me to accurately tell you what is good and what is not. Don't forget this step! :) Some make me nervous, like...

    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {E49D9ED2-653B-4611-8ADD-909E9EC05C5C} - http://130.94.70.13/player/ach.cab


    Check back with us!
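    The triage the reply above walks through (hijacker URLs in the R0/R1 values, hooks and toolbars whose DLL is gone, the all-zero CLSID, and O16 controls you cannot vouch for) can be written down as a log reader. The Python script below is an added example, not MajorGeeks' or HijackThis' code: it parses HijackThis-format lines from a constructed sample modelled on the entries quoted in this thread and reports why each line deserves a second look. The heuristics it applies (a hijacker domain list, "control fetched from a raw IP" for O16 entries, proxy values to confirm with the ISP) are assumptions about what a reviewer checks, not rules that HijackThis itself implements, and the script never touches the registry; the removal decision stays with the person at the keyboard.

```python
"""Read HijackThis-style log lines and explain which ones deserve attention.

Added example for this thread (not a MajorGeeks or HijackThis tool). It only
reads text; it does not modify the registry or delete files.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample, modelled on the entries quoted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Richfind - {114A5BFD-05CE-4070-8E22-4D9C51F54BEE} - C:\WINDOWS\system32\Q10689330.dll (file missing)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {E49D9ED2-653B-4611-8ADD-909E9EC05C5C} - http://130.94.70.13/player/ach.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
NULL_CLSID = "{00000000-0000-0000-0000-000000000000}"


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_line(line: str, hijacker_domains=("richfind.com",)) -> Optional[Finding]:
    """Classify one log line; returns None for lines that are not HijackThis entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    f = Finding(section=section, line=line.strip())
    lowered = body.lower()

    for url in URL_RE.findall(body):
        domain = urlparse(url).hostname or ""
        # Any URL under the domain the user reported as the hijack target.
        if any(domain == d or domain.endswith("." + d) for d in hijacker_domains):
            f.reasons.append(f"points at hijacker domain {domain}")
        # Heuristic (assumption): an ActiveX control served from a bare IP gives
        # the reviewer no name to look up, so it is flagged for manual checking.
        if section == "O16" and IPV4_HOST.match(domain):
            f.reasons.append(f"ActiveX control downloaded from raw IP {domain}")

    # Hooks, toolbars and buttons whose backing file is gone are leftovers of
    # something already removed; nothing legitimate depends on them.
    if "(file missing)" in lowered or "(no file)" in lowered:
        f.reasons.append("references a file that no longer exists")

    # An all-zero CLSID is not a registered component.
    if NULL_CLSID in body:
        f.reasons.append("uses the null CLSID")

    # Proxy values are legitimate only if the user or their ISP set them.
    if "proxyoverride" in lowered or "proxyserver" in lowered:
        f.reasons.append("proxy setting: confirm it was set deliberately")

    # O16 entries without a descriptive "(Name)" give the reviewer nothing to recognise.
    if section == "O16" and not re.search(r"\}\s+\(", body):
        f.reasons.append("unnamed downloaded program (O16) entry")

    return f


def triage(log_text: str, hijacker_domains=("richfind.com",)) -> List[Finding]:
    """Run triage_line over a whole log, keeping findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw, hijacker_domains)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "REVIEW" if f.suspicious else "ok    "
        print(f"{tag} {f.line}")
        for r in f.reasons:
            print(f"         - {r}")
```

    Entries the script leaves unflagged (the Sun Java Console menu item, the named Ofoto control) are not declared clean; they simply triggered none of the heuristics, which is exactly the "remove what you do not recognise" judgement the reply above leaves to the reader.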
     
  5. Jono

    Jono Private E-2

    That did the trick - thanks for your help! :)
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    My pleasure!
     
