Parasite: RichFind

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

RichFind is an Internet Explorer toolbar, homepage and search hijacker aimed at www.richfind.com.

Variants

RichFind/win32: simple hijacker toolbar based on the Pugi (Softomate) toolbar code. Stored in the Downloaded Program Files folder.

RichFind/Q: also includes an Internet Explorer Browser Helper Object (BHO) and web page filters, all registered under random class IDs. It is stored as a single DLL in the System32 folder, with the name ‘Q’ followed by a large random number.

Distribution

win32 variant: believed to be installed by ActiveX drive-by download in pop-up ads from searchfind.info.

Q variant: Installed by the OnlineDialer/Ole parasite, made by the same group of companies as RichFind. OnlineDialer/Ole is itself loaded by CoolWebSearch exploits.

What it does

Advertising

Yes, in the Q variant. Opens periodic untargeted pop-up adverts from mb-tv.com, including pages from RichFind-clone search site searchinfo.com.

Privacy violation

No.

Security issues

Yes, in the Q variant. The software can download and execute arbitrary code silently from its controlling server 63.219.181.7.

Also during testing, the software spawned porn pop-ups from traffic-stock.com containing IE security exploits that loaded further parasites.

Stability problems

None known.

Removal

win32 variant

There may be an entry ‘win32’ in the Control Panel’s Add/Remove Programs list. During testing, this failed to work completely (it deregistered the toolbar component, then crashed with 100% CPU usage).

Manual removal

Open a Command Prompt window (click Start, open the Programs menu, Accessories submenu; called ‘DOS Prompt’ on Windows 95/98/Me) and type the following commands:

cd "%WinDir%\Downloaded Program Files"
regsvr32 /u win32.dll

Restart the computer and open the Downloaded Program Files folder (inside the Windows folder). Delete the entry ‘{C94158E1-6151-4442-ABE6-FD53D6534EFB}’.

Q variant

Open the System32 folder (inside the Windows folder; called just ‘System’ under Windows 95/98/Me) and sort the files by date so you can see the newest files easily. Look for a DLL with a name like ‘Q12345.dll’; note down the real number.

Open a Command Prompt window (click Start, open the Programs menu, Accessories submenu; called ‘DOS Prompt’ on Windows 95/98/Me) and type the following commands:

cd "%WinDir%\System32"
regsvr32 /u Q12345.dll

On Windows 95/98/Me use cd "%WinDir%\System" instead, since that is where the System32 folder lives on those versions. Substitute ‘12345’ with the real number from the filename you noted down.

Restart the computer and you should be able to delete the Q12345.dll file from the System32 folder. You can also open the registry (click Start, choose Run, enter regedit) and delete the key HKEY_CURRENT_USER\Software\LAWGA to clean up, if you wish.
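The two manual procedures above (win32 variant and Q variant) can be scripted so the indicators are located before anything is touched. The following PowerShell script is an added example, not code from the original page or from doxdesk: it checks for win32.dll in Downloaded Program Files and for the win32 variant’s class ID under the Code Store Database, lists any Q<digits>.dll in System32 newest first, cross-checks registered Browser Helper Objects whose server DLL is such a file (the Q variant uses random class IDs, so the match is on the DLL path rather than the CLSID), and checks for the HKCU\Software\LAWGA key. With -Remove it runs the same regsvr32 /u commands as the text and deletes the LAWGA key; the DLL files and the Downloaded Program Files entry are left for you to delete after the reboot, exactly as the manual steps require. It assumes an NT-based Windows with a System32 folder and an elevated PowerShell session; the Distribution Units check is an assumption about where the shell records Downloaded Program Files controls and is report-only.

```powershell
<#
  RichFind-Check.ps1 -- added example for this page, not part of the original
  removal instructions. Assumes NT-based Windows (System32) and an elevated shell.
#>
[CmdletBinding()]
param([switch]$Remove)

$sys32   = Join-Path $env:WinDir 'System32'
$dpf     = Join-Path $env:WinDir 'Downloaded Program Files'
$clsid   = '{C94158E1-6151-4442-ABE6-FD53D6534EFB}'   # win32 variant class ID from the page
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$lawga   = 'HKCU:\Software\LAWGA'                       # housekeeping key named on the page
$findings = @()

# --- win32 variant: Pugi/Softomate toolbar in Downloaded Program Files ---
$win32dll = Join-Path $dpf 'win32.dll'
if (Test-Path $win32dll) { $findings += $win32dll }
# Assumption: the shell records Downloaded Program Files controls as Distribution Units here.
$du = "HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\$clsid"
if (Test-Path $du) { $findings += $du }

# --- Q variant: Q<digits>.dll in System32, newest first (as the text says to sort by date) ---
$qfiles = Get-ChildItem -Path $sys32 -Filter 'Q*.dll' -File -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -match '^Q\d+\.dll$' } |
          Sort-Object LastWriteTime -Descending
foreach ($f in $qfiles) { $findings += $f.FullName }

# Cross-check: any registered BHO whose InprocServer32 points at a Q<digits>.dll.
if (Test-Path $bhoRoot) {
    foreach ($k in Get-ChildItem $bhoRoot) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($k.PSChildName)\InprocServer32"
        if (-not (Test-Path $srv)) { continue }
        $path = (Get-ItemProperty -Path $srv).'(default)'
        if ($path -and ($path -match '\\Q\d+\.dll$')) {
            $findings += "BHO $($k.PSChildName) -> $path"
        }
    }
}

if (Test-Path $lawga) { $findings += $lawga }

if ($findings.Count -eq 0) { Write-Host 'No RichFind indicators found.'; return }
Write-Host 'RichFind indicators:'
$findings | ForEach-Object { Write-Host "  $_" }
if (-not $Remove) { Write-Host 'Re-run with -Remove to unregister the DLLs and delete the LAWGA key.'; return }

# Same step as the manual 'regsvr32 /u' lines; /s suppresses the result dialog.
foreach ($dll in @($win32dll) + ($qfiles | ForEach-Object FullName)) {
    if (Test-Path $dll) {
        Start-Process -FilePath regsvr32.exe -ArgumentList @('/u', '/s', "`"$dll`"") -Wait -NoNewWindow
        Write-Host "Unregistered $dll"
    }
}
if (Test-Path $lawga) { Remove-Item -Path $lawga -Recurse -Force; Write-Host "Deleted $lawga" }
Write-Host 'Reboot, then delete the listed DLL(s) and the Downloaded Program Files entry by hand.'
```

Run it once without -Remove to see what it finds; the unregister step is deliberately not combined with file deletion because the DLLs are loaded into Explorer and Internet Explorer until the reboot, which is why the manual procedure restarts before deleting.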

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
