Hey everyone, I seem to have the rightfinder thing going on too. It keeps changing my home web page, adding indecent web sites to my favorites and web browser. Here is my log:
Logfile of HijackThis v1.97.5
Scan saved at 1:23:22 PM, on 11/11/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETZIP CLASSIC\NZFPROP.EXE
C:\PROGRAM FILES\DANTZ\RETROSPECT\COMBOBUTTON.EXE
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\WINNET.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\EPSON\ESM2\STMS.EXE
C:\PROGRAM FILES\EPSON\ESM2\EEBSVC.EXE
C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\COMWIZ.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/
O1 - Hosts: 66.118.163.109 auto.search.msn.com
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL (file missing)
O2 - BHO: (no name) - {00000000-5eb9-11d5-9d45-009027c14662} - C:\WINDOWS\VX2.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {139D88E5-C372-469D-B4C5-1FE00852AB9B} - C:\WINDOWS\SYSTEM\FAVORITE.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBABE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [NetZIPFolders] C:\Program Files\Netzip Classic\nzfprop.exe /startup
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\DANTZ\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\RunServices: [NetZIPFolders] C:\Program Files\Netzip Classic\nzfprop.exe /startup
O4 - HKLM\..\RunServices: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [MaxtorCombo] "C:\PROGRA~1\DANTZ\RETROS~1\ComboButton.exe"
O4 - HKLM\..\RunServices: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\RunServices: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\RunServices: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\RunServices: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
O4 - HKLM\..\RunServices: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
O4 - HKLM\..\RunServices: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GatorStubSetup.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\AddressBar\createbookmark.htm
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\AddressBar\createnote.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\AddressBar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\AddressBar\navigate.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra 'Tools' menuitem: Block This Page (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://216.187.80.232/files/900001/100806/plugin/reese_witherspoon_topless.exe
O19 - User stylesheet: C:\WINDOWS\my.css
O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)


Please Help me!!!
Thanks,
John.

Hi John,

I'm sorry to say you have a real collection of spy- and cr@pware there.

Please download, unzip and run CWShredder (http://www.spywareinfo.com/~merijn/files/cwshredder.zip)

Then go to Add/Remove software and remove:
NewDotNet aka New.Net there, either way continue with the following.

Then download Spybot - Search & Destroy (http://www.tomcoyote.org/SPYBOT/)
After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

Or, download Ad-Aware at lavasoft.usa.com (http://www.lavasoftusa.com/software/adaware)
After installing AAW, and before running the program, update by using the Globe icon.
Shut down and restart Ad-Aware.
Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Rightclick in that pane and choose "select all" and click 'next'.
It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware, and reboot.

If you would be so kind to post a new log after that, we will be happy to help you get rid of any remains.

Regards,

Pieter

Hey,
I did everything you guys said except the Ad-aware. I got a message from spybot that "Some problems could not be fixed; the reason could be that the associated files are still in use (in memory)" it then asked if it could run after startup and I checked yes. I then rebooted my computer, ran a scan, and it found garbage and I got the same message. Here is a new log:

Logfile of HijackThis v1.97.5
Scan saved at 2:14:19 PM, on 11/11/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETZIP CLASSIC\NZFPROP.EXE
C:\PROGRAM FILES\DANTZ\RETROSPECT\COMBOBUTTON.EXE
C:\WINDOWS\MXOALDR.EXE
C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\WINNET.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\EPSON\ESM2\STMS.EXE
C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\COMWIZ.EXE
C:\PROGRAM FILES\EPSON\ESM2\EEBSVC.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NetZIPFolders] C:\Program Files\Netzip Classic\nzfprop.exe /startup
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\DANTZ\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [NetZIPFolders] C:\Program Files\Netzip Classic\nzfprop.exe /startup
O4 - HKLM\..\RunServices: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [MaxtorCombo] "C:\PROGRA~1\DANTZ\RETROS~1\ComboButton.exe"
O4 - HKLM\..\RunServices: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\RunServices: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\RunServices: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\RunServices: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\WINDOWS\DESKTOP\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O4 - Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks for your help and please let me know what else I can do.
Thanks again,
John

Hey guys,
Can ya'll look at the above Hijack this report? My internet seems much faster, but now the browser is acting up- I tried to go to the internet options and change my security like I read in one of your forums, and when I was in the tools/internet options mode, everything was really slow and choppy. Please let me know if everything has been cleared out and if I need to run adaware if I already ran Spybot.
Thanks guys,
John

Hi John,

That sure looks much better. :)

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe

O4 - HKLM\..\RunServices: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\RunServices: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\RunServices: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe

O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL

Reboot after doing so, preferably into safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
and delete:
C:\PROGRAM FILES\ACCELERATION SOFTWARE <= entire folder
C:\PROGRAM FILES\COMMONNAME <= entire folder

Then surf to:
http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp
select the correct language in the drop-down box at the right and install SP1 for IE 6.

Keep us posted,

Pieter

Hey Pieter,
I did everything you said, but when I went to HijackThis to fix the appropriate files, all of the
04 - HKLM\..\Runservices:
files were gone. I tried to scan again, but they still never showed up.

Also, I noticed as I was following the instructions to enter into safe mode (after going to Start, Run, and typing msconfig ) that under the System Configuration Utility window my computer was bulleted for selectivestart up (as opposed to normal startup); is this okay?

Also, after starting my computer in safe mode, I looked for the "acceleration software" and "commonname" folders and neither were there. I looked for them using the find option, but only located "eacceleration" and "Commonname" files in a
C:\Windows\Application Data\Spybot-Search&Destroy\Recovery
directory, and since it was Spybot, I didn't do anything to the files. Could Spybot have already taken care of them? Let me know what else I can do, and here is a HijackThis log if it helps:

Logfile of HijackThis v1.97.5
Scan saved at 9:10:25 AM, on 11/12/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETZIP CLASSIC\NZFPROP.EXE
C:\PROGRAM FILES\DANTZ\RETROSPECT\COMBOBUTTON.EXE
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\EPSON\ESM2\STMS.EXE
C:\PROGRAM FILES\EPSON\ESM2\EEBSVC.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NetZIPFolders] C:\Program Files\Netzip Classic\nzfprop.exe /startup
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\DANTZ\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

Also, since I have been fixing these problems, suddenly my Microsoft Office Applications have been giving me trouble. Word keeps looking for a visual basic element it cannot find, and Excel won't even open right. Unfortunately, I have no idea where my office tools disk is, so hopefully I can fix the problems.

Thanks for all you have done for me and everyone else Pieter. Please let me know what else I can do.
Thanks,
John

Hi John,

That sure sounds like Spybot already took care of eAcceleration and CommonName. As it is supposed to.
And your log looks clean.
Can you tell us the exact error Works gives you?
That might put us on track to the solution.

Regards,

Pieter