rightfinder - what a pest


jackafrica
November 22nd, 2003, 03:48 AM
Hi All Learned Ones,
I've had trouble with rightfinder coming up as my home page, using MS Internet Explorer. I've installed Ad-aware and Hijack This, run them both.
Here is the log file of what Hijack This has identified - after some deletions by me.
Is there anything in this logfile below which looks suspicious (or perhaps shouldn't be there) to you? Am running VET as my anti virus software.
Thanks, I appreciate the help you offer in this forum, even though my knowledge is limited.
Logfile of HijackThis v1.97.7
Scan saved at 7:36:52 PM, on 22/11/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\SBPCI\CTMIX32.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\VET\VETTRAY.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} (PWImageControl Class) - http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/sa/common/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB


Thanks, look forward to your reply
Regards
jackafrica

Pieter_Arntz
November 22nd, 2003, 06:13 AM
Hi jackafrica,

Welcome to Wilders. :)

To get rid of the rightfinder hijack, please download, unzip and run CWShredder (http://www.spywareinfo.com/~merijn/files/cwshredder.zip) written by Merijn (creator of HijackThis)

But you also seem to have a trojan: http://www.sophos.com/virusinfo/analyses/trojinora.html

Have HijackThis Fix:
O4 - HKLM\..\Run: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE

and after a reboot follow additional instructions here: http://www.sophos.com/virusinfo/analyses/trojinora.html

Regards,

Pieter
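
An added example, not part of the original thread and not HijackThis code: a small triage pass over O4 autostart lines that singles out the kind of entry fixed above, an autostart command launched from a user folder. The sample lines are copied from the log posted in this thread; the `ODD_DIRS` list and the function names are assumptions of the example.

```python
import re
from collections import defaultdict

# O4 lines copied from the HijackThis log posted in this thread (subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
"""

REG_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.+?) = (.+)$")
# Assumption of this example: user-writable folders software rarely installs into.
ODD_DIRS = ("\\desktop\\", "\\temp\\", "\\tmp\\")


def parse_o4(log):
    """Return one dict per O4 autostart line: where it is registered, name, command."""
    entries = []
    for line in map(str.strip, log.splitlines()):
        m = REG_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"where": f"{hive}\\..\\{key}", "name": name, "cmd": cmd})
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append({"where": "Startup", "name": m.group(1), "cmd": m.group(2)})
    return entries


def triage(entries):
    """Map (name, command) -> autostart locations, for commands run from ODD_DIRS."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e["name"], e["cmd"])].add(e["where"])
    # Repetition alone is weak evidence: LoadPowerProfile repeats in this log too,
    # so only the launch directory decides what gets flagged.
    return {k: sorted(v) for k, v in seen.items()
            if any(d in k[1].lower() for d in ODD_DIRS)}


if __name__ == "__main__":
    for (name, cmd), keys in triage(parse_o4(SAMPLE_LOG)).items():
        print(f"[{name}] {cmd} is started from: {', '.join(keys)}")
```

A flagged entry is a lead to check against a vendor analysis, as done in the reply above, not a verdict on its own.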

Detox
November 22nd, 2003, 01:38 PM
Welcome from me too, Jack, and let us know if that gets ya runnin' smooth again!

jackafrica
November 22nd, 2003, 03:05 PM
Thanks Pieter and Detox,
Looks as though, with your help in directions ( and the very useful programs ), the beastie is gone. Must confess to be somewhat disappointed my VET anti virus program did not alert me of the infection. Given that updates are run every day, this program would seem to be lacking. Looks like a new learning curve for me :)
Again, my heartfelt thanks for helping me.
Best regards
jackafrica

Pieter_Arntz
November 22nd, 2003, 03:13 PM
Hi jackafrica,

Glad we could help. :)

Regards,

Pieter

Detox
November 22nd, 2003, 06:03 PM
Good to hear; gave Pieter another cookie but I'm afraid he's gonna get chunky with all those :o

Pieter_Arntz
November 22nd, 2003, 06:11 PM
Never fear Detox,

I'm one of those annoying people that can eat all they want without gaining an ounce. :P

DolfTraanberg
November 22nd, 2003, 06:18 PM
Quoting jackafrica:
"Must confess to be somewhat disappointed my VET anti virus program did not alert me of the infection. Given that updates are run every day, this program would seem to be lacking."
Hi jackafrica
You might want to install an Anti Trojan program. Not all AVs detect Trojans.
Dolf