#1
Hi,
I'm afraid I've got the same problem! Could someone please have a look through this logfile from Hijackthis.

Many thanks for your help,
Martin.

Logfile of HijackThis v1.97.5
Scan saved at 21:49:14, on 11/11/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ATWTUSB.EXE
C:\WINDOWS\SYSTEM\TBLMOUSE.EXE
C:\WINDOWS\SYSTEM\ABCD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\atwtexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMME\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\TWAIN_32\A4USB\WATCH.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMME\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newstoday.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by WHSmithnet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxysetup.solent.ac.uk/halls.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O1 - Hosts: 66.118.163.109 auto.search.msn.com
O2 - BHO: DeltaClick Browser Helper Object - {0FC817C2-3B45-11D4-8340-0050DA825906} - C:\Programme\DeltaClick\DeltaClick.dll (file missing)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SMS Win9x Message Agent] C:\WINDOWS\MS\SMS\core\bin\SMSMsg.exe
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAMME\NETWORK ASSOCIATES\DR SOLOMON'S VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAMME\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRAMME\AGNITUM\TAUSCAN 1.6\TAUMON.EXE
O4 - HKLM\..\Run: [jbvathigg] dxqcid.exe autorun
O4 - HKLM\..\Run: [mheciwn] vsab.exe autorun
O4 - HKLM\..\Run: [ciac] awfk.exe autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - Startup: Encoder Agent.lnk = C:\Programme\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4Usb\WATCH.exe
O4 - Startup: EPSON Status Monitor 3.2 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O8 - Extra context menu item: Bild zum Bildarchiv senden - file://C:\WINDOWS\Anwendungsdaten\MGI\PhotoSuite4\Temp\MGI00000.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .asp: C:\PROGRAMME\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\PROGRAMME\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .swf: C:\PROGRAMME\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2FF18E10-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.0) - http://www.zdf.msnbc.de/tools/NewsBrowser/nm0713.cab
O16 - DPF: {56ECEF01-E59E-11D0-9243-000000000000} (ViewPixCtrl01 Class) - http://18.43.0.71/OpenPix/controls/ViewPix01.CAB
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
O16 - DPF: {1678F7E1-C422-11D0-AD7D-00400515CAAA} (CometCursor Class) - http://files.cometsystems.com/cometcursor2x/comet.cab
O16 - DPF: {0FC817C2-3B45-11D4-8340-0050DA825907} - http://www.deltaclick.com/DeltaClick.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex/controls/agent2/tv_enua.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! WebCam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} (RealPlayer G2 Control) - http://www.real.com/player/index.html
O16 - DPF: {6F8AC4DE-286F-4A2B-98FB-2A73A46595BD} (ActiveNva Control) - http://www.sharp-usa.com/SharpMotionART/activex/ActiveNva100.cab
O16 - DPF: {1E5592CB-8F5B-46F8-9EA6-65C01213808A} (InstaladorBetyByte Control) - http://www2.redzone.fi/uploads/cab/instaladorbetybyte.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37898.2832407407
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = falmouth.ac.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 193.61.64.2,10.100.100.2
O19 - User stylesheet: C:\WINDOWS\my.css
O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)
#2
Hi Martin_r,
First, download, unzip and run: http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Then follow the instructions here: http://de.trendmicro-europe.com/ente...=BKDR_LARSLP.A

Then try to remove NewDotNet aka New.Net (domains) in Add/Remove software. Either way continue with what's below.

Then download Spybot - Search & Destroy

After installing, first press Online, and search for, put a check mark at, and install all updates. Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

Or, download Ad-Aware at lavasoft.usa.com

After installing AAW, and before running the program, update by using the Globe icon. Shut down and restart Ad-Aware. Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives. It will find a number of "bad" files and registry keys. Click 'Next' again. Right-click in that pane and choose "select all" and click 'next'. It will ask you whether you'd like to remove all checked items. Click OK. Finally, close Ad-Aware, and reboot.

Then please post a new log, so we can help you get rid of any remains.

Regards, Pieter
__________________
Regards, Pieter

It's nice to be important, but it's more important to be nice.
Remove & Prevent spyware
It's human to make mistakes. It's even more so to blame the computer for it.