valerio's problems with rightfinder.net... Spyware??

Discussion in 'adware, spyware & hijack cleaning' started by valerio, Nov 8, 2003.

Thread Status:
Not open for further replies.
  1. valerio

    valerio Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    3
    Hi Tony,

    I also had the "rightfinder problem": a slow browser, and some pages not even accessible.
    I had installed and run Ad Aware 6, which helped a bit but didn't completely solve the problem.
    Finally I read and followed your instructions to the other "infected" users, and now everything seems to work all right.
    Just as a final check, given your kindness, I attach the log of the last scan, the one I did after cleaning.

    Thank you very much indeed. :)
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re:problems with rightfinder.net... Spyware??

    Hi Valerio.

    No log, I'm afraid.

    I suggest you don't attach it, but simply do a copy and paste of its contents.
     
  3. valerio

    valerio Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    3
    Re:problems with rightfinder.net... Spyware??

    All right, here is the log file in text form:

    Logfile of HijackThis v1.97.3
    Scan saved at 23:56:54, on 08/11/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ARCHIVOS DE PROGRAMA\F-SECURE\COMMON\FSMA32.EXE
    C:\ARCHIVOS DE PROGRAMA\F-SECURE\COMMON\FSMB32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\ARCHIVOS DE PROGRAMA\F-SECURE\COMMON\FCH32.EXE
    C:\ARCHIVOS DE PROGRAMA\F-SECURE\COMMON\FNRB32.EXE
    C:\ARCHIVOS DE PROGRAMA\F-SECURE\COMMON\FAMEH32.EXE
    C:\ARCHIVOS DE PROGRAMA\F-SECURE\ANTI-VIRUS\FSGK32.EXE
    C:\ARCHIVOS DE PROGRAMA\F-SECURE\COMMON\FIH32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\F-SECURE\COMMON\FSM32.EXE
    C:\ARCHIVOS DE PROGRAMA\F-SECURE\ANTI-VIRUS\FSSM32.EXE
    C:\WINDOWS\STARTER.EXE
    C:\ARCHIVOS DE PROGRAMA\MATROX MGA POWERDESK\MGACTRL.EXE
    C:\ARCHIVOS DE PROGRAMA\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
    C:\ARCHIVOS DE PROGRAMA\F-SECURE\ANTI-VIRUS\FSAV32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\ARCHIVOS DE PROGRAMA\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
    C:\ARCHIVOS DE PROGRAMA\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\ARCHIVOS DE PROGRAMA\MATROX MGA POWERDESK\QDESK\MGAQDESK.EXE
    C:\ARCHIVOS DE PROGRAMA\F-SECURE\BACKWEB\7681197\PROGRAM\BACKWEB-7681197.EXE
    C:\ARCHIVOS DE PROGRAMA\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\ARCHIVOS DE PROGRAMA\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.elpais.es/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vnunet.es
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.123mania.com/ie.asp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por vnunet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R3 - URLSearchHook: SrchHook Class - {582788CA-7014-4904-A4EE-6FB6108AFE8E} - C:\WINDOWS\SYSTEM\MSAPASRC.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: @msdxmLC.dll,-1@3082,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Archivos de programa\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Matrox Control Center] C:\Archivos de programa\Matrox MGA PowerDesk\mgactrl.exe
    O4 - HKLM\..\Run: [Matrox Color Control] C:\Archivos de programa\Matrox MGA PowerDesk\Color\hgcctl95.exe
    O4 - HKLM\..\Run: [Matrox Diagnostic] C:\Archivos de programa\Matrox MGA PowerDesk\diag\mgadiag.exe -s
    O4 - HKLM\..\Run: [ScrSvr] C:\WINDOWS\ScrSvr.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Archivos de programa\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [fsaa] C:\Archivos de programa\F-Secure\Common\fsaa.exe
    O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\Archivos de programa\F-Secure\Common\FSMA32.EXE
    O4 - HKCU\..\Run: [Matrox QuickDesk] C:\Archivos de programa\Matrox MGA PowerDesk\QDesk\mgaqdesk.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - HKCU\..\RunServices: [Matrox QuickDesk] C:\Archivos de programa\Matrox MGA PowerDesk\QDesk\mgaqdesk.exe
    O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - Global Startup: F-Secure BackWeb.lnk = C:\Archivos de programa\F-Secure\BackWeb\7681197\Program\backweb-7681197.exe
    O9 - Extra button: ActualizaMessenger (HKCU)
    O9 - Extra 'Tools' menuitem: ActualizaMessenger (HKCU)
    O12 - Plugin for .mov: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.vnunet.es
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {0000000C-0000-0000-0000-000000000000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {582788CA-7014-4904-A4EE-6FB6108AFE8E} (SrchHook Class) - http://www.123mania.com/asrcware.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D879A0F1-2B3B-4409-8879-FAD6E49E1EA9} - http://www.123mania.com/softhtml.cab
    O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1064051746570
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = hetnet.nl

    And thanks again.
    :)
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re:problems with rightfinder.net... Spyware??

    You want to have Hijack This fix these:

    R3 - URLSearchHook: SrchHook Class - {582788CA-7014-4904-A4EE-6FB6108AFE8E} - C:\WINDOWS\SYSTEM\MSAPASRC.DLL

    O4 - HKLM\..\Run: [ScrSvr] C:\WINDOWS\ScrSvr.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - Global Startup: F-Secure BackWeb.lnk = C:\Archivos de programa\F-Secure\BackWeb\7681197\Program\backweb-7681197.exe


    Now restart your computer, and delete the following files, if you still happen to have them:

    C:\WINDOWS\ScrSvr.exe
    C:\WINDOWS\Addclass.exe

    Good luck,
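As an added example (not code from this thread, nor from HijackThis itself), the following Python script parses HijackThis 1.9x log lines of the kinds that appear above, expands the abbreviated `HKLM\..\Run` and `HKCU\..\RunServices` keys to their full registry paths so you know where the fix actually lands, flags the entries on a removal list that mirrors the one in the reply above, and groups entries by CLSID so the R3 URLSearchHook DLL can be tied to the O16 DPF download carrying the same class (the `asrcware.cab` from 123mania.com in this log). The sample lines are copied from the log posted earlier in the thread; the regexes, the basename matching rule and the removal lists are illustrative assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the HijackThis log posted earlier in
# this thread, not a live scan. Raw string, so the backslashes are literal.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.elpais.es/
R3 - URLSearchHook: SrchHook Class - {582788CA-7014-4904-A4EE-6FB6108AFE8E} - C:\WINDOWS\SYSTEM\MSAPASRC.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ScrSvr] C:\WINDOWS\ScrSvr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - Global Startup: F-Secure BackWeb.lnk = C:\Archivos de programa\F-Secure\BackWeb\7681197\Program\backweb-7681197.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {582788CA-7014-4904-A4EE-6FB6108AFE8E} (SrchHook Class) - http://www.123mania.com/asrcware.cab
"""

# Removal lists mirroring the entries named in the reply above. Assumption for
# this example: matching on executable basename and on CLSID is sufficient.
REMOVE_FILES = ["ScrSvr.exe", "loadqm.exe", "ADDCLASS.EXE", "backweb-7681197.exe"]
REMOVE_CLSIDS = ["{582788CA-7014-4904-A4EE-6FB6108AFE8E}"]

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_REG_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^(?P<kind>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")
R3_RE = re.compile(r"^URLSearchHook: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

# HijackThis abbreviates this prefix as "HKLM\..\" or "HKCU\..\" in O4 lines.
RUN_KEY_PREFIX = r"Software\Microsoft\Windows\CurrentVersion"


@dataclass
class Entry:
    section: str
    raw: str
    name: str = ""
    clsid: str = ""
    target: str = ""   # executable/DLL path, command line, or download URL
    regkey: str = ""   # fully expanded registry key (O4 Run/RunServices only)


def _basename(target):
    """File name of the executable/DLL in a command line, ignoring quotes and arguments."""
    return target.split("\\")[-1].split(" ")[0].strip('"').lower()


def parse_line(line):
    """Parse one log line into an Entry, or return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    e = Entry(section=sec, raw=line.strip())
    if sec == "O4":
        r = O4_REG_RE.match(body)
        if r:
            e.name, e.target = r["name"], r["cmd"]
            e.regkey = "\\".join([r["hive"], RUN_KEY_PREFIX, r["key"]])
        else:
            s = O4_STARTUP_RE.match(body)
            if s:
                e.name, e.target = s["name"], s["cmd"]
    elif sec == "R3":
        r = R3_RE.match(body)
        if r:
            e.name, e.clsid, e.target = r["name"], r["clsid"].upper(), r["path"]
    elif sec == "O16":
        r = O16_RE.match(body)
        if r:
            e.name, e.clsid, e.target = r["name"] or "", r["clsid"].upper(), r["url"]
    else:
        c = CLSID_RE.search(body)   # O2/O3 and similar: keep the CLSID if there is one
        if c:
            e.clsid = c.group(0).upper()
    return e


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def flag_for_removal(entries, bad_files, bad_clsids):
    """Entries whose executable basename or CLSID is on a removal list, in log order."""
    files = {f.lower() for f in bad_files}
    clsids = {c.upper() for c in bad_clsids}
    return [e for e in entries
            if e.clsid in clsids or (e.target and _basename(e.target) in files)]


def correlate_clsids(entries):
    """Group entries by CLSID, keeping only classes seen in more than one place,
    so an installed hook/BHO DLL can be tied to the O16 download of the same class."""
    groups = {}
    for e in entries:
        if e.clsid:
            groups.setdefault(e.clsid, []).append(e)
    return {c: es for c, es in groups.items() if len(es) > 1}


def report(text, bad_files, bad_clsids):
    entries = parse_log(text)
    lines = []
    for e in flag_for_removal(entries, bad_files, bad_clsids):
        where = f" -> {e.regkey}" if e.regkey else ""
        lines.append(f"FIX  {e.raw}{where}")
    for clsid, es in correlate_clsids(entries).items():
        lines.append(f"LINK {clsid}: " + " <- ".join(f"{e.section} {e.target}" for e in es))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, REMOVE_FILES, REMOVE_CLSIDS):
        print(line)
```

Run as-is it prints one FIX line per entry in the removal list, with the expanded registry key for the Run/RunServices entries, and one LINK line tying the R3 hook DLL to the O16 cab it shares a CLSID with. Matching on basename rather than full path is deliberate: the same file shows up under `HKLM\..\Run`, `HKCU\..\Run` and `HKCU\..\RunServices` in this log, and a removal rule keyed on full path would miss a copy registered with a different casing or a short (8.3) path.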
     
  5. valerio

    valerio Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    3
    It's done, and everything seems to work all right, so we can close this problem :)
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Excellent! :)
     