Martin_r's problems with rightfinder.net... Spyware??

Discussion in 'adware, spyware & hijack cleaning' started by Martin_r, Nov 11, 2003.

Thread Status:
Not open for further replies.
  1. Martin_r

    Martin_r Guest

    Hi,
    I'm afraid I've got the same problem! Could someone please have a look through this logfile from Hijackthis.
    Many thanks for your help,
    Martin.

    Logfile of HijackThis v1.97.5
    Scan saved at 21:49:14, on 11/11/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ATWTUSB.EXE
    C:\WINDOWS\SYSTEM\TBLMOUSE.EXE
    C:\WINDOWS\SYSTEM\ABCD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\atwtexe.exe
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAMME\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\WINDOWS\TWAIN_32\A4USB\WATCH.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAMME\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newstoday.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by WHSmithnet
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxysetup.solent.ac.uk/halls.pac
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    O1 - Hosts: 66.118.163.109 auto.search.msn.com
    O2 - BHO: DeltaClick Browser Helper Object - {0FC817C2-3B45-11D4-8340-0050DA825906} - C:\Programme\DeltaClick\DeltaClick.dll (file missing)
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [SMS Win9x Message Agent] C:\WINDOWS\MS\SMS\core\bin\SMSMsg.exe
    O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAMME\NETWORK ASSOCIATES\DR SOLOMON'S VIRUSSCAN\WebScanX.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAMME\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRAMME\AGNITUM\TAUSCAN 1.6\TAUMON.EXE
    O4 - HKLM\..\Run: [jbvathigg] dxqcid.exe autorun
    O4 - HKLM\..\Run: [mheciwn] vsab.exe autorun
    O4 - HKLM\..\Run: [ciac] awfk.exe autorun
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - Startup: Encoder Agent.lnk = C:\Programme\Windows Media Components\Encoder\WMENCAGT.EXE
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4Usb\WATCH.exe
    O4 - Startup: EPSON Status Monitor 3.2 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Bild zum Bildarchiv senden - file://C:\WINDOWS\Anwendungsdaten\MGI\PhotoSuite4\Temp\MGI00000.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by WebHancer
    O12 - Plugin for .asp: C:\PROGRAMME\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
    O12 - Plugin for .avi: C:\PROGRAMME\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
    O12 - Plugin for .swf: C:\PROGRAMME\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2FF18E10-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.0) - http://www.zdf.msnbc.de/tools/NewsBrowser/nm0713.cab
    O16 - DPF: {56ECEF01-E59E-11D0-9243-000000000000} (ViewPixCtrl01 Class) - http://18.43.0.71/OpenPix/controls/ViewPix01.CAB
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {1678F7E1-C422-11D0-AD7D-00400515CAAA} (CometCursor Class) - http://files.cometsystems.com/cometcursor2x/comet.cab
    O16 - DPF: {0FC817C2-3B45-11D4-8340-0050DA825907} - http://www.deltaclick.com/DeltaClick.cab
    O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex/controls/agent2/tv_enua.exe
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! WebCam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
    O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} (RealPlayer G2 Control) - http://www.real.com/player/index.html
    O16 - DPF: {6F8AC4DE-286F-4A2B-98FB-2A73A46595BD} (ActiveNva Control) - http://www.sharp-usa.com/SharpMotionART/activex/ActiveNva100.cab
    O16 - DPF: {1E5592CB-8F5B-46F8-9EA6-65C01213808A} (InstaladorBetyByte Control) - http://www2.redzone.fi/uploads/cab/instaladorbetybyte.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37898.2832407407
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = falmouth.ac.uk
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 193.61.64.2,10.100.100.2
    O19 - User stylesheet: C:\WINDOWS\my.css
    O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Martin_r,

    First, download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Then follow the instructions here: http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=BKDR_LARSLP.A

    Then try to remove NewDotNet aka New.Net (domains) in Add/Remove software. Either way continue with what's below.

    Then download Spybot - Search & Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

    Or, download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Rightclick in that pane and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    Then please post a new log, so we can help you get rid of any remains.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.