Rightfinder Problems - My HijackThis Log

Discussion in 'adware, spyware & hijack cleaning' started by steveb1308, Nov 16, 2003.

Thread Status:
Not open for further replies.
  1. steveb1308

    steveb1308 Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    2
    Heeeelp! I'm having the problem of rightfinder changing my home page to rightfinder and adding entries in the registry. Is there anything we can do about that organisation? Here is my log from Hijack This. Thanks for any help in advance.

    Logfile of HijackThis v1.97.5
    Scan saved at 11:48:30 AM, on 11/16/2003
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Allaire\JRun\bin\jrun.exe
    C:\Program Files\Allaire\JRun\bin\jrun.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\sdpasvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\system32\mobsync.exe
    C:\WINNT\System32\atiptaxx.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\viewport.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Caere\OmniPagePro90\opware32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\ntvdm.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.0.exe
    C:\Program Files\CConnect\CConnect.exe
    C:\mysql\bin\winmysqladmin.exe
    C:\Program Files\Common Files\Symantec Shared\nmain.exe
    C:\Documents and Settings\SteveB\Desktop\Virus_stuff\Hijack_This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HydarVisionViewport] viewport.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AddClass] C:\WINNT\AddClass.exe
    O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.0.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.andlotsmore.com/factory/058343uk.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O19 - User stylesheet: C:\WINNT\my.css
    O19 - User stylesheet: C:\WINNT\my.css (HKLM)
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,351
    Location:
    The Netherlands
    Download the latest version ofCWShredder by Merijn Bellekom, of Hijack This and Startuplist fame.
    Run it, press 'Next', and allow it to fix all it finds.

    It should take care of this.

    Next, upgrade your version of Hijack This using the built in updater, run the program once more, repost to this forum thread, and please show us a fresh log.
     
  3. jkotsonas

    jkotsonas Guest

    I seem to be having this issue as well. Have run the cwshredder and "Hijackthis" programs, and it will revert the settings back to their correct ones. Have set the "ActiveX" setting in IE>Tools>Internet settings etc... to "prompt" and "disable". However, I still cannot seem to get rid of rightfinder. When I shut down the laptop and restart it later, it's reverted back to the rightfinder settings.
    Where else would this thing be and how can i get rid of it?

    Here is the log:

    Logfile of HijackThis v1.97.5
    Scan saved at 8:39:00 AM, on 11/16/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    d:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\TPPALDR.EXE
    C:\Program Files\Winamp3\winampa.exe
    C:\WINNT\svchost.exe
    C:\Program Files\cwshredder\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ehttp.cc/?www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:6588
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
    O4 - HKLM\..\Run: [freesurfer] D:\Program Files\Free Surfer\fs20.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINNT\AddClass.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37931.4131828704

    I've checked and fixed all the rightfinder stuff; the default prefixes and the Shockwave ActiveX entry.

    Thanks much in advance for any/all help!

    jim
     
  4. steveb1308

    steveb1308 Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    2
    Thanks Tony,

    I just ran CWshredder as instructed - it removed some items and registry settings. I just ran HijackThis again and here is the logfile it generated. Thanks agin for all your help.

    Logfile of HijackThis v1.97.5
    Scan saved at 4:51:01 PM, on 11/16/2003
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Allaire\JRun\bin\jrun.exe
    C:\Program Files\Allaire\JRun\bin\jrun.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\sdpasvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\atiptaxx.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\viewport.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Caere\OmniPagePro90\opware32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\ntvdm.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.0.exe
    C:\Program Files\CConnect\CConnect.exe
    C:\mysql\bin\winmysqladmin.exe
    C:\Documents and Settings\SteveB\Desktop\Virus_stuff\Hijack_This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HydarVisionViewport] viewport.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.0.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.andlotsmore.com/factory/058343uk.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi steveb1308,

    These need fixing:
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?

    And this one looks a bit iffy:
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.andlotsmore.com/factory/058343uk.exe
    If you don't know what it's for fix that one as well.

    Regards,

    Pieter
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,351
    Location:
    The Netherlands
    Steve,

    These still remain to be fixed:

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe

    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?

    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.andlotsmore.com/factory/058343uk.exe



    jkotsonas,

    You probably don't have the latest CWShredder build.

    But check the following in Hijack This, and press Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/

    O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINNT\AddClass.exe

    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?


    Reboot and detete both the AddClass.exe and Svchost.exe files in your C:\Winnt folder.

    WARNING: Do NOT touch the Svchost.exe file in your Winnt\System32 folder. It's a vital Windows system file!
     
  7. jkotsonas

    jkotsonas Guest

    Thanks Tony.
    You were correct in that I didn't have the latest version of cwshredder.

    I had already deleted the rightfinder stuff, but have checked and deleted the "addclass" and "svhost", and also deleted them from the c:\winnt folder (and not the sys32 folder - I knew the svhost file was good there, but wasn't sure about the winnt one).

    I ran the updated cwshredder and it found a couple of extra things that the earlier one didn't.

    We'll give it a day and see if it's all gone when I boot up again.

    Again, thanks very much for the help!

    -jim
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,351
    Location:
    The Netherlands
    You're welcome. Glad we were able to help. :0
     
Thread Status:
Not open for further replies.