Another Omegasearch problem [solved]


CBR
7 Apr 2004, 6:13pm
Like some others here on this forum, I've also got some problems with some spyware from Omegasearch.
Here is my HijackThis logfile; can somebody please tell me which files to delete?

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 19:02:09, on 7-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\STUPID~1\Fivedart2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\C Schijf\Franke\Van alles wat\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem217.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.232962963
O16 - DPF: {C7384A94-12AB-4798-9A63-67A9B24C993D} (Vacpro.netherland_ver2) - http://www.7adpower.com/dialer/netherland_ver2.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97

Kwitko
7 Apr 2004, 6:50pm
Drop this one for certain:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...www.wanadoo.nl/

These 2 look iffy:
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {C7384A94-12AB-4798-9A63-67A9B24C993D} (Vacpro.netherland_ver2) - http://www.7adpower.com/dialer/netherland_ver2.CAB

Make sure you run the anti-spyware cocktail if you haven't already. Follow Primesuspect's guide here (http://www.short-media.com/article.php?131.0).

primesuspect
7 Apr 2004, 6:59pm
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem217.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {C7384A94-12AB-4798-9A63-67A9B24C993D} (Vacpro.netherland_ver2) - http://www.7adpower.com/dialer/netherland_ver2.CAB


Not sure about this one, if it looks fishy to you, delete it:

O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe

CBR
7 Apr 2004, 7:16pm
I've deleted the files you suggested, but it didn't work. The Omegasearch spyware still comes back. Any more suggestions, or should I reinstall Windows XP?
Anyway, thanks for the quick reply :)

primesuspect
7 Apr 2004, 7:20pm
Delete them, then run the cocktail mentioned in my article. Have you run updated versions of both Ad-aware and Spybot?

Dexter
7 Apr 2004, 7:37pm
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab

That one looks fishy too. Type just www.p3.postbank.nl into your browser. Unless you can read the language, I'd toast that entry. It is from the Netherlands, and appears to be an Internet bank... but who knows...

(anyone speak Dutch here?)

Dexter...

CBR
7 Apr 2004, 7:46pm
I've used Spybot (the latest version) to delete all spyware.
I don't exactly know what to do with that Ad-aware program.
I've deleted all the files that you suggested with HijackThis (except the Postbank one; that's my home bank, I'm from Holland :p).
But the Omegasearch spyware still returns.
Here is the Ad-aware logfile; maybe you can tell me which files to delete?

Thanks


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :woensdag 7 april 2004 20:23:44
Created with Ad-aware Personal, free for private use.
Using reference-file :1R200 12.07.2003
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


7-4-2004 20:23:44 - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 7-4-2004 18:21:05
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 7-4-2004 18:21:10
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-4-2004 18:21:10
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services en controllertoepassingen
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Besturingssysteem Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 17:49:17
Last modified : 11-9-2002 12:00:00

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-4-2004 18:21:10
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 17:49:17
Last modified : 11-9-2002 12:00:00

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-4-2004 18:21:10
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 17:49:17
Last modified : 11-9-2002 12:00:00

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-4-2004 18:21:10
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 17:49:17
Last modified : 11-9-2002 12:00:00

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-4-2004 18:21:11
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 17:49:17
Last modified : 11-9-2002 12:00:00

#:8 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-4-2004 18:21:11
BasePriority : Normal
FileSize : 80 KB
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 52.16
Created on : 6-10-2003 13:16:00
Last accessed : 7-4-2004 17:49:17
Last modified : 6-10-2003 13:16:00

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-4-2004 18:21:13
BasePriority : Normal
FileSize : 984 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Verkenner
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Besturingssysteem Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 18:21:13
Last modified : 11-9-2002 12:00:00

#:10 [itouch.exe]
FilePath : C:\Program Files\Logitech\iTouch\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 872 KB
FileVersion : 2.20.243
ProductVersion : 2.20.243
Copyright : (C) 1998-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : iTouch Application
InternalName : iTouch
OriginalFilename : iTouch.exe
ProductName : iTouch
Created on : 12-2-2004 12:59:13
Last accessed : 7-4-2004 18:21:05
Last modified : 1-12-2003 10:38:16

#:11 [logi_mwx.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 19 KB
FileVersion : 9.79.016
ProductVersion : 9.79.016
Copyright : (C) 1987-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Launcher Application
InternalName : Logi_MWX
OriginalFilename : Logi_MWX.exe
ProductName : MouseWare
Created on : 12-2-2004 12:59:40
Last accessed : 7-4-2004 18:21:05
Last modified : 7-11-2003 8:50:00

#:12 [dragdiag.exe]
FilePath : C:\Program Files\Alcatel\SpeedTouch USB\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 840 KB
FileVersion : 201.2.0.0
ProductVersion : 201.2.0.0
Copyright : Copyright
CompanyName : THOMSON multimedia
FileDescription : SpeedTouch Statistics
ProductName : SpeedTouch USB
Created on : 12-2-2004 18:40:56
Last accessed : 7-4-2004 18:21:05
Last modified : 12-11-2002 10:02:08

#:13 [hpztsb04.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 192 KB
FileVersion : 2,80,0,0
ProductVersion : 2,80,0,0
Copyright : Copyright (c) Hewlett-Packard Company 1999-2001
CompanyName : HP
ProductName : HP DeskJet
Created on : 12-2-2004 18:50:49
Last accessed : 7-4-2004 18:21:05
Last modified : 12-10-2001 9:57:26

#:14 [fivedart2.exe]
FilePath : C:\PROGRA~1\STUPID~1\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 228 KB
Created on : 27-3-2004 11:14:19
Last accessed : 7-4-2004 18:21:05
Last modified : 27-3-2004 11:14:16

#:15 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 18:21:05
Last modified : 11-9-2002 12:00:00

#:16 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 31 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Een DLL-bestand als toepassing starten
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Besturingssysteem Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 18:21:14
Last modified : 11-9-2002 12:00:00

#:17 [wzqkpick.exe]
FilePath : C:\Program Files\WinZip\
ThreadCreationTime : 7-4-2004 18:21:15
BasePriority : Normal
FileSize : 104 KB
FileVersion : 1.0 (32-bit)
ProductVersion : 8.1 (4319)
Copyright : Copyright (c) WinZip Computing, Inc. 1991-2001 - All Rights Reserved
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
OriginalFilename : WZQKPICK.EXE
ProductName : WinZip
Created on : 12-2-2004 20:13:11
Last accessed : 7-4-2004 18:21:05
Last modified : 11-10-2002 7:10:00

#:18 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 7-4-2004 18:21:31
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Besturingssysteem Microsoft
Created on : 12-2-2004 12:34:42
Last accessed : 7-4-2004 18:21:31
Last modified : 11-9-2002 12:00:00

#:19 [ad-aware.exe]
FilePath : D:\C Schijf\Franke\Van alles wat\Ad-aware 6\
ThreadCreationTime : 7-4-2004 18:23:39
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 6-4-2004 11:18:58
Last accessed : 6-4-2004 22:00:00
Last modified : 12-7-2003 20:00:20

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : DyFuCA_BH.BHObj


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : DyFuCA_BH.BHObj.1


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Avenue Media


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Avenue Media\Internet Optimizer


Dialer Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Coulomb


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\FCI


Alexa Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


DyFuCA Object recognized!
Type : RegKey
Data : DyFuCA
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA


DyFuCA Object recognized!
Type : RegKey
Data : Internet Optimizer
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer


DyFuCA Object recognized!
Type : RegKey
Data : Internet Optimizer
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer Active Alert


DyFuCA Object recognized!
Type : RegKey
Data : Internet Optimizer
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer Software Installer


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{0BE10B0D-B4DB-4693-9B1F-9AEAD54D17DC}


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB}


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 14
Objects found so far: 14


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.com/passthrough/

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/"


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 15


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : dhr. hiemstra@doubleclick[1].txt
Object : C:\Documents and Settings\Dhr. Hiemstra\Cookies\

Created on : 7-4-2004 18:01:48
Last accessed : 7-4-2004 18:01:49
Last modified : 7-4-2004 18:01:49


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

DyFuCA Object recognized!
Type : Folder
Object : c:\program files\Internet Optimizer


DyFuCA Object recognized!
Type : File
Data : actalert.exe
Object : c:\program files\internet optimizer\
FileSize : 64 KB
Created on : 22-2-2004 15:11:11
Last accessed : 7-4-2004 17:49:17
Last modified : 22-2-2004 15:11:11



DyFuCA Object recognized!
Type : File
Data : install.exe
Object : c:\program files\internet optimizer\
FileSize : 44 KB
Created on : 22-2-2004 15:11:24
Last accessed : 7-4-2004 17:55:23
Last modified : 22-2-2004 15:11:24



DyFuCA Object recognized!
Type : File
Data : optimize.exe
Object : c:\program files\internet optimizer\
FileSize : 68 KB
Created on : 22-2-2004 15:11:10
Last accessed : 7-4-2004 17:49:17
Last modified : 27-2-2004 14:14:38



DyFuCA Object recognized!
Type : File
Data : sim
Object : c:\program files\internet optimizer\

Created on : 22-2-2004 15:12:24
Last accessed : 7-4-2004 16:06:14
Last modified : 3-4-2004 7:24:15



DyFuCA Object recognized!
Type : File
Data : update
Object : c:\program files\internet optimizer\

Created on : 22-2-2004 15:11:10
Last accessed : 7-4-2004 17:55:23
Last modified : 27-2-2004 14:14:37



DyFuCA Object recognized!
Type : File
Data : actalert.exe
Object : c:\program files\internet optimizer\update\
FileSize : 64 KB
Created on : 22-2-2004 15:11:11
Last accessed : 7-4-2004 17:55:23
Last modified : 22-2-2004 15:11:11



DyFuCA Object recognized!
Type : File
Data : install.exe
Object : c:\program files\internet optimizer\update\
FileSize : 44 KB
Created on : 22-2-2004 15:11:23
Last accessed : 7-4-2004 17:55:23
Last modified : 22-2-2004 15:11:24



DyFuCA Object recognized!
Type : File
Data : optimize.exe
Object : c:\program files\internet optimizer\update\
FileSize : 68 KB
Created on : 27-2-2004 14:14:37
Last accessed : 7-4-2004 17:55:23
Last modified : 27-2-2004 14:14:38



Dialer Object recognized!
Type : Folder
Object : c:\windows\Coder


Dialer Object recognized!
Type : Folder
Object : c:\program files\dialers


Dialer Object recognized!
Type : File
Data : coder.log
Object : c:\windows\coder\
FileSize : 1 KB
Created on : 28-2-2004 12:36:38
Last accessed : 7-4-2004 17:55:23
Last modified : 28-2-2004 12:40:57



Dialer Object recognized!
Type : File
Data : _11416-hcd-0-0-.exe
Object : c:\windows\coder\
FileSize : 30 KB
FileVersion : 2.2.3.253
ProductVersion : 3.0.0.0
FileDescription : Anw
Created on : 28-2-2004 12:36:38
Last accessed : 7-4-2004 17:55:23
Last modified : 28-2-2004 12:40:02



Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 13
Objects found so far: 29


20:24:13 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:00:29:484
Objects scanned :30248
Objects identified :29
Objects ignored :0
New objects :29

primesuspect
7 Apr 2004, 7:48pm
First, you are using an old reference file for Ad-aware - make sure you update it. Then run it, and have it delete whatever it wants to delete. I can see from the log that it recognizes 29 pieces of malicious software.

CBR
7 Apr 2004, 8:03pm
I've run the complete cocktail mentioned by primesuspect (the latest versions of all programs) and deleted the files you've suggested, but the spyware still returns. Other suggestions, or reinstall Windows?

profdlp
7 Apr 2004, 8:28pm
I've run the complete cocktail mentioned by primesuspect (the latest versions of all programs) and deleted the files you've suggested, but the spyware still returns. Other suggestions, or reinstall Windows?
Boot up in Safe Mode and try again. They're probably loaded at boot and can't be deleted because they're in use.

Dexter
7 Apr 2004, 8:28pm
CBR, where are you located?

I did a traceroute on the DNS servers listed in your original HijackThis log. They show up as being in the Netherlands. Unless you are in the Netherlands too, your DNS servers may have been hijacked. Check with your ISP as to what your DNS should be. Also, are you running a firewall?

Dexter...

Dexter
7 Apr 2004, 8:57pm
Did you repair this one as well in HJT:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

?

That may be redirecting through something else. You may need to check the contents of your redir.dll file.

You can always do a system restore (if you are on XP) and roll back to a date before you had these problems. Not the most desirable option, but it would probably work.

///EDIT: are you running XP with system restore on? If so, and you are rebooting, it may be restoring the Omegasearch crap in there. You may need to disable system restore, remove everything, re-enable system restore, and create a new restore point.


Dexter...

CBR
8 Apr 2004, 1:15pm
I'm located in the Netherlands, so if you find that through a traceroute, that's correct :smiles:
The problem is this: I'm deleting all the suggested files with HijackThis and then everything is alright (I've cleaned all other spyware with Ad-aware and Spybot). But when I reboot my computer for the second time, all the Omegasearch crap comes back. When I reboot the computer only once, the Omegasearch spyware is still gone. But it returns the second time I restart my computer.
So the only option left, I guess, is through a system restore. But how can I create a new restore point? The new restore point should be a week ago or something like that, because that's when I got the first problems with the spyware.
And I'm not running a firewall.

profdlp
8 Apr 2004, 4:30pm
Go through your Program Files folder and look for suspicious subfolders. Lots of spyware stashes itself there or in the Windows folder. Delete the ones you are absolutely positive are bad. If you're not sure, try renaming the folder. I usually put an "XXX" in front of the name to make it stand out if I need to change it back.

Did you try the Safe Mode method?

Dexter
8 Apr 2004, 6:27pm
So the only option left, I guess, is through a system restore. But how can I create a new restore point? The new restore point should be a week ago or something like that, because that's when I got the first problems with the spyware.
And I'm not running a firewall.

Disable system restore, then make your changes to get rid of the spyware / hijacking ware. Then re-enable system restore. Next click Start -> All Programs -> Accessories -> System Tools -> System Restore. When the System Restore Utility opens, click "Create a Restore Point" then click Next. Enter a name for this Restore Point (I would just use the date, or "After Sweeping Spyware" or something to that effect), and click Create. The utility will then take a snapshot of your system so that you can restore to that point sometime in the future.

Windows XP automatically creates a Restore Point when any of the following occurs:

An unsigned device driver is installed
A new application is installed (if the installation program is compatible with System Restore)
Windows Update is used to update your system
A Restore Point from earlier is restored
A backup using the Backup Utility is restored.

You should use a firewall, even if it is only the built in XP firewall. Either buy a hardware firewall/router, or purchase a software firewall, or use the free ZoneAlarm software firewall. It is so important, and can save you a lot of headaches in the future.

Dexter...

CBR
9 Apr 2004, 6:50pm
I've tried the "disable System Restore" method mentioned by Dexter, but the spyware still returns. Here is my HijackThis logfile again; can you tell me which files to delete? I think I'm not deleting all the infected files.

Thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 20:44:00, on 9-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\STUPID~1\Fivedart2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\C Schijf\Franke\Van alles wat\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.232962963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97

primesuspect
9 Apr 2004, 6:54pm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97

Try those.

The middle two have nothing to do with omega search, but they are unnecessary anyway.

Did you read Dexter's OmegaSearch Removal (http://www.short-media.com/review.php?r=235) article?
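The checks the replies in this thread apply by eye (Kwitko's and primesuspect's triage of the first log, Dexter's point about confirming the O17 name servers with the ISP, and the entries picked out in the reply above) can be scripted. What follows is an added example, not a tool any of the posters used and not part of HijackThis itself: a small Python triage pass over HijackThis 1.x log lines. The allow-list of ActiveX download hosts, the set of expected name servers (left empty, which turns every O17 entry into a "confirm with the ISP" finding) and the autorun heuristics are assumptions; a hit is a prompt to inspect the entry, not a verdict that it is malicious. The sample lines are a constructed subset copied from the first log posted in this thread, with one clean entry per section so the pass has something to leave alone.

```python
"""Heuristic triage of HijackThis 1.x log entries.

Added example for this thread, not a tool the posters used and not part of
HijackThis. Every list and threshold below is an assumption; a hit means
"look at this entry", not "this is malicious".
"""
import re
from urllib.parse import urlparse

# Assumption: hosts from which the thread accepted O16 ActiveX downloads.
TRUSTED_O16_HOSTS = {
    "security.symantec.com", "v4.windowsupdate.microsoft.com",
    "download.macromedia.com", "www.housecall.nl", "www.p3.postbank.nl",
}
# Stock IE start/search pages on XP point at microsoft.com (the isapi/redir.dll URLs).
DEFAULT_PAGE_HOSTS = {"www.microsoft.com", "www.msn.com"}
# Assumption: resolvers published by the user's ISP. Left empty, so every O17 entry
# becomes a "confirm with the ISP" finding, which is what the thread recommends.
EXPECTED_NAMESERVERS = set()

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\\w+: \[(.*?)\] (.*)$")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def check_page(body):
    """R0/R1: start or search page that is not the stock Microsoft URL."""
    url = body.split(" = ", 1)[-1]
    if "passthrough" in url.lower() or host_of(url) not in DEFAULT_PAGE_HOSTS:
        return "start/search page points away from the stock Microsoft URL"

def check_bho(body):
    """O2 'BHO: (name) - {CLSID} - path': unnamed DLLs dropped in the Windows dir itself."""
    parts = body.split(" - ")
    if len(parts) < 3:
        return None
    name, path = parts[0], " - ".join(parts[2:])
    if "(no name)" in name and re.match(r"[a-z]:\\(windows|winnt)\\[^\\]+$", path, re.I):
        return "unnamed BHO loaded straight from the Windows directory"

def check_autorun(body):
    """O4 Run keys: 8.3 short paths hide the real folder name; Temp is never a home."""
    m = O4_RE.match(body)
    if not m:                       # Global Startup .lnk entries are not parsed here
        return None
    command = m.group(2)
    if "~" in command:
        return "autorun uses an 8.3 short path; open the real folder and see what is in it"
    if re.search(r"\\temp\\", command, re.I):
        return "autorun starts from a Temp directory"

def check_activex(body):
    """O16 'DPF: {CLSID} (Name) - URL': dialers and download hosts not on the allow-list."""
    url = body.rsplit(" - ", 1)[-1]
    if "dialer" in url.lower():
        return "ActiveX download URL names a dialer"
    if host_of(url) not in TRUSTED_O16_HOSTS:
        return "ActiveX control downloaded from a host not on the allow-list"

def check_dns(body):
    """O17: NameServer values the ISP has not confirmed."""
    servers = body.partition("NameServer = ")[2].split()
    unexpected = [s for s in servers if s not in EXPECTED_NAMESERVERS]
    if unexpected:
        return "DNS servers %s not confirmed with the ISP" % ", ".join(unexpected)

CHECKS = {"R0": check_page, "R1": check_page, "O2": check_bho,
          "O4": check_autorun, "O16": check_activex, "O17": check_dns}

def triage(log_text):
    """Return one dict (kind, reason, line) per flagged HijackThis entry."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        check = CHECKS.get(kind)
        reason = check(body) if check else None
        if reason:
            findings.append({"kind": kind, "reason": reason, "line": raw.strip()})
    return findings

# Constructed sample: a subset of the first log in this thread, one clean entry per section.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem217.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {C7384A94-12AB-4798-9A63-67A9B24C993D} (Vacpro.netherland_ver2) - http://www.7adpower.com/dialer/netherland_ver2.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (f["kind"], f["reason"], f["line"]))
```

Run as a script it prints six findings for the sample: the HKCU start page, the unnamed BHO in C:\WINDOWS, the 8.3-path autorun, the two dialer controls and the DNS entry. The HKLM microsoft.com start page, the Adobe BHO and the Symantec control pass. Fed the 9 and 10 April logs above, the same pass would still flag the [Safe Build] entry, which those logs show is still running; the allow-list and the short-path rule are the two knobs to adjust for a different machine.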

primesuspect
9 Apr 2004, 7:37pm
Moved to our new security forum :)

CBR
9 Apr 2004, 8:31pm
Moved to our new security forum :)

I couldn't find my topic, but here it is :)

I've deleted the files primesuspect suggested (with the method Dexter suggested in his article), but the spyware returned after the third time I restarted my computer. So this method didn't work for me.
I think I'm going to reinstall Windows and hope that the spyware is gone then.
Or are there any last suggestions?

Dexter
10 Apr 2004, 4:29am
Have you installed any other software items lately? A peer-to-peer program, or a "free" utility?

Run HJT again, and post your most current log, let's see what is going on there.

Also, when you are running HJT, make sure you close all open Internet Explorer windows, to ensure that the processes are not in use.

Dexter...

CBR
10 Apr 2004, 7:26am
I installed Winamp and WinRAR a few weeks ago, and Spybot, Ad-aware and HijackThis a week ago.

This is my most current HJT logfile, with all Internet Explorer windows closed:

Logfile of HijackThis v1.97.7
Scan saved at 9:16:18, on 10-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\STUPID~1\Fivedart2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\C Schijf\Franke\Van alles wat\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.232962963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97

Dexter
10 Apr 2004, 7:36am
What is this?

C:\PROGRA~1\STUPID~1\Fivedart2.exe


And do you recognize this?

O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

Doing research I saw a lot of people with hijacks who had this on their system, but I don't know what it is.
Definitely remove this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...www.wanadoo.nl/

Make sure to disable system restore first, then set a new restore point later.

Dexter...

CBR
10 Apr 2004, 7:42am
This C:\PROGRA~1\STUPID~1\Fivedart2.exe also returns every time I delete it with HJT. I don't know what it is.

O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
This is an online virus scan delivered by HouseCall.

And R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...www.wanadoo.nl/ also returns every time I delete it with HJT, even if I delete it through your "system restore" method.

Dexter
10 Apr 2004, 7:54am
Hmmm, most people have been able to beat this sucker using HJT.

Do you know how to use the MSCONFIG program? You may have to hunt through your startup, boot.ini, win.ini, and system.ini to remove those.

Dexter...

CBR
10 Apr 2004, 8:13am
I think I've found the solution to my problem.
I've used the method mentioned by someone else on another forum, and I've restarted my computer four times now, but the spyware still hasn't returned. Let's hope it stays away!
Maybe you can also mention this method in your article dexter?
Anyway, thanks for all your help everybody! :tongue:

Familiarize yourself with how to start in safe mode if you don't already know how. How to start in safe mode

Set windows to show hidden files and folders
How to Show hidden files and folders.

Start HijackThis and place a check next to these items.
Close all browser windows and shut down all other programs (even folders)
that show in the taskbar. Then hit Fix selected.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.h...p://about:blank
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - D:\WINNT\system32\n3tpa1.dll
O4 - HKLM\..\Run: [miywipjd] D:\WINNT\dockqs.exe
O4 - HKLM\..\Run: [31254214.exe] D:\WINNT\System32\31254214.exe
O4 - HKLM\..\Run: [Belt] D:\WINNT\Belt.exe
4 - HKLM\..\Run: [Camp inter] D:\PROGRA~1\ONEFOURJUGS\Browse axis.exe
====================
Reboot into safe mode and delete only these exact files.
Be very careful; if you're unsure of what to delete, leave them be.

D:\PROGRA~1\ONEFOURJUGS
D:\WINNT\Belt.exe
D:\WINNT\System32\31254214.exe
D:\WINNT\dockqs.exe

While in safe mode, run your anti-virus program and do a full system scan.

Reboot to a normal Windows session and
come back and post a fresh HijackThis log. Also,
copy and paste into IE's address bar:
javascript:navigator.userAgent
Hit Enter or Go
and copy and paste the result back here for us, please.

Dexter
10 Apr 2004, 8:13am
Seeing this guy in your process list:

C:\WINDOWS\System32\RUNDLL32.EXE

makes me wonder....

Rundll32.exe is a legitimate app, but it should not always be in your process list. It is a commonly targeted file for viruses and hijackers; the "Cool Web Search" used it to do its hijacks.

Can you do a manual virus scan of that one file?

Dexter...

Dexter
10 Apr 2004, 8:23am
That's great CBR. Yours was the most stubborn I've seen so far, we will try to confirm that info, then definitely add that advice to our guide if it is verified!

Dexter...

CBR
10 Apr 2004, 8:24am
The virus scan found nothing on that rundll32.exe file.
But the problem seems to be gone; let's hope it stays away!

MediaMan
10 Apr 2004, 2:42pm
Can anyone else confirm CBR's removal method?

Straight_Man
10 Apr 2004, 3:45pm
Can anyone else confirm CBR's removal method?

Method is valid, Dexter and MediaMan.

system32 directory should not have a numbers-only named .exe file like that. That exact set of apps and reg entries is total trash-- malware for certain.

Look at the Computer Cops forum, some decent folks there. There are a couple folks there who really know how to parse HijackThis output. Different people have had different issues which are part of this set and removing them fixed their issues-- which were ALL malware related.

Thanks for the fix report, CBR. :D

John D.
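The judgement calls in this thread (a digits-only .exe in system32, an autorun target under a Temp directory, a start page pointing at a host the user never chose, BHO entries whose DLL is gone, O10 New.Net entries, and rundll32 as a host whose loaded DLL is what matters) can be applied mechanically to a pasted log. The following is an added Python example, not code from any poster or from HijackThis itself; EXPECTED_HOSTS and the reason strings are assumptions, and the sample lines are copied from logs posted in this thread.

```python
import re
from urllib.parse import urlparse

# Hosts the user intentionally set as home/search page (assumption; adjust per machine).
EXPECTED_HOSTS = {"www.wanadoo.nl", "www.microsoft.com"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)
DLL_RE = re.compile(r'(?P<path>[^\s,"]+\.dll)', re.IGNORECASE)
# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [31254214.exe] D:\WINNT\System32\31254214.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Angela\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O10 - Hijacked Internet access by New.Net
"""

def _stem(path):
    # File name without directory and extension, for normal or 8.3 Windows paths.
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]

def check_line(line):
    """Return a reason string if the HJT line deserves a look, else None."""
    line = line.strip()
    if line.startswith(("R0 -", "R1 -")) and "=" in line:
        host = urlparse(line.split("=", 1)[1].strip()).hostname or ""
        return None if host in EXPECTED_HOSTS else f"browser page points at unexpected host {host!r}"
    if line.startswith("O2 -") and line.endswith("(no file)"):
        return "orphaned BHO registration (dll missing)"
    if line.startswith("O10 -"):
        return "Winsock LSP hijack reported by HJT"
    m = O4_RE.match(line)
    if m:
        exe = EXE_RE.search(m["cmd"])
        target = exe["path"] if exe else m["cmd"]
        if _stem(target).lower() == "rundll32":  # rundll32 is only a host; inspect the DLL it loads
            dll = DLL_RE.search(m["cmd"])
            target = dll["path"] if dll else target
        if _stem(target).isdigit():
            return "autorun target has a digits-only file name"
        if "\\temp\\" in target.lower():
            return "autorun target lives in a Temp directory"
    return None

def triage(log_text):
    # Every flagged line of a HijackThis log, as (line, reason) pairs in log order.
    return [(l.strip(), r) for l in log_text.splitlines() if (r := check_line(l))]
```

Flagged entries are leads for a manual look, not an automatic delete list; legitimate items such as the Adobe BHO and the NVIDIA rundll32 entry pass through untouched.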

CBR
10 Apr 2004, 7:17pm
I didn't develop the fix method, I only found it on another forum. So I don't deserve the credits (I do appreciate them, of course ;) )!
The method was mentioned in this post:
http://www.spywareinfo.com/forums/index.php?showtopic=38216&hl=omegasearch

A lot of people seem to have problems with that omegasearch crap; luckily I seem to have gotten rid of it! :clap:

CBR

wcube
12 Apr 2004, 4:20am
I'm still having problems and this is my log. Help
Wcube

Logfile of HijackThis v1.97.7
Scan saved at 11:15:21 PM, on 4/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\BASHLO~1\PopEqBook.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Defender Pro Anti Spam\admin.exe
C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Defender Pro Anti Spam\dpantispam.exe
C:\WINDOWS\System32\msynthd.exe
C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Willie\My Documents\HijackThis.exe

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUp.dll
O2 - BHO: (no name) - {60E01071-029F-4337-A266-C2AA9ECDFBBD} - (no file)
O2 - BHO: (no name) - {EB632FAA-A69B-F266-98B6-58F546C81238} - C:\PROGRA~1\ISONUR~1\army drive.dll
O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: pingmeowhope - {62A2DC69-709B-819E-44A4-B84FC69D93B4} - C:\PROGRA~1\ISONUR~1\army drive.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Angela\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [plus fork] C:\PROGRA~1\BASHLO~1\PopEqBook.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [103] "C:\Program Files\Defender Pro Anti Spam\admin" "-hide"
O4 - HKLM\..\Run: [Kaspersky Anti-Virus Lite] C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
O4 - HKLM\..\Run: [msynthd] C:\WINDOWS\System32\msynthd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DefenderProAutoRun] "C:\Program Files\Defender Pro Anti Spam\dpantispam" -D "C:\Program Files\Defender Pro Anti Spam\conf"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

primesuspect
12 Apr 2004, 5:02am
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUp.dll
O2 - BHO: (no name) - {60E01071-029F-4337-A266-C2AA9ECDFBBD} - (no file)
O2 - BHO: (no name) - {EB632FAA-A69B-F266-98B6-58F546C81238} - C:\PROGRA~1\ISONUR~1\army drive.dll
O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: pingmeowhope - {62A2DC69-709B-819E-44A4-B84FC69D93B4} - C:\PROGRA~1\ISONUR~1\army drive.dll
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Angela\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [plus fork] C:\PROGRA~1\BASHLO~1\PopEqBook.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [msynthd] C:\WINDOWS\System32\msynthd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

Kill those, and read this (http://www.short-media.com/review.php?r=132).... Run the "cocktail" that I describe in that article.

Practice better surfing habits :)

Welcome to short-media :)