PDA

View Full Version : omegasearch - Shuky

Shuky
16 Apr 2004, 5:15pm
Can someone help me to get rid from this hijack.
I followed Dexter datailed information , runnig through Safe mode etc.
but after the reboot still have it back.
Here is my HijackThis log file.
Thanks,
Shuky.

--------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 18:53:49, on 16/04/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\VPNremote for Windows 2000\AvVpnService.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\Program Files\NMapWin\bin\nmapserv.exe
D:\WINNT\System32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\slserv.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\system32\ZONELABS\vsmon.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\Explorer.exe
D:\WINNT\anvshell.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\PROGRA~1\UPLOAD~1\Ace mp3.exe
D:\WINNT\System32\internat.exe
D:\Program Files\Babylon\babylon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
D:\Program Files\MRU-Blaster\scheduler.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
D:\WINNT\System32\mdm.exe
D:\Documents and Settings\administrator\My Documents\Shuky\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [WheelMouse] c:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [once memo] D:\PROGRA~1\UPLOAD~1\Ace mp3.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Babylon Translator] D:\Program Files\Babylon\babylon.exe
O4 - HKLM\..\RunOnce: [MRUBlaster] D:\Program Files\MRU-Blaster\indexcleaner.exe -COOKIES
O4 - Startup: MRU-Blaster Scheduler.lnk = D:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = D:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .php3: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
mondi
16 Apr 2004, 5:30pm
Hi there, glad to see you found the updated instructions already.

these are the entries/files you need to delete using those instructions:

D:\PROGRA~1\UPLOAD~1\Ace mp3.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [once memo] D:\PROGRA~1\UPLOAD~1\Ace mp3.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=

let me know if that does it, if not post back an updated log and we'll take it from there

mondi
Shuky
16 Apr 2004, 5:38pm
Thanks Mondi for your prompt reply.
About my log file - This is the log file I got after cleaning the same line
from my previous Hijackthis run - and do a reboot.
( of course directly after cleaning it and rerun of hijackthis - that line does not appear).
Shuky.
mondi
16 Apr 2004, 5:48pm
Thanks Mondi for your prompt reply.
About my log file - This is the log file I got after cleaning the same line
from my previous Hijackthis run - and do a reboot.
( of course directly after cleaning it and rerun of hijackthis - that line does not appear).
Shuky.

no problem ...though im not sure that i understand your reply - you already deleted those lines and it came back ?, if so did you make sure to delete the file too (D:\PROGRA~1\UPLOAD~1\Ace mp3.exe) ...

if so, ill look a little deeper into your log and see if i can find anything else.

mondi
Dexter
16 Apr 2004, 9:51pm
Shuky,

is your system clean now, or not? Can you post a fresh log please?

Dexter...
Shuky
17 Apr 2004, 4:02pm
My system is clean now. It was the "Ace mp3.exe" .

Thanks Mondi and Dexter.

Shuky.
Dexter
17 Apr 2004, 4:36pm
You are welcome, glad we could help. Hope you stick around our site, we have a wonderful community here with lots of great people, and of course, all the tech knowledge you'll ever need.

I'd also like to invite you to click the links in my signature below, and consider joining our good cause: Folding For a Cure. We are part of a worldwide effort to use home computers to find cures to complex diseases like cancer, alzheimers, parkinson's, etc. Short-Media's team is ranked #9 world-wide for our contribution, and we welcome all new members. Check the links below to find out more, and we hope you will consider joining our Team and helping the cause!

Cheers,

Dexter...