OmegaKiller Log - What do I do. Jaybee
jaybee
28 Sep 2004, 6:47am
Hi everyone, I'm brand new at this so please excuse me if I seem to be asking dumb questions :) I have run OmegaKiller and it has created the following log; what do I need to do? Thanks in advance. Oh yeah, I also have spyblaster installed and run it frequently.
Running pass number: 1
- enumerating modules
- Downloader.HC module found
c:\documents and settings\janet\local settings\temp\sta2f.exe
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks
- scanning running processes..
- infection in memory: c:\docume~1\janet\locals~1\temp\sta2f.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- found infection: mapi build
- deleted.
- found infection: mapi build
- deleted.
- scanning executable variants
- scanning BHO's
- infected BHO: {709B8058-542C-9AAA-034C-E68D578059D7}
- removed
- infected BHO: {709B8058-542C-9AAA-034C-E68D578059D7}
- removed
- scanning toolbars
- adding host entries
Running pass number: 2
- killing Internet Explorer
- enumerating modules
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks
- scanning running processes..
- infection in memory: c:\progra~1\starto~1\bytena~2.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- scanning executable variants
- scanning BHO's
- scanning toolbars
- adding host entries
Running pass number: 3
- killing Internet Explorer
- enumerating modules
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks
- scanning running processes..
- infection in memory: c:\progra~1\starto~1\bytena~2.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- scanning executable variants
- scanning BHO's
- scanning toolbars
- adding host entries
Running pass number: 4
- killing Internet Explorer
- enumerating modules
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks
- scanning running processes..
- infection in memory: c:\progra~1\starto~1\bytena~2.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- scanning executable variants
- scanning BHO's
- scanning toolbars
- adding host entries
Running pass number: 5
- killing Internet Explorer
- enumerating modules
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks
- scanning running processes..
- removing process startup key
- scanning startup processes
- scanning executable variants
- scanning BHO's
- scanning toolbars
- adding host entries
- launching homepage reset
- no infections found, system clean on pass number: 5 ...
It's all meaningless to me. Hope someone can explain.
Lord_Night
28 Sep 2004, 7:51am
OK, now go and get Ad-Aware and Spybot, install and run them, then download HJT (HijackThis) and get the log file from that..... and post it...
From what I see here you are clean, but OmegaKiller does not find some of the hidden stuff the other 3 will.
jaybee
29 Sep 2004, 5:02am
Thanks for your reply. Hey, I might not be the sharpest crayon but I knew where to come for help :) I deserve credit for that, I think. Anyway, I have done as you requested and here is the log. Will await your reply. Many thanks.
Logfile of HijackThis v1.98.2
Scan saved at 11:49:14 AM, on 29/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iMesh\iMesh5\iMesh.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MediaKey v1.00\Versato.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MediaKey v1.00\MediaPlayer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MediaKey v1.00\OSD.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: prjBHO_New.CBrowserHelpObj - {A2E1AE65-BB68-11D6-B1B2-96787719A248} - C:\Program Files\Simcast Media\Simcast\Simcast.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iMesh] C:\Program Files\iMesh\iMesh5\iMesh.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: MediaKey v1.00.lnk = C:\Program Files\MediaKey v1.00\Versato.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.simcast.com.au/install/Install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCAA814E-56AC-42DB-86A3-6B3EBEA82340}: NameServer = 210.80.58.34,210.80.58.42
primesuspect
30 Sep 2004, 2:42am
Jaybee: I merged your threads, so that there is one single thread to work with you on instead of two separate ones. And don't worry - Lord Night wasn't directing the crayon comment at you - that's just his signature - everybody sees it :D
At any rate, have HJT fix the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O2 - BHO: prjBHO_New.CBrowserHelpObj - {A2E1AE65-BB68-11D6-B1B2-96787719A248} - C:\Program Files\Simcast Media\Simcast\Simcast.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O4 - HKCU\..\Run: [iMesh] C:\Program Files\iMesh\iMesh5\iMesh.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.simcast.com.au/install/Install.cab
Remove those entries, reboot, and post a new log in this thread :)
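The kind of review primesuspect did by eye, written out as a small triage pass over HijackThis entry lines. This is an added example, not a HijackThis feature or anything posted in the thread; the trusted-host allowlist and the flagged autorun names are assumptions chosen for the example, and the sample lines are copied from the log above.

```python
import re
from urllib.parse import urlparse

# One HijackThis entry line: section code, " - ", then the entry body.
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
# Reviewer's own allowlist of O16 (ActiveX download) hosts: an assumption for
# this example, not something HijackThis ships.
TRUSTED_DPF_HOSTS = {"messenger.zone.msn.com", "www-secure.symantec.com"}
# O4 autorun names the reviewer has decided to flag (iMesh is named in the thread).
FLAGGED_RUN_NAMES = {"imesh", "messengerplus3"}

# Constructed sample: seven entry lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [iMesh] C:\Program Files\iMesh\iMesh5\iMesh.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.simcast.com.au/install/Install.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCAA814E-56AC-42DB-86A3-6B3EBEA82340}: NameServer = 210.80.58.34,210.80.58.42
"""

def parse(log_text):
    """Yield (section, body) for each entry line; header and process list are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def triage(log_text):
    """Return (section, reason, body) for every entry a reviewer should look at."""
    findings = []
    for sec, body in parse(log_text):
        if sec == "R0" and body.rstrip().endswith("="):
            findings.append((sec, "blank IE search value (hijack residue)", body))
        elif sec in ("O2", "O3") and body.endswith("(file missing)"):
            findings.append((sec, "BHO/toolbar registered but its DLL is gone", body))
        elif sec == "O4":
            m = re.search(r"\[([^\]]+)\]", body)
            if m and m.group(1).lower() in FLAGGED_RUN_NAMES:
                findings.append((sec, "autorun entry on the review list", body))
        elif sec == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((sec, "ActiveX download from unlisted host " + host, body))
        elif sec == "O17":
            findings.append((sec, "registry DNS servers; confirm they are the ISP's", body))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the five entries a reviewer would look at first; the Spybot SDHelper BHO and the Symantec download are left alone.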
jaybee
30 Sep 2004, 6:10am
primesuspect, thanks for your reply. Here is the new log, created after following your instructions.
Logfile of HijackThis v1.98.2
Scan saved at 12:57:26 PM, on 30/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\MediaKey v1.00\Versato.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MediaKey v1.00\MediaPlayer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MediaKey v1.00\OSD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Janet\Desktop\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: MediaKey v1.00.lnk = C:\Program Files\MediaKey v1.00\Versato.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCAA814E-56AC-42DB-86A3-6B3EBEA82340}: NameServer = 210.80.58.34,210.80.58.42
primesuspect
30 Sep 2004, 6:17am
Log looks clean. Do the problems seem to be gone?
jaybee
30 Sep 2004, 7:15am
Hi again, yes thanks, all seems to be well. I don't have any foreign-looking shortcuts on my desktop and I know some kind of ad was just blocked. Normally the problem would reappear after that. Thanks for all the help. It is muchly appreciated. Keep up the good work.
primesuspect
30 Sep 2004, 7:20am
No problem. Check out the links in my sig - especially the spyware article and the folding team :D We would LOVE to have you join our folding team :)