To talk on Icrontic, just register!

It only takes 30 seconds.

Have an account? Sign in:

Forgot?

To reopen your thread, send a Private Message (PM) to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own thread instead.

 
Reply to Discussion Options
CBR
Icrontic Convert
CBR
12 Posts
7 Apr 2004, 6:13pm

Another Omegasearch problem[solved]

Like some others here on this forum, i've also got some problems with some spyware of omegasearch.
Here is my logfile of HijackThis, can somebody please tell which files to delete?

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 19:02:09, on 7-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\STUPID~1\Fivedart2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\C Schijf\Franke\Van alles wat\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/i...ww.wanadoo.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem217.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...8029.232962963
O16 - DPF: {C7384A94-12AB-4798-9A63-67A9B24C993D} (Vacpro.netherland_ver2) - http://www.7adpower.com/dialer/netherland_ver2.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97
Kwitko
Sheriff of Dicktown
Kwitko
6,525 Posts

» Subscriber

7 Apr 2004, 6:50pm

Re: Another Omegasearch problem

Drop this one for certain:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...www.wanadoo.nl/

These 2 look iffy:
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {C7384A94-12AB-4798-9A63-67A9B24C993D} (Vacpro.netherland_ver2) - http://www.7adpower.com/dialer/netherland_ver2.CAB

Make sure you run the anti-spyware cocktail if you haven't already. Follow Primesuspect's guide here.
__________________ "Is it not cruel to let our city die by degrees, stripped of all her proud monuments, until there will be nothing left of all her history and beauty to inspire our children?... this is the time to take a stand, to reverse the tide, so that we won't all end up in a uniform world of steel and glass boxes." - Jacqueline Kennedy Onassis
primesuspect
The Icrontic Guy
primesuspect
27,810 Posts
7 Apr 2004, 6:59pm

Re: Another Omegasearch problem

O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem217.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {C7384A94-12AB-4798-9A63-67A9B24C993D} (Vacpro.netherland_ver2) - http://www.7adpower.com/dialer/netherland_ver2.CAB


Not sure about this one, if it looks fishy to you, delete it:

O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
__________________ "I offer my genius to the world, all I ask is you pick up my expenses"
CBR
Icrontic Convert
CBR
12 Posts
7 Apr 2004, 7:16pm

Re: Another Omegasearch problem

I've deleted the files you suggested, but it didn't work. The omegasearch spyware still comes back. Any more suggestions, or should I reinstall windows XP?
Anyway, thanks for the quick reply
primesuspect
The Icrontic Guy
primesuspect
27,810 Posts
7 Apr 2004, 7:20pm

Re: Another Omegasearch problem

Delete them, then run the cocktail mentioned in my article. Have you run updated versions of both adaware and spybot?
Dexter
Former SM Staff Member
Dexter
3,580 Posts
7 Apr 2004, 7:37pm

Re: Another Omegasearch problem

O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab

That one looks fishy too. Type in just the www.p3.postbank.nl into your browser. unless you can read the langauge, I'd toast that entry. It is from the Netherlands, and appears to be an Internet Bank....but who knows....

(anyone speak Dutch here?)

Dexter...
__________________ "Forty-two," said Deep Thought, with infinite majesty and calm.

Put your computer's spare power to work searching for the cure to diseases: Folding@Home. Join Team 93 today! Join a winning team, and help Fold for a Cure!
Get spyware fighting tools at our Security Downloads Page. Get a better browser: Get Firefox. Get Firefox!

[folding_sig1]
CBR
Icrontic Convert
CBR
12 Posts
7 Apr 2004, 7:46pm

Re: Another Omegasearch problem

I've used spybot to delete all spyware. (the latest version)
I don't exactly know what to do with that program adaware.
I've deleted all the files that you suggested with Hijackthis (except that one of the postbank, that's my homebank, I'm from Holland )
But the omegasearch spyware still returns.
Here is the logfile of adaware, maybe you can tell me which files to delete?

Thanks


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :woensdag 7 april 2004 20:23:44
Created with Ad-aware Personal, free for private use.
Using reference-file :1R200 12.07.2003
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


7-4-2004 20:23:44 - Scan started. (Smart mode)

Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 7-4-2004 18:21:05
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 7-4-2004 18:21:10
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-4-2004 18:21:10
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services en controllertoepassingen
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Besturingssysteem Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 17:49:17
Last modified : 11-9-2002 12:00:00

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-4-2004 18:21:10
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 17:49:17
Last modified : 11-9-2002 12:00:00

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-4-2004 18:21:10
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 17:49:17
Last modified : 11-9-2002 12:00:00

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-4-2004 18:21:10
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 17:49:17
Last modified : 11-9-2002 12:00:00

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-4-2004 18:21:11
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 17:49:17
Last modified : 11-9-2002 12:00:00

#:8 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-4-2004 18:21:11
BasePriority : Normal
FileSize : 80 KB
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 52.16
Created on : 6-10-2003 13:16:00
Last accessed : 7-4-2004 17:49:17
Last modified : 6-10-2003 13:16:00

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-4-2004 18:21:13
BasePriority : Normal
FileSize : 984 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Verkenner
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Besturingssysteem Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 18:21:13
Last modified : 11-9-2002 12:00:00

#:10 [itouch.exe]
FilePath : C:\Program Files\Logitech\iTouch\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 872 KB
FileVersion : 2.20.243
ProductVersion : 2.20.243
Copyright : (C) 1998-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : iTouch Application
InternalName : iTouch
OriginalFilename : iTouch.exe
ProductName : iTouch
Created on : 12-2-2004 12:59:13
Last accessed : 7-4-2004 18:21:05
Last modified : 1-12-2003 10:38:16

#:11 [logi_mwx.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 19 KB
FileVersion : 9.79.016
ProductVersion : 9.79.016
Copyright : (C) 1987-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Launcher Application
InternalName : Logi_MWX
OriginalFilename : Logi_MWX.exe
ProductName : MouseWare
Created on : 12-2-2004 12:59:40
Last accessed : 7-4-2004 18:21:05
Last modified : 7-11-2003 8:50:00

#:12 [dragdiag.exe]
FilePath : C:\Program Files\Alcatel\SpeedTouch USB\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 840 KB
FileVersion : 201.2.0.0
ProductVersion : 201.2.0.0
Copyright : Copyright
CompanyName : THOMSON multimedia
FileDescription : SpeedTouch Statistics
ProductName : SpeedTouch USB
Created on : 12-2-2004 18:40:56
Last accessed : 7-4-2004 18:21:05
Last modified : 12-11-2002 10:02:08

#:13 [hpztsb04.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 192 KB
FileVersion : 2,80,0,0
ProductVersion : 2,80,0,0
Copyright : Copyright (c) Hewlett-Packard Company 1999-2001
CompanyName : HP
ProductName : HP DeskJet
Created on : 12-2-2004 18:50:49
Last accessed : 7-4-2004 18:21:05
Last modified : 12-10-2001 9:57:26

#:14 [fivedart2.exe]
FilePath : C:\PROGRA~1\STUPID~1\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 228 KB
Created on : 27-3-2004 11:14:19
Last accessed : 7-4-2004 18:21:05
Last modified : 27-3-2004 11:14:16

#:15 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 18:21:05
Last modified : 11-9-2002 12:00:00

#:16 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-4-2004 18:21:14
BasePriority : Normal
FileSize : 31 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Een DLL-bestand als toepassing starten
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Besturingssysteem Microsoft
Created on : 11-9-2002 12:00:00
Last accessed : 7-4-2004 18:21:14
Last modified : 11-9-2002 12:00:00

#:17 [wzqkpick.exe]
FilePath : C:\Program Files\WinZip\
ThreadCreationTime : 7-4-2004 18:21:15
BasePriority : Normal
FileSize : 104 KB
FileVersion : 1.0 (32-bit)
ProductVersion : 8.1 (4319)
Copyright : Copyright (c) WinZip Computing, Inc. 1991-2001 - All Rights Reserved
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
OriginalFilename : WZQKPICK.EXE
ProductName : WinZip
Created on : 12-2-2004 20:13:11
Last accessed : 7-4-2004 18:21:05
Last modified : 11-10-2002 7:10:00

#:18 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 7-4-2004 18:21:31
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Besturingssysteem Microsoft
Created on : 12-2-2004 12:34:42
Last accessed : 7-4-2004 18:21:31
Last modified : 11-9-2002 12:00:00

#:19 [ad-aware.exe]
FilePath : D:\C Schijf\Franke\Van alles wat\Ad-aware 6\
ThreadCreationTime : 7-4-2004 18:23:39
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 6-4-2004 11:18:58
Last accessed : 6-4-2004 22:00:00
Last modified : 12-7-2003 20:00:20

Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : DyFuCA_BH.BHObj


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : DyFuCA_BH.BHObj.1


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Avenue Media


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Avenue Media\Internet Optimizer


Dialer Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Coulomb


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\FCI


Alexa Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


DyFuCA Object recognized!
Type : RegKey
Data : DyFuCA
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA


DyFuCA Object recognized!
Type : RegKey
Data : Internet Optimizer
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer


DyFuCA Object recognized!
Type : RegKey
Data : Internet Optimizer
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer Active Alert


DyFuCA Object recognized!
Type : RegKey
Data : Internet Optimizer
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer Software Installer


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{0BE10B0D-B4DB-4693-9B1F-9AEAD54D17DC}


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB}


Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 14
Objects found so far: 14


Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.com/passthrough/

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/"


Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 1
Objects found so far: 15


ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Tracking Cookie Object recognized!
Type : File
Data : dhr. hiemstra@doubleclick[1].txt
Object : C:\Documents and Settings\Dhr. Hiemstra\Cookies\

Created on : 7-4-2004 18:01:48
Last accessed : 7-4-2004 18:01:49
Last modified : 7-4-2004 18:01:49


ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Deep scanning and examining files (C
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Performing conditional scans..
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

DyFuCA Object recognized!
Type : Folder
Object : c:\program files\Internet Optimizer


DyFuCA Object recognized!
Type : File
Data : actalert.exe
Object : c:\program files\internet optimizer\
FileSize : 64 KB
Created on : 22-2-2004 15:11:11
Last accessed : 7-4-2004 17:49:17
Last modified : 22-2-2004 15:11:11



DyFuCA Object recognized!
Type : File
Data : install.exe
Object : c:\program files\internet optimizer\
FileSize : 44 KB
Created on : 22-2-2004 15:11:24
Last accessed : 7-4-2004 17:55:23
Last modified : 22-2-2004 15:11:24



DyFuCA Object recognized!
Type : File
Data : optimize.exe
Object : c:\program files\internet optimizer\
FileSize : 68 KB
Created on : 22-2-2004 15:11:10
Last accessed : 7-4-2004 17:49:17
Last modified : 27-2-2004 14:14:38



DyFuCA Object recognized!
Type : File
Data : sim
Object : c:\program files\internet optimizer\

Created on : 22-2-2004 15:12:24
Last accessed : 7-4-2004 16:06:14
Last modified : 3-4-2004 7:24:15



DyFuCA Object recognized!
Type : File
Data : update
Object : c:\program files\internet optimizer\

Created on : 22-2-2004 15:11:10
Last accessed : 7-4-2004 17:55:23
Last modified : 27-2-2004 14:14:37



DyFuCA Object recognized!
Type : File
Data : actalert.exe
Object : c:\program files\internet optimizer\update\
FileSize : 64 KB
Created on : 22-2-2004 15:11:11
Last accessed : 7-4-2004 17:55:23
Last modified : 22-2-2004 15:11:11



DyFuCA Object recognized!
Type : File
Data : install.exe
Object : c:\program files\internet optimizer\update\
FileSize : 44 KB
Created on : 22-2-2004 15:11:23
Last accessed : 7-4-2004 17:55:23
Last modified : 22-2-2004 15:11:24



DyFuCA Object recognized!
Type : File
Data : optimize.exe
Object : c:\program files\internet optimizer\update\
FileSize : 68 KB
Created on : 27-2-2004 14:14:37
Last accessed : 7-4-2004 17:55:23
Last modified : 27-2-2004 14:14:38



Dialer Object recognized!
Type : Folder
Object : c:\windows\Coder


Dialer Object recognized!
Type : Folder
Object : c:\program files\dialers


Dialer Object recognized!
Type : File
Data : coder.log
Object : c:\windows\coder\
FileSize : 1 KB
Created on : 28-2-2004 12:36:38
Last accessed : 7-4-2004 17:55:23
Last modified : 28-2-2004 12:40:57



Dialer Object recognized!
Type : File
Data : _11416-hcd-0-0-.exe
Object : c:\windows\coder\
FileSize : 30 KB
FileVersion : 2.2.3.253
ProductVersion : 3.0.0.0
FileDescription : Anw
Created on : 28-2-2004 12:36:38
Last accessed : 7-4-2004 17:55:23
Last modified : 28-2-2004 12:40:02



Conditional scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 13
Objects found so far: 29


20:24:13 Scan complete

Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:00:29:484
Objects scanned :30248
Objects identified :29
Objects ignored :0
New objects :29
primesuspect
The Icrontic Guy
primesuspect
27,810 Posts
7 Apr 2004, 7:48pm

Re: Another Omegasearch problem

First, you are using an old referencefile from adaware - make sure you update it.... Then, run it, and have it delete whatever it wants to delete. I can see from the log that it recognizes 29 pieces of malicious software.
CBR
Icrontic Convert
CBR
12 Posts
7 Apr 2004, 8:03pm

Re: Another Omegasearch problem

I've run the complete cocktail mentioned by primesuspect (the latest versions of al programs) and deleted the files you've suggested, but the spyware still returns. Other suggestions, or reinstall windows?
profdlp
Off To The Gym
profdlp
21,407 Posts
7 Apr 2004, 8:28pm

Re: Another Omegasearch problem

Quoting CBR
I've run the complete cocktail mentioned by primesuspect (the latest versions of al programs) and deleted the files you've suggested, but the spyware still returns. Other suggestions, or reinstall windows?
Boot up in Safe Mode and try again. They're probably loaded at boot and can't be deleted because they're in use.
__________________ ---Prof

**********************************
If it doesn't come naturally, leave it
- Al Stewart
**********************************
RIP Short-Media
Dexter
Former SM Staff Member
Dexter
3,580 Posts
7 Apr 2004, 8:28pm

Re: Another Omegasearch problem

CBR, where are you located?

I did a traceroute on the DNS servers listed in your original Hijack This log. They show up as being in the Netherlands. Unless you are in the Netherlands, too, then your DNS servers may have been hijacked. Check with your ISP as to what your DNS should be. Also, are you running a firewall?

Dexter...
Dexter
Former SM Staff Member
Dexter
3,580 Posts
7 Apr 2004, 8:57pm

Re: Another Omegasearch problem

Did you repair this one as well in HTJ:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

?

That may be redirecting through something else. You may need to check the contents of your redir.dll file.

You can always do a system restore (if you are on XP) and roll back to a date before you had these problems. Not the most desirable option, but it would probably work.

///EDIT: are you running XP with system restore on? If so, and you are rebooting, it may be restoring the Omegasearch crap in there. You may need to disable system restore, remove everything, re-enable system restore, and create a new restore point.


Dexter...
CBR
Icrontic Convert
CBR
12 Posts
8 Apr 2004, 1:15pm

Re: Another Omegasearch problem

I'm located in the Netherlands, so if you find that through a traceroute, that's correct
The problem is this, i'm deleting al the suggested files with Hijack this and then everyting is alright.(I've cleaned all other spyware with Adaware and Spybot) But when I reboot my computer for the second time than all the omegasearch crap is coming back. When I reboot the computer only once, then the omegasearch spyware is still gone. But it returns the second time I restart my computer.
So the only option left, I guess, is through a system restore. But how can I create a new restore point? The new restore point should be a week ago or something like that, because that's when I've got the first problems with the spyware.
And I'm not running a firewall.
profdlp
Off To The Gym
profdlp
21,407 Posts
8 Apr 2004, 4:30pm

Re: Another Omegasearch problem

Go through your Program Files folder and look for suspicious subfolders. Lots of spyware stashes itself there or in the Windows folder. Delete the ones you are absolutely positive are bad. If you're not sure, try renaming the folder. I usually put an "XXX" in front of the name to make it stand out if I need to change it back.

Did you try the Safe Mode method?
Dexter
Former SM Staff Member
Dexter
3,580 Posts
8 Apr 2004, 6:27pm

Re: Another Omegasearch problem

Quoting CBR
So the only option left, I guess, is through a system restore. But how can I create a new restore point? The new restore point should be a week ago or something like that, because that's when I've got the first problems with the spyware.
And I'm not running a firewall.
Disable system restore, then make your changes to get rid of the spyware / hijacking ware. Then re-enable system restore. Next click Start -> All Programs -> Accessories -> System Tools -> System Restore. When the System Restore Utility opens, click "Create a Restore Point" then click Next. Enter a name for this Restore Point (I would just use the date, or "After Sweeping Spyware" or something to that effect), and click Create. The utility will then take a snapshot of your system so that you can restore to that point sometime in the future.

Windows XP automatically creates a Restore Point when any of the following occurs:

An unsigned device driver is installed
A new application is installed (if the installation program is compatible with System Restore
Windows Update is used to update your system
A Restore Point from earlier is restored
A backup using the Backup Utility is restored.

You should use a firewall, even if it is only the built in XP firewall. Either buy a hardware firewall/router, or purchase a software firewall, or use the free ZoneAlarm software firewall. It is so important, and can save you a lot of headaches in the future.

Dexter...
CBR
Icrontic Convert
CBR
12 Posts
9 Apr 2004, 6:50pm

Re: Another Omegasearch problem

I've tried the "disable restore system method" mentioned by dexter. But the spyware still returns. Here is my Hijack logfile another time, can you tell me which files to delete, because I think I'm not deleting all the infected files.

Thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 20:44:00, on 9-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\STUPID~1\Fivedart2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\C Schijf\Franke\Van alles wat\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/i...://about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...8029.232962963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97
primesuspect
The Icrontic Guy
primesuspect
27,810 Posts
9 Apr 2004, 6:54pm

Re: Another Omegasearch problem

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97

try those.

The middle two have nothing to do with omega search, but they are unnecessary anyway.

Did you read Dexter's OmegaSearch Removal article?
primesuspect
The Icrontic Guy
primesuspect
27,810 Posts
9 Apr 2004, 7:37pm

Re: Another Omegasearch problem

Moved to our new security forum
CBR
Icrontic Convert
CBR
12 Posts
9 Apr 2004, 8:31pm

Re: Another Omegasearch problem

Quoting primesuspect
Moved to our new security forum
I couldn't find my topic, but her it is

I've deleted the files Primesuspect suggested ( with the method Dexter suggested in his article) but the spyware returned after the third time I restarted my computer. So this method didn't worked for me.
I think I'm going to reinstall windows and hope that the spyware is away than.
Or are there any last suggestions?
Dexter
Former SM Staff Member
Dexter
3,580 Posts
10 Apr 2004, 4:29am

Re: Another Omegasearch problem

Have you installed any other software items lately? A Peer-to-Peer program, or a "free" utililty?

Run HJT again, and post your most current log, let's see what is going on there.

Also, when you are running HJT, make sure you close all open Internet Explorer windows, to ensure that the processes are not in use.

Dexter...
CBR
Icrontic Convert
CBR
12 Posts
10 Apr 2004, 7:26am

Re: Another Omegasearch problem

I've installed wimamp and winrar a few weeks ago and spybot, adaware and hijackthis a week ago.

This is my most currently HJT logfile, with all internet explorer windows closed:

Logfile of HijackThis v1.97.7
Scan saved at 9:16:18, on 10-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\STUPID~1\Fivedart2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\C Schijf\Franke\Van alles wat\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/i...ww.wanadoo.nl/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...8029.232962963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97
Dexter
Former SM Staff Member
Dexter
3,580 Posts
10 Apr 2004, 7:36am

Re: Another Omegasearch problem

What is this?

C:\PROGRA~1\STUPID~1\Fivedart2.exe


And do you recognize this?

O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

Doing research I saw a lot of people with hijacks who had this on there system, but I don't know what it is.




Definitely remove this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...www.wanadoo.nl/

Make sure to disable system restore first, then set a new restore point later.

Dexter...
CBR
Icrontic Convert
CBR
12 Posts
10 Apr 2004, 7:42am

Re: Another Omegasearch problem

This C:\PROGRA~1\STUPID~1\Fivedart2.exe also returns every time I delete it with HJT. I don't know what it is.

O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
This is an online virusscan deliverd by housecall.

And R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...www.wanadoo.nl/ also returns every time I delete it with HJT, even if I delete it through your "system restore" method.
Dexter
Former SM Staff Member
Dexter
3,580 Posts
10 Apr 2004, 7:54am

Re: Another Omegasearch problem

Hmmm, most people have been able to beat this sucker using HJT.

Do you know how to use the MSCONFIG program? You may have to hunt through your startup, boot.ini, win.ini, and system.ini to remove those.

Dexter...
CBR
Icrontic Convert
CBR
12 Posts
10 Apr 2004, 8:13am

Re: Another Omegasearch problem

I think I've found the sollution to my problem.
I've used the method mentioned by someone else on an other forum and I've restarted my computer four times now, but the spyware still hasn't returned. Let's hope it stays away!
Maybe you can also mention this method in your article dexter?
Anyway, thanks for all your help everybody!

familurize yourself with how to start in safe mode if you dont already know how.How to start in safe mode

Set windows to show hidden files and folders
How to Show hidden files and folders.

Start Hijackthis and place a check next to these items
Close all browser windows and shut down all other programs(even folders)
that show in the taskbar. Then Hit fix selected

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/i...://about:blank
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - D:\WINNT\system32\n3tpa1.dll
O4 - HKLM\..\Run: [miywipjd] D:\WINNT\dockqs.exe
O4 - HKLM\..\Run: [31254214.exe] D:\WINNT\System32\31254214.exe
O4 - HKLM\..\Run: [Belt] D:\WINNT\Belt.exe
4 - HKLM\..\Run: [Camp inter] D:\PROGRA~1\ONEFOURJUGS\Browse axis.exe
====================
Reboot into safe Mode and delete only these exact files
Be very carefull if your unsure of what to delete leave them be.

D:\PROGRA~1\ONEFOURJUGS
D:\WINNT\Belt.exe
D:\WINNT\System32\31254214.exe
D:\WINNT\dockqs.exe

While in safe mode run your anti virus program and do a full system scan

Reboot to a normal windows session and
Come back and post a fresh hijackthis log also >
copy and past into IE's addressbar
javascript:navigator.userAgent
Hit enter or go
and copy paste that back here for us please
Dexter
Former SM Staff Member
Dexter
3,580 Posts
10 Apr 2004, 8:13am

Re: Another Omegasearch problem

Seeing this guy in your process list:

C:\WINDOWS\System32\RUNDLL32.EXE

makes me wonder....

Rundll32.exe is a legitimate app, but it should not always be in your process list. It is a commonly targetted file for viruses and hijackers, the "Cool Web Search" used it to do it's hijacks.

Can you do a manual virus scan of that one file?

Dexter...
Dexter
Former SM Staff Member
Dexter
3,580 Posts
10 Apr 2004, 8:23am

Re: Another Omegasearch problem

That's great CBR. Yours was the most stubborn I've seen so far, we will try to confirm that info, then definitely add that advice to our guide if it is verified!

Dexter...
CBR
Icrontic Convert
CBR
12 Posts
10 Apr 2004, 8:24am

Re: Another Omegasearch problem

The virusscan found nothing on that runddl32.exe file.
But the problem seems to be away, let's hope it stays away!
MediaMan
Driven by Socket 462754939940
MediaMan
2,691 Posts
10 Apr 2004, 2:42pm

Re: Another Omegasearch problem

Can anyone else confirm CBR's removal method?
__________________
Straight_Man
Playing with Virtual Painter
Straight_Man
3,716 Posts
10 Apr 2004, 3:45pm

Re: Another Omegasearch problem

Quoting MediaMan
Can anyone else confirm CBR's removal method?
Method is valid, Dexter and MediaMan.

system32 directory should not have a numbers-only named .exe file like that. That exact set of apps and reg entries is total trash-- malware for certain.

Look at the Computer Cops forum, some decent folks there. There are a couple folks there who really know how to parse HijackThis output. Different people have had different issues which are part of this set and removing them fixed their issues-- which were ALL malware related.

Thanks for the fix report, CBR.

John D.
CBR
Icrontic Convert
CBR
12 Posts
10 Apr 2004, 7:17pm

Re: Another Omegasearch problem

I've didn't developed the fix method, I only found it on an another forum. So I don't deserve the credits( do appreciate them off course )!
The method was mentioned in this post:
http://www.spywareinfo.com/forums/in...hl=omegasearch

A lot of people seems to have problems with that omegasearch crap, lukely I've seem to got rid of it!

CBR
wcube
New to the neighborhood
wcube
2 Posts
12 Apr 2004, 4:20am

Re: Another Omegasearch problem

I'm still having problem and this my log. Help
Wcube

Logfile of HijackThis v1.97.7
Scan saved at 11:15:21 PM, on 4/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\BASHLO~1\PopEqBook.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Defender Pro Anti Spam\admin.exe
C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Defender Pro Anti Spam\dpantispam.exe
C:\WINDOWS\System32\msynthd.exe
C:\Program Files\Defender Pro\Defender Pro Anti Pop Up\PopUpKiller.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Willie\My Documents\HijackThis.exe

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUp.dll
O2 - BHO: (no name) - {60E01071-029F-4337-A266-C2AA9ECDFBBD} - (no file)
O2 - BHO: (no name) - {EB632FAA-A69B-F266-98B6-58F546C81238} - C:\PROGRA~1\ISONUR~1\army drive.dll
O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: pingmeowhope - {62A2DC69-709B-819E-44A4-B84FC69D93B4} - C:\PROGRA~1\ISONUR~1\army drive.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Angela\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [plus fork] C:\PROGRA~1\BASHLO~1\PopEqBook.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [103] "C:\Program Files\Defender Pro Anti Spam\admin" "-hide"
O4 - HKLM\..\Run: [Kaspersky Anti-Virus Lite] C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
O4 - HKLM\..\Run: [msynthd] C:\WINDOWS\System32\msynthd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DefenderProAutoRun] "C:\Program Files\Defender Pro Anti Spam\dpantispam" -D "C:\Program Files\Defender Pro Anti Spam\conf"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
primesuspect
The Icrontic Guy
primesuspect
27,810 Posts
12 Apr 2004, 5:02am

Re: Another Omegasearch problem

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUp.dll
O2 - BHO: (no name) - {60E01071-029F-4337-A266-C2AA9ECDFBBD} - (no file)
O2 - BHO: (no name) - {EB632FAA-A69B-F266-98B6-58F546C81238} - C:\PROGRA~1\ISONUR~1\army drive.dll
O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: pingmeowhope - {62A2DC69-709B-819E-44A4-B84FC69D93B4} - C:\PROGRA~1\ISONUR~1\army drive.dll
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Angela\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [plus fork] C:\PROGRA~1\BASHLO~1\PopEqBook.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [msynthd] C:\WINDOWS\System32\msynthd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

Kill those, and read this.... Run the "cocktail" that I describe in that article.

Practice better surfing habits

Welcome to short-media
Similar Threads
Thread Thread Starter Forum Replies Last Post
Stubborn Omegasearch :( Alexei Resolved / Inactive 1 30 Jun 2005 1:38pm
Another un-suspecting victim of OMEGASEARCH Kiskkek Resolved / Inactive 1 5 Oct 2004 11:02pm
Omegasearch, please help! MissStorm Resolved / Inactive 3 8 Jun 2004 11:38pm
omegasearch problem Isaac_Brock Resolved / Inactive 1 26 May 2004 12:51pm
Updated Omegasearch Removal Information - Check here for the latest Omegasearch Info! Dexter Resolved / Inactive 0 12 Apr 2004 3:17pm

Go Back   Icrontic Forums > Malware Help > Spyware & Virus Removal > Resolved / Inactive
Reload this Page Another Omegasearch problem[solved]
Jump to
This Thread Search this Thread
Search this Thread:

Advanced Search

Today's Posts - Mark All Read - Contact Us - Icrontic.com - Archive - Top

Current time: 6:16am (GMT)
Powered by vBulletin®
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Get Vanilla instead. Trust me.