Another Omegasearch problem[solved]

Unknown
edited April 2004 in Spyware & Virus Removal
Like some others here on this forum, i've also got some problems with some spyware of omegasearch.
Here is my logfile of HijackThis, can somebody please tell which files to delete?

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 19:02:09, on 7-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\STUPID~1\Fivedart2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\C Schijf\Franke\Van alles wat\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem217.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.232962963
O16 - DPF: {C7384A94-12AB-4798-9A63-67A9B24C993D} (Vacpro.netherland_ver2) - http://www.7adpower.com/dialer/netherland_ver2.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97
«1

Comments

  • KwitkoKwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited April 2004
    Drop this one for certain:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...www.wanadoo.nl/

    These 2 look iffy:
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
    O16 - DPF: {C7384A94-12AB-4798-9A63-67A9B24C993D} (Vacpro.netherland_ver2) - http://www.7adpower.com/dialer/netherland_ver2.CAB

    Make sure you run the anti-spyware cocktail if you haven't already. Follow Primesuspect's guide here.
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited April 2004
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem217.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
    O16 - DPF: {C7384A94-12AB-4798-9A63-67A9B24C993D} (Vacpro.netherland_ver2) - http://www.7adpower.com/dialer/netherland_ver2.CAB


    Not sure about this one, if it looks fishy to you, delete it:

    O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
  • CBR
    edited April 2004
    I've deleted the files you suggested, but it didn't work. The omegasearch spyware still comes back. Any more suggestions, or should I reinstall windows XP?
    Anyway, thanks for the quick reply:)
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited April 2004
    Delete them, then run the cocktail mentioned in my article. Have you run updated versions of both adaware and spybot?
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab

    That one looks fishy too. Type in just the www.p3.postbank.nl into your browser. unless you can read the langauge, I'd toast that entry. It is from the Netherlands, and appears to be an Internet Bank....but who knows....

    (anyone speak Dutch here?)

    Dexter...
  • CBR
    edited April 2004
    I've used spybot to delete all spyware. (the latest version)
    I don't exactly know what to do with that program adaware.
    I've deleted all the files that you suggested with Hijackthis (except that one of the postbank, that's my homebank, I'm from Holland :p )
    But the omegasearch spyware still returns.
    Here is the logfile of adaware, maybe you can tell me which files to delete?

    Thanks


    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :woensdag 7 april 2004 20:23:44
    Created with Ad-aware Personal, free for private use.
    Using reference-file :1R200 12.07.2003
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    7-4-2004 20:23:44 - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 7-4-2004 18:21:05
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 7-4-2004 18:21:10
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 7-4-2004 18:21:10
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services en controllertoepassingen
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Besturingssysteem Microsoft
    Created on : 11-9-2002 12:00:00
    Last accessed : 7-4-2004 17:49:17
    Last modified : 11-9-2002 12:00:00

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 7-4-2004 18:21:10
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 11-9-2002 12:00:00
    Last accessed : 7-4-2004 17:49:17
    Last modified : 11-9-2002 12:00:00

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 7-4-2004 18:21:10
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 11-9-2002 12:00:00
    Last accessed : 7-4-2004 17:49:17
    Last modified : 11-9-2002 12:00:00

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 7-4-2004 18:21:10
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 11-9-2002 12:00:00
    Last accessed : 7-4-2004 17:49:17
    Last modified : 11-9-2002 12:00:00

    #:7 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 7-4-2004 18:21:11
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 11-9-2002 12:00:00
    Last accessed : 7-4-2004 17:49:17
    Last modified : 11-9-2002 12:00:00

    #:8 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 7-4-2004 18:21:11
    BasePriority : Normal
    FileSize : 80 KB
    FileVersion : 6.14.10.5216
    ProductVersion : 6.14.10.5216
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 52.16
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 52.16
    Created on : 6-10-2003 13:16:00
    Last accessed : 7-4-2004 17:49:17
    Last modified : 6-10-2003 13:16:00

    #:9 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 7-4-2004 18:21:13
    BasePriority : Normal
    FileSize : 984 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Verkenner
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Besturingssysteem Microsoft
    Created on : 11-9-2002 12:00:00
    Last accessed : 7-4-2004 18:21:13
    Last modified : 11-9-2002 12:00:00

    #:10 [itouch.exe]
    FilePath : C:\Program Files\Logitech\iTouch\
    ThreadCreationTime : 7-4-2004 18:21:14
    BasePriority : Normal
    FileSize : 872 KB
    FileVersion : 2.20.243
    ProductVersion : 2.20.243
    Copyright : (C) 1998-2003 Logitech. All rights reserved.
    CompanyName : Logitech Inc.
    FileDescription : iTouch Application
    InternalName : iTouch
    OriginalFilename : iTouch.exe
    ProductName : iTouch
    Created on : 12-2-2004 12:59:13
    Last accessed : 7-4-2004 18:21:05
    Last modified : 1-12-2003 10:38:16

    #:11 [logi_mwx.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 7-4-2004 18:21:14
    BasePriority : Normal
    FileSize : 19 KB
    FileVersion : 9.79.016
    ProductVersion : 9.79.016
    Copyright : (C) 1987-2003 Logitech. All rights reserved.
    CompanyName : Logitech Inc.
    FileDescription : Logitech Launcher Application
    InternalName : Logi_MWX
    OriginalFilename : Logi_MWX.exe
    ProductName : MouseWare
    Created on : 12-2-2004 12:59:40
    Last accessed : 7-4-2004 18:21:05
    Last modified : 7-11-2003 8:50:00

    #:12 [dragdiag.exe]
    FilePath : C:\Program Files\Alcatel\SpeedTouch USB\
    ThreadCreationTime : 7-4-2004 18:21:14
    BasePriority : Normal
    FileSize : 840 KB
    FileVersion : 201.2.0.0
    ProductVersion : 201.2.0.0
    Copyright : Copyright
    CompanyName : THOMSON multimedia
    FileDescription : SpeedTouch Statistics
    ProductName : SpeedTouch USB
    Created on : 12-2-2004 18:40:56
    Last accessed : 7-4-2004 18:21:05
    Last modified : 12-11-2002 10:02:08

    #:13 [hpztsb04.exe]
    FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
    ThreadCreationTime : 7-4-2004 18:21:14
    BasePriority : Normal
    FileSize : 192 KB
    FileVersion : 2,80,0,0
    ProductVersion : 2,80,0,0
    Copyright : Copyright (c) Hewlett-Packard Company 1999-2001
    CompanyName : HP
    ProductName : HP DeskJet
    Created on : 12-2-2004 18:50:49
    Last accessed : 7-4-2004 18:21:05
    Last modified : 12-10-2001 9:57:26

    #:14 [fivedart2.exe]
    FilePath : C:\PROGRA~1\STUPID~1\
    ThreadCreationTime : 7-4-2004 18:21:14
    BasePriority : Normal
    FileSize : 228 KB
    Created on : 27-3-2004 11:14:19
    Last accessed : 7-4-2004 18:21:05
    Last modified : 27-3-2004 11:14:16

    #:15 [ctfmon.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 7-4-2004 18:21:14
    BasePriority : Normal
    FileSize : 13 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    OriginalFilename : CTFMON.EXE
    ProductName : Microsoft
    Created on : 11-9-2002 12:00:00
    Last accessed : 7-4-2004 18:21:05
    Last modified : 11-9-2002 12:00:00

    #:16 [rundll32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 7-4-2004 18:21:14
    BasePriority : Normal
    FileSize : 31 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Een DLL-bestand als toepassing starten
    InternalName : rundll
    OriginalFilename : RUNDLL.EXE
    ProductName : Besturingssysteem Microsoft
    Created on : 11-9-2002 12:00:00
    Last accessed : 7-4-2004 18:21:14
    Last modified : 11-9-2002 12:00:00

    #:17 [wzqkpick.exe]
    FilePath : C:\Program Files\WinZip\
    ThreadCreationTime : 7-4-2004 18:21:15
    BasePriority : Normal
    FileSize : 104 KB
    FileVersion : 1.0 (32-bit)
    ProductVersion : 8.1 (4319)
    Copyright : Copyright (c) WinZip Computing, Inc. 1991-2001 - All Rights Reserved
    CompanyName : WinZip Computing, Inc.
    FileDescription : WinZip Executable
    InternalName : WZQKPICK.EXE
    OriginalFilename : WZQKPICK.EXE
    ProductName : WinZip
    Created on : 12-2-2004 20:13:11
    Last accessed : 7-4-2004 18:21:05
    Last modified : 11-10-2002 7:10:00

    #:18 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 7-4-2004 18:21:31
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Besturingssysteem Microsoft
    Created on : 12-2-2004 12:34:42
    Last accessed : 7-4-2004 18:21:31
    Last modified : 11-9-2002 12:00:00

    #:19 [ad-aware.exe]
    FilePath : D:\C Schijf\Franke\Van alles wat\Ad-aware 6\
    ThreadCreationTime : 7-4-2004 18:23:39
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 6-4-2004 11:18:58
    Last accessed : 6-4-2004 22:00:00
    Last modified : 12-7-2003 20:00:20

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    DyFuCA Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : DyFuCA_BH.BHObj


    DyFuCA Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : DyFuCA_BH.BHObj.1


    DyFuCA Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}


    DyFuCA Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Avenue Media


    DyFuCA Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Avenue Media\Internet Optimizer


    Dialer Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Coulomb


    DyFuCA Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\FCI


    Alexa Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


    DyFuCA Object recognized!
    Type : RegKey
    Data : DyFuCA
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA


    DyFuCA Object recognized!
    Type : RegKey
    Data : Internet Optimizer
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer


    DyFuCA Object recognized!
    Type : RegKey
    Data : Internet Optimizer
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer Active Alert


    DyFuCA Object recognized!
    Type : RegKey
    Data : Internet Optimizer
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer Software Installer


    DyFuCA Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : TypeLib\{0BE10B0D-B4DB-4693-9B1F-9AEAD54D17DC}


    DyFuCA Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB}


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 14
    Objects found so far: 14


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.com/passthrough/

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/"
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/"


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 15


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : dhr. hiemstra@doubleclick[1].txt
    Object : C:\Documents and Settings\Dhr. Hiemstra\Cookies\

    Created on : 7-4-2004 18:01:48
    Last accessed : 7-4-2004 18:01:49
    Last modified : 7-4-2004 18:01:49


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    DyFuCA Object recognized!
    Type : Folder
    Object : c:\program files\Internet Optimizer


    DyFuCA Object recognized!
    Type : File
    Data : actalert.exe
    Object : c:\program files\internet optimizer\
    FileSize : 64 KB
    Created on : 22-2-2004 15:11:11
    Last accessed : 7-4-2004 17:49:17
    Last modified : 22-2-2004 15:11:11



    DyFuCA Object recognized!
    Type : File
    Data : install.exe
    Object : c:\program files\internet optimizer\
    FileSize : 44 KB
    Created on : 22-2-2004 15:11:24
    Last accessed : 7-4-2004 17:55:23
    Last modified : 22-2-2004 15:11:24



    DyFuCA Object recognized!
    Type : File
    Data : optimize.exe
    Object : c:\program files\internet optimizer\
    FileSize : 68 KB
    Created on : 22-2-2004 15:11:10
    Last accessed : 7-4-2004 17:49:17
    Last modified : 27-2-2004 14:14:38



    DyFuCA Object recognized!
    Type : File
    Data : sim
    Object : c:\program files\internet optimizer\

    Created on : 22-2-2004 15:12:24
    Last accessed : 7-4-2004 16:06:14
    Last modified : 3-4-2004 7:24:15



    DyFuCA Object recognized!
    Type : File
    Data : update
    Object : c:\program files\internet optimizer\

    Created on : 22-2-2004 15:11:10
    Last accessed : 7-4-2004 17:55:23
    Last modified : 27-2-2004 14:14:37



    DyFuCA Object recognized!
    Type : File
    Data : actalert.exe
    Object : c:\program files\internet optimizer\update\
    FileSize : 64 KB
    Created on : 22-2-2004 15:11:11
    Last accessed : 7-4-2004 17:55:23
    Last modified : 22-2-2004 15:11:11



    DyFuCA Object recognized!
    Type : File
    Data : install.exe
    Object : c:\program files\internet optimizer\update\
    FileSize : 44 KB
    Created on : 22-2-2004 15:11:23
    Last accessed : 7-4-2004 17:55:23
    Last modified : 22-2-2004 15:11:24



    DyFuCA Object recognized!
    Type : File
    Data : optimize.exe
    Object : c:\program files\internet optimizer\update\
    FileSize : 68 KB
    Created on : 27-2-2004 14:14:37
    Last accessed : 7-4-2004 17:55:23
    Last modified : 27-2-2004 14:14:38



    Dialer Object recognized!
    Type : Folder
    Object : c:\windows\Coder


    Dialer Object recognized!
    Type : Folder
    Object : c:\program files\dialers


    Dialer Object recognized!
    Type : File
    Data : coder.log
    Object : c:\windows\coder\
    FileSize : 1 KB
    Created on : 28-2-2004 12:36:38
    Last accessed : 7-4-2004 17:55:23
    Last modified : 28-2-2004 12:40:57



    Dialer Object recognized!
    Type : File
    Data : _11416-hcd-0-0-.exe
    Object : c:\windows\coder\
    FileSize : 30 KB
    FileVersion : 2.2.3.253
    ProductVersion : 3.0.0.0
    FileDescription : Anw
    Created on : 28-2-2004 12:36:38
    Last accessed : 7-4-2004 17:55:23
    Last modified : 28-2-2004 12:40:02



    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 13
    Objects found so far: 29


    20:24:13 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:00:29:484
    Objects scanned :30248
    Objects identified :29
    Objects ignored :0
    New objects :29
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited April 2004
    First, you are using an old referencefile from adaware - make sure you update it.... Then, run it, and have it delete whatever it wants to delete. I can see from the log that it recognizes 29 pieces of malicious software.
  • CBR
    edited April 2004
    I've run the complete cocktail mentioned by primesuspect (the latest versions of al programs) and deleted the files you've suggested, but the spyware still returns. Other suggestions, or reinstall windows?
  • profdlpprofdlp The Holy City Of Westlake, Ohio
    edited April 2004
    CBR wrote:
    I've run the complete cocktail mentioned by primesuspect (the latest versions of al programs) and deleted the files you've suggested, but the spyware still returns. Other suggestions, or reinstall windows?
    Boot up in Safe Mode and try again. They're probably loaded at boot and can't be deleted because they're in use.
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    CBR, where are you located?

    I did a traceroute on the DNS servers listed in your original Hijack This log. They show up as being in the Netherlands. Unless you are in the Netherlands, too, then your DNS servers may have been hijacked. Check with your ISP as to what your DNS should be. Also, are you running a firewall?

    Dexter...
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    Did you repair this one as well in HTJ:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

    ?

    That may be redirecting through something else. You may need to check the contents of your redir.dll file.

    You can always do a system restore (if you are on XP) and roll back to a date before you had these problems. Not the most desirable option, but it would probably work.

    ///EDIT: are you running XP with system restore on? If so, and you are rebooting, it may be restoring the Omegasearch crap in there. You may need to disable system restore, remove everything, re-enable system restore, and create a new restore point.


    Dexter...
  • CBR
    edited April 2004
    I'm located in the Netherlands, so if you find that through a traceroute, that's correct :smiles:
    The problem is this, i'm deleting al the suggested files with Hijack this and then everyting is alright.(I've cleaned all other spyware with Adaware and Spybot) But when I reboot my computer for the second time than all the omegasearch crap is coming back. When I reboot the computer only once, then the omegasearch spyware is still gone. But it returns the second time I restart my computer.
    So the only option left, I guess, is through a system restore. But how can I create a new restore point? The new restore point should be a week ago or something like that, because that's when I've got the first problems with the spyware.
    And I'm not running a firewall.
  • profdlpprofdlp The Holy City Of Westlake, Ohio
    edited April 2004
    Go through your Program Files folder and look for suspicious subfolders. Lots of spyware stashes itself there or in the Windows folder. Delete the ones you are absolutely positive are bad. If you're not sure, try renaming the folder. I usually put an "XXX" in front of the name to make it stand out if I need to change it back.

    Did you try the Safe Mode method?
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    CBR wrote:
    So the only option left, I guess, is through a system restore. But how can I create a new restore point? The new restore point should be a week ago or something like that, because that's when I've got the first problems with the spyware.
    And I'm not running a firewall.

    Disable system restore, then make your changes to get rid of the spyware / hijacking ware. Then re-enable system restore. Next click Start -> All Programs -> Accessories -> System Tools -> System Restore. When the System Restore Utility opens, click "Create a Restore Point" then click Next. Enter a name for this Restore Point (I would just use the date, or "After Sweeping Spyware" or something to that effect), and click Create. The utility will then take a snapshot of your system so that you can restore to that point sometime in the future.

    Windows XP automatically creates a Restore Point when any of the following occurs:

    An unsigned device driver is installed
    A new application is installed (if the installation program is compatible with System Restore
    Windows Update is used to update your system
    A Restore Point from earlier is restored
    A backup using the Backup Utility is restored.

    You should use a firewall, even if it is only the built in XP firewall. Either buy a hardware firewall/router, or purchase a software firewall, or use the free ZoneAlarm software firewall. It is so important, and can save you a lot of headaches in the future.

    Dexter...
  • CBR
    edited April 2004
    I've tried the "disable restore system method" mentioned by dexter. But the spyware still returns. Here is my Hijack logfile another time, can you tell me which files to delete, because I think I'm not deleting all the infected files.

    Thanks again.

    Logfile of HijackThis v1.97.7
    Scan saved at 20:44:00, on 9-4-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\PROGRA~1\STUPID~1\Fivedart2.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\C Schijf\Franke\Van alles wat\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.232962963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited April 2004
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97

    try those.

    The middle two have nothing to do with omega search, but they are unnecessary anyway.

    Did you read Dexter's OmegaSearch Removal article?
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited April 2004
    Moved to our new security forum :)
  • CBR
    edited April 2004
    primesuspect wrote:
    Moved to our new security forum :)

    I couldn't find my topic, but her it is :)

    I've deleted the files Primesuspect suggested ( with the method Dexter suggested in his article) but the spyware returned after the third time I restarted my computer. So this method didn't worked for me.
    I think I'm going to reinstall windows and hope that the spyware is away than.
    Or are there any last suggestions?
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    Have you installed any other software items lately? A Peer-to-Peer program, or a "free" utililty?

    Run HJT again, and post your most current log, let's see what is going on there.

    Also, when you are running HJT, make sure you close all open Internet Explorer windows, to ensure that the processes are not in use.

    Dexter...
  • CBR
    edited April 2004
    I've installed wimamp and winrar a few weeks ago and spybot, adaware and hijackthis a week ago.

    This is my most currently HJT logfile, with all internet explorer windows closed:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:16:18, on 10-4-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\PROGRA~1\STUPID~1\Fivedart2.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\C Schijf\Franke\Van alles wat\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.wanadoo.nl/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [Safe Build] C:\PROGRA~1\STUPID~1\Fivedart2.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.232962963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB00561-5EAB-42FA-A95E-76422AF2F2AA}: NameServer = 194.134.5.5 194.134.0.97
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    What is this?

    C:\PROGRA~1\STUPID~1\Fivedart2.exe


    And do you recognize this?

    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

    Doing research I saw a lot of people with hijacks who had this on there system, but I don't know what it is.




    Definitely remove this:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...www.wanadoo.nl/

    Make sure to disable system restore first, then set a new restore point later.

    Dexter...
  • CBR
    edited April 2004
    This C:\PROGRA~1\STUPID~1\Fivedart2.exe also returns every time I delete it with HJT. I don't know what it is.

    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
    This is an online virusscan deliverd by housecall.

    And R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...www.wanadoo.nl/ also returns every time I delete it with HJT, even if I delete it through your "system restore" method.
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    Hmmm, most people have been able to beat this sucker using HJT.

    Do you know how to use the MSCONFIG program? You may have to hunt through your startup, boot.ini, win.ini, and system.ini to remove those.

    Dexter...
  • CBR
    edited April 2004
    I think I've found the sollution to my problem.
    I've used the method mentioned by someone else on an other forum and I've restarted my computer four times now, but the spyware still hasn't returned. Let's hope it stays away!
    Maybe you can also mention this method in your article dexter?
    Anyway, thanks for all your help everybody! :tongue:

    familurize yourself with how to start in safe mode if you dont already know how.How to start in safe mode

    Set windows to show hidden files and folders
    How to Show hidden files and folders.

    Start Hijackthis and place a check next to these items
    Close all browser windows and shut down all other programs(even folders)
    that show in the taskbar. Then Hit fix selected

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.h...p://about:blank
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - D:\WINNT\system32\n3tpa1.dll
    O4 - HKLM\..\Run: [miywipjd] D:\WINNT\dockqs.exe
    O4 - HKLM\..\Run: [31254214.exe] D:\WINNT\System32\31254214.exe
    O4 - HKLM\..\Run: [Belt] D:\WINNT\Belt.exe
    4 - HKLM\..\Run: [Camp inter] D:\PROGRA~1\ONEFOURJUGS\Browse axis.exe
    ====================
    Reboot into safe Mode and delete only these exact files
    Be very carefull if your unsure of what to delete leave them be.

    D:\PROGRA~1\ONEFOURJUGS
    D:\WINNT\Belt.exe
    D:\WINNT\System32\31254214.exe
    D:\WINNT\dockqs.exe

    While in safe mode run your anti virus program and do a full system scan

    Reboot to a normal windows session and
    Come back and post a fresh hijackthis log also >
    copy and past into IE's addressbar
    javascript:navigator.userAgent
    Hit enter or go
    and copy paste that back here for us please
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    Seeing this guy in your process list:

    C:\WINDOWS\System32\RUNDLL32.EXE

    makes me wonder....

    Rundll32.exe is a legitimate app, but it should not always be in your process list. It is a commonly targetted file for viruses and hijackers, the "Cool Web Search" used it to do it's hijacks.

    Can you do a manual virus scan of that one file?

    Dexter...
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    That's great CBR. Yours was the most stubborn I've seen so far, we will try to confirm that info, then definitely add that advice to our guide if it is verified!

    Dexter...
  • CBR
    edited April 2004
    The virusscan found nothing on that runddl32.exe file.
    But the problem seems to be away, let's hope it stays away!
  • MediaManMediaMan Powered by loose parts.
    edited April 2004
    Can anyone else confirm CBR's removal method?
  • Straight_ManStraight_Man Geeky, in my own way Naples, FL Icrontian
    edited April 2004
    MediaMan wrote:
    Can anyone else confirm CBR's removal method?

    Method is valid, Dexter and MediaMan.

    system32 directory should not have a numbers-only named .exe file like that. That exact set of apps and reg entries is total trash-- malware for certain.

    Look at the Computer Cops forum, some decent folks there. There are a couple folks there who really know how to parse HijackThis output. Different people have had different issues which are part of this set and removing them fixed their issues-- which were ALL malware related.

    Thanks for the fix report, CBR. :D

    John D.
  • CBR
    edited April 2004
    I've didn't developed the fix method, I only found it on an another forum. So I don't deserve the credits( do appreciate them off course ;) )!
    The method was mentioned in this post:
    http://www.spywareinfo.com/forums/index.php?showtopic=38216&hl=omegasearch

    A lot of people seems to have problems with that omegasearch crap, lukely I've seem to got rid of it! :clap:

    CBR
This discussion has been closed.