The Date on my Computer keeps changing on Re-start

LeepointLeepoint Manchester
edited April 2004 in Spyware & Virus Removal
Hi there, I have some minor issues regarding 1. the removal of omegasearch from my homepage and 2. the strange problem of the date and time changing everytime I bootup(not sure if this is a spyware issue or a hardware one).

I followed the insructions on this website, but hijack this doesnt find any of those links found on the removal tutorial.

I was wondering if any of you knowledgable folk know how to fix any of these problems.

Here is my hijack this log :-

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\runservice.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ENCRDR~1\litethat.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\MSMSGS.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Mike\Desktop\New Downloads\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ByteFrag] C:\PROGRA~1\ENCRDR~1\litethat.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int139749.exe -auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AdsGone (HKLM)
O9 - Extra 'Tools' menuitem: &AdsGone Settings (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37797.2012731481
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

Cheers,

Comments

  • EnverexEnverex Worcester, UK Icrontian
    edited April 2004
    A way to check if it is hardware is to check what time it says. Turn the machine off, turn it back on and enter the BIOS (press DEL or F2 when writing first appears when you turn the machine on. It should tell you which button you need to press somewhere on the screen) and go into the top option, and it should tell you the time. Turn the PC off for a while, turn it back on and go back into the BIOS and check the time again. This will basically tell you if it is a hardware problem or not.

    By 'changing' do you mean resetting back to the same time and date? If so then you probably have a dead motherboard battery and need to replace it (very easy job, just pops out and pop a new one in).

    Heh, this security forum is getting a lot of use isn't it.
  • LeepointLeepoint Manchester
    edited April 2004
    Well, Iv just done what you said and the date and time remained the same. even now, it has stayed correct, but i havn't changed any settings, so Im expecting it will be a faulty battery, which has enough power to sustain the time settings if left for a couple of mins, but anylonger and it's too knackered. Although when the settings are lost they do not revert back to the original date, but completly random ones like in july or october etc. Cheers for the response, futher advice will be appreciated.

    Yeah, soz bout contributing to the overflowing amount of spyware related probs, but omegasearch is really pissin me off.
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    We had another user who ws not able to remove Omegasearch with the basic removal procedure in our guide. He found that he had to remove it in Safe Mode, and also delete a few files. Here are the extra steps that helped him:
    familirize yourself with how to start in safe mode if you dont already know how how to start in safe mode

    Set windows to show hidden files and folders
    How to Show hidden files and folders.

    Start Hijackthis and place a check next to these items
    Close all browser windows and shut down all other programs(even folders)
    that show in the taskbar. Then Hit fix selected

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - D:\WINNT\system32\n3tpa1.dll
    O4 - HKLM\..\Run: [miywipjd] D:\WINNT\dockqs.exe
    O4 - HKLM\..\Run: [31254214.exe] D:\WINNT\System32\31254214.exe
    O4 - HKLM\..\Run: [Belt] D:\WINNT\Belt.exe
    4 - HKLM\..\Run: [Camp inter] D:\PROGRA~1\ONEFOURJUGS\Browse axis.exe
    ====================
    Reboot into safe Mode and delete only these exact files
    Be very carefull if your unsure of what to delete leave them be.

    D:\PROGRA~1\ONEFOURJUGS
    D:\WINNT\Belt.exe
    D:\WINNT\System32\31254214.exe
    D:\WINNT\dockqs.exe

    While in safe mode run your anti virus program and do a full system scan

    Also, just to make sure all is clear, when you run HJT, make sure you do not have any Internet Explorer pages open. Then after running it, try to manually set your home page back to something else and see what happens.

    Dexter...
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    Also, unless you are running a browswer based P2P app, get rid of this guy:

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    And this is not a normal Windows program:

    C:\WINDOWS\runservice.exe

    Unless you know exactly what installed that, I'd toast it too.


    Dexter...
  • LeepointLeepoint Manchester
    edited April 2004
    Cheers, I'll try all that stuff 2night after a backup and will post back later to let you kno if the issue has been resolved.

    PS. Im very impressed with the prompt and expert advice on this forum.
    Thanks guys.
  • LeepointLeepoint Manchester
    edited April 2004
    Well i did not have any of the following files
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - D:\WINNT\system32\n3tpa1.dll
    O4 - HKLM\..\Run: [miywipjd] D:\WINNT\dockqs.exe
    O4 - HKLM\..\Run: [31254214.exe] D:\WINNT\System32\31254214.exe
    O4 - HKLM\..\Run: [Belt] D:\WINNT\Belt.exe
    4 - HKLM\..\Run: [Camp inter] D:\PROGRA~1\ONEFOURJUGS\Browse axis.exe
    ====================
    Reboot into safe Mode and delete only these exact files
    Be very carefull if your unsure of what to delete leave them be.

    D:\PROGRA~1\ONEFOURJUGS
    D:\WINNT\Belt.exe
    D:\WINNT\System32\31254214.exe
    D:\WINNT\dockqs.exe

    but i did do everything you said with safe mode and iv still no luck. but thanks anyway for trying to help. here is my new hjt log if anyone else has any ideas.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\ENCRDR~1\litethat.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Documents and Settings\Mike\Desktop\New Downloads\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank This comes back everytime i re-boot
    R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4CF89AAB-3637-FEA5-3150-80395F66991A} - C:\PROGRA~1\ISOREC~1\OptionPing.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ByteFrag] C:\PROGRA~1\ENCRDR~1\litethat.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AdsGone (HKLM)
    O9 - Extra 'Tools' menuitem: &AdsGone Settings (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37797.2012731481
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    When I Google the following entry, I get no matches, which makes me think it is randomly generated:

    C:\PROGRA~1\ENCRDR~1\litethat.exe

    O4 - HKLM\..\Run: [ByteFrag] C:\PROGRA~1\ENCRDR~1\litethat.exe


    Find that Folder and program in your Program Files folder, and check the creation date, check the .exe file's properties, etc. If it does not seem to be a program you installed, or if it is something that came up recently, I suspect it could be randomly generated and be part of your hijack. Try removing it, than remove these 2 items as well:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank

    R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

    O2 - BHO: (no name) - {4CF89AAB-3637-FEA5-3150-80395F66991A} - C:\PROGRA~1\ISOREC~1\OptionPing.dll



    Then find that file/folder in Safe mode and rename it, or move it to your Trash temporarily and see what happens when you reboot.

    Also, this guy:

    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

    Is Spyware related. See: http://www.kephyr.com/spywarescanner/library/keenvalue.updmgr/index.phtml

    So Remove it as well.

    You can also clean up these items to improve performance and boot speed:

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

    Try that and let us know. Make sure you work in Safe Mode for best results.

    Dexter...
This discussion has been closed.