Hijack log, please someone help
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\TITLEP~1\ADMINCHIC.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Documents and Settings\ricardo\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {B7D0E387-C9EA-7B38-F2FB-004181E7B6F3} - C:\PROGRA~1\MP3INT~1\LogoCast.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: FirstOwns - {EC6BCB31-103A-F4B8-97DA-FF7264DDF3DD} - C:\PROGRA~1\MP3INT~1\LogoCast.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Long style] C:\PROGRA~1\TITLEP~1\ADMINCHIC.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKCU\..\Run: [bootvid] C:\WINDOWS\System32\bootvid.exe
O4 - HKCU\..\Run: [spynuker_download] C:\WINDOWS\Downloaded Program Files\SWNInstaller.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/clickbank/SWNInstaller.exe
:banghead:
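A mechanical first pass over a log like the one above, as an added Python example that is not part of this thread or of HijackThis: it parses the R0/R1, O2/O3, O4 and O16 lines, flags the ones that fail checks needing no outside knowledge (start/search URLs on a known hijack host, BHO/toolbar CLSIDs whose file is "(no file)", autoruns started out of IE's Downloaded Program Files cache, O16 ActiveX downloads from a hijack host, and any entry loading the same file as a flagged one), and lists files that several entries share. The hijack host set is an assumption taken from this log, and the sample input is a constructed subset of the log lines above. It cannot tell you whether a vendor DLL such as the Dell, Intel or McAfee entries is legitimate; that still takes a lookup.

```python
"""Mechanical first pass over a HijackThis (HJT) log.

Added example, not HijackThis code.  Only checks that can be made from the
log text itself are applied; vendor lookups still need a human.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption taken from the log in this thread; extend per case.
HIJACK_HOSTS = {"omegasearch.com", "spywarenuker.com"}

# Constructed sample input: a subset of the log lines posted above.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {B7D0E387-C9EA-7B38-F2FB-004181E7B6F3} - C:\PROGRA~1\MP3INT~1\LogoCast.dll
O3 - Toolbar: FirstOwns - {EC6BCB31-103A-F4B8-97DA-FF7264DDF3DD} - C:\PROGRA~1\MP3INT~1\LogoCast.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [spynuker_download] C:\WINDOWS\Downloaded Program Files\SWNInstaller.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/clickbank/SWNInstaller.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
FILE_RE = re.compile(r"(.+?\.(?:exe|dll|ocx|scr|com))(?:\s|$)", re.IGNORECASE)


def command_path(cmd):
    """Strip quotes and trailing switches from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = FILE_RE.match(cmd)
    return m.group(1) if m else cmd


def host_of(url):
    """Host part of a URL, lower-cased, with a leading 'www.' dropped."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def parse_line(line):
    """Split one HJT line into section, file path and/or URL."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    e = {"section": sec, "raw": line.strip(), "url": None, "path": None}
    if sec in ("R0", "R1"):                 # key = url
        e["url"] = body.partition(" = ")[2].strip()
    elif sec in ("O2", "O3"):               # name - {CLSID} - path
        e["path"] = body.rsplit(" - ", 1)[1].strip()
    elif sec == "O4":                       # hive\..\Run: [Name] command
        e["path"] = command_path(body.partition("] ")[2])
    elif sec == "O16":                      # DPF: {CLSID} - url
        e["url"] = body.rsplit(" - ", 1)[1].strip()
    return e


def triage(log_text, hijack_hosts=HIJACK_HOSTS):
    """Return (flagged, shared): flagged maps a log line to its reasons,
    shared maps a file path to the lines that all reference it."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    flagged = defaultdict(list)
    by_file, by_name = defaultdict(list), defaultdict(set)

    for e in entries:
        sec, path, url = e["section"], e["path"], e["url"]
        if path and path != "(no file)":
            by_file[path.lower()].append(e["raw"])
        if sec in ("R0", "R1") and host_of(url) in hijack_hosts:
            flagged[e["raw"]].append("start/search page points at a hijack host")
        if sec in ("O2", "O3") and path == "(no file)":
            flagged[e["raw"]].append("dangling CLSID: registered file is gone")
        if sec == "O4" and "downloaded program files" in (path or "").lower():
            flagged[e["raw"]].append("autorun from IE's ActiveX download cache")
        if sec == "O16" and host_of(url) in hijack_hosts:
            flagged[e["raw"]].append("ActiveX download from a hijack host")
        # Group O2/O3/O4/O16 entries by the file name they load or fetch.
        target = path if path else (urlsplit(url).path if sec == "O16" else None)
        if target and target != "(no file)":
            by_name[target.replace("/", "\\").rsplit("\\", 1)[-1].lower()].add(e["raw"])

    # Propagate: an entry loading the same file as a flagged one belongs to
    # the same package (e.g. the O16 download and the O4 that runs it).
    changed = True
    while changed:
        changed = False
        for name, lines in by_name.items():
            if any(l in flagged for l in lines):
                for l in lines - set(flagged):
                    flagged[l].append(f"same file ({name}) as a flagged entry")
                    changed = True

    shared = {f: lines for f, lines in by_file.items() if len(lines) > 1}
    return dict(flagged), shared


if __name__ == "__main__":
    flagged, shared = triage(SAMPLE_LOG)
    for line, why in flagged.items():
        print(f"FIX  {line}\n     {'; '.join(why)}")
    for f, lines in shared.items():
        print(f"NOTE {f} is referenced by {len(lines)} entries")
```

Run on the sample it prints the two omegasearch R lines, the dangling BHO, the spynuker O4 and the O16 as FIX, and notes LogoCast.dll as shared by a BHO and a toolbar; the Dell start-page entries and the other vendor files are left for a human to judge.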
Comments
Check the latest removal instructions here.
You've got a few things besides Omegasearch on your system.
Boot up in SAFE MODE. Run HJT. Fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
(If they have no files, toast 'em.)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
(Random file name, associated with one of your hijacks above.)
O2 - BHO: (no name) - {B7D0E387-C9EA-7B38-F2FB-004181E7B6F3} - C:\PROGRA~1\MP3INT~1\LogoCast.dll
(Omegasearch file.)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
(If they have no files, toast 'em.)
O3 - Toolbar: FirstOwns - {EC6BCB31-103A-F4B8-97DA-FF7264DDF3DD} - C:\PROGRA~1\MP3INT~1\LogoCast.dll
(Omegasearch file.)
O4 - HKLM\..\Run: [Long style] C:\PROGRA~1\TITLEP~1\ADMINCHIC.exe
(Omegasearch file.)
O4 - HKCU\..\Run: [bootvid] C:\WINDOWS\System32\bootvid.exe
(Not sure what this is, but it is not a normal Windows program.)
O4 - HKCU\..\Run: [spynuker_download] C:\WINDOWS\Downloaded Program Files\SWNInstaller.exe
(Claims to be a spyware remover, but is really spyware.)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
http://www.spywarenuker.com/product/camp/clickbank/SWNInstaller.exe
Next, you need to manually find and quarantine some of the files associated with the hijacks above. Make a new folder called Quarantine and move these files into it:
C:\WINDOWS\system32\dla\tfswshx.dll
C:\WINDOWS\System32\bootvid.exe
What I recommend is to make a sub-folder in Quarantine for DLL files and one for EXEs. Move the DLLs to the DLL folder, and the EXEs to the EXE folder. Then rename the last 3 letters of each file to .XXX. They are now quarantined, but if you find you need them for something legit after all, you can easily replace them by renaming them and replacing them in the folder they originally came from.
These ones you can completely delete the file and containing folder:
C:\PROGRAM FILES\MP3INT~1\LogoCast.dll
C:\PROGRAM FILES\TITLEP~1\ADMINCHIC.exe
Look for the folders whose names start with "MP3INT" and "TITLEP".
Reboot your system normally, and check things out. Post a fresh HJT log here, and let us know how it worked out.
Then, check out the links in my signature, and find out about Short-Media's favourite pastime: Folding for a Cure!
Dexter...
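Dexter's quarantine procedure (Quarantine\DLL and Quarantine\EXE sub-folders, extension renamed to .XXX, restore by renaming back) as an added Python example that is not from the thread: it adds a manifest so a restore goes back to the exact original path, reports files that were missing or still locked, and includes a helper that lists candidate long folder names for an 8.3 name such as MP3INT~1. The file paths used in the test are the ones from the reply; the helper's prefix matching is an assumption about how Windows builds short names, so confirm with `dir /x` before deleting a folder.

```python
"""Quarantine by rename, as described in the reply above: each file goes
into Quarantine\<EXT> (DLL, EXE, ...), its extension becomes .XXX so nothing
can load it from the old registered path, and a manifest records where it
came from so it can be put back if it was legit after all.

Added example; not a tool from the thread.  Run it in Safe Mode from an
account that can write to the source folders.
"""
import json
import shutil
from pathlib import Path

MANIFEST = "manifest.json"


def _load(qdir):
    p = Path(qdir) / MANIFEST
    return json.loads(p.read_text()) if p.exists() else {}


def _save(qdir, manifest):
    (Path(qdir) / MANIFEST).write_text(json.dumps(manifest, indent=2))


def quarantine(paths, qdir):
    """Move each file to qdir/<EXT>/<stem>.XXX.  Returns a report with the
    files moved (new location -> original), those not found, and those
    that could not be moved (typically still loaded by a running process)."""
    qdir = Path(qdir)
    manifest = _load(qdir)
    report = {"moved": {}, "missing": [], "locked": []}
    for src in map(Path, paths):
        if not src.is_file():
            report["missing"].append(str(src))
            continue
        bucket = qdir / (src.suffix.lstrip(".").upper() or "OTHER")
        bucket.mkdir(parents=True, exist_ok=True)
        dst, n = bucket / (src.stem + ".XXX"), 1
        while dst.exists():              # same base name from another folder
            dst, n = bucket / f"{src.stem}({n}).XXX", n + 1
        try:
            shutil.move(str(src), str(dst))
        except PermissionError:
            report["locked"].append(str(src))
            continue
        manifest[str(dst)] = str(src)
        report["moved"][str(dst)] = str(src)
    _save(qdir, manifest)
    return report


def restore(qdir, quarantined):
    """Put one quarantined file back exactly where the manifest says it was."""
    manifest = _load(qdir)
    original = Path(manifest.pop(str(quarantined)))
    original.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(quarantined), str(original))
    _save(qdir, manifest)
    return original


def expand_short_dir(parent, short):
    """Candidate long names in `parent` for an 8.3 name such as MP3INT~1.
    Assumption: Windows derives the short name from the long name with
    spaces dropped, upper-cased and cut to 6 characters, so match on that
    prefix and confirm the real mapping with `dir /x`."""
    prefix = short.split("~", 1)[0].upper()
    return sorted(d for d in Path(parent).iterdir()
                  if d.is_dir() and d.name.replace(" ", "").upper().startswith(prefix))


if __name__ == "__main__":
    import sys
    # usage: quarantine.py <quarantine-dir> <file> [<file> ...]
    print(json.dumps(quarantine(sys.argv[2:], sys.argv[1]), indent=2))
```

Because the manifest keys are the quarantined paths, a later `restore(qdir, r"...\Quarantine\DLL\tfswshx.XXX")` needs nothing but the quarantine folder; the original location is not guessed from the file name.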
I would say two things:
A lot of the reason things come back is because of other things.
In this case, I note you also need to security-patch your Internet Explorer; check by looking at the version number. In this case, I would also scan for viruses with something with VERY recently updated definitions; pull that and the security pack first if you can, then remove.
Explanation:
There is something coming back through a vuln or vuln holes for repeats to happen quickly, or you do not have System Restore DISABLED when you are removing, or the box is virused or trojaned or wormed, or some combo. OR, you are going back to a site that is feeding this junk, or a site you go to is linking to such a site. OR, you have a cookie that is leading your IE back to a site that does this or is being used to route things for a trojan.
The problem is, it looks like Omegasearch, or what is called that by some, is in fact a multi-vectored remote computer attack set, and is being misrecognized as such when folks get similar symptoms, and it is being dynamically morphed deliberately and fed from multiple web "places." The problem with morphs is there are many distinct sets of things that can be used, so each apparent OmegaSearch can be a bit different, and things that use part of what Omegasearch uses can be pure viral attacks in combo and not even Omegasearch per se.
John D. -- who says to look at those things ALSO, to keep something from coming back, and notes that using pure Sun Java based browsers has resulted in fewer recurrences than using IE after such an attack.
This can be an iterative, or repeat looping, process.
Basically, it repeats by name of the link you want to remove, and an icon has hidden under it a property that is of type hard symbolic link with a path to what is linked to, with a reference to a graphic file that gives you the visible icon as another property.
These files, in XP, are often of type .lnk, for the shortcut type.
The process I use is to use XP's Find/Search abilities to get the locations, and a GUI that lets me delete them from within the search results.
Let's say you have what look visibly like shortcuts in your box to something you do not want to stay there. The easiest way to get rid of them is not to examine the whole file system by yourself to find and delete, which would work but take forever.
Instead, use Search, and use an admin-privileged logon into XP to let you find things on the whole box.
Let's say you have something of name Omegasearch on a desktop, and it keeps reappearing. This can happen two ways -- System Restore can be restoring it due to a registry entry not removed causing something to replace it, or autorecovery within XP can be triggered by that thing in the registry that was not pulled, or the thing can be registered as a service and XP can be autorestoring it at boot time.
Process definition -- plain language spec format.
But a simple delete using Search of "icon" links can be done like this:
1. Log in as administrator (to the ID you made as powerful as administrator at install time) for the XP install, with XP's admin password for that install.
2. Go to Start|Search|Files and Folders.
3. In the text box, give this search -- let it hunt for names beginning with the part you enter as the name: omega*.lnk
NOTE: the .lnk part will not be considered the name part; instead you will get every file that begins with Omega or omega, and the .lnk part will be used to filter so only links that look to you like graphic icons show up.
4. For every one you are sure is a bad link that you want to trash, right-click it and choose Delete, right in the search results. While working as admin you can do this. Files will get deleted, and icons will vanish, after a reboot if not also instantly.
Do this whole set of numbered steps for every name you chose to use to delete things in HJT.
They should stay away after a reboot. IF they do not, something else happened that is not pure file recovery, as XP typically does not restore icons on the desktop or to autorun unless they are special files and have registry entries for them. HJT is acting on the registry for you, and not all .lnk files are only in the registry; most have physical presence as files also, and files thus need to be deleted also. You can make them mostly harmless icons with HJT, but the icons that you see themselves might not vanish, so you use Search to find the files that are graphical and delete them; in XP they are of type .lnk normally, except that if you run something in compatibility mode you might have files in the file system of type .ico and type .lnk and be seeing the .lnk ones.
john D.
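John D.'s omega*.lnk search, as an added Python example that is not from the thread: rather than trusting what the icon looks like, it walks the tree the way XP's Search does, matches the name pattern, and reads each shortcut's local target path out of the .lnk file using the fields of the Shell Link binary format (MS-SHLLINK), so you can see what a reappearing icon actually launches before deleting it. Only the fields needed for a local target are parsed; `make_lnk` builds a constructed shortcut for the demonstration and is not something Windows provides.

```python
"""Find shortcut (.lnk) files by name prefix and read where each points.

Added example, not from the thread.  Reads only the Shell Link fields needed
to recover a local target path (header, LinkFlags, IDList size, LinkInfo).
"""
import fnmatch
import os
import struct

HAS_LINK_TARGET_ID_LIST = 0x01          # LinkFlags bits
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01    # LinkInfoFlags bit
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", errors="replace")


def lnk_target(data):
    """Local target path of a .lnk, or None if it carries no local path."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != SHELL_LINK_CLSID):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C                                   # end of the fixed header
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize, then that many bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if not flags & HAS_LINK_INFO:
        return None
    # LinkInfo: size, header size, flags, VolumeID off, LocalBasePath off,
    # CommonNetworkRelativeLink off, CommonPathSuffix off (all relative to off)
    _size, _hdr, info_flags, _vol, base_off, _net, suffix_off = \
        struct.unpack_from("<7I", data, off)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                              # network-only link
    return _cstr(data, off + base_off) + _cstr(data, off + suffix_off)


def make_lnk(target):
    """Build a minimal .lnk pointing at a local path (constructed fixture for
    the demo; real shortcuts carry more blocks, which lnk_target skips)."""
    base, suffix = target.encode("cp1252") + b"\x00", b"\x00"
    volume = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    hdr = 0x1C
    base_off = hdr + len(volume)
    suffix_off = base_off + len(base)
    info = struct.pack("<7I", suffix_off + len(suffix), hdr,
                       VOLUME_ID_AND_LOCAL_BASE_PATH, hdr, base_off, 0, suffix_off)
    header = struct.pack("<I", 0x4C) + SHELL_LINK_CLSID + struct.pack("<I", HAS_LINK_INFO)
    return header.ljust(0x4C, b"\x00") + info + volume + base + suffix


def find_shortcuts(root, pattern="omega*.lnk"):
    """Walk root like XP's Search and return sorted (path, target) pairs for
    files matching pattern (case-insensitive).  target is None when the file
    is not a readable shell link, which is itself worth a look."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not fnmatch.fnmatch(name.lower(), pattern.lower()):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                target = lnk_target(data)
            except ValueError:
                target = None
            hits.append((path, target))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # usage: findlnk.py <root> [pattern]
    for path, target in find_shortcuts(sys.argv[1], *sys.argv[2:3]):
        print(f"{path}\n    -> {target}")
```

A shortcut whose target sits in a folder HJT already named (C:\PROGRA~1\TITLEP~1 in this log) is a safe delete; one that points somewhere you have not seen yet tells you where to look next.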
R0 - hkcu\software\microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.cl
Please help, I know that at some point this will bring some new problems.