
hijack this log

I already removed the ones that read omegasearch, but omegasearch is still bothering me. What else should I remove?

Logfile of HijackThis v1.97.7
Scan saved at 17:31:16, on 16.5.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\imuroidut\quartus\bin\JTAGServer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\NetDrive\wdService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINNT\System32\svchost.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\system32\PRISMSTA.EXE
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\NetDrive\netdrive.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\FIRSTT~1\DUPE 32 MEAL.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Network Associates\Common Framework\McScript.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\Documents and Settings\eki\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stadia.fi/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A9C90A64-381D-6170-366B-98DF1503769B} - C:\PROGRA~1\SAVEEQ~1\TESTOPTION.dll
O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} - C:\PROGRA~1\INTELL~1\ISengine.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: & IntelliStopper - {21C32A07-0176-4FFE-BCDA-65D4A24F4303} - C:\PROGRA~1\INTELL~1\INTELL~1.DLL (file missing)
O3 - Toolbar: readmebrowsesecond - {B5585423-9DCF-8AD1-D53E-1686C025A839} - C:\PROGRA~1\SAVEEQ~1\TESTOPTION.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\NetDrive\netdrive.exe /trayicon
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MEET IDLE] C:\PROGRA~1\FIRSTT~1\DUPE 32 MEAL.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {5BDBD95C-1E7F-4FB1-8497-20AF879F8B68} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fi/filesharingctrl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.2298032407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
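
Added example, not part of the original post: a small Python triage script that parses lines in the HijackThis 1.97 log format shown above and scores them with the signals a log reader applies by hand, a start page pointing at a known hijacker domain, an entry whose file is already gone, one DLL registered under more than one hook type (here the same TESTOPTION.dll as both an O2 BHO and an O3 toolbar), and Run entries whose value name or file name is a string of unrelated capitalised words. The sample log embedded in the script is constructed from a subset of the entries posted above; the hijacker domain list and the score weights are assumptions for illustration, not anything HijackThis itself ships.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in HijackThis 1.97 log format; the entries are copied
# from the log posted above so the heuristics can be checked against it.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stadia.fi/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A9C90A64-381D-6170-366B-98DF1503769B} - C:\PROGRA~1\SAVEEQ~1\TESTOPTION.dll
O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} - C:\PROGRA~1\INTELL~1\ISengine.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: readmebrowsesecond - {B5585423-9DCF-8AD1-D53E-1686C025A839} - C:\PROGRA~1\SAVEEQ~1\TESTOPTION.dll
O4 - HKLM\..\Run: [MEET IDLE] C:\PROGRA~1\FIRSTT~1\DUPE 32 MEAL.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
"""

# Assumption: a locally maintained blocklist of start-page hijacker domains.
# omegasearch.com is the one this thread is about.
HIJACKER_DOMAINS = {"omegasearch.com"}

SECTION_RE = re.compile(r"^([RO]\d+) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|ocx|cpl))', re.IGNORECASE)
URL_RE = re.compile(r"(https?://\S+)", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(.*?)\]")
HOOK_NAME_RE = re.compile(r"^(?:BHO|Toolbar): (.*?) - \{")
# Names built only from upper-case words and numbers ("MEET IDLE", "DUPE 32 MEAL").
WORD_SALAD_RE = re.compile(r"^(?:[A-Z]+|\d+)(?: (?:[A-Z]+|\d+))+$")


@dataclass
class Entry:
    section: str
    body: str
    path: str | None
    url: str | None
    name: str | None
    file_missing: bool
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def verdict(self) -> str:
        return "REMOVE" if self.score >= 2 else "REVIEW" if self.score == 1 else "ok"


def parse_line(line: str) -> Entry | None:
    """Split one log line into section tag, module path, URL and display name."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    path, url = PATH_RE.search(body), URL_RE.search(body)
    name = (RUN_NAME_RE if section == "O4" else HOOK_NAME_RE).search(body)
    return Entry(section, body, path and path.group(1), url and url.group(1),
                 name and name.group(1), "(file missing)" in body)


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()


def triage(log_text: str) -> list[Entry]:
    """Score every entry: >= 2 remove, 1 look at it, 0 leave it alone."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Which hook types (O2 BHO, O3 toolbar, O4 Run, ...) load each module path.
    hooks: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        if e.path:
            hooks[e.path.lower()].add(e.section)
    for e in entries:
        if e.url and host_of(e.url) in HIJACKER_DOMAINS:
            e.score += 3
            e.reasons.append(f"points at hijacker domain {host_of(e.url)}")
        if e.file_missing:
            e.score += 2
            e.reasons.append("orphaned: file is gone, removing the entry is harmless")
        if e.path and len(hooks[e.path.lower()]) > 1:
            e.score += 2
            e.reasons.append("one module hooked as " + "+".join(sorted(hooks[e.path.lower()])))
        stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0] if e.path else ""
        for label, text in (("value name", e.name or ""), ("file name", stem)):
            if WORD_SALAD_RE.match(text):
                e.score += 1
                e.reasons.append(f"random-word {label} '{text}'")
    return entries


def removals(log_text: str) -> list[str]:
    """Bodies of the entries scored high enough to tick and Fix in HijackThis."""
    return [e.body for e in triage(log_text) if e.verdict() == "REMOVE"]


if __name__ == "__main__":
    for e in sorted(triage(SAMPLE_LOG), key=lambda e: -e.score):
        if e.score:
            print(f"{e.verdict():6} {e.section:3} {e.body}")
            for r in e.reasons:
                print("         -", r)
```

Run against the sample it flags the omegasearch start page, both TESTOPTION.dll registrations, the orphaned ISengine.dll entry and the "MEET IDLE" Run value, and leaves the Acrobat helper, the Zone Labs client, the McAfee tray and the stadia.fi backup start page alone. The weights are deliberately conservative: a single weak signal only earns "REVIEW", so a legitimate program under an 8.3 path such as ZONELA~1 is never proposed for removal on that basis alone. Note that HijackThis only removes the registry hook; the DLL or executable under C:\PROGRA~1\SAVEEQ~1 and C:\PROGRA~1\FIRSTT~1 still has to be deleted by hand, which is why the replies say to do the fix from safe mode, where nothing has the module loaded.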

Comments

  • Straight_Man (Geeky, in my own way, Naples, FL, Icrontian)
    edited May 2004
    Running processes:

    C:\imuroidut\quartus\bin\JTAGServer.exe
    C:\WINNT\system32\NALNTSRV.EXE
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\NetDrive\wdService.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\NOVELL\ZENRC\wuser32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\LTSMMSG.exe
    C:\WINNT\system32\PRISMSTA.EXE
    C:\WINNT\System32\dpmw32.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\NetDrive\netdrive.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\PROGRA~1\FIRSTT~1\DUPE 32 MEAL.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
    C:\Program Files\Network Associates\Common Framework\McScript.exe
    C:\Program Files\DC++\DCPlusPlus.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/.../www.google.fi/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stadia.fi/
    KILL bolded things! Consider quarantining the rest, unless you know you need them.

    O2 - BHO: (no name) - {A9C90A64-381D-6170-366B-98DF1503769B} - C:\PROGRA~1\SAVEEQ~1\TESTOPTION.dll
    O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} - C:\PROGRA~1\INTELL~1\ISengine.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: & IntelliStopper - {21C32A07-0176-4FFE-BCDA-65D4A24F4303} - C:\PROGRA~1\INTELL~1\INTELL~1.DLL (file missing)
    O3 - Toolbar: readmebrowsesecond - {B5585423-9DCF-8AD1-D53E-1686C025A839} - C:\PROGRA~1\SAVEEQ~1\TESTOPTION.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE
    O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\NetDrive\netdrive.exe /trayicon
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [MEET IDLE] C:\PROGRA~1\FIRSTT~1\DUPE 32 MEAL.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...ector/swdir.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {5BDBD95C-1E7F-4FB1-8497-20AF879F8B68} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.c...sharingctrl.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -


    I have cut out what I know is good. The rest, I question. I also wonder if you need Novell services running. Most folks who do not have a machine on a network do not need Novell services. Is this machine hooked to a Novell server, or a server that stores things and protects logins with Novell software? If not, then stuff might be left over from a previous owner.

    Informed opinions as to what is left and not bolded are solicited/wanted. Dexter, any ideas on those?
  • Kwitko (Sheriff of Banning (Retired), By the thing near the stuff, Icrontian)
    edited May 2004
    Welcome to Short-Media, ercci. Before beginning, make sure HiJackThis is located in its own folder in case you have to restore items from quarantine.

    Reboot your PC into safe mode, rerun HiJackThis, and delete the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/.../www.google.fi/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stadia.fi/

    O2 - BHO: (no name) - {A9C90A64-381D-6170-366B-98DF1503769B} - C:\PROGRA~1\SAVEEQ~1\TESTOPTION.dll
    Omegasearch DLL

    O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} - C:\PROGRA~1\INTELL~1\ISengine.dll (file missing)
    O3 - Toolbar: & IntelliStopper - {21C32A07-0176-4FFE-BCDA-65D4A24F4303} - C:\PROGRA~1\INTELL~1\INTELL~1.DLL (file missing)
    Intellistopper toolbar

    O3 - Toolbar: readmebrowsesecond - {B5585423-9DCF-8AD1-D53E-1686C025A839} - C:\PROGRA~1\SAVEEQ~1\TESTOPTION.dll
    Another Omegasearch DLL

    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    Intel graphics resolution switcher. Unless you switch resolutions many times a day, you can safely remove it to save resources without affecting your video card's functionality.

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    QuickTime updater. Useless. Can be safely removed without affecting functionality.

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    Sun Java updater. Can be safely removed without affecting functionality.

    O4 - HKLM\..\Run: [MEET IDLE] C:\PROGRA~1\FIRSTT~1\DUPE 32 MEAL.exe
    Omegasearch executable

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    If you don't use MSN Messenger, you can safely delete this.

    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    WinZip quick picks. If you've never used this, you can safely delete this.

    After cleaning your machine, reboot and rerun HiJackThis. As John pointed out, you've got a lot of Netware programs running. Obviously, if you're using Netware, keep it, and if not, dump it.
  • edited May 2004
    Finally got rid of that naughty omegasearch. Thanks a lot for the good advice.
    Keep up the good work.