Omegasearch and other problems - tallbladeofgrass
Hello! I am hoping someone can help me with this problem. First, a little background.
Three days ago I formatted my primary hard drive and reinstalled Windows 2000. I downloaded only Windows updates and AOL software and did not use IE otherwise. I have a permanent connection to the internet via my school's T1 line. The very next day, my browser had been hijacked by omegasearch and I had various other spyware as well. Upon further poking around, I discovered that all three of my hard drives were shared on the network in their entirety.
Since then, I have run Ad-Aware, Spybot, CWShredder, and HijackThis. The only thing I can't get rid of is omegaware, which seems to reinstall itself every time I start my computer. Also, my hard drives reshare themselves every time I start the computer, despite the fact that I unshare them every time.
Here is my most recent HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 1:55:47 PM, on 6/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINNT\System32\svchost.exe
C:\Utilities\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Utilities\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\UTILIT~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\devldr32.exe
C:\UTILIT~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\MOVEBA~1\HIDEDEAF.exe
C:\Web\AIM\aim.exe
C:\WINNT\System32\svchost.exe
E:\Installation files\Utilities\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Acrobat\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Utilities\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C3ABDE8F-44EF-7F28-632A-EF009B91CD72} - C:\PROGRA~1\CREATI~1\Surf Dvd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Utilities\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\UTILIT~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Web\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [WinampAgent] "C:\Media\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [acid sign] C:\PROGRA~1\MOVEBA~1\HIDEDEAF.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Apps\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38147.7053472222
I always delete the one obviously related to omegasearch, but it comes back whenever I reboot. If anyone can help me, I will be most grateful!
Thanks
Comments
Get rid of the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/.../www.google.com
O4 - HKLM\..\Run: [acid sign] C:\PROGRA~1\MOVEBA~1\HIDEDEAF.exe
I'd also get rid of the following for performance reasons, but it's not necessary to do this:
O2 - BHO: (no name) - {C3ABDE8F-44EF-7F28-632A-EF009B91CD72} - C:\PROGRA~1\CREATI~1\Surf Dvd.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Web\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [WinampAgent] "C:\Media\Winamp\Winampa.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Apps\Microsoft Office\Office\OSA9.EXE
Then, boot into safe mode and get rid of the following folders, in their entirety:
C:\PROGRAM FILES\MOVE BA* (Something that starts with Move Ba.....)
We're glad to help. If you're REALLY grateful, you may want to consider joining our folding team
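The triage primesuspect performs above (single out the R0 start page that no longer points where the user set it, and the O4 Run entry with an odd value name and an odd 8.3 path) can be automated over a HijackThis log. The script below is an added example, not code from this thread or from HijackThis itself; the set of expected start-page hosts and the list of known vendor directories are assumptions built from the paths visible in the posted log, and the sample lines are copied from that log.

```python
"""Parse HijackThis-style log lines and flag the entries worth a second look.

Added example, not the thread's or HijackThis's own code. EXPECTED_START_HOSTS
and KNOWN_VENDOR_DIRS are assumptions chosen for illustration.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Lines copied from the log posted above (sample input for this example).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Utilities\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\UTILIT~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [acid sign] C:\PROGRA~1\MOVEBA~1\HIDEDEAF.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
"""

# Hosts the start page may legitimately point at (assumption for this example).
EXPECTED_START_HOSTS = {"www.google.com"}

# Directory components of software the user knowingly installed
# (assumption: taken from the vendor paths visible in the posted log).
KNOWN_VENDOR_DIRS = {
    "NORTON~1", "NORTON SYSTEMWORKS", "SYMANTEC", "SYMANTEC SHARED",
    "AOL", "AOLSPY~1", "LIVEUP~1", "WINNT", "SYSTEM32",
}

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
START_PAGE_RE = re.compile(r"Start Page = (?P<url>\S+)", re.IGNORECASE)
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "R0" or "O4"
    body: str     # everything after "R0 - " / "O4 - "


@dataclass
class Finding:
    section: str
    name: str
    reason: str


def parse_entries(text: str) -> List[Entry]:
    """Keep only the 'Rn - ' / 'On - ' lines; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def _first_token(s: str):
    """Split off the first command-line token, honouring double quotes."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:]
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def executable_from_command(cmd: str) -> str:
    """Return the file a Run value actually loads; for rundll32 that is its DLL argument."""
    exe, rest = _first_token(cmd)
    if ntpath.basename(exe).lower() == "rundll32.exe" and rest.strip():
        exe, _ = _first_token(rest)
        exe = exe.split(",")[0]  # "C:\path\lib.dll,EntryPoint" -> the DLL path
    return exe


def check_start_page(entry: Entry) -> Optional[Finding]:
    """Flag an R0/R1 start page that points away from the hosts the user expects."""
    m = START_PAGE_RE.search(entry.body)
    if not m:
        return None
    parsed = urlparse(m.group("url"))
    host = parsed.netloc.lower()
    if host in EXPECTED_START_HOSTS:
        return None
    reason = f"start page points at {host}"
    # A second URL inside the query string is the 'passthrough' pattern:
    # the hijacker frames or redirects to the page the user expected to see.
    if re.search(r"https?://", parsed.query, re.IGNORECASE):
        reason += " and wraps another URL (passthrough redirect)"
    return Finding(entry.section, "Start Page", reason)


def check_run_entry(entry: Entry) -> Optional[Finding]:
    """Flag an O4 Run/RunOnce value whose target is outside any known vendor directory."""
    m = RUN_RE.match(entry.body)
    if not m:
        return None
    exe = executable_from_command(m.group("cmd"))
    components = {c.upper() for c in exe.split("\\")[:-1]}
    if components & KNOWN_VENDOR_DIRS:
        return None
    if not components:
        return Finding(entry.section, m.group("name"),
                       f"{exe} has no directory; it is resolved through the search path at logon")
    return Finding(entry.section, m.group("name"),
                   f"{exe} lives outside any known vendor directory")


def triage(text: str) -> List[Finding]:
    findings = []
    for entry in parse_entries(text):
        for check in (check_start_page, check_run_entry):
            f = check(entry)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}]: {f.reason}")
```

Run against the five sample lines it reports exactly the two entries the reply tells the poster to remove: the R0 start page (omegasearch.com wrapping www.google.com) and the "acid sign" value under MOVEBA~1. Everything whose path passes through a known vendor directory stays quiet, which is the point of an allowlist-based first pass: it shrinks the log to the handful of lines that need a human's judgement rather than deciding anything on its own.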
O2 - BHO: (no name) - {C3ABDE8F-44EF-7F28-632A-EF009B91CD72} - C:\PROGRA~1\CREATI~1\Surf Dvd.dll
Surf any pr0n? Looking for serialz or warez? Download any cool little smilies for your e-mail? Say YES to some internet connection tune-up?
Figure out, if you can, where you got this stuff from. Then don't go there again.
If you do figure out what site it was, PM it to me...I'd like to do some sniffing around....
Dexter...
primesuspect:
I suspected this file:
O4 - HKLM\..\Run: [acid sign] C:\PROGRA~1\MOVEBA~1\HIDEDEAF.exe
at first, so the first time I ran HijackThis I did delete it. However, the next time I started my computer I had about 6 errors upon startup, including having my paging file deleted. Is there a way to keep that from happening?
I'll try all the rest and get back to y'all. Thanks again! I really appreciate it.
I'm suspicious of that paging file being deleted, that's not something we have really seen before. Was there an error message that told you this? Or did you discover that another way?
Dexter...
Good news: omegasearch is gone! Looks like booting up in safe mode first did the trick: no omegasearch and no errors. My hard drives are still sharing themselves though. Is that supposed to happen and I just never noticed it until now?
In any case, you guys are lifesavers. Thanks so much!
They are not a security risk. At least not this week....
Dexter...