2000search

I have been infected with search2000/lop/omega.

I have run Ad-Aware 6.0, Spybot and Omega Killer.

I still have the toolbar on the top of my browser and search2000 keeps trying to install itself as my home page. I have posted my HijackThis log below. Could somebody help please and tell me what I should remove?

Logfile of HijackThis v1.97.7
Scan saved at 22:21:02, on 02/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\csrss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\WINDOWS\system32\LEXBCES.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\system32\LEXPPS.EXE
I:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
I:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
I:\WINDOWS\System32\nvsvc32.exe
I:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
I:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\WINDOWS\System32\wdfmgr.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\System32\carpserv.exe
I:\WINDOWS\SOUNDMAN.EXE
I:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
I:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe
I:\WINDOWS\System32\GSICON.EXE
I:\WINDOWS\System32\dslagent.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
I:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
I:\Program Files\Picasa\PicasaMediaDetector.exe
I:\WINDOWS\System32\ctfmon.exe
I:\Program Files\Messenger\msmsgs.exe
I:\WINDOWS\System32\svchost.exe
i:\progra~1\intern~1\iexplore.exe
I:\WINDOWS\system32\csrss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\SOUNDMAN.EXE
I:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
I:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe
I:\WINDOWS\System32\GSICON.EXE
I:\WINDOWS\System32\dslagent.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
I:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
I:\Program Files\Picasa\PicasaMediaDetector.exe
I:\WINDOWS\System32\ctfmon.exe
I:\Program Files\Messenger\msmsgs.exe
i:\progra~1\intern~1\iexplore.exe
i:\progra~1\intern~1\iexplore.exe
I:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\Program Files\Omega removal\OmegaKiller.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\Program Files\Internet Explorer\HiJack This\HijackThis.exe
I:\Documents and Settings\All Users\Application Data\Third ace upload proxy\2 Poke.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://kwnywysfhrocwzywnfhlsqhb.com/PCkZfZjrWHkbLgvAkEvkF7dtvP3Oxbk0JVw/YRGGiJ4JqeSKYqYy3mYh8z_8_TyC.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\Program Files\Internet Explorer\Spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {B5DCC2E4-DC4B-F348-7165-D010447F1445} - I:\PROGRA~1\CHINDR~1\GRIDBAIT.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - I:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar4.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - I:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LXBLKsk] I:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [MemoryCardManager] I:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe -startup
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Mpeg2] I:\PROGRA~1\Playmapi\pile site slow.exe
O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] I:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] I:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] I:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [CTFMON.EXE] I:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "I:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://i:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://i:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://i:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://i:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://i:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38108.2806597222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C016F79-0374-40D8-8AD3-509263033779}: NameServer = 212.67.120.148 212.67.96.129

Comments

  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited August 2004
    Brocpa, you've got a private message.
This discussion has been closed.