Omegasearch Appears to be Back

Our previous battle was here: http://www.short-media.com/forum/showthread.php?t=17483

The owner of this PC is a pretty conservative, tech-savvy guy, but he appears to be reinfested after only about 10 days. The only thing I see is that he lets RealPlayer run at startup. I downloaded the latest version and security patches of RealPlayer. Below is the latest HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 10:19:31 AM, on 8/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick\Desktop\johns_tools\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ycaqpaxcmzkmprjnialotm.com/UyKJhY_lwFoglxYVIPhW15L5QE/IPHwpM_R7v8KkTOlnJfI7Woiom0DP/Rccsdt7.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A4661565-1C34-6A4F-99DA-CA277DE194FE} - C:\PROGRA~1\SHOWGR~1\Wave Window.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37678.5085185185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Comments

  • mmonnin, Centreville, VA
    edited August 2004
    Remove these entries and delete the files in that folder in safe mode. Make sure not to delete your REAL Internet Explorer.
    c:\progra~1\intern~1\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe


    Notice the difference between these 2 entries. One is good and one is bad:
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe


    Do you know what this Program is?
    O2 - BHO: (no name) - {A4661565-1C34-6A4F-99DA-CA277DE194FE} - C:\PROGRA~1\SHOWGR~1\Wave Window.exe
    If not, then delete the entry and the file in safe mode.

    Hope that helps you out. Post again if it's still there.
  • edited August 2004
    mmonnin wrote:
    Remove these entries and delete the files in that folder in safe mode. Make sure not to delete your REAL Internet Explorer.
    c:\progra~1\intern~1\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe


    Notice the difference between these 2 entries. One is good and one is bad:
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe


    Do you know what this Program is?
    O2 - BHO: (no name) - {A4661565-1C34-6A4F-99DA-CA277DE194FE} - C:\PROGRA~1\SHOWGR~1\Wave Window.exe
    If not, then delete the entry and the file in safe mode.

    Hope that helps you out. Post again if it's still there.

    I have no clue what Wave Window.exe is and could find nothing on it in Google.

    When I reran HJT in safe mode the evil O4 - HKLM**********poll4mix.exe shows again and I'll have it fix that. Then I'll follow your instructions as above.

    Any clues that I could pass on as to the cause of the infection here? This is a really careful user who owns this machine.

    Thanks for your help.
  • mmonnin, Centreville, VA
    edited August 2004
    Well, a lot of people suggest using Firefox or Opera, since neither of those are Microsoft products.

    That, and none of those 'sites' should be visited. Not sure if Patrick is into pr0n, but that's how a lot of this gets installed. And if he does get a pop-up asking him if he wants to install something, ALWAYS click NO. Always.

    Looks like he needs to be a bit more careful. :)
  • edited August 2004
    mmonnin wrote:
    Well, a lot of people suggest using Firefox or Opera, since neither of those are Microsoft products.

    That, and none of those 'sites' should be visited. Not sure if Patrick is into pr0n, but that's how a lot of this gets installed. And if he does get a pop-up asking him if he wants to install something, ALWAYS click NO. Always.

    Looks like he needs to be a bit more careful. :)

    Yes, I have Opera as default and recommended it to him.

    Problem: I can't find c:\progra~1\intern~1\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe

    I ran a search showing all files in safe mode. Is this anything?
    IEXPLORE.EXE-05719fb1.pf in C:\WINDOWS\Prefetch
    iexplore.exe in C:\WINDOWS\system32\dllcache
    iexplore.exe.26e3ad32.ini in C:\Documents and Settings\Patrick\Local Settings\Application Data\A...
  • mmonnin, Centreville, VA
    edited August 2004
    The ~ is put in place of a longer folder/file name.

    It might be just C:\Program Files\Internet Explorer\iexplore.exe with some small letters instead.
  • edited August 2004
    I can't find those files. All I get are the legitimate ones. After fixing poll4mix.exe and Wave Window.exe it all looked good, with a great HJT log, but in a few minutes all infections were back. Wave Window.exe has to be bad.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:13:37 PM, on 8/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    c:\progra~1\intern~1\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Patrick\Desktop\johns_tools\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.knpbvhscwevrzmryi.com/UyKJhY_lwFp_m0FySDOu4JddjKuiy9eihzWbL9XRkDM.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yyrtzbwrtwnfdkq.info/UyKJhY_lwFoglxYVIPhW15L5QE/IPHwpM_R7v8KkTOnKu2pkJl2_7UDP/Rccsdt7.cgi
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {A4661565-1C34-6A4F-99DA-CA277DE194FE} - C:\PROGRA~1\SHOWGR~1\Wave Window.exe
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [mailshim] C:\PROGRA~1\GPLJUM~1\poll4mix.exe
    O4 - HKLM\..\Run: [mail spam that tick] C:\Documents and Settings\All Users\Application Data\window shim mail spam\Bird bike.exe
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37678.5085185185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    This is not going to be an easy fix I'm afraid.
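The two logs above lend themselves to the first thing a responder does with a second HJT log: diff it against the earlier one, then look hard at whatever is new, changed, or already suspicious. The script below is an added example for this thread, not HijackThis or OmegaKiller code. Its sample input is a trimmed copy of the R0/O2/O4 lines from the 10:19 and 1:13 logs posted above; the scoring rules (near-vowel-free hostnames, a BHO that is an .exe rather than a .dll, autorun targets under a data directory, 8.3 short-name paths that must be resolved before being treated as a separate file) are the example's own assumptions about what the hijacker entries here have in common, not rules from the thread or the tools.

```python
"""Triage HijackThis entries by diffing a later log against an earlier one.

Added example for this thread, not HJT's or OmegaKiller's own logic. The
sample logs are trimmed copies of the R0/O2/O4 lines from the two logs in
the thread; the heuristics are the example's own assumptions."""
import re
from urllib.parse import urlparse

BASELINE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ycaqpaxcmzkmprjnialotm.com/UyKJhY_lwFoglxYVIPhW15L5QE/IPHwpM_R7v8KkTOlnJfI7Woiom0DP/Rccsdt7.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A4661565-1C34-6A4F-99DA-CA277DE194FE} - C:\PROGRA~1\SHOWGR~1\Wave Window.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

CURRENT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.knpbvhscwevrzmryi.com/UyKJhY_lwFp_m0FySDOu4JddjKuiy9eihzWbL9XRkDM.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yyrtzbwrtwnfdkq.info/UyKJhY_lwFoglxYVIPhW15L5QE/IPHwpM_R7v8KkTOnKu2pkJl2_7UDP/Rccsdt7.cgi
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A4661565-1C34-6A4F-99DA-CA277DE194FE} - C:\PROGRA~1\SHOWGR~1\Wave Window.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mailshim] C:\PROGRA~1\GPLJUM~1\poll4mix.exe
O4 - HKLM\..\Run: [mail spam that tick] C:\Documents and Settings\All Users\Application Data\window shim mail spam\Bird bike.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
SHORT_NAME_RE = re.compile(r"~\d")        # an 8.3 short-name component such as PROGRA~1
VOWELS = set("aeiou")


def parse_entry(line):
    """Split one HJT line into (section, key, value); None for non-entry lines.
    The key identifies the entry across logs: registry value for R0,
    CLSID for O2, Run value name for O4."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec.startswith("R"):                    # HKCU\...\Main,Start Page = URL
        key, _, value = body.partition(" = ")
    elif sec == "O2":                          # BHO: name - {CLSID} - path
        _, key, value = body.split(" - ", 2)
    elif sec == "O4":                          # HKLM\..\Run: [name] path
        m4 = re.match(r".*\[(.+?)\] (.*)$", body)
        key, value = m4.group(1), m4.group(2).strip('"')
    else:                                      # other sections: whole body is the key
        key, value = body, ""
    return sec, key.strip(), value.strip()


def looks_random(host):
    """Crude check for a random-looking hostname: its longest label is long
    and almost vowel-free (yyrtzbwrtwnfdkq.info yes, windowsupdate no).
    A heuristic picked for this example, not an HJT rule."""
    label = max(host.lower().split("."), key=len) if host else ""
    letters = [c for c in label if c.isalpha()]
    if len(label) < 12 or not letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.25


def assess(sec, key, value):
    """Reasons an entry deserves a look; [] means nothing notable."""
    reasons = []
    if sec.startswith("R"):
        url = urlparse(value)
        if looks_random(url.hostname or ""):
            reasons.append("random-looking hostname")
        if re.search(r"(?:https?|about):", url.path + "?" + url.query):
            reasons.append("URL embeds another URL (passthrough redirector)")
    elif sec == "O2" and value.lower().endswith(".exe"):
        reasons.append("BHO target is an .exe; a BHO is an in-process COM server, normally a .dll")
    elif sec == "O4":
        if re.search(r"\\(application data|documents and settings)\\", value, re.I):
            reasons.append("autorun target sits under a data directory")
        if re.fullmatch(r"[a-z]+( [a-z]+)+", key):
            reasons.append("Run value name is a run of lowercase words, unlike vendor names such as ccApp")
    if SHORT_NAME_RE.search(value):
        reasons.append("8.3 short-name path; resolve it before assuming it is a separate file")
    return reasons


def triage(baseline_text, current_text):
    """Return (status, section, key, reasons) for every current entry that is
    new, changed, or unchanged-but-flagged, so a bad entry already present in
    the earlier log (the Wave Window BHO) is not hidden by the diff."""
    def index(text):
        return {(s, k): v for s, k, v in filter(None, map(parse_entry, text.splitlines()))}

    base, cur = index(baseline_text), index(current_text)
    findings = []
    for (sec, key), value in cur.items():
        if (sec, key) not in base:
            status = "new"
        elif base[(sec, key)] != value:
            status = "changed"
        else:
            status = "unchanged"
        reasons = assess(sec, key, value)
        if status != "unchanged" or reasons:
            findings.append((status, sec, key, reasons))
    return findings


if __name__ == "__main__":
    for status, sec, key, reasons in triage(BASELINE_LOG, CURRENT_LOG):
        print(f"[{status:9}] {sec} {key}")
        for r in reasons:
            print(f"            - {r}")
```

Run against the two logs it reports five entries: both R0 values (changed, random-looking hosts), the Wave Window BHO (unchanged, but an .exe behind a short-name path), and the two new O4 Run values. The vendor entries that appear in both logs stay silent, which is the point of diffing rather than reading every line.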
  • mmonnin, Centreville, VA
    edited August 2004
    Are you able to see Hidden and System files?
  • edited August 2004
    mmonnin wrote:
    Are you able to see Hidden and System files?

    I checked C:\WINDOWS\SYSTEM32 and can see all.
  • mondi, Icrontian
    edited August 2004
    the other infection is

    O4 - HKLM\..\Run: [mail spam that tick] C:\Documents and Settings\All Users\Application Data\window shim mail spam\Bird bike.exe

    do me a favor, get the new omegakiller in the downloads section, and send me the log file it produces ... also, after you've sent it, run it again, and send the new log file ... I've found that this new infection launches itself as a module within the address space of iexplore.exe and explorer.exe - both valid applications ...

    once I have the logs I'll be able to point you to the right files to kill, and hopefully find the exact spot where the infection is lingering...

    m
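When the persistence lives as a module inside a legitimate process, as the post above describes for iexplore.exe and explorer.exe, the check is to list what those processes have loaded and flag anything that does not come from where code is expected to live. The following is an added example for this thread, not OmegaKiller's code. It takes (process, module path) pairs as you would copy out of a per-process DLL view (Sysinternals Process Explorer; on later Windows, `Get-Process explorer | Select-Object -ExpandProperty Modules`). The module list is constructed: the legitimate modules are ordinary XP/IE files, and the placement of the two suspicious files inside these processes is a hypothetical illustration, not something the thread establishes. The trusted roots are an assumption for this box.

```python
"""Flag code mapped into explorer.exe / iexplore.exe from unexpected places.

Added example for this thread, not OmegaKiller's code. The module list is
constructed; the two suspicious placements are hypothetical."""
import re
from pathlib import PureWindowsPath

# Roots from which code is expected to load on this box (assumption for the example).
TRUSTED_ROOTS = (r"C:\WINDOWS", r"C:\Program Files")
SHORT_NAME_RE = re.compile(r"~\d")          # 8.3 component such as PROGRA~1

SAMPLE_MODULES = [
    ("explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    ("explorer.exe", r"C:\WINDOWS\system32\ntdll.dll"),
    ("explorer.exe", r"C:\WINDOWS\system32\SHELL32.dll"),
    ("explorer.exe", r"C:\Program Files\Norton AntiVirus\NavShExt.dll"),  # shell extension, expected
    ("explorer.exe", r"C:\Documents and Settings\All Users\Application Data\window shim mail spam\Bird bike.exe"),  # hypothetical placement
    ("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("iexplore.exe", r"C:\WINDOWS\system32\mshtml.dll"),
    ("iexplore.exe", r"C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"),  # the Acrobat BHO
    ("iexplore.exe", r"C:\PROGRA~1\SHOWGR~1\Wave Window.exe"),             # the O2 BHO from the log, hypothetical placement
]


def is_under(path, root):
    """Case-insensitive 'path lies inside root', compared component by
    component so a root does not match a sibling that merely shares its prefix."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = [p.lower() for p in PureWindowsPath(root).parts]
    return parts[:len(root_parts)] == root_parts


def classify_module(process, module):
    """Return reasons this module is worth a look; [] means unremarkable."""
    reasons = []
    path = PureWindowsPath(module)
    if SHORT_NAME_RE.search(module):
        # An 8.3 name cannot be compared with the roots until it is resolved;
        # the thread's c:\progra~1\intern~1\iexplore.exe is the cautionary case.
        reasons.append("8.3 short-name path; resolve to the long name before judging it")
    elif not any(is_under(module, root) for root in TRUSTED_ROOTS):
        reasons.append("loaded from outside the trusted roots")
    # The process's own image is the only .exe normally mapped into it.
    if path.suffix.lower() == ".exe" and path.name.lower() != process.lower():
        reasons.append("an .exe mapped into another process as a module")
    return reasons


def scan(modules):
    """Map (process, module) -> reasons for every flagged module."""
    flagged = {}
    for process, module in modules:
        reasons = classify_module(process, module)
        if reasons:
            flagged[(process, module)] = reasons
    return flagged


if __name__ == "__main__":
    for (process, module), reasons in scan(SAMPLE_MODULES).items():
        print(f"{process}: {module}")
        for r in reasons:
            print(f"    - {r}")
```

On the constructed list only the two hypothetical modules are flagged; the system DLLs, the Norton shell extension and the Acrobat BHO all sit under a trusted root and are left alone. The short-name branch deliberately refuses to judge `C:\PROGRA~1\...` until it is resolved, because the same 8.3 path can name the legitimate file or a look-alike, which is exactly the ambiguity the thread ran into with iexplore.exe.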
  • edited August 2004
    Hey Mondi,
    I am afraid I got ahead of the game and had already gone for and run the latest versions of Omegakiller and HJT. The log for Omegakiller has apparently been overwritten and won't show the changes. I had already run it twice prior to your message. The latest logs are below.

    Running pass number: 1

    - scanning bookmarks
    - scanning and deleting browser hijacks

    - scanning running processes..
    - scanning startup processes
    - scanning executable variants

    - scanning BHO's
    - scanning toolbars

    - no infections found, system clean on pass number: 1 ...
    - all done ...

    Logfile of HijackThis v1.98.2
    Scan saved at 3:16:06 PM, on 8/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Patrick\Desktop\johns_tools\HJT1.98\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    This is prior to opening IE 6.0 after fixing with Omegakiller and HJT 1.98. After opening IE and getting this far there is no change in the HJT log.
  • mondi, Icrontian
    edited August 2004
    looks pretty clean ... I've found that the infection can hide in IE and explorer processes though ... do you recall how many passes the killer made when you ran it? and if so, did it kill explorer for you at any point? you should be good, but let's see if it's hidden itself in that explorer process again, if so, let me know and we'll work on it from there...

    m
  • edited August 2004
    mondi wrote:
    looks pretty clean ... I've found that the infection can hide in IE and explorer processes though ... do you recall how many passes the killer made when you ran it? and if so, did it kill explorer for you at any point? you should be good, but let's see if it's hidden itself in that explorer process again, if so, let me know and we'll work on it from there...

    m

    The killer made 3 passes, and the open directory that contained it seemed to flash closed and then open. I have Opera set up for him now and he plans to avoid IE unless he has to use it.

    I think it did hide in IE, because we had it cleaned out about 10 days ago and then it came back, but I can't rule out user error. I am going to encourage him not to leave RealPlayer running at startup and accessible to the Web.

    Thanks for giving us a great tool.