
Spy Removing!

Can anyone help me fix it!

-> Image
-> Link Refer the Bar Button

PS: I tried using OmegaKiller1.2 but it's back again...

:cool:

Comments

  • Dexter, Vancouver, BC Canada
    edited August 2004
    We are going to need a bit more info than that to help you out. Start with the links in BIG RED LETTERS at the top of the page, run Ad Aware, Spybot, Hijack This, then post a log for review.

    And, I removed your image. PLEASE DO NOT POST IMAGES WITH PROFANITY IN THEM. We understand your frustration, but we're trying to run a reasonably clean site here ;)

    Dexter....
  • edited August 2004
    Here's the log...

    Logfile of HijackThis v1.97.7
    Scan saved at 6:09:08 PM, on 8/23/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    D:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\htpatch.exe
    D:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\rundll32.exe
    D:\Program Files\DirectUpdate\DUControl.exe
    C:\Program Files\WindUpdates\WinUpdt.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Documents and Settings\( r 4 z y\Application Data\nute.exe
    C:\Program Files\WindUpdates\WinKA.exe
    C:\WINDOWS\system32\uahyfmf.exe
    D:\PROGRA~1\Serv-U\SERVUT~1.EXE
    C:\WINDOWS\System32\WScript.exe
    D:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    d:\PROGRA~1\DIRECT~1\DUService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    D:\Program Files\HiJack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ( r 4 z y *loves* Michaela
    F1 - win.ini: run=C:\WINDOWS\system32\services\msxmidi.exe
    O1 - Hosts: 127.0.0.54 www.active-max.com
    O1 - Hosts: 127.0.0.26 www.mp3search.com
    O1 - Hosts: 127.0.0.95 www.rub.to
    O1 - Hosts: 127.0.0.79 spawnet.com
    O1 - Hosts: 127.0.0.93 www.spawnet.com
    O1 - Hosts: 127.0.0.84 www.mp3search.com
    O1 - Hosts: 127.0.0.2 www.lyricsdomain.com
    O1 - Hosts: 127.0.0.37 best.omega-search.com
    O1 - Hosts: 127.0.0.38 omega-search.com
    O1 - Hosts: 127.0.0.6 www.omega-search.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {49FE6728-B41C-79B7-D353-655505D92E31} - C:\WINDOWS\system32\extlo.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - D:\Program Files\Mass Downloader\MDHELPER.DLL
    O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINDOWS\system32\max8264.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [DUControl] d:\Program Files\DirectUpdate\DUControl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [SettingsSoap] C:\PROGRA~1\WAYONC~1\BindDrive.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Rdro] C:\Documents and Settings\( r 4 z y\Application Data\nute.exe
    O4 - HKCU\..\Run: [Xel] C:\WINDOWS\system32\uahyfmf.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [ServUTrayIcon] D:\PROGRA~1\Serv-U\SERVUT~1.EXE
    O4 - Startup: Express Assist Check.lnk = D:\Program Files\Express Assist\EA2Check.exe
    O4 - Startup: Stardock ObjectDock.lnk = D:\Program Files\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Search.vbs
    O8 - Extra context menu item: Download &All using Mass Downloader - D:\Program Files\Mass Downloader\Add_All.htm
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using &Mass Downloader - D:\Program Files\Mass Downloader\Add_Url.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
    O9 - Extra button: Mass Downloader (HKLM)
    O9 - Extra 'Tools' menuitem: &Mass Downloader (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Pesquisar (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: pumpErS (HKCU)
    O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=d5ce257857a083868c1f4672b0407c8b9379fe5496c0e7d74dd5b79e931ad6d6d9b0f3669e53e51b8fba848fa8088c3fc64cb0edfedca287d6c4c1b056f368:c05c8ac2b23f939ff11a0351cafa03db
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092188653330
    O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91B8D7E7-B212-41AD-98A8-4C522A9C1490}: NameServer = 200.165.132.148 200.149.55.142
  • edited August 2004
    sorry about the image ... :(
  • edited August 2004
    In the meantime I have problems with IE windows opening on the desktop; the link that opens is http://vbs.searchwww.com/vbs.cgi. I used Spybot to try to fix it but it continues... removed but it returns. I tried using Ad-Aware and NoAdware... not successfully...

    Does anyone know how to fix it?
  • edited August 2004
    Can anyone help me with this problem?
  • Dexter, Vancouver, BC Canada
    edited August 2004
    Sorry to take a while, it has been a busy few days....

    You appear to have some residual traces of an Omegasearch infection. Download OmegakillerSM v1.2 from http://www.short-media.com/download.php?dc=69. Run it first. It may remove some of the entries I mention below, so if you don't see them later, that will be why.

    Set your system to Show Hidden Files and folders.

    For Windows XP or ME, Disable System Restore.

    Reboot into Safe Mode.


    Run Hijack This. FIX THE FOLLOWING:

    **************


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ( r 4 z y *loves* Michaela

    (Did you put that in yourself? If not, remove it.)


    F1 - win.ini: run=C:\WINDOWS\system32\services\msxmidi.exe

    (This is the root of your problem, the infection reloader.)


    O2 - BHO: (no name) - {49FE6728-B41C-79B7-D353-655505D92E31} - C:\WINDOWS\system32\extlo.dll

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll

    O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - D:\Program Files\Mass Downloader\MDHELPER.DLL

    (These downloader programs usually contain adware. You should stop using them.)


    O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

    (We've seen that file before, and removing it solved the user's problem.)

    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINDOWS\system32\max8264.dll

    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll

    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe

    O4 - HKLM\..\Run: [SettingsSoap] C:\PROGRA~1\WAYONC~1\BindDrive.exe

    O4 - HKCU\..\Run: [Xel] C:\WINDOWS\system32\uahyfmf.exe

    O4 - Global Startup: Search.vbs

    (This is a Visual Basic script running from your startup folder. Unless you put that script there yourself and are absolutely sure it is not harmful, delete it.)


    O8 - Extra context menu item: Download &All using Mass Downloader - D:\Program Files\Mass Downloader\Add_All.htm
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using &Mass Downloader - D:\Program Files\Mass Downloader\Add_Url.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: Mass Downloader (HKLM)
    O9 - Extra 'Tools' menuitem: &Mass Downloader (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: pumpErS (HKCU)
    O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=d5ce257857a083868c1f4672b0407c8b9379fe5496c0e7d74dd5b79e931ad6d6d9b0f3669e53e51b8fba848fa8088c3fc64cb0edfedca287d6c4c1b056f368:c05c8ac2b23f939ff11a0351cafa03db
    O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

    **************


    Stay in Safe mode, manually locate the exe, htm and dll files in the entries above, and quarantine them.

    Reboot normally, check things out, and come back to let us know how it turned out. Post a fresh HJT log for review. If things look clean, re-enable your system restore and set a new restore point.

    Dexter...
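Added here as an example that is not part of the original thread: a small Python triage script for the HijackThis line types Dexter walks through above (F1 win.ini loader, O1 Hosts overrides, R0/R1 search-page hijacks, unnamed O2 BHOs in system32, O4 autostarts, O16 ActiveX downloads), run over a few lines copied from the posted log. The trusted-host allowlist and the flagging heuristics are my own assumptions, not HijackThis's logic, and a hit only means "look closer", not "fix".

```python
import re
from urllib.parse import urlparse
# Constructed sample: lines copied from the HijackThis v1.97.7 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
F1 - win.ini: run=C:\WINDOWS\system32\services\msxmidi.exe
O1 - Hosts: 127.0.0.54 www.active-max.com
O2 - BHO: (no name) - {49FE6728-B41C-79B7-D353-655505D92E31} - C:\WINDOWS\system32\extlo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [Rdro] C:\Documents and Settings\( r 4 z y\Application Data\nute.exe
O4 - Global Startup: Search.vbs
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
"""
TRUSTED_HOSTS = ("microsoft.com", "macromedia.com", "msn.com")  # assumed allowlist
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")
URL_RE = re.compile(r"https?://\S+")

def host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def flag_entry(kind, body):
    # Returns a reason string if this HJT entry deserves a closer look, else None.
    url, low = URL_RE.search(body), body.lower()
    if kind == "F1" and "run=" in low:
        return "win.ini run= autostart (the infection reloader in this thread)"
    if kind == "O1" and "localhost" not in low:  # hosts override of a public name
        return "Hosts file redirect: " + body.split(":", 1)[1].strip()
    if kind in ("R0", "R1") and url and not host_trusted(url.group()):
        return "IE search/start page points at an untrusted host"
    if kind == "O2" and "(no name)" in low and "\\system32\\" in low:
        return "unnamed BHO loaded from system32"
    if kind == "O4":  # drop the [Name] prefix of Run entries and keep the target
        target = re.sub(r"^\s*\[[^\]]*\]\s*", "", body.split(":", 1)[1]).strip().lower()
        if target.endswith((".vbs", ".js", ".wsf", ".bat", ".cmd")):
            return "script in an autostart location"
        if "\\application data\\" in target:
            return "autostart binary inside the user profile"
    if kind == "O16" and url and not host_trusted(url.group()):
        return "ActiveX control downloaded from an untrusted host"
    return None

def triage(log_text):
    # Parse HJT lines and return [(kind, reason, body)] for the flagged ones.
    hits = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and (reason := flag_entry(*m.groups())):
            hits.append((m.group(1), reason, m.group(2)))
    return hits
```

Running `triage(SAMPLE_LOG)` flags seven of the eight sample lines and leaves the Spybot SDHelper BHO alone; known-good entries such as the Symantec ccApp autostart or the windowsupdate.microsoft.com O16 control also pass when fed to `flag_entry`.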