Options
Spy Removing!
anyone help me fix it!
-> Image
-> Link Reffer the Bar Button
ps: i try using OmegaKiller1.2 but it's back again...
-> Image
-> Link Reffer the Bar Button
ps: i try using OmegaKiller1.2 but it's back again...
0
Comments
And, I removed your image. PLEASE DO NOT POST IMAGES WITH PROFANITY IN THEM. We understand your frustration, but we're triyng to run a reasonably clean site here
Dexter....
Logfile of HijackThis v1.97.7
Scan saved at 6:09:08 PM, on 8/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
D:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\DirectUpdate\DUControl.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\( r 4 z y\Application Data\nute.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\WINDOWS\system32\uahyfmf.exe
D:\PROGRA~1\Serv-U\SERVUT~1.EXE
C:\WINDOWS\System32\WScript.exe
D:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
d:\PROGRA~1\DIRECT~1\DUService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
D:\Program Files\HiJack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ( r 4 z y *loves* Michaela
F1 - win.ini: run=C:\WINDOWS\system32\services\msxmidi.exe
O1 - Hosts: 127.0.0.54 www.active-max.com
O1 - Hosts: 127.0.0.26 www.mp3search.com
O1 - Hosts: 127.0.0.95 www.rub.to
O1 - Hosts: 127.0.0.79 spawnet.com
O1 - Hosts: 127.0.0.93 www.spawnet.com
O1 - Hosts: 127.0.0.84 www.mp3search.com
O1 - Hosts: 127.0.0.2 www.lyricsdomain.com
O1 - Hosts: 127.0.0.37 best.omega-search.com
O1 - Hosts: 127.0.0.38 omega-search.com
O1 - Hosts: 127.0.0.6 www.omega-search.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49FE6728-B41C-79B7-D353-655505D92E31} - C:\WINDOWS\system32\extlo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - D:\Program Files\Mass Downloader\MDHELPER.DLL
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINDOWS\system32\max8264.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DUControl] d:\Program Files\DirectUpdate\DUControl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [SettingsSoap] C:\PROGRA~1\WAYONC~1\BindDrive.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Rdro] C:\Documents and Settings\( r 4 z y\Application Data\nute.exe
O4 - HKCU\..\Run: [Xel] C:\WINDOWS\system32\uahyfmf.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ServUTrayIcon] D:\PROGRA~1\Serv-U\SERVUT~1.EXE
O4 - Startup: Express Assist Check.lnk = D:\Program Files\Express Assist\EA2Check.exe
O4 - Startup: Stardock ObjectDock.lnk = D:\Program Files\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Search.vbs
O8 - Extra context menu item: Download &All using Mass Downloader - D:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using &Mass Downloader - D:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: Mass Downloader (HKLM)
O9 - Extra 'Tools' menuitem: &Mass Downloader (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Pesquisar (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: pumpErS (HKCU)
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=d5ce257857a083868c1f4672b0407c8b9379fe5496c0e7d74dd5b79e931ad6d6d9b0f3669e53e51b8fba848fa8088c3fc64cb0edfedca287d6c4c1b056f368:c05c8ac2b23f939ff11a0351cafa03db
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092188653330
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{91B8D7E7-B212-41AD-98A8-4C522A9C1490}: NameServer = 200.165.132.148 200.149.55.142
anyone know to fix it?
You appear to have some residual traces of an Omegasearch infection. Download OmegakillerSM v1.2 from http://www.short-media.com/download.php?dc=69. Run it first. It may remove some of the entries I mention below, so if you don't see them later, that will be why.
Set your system to Show Hidden Files and folders.
For Windows XP or ME, Disable System Restore.
Reboot into Safe Mode.
Run Hijack This. FIX THE FOLLOWING:
**************
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ( r 4 z y *loves* Michaela
(Did you put that in yourself? If not, remove it.)
F1 - win.ini: run=C:\WINDOWS\system32\services\msxmidi.exe
(This is the root of your problem, the infection reloader.)
O2 - BHO: (no name) - {49FE6728-B41C-79B7-D353-655505D92E31} - C:\WINDOWS\system32\extlo.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - D:\Program Files\Mass Downloader\MDHELPER.DLL
(These downloader programs usually contain adware. You should stop using them.)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
(We've seen that file before, and removing it solved the user's problem.)
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINDOWS\system32\max8264.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [SettingsSoap] C:\PROGRA~1\WAYONC~1\BindDrive.exe
O4 - HKCU\..\Run: [Xel] C:\WINDOWS\system32\uahyfmf.exe
O4 - Global Startup: Search.vbs
(This is a Visual Basic script running from your startup folder. Unless you put that script their yourself and are absolutely sure it is not harmful, delete it.)
O8 - Extra context menu item: Download &All using Mass Downloader - D:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using &Mass Downloader - D:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Mass Downloader (HKLM)
O9 - Extra 'Tools' menuitem: &Mass Downloader (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: pumpErS (HKCU)
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=d5ce257857a083868c1f4672b0407c8b9379fe5496c0e7d74dd5b79e931ad6d6d9b0f3669e53e51b8fba848fa8088c3fc64cb0edfedca287d6c4c1b056f368:c05c8ac2b23f939ff11a0351cafa03db
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
**************
Stay in Safe mode, manually locate the exe, htm and dll files in the entries above, and quarantine them.
Reboot normally, check things out, and come back to let us know how it turned out. Post a fresh HJT log for review. If things looks clean, re-enable your system restore and set a new restore point.
Dexter...