Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

omgoshtest and general help


  • Please log in to reply

#1
Jack D

Jack D

    New Member

  • Member
  • Pip
  • 3 posts
Hi. I've been trying for about a week now to clean up a computer that had been infected with about 50+ kinds of viruses and spyware and other bad things. The person who owned the computer (my friend) had been running windows XP with no security updates and no antivirus software, and accessing the internet through aol. When I first started to look at it, it was almost completely non-functional. I followed all the advice listed under things to do before posting logs, and I've taken a lot of bad stuff off the system, but before I install windows service pack 2 I was hoping someone could help me analyze my hijack this logfile and let me know if there's stuff I've missed that still on the system. I am curious in particular about "omgoshtest" since I can't find any record of what it does, and it frequently appears in places where I've found other trojans, although it isn't setting off any alarms in any tds3, avg, or ad-aware.

Anyway, here is the hijack this log. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.0
Scan saved at 7:48:39 PM, on 12/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\Program Files\QuickTime\qttask.exe
F:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\America Online 9.0\aoltray.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\Program Files\AOL Companion\companion.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\WINDOWS\system32\pctspk.exe
F:\WINDOWS\wanmpsvc.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Protection From Bad Stuff\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [RealTray] F:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [live update monitor] umxlu32.exe
O4 - HKLM\..\Run: [NTsrv.exe] NTsrv.exe
O4 - HKLM\..\Run: [Microsofts media] winmplayd.exe
O4 - HKLM\..\Run: [Windows Autoreg Reader2] omgoshtest.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [live update monitor] umxlu32.exe
O4 - HKLM\..\RunServices: [NTsrv.exe] NTsrv.exe
O4 - HKLM\..\RunServices: [Microsofts media] winmplayd.exe
O4 - HKLM\..\RunServices: [Windows Autoreg Reader2] omgoshtest.exe
O4 - HKCU\..\Run: [Windows Autoreg Reader2] omgoshtest.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = F:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = F:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Reboot.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103782736682
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - AppInit_DLLs: f:\windows\system32\d3dm.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - F:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: W2k PCtel speaker phone - PCtel, Inc. - F:\WINDOWS\system32\pctspk.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - F:\WINDOWS\wanmpsvc.exe

Thanks again (and please let me know if I can provide any more useful information).

Michael
  • 0

Advertisements


#2
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Welcome to GeeksToGo. :tazz:

We apologize for the delay in response. The forums have been very busy lately.

I can't believe nothing picked these things up!!! :mad:

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

O4 - HKLM\..\Run: [live update monitor] umxlu32.exe
O4 - HKLM\..\Run: [NTsrv.exe] NTsrv.exe
O4 - HKLM\..\Run: [Microsofts media] winmplayd.exe
O4 - HKLM\..\Run: [Windows Autoreg Reader2] omgoshtest.exe
O4 - HKLM\..\RunServices: [live update monitor] umxlu32.exe
O4 - HKLM\..\RunServices: [NTsrv.exe] NTsrv.exe
O4 - HKLM\..\RunServices: [Microsofts media] winmplayd.exe
O4 - HKLM\..\RunServices: [Windows Autoreg Reader2] omgoshtest.exe
O4 - HKCU\..\Run: [Windows Autoreg Reader2] omgoshtest.exe
O4 - Global Startup: Reboot.exe
O20 - AppInit_DLLs: f:\windows\system32\d3dm.dll

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Please delete these files using Windows Explorer(if present):

f:\windows\system32\d3dm.dll

We need to do a search. Start | Search | For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:

"omgoshtest.exe","winmplayd.exe","NTsrv.exe","umxlu32.exe"

If any of them are found delete them. Please also note down the location so that I can get a clearer picture of things.

Now you can restart the computer normally.
Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. ;)
  • 0

#3
Jack D

Jack D

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi. Thanks very much for your help. I've just followed your instructions. In safe mode, I did not find the d3dm.dll file, and the search turned up no results. I'm hoping this is a good thing, but anyway, here is the new log:

Logfile of HijackThis v1.99.0
Scan saved at 8:17:10 PM, on 1/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\Program Files\QuickTime\qttask.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\AOL Companion\companion.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\WINDOWS\system32\pctspk.exe
F:\WINDOWS\wanmpsvc.exe
C:\Program Files\Protection From Bad Stuff\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [RealTray] F:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = F:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = F:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103782736682
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - F:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: W2k PCtel speaker phone - PCtel, Inc. - F:\WINDOWS\system32\pctspk.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - F:\WINDOWS\wanmpsvc.exe

If that's clean I'm going to try to install service pack 2. Thanks again so much.
  • 0

#4
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
The log looks good now. Great job! :tazz:

Here are some tips, in order to reduce the potential for future malware infections. ;)
  • Secure Internet Explorer - The most common reason that malware installs itself is that your Internet Explorer security settings are set too low.
    • Open Internet Explorer.
    • Click on the "Tools" menu and select "Internet Options...".
    • If not already selected, select the "Security" tab.
    • Click on "Internet" so that it becomes highlighted and then click "Custom Level...".
    • In the "Reset to:" drop-down menu select "Medium".
    • Click "Reset" and choose "Yes" at the prompt to reset the security settings.
    • Click "OK" to return to the Security menu.
    • Repeat the same steps for "Local intranet", "Trusted sites", "Restricted sites" with these security settings:
      • "Local intranet" - "Medium-low"
      • "Trusted sites" - "Low"
      • "Restricted sites" - "High"
    • Finally, click "Apply" and then "OK" to apply the settings that you set.
  • Windows Update - It is absolutely imperative that you stay on top of all updates to your operating system and browser. Malware authors and hackers make use of the many loopholes found in Microsoft's code. Keeping your system up to date is one of the most important steps in preventing infection.
  • Spybot - Search & Destroy - Spybot - Search & Destroy is an excellent general anti-malware tool. It has the ability to scan your system for all kinds of malware and even offers TeaTimer and SDHelper in order to provide real-time protection from malware.
  • Ad-Aware SE - Ad-Aware SE, like Spybot - Search & Destroy, is another general anti-malware solution which offers scanning. Both programs will often catch something the other cannot. It is best to use both of these wonderful programs in tandem so that you maximize the detection capabilities.
  • SpywareBlaster - SpywareBlaster offers real-time protection against malicious ActiveX controls. This will stop most of the drive-by malware installations that have been very common recently. The best part is, this program does not need to run in the background, so it uses no resources!
  • IE-SpyAd - IE-SpyAd attempts to stop malware infections by placing a huge list of known malicious sites into Internet Explorer's Restricted Sites list. If you accidentally come upon a harmful site, the Restricted Sites zone will hinder its maliciousness.
  • HOSTS - The HOSTS file is the Windows solution to malware prevention. By placing harmful sites in the HOSTS file, you are effectively denying your computer access to the site, and denying the site access to your computer.
  • Update Programs Regularly - Just as with your operating system and browser, the five aforementioned utlitlies are in need of constant updating. Malware changes everyday and is critical to be prepared at all times.
  • Get A New Browser - The recent outburst of malware that has taken the Internet and the world by storm. More and more people are realizing that Internet Explorer is a terribly insecure browser. Since then, several great browsers have been developed to dull the blow of malware. Besides offering improved security, alternate browers supply many new features. These are the browsers I currently recommend:
    • Opera - Opera is the perfect browser for me. While the free version displays an ad, it makes up for it with it's huge amount of features and customizable interface.
    • Mozilla Firefox - Firefox is the alternate browser of choice for many around the world. It's strength lies in the large amount of extensiosn that can be applied.
I encourage you to at least consider following some of these steps. It is important that everyone learn how to combat these evil creations.
  • 0

#5
Jack D

Jack D

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Ok! Thanks again. I'm now using a lot of the programs you recommended.
  • 0

#6
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Glad that we could be of service. Thanks for cooperating with me. :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP