Why you should consider it: Omegasearch hijacks your web browser and you don’t want it. This is Short-Media.com’s how-to guide on what Omegasearch is, why you may not want it, and how to get rid of Omegasearch.
OmegaKillerSM 1.0 has been released by Short-Media as of July 21, 2004!
CRITICAL NOTICE: This article details a system of removal that is still valid, but obsolete. Short-Media has developed a free automatic removal tool: OmegaKillerSM 1.0
Is your Internet searching going places you don’t want to? Do you feel someone
else is in control? Omegasearch may be the culprit and it’s a pesky program
you may have installed without knowing. This is Short-Media.com’s how-to guide
on what Omegasearch is, why you may not want it, and how to get rid of Omegasearch.
What Is Omegasearch?
Omegasearch is the latest in a long list of what are known as “browser
hijackers.” A Hijacker serves a very simple, yet often highly annoying
function: it hijacks your browser’s presets for “home” and “search”
and steers them on a different course. As a user, this means that the home page
you prefer when opening a browser window, or the search engine you prefer when
clicking on your search button, are taken away from you.
When a program like Omegasearch has control then every time you open a browser
window or attempt a search, you are sent to the hijacker’s site. Why?
Money, money, money.
Every hit on their page is an increase in their traffic count. In the world
of internet advertising, traffic is the single most important consideration.
How many “eyeballs” you can deliver each day determines how many advertisers
pay top dollar to be on your search page. If you do a search through the search
engine of a hijacker’s site, the top search results will often have very little
to do with your query terms, and will almost always be paid advertisers. If
you click any of those links, you just put money in the hijacker’s pockets.
Advertiser’s pay by the “click-through”, the more clicks that lead
from the hijackers’ site to an advertiser’s site, the more money changes hands.
A nickel here, a quarter there….with thousands or even millions of click-throughs
per day, the hijackers can stand to make a nifty chunk of change. For that,
they are willing to annoy the heck out of you by infiltrating your computer,
and making themselves hard to remove.
Warning: read the following completely
before attempting. You do so at your own risk but removal instructions are included
in this guide should your browser already be hijacked by Omega search or become
hijacked.
Just for the fun of it, and to prove my point, go to Omegasearch.com. If you are already hijacked, you won’t even need to type that in, it will
conveniently 😉 appear for you when you open a browser page. If you are not
hijacked, make sure you have good security settings on your browser, set ActiveX
and Java permissions to “disable” or “prompt” to be safe.
If this little exercise does hijack you, never fear, we will tell you how to
get rid of Omegasearch shortly. Okay, so now you should be at Omegasearch’s
home page. Click in the search dialog box, and type in “short-media.com”
(without the quotes) and press the search button. On a reputable search engine
such as Google, Yahoo or MSN, your very first hit should be for our site. Your
other hits may take you to other tech sites that have linked to articles on
our site. But all of your first page hits should have something to do with our
site. On Omegasearch, your top hits will include a copier rental service, a
company selling thermal devices, and a couple of different media related companies,
all of whom are trying to sell you something. (Please do not click on any links,
don’t put any money in these scoundrel’s pockets.) If you want to have even
more fun, search again, using the query “remove Omegasearch + short-media.com”
Care to wager if your top link will take you back to this very article?
Hijackers like Omegasearch are often reincarnations of another version of themselves.
Omegasearch is actually “Lop.com”, and both names are copyrighted
by Search Web Now. In 6 months, after everyone has figured them out and gotten
rid of them, and their traffic declines, they will reincarnate as something
else.
How Did I Get Hijacked?
Okay, now that you know what you are dealing with, you can imagine that they
have no desire to make it easy for you to not come to their site any more. Most
hijackers, Omegasearch included, will have links marked “Help” or
“Support.” If you follow the links long enough, you may find some
helpful answers to questions like “How did (insert site name here) become
my homepage?” and “How do uninstall one of your software products?”
(They like to make themselves sound like they are providing you with “software
products”, not hijacking your browser.) Let’s start with the first question,
how did this site become your browser home/search page? According to Omegasearch:
This could happen one of several ways.
You could have clicked the ‘make start page’ link on the main Lop.com webpage.
You could have downloaded and installed one of our many software applications.
In the terms and conditions of any of our software products it is clearly stated
that we grant you a free license to use the software and by installing the software
on your computer you agree to use our search services in your web browser. Any
and all changes made to your system are clearly stated in the terms and conditions
and are fully uninstallable via the ‘Help’ then ‘uninstall’ option on any of
our software applications. Additionally a separate uninstall program may be
downloaded here
The likelihood of the first option being true is infinitesimally small.
The second option is much more likely: you may have installed some free utility
or software on your computer recently. Well, not everything free is really free.
If you succumbed to the temptation to “add smilies to your Outlook E-mail”
or were concerned that “Your computer’s date and time appeared to be incorrect”
or you really, really, really wanted a “Weatherbug” on your computer,
chances are that the “free” software you recently installed contained
the hijack software which has done the damage. Who really ever reads the fine
print in the End User License Agreement, right? By clicking next-next-next,
you inadvertently installed the hijacker on your box. You have now learned what
I call Heinlein’s Axiom: TANSTAAFL. There Ain’t No Such Thing As A Free Lunch.
That “free” software was just a hook, and you bit it, swallowed the
bait, and are now pumping money into the hijacker’s tackle box.
There is one more main method of getting hijacked that you should know about.
It’s what this writer likes to call a “drive-by” hijacking. This is
where your browser gets hijacked while you are browsing. Many users have low
security settings on their browsers. As alluded to above, ActiveX and Java permissions
are very important. Low security settings for these options allow malicious
scripts to execute on your computer without your permission, or often they trick
you by asking you to click OK to continue, which actually executes the script.
Drive-bys are commonly encountered when mistyping a website address into address
bar. Hijackers will scoop up typo’d versions of common site names, hoping to
snare more victims. People surfing for free porn, or “warez” are often
hijacked as well. When you suddenly get dozens of browser windows pop-up at
you, and the odd dialog box or two requesting permission to download something
to your computer, it is easy to get flustered and hit OK to the wrong dialog,
and the next thing you know, you are now a “happy” Omegasearch surfer…NOT!
If you want to know more about setting good security settings on Internet Explorer,
read Short-Media’s guide to defeating spyware.
How to Get Rid of Omegasearch?
If you go their Help page, you will find a handy link to an uninstaller.
DO NOT USE IT.
In most cases, the uninstaller will actually temporarily uninstall their homepage,
but the next time you open a browser window, you likely will see an “error”
message telling you that your browser is missing a component and cannot continue
unless you download this component by “clicking here.” If you have
already guessed that the missing component is actually the hijacker’s software,
score yourself 20 points.
So, armed with all this knowledge, here is how to remove Omegasearch, step
by step:
Step 1
If you are running Windows XP, disable the System Restore. Click on START MENU
-> Control Panel -> System. This will bring up the System Properties window.
Click on the System Restore tab, and click the check box beside “Turn Off
System Restore on all drives. Hit Apply, then OK. This will make sure that the
hijack settings do not get saved into your system restore points, and inadvertently
get reinstalled if you need to do a system restore in the near future.
Step 2
Download the program Hijack This from Short-Media’s download page. (All downloads
on our servers are virus scanned) and save it to desktop. Make a New Folder
called Hijack This, and move the program into there. This step is important,
as Hijack This will save backup’s of changes made, and you want them saved to
a Folder, not cluttering up your desktop.)
Step 3
Reboot your PC in SAFE MODE. If you do not know how to do this, it is very
simple. After rebooting, keep tapping the F8 key on your keyboard. Very soon,
you will see a text menu come up with several boot options. Choose the one that
says SAFE MODE, without any other options like Networking or Command Prompt.
By rebooting in safe mode, your PC runs only the processes necessary to boot
up, and makes no network / ethernet connections. This helps ensure that the
programs that are running the Omegsearch hijack are not active while you try
to clean them off your computer.
Step 4
Locate the Hijack This folder you made in Step 2 and open it. Find the Hijack
This program, and double-click to run it.
Press the SCAN button. You will get a list like this:
Now be VERY CAREFUL. Many of the items listed in the scan will be legitimate
items installed by software you actually want to use. Do not remove any items
unless you are sure they are not needed. If you are unsure, use the Save Log
feature to save your log as a text file, and post it here in our Security Forums, asking for advice.
One or more of our many knowledgeable users will be happy to help you clean
and tweak your settings. (To save a log, click Save Log, and call it HJTlog-date.txt.
Then open the .txt file, copy all the text, and paste it into your post in our
forums.)
Back to checking your scan. Look for and check off all of the following items:
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://omegasearch.com/searchbar.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://omegasearch.com/searchbar.html
R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://omegasearch.com/passthrough/…p://about_:blank
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://omegasearch.com/searchbar.html
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://omegasearch.com/searchbar.html
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://omegasearch.com/searchbar.html
R0 – HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://omegasearch.com/searchbar.html
The numbers might not match up to the ones here, but the strings will be basically
identical.
Now for the tricky part. Since this article was first published, we have discovered
many variations of the Omegasearch infection. When it installs itself on your
computer, Omegasearch randomly generates names of folders and files which are
part of the infection. Because we have helped many people clean this thing off
their computers, we have been able to identify certain key words used to create
the random names. We are posting this updated information in this thread on
our forums.
If any of the names of items here match those in your HJT log, select them
as well. If the items do not match identically, but you see some strange names
with similar key words, select them. If you are not sure, or not comfortable
making that jdugement call on your own, or if none of those key words match
your HJT log, then post the log to our Security Forum
and we will be happy to help you.
After selecting the correct items, click the Fix Checked button, and press Yes
to the confirmation prompt. Close Hijack This.
Step 5
To help clean the trash off of your computer, delete the files installed on
your hard drive by the installer. These are almost always located in the Program
Files folder, with a name you will be able to determine from your HJT log. For
instance, if the HJT entry says:
O4 – HKLM..Run: [bore atom] C:PROGRA~1GPLAXI~1Bluethat.exe
The files are located in C:PROGRAM FILES and then in a folder that starts
with GPLAXI and could have any characters in the name after those. You will
need to delete the entire folder. If you want to be sure that you are not deleting
something you actually want on your computer, you can either just not empty
the trash can yet, or instead of deleting, you can just rename the folder, or
move it from Program Files to somewhere else. Also, if you have your Program
Files folder on a different hard drive than C:, then you will need to check
there for any matches.
Once again, because the file names here are random, you can check our Updated
Information Thread
to try and match those names up. If you are unsure, post your log for help in
our Security Forum.
Step 6
Reboot your computer normally. Then, open a browser window, and check both
your home page and your search page. If you still have Omegasearch, re-run Hijack
This and post the log to our Security Forums for additional help.
If Omegasearch is gone from your computer, you need to re-enable XP system
restore, and create a new restore point. Click Start -> All Programs ->
Accessories -> System Tools -> System Restore. When the System Restore
Utility opens, click “Create a Restore Point” then click Next. Enter
a name for this Restore Point (I would just use the date, or “After Sweeping
Spyware” or something to that effect), and click Create. This will create
a new restore point that should not have the Omegasearch items in it.
After doing all that, I strongly recommend you read Short-Media’s article on
defeating
spyware and pay particular attention to the section titled “An Ounce
of Prevention.” Also, if you notice that your hijack this log has entries
similar to the other ones mentioned in that article, use the Defeat Spyware
Cocktail of programs to cleanse your computer of spyware. Secure browser settings
and smarter surfing habits will help keep your computer free of this, and other
irritants.
If you came across this Short-Media.com guide because you had Omegasearch on
your computer, and you were desperately searching for a solution, I hope you
will stop by our forums,
register as a user (it’s free!) and join our growing community. Our knowledgeable
users have vast and varied tech experience, and will be happy to help you with
any other system problems or questions you may have.
Guide updated 15 April 04, Dexter
Articles RSS