If geeks love it, we’re on it

Remove Omegasearch

Remove Omegasearch

Why you should consider it: Omegasearch hijacks your web browser and you don’t want it. This is Short-Media.com’s how-to guide on what Omegasearch is, why you may not want it, and how to get rid of Omegasearch.

OmegaKillerSM 1.0 has been released by Short-Media as of July 21, 2004!


CRITICAL NOTICE: This article details a system of removal that is still valid, but obsolete. Short-Media has developed a free automatic removal tool: OmegaKillerSM 1.0

Is your Internet searching going places you don’t want to? Do you feel someone
else is in control? Omegasearch may be the culprit and it’s a pesky program
you may have installed without knowing. This is Short-Media.com’s how-to guide
on what Omegasearch is, why you may not want it, and how to get rid of Omegasearch.

What Is Omegasearch?

Omegasearch is the latest in a long list of what are known as “browser
hijackers.” A Hijacker serves a very simple, yet often highly annoying
function: it hijacks your browser’s presets for “home” and “search”
and steers them on a different course. As a user, this means that the home page
you prefer when opening a browser window, or the search engine you prefer when
clicking on your search button, are taken away from you.

When a program like Omegasearch has control then every time you open a browser
window or attempt a search, you are sent to the hijacker’s site. Why?

Money, money, money.

Every hit on their page is an increase in their traffic count. In the world
of internet advertising, traffic is the single most important consideration.
How many “eyeballs” you can deliver each day determines how many advertisers
pay top dollar to be on your search page. If you do a search through the search
engine of a hijacker’s site, the top search results will often have very little
to do with your query terms, and will almost always be paid advertisers. If
you click any of those links, you just put money in the hijacker’s pockets.
Advertiser’s pay by the “click-through”, the more clicks that lead
from the hijackers’ site to an advertiser’s site, the more money changes hands.
A nickel here, a quarter there….with thousands or even millions of click-throughs
per day, the hijackers can stand to make a nifty chunk of change. For that,
they are willing to annoy the heck out of you by infiltrating your computer,
and making themselves hard to remove.

Warning: read the following completely
before attempting. You do so at your own risk but removal instructions are included
in this guide should your browser already be hijacked by Omega search or become
hijacked.

Just for the fun of it, and to prove my point, go to Omegasearch.com. If you are already hijacked, you won’t even need to type that in, it will
conveniently 😉 appear for you when you open a browser page. If you are not
hijacked, make sure you have good security settings on your browser, set ActiveX
and Java permissions to “disable” or “prompt” to be safe.
If this little exercise does hijack you, never fear, we will tell you how to
get rid of Omegasearch shortly. Okay, so now you should be at Omegasearch’s
home page. Click in the search dialog box, and type in “short-media.com”
(without the quotes) and press the search button. On a reputable search engine
such as Google, Yahoo or MSN, your very first hit should be for our site. Your
other hits may take you to other tech sites that have linked to articles on
our site. But all of your first page hits should have something to do with our
site. On Omegasearch, your top hits will include a copier rental service, a
company selling thermal devices, and a couple of different media related companies,
all of whom are trying to sell you something. (Please do not click on any links,
don’t put any money in these scoundrel’s pockets.) If you want to have even
more fun, search again, using the query “remove Omegasearch + short-media.com”
Care to wager if your top link will take you back to this very article?

Hijackers like Omegasearch are often reincarnations of another version of themselves.
Omegasearch is actually “Lop.com”, and both names are copyrighted
by Search Web Now. In 6 months, after everyone has figured them out and gotten
rid of them, and their traffic declines, they will reincarnate as something
else.

How Did I Get Hijacked?

Okay, now that you know what you are dealing with, you can imagine that they
have no desire to make it easy for you to not come to their site any more. Most
hijackers, Omegasearch included, will have links marked “Help” or
“Support.” If you follow the links long enough, you may find some
helpful answers to questions like “How did (insert site name here) become
my homepage?” and “How do uninstall one of your software products?”
(They like to make themselves sound like they are providing you with “software
products”, not hijacking your browser.) Let’s start with the first question,
how did this site become your browser home/search page? According to Omegasearch:

This could happen one of several ways.

You could have clicked the ‘make start page’ link on the main Lop.com webpage.

You could have downloaded and installed one of our many software applications.
In the terms and conditions of any of our software products it is clearly stated
that we grant you a free license to use the software and by installing the software
on your computer you agree to use our search services in your web browser. Any
and all changes made to your system are clearly stated in the terms and conditions
and are fully uninstallable via the ‘Help’ then ‘uninstall’ option on any of
our software applications. Additionally a separate uninstall program may be
downloaded here

The likelihood of the first option being true is infinitesimally small.

The second option is much more likely: you may have installed some free utility
or software on your computer recently. Well, not everything free is really free.
If you succumbed to the temptation to “add smilies to your Outlook E-mail”
or were concerned that “Your computer’s date and time appeared to be incorrect”
or you really, really, really wanted a “Weatherbug” on your computer,
chances are that the “free” software you recently installed contained
the hijack software which has done the damage. Who really ever reads the fine
print in the End User License Agreement, right? By clicking next-next-next,
you inadvertently installed the hijacker on your box. You have now learned what
I call Heinlein’s Axiom: TANSTAAFL. There Ain’t No Such Thing As A Free Lunch.
That “free” software was just a hook, and you bit it, swallowed the
bait, and are now pumping money into the hijacker’s tackle box.

There is one more main method of getting hijacked that you should know about.
It’s what this writer likes to call a “drive-by” hijacking. This is
where your browser gets hijacked while you are browsing. Many users have low
security settings on their browsers. As alluded to above, ActiveX and Java permissions
are very important. Low security settings for these options allow malicious
scripts to execute on your computer without your permission, or often they trick
you by asking you to click OK to continue, which actually executes the script.
Drive-bys are commonly encountered when mistyping a website address into address
bar. Hijackers will scoop up typo’d versions of common site names, hoping to
snare more victims. People surfing for free porn, or “warez” are often
hijacked as well. When you suddenly get dozens of browser windows pop-up at
you, and the odd dialog box or two requesting permission to download something
to your computer, it is easy to get flustered and hit OK to the wrong dialog,
and the next thing you know, you are now a “happy” Omegasearch surfer…NOT!
If you want to know more about setting good security settings on Internet Explorer,
read Short-Media’s guide to defeating spyware.

How to Get Rid of Omegasearch?

If you go their Help page, you will find a handy link to an uninstaller.

DO NOT USE IT.

In most cases, the uninstaller will actually temporarily uninstall their homepage,
but the next time you open a browser window, you likely will see an “error”
message telling you that your browser is missing a component and cannot continue
unless you download this component by “clicking here.” If you have
already guessed that the missing component is actually the hijacker’s software,
score yourself 20 points.

So, armed with all this knowledge, here is how to remove Omegasearch, step
by step:

Step 1

If you are running Windows XP, disable the System Restore. Click on START MENU
-> Control Panel -> System. This will bring up the System Properties window.
Click on the System Restore tab, and click the check box beside “Turn Off
System Restore on all drives. Hit Apply, then OK. This will make sure that the
hijack settings do not get saved into your system restore points, and inadvertently
get reinstalled if you need to do a system restore in the near future.

Step 2

Download the program Hijack This from Short-Media’s download page. (All downloads
on our servers are virus scanned) and save it to desktop. Make a New Folder
called Hijack This, and move the program into there. This step is important,
as Hijack This will save backup’s of changes made, and you want them saved to
a Folder, not cluttering up your desktop.)


Step 3

Reboot your PC in SAFE MODE. If you do not know how to do this, it is very
simple. After rebooting, keep tapping the F8 key on your keyboard. Very soon,
you will see a text menu come up with several boot options. Choose the one that
says SAFE MODE, without any other options like Networking or Command Prompt.
By rebooting in safe mode, your PC runs only the processes necessary to boot
up, and makes no network / ethernet connections. This helps ensure that the
programs that are running the Omegsearch hijack are not active while you try
to clean them off your computer.

Step 4

Locate the Hijack This folder you made in Step 2 and open it. Find the Hijack
This program, and double-click to run it.

hjt01

Press the SCAN button. You will get a list like this:

hjt02

Now be VERY CAREFUL. Many of the items listed in the scan will be legitimate
items installed by software you actually want to use. Do not remove any items
unless you are sure they are not needed. If you are unsure, use the Save Log
feature to save your log as a text file, and post it here in our Security Forums, asking for advice.
One or more of our many knowledgeable users will be happy to help you clean
and tweak your settings. (To save a log, click Save Log, and call it HJTlog-date.txt.
Then open the .txt file, copy all the text, and paste it into your post in our
forums.)

Back to checking your scan. Look for and check off all of the following items:

R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://omegasearch.com/searchbar.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://omegasearch.com/searchbar.html
R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://omegasearch.com/passthrough/…p://about_:blank
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://omegasearch.com/searchbar.html
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://omegasearch.com/searchbar.html
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://omegasearch.com/searchbar.html
R0 – HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://omegasearch.com/searchbar.html

The numbers might not match up to the ones here, but the strings will be basically
identical.

Now for the tricky part. Since this article was first published, we have discovered
many variations of the Omegasearch infection. When it installs itself on your
computer, Omegasearch randomly generates names of folders and files which are
part of the infection. Because we have helped many people clean this thing off
their computers, we have been able to identify certain key words used to create
the random names. We are posting this updated information in this thread on
our forums.

If any of the names of items here match those in your HJT log, select them
as well. If the items do not match identically, but you see some strange names
with similar key words, select them. If you are not sure, or not comfortable
making that jdugement call on your own, or if none of those key words match
your HJT log, then post the log to our Security Forum
and we will be happy to help you.

After selecting the correct items, click the Fix Checked button, and press Yes
to the confirmation prompt. Close Hijack This.

Step 5

To help clean the trash off of your computer, delete the files installed on
your hard drive by the installer. These are almost always located in the Program
Files folder, with a name you will be able to determine from your HJT log. For
instance, if the HJT entry says:

O4 – HKLM..Run: [bore atom] C:PROGRA~1GPLAXI~1Bluethat.exe

The files are located in C:PROGRAM FILES and then in a folder that starts
with GPLAXI and could have any characters in the name after those. You will
need to delete the entire folder. If you want to be sure that you are not deleting
something you actually want on your computer, you can either just not empty
the trash can yet, or instead of deleting, you can just rename the folder, or
move it from Program Files to somewhere else. Also, if you have your Program
Files folder on a different hard drive than C:, then you will need to check
there for any matches.

Once again, because the file names here are random, you can check our Updated
Information Thread
to try and match those names up. If you are unsure, post your log for help in
our Security Forum.

Step 6

Reboot your computer normally. Then, open a browser window, and check both
your home page and your search page. If you still have Omegasearch, re-run Hijack
This and post the log to our Security Forums for additional help.

If Omegasearch is gone from your computer, you need to re-enable XP system
restore, and create a new restore point. Click Start -> All Programs ->
Accessories -> System Tools -> System Restore. When the System Restore
Utility opens, click “Create a Restore Point” then click Next. Enter
a name for this Restore Point (I would just use the date, or “After Sweeping
Spyware” or something to that effect), and click Create. This will create
a new restore point that should not have the Omegasearch items in it.

After doing all that, I strongly recommend you read Short-Media’s article on
defeating
spyware
and pay particular attention to the section titled “An Ounce
of Prevention.” Also, if you notice that your hijack this log has entries
similar to the other ones mentioned in that article, use the Defeat Spyware
Cocktail of programs to cleanse your computer of spyware. Secure browser settings
and smarter surfing habits will help keep your computer free of this, and other
irritants.

If you came across this Short-Media.com guide because you had Omegasearch on
your computer, and you were desperately searching for a solution, I hope you
will stop by our forums,
register as a user (it’s free!) and join our growing community. Our knowledgeable
users have vast and varied tech experience, and will be happy to help you with
any other system problems or questions you may have.

Guide updated 15 April 04, Dexter

Comments

  1. Shorty
    Shorty An awesome read Dexter.

    I haven't been unlucky enough to suffer it .. but :eek:.. I never realised the kind of havoc it does cause :mad:
  2. primesuspect
    primesuspect Great article Dexter. :)

    People should understand that if they have OmegaSearch/C2.LOP/LOP.COM installed on their computer, it's usually a symptom of a larger problem, and chances are they have other adware/malware on their computers as well. I would highly recommend that anybody who has benefited from this article run a spybot scanner such as AdAware or SpyBot Search & Destroy (or both), because it's a very good bet that they have other malicious software going on.
  3. EyesOnly
    EyesOnly Nice guide. Let's hope i never have to follow it. :)
  4. Unregistered Spybot S&D will stop your system from being HJ'd. I would highly recommend everyone to install this puppy. It doesn't have any built in SB either! :D
  5. Dexter
    Dexter Good advice, guest.

    Spybot S&D version 1.2: http://download.com.com/3000-8022-10194058.html?tag=lst-0-2

    Dexter...
  6. wcube
    wcube Dexter,
    I need help. I went through and tried all the methods of removing omegasearch.com byt the bar at the bootom of my page just will not go away. Help
    Willie
  7. Kwitko
    Kwitko Run HiJackThis and copy and paste the log here. Perhaps you still have some remnants left over.
  8. Jessica
    Jessica Can't seem to get rid of omegasearch. Any help would be appreciated.

    thx
    Jess


    Scan saved at 12:03:38 AM, on 15/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\DEFAUL~1\Delete Web Proc.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\The Crook\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {DE761B33-CB30-71B5-BF7F-B2721AA000B4} - C:\PROGRA~1\CAKEFI~1\htmtwo.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Loadbalmlite - {E396CC0F-29EE-75D2-A5FA-BEDE2A709103} - C:\PROGRA~1\CAKEFI~1\htmtwo.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [book send] C:\PROGRA~1\DEFAUL~1\Delete Web Proc.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  9. Unregistered What a great team you lot are, got rid of it in seconds when i've been trying for two days.

    THANK YOU

    Clive
  10. Queiz
    Queiz I just wanted to say that I've got omega search twice now. I just formated my computer clean, back to surfin the web (i'm a pretty cautious web surfing.. never click on the yes to install apps and other things that promt always get turned down). I was surfing the web for 5 minutes before I open another web window and find that familiar application is back. This means that this app got installed by just my browser viewing a pop-up they had off some site. I also was only lookin at military sites for information on a plane when this happened (wasn't a military site as i've used these before and been fine, but a pop-up that came from one of the other links I selected from a search engine on military planes). Anyways, just makes you so agrivated with these people that do this, and all the trouble you have to go through to remove it when you haven't even installed anything! Just a heads up that omegasearch is full of crap when they say you have to consciously click yes to instal something, or supose to know that its being installed.
  11. shwaip
    shwaip @Jessica

    follow the instructions here to delete

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O2 - BHO: (no name) - {DE761B33-CB30-71B5-BF7F-B2721AA000B4} - C:\PROGRA~1\CAKEFI~1\htmtwo.dll
    O3 - Toolbar: Loadbalmlite - {E396CC0F-29EE-75D2-A5FA-BEDE2A709103} - C:\PROGRA~1\CAKEFI~1\htmtwo.dll
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - HKLM\..\Run: [book send] C:\PROGRA~1\DEFAUL~1\Delete Web Proc.exe
  12. quick116
    quick116 Hello!

    My Computer has been hijacked by Omegasearch :mean:

    I have run both Adaware pro and spybot without any effect.
    I have even edited the registry, as described in one of the other threads on the forum, but no go!

    All the entries containing omegasearch in the attached log from hijackthis, have also been deleted by means of the software, but omegasearch keeps coming back.

    Could anyone of you please advise?

    regards

    Quick116

    Logfile of HijackThis v1.97.7
    Scan saved at 18:08:11, on 15.04.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Eicon\Diva\DiTask.exe
    C:\Program Files\Eicon\Diva\Divamon.exe
    C:\Program Files\Eicon\Diva\watch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\PROGRA~1\1 acid web\Dashlogo.exe
    C:\Program Files\Norman\NPF\NPFMSG.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norman\NPF\NPFSVICE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Rune Klingsheim\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = omegasearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/no/nor/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/no/nor/gen/default.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/no/nor/gen/default.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=ftp://xbox@192.168.1.4/:21
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
    O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
    O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
    O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [ErrorAnte] C:\PROGRA~1\1 acid web\Dashlogo.exe
    O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
    O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NPF Messenger.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37971.5943518519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  13. mondi
    mondi @ quick116

    please go to this new thread for instructions

    omegasearch - quick116
  14. Queiz
    Queiz I posted a message earlier today. I did everything as instructed from the instructions on how to get ride of this hijacking criminal software. Not only does it keep coming back on reboots, but it never is able to change my start page, though it changes where its directed, it still loads http://omegasearch.com/passthrough/index.html?http://www.msn.com
    I have rebooted, run HijackThis and updated spybot updated it, did a full scan and immunitized. Rebooted and everything is back to omegasearch when it comes back up. Please help so I don't have to format again! Thanks :cool2:

    NOTE: R0 - HKCU... omegasearch line in the HijackThis deletes durring the current session, but is always there when I reboot. (Its been deleted 6 times now)


    Logfile of HijackThis v1.97.7
    Scan saved at 10:37:22 AM, on 4/15/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\PROGRA~1\Cool Type Hope\mpeg open.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Starr\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A64A1260-81B9-D7D1-1AC0-2FB1EC652C2E} - C:\PROGRA~1\MP3TRU~1\grim site.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O3 - Toolbar: iso great - {6D2FD553-C303-54AF-55F3-EB7A9944DB44} - C:\PROGRA~1\MP3TRU~1\grim site.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pure once] C:\PROGRA~1\Cool Type Hope\mpeg open.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  15. ginipig
    ginipig I've yet to read any guides, but won't AdwareBlaster (or any other spyware-removal tool that offers I.E locks) protect consumers from the Omega-Syndrome?
  16. shwaip
    shwaip @queiz

    use the instructions here:
    http://www.short-media.com/forum/showthread.php?t=12173

    get rid of
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
    O2 - BHO: (no name) - {A64A1260-81B9-D7D1-1AC0-2FB1EC652C2E} - C:\PROGRA~1\MP3TRU~1\grim site.dll
    O4 - HKLM\..\Run: [Pure once] C:\PROGRA~1\Cool Type Hope\mpeg open.exe


    @anyone who can....
    can you put a link to this in the original article:

    http://www.short-media.com/forum/showthread.php?t=12173
  17. Dexter
    Dexter ATTENTION OMEGASEARCH POSTERS:

    Please do not post your Hijack This logs in this thread. Please go to our Security - Software/Virus/Trojan Forum located here. If you post your logs here, we may miss them, and not be able to help you...which we really want to do!

    ***IF YOU NEED TO POST YOUR HIJACK THIS LOG FOR HELP, PLEASE DO SO IN YOUR OWN NEW THREAD, AND CALL IT "OMEGASEARCH - (YOUR USERNAME)" DO NOT ADD YOUR LOG TO SOMEONE ELSE'S EXISTING THREAD. IF YOU ADD TO SOMEONE ELSE'S THREAD, WE MAY MISS YOUR NEW POST AND BE UNABLE TO HELP YOU.*****

    Make sure you first check the instructions for the names of the latest known file name variants in our Updated Instructions Post.

    While you are waiting for help with your post, please feel free to browse the rest of our site - we have what we feel is the best little Tech Community on the Net, with friendly and knowledgable users in every area of computing. If you have a question or a problem, we can probably answer or solve it.

    We also are dedicated to a very good cause: Folding For a Cure. Put your computer's spare power to work searching for the cure to diseases. Join our Team 93 today - we are one of the Top 10 Folding Teams in the World! Join a winning team, and help Fold for a Cure!
    :smokin:


    Dexter...
  18. Unregistered Omegasearch is positively EVIL!!!!! I tried deleting all references to it and to lop.com in my registry. I tried AdAware and Spybot S&D. I tried blocking it with my hosts file (even made hosts read-only!) and with Tools>InternetOptions>Security>Sites. Nothing worked!!! It kept coming back!!! Finally I solved the problem: Omegasearch had somehow managed to folder to my hard drive called c:\program files\bindjumpsafe with two files called holdlogo.exe and movethat.exe.

    Delete them all. However, to delete them, you have to boot into safe mode. That solved the problem for me.

    bill@technicalwrites.com
  19. cybermatic
    cybermatic Great article Dexter. Keep up the good work! :)
  20. Kwitko
    Kwitko If you have a log to post, please register first, then post in the Spyware/Virus/Trojan Discussion forum.

    All future HJT logs posted to this thread will be moved to the SVT forum, and all logs by unregistered posters will be deleted.

    There are many benefits to registering. Most important, we get to know who you are! You also become part of a great community of computer experts, you get to have a cool avatar of your choice, a cool sig of your choice, private messaging ability, and you can become part of our killer Folding@Home team.

    Joining Folding@Home, and specifically Team 93, has been shown to reduce cholesterol, improve your odds with the opposite sex, burn fat, clear up acne, and most important, give you a sense of pride and accomplishment knowing that you're helping science by unlocking the mysteries of cancer, Parkinson's Disease, Alzheimer's, and many other diseases.
  21. Blank_Frackis
    Blank_Frackis yeah many thanks for the guide, I've been struggling with this nonsense for about a month and your guide made it pretty simple. I just deleted all the files that followed the syntax of the ones you had listed to be on the safe side (after all I can easily download any files I inadvertently delete) and it worked. (L) for you
  22. Unregistered One of the OmegaSearch advertisers is University of Phoenoix. I suggest calling U of P's 1-800 number and telling them (at their expense) how much you disapprove of them advertising via pop-ups connected to OmegaSearch. Their # is 1-800-697-8223
  23. Unregistered Dex,

    Did get the Omegasearch bug as well, took about 2 hours to get rid of it, with several attempts, following the manuals on this site. If you don't trust something delete it or move it. In the end you will succeed.

    For Willy, I also had the most difficulty eliminating the bar at the bottom. What I did was delete all unknow toolbars from the Hijack this and also a file with MYWAY in the Pathname. Further more I checked with which file could be the source for my trouble. In my case it was DVDriper from shareware. I also deleted this. After that is was gone.

    Dex thanks for this article and this great site
  24. Dexter
    Dexter Dear Unregistered guest:

    Please do not post your HJT log here. As per the numerous posts above in this thread: please join the forums, and post your log in our Security forum. Your HJT log here will be deleted.

    Dexter...
  25. shadowland
    shadowland Please do not post HiJackThis logs in this thread.
    --Mr. Kwitko
  26. Unregistered Even with ad-aware, and a free download of pest patrol, I still got this damned thing. Thank you SO much for showing me how to get rid of it. I tried scanning my computer for files with the name, I ran both of the programs and deleted all the files, and I couldn't figure out how to fix it.

    When I got this I also got a ton of new bookmarks, a new homepage, and even when I repeatedly reset my homepage, it would go through omegasearch. Bastards.

    Taking just 5 minutes to follow these instructions worked perfectly. Thank you again.
  27. Kwitko
    Kwitko Please DO NOT post HiJackThis logs in this thread!
  28. Unregistered Another name Omegasearch goes under is Oozname.exe :)
  29. primesuspect
    primesuspect If you have a HijackThis log to post, please register on the forums and proceed to the appropriate forum to post your log. Also be sure to read the etiquette for posting a log. Thanks!
  30. Unregistered I just want to thank you guys for ths fix. The last time these hacks ended up on my system I ended up having to wipe my hard drive to get them off. The fix you guys offered up worked like a champ and the info about this omega comany was great. Now this will never happen to me again. Thank you guys very much!!!!

Howdy, Stranger!

You found the friendliest gaming & tech geeks around. Say hello!