Remove Omegasearch

MediaManMediaMan Powered by loose parts.
edited May 2004 in Science & Tech
Is your Internet searching going places you don't want to? Do you feel someone else is in control? Omegasearch may be the culprit and it's a pesky program you may have installed without knowing. This is Short-Media.com's how-to guide on what Omegasearch is, why you may not want it, and how to get rid of Omegasearch.

Read it here

Comments

  • ShortyShorty Manchester, UK Icrontian
    edited April 2004
    An awesome read Dexter.

    I haven't been unlucky enough to suffer it .. but :eek:.. I never realised the kind of havoc it does cause :mad:
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited April 2004
    Great article Dexter. :)

    People should understand that if they have OmegaSearch/C2.LOP/LOP.COM installed on their computer, it's usually a symptom of a larger problem, and chances are they have other adware/malware on their computers as well. I would highly recommend that anybody who has benefited from this article run a spybot scanner such as AdAware or SpyBot Search & Destroy (or both), because it's a very good bet that they have other malicious software going on.
  • EyesOnlyEyesOnly Sweden New
    edited April 2004
    Nice guide. Let's hope i never have to follow it. :)
  • edited April 2004
    Spybot S&D will stop your system from being HJ'd. I would highly recommend everyone to install this puppy. It doesn't have any built in SB either! :D
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    Good advice, guest.

    Spybot S&D version 1.2: http://download.com.com/3000-8022-10194058.html?tag=lst-0-2

    Dexter...
  • edited April 2004
    Dexter,
    I need help. I went through and tried all the methods of removing omegasearch.com byt the bar at the bootom of my page just will not go away. Help
    Willie
  • KwitkoKwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited April 2004
    Run HiJackThis and copy and paste the log here. Perhaps you still have some remnants left over.
  • edited April 2004
    Can't seem to get rid of omegasearch. Any help would be appreciated.

    thx
    Jess


    Scan saved at 12:03:38 AM, on 15/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\DEFAUL~1\Delete Web Proc.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\The Crook\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {DE761B33-CB30-71B5-BF7F-B2721AA000B4} - C:\PROGRA~1\CAKEFI~1\htmtwo.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Loadbalmlite - {E396CC0F-29EE-75D2-A5FA-BEDE2A709103} - C:\PROGRA~1\CAKEFI~1\htmtwo.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [book send] C:\PROGRA~1\DEFAUL~1\Delete Web Proc.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • edited April 2004
    What a great team you lot are, got rid of it in seconds when i've been trying for two days.

    THANK YOU

    Clive
  • edited April 2004
    I just wanted to say that I've got omega search twice now. I just formated my computer clean, back to surfin the web (i'm a pretty cautious web surfing.. never click on the yes to install apps and other things that promt always get turned down). I was surfing the web for 5 minutes before I open another web window and find that familiar application is back. This means that this app got installed by just my browser viewing a pop-up they had off some site. I also was only lookin at military sites for information on a plane when this happened (wasn't a military site as i've used these before and been fine, but a pop-up that came from one of the other links I selected from a search engine on military planes). Anyways, just makes you so agrivated with these people that do this, and all the trouble you have to go through to remove it when you haven't even installed anything! Just a heads up that omegasearch is full of crap when they say you have to consciously click yes to instal something, or supose to know that its being installed.
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited April 2004
    @Jessica

    follow the instructions here to delete

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O2 - BHO: (no name) - {DE761B33-CB30-71B5-BF7F-B2721AA000B4} - C:\PROGRA~1\CAKEFI~1\htmtwo.dll
    O3 - Toolbar: Loadbalmlite - {E396CC0F-29EE-75D2-A5FA-BEDE2A709103} - C:\PROGRA~1\CAKEFI~1\htmtwo.dll
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - HKLM\..\Run: [book send] C:\PROGRA~1\DEFAUL~1\Delete Web Proc.exe
  • edited April 2004
    Hello!

    My Computer has been hijacked by Omegasearch :mean:

    I have run both Adaware pro and spybot without any effect.
    I have even edited the registry, as described in one of the other threads on the forum, but no go!

    All the entries containing omegasearch in the attached log from hijackthis, have also been deleted by means of the software, but omegasearch keeps coming back.

    Could anyone of you please advise?

    regards

    Quick116

    Logfile of HijackThis v1.97.7
    Scan saved at 18:08:11, on 15.04.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Eicon\Diva\DiTask.exe
    C:\Program Files\Eicon\Diva\Divamon.exe
    C:\Program Files\Eicon\Diva\watch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\PROGRA~1\1 acid web\Dashlogo.exe
    C:\Program Files\Norman\NPF\NPFMSG.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norman\NPF\NPFSVICE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Rune Klingsheim\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = omegasearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/no/nor/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/no/nor/gen/default.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/no/nor/gen/default.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=ftp://xbox@192.168.1.4/:21
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
    O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
    O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
    O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [ErrorAnte] C:\PROGRA~1\1 acid web\Dashlogo.exe
    O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
    O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NPF Messenger.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37971.5943518519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • mondimondi Icrontian
    edited April 2004
    @ quick116

    please go to this new thread for instructions

    omegasearch - quick116
  • edited April 2004
    I posted a message earlier today. I did everything as instructed from the instructions on how to get ride of this hijacking criminal software. Not only does it keep coming back on reboots, but it never is able to change my start page, though it changes where its directed, it still loads http://omegasearch.com/passthrough/index.html?http://www.msn.com
    I have rebooted, run HijackThis and updated spybot updated it, did a full scan and immunitized. Rebooted and everything is back to omegasearch when it comes back up. Please help so I don't have to format again! Thanks :cool2:

    NOTE: R0 - HKCU... omegasearch line in the HijackThis deletes durring the current session, but is always there when I reboot. (Its been deleted 6 times now)


    Logfile of HijackThis v1.97.7
    Scan saved at 10:37:22 AM, on 4/15/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\PROGRA~1\Cool Type Hope\mpeg open.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Starr\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A64A1260-81B9-D7D1-1AC0-2FB1EC652C2E} - C:\PROGRA~1\MP3TRU~1\grim site.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O3 - Toolbar: iso great - {6D2FD553-C303-54AF-55F3-EB7A9944DB44} - C:\PROGRA~1\MP3TRU~1\grim site.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pure once] C:\PROGRA~1\Cool Type Hope\mpeg open.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • ginipigginipig OH, NOES
    edited April 2004
    I've yet to read any guides, but won't AdwareBlaster (or any other spyware-removal tool that offers I.E locks) protect consumers from the Omega-Syndrome?
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited April 2004
    @queiz

    use the instructions here:
    http://www.short-media.com/forum/showthread.php?t=12173

    get rid of
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
    O2 - BHO: (no name) - {A64A1260-81B9-D7D1-1AC0-2FB1EC652C2E} - C:\PROGRA~1\MP3TRU~1\grim site.dll
    O4 - HKLM\..\Run: [Pure once] C:\PROGRA~1\Cool Type Hope\mpeg open.exe


    @anyone who can....
    can you put a link to this in the original article:

    http://www.short-media.com/forum/showthread.php?t=12173
  • DexterDexter Vancouver, BC Canada
    edited April 2004
    ATTENTION OMEGASEARCH POSTERS:

    Please do not post your Hijack This logs in this thread. Please go to our Security - Software/Virus/Trojan Forum located here. If you post your logs here, we may miss them, and not be able to help you...which we really want to do!

    ***IF YOU NEED TO POST YOUR HIJACK THIS LOG FOR HELP, PLEASE DO SO IN YOUR OWN NEW THREAD, AND CALL IT "OMEGASEARCH - (YOUR USERNAME)" DO NOT ADD YOUR LOG TO SOMEONE ELSE'S EXISTING THREAD. IF YOU ADD TO SOMEONE ELSE'S THREAD, WE MAY MISS YOUR NEW POST AND BE UNABLE TO HELP YOU.*****

    Make sure you first check the instructions for the names of the latest known file name variants in our Updated Instructions Post.

    While you are waiting for help with your post, please feel free to browse the rest of our site - we have what we feel is the best little Tech Community on the Net, with friendly and knowledgable users in every area of computing. If you have a question or a problem, we can probably answer or solve it.

    We also are dedicated to a very good cause: Folding For a Cure. Put your computer's spare power to work searching for the cure to diseases. Join our Team 93 today - we are one of the Top 10 Folding Teams in the World! Join a winning team, and help Fold for a Cure!
    :smokin:


    Dexter...
  • edited April 2004
    Omegasearch is positively EVIL!!!!! I tried deleting all references to it and to lop.com in my registry. I tried AdAware and Spybot S&D. I tried blocking it with my hosts file (even made hosts read-only!) and with Tools>InternetOptions>Security>Sites. Nothing worked!!! It kept coming back!!! Finally I solved the problem: Omegasearch had somehow managed to folder to my hard drive called c:\program files\bindjumpsafe with two files called holdlogo.exe and movethat.exe.

    Delete them all. However, to delete them, you have to boot into safe mode. That solved the problem for me.

    bill@technicalwrites.com
  • cybermaticcybermatic Bendigo, Victoria, Australia
    edited April 2004
    Great article Dexter. Keep up the good work! :)
  • KwitkoKwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited April 2004
    If you have a log to post, please register first, then post in the Spyware/Virus/Trojan Discussion forum.

    All future HJT logs posted to this thread will be moved to the SVT forum, and all logs by unregistered posters will be deleted.

    There are many benefits to registering. Most important, we get to know who you are! You also become part of a great community of computer experts, you get to have a cool avatar of your choice, a cool sig of your choice, private messaging ability, and you can become part of our killer Folding@Home team.

    Joining Folding@Home, and specifically Team 93, has been shown to reduce cholesterol, improve your odds with the opposite sex, burn fat, clear up acne, and most important, give you a sense of pride and accomplishment knowing that you're helping science by unlocking the mysteries of cancer, Parkinson's Disease, Alzheimer's, and many other diseases.
  • edited May 2004
    yeah many thanks for the guide, I've been struggling with this nonsense for about a month and your guide made it pretty simple. I just deleted all the files that followed the syntax of the ones you had listed to be on the safe side (after all I can easily download any files I inadvertently delete) and it worked. (L) for you
  • edited May 2004
    One of the OmegaSearch advertisers is University of Phoenoix. I suggest calling U of P's 1-800 number and telling them (at their expense) how much you disapprove of them advertising via pop-ups connected to OmegaSearch. Their # is 1-800-697-8223
  • edited May 2004
    Dex,

    Did get the Omegasearch bug as well, took about 2 hours to get rid of it, with several attempts, following the manuals on this site. If you don't trust something delete it or move it. In the end you will succeed.

    For Willy, I also had the most difficulty eliminating the bar at the bottom. What I did was delete all unknow toolbars from the Hijack this and also a file with MYWAY in the Pathname. Further more I checked with which file could be the source for my trouble. In my case it was DVDriper from shareware. I also deleted this. After that is was gone.

    Dex thanks for this article and this great site
  • DexterDexter Vancouver, BC Canada
    edited May 2004
    Dear Unregistered guest:

    Please do not post your HJT log here. As per the numerous posts above in this thread: please join the forums, and post your log in our Security forum. Your HJT log here will be deleted.

    Dexter...
  • edited May 2004
    Please do not post HiJackThis logs in this thread.
    --Mr. Kwitko
  • edited May 2004
    Even with ad-aware, and a free download of pest patrol, I still got this damned thing. Thank you SO much for showing me how to get rid of it. I tried scanning my computer for files with the name, I ran both of the programs and deleted all the files, and I couldn't figure out how to fix it.

    When I got this I also got a ton of new bookmarks, a new homepage, and even when I repeatedly reset my homepage, it would go through omegasearch. Bastards.

    Taking just 5 minutes to follow these instructions worked perfectly. Thank you again.
  • KwitkoKwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Please DO NOT post HiJackThis logs in this thread!
  • edited May 2004
    Another name Omegasearch goes under is Oozname.exe :)
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited May 2004
    If you have a HijackThis log to post, please register on the forums and proceed to the appropriate forum to post your log. Also be sure to read the etiquette for posting a log. Thanks!
  • edited May 2004
    I just want to thank you guys for ths fix. The last time these hacks ended up on my system I ended up having to wipe my hard drive to get them off. The fix you guys offered up worked like a champ and the info about this omega comany was great. Now this will never happen to me again. Thank you guys very much!!!!
This discussion has been closed.