please help getting rid of Omegasearch


kjell
15 Apr 2004, 06:54am
Hi, I followed the instructions on the site, running HijackThis and all. Could I please get some help on what to delete here? Posted below is the most recent log. The top line (R0-...) is recurrent. I can press fix, but it comes back if I scan a while later.


Logfile of HijackThis v1.97.7
Scan saved at 10:44:41 PM, on 4/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\glueaudio\CompBook.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Shared Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Admin thunk] C:\PROGRA~1\glueaudio\CompBook.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



I tried running Norton antivirus too, and it does fine in identifying 1 file as a threat: Adware.Lop. But unfortunately, and strangely, it will not delete it even if I press the delete command; instead Norton goes to the next step, giving the options 'Exclude' or 'Skip'.

I tried running Ad-Aware on it too, but that's not working either.

I'd really appreciate some advice.

Thanks,

Kjell

shwaip
15 Apr 2004, 07:00am
follow these updated instructions:
http://www.short-media.com/forum/showthread.php?t=12173

to get rid of
O4 - HKLM\..\Run: [Admin thunk] C:\PROGRA~1\glueaudio\CompBook.exe

Dexter
15 Apr 2004, 05:42pm
follow these updated instructions:
http://www.short-media.com/forum/showthread.php?t=12173

to get rid of
O4 - HKLM\..\Run: [Admin thunk] C:\PROGRA~1\glueaudio\CompBook.exe

Also get rid of:

C:\PROGRA~1\glueaudio\CompBook.exe

and manually delete that from your computer.

Also have HJT fix this one, obviously:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank

Do this all in safe mode, and set a new system restore point, as outlined in the updated instructions above and in the original guide.

Come back and let us know if it worked or not.

And welcome to Short-Media, the best little Tech Community on the Net :)

Dexter...

kjell
15 Apr 2004, 09:55pm
Glad to have joined the short-media forum, thank you

Still having problems unfortunately...

When I attempt to manually delete C:\PROGRA~1\glueaudio\CompBook.exe an error box pops up w/ the message, "Cannot delete CompBook: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

In the glueaudio folder in my program files, there are two icons besides 'Compbook': these are 'Creative' and 'linkgridnurb'. Compbook is the one I'm not presently able to delete in any case though.

HijackThis will not remove O4 - HKLM\..\Run: [Admin thunk] C:\PROGRA~1\glueaudio\CompBook.exe when I check it and press fix checked; I suppose that's because C:\PROGRA~1\glueaudio\CompBook.exe is still around.

Kwitko
15 Apr 2004, 09:57pm
Open Task Manager and end the CompBook.exe program, then delete the file. It might be listed under Processes and not Applications in the Task Manager.
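
Added example, not part of the thread or of HijackThis itself: a small Python parser that cross-checks the O4 Run entries in a HijackThis log against its "Running processes" section, showing which autostart programs are live and therefore locked against deletion until the process is ended. The sample log is constructed from a few lines of the log in the first post; the function names are this example's own.

```python
import re

# Constructed sample: a few lines taken from the log in the first post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\glueaudio\CompBook.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Admin thunk] C:\PROGRA~1\glueaudio\CompBook.exe
"""

# O4 lines look like: O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")

def parse_log(text):
    """Return (running_processes, run_entries) from a HijackThis log."""
    running, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False            # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())   # Windows paths are case-insensitive
        elif (m := RUN_RE.match(line)):
            entries.append({"hive": m[1], "name": m[2], "command": m[3]})
    return running, entries

def live_autoruns(text):
    """Names of Run entries whose executable is currently running."""
    running, entries = parse_log(text)
    live = []
    for e in entries:
        # Drop an opening quote so quoted and unquoted commands compare alike.
        cmd = e["command"].lower().lstrip('"')
        if any(cmd.startswith(path) for path in running):
            live.append(e["name"])
    return live

if __name__ == "__main__":
    print(live_autoruns(SAMPLE_LOG))
```

Entries given without a full path (such as `nwiz.exe`) cannot be matched this way and need to be checked by hand.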

Dexter
15 Apr 2004, 10:05pm
Also, make sure you have started your computer in SAFE MODE before running Hijack This.

Another thing to try is to rename the .exe file to .xxx and then reboot.

When you reboot, it will not be located by the startup registries, and you should be able to repair it in HJT.

Dexter...

kjell
16 Apr 2004, 08:16am
Wonderful, I think it's gone now :)

Thanks for helping me out,

-Kjell

Dexter
16 Apr 2004, 10:20am
You're very welcome :)

We hope you will stick here at Short-Media. We have some great folks here with lots of tech knowledge, and we have a lot of fun here too. :)

Oh, and has anyone mentioned the word "Folding" to you yet...? ;)

Dexter...

shwaip
16 Apr 2004, 10:31am
I'm sure if he's read at least one of prof or mmonnin's posts it's been in there somewhere :D

mmonnin
16 Apr 2004, 02:22pm
Nope, haven't mentioned it to anyone that has asked for OmegaSearch help.

Dexter
16 Apr 2004, 09:53pm
Nope, haven't mentioned it to anyone that has asked for OmegaSearch help.


I've been doing that ;)

If we can get everyone we help on our Folding For A Cure team, we'll pump out some serious WU's!

Dexter...

Dexter
16 Apr 2004, 10:12pm
I've been doing that ;)

If we can get everyone we help on our Folding For A Cure team, we'll pump out some serious WU's!

Dexter...


KJELL - I moved your reply into a new thread in our Team 93 Forum, click here to find it and the answers to your questions:

http://www.short-media.com/forum/showthread.php?t=12412

Hope you join the Team!

Dexter...