dbrugman
New to the neighborhood
dbrugman
1 Posts

Unhappy Omegasearch the undead!

I have also followed the steps in the guide to be rid of Omegasearch. I have tried numerous spyware tools and have been struggling for weeks to be rid of this.
Help. Here is my last HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 7:38:20 AM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINNT\System32\lxamsp32.exe
C:\PROGRA~1\ENCMAI~1\frag wma.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\McAfee.com\VSO\mcshield.exe
C:\Documents and Settings\Derek Brugman\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/i...ngtideintl.com
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [Play iso] C:\PROGRA~1\ENCMAI~1\frag wma.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKEN2001H&B\bagent.exe
O8 - Extra context menu item: Collegiate &Dictionary - C:\Program files\Merriam-Webster Toolbar\dictionary.htm
O8 - Extra context menu item: Collegiate &Thesaurus - C:\Program files\Merriam-Webster Toolbar\thesaurus.htm
O9 - Extra button: Merriam-Webster (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...403.3845601852
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
Attached Files
File Type: doc hijackthis.doc (3.9 KB, 34 views)
Straight_Man
Playing with Virtual Painter
Straight_Man
3,716 Posts
OK, try this:

DISABLE McAfee Antivirus.

DISABLE the system restore service.

NOW, repeat the scans-- AFTER doing the below things.

REASON: There are quite a few things that McAfee does not get along with.

Also get cwshredder and run it, and update adaware to version 6 and then update the defs for that to the April, 2004 def updates.

I am not sure what you have is just or even really Omegasearch, looks like you have other things going and possibly a compromised AV as well.

The .doc file did attach, and for those who attach files, note that the file name will show down at bottom of message but not be included in message text. It is a downloadable attachment. The kind of attachment used for this purpose is totally legal the way it was used.

BTW, for those of you who have problems with .doc files, get OpenOffice.org 1.1.1 and use soffice as a helper application for Mozilla or Opera or Netscape or possibly IE also. I run Linux on the surfing\personal box, do not use Microsoft Office to open .doc files. But soffice knows to open oowrite and import .doc type files handed to it because when I installed it I knew to tell it to use OOo for files of types .doc and the Excel types, and the presentation types used by PowerPoint. Can do this in Windows also. It CAN open files from Word as in up to Office XP, ditto Excel. EARLIER OOo could not do this, it stopped being able to really handle Word files at Word 2000 version files. And Mozilla here now knows to open .doc files in OOo-- just as it uses Acroread as a helper to open .pdf files.

John D.
Dexter
Former SM Staff Member
Dexter
3,580 Posts
Updated Removal Instructions here: http://www.short-media.com/forum/showthread.php?t=12173

Try that and post back to let us know.

Dexter...
mondi
dot.
mondi
798 Posts


this entry is highly suspect:
O4 - HKLM\..\Run: [Play iso] C:\PROGRA~1\ENCMAI~1\frag wma.exe
looking over the new instructions and this entry... apart from the "jugs" references - it seems that the random file names follow this pattern:

the usual run reference: O4 - HKLM\..\Run:

then a category made up of "common" computer/internet expressions: eg [Camp Inter] and in this case [Play Iso]

the final exe then follows the same pattern - in this case frag wma.exe ... also it seems that the filename generator is not removing trailing spaces ... so the file is 2 words long.

that's from only two observations but there's a definite pattern if that's the right entry to remove ...

edit:// just looked at a new log, from Viscio, there's a very similar entry - this time 3 words long but with the same trailing spaces - ooze copy city.exe

also .. all three have "PROGRA~1" instead of "Program Files" even when other entries are correct ...

random musings I know but patterns are patterns
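The naming pattern mondi describes above (a Run-key entry whose label is a pair of generic computer words, whose executable name contains a space, and whose path uses 8.3 short names such as PROGRA~1 while legitimate entries spell out "Program Files") can be turned into a simple triage check over HijackThis O4 lines. The script below is an added example, not code from the thread or from HijackThis; it parses O4 lines and reports those indicators so a helper can spot candidate entries quickly. The sample lines are constructed for the demonstration: most are copied from the log and posts in this thread, and the directory `PLACEH~1` for the "ooze copy city.exe" entry is a placeholder, since that log is not shown here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input. Lines are taken from the HijackThis log and posts in
# this thread, except the "[Camp Inter]" directory, which is a placeholder.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [Play iso] C:\PROGRA~1\ENCMAI~1\frag wma.exe
O4 - HKLM\..\Run: [Camp Inter] C:\PROGRA~1\PLACEH~1\ooze copy city.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
""".strip().splitlines()

# "O4 - HKLM\..\Run: [label] command"  (HijackThis O4 = registry Run key entry)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$"
)


@dataclass
class O4Entry:
    hive: str
    label: str
    command: str
    exe_path: str
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A space inside the executable's own name is the strongest of the
        # three observations in the thread; the other two only corroborate.
        return "space_in_exe_name" in self.indicators


def extract_exe_path(cmd: str) -> str:
    """Return only the executable part of a Run-key command value.

    Quoted paths end at the closing quote; unquoted ones end at the first
    '.exe' token, so arguments such as '/checktask' or a DLL handed to
    RUNDLL32.EXE are not mistaken for part of the file name.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split()[0]


def analyse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 line and attach the indicators from the thread's pattern."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe_path = extract_exe_path(m["cmd"])
    directory, _, basename = exe_path.rpartition("\\")
    stem = basename.rsplit(".", 1)[0]
    entry = O4Entry(m["hive"], m["label"], m["cmd"], exe_path)

    # 1. Executable name made of several words ("frag wma.exe").
    if " " in stem:
        entry.indicators.append("space_in_exe_name")
    # 2. Path written with 8.3 short names (PROGRA~1, ENCMAI~1).
    if re.search(r"~\d", directory):
        entry.indicators.append("short_name_path")
    # 3. Label shares nothing with the executable name (weak: legitimate
    #    software such as the McAfee entry trips this too).
    label_l, stem_l = m["label"].lower(), stem.lower()
    related = any(w in stem_l or stem_l in w for w in label_l.split())
    if not related:
        entry.indicators.append("label_unrelated_to_exe")
    return entry


def scan(lines: List[str]) -> List[O4Entry]:
    return [e for e in map(analyse_o4, lines) if e is not None]


def suspicious_entries(lines: List[str]) -> List[O4Entry]:
    return [e for e in scan(lines) if e.suspicious]


if __name__ == "__main__":
    for e in scan(SAMPLE_O4_LINES):
        flag = "SUSPECT" if e.suspicious else "ok     "
        print(f"{flag} [{e.label}] {e.exe_path!r} {e.indicators}")
```

Run it on a saved HijackThis log by replacing `SAMPLE_O4_LINES` with the file's lines; only lines starting with `O4 -` are examined, everything else is ignored. The check is a triage aid, not a verdict: an entry it flags still needs the same manual review as before, and the unquoted-path handling assumes the executable name ends in `.exe`, which holds for every O4 entry in this thread.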

t1rhino
Icrontian
t1rhino
908 Posts
What is this Omegasearch thing everyone is talking about???
primesuspect
The Icrontic Guy
primesuspect
27,811 Posts
A really malicious and crappy piece of malware that resists efforts to uninstall it. It is the next incarnation of the notoriously scummy C2/LOP or lop.com "search helper".

Their corporate offices are at:

C2 Media Ltd.
Unit 12, 571 Finchley Road
Hampstead, London, NW3 7BN
United Kingdom
Dexter
Former SM Staff Member
Dexter
3,580 Posts
Check the Updated Omegasearch Removal Page for the latest info: http://www.short-media.com/forum/showthread.php?t=12173

Dexter...