music_head (New to the neighborhood, 4 Posts):

Angry Omegasearch

I followed the directions to the "T" to get rid of Omegasearch but it still seems to be taking over as my homepage. Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 11:01:53 AM, on 14/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\junkdrawbyte\coal grey.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UZGHE9U5\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 64.159.91.200 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {F0641213-5975-D987-0121-2659ACDEF229} - C:\PROGRA~1\STYLEC~1\burnup.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Pure Global] C:\PROGRA~1\junkdrawbyte\coal grey.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/...rInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...782.9871180556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

What happens is Omegasearch attaches itself to my original homepage as a sort of "passthrough" homepage to my own. I go into "Internet Options" to change it back but every time I restart my computer it comes back. HELP PLEASE!!
mondi (dot., 798 Posts, Subscriber):

Hi there:

Check out the updated instructions if you haven't already..

Here's what you need to get rid of:

C:\PROGRA~1\junkdrawbyte\coal grey.exe
O2 - BHO: (no name) - {F0641213-5975-D987-0121-2659ACDEF229} - C:\PROGRA~1\STYLEC~1\burnup.dll
O4 - HKLM\..\Run: [Pure Global] C:\PROGRA~1\junkdrawbyte\coal grey.exe

edit:// also:

O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product...erInstaller.exe
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab

also, unless you play gamespot games, get rid of:

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab


Please post an updated log after that if it's still there.

Also, could you please post the full name of the folder C:\PROGRA~1\STYLEC~1\ ... this will help us try and find patterns in the new variants.

thanks.

mondi
__________________

coj08

Dexter (Former SM Staff Member, 3,580 Posts):
"C:\PROGRA~1\junkdrawbyte\coal grey.exe"...that's a random name we haven't seen yet....

Same with "STYLEC~1\burnup.dll"

* Dexter stands by to update the list...again...




Please let us know if Mondi's instructions helped you. And if they didn't, please post a fresh HJT log for further analysis.

Dexter...
__________________ "Forty-two," said Deep Thought, with infinite majesty and calm.

Put your computer's spare power to work searching for the cure to diseases: Folding@Home. Join Team 93 today! Join a winning team, and help Fold for a Cure!
Get spyware fighting tools at our Security Downloads Page. Get a better browser: Get Firefox. Get Firefox!
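Mondi's list of entries to remove, and Dexter's remark that each new variant shows up under a random name, are the sort of triage that can be mechanised once the log format is parsed. The following is an added example, not code from this thread or from HijackThis itself: it parses the `Rn`/`Fn`/`On` lines of a HijackThis v1.97 log, flags the CLSIDs, paths and download hosts named in mondi's reply, and additionally applies one rule the thread does not state (an assumption on my part): an `O1` hosts-file entry that points a name anywhere other than loopback is reported, since the posted log sends `auto.search.msn.com` to a third-party address. The sample log is a constructed subset of the one posted above.

```python
"""Mechanise the log triage done by hand in this thread.

Added example, not code from the thread or from HijackThis. Indicator values
(CLSIDs, short-name paths, DPF hosts) are copied from the posted log and
mondi's reply; the O1 hosts-file rule is an assumption about what a reviewer
checks, not something the thread states.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted in the first message.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enca
O1 - Hosts: 64.159.91.200 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {F0641213-5975-D987-0121-2659ACDEF229} - C:\PROGRA~1\STYLEC~1\burnup.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O4 - HKLM\..\Run: [Pure Global] C:\PROGRA~1\junkdrawbyte\coal grey.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
"""

# Indicators named in mondi's reply.
KNOWN_BAD_CLSIDS = {
    "{F0641213-5975-D987-0121-2659ACDEF229}",  # burnup.dll BHO
    "{15589FA1-C456-11CE-BF01-00AA0055595A}",  # spywarenuker installer
    "{1C955F3B-5B32-4393-A05D-24B4970CD2A1}",  # "Video Class" from babenet
}
KNOWN_BAD_PATH_FRAGMENTS = {r"junkdrawbyte\coal grey.exe", r"STYLEC~1\burnup.dll"}
KNOWN_BAD_DPF_HOSTS = {"spystream.babenet.com", "www.spywarenuker.com"}
# Assumption (not from the thread): a hosts entry pointing anywhere but
# loopback/null is a redirect worth a look.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    section: str          # "O2", "O4", "O16", ...
    body: str             # everything after "On - "
    clsid: Optional[str]  # first {GUID} on the line, upper-cased
    url: Optional[str]    # first http(s) URL on the line
    path: Optional[str]   # file path for O2/O3/O4 entries


def _extract_path(section: str, body: str) -> Optional[str]:
    """Pull the file path out of the sections that carry one."""
    if section in ("O2", "O3"):
        return body.rsplit(" - ", 1)[-1].strip()
    if section == "O4":
        _, sep, rest = body.partition("] ")
        return rest.strip().strip('"') if sep else None
    return None


def parse_log(text: str) -> List[Entry]:
    """Turn the 'Rn/Fn/On - ...' lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines, process list, blanks
        section, body = m.group("section"), m.group("body")
        clsid, url = CLSID_RE.search(body), URL_RE.search(body)
        entries.append(Entry(section, body,
                             clsid.group(0).upper() if clsid else None,
                             url.group(0) if url else None,
                             _extract_path(section, body)))
    return entries


def triage(text: str) -> List[dict]:
    """Return the entries matching a thread indicator or the hosts rule, with reasons."""
    findings = []
    for e in parse_log(text):
        reasons = []
        if e.clsid in KNOWN_BAD_CLSIDS:
            reasons.append("CLSID listed in thread")
        if e.path and any(f.lower() in e.path.lower() for f in KNOWN_BAD_PATH_FRAGMENTS):
            reasons.append("path listed in thread")
        if e.url and urlparse(e.url).hostname in KNOWN_BAD_DPF_HOSTS:
            reasons.append("DPF download host listed in thread")
        if e.section == "O1":
            parts = e.body.split()  # ["Hosts:", "<ip>", "<name>"]
            if len(parts) >= 3 and parts[1] not in LOCAL_ADDRESSES:
                reasons.append(f"hosts file sends {parts[2]} to {parts[1]}")
        if reasons:
            findings.append({"section": e.section, "line": e.body, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['line']}\n      -> {'; '.join(f['reasons'])}")
```

Run against the sample it reports the O1 hosts redirect, the burnup.dll BHO, the "Pure Global" Run entry and the babenet DPF, and leaves the Adobe BHO, MSDXM.OCX, ZoneAlarm and Macromedia lines alone. Matching on path fragments rather than the full 8.3 path is deliberate: the folder names change between variants, as Dexter notes, so the list has to be refreshed from each new log rather than treated as complete.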

mondi (dot., 798 Posts, Subscriber):

AND MORE !! ... I'm off form today..

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX

I thought that was needed for Media Player, but then realized that it should be system32 for the mplayer version...


edit:// wait ... it is ..

Dex, you've been advocating removing this ... should he??
Dexter (Former SM Staff Member, 3,580 Posts):
Yes, we are seeing that MSDXM.OCX in most of the infestations....sigh.

Dexter...
primesuspect (The Icrontic Guy, 27,799 Posts):
That is on every Windows XP computer out there. It's unnecessary, but it's not malicious. It just adds a toolbar button to IE.
__________________ "I offer my genius to the world, all I ask is you pick up my expenses"
Dexter (Former SM Staff Member, 3,580 Posts):
So it is. Thanks Prime. We'll ignore that one from now on.

///EDIT: Hmmmmm. Doing some research on O3 - MSDXM.OCX, I see that in v5.x of IE, there was a known buffer overrun exploit in this file that allowed some remote control access over one's computer. I wonder if there is a new exploit....?


Dexter...