Omegasearch again...

Elven-Rogue, Scranton, PA
edited April 2004 in Spyware & Virus Removal
Here's a HijackThis log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\Macromed\iroffer\iroffer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Macromed\servu\ServUDaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\dent anti bird\oozeregstool.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\1\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\KAZAAL~1\MYSHAR~1\POKEMO~1.EXE -r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Dog this] C:\PROGRA~1\dent anti bird\oozeregstool.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16546b8230cd59c38900/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37905.7850231482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Any ideas how to get rid of it? Thanks.

Comments

  • Dexter, Vancouver, BC, Canada
    edited April 2004
    1 - Disable XP system restore.

    2 - Disable all Omegasearch items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html


    Disable:

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029


    These are some other hijack elements.

    3 - Re-enable XP system restore, and create a new restore point.

    4 - Reboot, check. If you still have Omegasearch, re-run Hijack This and repost log.

    There are a few other items you can clean up in there to tune up your system, I'm sure others will post those items in no time. :)

    Dexter...
  • Kwitko, Sheriff of Banning (Retired), By the thing near the stuff, Icrontian
    edited April 2004
    Wow, this is the 4th Omegasearch thread we've had. What's up with this bad boy?
  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited April 2004
    Gee, not even a "Hi my name is such and such, I was wondering if you could help... Thanks"

    :rolleyes:
  • Elven-Rogue, Scranton, PA
    edited April 2004
    Stupid question... How do you create a new restore point?
  • Dexter, Vancouver, BC, Canada
    edited April 2004
    If you don't know the answer, it's not a stupid question :)

    Disable system restore, then make your changes to get rid of the spyware / hijacking ware. Then re-enable system restore. Next click Start -> All Programs -> Accessories -> System Tools -> System Restore. When the System Restore Utility opens, click "Create a Restore Point" then click Next. Enter a name for this Restore Point (I would just use the date, or "After Sweeping Spyware" or something to that effect), and click Create. The utility will then take a snapshot of your system so that you can restore to that point sometime in the future.

    Windows XP automatically creates a Restore Point when any of the following occurs:

    An unsigned device driver is installed
    A new application is installed (if the installation program is compatible with System Restore)
    Windows Update is used to update your system
    A Restore Point from earlier is restored
    A backup using the Backup Utility is restored.


    Dexter...
  • Dexter, Vancouver, BC, Canada
    edited April 2004
    By the way, welcome to Short Media. We hope you will keep coming back here. We are a great tech site with some very knowledgeable members, and we manage to have a lot of fun here too. As PrimeSuspect hinted at above, please feel free to drop by the Short-Media Pub, and post a little message telling us about yourself.

    Also, I noticed something very important missing from your active process list! ;) You are not taking part in what we feel is the best cause on the internet:

    Folding For A Cure!

    Have a look at the General Questions FAQ on that link, and consider joining our Folding Team, which is among the Top 10 in the world!

    Dexter...
  • Elven-Rogue, Scranton, PA
    edited April 2004
    OK, thanks. I actually found an uninstaller for it before I got the last message, though; the URL is http://lop.com/new_uninstall.exe and it worked like a charm. I got rid of the other hijack elements you suggested, though. Here's the new log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
    C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
    C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\Macromed\iroffer\iroffer.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\PGPsdkServ.exe
    C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Macromed\servu\ServUDaemon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\1\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 12.129.205.209 search.netscape.com
    O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\KAZAAL~1\MYSHAR~1\POKEMO~1.EXE -r
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    O4 - Global Startup: PGPtray.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16546b8230cd59c38900/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37905.7850231482
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Any further help would be great. I'll be sure to check out the Short-Media Pub, and sorry for no introduction; I was trying to get rid of the search bar for almost a week... Just call me Wolf.
  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited April 2004
    I would say to definitely run Ad-Aware again; there's still a bunch of stinkers in that log.
  • Kwitko, Sheriff of Banning (Retired), By the thing near the stuff, Icrontian
    edited April 2004
    Get rid of these:
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\KAZAAL~1\MYSHAR~1\POKEMO~1.EXE -r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

    I'd also drop these just to free up resources:
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
  • MediaMan, Powered by loose parts.
    edited April 2004
  • edited April 2004
    I think the uninstaller from Lop.com will not work, because I read in the guide by Short-Media that lop.com is Omegasearch... or did it work for you?
  • Elven-Rogue, Scranton, PA
    edited April 2004
    It worked for me. It is Omegasearch, yes, but I think they legally have to provide an uninstaller...
  • Dexter, Vancouver, BC, Canada
    edited April 2004
    "It worked for me. It is Omegasearch, yes, but I think they legally have to provide an uninstaller..."

    It may have worked for now, but, ummm, who says they have to legally provide an uninstaller?

    What law in what country says that?

    And then you'd have to prove where the software actually came from. Although Omegasearch is based in the UK (Lop.com), they have "affiliates" around the world. Affiliates are people who knowingly spread their software, in different varieties as we have seen here, and in return these affiliates get paid for spreading Omegasearch's crap.

    As I outlined in the Omegasearch Removal Guide, the hijackers have absolutely no benefit from helping you uninstall their program. In fact, if they do, they potentially lose money. Most uninstallers leave "time bombs" behind, or bugger up your IE in such a way that the only way to fix it is to put their toolbar back on again. Ask anyone who has ever had the pleasure of removing "Xupiter" from their system :mean:

    Bottom line, do not trust an uninstaller from a spammer or a hijacker.

    Case in point, this entry in your HJT log:

    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\KAZAAL~1\MYSHAR~1\POKEMO~1.EXE -r

    That is an EXE file in your KazaaLite shared folder. That file is in a STARTUP ENTRY of your registry. It has a command line switch "-r."

    What do you think that file is? Why would there be an Executable file, in your Kazaa Shared folder, being automatically started by your system when you reboot? Does that not make you suspicious? It makes me suspicious. And looking at that name, I'd put $5 on the table that the full name of that EXE file is POKEMON something. Trying to fool young kids into downloading something and running it on their computer, a VERY COMMON PLOY of hijackers, spammers, and "script kiddie" virus writers.


    What do you think that -r means? My thinking is as follows:

    a - your Omegasearch likely came onto your box because of something you downloaded through Kazaa.

    b - The uninstaller did not remove the initial installer file (C:\PROGRA~1\KAZAAL~1\MYSHAR~1\POKEMO~1.EXE)

    c - That program is launched every time you start your computer.

    d - The "-r" switch is quite probably an instruction to the computer to run that program's payload at either a preset time, or more likely a random time ("r".)

    That looks very much like a time bomb to me. I would not be surprised if your browser gets hijacked again in very short order. I would strongly recommend you delete that HJT entry, then find the file manually on your hard drive and delete it. I could be wrong about this...but I bet that I am not. :)

    Dexter...
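The checks the replies above apply by hand to the two HijackThis logs (IE start and search settings pointed at the hijacker's domain, HOSTS overrides, an orphaned URLSearchHook, BHOs, toolbars and Run entries loaded from the MyWebSearch directory, a startup entry launched out of a KaZaA shared folder, and an ActiveX control fetched from a bare IP address) can be scripted. The following is an added example, not part of the thread and not Short-Media's or HijackThis's own code. The domain list, path markers and the embedded sample log are constructed from the entries quoted in this thread and are assumptions, not a maintained signature set.

```python
"""Triage a HijackThis (HJT) log for the hijack patterns discussed in the thread.

Added example, not the forum's or HijackThis's code. The domain list and path
markers are assumptions built from the entries quoted in the thread.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Domains the thread identifies as the hijacker and its toolbar (assumed list).
HIJACKER_DOMAINS = ("omegasearch.com", "lop.com", "mywebsearch.com")
# Lower-cased directory fragments (long and 8.3 short names) of the MyWebSearch adware.
ADWARE_PATH_MARKERS = ("\\mywebsearch\\", "\\mywebs~1\\")
# A startup entry executing out of a P2P shared folder is the case Dexter flags.
P2P_SHARE_MARKERS = ("\\kazaal~1\\myshar~1\\", "\\my shared folder\\")

# HJT entry lines look like "R1 - <body>" or "O4 - <body>".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def host_of(url: str) -> str:
    """Lower-cased host of a URL, or '' when it has none (e.g. about:blank)."""
    return (urlsplit(url.strip()).hostname or "").lower()


def hijacker_domain(url: str) -> Optional[str]:
    """Return the matching hijacker domain if the URL's host is it or a subdomain of it."""
    host = host_of(url)
    for dom in HIJACKER_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def is_bare_ip(host: str) -> bool:
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def triage(log_text: str) -> List[Finding]:
    """Return the HJT entries worth ticking for removal, with a reason for each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers and blank lines carry no R/O entry
        section, body = m.group("section"), m.group("body")
        low = body.lower()
        reason = None
        if section in ("R0", "R1") and " = " in body:
            dom = hijacker_domain(body.split(" = ", 1)[1])
            if dom:
                reason = f"IE start/search setting points at {dom}"
        elif section == "R3" and "(no file)" in low:
            reason = "URLSearchHook with no backing file"
        elif section == "O1":
            reason = "HOSTS entry overrides DNS for a hostname"
        elif section in ("O2", "O3") and any(mk in low for mk in ADWARE_PATH_MARKERS):
            reason = "BHO/toolbar loaded from the adware directory"
        elif section == "O4":
            if any(mk in low for mk in P2P_SHARE_MARKERS):
                reason = "autorun entry executes from a P2P shared folder"
            elif any(mk in low for mk in ADWARE_PATH_MARKERS):
                reason = "autorun entry launches an adware component"
        elif section == "O8" and "http" in low:
            dom = hijacker_domain(body[low.index("http"):])
            if dom:
                reason = f"context-menu item calls out to {dom}"
        elif section == "O16" and " - http" in low:
            if is_bare_ip(host_of(body.rsplit(" - ", 1)[1])):
                reason = "ActiveX control fetched from a bare IP address (review source)"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


# Constructed sample: a subset of the entries quoted in this thread, with a few
# benign lines (Start Page_bak, ccApp, Flash) that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\KAZAAL~1\MYSHAR~1\POKEMO~1.EXE -r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16546b8230cd59c38900/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as `python hjt_triage.py hijackthis.log` (or with no argument to triage the embedded sample). The flagged R/O lines are the ones to tick in HijackThis before rebooting; the bare-IP O16 check only marks the download source for review, since a control fetched from a raw address is unusual but not by itself proof of a hijacker.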