omegasearch removal

This is the log I get from HijackThis:
Logfile of HijackThis v1.97.7
Scan saved at 02:26:39, on 12/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\New okay mags\keep platform.exe
C:\progra~1\steam\steam.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tony\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F729E64-1C8B-7E5B-64F2-F3A468C51D77} - C:\PROGRA~1\AXISNA~1\Poke book.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ace user - {EF0DCA35-D833-CC08-77C2-6B84E8E3EF80} - C:\PROGRA~1\AXISNA~1\Poke book.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Skipooze] C:\PROGRA~1\New okay mags\keep platform.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
O4 - Startup: Hush Messenger.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37955.4393634259
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B6B50E8-A1FA-4EE8-BB30-DB59DB4A0FDE}: NameServer = 195.112.4.4,195.112.4.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{86F07E50-CCED-46F4-AE3A-EC4516A4AF48}: NameServer = 195.112.4.4,195.112.4.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8791B11-36E4-4166-AE6D-D905EE51876C}: NameServer = 195.112.4.4,195.112.4.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B6B50E8-A1FA-4EE8-BB30-DB59DB4A0FDE}: NameServer = 195.112.4.4,195.112.4.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B6B50E8-A1FA-4EE8-BB30-DB59DB4A0FDE}: NameServer = 195.112.4.4,195.112.4.7

I have gone through the process described on this site but Omegasearch refuses to go away and it's driving me nuts. Any help would be very gratefully received!!
tony
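A small triage script, added here as an illustration and not part of this thread or of HijackThis itself, that parses log lines in the format above and flags the kind of entries the helpers single out: a start page pointing at omegasearch.com, and BHO/Toolbar/Run entries whose binary sits under an 8.3 short path with a random two-word file name. The sample lines are copied from the log above; the domain list and the path heuristic are assumptions drawn from this thread's examples.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F729E64-1C8B-7E5B-64F2-F3A468C51D77} - C:\PROGRA~1\AXISNA~1\Poke book.dll
O3 - Toolbar: ace user - {EF0DCA35-D833-CC08-77C2-6B84E8E3EF80} - C:\PROGRA~1\AXISNA~1\Poke book.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Skipooze] C:\PROGRA~1\New okay mags\keep platform.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in a loadable binary, optionally quoted.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:dll|exe|ocx))"?', re.IGNORECASE)
HIJACK_DOMAINS = {"omegasearch.com"}  # assumption: the domain named in this thread

def suspicious_path(path):
    # Heuristic from the samples in this thread: the hijacker's binaries live under
    # an 8.3 short path (PROGRA~1, AXISNA~1) and carry a spaced random-word name.
    name = path.rsplit("\\", 1)[-1]
    return "~" in path and " " in name

def classify(line):
    """Return {'code', 'body', 'reasons'} for one HJT line, or None if not an entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    reasons = []
    if code in ("R0", "R1"):  # browser start/search page settings
        host = urlparse(body.split(" = ", 1)[1]).hostname or ""
        if any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
            reasons.append("browser setting points at known hijacker domain " + host)
    elif code in ("O2", "O3", "O4"):  # BHO, toolbar, autorun entries
        pm = PATH_RE.search(body)
        if pm and suspicious_path(pm.group(1)):
            reasons.append("binary in 8.3 short path with spaced random name: " + pm.group(1))
    return {"code": code, "body": body, "reasons": reasons}

def flag_entries(log):
    """Entries worth fixing in HJT, each with the reason it was flagged."""
    return [e for e in map(classify, log.splitlines()) if e and e["reasons"]]

if __name__ == "__main__":
    for e in flag_entries(HJT_LOG):
        print(e["code"], "-", e["body"], "\n   ->", "; ".join(e["reasons"]))
```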

Comments

  • primesuspect (Beepin n' Boopin, Detroit, MI, Icrontian)
    edited April 2004
    Boot into safe mode, run HJT, and delete these:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    O2 - BHO: (no name) - {1F729E64-1C8B-7E5B-64F2-F3A468C51D77} - C:\PROGRA~1\AXISNA~1\Poke book.dll
    O3 - Toolbar: ace user - {EF0DCA35-D833-CC08-77C2-6B84E8E3EF80} - C:\PROGRA~1\AXISNA~1\Poke book.dll
    O4 - HKLM\..\Run: [Skipooze] C:\PROGRA~1\New okay mags\keep platform.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Startup: Hush Messenger.lnk = ?
    O9 - Extra button: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/sh...ptionEngine.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe


    Then reboot into safe mode again and run AdAware.

    Afterwards, post another HJT log if it's still there.

    Welcome to short-media.
  • mmonnin (Centreville, VA)
    edited April 2004
    Welcome to SM. Hope you get the crap removed.
  • Dexter (Vancouver, BC, Canada)
    edited April 2004
    Since the removal guide was written, we have found some more information on variations from other sources that there are variants of the Omegasearch hijacker. Please try the following steps in addition to the ones in the guide:

    1 - start in safe mode

    2 - Set windows to show hidden files and folders

    3 - Close all browser windows and shut down all other programs (even folders) that show in the taskbar. Start HijackThis and place a check next to these items, then hit "Fix Selected".

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - D:\WINNT\system32\n3tpa1.dll
    O4 - HKLM\..\Run: [miywipjd] D:\WINNT\dockqs.exe
    O4 - HKLM\..\Run: [31254214.exe] D:\WINNT\System32\31254214.exe
    O4 - HKLM\..\Run: [Belt] D:\WINNT\Belt.exe
    O4 - HKLM\..\Run: [Camp inter] D:\PROGRA~1\ONEFOURJUGS\Browse axis.exe

    4 - Reboot into safe mode and delete only these exact files.
    Be very careful; if you're unsure of what to delete, leave them be.

    D:\PROGRA~1\ONEFOURJUGS
    D:\WINNT\Belt.exe
    D:\WINNT\System32\31254214.exe
    D:\WINNT\dockqs.exe

    While in safe mode, run your antivirus program and do a full system scan.

    Let us know if that works for you.

    Dexter...
  • Kwitko (Sheriff of Banning (Retired), By the thing near the stuff, Icrontian)
    edited May 2004
    Gurk, please do not post logs in other people's threads. I've moved your log here.
  • edited July 2004
    Well, like everyone else in this thread, I got hit today by the "best omega search" hijack. No matter that I changed my home page back to what it was before over and over again, the hijack stayed firmly in place.

    I found my way to this forum, and read dexter's excellent post. Downloaded Hijack This 1.98, and ran it. I deleted what seemed to be the obvious lines, nothing changed. I deleted some more lines, same result.

    I already had Ad-aware 6.0, which I had run, but the things it found and removed had made no difference.

    Back to this forum, where in a different thread I found that I should also download and run Spybot-Search & Destroy 1.3. Well, Spybot worked like a charm. It found and removed what I had not been able to remove by hand.

    I'm back in business with my old familiar home page. Google, what else!?!

    Now I wonder why some people need to remove lines by hand in HijackThis, while I was luckily able to do it automatically with Spybot.