Omegasearch the undead!
I have also followed the steps in the guide to be rid of Omegasearch. I have tried numerous spy ware and have been struggling for weeks to be rid of this.
Help. Here is my last hijackthis log.
Logfile of HijackThis v1.97.7
Scan saved at 7:38:20 AM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINNT\System32\lxamsp32.exe
C:\PROGRA~1\ENCMAI~1\frag wma.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\McAfee.com\VSO\mcshield.exe
C:\Documents and Settings\Derek Brugman\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.risingtideintl.com
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [Play iso] C:\PROGRA~1\ENCMAI~1\frag wma.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKEN2001H&B\bagent.exe
O8 - Extra context menu item: Collegiate &Dictionary - C:\Program files\Merriam-Webster Toolbar\dictionary.htm
O8 - Extra context menu item: Collegiate &Thesaurus - C:\Program files\Merriam-Webster Toolbar\thesaurus.htm
O9 - Extra button: Merriam-Webster (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37403.3845601852
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
This discussion has been closed.
Comments
DISABLE McAfee Antivirus.
DISABLE the system restore service.
NOW, repeat the scans-- AFTER doing the below things.
REASON: There are quite a few things that McAfee does not get along with.
Also get cwshredder and run it, and update adaware to version 6 and then update the defs for that to the April, 2004 def updates.
I am not sure what you have is just or even really Omegasearch, looks like you have other things going and possibly a compromised AV as well.
The .doc file did attach, and for those who attach files, note that the file name will show down at bottom of message but not be included in message text. It is a downloadable attachment. The kind of attachment used for this purpose is totally legal the way it was used.
BTW, for those of you who have problems with .doc files, get OpenOffice.org 1.1.1 and use soffice as a helper application for Mozilla or Opera or Netscape or possibly IE also. I run Linux on the surfing\personal box, do not use Microsoft Office to open .doc files. But soffice knows to open oowrite and import .doc type files handed to it because when I installed it I knew to tell it to use OOo for files of types .doc and the Excel types, and the presentation types used by PowerPoint. Can do this in Windows also. It CAN open files from Word as in up to Office XP, ditto Excel. EARLIER OOo could not do this, it stopped being able to really handle Word files at Word 2000 version files. And Mozilla here now knows to open .doc files in OOo-- just as it uses Acroread as a helper to open .pdf files.
John D.
Try that and post back to let us know.
Dexter...
looking over the new instructions and this entry... apart from the "jugs" references - it seems that the random file names follow this pattern:
the usual run reference: O4 - HKLM\..\Run:
then a category made up of "common" computer/internet expressions: eg [Camp Inter] and in this case [Play Iso]
the final exe then follows the same pattern - in this case frag wma.exe ... also it seems that the filename generator is not removing trailing spaces ... so the file is 2 words long.
that's from only two observations but there's a definite pattern if that's the right entry to remove ...
edit:// just looked at a new log, from Viscio, there's a very similar entry - this time 3 words long but with the same trailing spaces - ooze copy city.exe
also .. all three have "PROGRA~1" instead of "Program Files" even when other entries are correct ...
random musings I know but patterns are patterns
Their corporate offices are at:
C2 Media Ltd.
Unit 12, 571 Finchley Road
Hampstead, London, NW3 7BN
United Kingdom
Dexter...
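The pattern noted in the comments above (a Run entry whose path uses 8.3 aliases such as PROGRA~1 while the executable name is several words separated by spaces) can be checked mechanically. The following is an added example, not part of the original thread; the sample lines are O4 entries copied from the log in the first post, and the function names are illustrative.

```python
import re

# O4 lines copied from the HijackThis log in the original post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [Play iso] C:\PROGRA~1\ENCMAI~1\frag wma.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$", re.M)
# Executable path: either the quoted part, or everything up to the first ".exe".
EXE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.I)
# 8.3 short-name alias such as PROGRA~1 or ENCMAI~1.
SHORT_NAME = re.compile(r"~\d")


def image_path(command):
    """Return the executable path from a Run value, quoted or unquoted."""
    m = EXE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()


def suspicious_run_entries(log_text):
    """Flag Run entries that mix 8.3 directory aliases with a multi-word exe name."""
    hits = []
    for hive, name, command in O4_RUN.findall(log_text):
        path = image_path(command)
        *dirs, filename = path.split("\\")
        short_dir = any(SHORT_NAME.search(d) for d in dirs)
        # A true 8.3 name cannot contain spaces, so this mix is inconsistent.
        spaced_file = " " in filename.rsplit(".", 1)[0].strip()
        if short_dir and spaced_file:
            hits.append((hive, name, path))
    return hits


if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_LOG):
        print(hit)
```

This is a triage heuristic built from the few observations in the thread; a hit marks an entry for manual review, not for automatic removal.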