Updated Omegasearch Removal Information - Check here for the latest Omegasearch Info!
Dexter
Vancouver, BC Canada
UPDATE NOTICE: This post contains outdated information and will no longer be updated.
For all Omegasearch related problems, please use our own FREE OmegakillerSM removal tool.
The original information is retained for archival and search purposes, but is now dated and should be used for general info only.
Since the Omegasearch Removal Guide was written, we have found much more information on variations from people who have posted here. There are many variants of the Omegasearch hijacker, and we have identified some patterns to the random file names generated by the installer. We will update this additional information page as new information becomes available.
***IF YOU NEED TO POST YOUR HIJACK THIS LOG FOR HELP, PLEASE DO SO IN YOUR OWN NEW THREAD, AND CALL IT "OMEGASEARCH - (YOUR USERNAME)" DO NOT ADD YOUR LOG TO SOMEONE ELSE'S EXISTING THREAD. IF YOU ADD TO SOMEONE ELSE'S THREAD, WE MAY MISS YOUR NEW POST AND BE UNABLE TO HELP YOU.*****
If the guide does not clean Omegasearch from your system, please try the following additional steps:
1 - Start in safe mode
2 - Close all browser windows and shut down all other programs (even folders) that show in the taskbar. MAKE SURE HIJACK THIS IS IN ITS OWN FOLDER!!!!! DO NOT RUN IT FROM "My Documents" or Desktop, or the root directory of C:. Put it in its own folder called HJT. This is important. Removing items with HJT creates a bunch of BACKUP files. Those files will be created in whatever folder HJT was in. If that was your desktop, your desktop will now be littered with BACKUP files. So give those backups a nice safe home...a dedicated HJT folder.
Now, start Hijack This and run a scan.
Look for any entries that follow this type of pattern, and if you have them, put a check mark beside them and Fix Selected:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...p://about_:blank
O4 - HKLM\..\Run: [Camp inter] D:\PROGRA~1\ONEFOURJUGS\Browse axis.exe
O4 - HKLM\..\Run: [one face] C:\PROGRA~1\Style clock jugs\copy peak.exe
O4 - HKLM\..\Run: [SectCool] C:\PROGRA~1\Tray hide\ooze copy city.exe
O4 - HKLM\..\Run: [Play iso] C:\PROGRA~1\ENCMAI~1\frag wma.exe
O4 - HKLM\..\Run: [bore atom] C:\PROGRA~1\GPLAXI~1\Bluethat.exe
O3 - Toolbar: ball manager chic - {4A832A68-B870-BA26-4FCE-0AE0AF7FC583} - C:\PROGRA~1\DARTST~1\32 proxy.dll
O4 - HKLM\..\Run: [nounbold] C:\PROGRA~1\BASHSP~1\transmemo.exe
O4 - HKLM\..\Run: [ByteFrag] C:\PROGRA~1\ENCRDR~1\litethat.exe
O4 - HKLM\..\Run: [free peak] C:\PROGRA~1\CASTME~1\nurb atom cash.exe
O2 - BHO: (no name) - {0204BF12-7A91-2672-26FF-58533F1533A6} - C:\PROGRA~1\SUPPOR~1\BallBird.dll
O2 - BHO: (no name) - {F0641213-5975-D987-0121-2659ACDEF229} - C:\PROGRA~1\STYLEC~1\burnup.dll
O4 - HKLM\..\Run: [Pure Global] C:\PROGRA~1\junkdrawbyte\coal grey.exe
O4 - HKLM\..\Run: [Deaf junk] C:\PROGRA~1\wave 2 vc\GridDraw.exe
O2 - BHO: (no name) - {3B500EEB-A955-BE31-99B3-CFEF24F79B0D} - C:\PROGRA~1\DARTDU~1\Balmbyte.dll
O4 - HKLM\..\Run: [JugsBash] C:\PROGRA~1\LogItchMath\Team Dead.exe
O4 - HKLM\..\Run: [corn web] C:\PROGRAM\DEAFBI~1\DEFY 01 THAT.exe
O4 - HKLM\..\Run: [Nurb Lite] C:\PROGRA~1\List Title For\data admin.exe
O2 - BHO: (no name) - {591A5051-66FB-4CDB-BB93-4C51E6A98767} - C:\PROGRA~1\SECOND~1\Plus great.dll
O3 - Toolbar: DVD LOVE COPY - {22225189-4FFC-085E-BA08-A13A6F412757} - C:\PROGRA~1\SECOND~1\Plus great.dll
O2 - BHO: (no name) - {037D536A-F052-65E0-CBE9-0BE58B2C0108} - C:\PROGRA~1\magsatom\new inside.dll
O3 - Toolbar: TimeMix - {EB3D7F53-171A-7DF7-6766-A4ECFF34BC5D} - C:\PROGRA~1\magsatom\new inside.dll
O4 - HKLM\..\Run: [dart beep] C:\PROGRA~1\FIVEBARBSETUP\Build mp3.exe
O4 - HKLM\..\Run: [mpegstyle] C:\PROGRA~1\MODEFI~1\City Mfcd.exe
O4 - HKLM\..\Run: [Admin thunk] C:\PROGRA~1\glueaudio\CompBook.exe
O2 - BHO: (no name) - {9ECEDC6B-C6E8-7F28-B650-F327DFA7B2DE} - C:\PROGRA~1\STARTB~1\Skipmp3.dll
O3 - Toolbar: Forflapbat - {AD50D826-F0F5-AEB7-9761-9E86A7A8A22F} - C:\PROGRA~1\STARTB~1\Skipmp3.dll
O4 - HKLM\..\Run: [inter rdr] C:\PROGRA~1\THUNKSLOW\KIND DASH.exe
O2 - BHO: (no name) - {E2470E80-3C69-AA41-37A3-D5D24FE7A7C2} - C:\PROGRA~1\EQDOGR~1\dupelite.dll
O3 - Toolbar: bore axis - {C2B93790-D22C-A6DF-B6CA-74B17C084CB4} - C:\PROGRA~1\EQDOGR~1\dupelite.dll
O4 - HKLM\..\Run: [tray title] C:\PROGRA~1\deafcashsurf\curb each new.exe
O4 - HKLM\..\Run: [DEAF SIZE] C:\PROGRA~1\Intra Beep\OWNSJOYAMEN.exe
O2 - BHO: (no name) - {13B69B0E-111C-47B1-5818-B245910E2916} - C:\PROGRA~1\ITCHTE~1\debug type.dll
O3 - Toolbar: ThunkGreyWindow - {83ECDCC0-3699-7A71-601E-41B3FEAAA992} - C:\PROGRA~1\ITCHTE~1\debug type.dll
O4 - HKLM\..\Run: [for store] C:\PROGRA~1\EXITLI~1\Copy Drive Extra.exe
O4 - HKLM\..\Run: [iso deaf] C:\PROGRA~1\PARTOP~1\blahview.exe
That is a sampling of entries we have seen in our forums. As you can see many of these follow the format:
O4 - HKLM\..\Run: + [random title]+ "PROGRA~1" + file name.exe
where the random title is made up of 2 words - no doubt designed to appear familiar to your typical internet user, the "Program Files" folder is truncated to PROGRA~1 (8.3 style) and the exe name is more than 1 word, with trailing spaces, again designed to appear "familiar."
3 - Reboot into safe Mode, and open My Computer. Go to Tools -> Folder Options -> View and Select "Show Hidden Files and Folders."
4 - Look for any of the files on your computer that follow this naming pattern. If you have them, delete them and be sure to empty your trash.
C:\PROGRAM FILES\ONEFOURJUGS
C:\PROGRAM FILES\Style clock jugs\copy peak.exe
C:\PROGRAM FILES\Tray hide\ooze copy city.exe
C:\PROGRAM FILES\ENCMAI~1\frag wma.exe
C:\PROGRAM FILES\ONEFOURJUGS\Browse axis.exe
C:\PROGRAM FILES\GPLAXI~1\Bluethat.exe
C:\PROGRAM FILES\CASTME~1\nurb atom cash.exe
C:\PROGRAM FILES\ENCRDR~1\litethat.exe
C:\PROGRAM FILES\BASHSP~1\transmemo.exe
C:\PROGRAM FILES\SUPPOR~1\BallBird.dll
C:\PROGRAM FILES\junkdrawbyte\coal grey.exe
C:\PROGRAM FILES\STYLEC~1\burnup.dll
C:\PROGRAM FILES\warn mfcd wait\Mix more vc.exe
C:\PROGRAM FILES\wave 2 vc\GridDraw.exe
C:\PROGRAM FILES\DARTDU~1\Balmbyte.dll
C:\PROGRAM FILES\LogItchMath\Team Dead.exe
C:\PROGRAM FILES\DEAF BITS FUNK\DEFY 01 THAT.EXE
C:\PROGRAM FILES\List Title For\data admin.exe
C:\PROGRAM FILES\SECOND~1\Plus great.dll
C:\PROGRAM FILES\magsatom\new inside.dll
C:\PROGRAM FILES\FIVEBARBSETUP\Build mp3.exe
C:\PROGRAM FILES\MODEFI~1\City Mfcd.exe
C:\PROGRAM FILES\glueaudio\CompBook.exe
C:\PROGRAM FILES\THUNKSLOW\KIND DASH.exe
C:\PROGRAM FILES\deafcashsurf\curb each new.exe
C:\PROGRAM FILES\EQDOGR~1\dupelite.dll
C:\PROGRAM FILES\Intra Beep\OWNSJOYAMEN.exe
C:\PROGRAM FILES\ITCHTE~1\debug type.dll
C:\PROGRAM FILES\EXITLI~1\Copy Drive Extra.exe
C:\PROGRAM FILES\Part Option Pile\blahview.exe
C:\PROGRAM FILES\Extra Else Software\Eq amok.dll
C:\PROGRAM FILES\hide flap web\Downloadsoap.exe
Wherever you may see "PROGRA~1" it means "Program Files." Anything else such as the "ENCMAI~1" will be Encmai*, where * = any combination of characters. Search for the closest possible match, then look for matches on the .EXE files in that directory, and delete them.
The names of these files and their locations may vary as described above. They may be located on another hard drive if you use a different drive for your Program Files.
5 - While in safe mode run your anti virus program and do a full system scan.
6 - Reboot normally, and see if you still have Omegasearch. If you do, re-run Hijack This and post a log here in our Security: Spyware / Virus / Trojans Forum.
NOTE: Also be alert in your Hijack This scan for entries with the words:
admin, amok, axis, bart, blah, blue, build, bore, byte, cash, city, coal, copy, curb, data, dart, dash, dead, deaf, five, flap, frag, funk, grey, jugs, list, memo, new, nurb, ooze, peak, that, vc (more to come as we find them....)
These seem to be some of the key words in some randomly generated names for the Omegasearch Installer. Check for these, or any words that match the names of the items in the "delete" list above.
Once you are free from Omegasearch, please tighten up your browser security, and practise safer browsing habits. Read this article to learn how to avoid being infected in the future. If you clean up Omegasearch from your computer, and then notice it comes back after you visit a certain website...stay away from that website. Don't install every free tool offered to you, even if your friends recommend it. If you aren't sure about something...CHECK WITH US FIRST!
While you are waiting for help with your post, please feel free to browse the rest of our site - we have what we feel is the best little Tech Community on the Net, with friendly and knowledgeable users in every area of computing. If you have a question or a problem, we can probably answer or solve it.
We also are dedicated to a very good cause: Folding For a Cure. Put your computer's spare power to work searching for the cure to diseases. Join our Team 93 today - we are one of the Top 10 Folding Teams in the World! Join a winning team, and help Fold for a Cure!
Dexter...
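The naming pattern and the keyword NOTE in the post above can be applied to a saved Hijack This log as a triage check. This is an added example, not part of the original post or of the removal tool it mentions; the function names and the tokenising rule (split CamelCase, let keywords of four or more letters be glued to another word) are assumptions, and the last two sample lines are constructed benign entries.

```python
import re

# Keywords exactly as listed in the post's NOTE.
KEYWORDS = frozenset("""admin amok axis bart blah blue build bore byte cash city
coal copy curb data dart dash dead deaf five flap frag funk grey jugs list memo
new nurb ooze peak that vc""".split())

# O2 = BHO, O3 = toolbar, O4 = Run entry; "04" (zero) is accepted as a typo for "O4".
SECTION_RE = re.compile(r"^[O0]([234]) - ")
# "Program Files", "PROGRA~1" or "PROGRAM" on any drive, as seen in the post.
PROGFILES_RE = re.compile(r"[A-Za-z]:\\progra[^\\]*\\", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")  # stripped so hex like DEAD cannot match


def tokens(text):
    """Lowercase words, also breaking CamelCase (BallBird -> ball, bird)."""
    words = []
    for run in re.findall(r"[A-Za-z]+", text):
        words += re.findall(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+", run)
    return [w.lower() for w in words]


def keyword_hits(text):
    hits = set()
    for tok in tokens(GUID_RE.sub(" ", text)):
        for kw in KEYWORDS:
            # Short keywords (new, vc) must be whole words; longer ones may be
            # glued to another word, as in "Bluethat" or "transmemo".
            if tok == kw or (len(kw) >= 4 and (tok.startswith(kw) or tok.endswith(kw))):
                hits.add(kw)
    return sorted(hits)


def triage(log_lines):
    """Return (line, hits) for O2/O3/O4 entries under Program Files with hits."""
    flagged = []
    for line in log_lines:
        line = line.strip()
        if SECTION_RE.match(line) and PROGFILES_RE.search(line):
            hits = keyword_hits(line)
            if hits:
                flagged.append((line, hits))
    return flagged


SAMPLE = [  # first four lines are from the post; the last two are constructed
    r"O4 - HKLM\..\Run: [Camp inter] D:\PROGRA~1\ONEFOURJUGS\Browse axis.exe",
    r"O4 - HKLM\..\Run: [nounbold] C:\PROGRA~1\BASHSP~1\transmemo.exe",
    r"O3 - Toolbar: bore axis - {C2B93790-D22C-A6DF-B6CA-74B17C084CB4} - C:\PROGRA~1\EQDOGR~1\dupelite.dll",
    r"O2 - BHO: (no name) - {0204BF12-7A91-2672-26FF-58533F1533A6} - C:\PROGRA~1\SUPPOR~1\BallBird.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
]

if __name__ == "__main__":
    for entry, hits in triage(SAMPLE):
        print(", ".join(hits), "<-", entry)
```

The BallBird.dll entry from the post is not flagged, which shows the keyword list is incomplete, as the post itself says. Several keywords (copy, data, list, new) are ordinary words that legitimate software also uses, so hits are candidates for manual review rather than a removal list.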
This discussion has been closed.