
The Return of the OmegaSearch

I've tried a couple of times now, regarding myself as cunning enough to fix this. But I can't get rid of it. It just keeps returning and returning.

There were some files I deleted in Program Files: (folder) '\Flaw Time\'dalereadme.exe' + a dll and a bin file. Don't remember their names though. And in the registry: 'onelinkbags'
I don't know if they have anything to do with the Omegasearch.

This is my HijackThis log:
*some remarks at the end

Logfile of HijackThis v1.97.7
Scan saved at 12:41:45, on 13.05.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\NSSRVICE.EXE
C:\Program Files\Norman\NVC\BIN\Zanda.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRAM FILES\NORMAN\nvc\BIN\NJEEVES.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAM FILES\NORMAN\nvc\BIN\nvcoas.exe
C:\PROGRAM FILES\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\cclaw.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\D-Tools\daemon.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NIP.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Billionton\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\BILLIO~1\BLUETO~1\BTSTAC~1.EXE
D:\Program Files\mIRC\mirc.exe
C:\WINNT\regedit.exe
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Calle.COSMIC\Desktop\hijack\HijackThis.exe
D:\Program Files\AutoCAD 2004\acad.exe
c:\temp\~e5d141.tmp
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Telefonkatalogen - {BF1391FA-E192-4605-9480-33C48678BFC1} - C:\WINNT\tktoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE /LOAD
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Billionton\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Telefonkatalogen (HKLM)
O9 - Extra 'Tools' menuitem: Telefonkatalogen (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://flash.vg.no/codvg/cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553515000} - http://active.macromedia.com/flash/cabs/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF0F8640-83CE-442B-8DBE-541043302EF1}: NameServer = 217.13.4.24,217.13.7.140


remarks:
O3 - Toolbar: &Telefonkatalogen - {BF1391FA-E192-4605-9480-33C48678BFC1} - C:\WINNT\tktoolbar.dll is an online phone catalogue

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx is some online radio channel



If anyone knows what to do to solve this, I'm happy to listen. It's getting on my nerves, and it slows my computer.

Regards Callen
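The three R0/R1 lines in the log above are the whole visible hijack: Internet Explorer's Start Page, Search Bar and SearchURL values under HKCU have been pointed at omegasearch.com and topsearcher.com. Note that the Start Page line embeds www.google.com after a "?" so the browser still appears to land on Google; the host that is actually visited is omegasearch.com. Below is an added triage script (written for this page, not part of the original post or of HijackThis) that parses R0/R1 lines in this log format, flags navigation values whose real host is not on a small allowlist, and emits the reg.exe commands that would delete them. The allowlist, the sample log (the four redirect lines from the post plus one constructed benign line) and the use of reg.exe, which ships with Windows XP and later, are assumptions of the example; on the Windows 2000 machine in the log, regedit does the same job.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# HijackThis R0/R1 lines describe Internet Explorer registry values:
#   R0 = a value that was changed, R1 = a value that was created, e.g.
#   R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/
REDIRECT_LINE = re.compile(
    r"^(?P<kind>R[01]) - (?P<key>HK[A-Z]+\\[^,]+),(?P<name>[^=]+) = (?P<value>.*)$"
)

# Value names that decide where IE navigates or searches.
NAVIGATION_VALUES = {
    "Start Page", "Search Page", "Search Bar", "SearchURL",
    "Default_Page_URL", "Default_Search_URL", "Local Page",
}

# Hosts IE may legitimately point at (an allowlist assumed for this example;
# extend it with whatever the user actually chose as a home page).
KNOWN_GOOD_HOSTS = {"www.google.com", "google.com", "www.msn.com", "msn.com", "search.msn.com"}

# Constructed sample: the four R0/R1 lines from the log plus one benign line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
"""


@dataclass(frozen=True)
class Finding:
    key: str     # registry key, e.g. HKCU\Software\Microsoft\Internet Explorer\Main
    name: str    # value name, e.g. Start Page
    value: str   # the URL the value points at
    reason: str  # why it was flagged


def outer_host(url: str) -> str:
    """Host the browser really connects to; anything after '?' is only a query string."""
    return (urlparse(url).hostname or "").lower()


def triage_redirects(log_text: str) -> list[Finding]:
    """Return the IE navigation values in a HijackThis log that point off the allowlist."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = REDIRECT_LINE.match(raw.strip())
        if not m:
            continue
        name, value = m["name"].strip(), m["value"].strip()
        if name not in NAVIGATION_VALUES:
            continue  # ProxyOverride and similar settings are not navigation targets
        host = outer_host(value)
        if host in KNOWN_GOOD_HOSTS:
            continue
        reason = f"points at {host}"
        # A 'passthrough' URL wraps a legitimate site in the query string so the
        # page looks normal while every visit still goes through the hijacker.
        if "?http" in value.lower():
            reason += " (wraps another URL: passthrough redirect)"
        findings.append(Finding(m["key"].strip(), name, value, reason))
    return findings


def reg_delete_commands(findings: list[Finding]) -> list[str]:
    """reg.exe commands that remove the flagged values (run as the affected user)."""
    return [f'reg delete "{f.key}" /v "{f.name}" /f' for f in findings]


if __name__ == "__main__":
    found = triage_redirects(SAMPLE_LOG)
    for f in found:
        print(f"{f.key},{f.name} = {f.value}\n    -> {f.reason}")
    print("\nRemediation:")
    for cmd in reg_delete_commands(found):
        print("  " + cmd)
```

The script deliberately keys on the outer host rather than searching the whole string for a trusted name, which is what a quick eyeball of the Start Page line gets wrong. Deleting the values only restores IE's defaults; the thread's own lesson applies unchanged: a registry guard such as Ad-Watch may silently refuse the deletion, and if whatever wrote the values is still running (an O2/O4 entry, a scheduled task) they will come back on the next boot, so re-run the scan after a restart.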

Comments

  • edited May 2004
    I have noticed that Ad-Watch would not let me delete the strings in the registry. It blocks me, as it thinks it is a browser hijack attempt.

    So then I looked through the Ad-Watch settings and unchecked the IE registry bit. And then used the HijackThis program to delete the start page settings in the registry. Chose accept when Ad-Watch popped up. And re-enabled the Ad-Watch settings.

    Now I'm getting myself an aspirin.

    Anyway, thanks for the helpful forum with lots of solutions. Helped me a lot, though I had to figure this myself. :)

    Have a nice day.

    regards Callen
  • Kwitko
    edited May 2004
    You've still got:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...www.google.com/

    unless you managed to clean them out. Also, this:
    c:\temp\~e5d141.tmp

    worries me. I'd kill that if possible. I didn't notice any of the Omegasearch DLLs or EXEs in your log, so it looks like the only things remaining were the redirects. I guess Ad-Watch is keeping you clean.
  • edited May 2004
    Ad-Watch wouldn't let me delete those, so I had to adjust some settings. Then I was able to delete them.

    c:\temp\~e5d141.tmp

    is a temp file that a 3rd-party AutoCAD plugin uses. Looked like it when I opened the file in Notepad.

    It was that bloody Ad-Watch that troubled me. Didn't read anything about that on the forum, but now I know. The rest of the forum was great, lots of info. Thanks guys.

    Callen