Omega Search - Augie

Augie · May 2004

Hi i'm not sure if this is the place but i too am having difficulty getting rid of omega and i have run hjt once, here is my log file, thanks to all who help
Augie
Logfile of HijackThis v1.97.7
Scan saved at 10:02:39 AM, on 5/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rk89h7tr.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rk89h7tr.slt\prefs.js)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBEDEFBD-6845-4514-835B-42712F1B0C22} - (no file)
O2 - BHO: (no name) - {EC686204-4FCD-1E05-5793-D6166C9F137E} - C:\PROGRA~1\HTMFRE~1\pilegrid.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {7A497B34-9679-4933-8D56-D860EDD1E741} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O3 - Toolbar: PlaySettings - {617C0E1D-E659-9091-BF1A-0445B1536F07} - C:\PROGRA~1\HTMFRE~1\pilegrid.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cool tool] C:\PROGRA~1\hold bend junk\browse clock.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\FRU\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.netscape.com/search/toolbar/netscape.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38052.5042476852
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

muddocktor · May 2004

OK Augie, I'm a n00b at helping get this stuff out but I'll post some lines that definitely have to go for you.

Boot up in safe mode with system restore turned off and get rid of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...://www.msn.com/

The following I don't know about or aren't required for proper operation of windows or the app required:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
Don't know about these

O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {EBEDEFBD-6845-4514-835B-42712F1B0C22} - (no file)
O2 - BHO: (no name) - {EC686204-4FCD-1E05-5793-D6166C9F137E} - C:\PROGRA~1\HTMFRE~1\pilegrid.dll
O3 - Toolbar: (no name) - {7A497B34-9679-4933-8D56-D860EDD1E741} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: PlaySettings - {617C0E1D-E659-9091-BF1A-0445B1536F07} - C:\PROGRA~1\HTMFRE~1\pilegrid.dll
don't know about it but looks suspicious

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Real player crap, not needed for proper operation

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
Not needed for proper operation of Quick Time, can be deleted

O4 - HKLM\..\Run: [cool tool] C:\PROGRA~1\hold bend junk\browse clock.ex
Don't know what it is, but looks kinda suspicious to me

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Seen Mr. Kwitko say this isn't needed

Hopefully, one of the more experienced hands at removing this stuff will drop in on your thread here and comment on the stuff I said looks suspicious and also see if they see anything else that looks bad in your HJT log.

Dexter · May 2004

Good job mud, evey single entry you quoted there needs to go.

So should:

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rk89h7tr.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rk89h7tr.slt\prefs.js)

In addition, manually quarantine or delete the following files and their enclosing folders:

C:\PROGRAM FILES\hold bend junk\browse clock.ex

C:\PROGRAM FILES\HTMFRE~1\pilegrid.dll (Look for a folder that starts with the letters "htmfre".)

C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

Reboot in normal mode, and check for Omegasearch. Come back and let us know how it goes.

Dexter...

Augie · May 2004

Hi and thanks, it seems to have worked but only time will tell as this thing seems to reapper even after you think you got it. I also found in program files a folder called superbar with spuninst is there any link to the omega or is this something else, i don't like the looks of it
you guys are awesome
thanks

muddocktor · May 2004

Glad to help you out, Augie. I'm still trying to learn about this stuff myself and so far I've learned a lot. As far as the superbar and spuninst I'd quarantine them as Dexter said about the other folders and see it everything still works. If you don't have any problems with your programs running, then delete.

Augie · May 2004

thanks i did a search and it looks like spunnist is associated with a windows update so for now since it's doesn't seem to be causing me problems i will leave alone, the superbar i deleted, it just didn't feel right, again thanks you guys were great
Augie

muddocktor · May 2004

I just did a google search on spuninst and it looks like it's the uninstall files for a Windows service pack. Keep them around if you might want to roll back your service pack install. I don't have them on my XP Pro as my copy came with SP1 included.

Omega Search - Augie

Comments