
omegasearch removal - Gurk

Logfile of HijackThis v1.97.7
Scan saved at 22:35:14, on 2004-05-19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\WTLXPan.Exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
C:\PROGRA~1\CASHEG~1\Pure Mfcd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.payfortraffic.net/search.htm
R3 - URLSearchHook: MailTo Class - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\mswsc10.dll (file missing)
O1 - Hosts: 5377608764 spywareforum.com
O1 - Hosts: 5377608764 www.spywareforum.com
O1 - Hosts: 5377608764 forum.spywareinfo.com
O1 - Hosts: 5377608764 nativehardcore.com
O1 - Hosts: 5377608764 www.nativehardcore.com
O1 - Hosts: 5377608764 approvedlinks.com
O1 - Hosts: 5377608764 www.approvedlinks.com
O1 - Hosts: 5377608764 searchv.com
O1 - Hosts: 5377608764 www.searchv.com
O1 - Hosts: 5377608764 selfbookmarks.com
O1 - Hosts: 5377608764 www.selfbookmarks.com
O1 - Hosts: 5377608764 searching-the-net.com
O1 - Hosts: 5377608764 www.searching-the-net.com
O1 - Hosts: 5377608764 ywebsearch.info
O1 - Hosts: 5377608764 www.ywebsearch.info
O1 - Hosts: 5377608764 ok-search.com
O1 - Hosts: 5377608764 www.ok-search.com
O1 - Hosts: 5377608764 ewebsearch.net
O1 - Hosts: 5377608764 www.ewebsearch.net
O1 - Hosts: 5377608764 www.008k.com
O1 - Hosts: 5377608764 autosearcher.com
O1 - Hosts: 5377608764 www.autosearcher.com
O1 - Hosts: 5377608764 www.selfbookmarks.com
O1 - Hosts: 5377608764 www.smutserver.com
O1 - Hosts: 5377608764 www.kinghost.com
O1 - Hosts: 5377608764 www.smuthosts.com
O1 - Hosts: 5377608764 livesexlist.com
O1 - Hosts: 5377608764 www.livesexlist.com
O1 - Hosts: 5377608764 www.thumbnailpost.com
O1 - Hosts: 5377608764 thumbnailpost.com
O1 - Hosts: 5377608764 adult-series.com
O1 - Hosts: 5377608764 www.adult-series.com
O2 - BHO: (no name) - {0CECAF47-D899-5D55-397C-2213068DC5E1} - C:\PROGRA~1\CREATI~1\proxy license.dll
O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Gustaf\Application Data\winlink\winlink.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WTLXPan] WTLXPan.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
O4 - HKLM\..\Run: [dumb debug] C:\PROGRA~1\CASHEG~1\Pure Mfcd.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0713E8A2-850A-101B-AFC0-4210102A8DA7} (Microsoft TreeView Control, version 5.0 (SP2)) - http://212.75.85.247/apps/comctl32.ocx
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.5661689815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I've gone through the guide but I can't get rid of omegasearch. Could anyone help me please?

Comments

  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Gurk, in the future, please post your log in its own thread, not in someone else's. Also, please read this thread on posting etiquette.

    Before beginning, make sure to put HiJackThis in its own folder in case you have to restore from the backups.

    Boot into safe mode, run HiJackThis, and delete the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...www.google.com/
    Omegasearch passthrough

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.payfortraffic.net/search.htm
    Pay-for-surfing sites are scum and usually require you to install some spyware app. Frankly, I'm convinced you're surfing to make *them* money, not you.

    R3 - URLSearchHook: MailTo Class - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\mswsc10.dll (file missing)
    Coolwebsearch DLL

    O1 - Hosts: 5377608764 spywareforum.com
    O1 - Hosts: 5377608764 www.spywareforum.com
    O1 - Hosts: 5377608764 forum.spywareinfo.com
    O1 - Hosts: 5377608764 nativehardcore.com
    O1 - Hosts: 5377608764 www.nativehardcore.com
    O1 - Hosts: 5377608764 approvedlinks.com
    O1 - Hosts: 5377608764 www.approvedlinks.com
    O1 - Hosts: 5377608764 searchv.com
    O1 - Hosts: 5377608764 www.searchv.com
    O1 - Hosts: 5377608764 selfbookmarks.com
    O1 - Hosts: 5377608764 www.selfbookmarks.com
    O1 - Hosts: 5377608764 searching-the-net.com
    O1 - Hosts: 5377608764 www.searching-the-net.com
    O1 - Hosts: 5377608764 ywebsearch.info
    O1 - Hosts: 5377608764 www.ywebsearch.info
    O1 - Hosts: 5377608764 ok-search.com
    O1 - Hosts: 5377608764 www.ok-search.com
    O1 - Hosts: 5377608764 ewebsearch.net
    O1 - Hosts: 5377608764 www.ewebsearch.net
    O1 - Hosts: 5377608764 www.008k.com
    O1 - Hosts: 5377608764 autosearcher.com
    O1 - Hosts: 5377608764 www.autosearcher.com
    O1 - Hosts: 5377608764 www.selfbookmarks.com
    O1 - Hosts: 5377608764 www.smutserver.com
    O1 - Hosts: 5377608764 www.kinghost.com
    O1 - Hosts: 5377608764 www.smuthosts.com
    O1 - Hosts: 5377608764 livesexlist.com
    O1 - Hosts: 5377608764 www.livesexlist.com
    O1 - Hosts: 5377608764 www.thumbnailpost.com
    O1 - Hosts: 5377608764 thumbnailpost.com
    O1 - Hosts: 5377608764 adult-series.com
    O1 - Hosts: 5377608764 www.adult-series.com
    Hosts file redirects. The hijacker points legit sites to its own, but strangely, in this case, both legit and pr0n sites are being redirected, and strange again is the fact that 5377608764 resolves to 255.255.255.255.

    O2 - BHO: (no name) - {0CECAF47-D899-5D55-397C-2213068DC5E1} - C:\PROGRA~1\CREATI~1\proxy license.dll
    Omegasearch DLL

    O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
    IEPageHelper parasite

    O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Gustaf\Application Data\winlink\winlink.dll (file missing)
    WinShow parasite

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    P2P Networking parasite

    O4 - HKLM\..\Run: [WTLXPan] WTLXPan.Exe
    Unsure of this one. Seems like a random filename. I would rename it WTLXPan.bak and check to see if any programs complain it's missing or don't function.

    O4 - HKLM\..\Run: [dumb debug] C:\PROGRA~1\CASHEG~1\Pure Mfcd.exe
    Omegasearch EXE

    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe

    Reboot and rerun HiJackThis to make sure your log is clean. You've got a CWS infection, so run CWShredder, available here. Make sure you run in safe mode. Follow up with Ad-Aware and/or Spybot. To protect against further infections, install SpywareBlaster. All 3 are available on our Security Downloads page.

    Please post a fresh log after you're finished.
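The hosts-file point in the reply above (a bare decimal address too large for 32 bits that ends up as 255.255.255.255), as an added example that is not from this thread: a small Python triage of HijackThis O1 lines that decodes the address field with the classic inet_aton grammar and flags entries that blackhole or redirect a name, including the anti-spyware help sites this log blocks. The sample lines are constructed; treating an undecodable address as INADDR_NONE is an assumption that mirrors inet_addr's documented failure value.

```python
"""Triage HijackThis 'O1 - Hosts:' lines (added example, not from the thread)."""
import re

INADDR_NONE = 0xFFFFFFFF           # value inet_addr returns when parsing fails
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
HELP_SITES = ("spywareinfo.com", "spywareforum.com")   # names seen blocked in the log

def _part(p):
    """One dotted part: hex (0x..), octal (leading 0) or decimal, as inet_aton reads it."""
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p)

def inet_aton(text):
    """32-bit value for a.b.c.d / a.b.c / a.b / a forms, or None if invalid.
    A one-part form is a whole 32-bit number, so 5377608764 (>= 2**32) is rejected."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        return None
    try:
        nums = [_part(p) for p in parts]
    except ValueError:
        return None
    *lead, last = nums
    if any(n > 0xFF for n in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None
    value = last
    for i, n in enumerate(lead):
        value |= n << (8 * (3 - i))
    return value

def to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def triage_o1(lines):
    """Return (hostname, decoded address, verdict) for each O1 line."""
    out = []
    for line in lines:
        m = O1_RE.match(line.strip())
        if not m:
            continue
        addr, host = m.groups()
        value = inet_aton(addr)
        if value is None:
            value = INADDR_NONE    # assumption: mirror inet_addr's failure value
        dotted = to_dotted(value)
        if value == INADDR_NONE:
            verdict = "invalid address; name is blackholed"
        elif dotted.startswith("127."):
            verdict = "loopback (ordinary blocking entry)"
        else:
            verdict = "redirect to remote host"
        if host.endswith(HELP_SITES):
            verdict += "; security help site blocked"
        out.append((host, dotted, verdict))
    return out

# Constructed sample lines in HijackThis O1 format.
SAMPLE = """O1 - Hosts: 5377608764 forum.spywareinfo.com
O1 - Hosts: 127.0.0.1 www.example.com
O1 - Hosts: 3232235777 www.example.net""".splitlines()
```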
  • edited May 2004
    Ok, thanks for the help. I'm clean now. I found out that WTLXPan.exe was my soundcard program. I ran the CWShredder program as well but it couldn't find anything. Sorry for posting in someone else's thread, I was desperate and didn't know what I was doing.
  • edited May 2004
    Ah... Sorry that I forgot to introduce myself. My name is Gurk, the desperate, strange, rude guy that needed to get rid of omegasearch :)

    I'm sure I'm not the first one that didn't read this thread before posting. I appreciate what you guys are doing. Thanks again ;)