
Hijacked by best/omega-search.

Please help! I've been trying for 20 days to get rid of this thing but it won't go away. I've tamed it considerably, and can easily regain control of my browser, but it keeps coming back every time I reboot.

This is my latest HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 5:09:24 PM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wcpsvit.exe
C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm1u.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Brian\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/p?v&k=pf_3
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKCU\..\Run: [5-2-170-33[1]] c:\windows\5-2-170-33[1].exe -m
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe
O4 - Startup: BJ Status Monitor Canon BJC-2000.lnk = C:\Documents and Settings\Brian\cnmss1u.exe
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {611CF77F-F7F5-4EA1-B979-667671326B4C} (MarketTrader - ETrade v243a) - http://etrade.bridge.com/etgmt_prd/java/gmtb_etrade_i.cab
O16 - DPF: {89EDFBA2-F623-11D4-BA72-00C04F753F09} (EtradeBridgeChannel) - http://etrade.bridge.com/bc24/java/etradeinstall.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37606.5162384259
O16 - DPF: {A0777FF1-23AC-11D5-BA9B-00C04F753F09} (BridgeBC24) - http://etrade.bridge.com/bc24/java/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {E93A06EF-ABD8-4FA5-96BF-968614B08531} (MarketTrader - Reuters v243b) - http://etrade.bridge.com/etgmt_prd/java/gmtb_bridge_i.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7813A0D4-951C-43FB-96FC-C990058CF2B8}: NameServer = 206.13.28.12 206.13.29.12

Comments

  • shwaip (bluffin' with my muffin, Icrontian)
    edited May 2004
    Try downloading and running Ad-Aware as well as Spybot S&D from the link in my sig. Be sure to update them before you run the scan. After that, reboot and post a new log, please.
  • Dexter (Vancouver, BC Canada)
    edited May 2004
    This item here:

    O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe

    is from a variant of CoolWebSearch, another type of hijacker. You should download and run CW Shredder from: http://www.spywareinfo.com/~merijn/downloads.html

    Make sure to follow the instructions on the page: you need to have the Microsoft VB runtime libraries installed on your system, and there is a link on the page. Make sure to run CW Shredder in SAFE MODE.

    Then, stay in SAFE MODE and put HJT into its own folder. Don't just leave it on your desktop, because it is going to create backup files, and you don't want those all over your desktop. Run HJT, and delete any of these entries that are left over after running the programs Shwaip advised and the CW Shredder.

    O4 - HKCU\..\Run: [5-2-170-33[1]] c:\windows\5-2-170-33[1].exe -m

    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1

    O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe

    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?

    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/mini...uginstaller.cab

    FYI, weather.exe is "Weatherbug", which is known adware: it causes pop-up ads on your system.

    Reboot normally, and see how it all worked. Come let us know!

    Dexter...
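Dexter's advice boils down to reading the O4 (autostart) lines for things that look wrong: a core Windows binary name such as svchost.exe running from somewhere other than the system directory, an oddly named executable dropped straight into the Windows folder, and known adware. The script below is an added example, not part of the thread or of HijackThis; it parses O4 lines in the log format shown above and applies those three checks to a sample built from this thread's own log lines. The WINT entry (wcpsvit.exe) is deliberately not flagged: it sits in System32 with an ordinary-looking name, which is why the forum still relies on a human reading the log.

```python
import re
from pathlib import PureWindowsPath

# O4 lines copied from the HijackThis log posted above (constructed sample input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKCU\..\Run: [5-2-170-33[1]] c:\windows\5-2-170-33[1].exe -m
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.*?) = (.*)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.I)   # quoted path, or path up to first .exe
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system")
KNOWN_ADWARE = {"weather.exe"}   # WeatherBug, as the thread notes

def parse_o4(line):
    # Return (location, entry name, command) for an O4 line, or None for anything else.
    m = RUN_RE.match(line)
    if m:
        return f"{m[1]}\\{m[2]}", m[3], m[4]
    m = STARTUP_RE.match(line)
    return (m[1], m[2], m[3]) if m else None

def exe_path(command):
    # Strip surrounding quotes and trailing arguments, keeping only the executable path.
    m = EXE_RE.match(command.strip())
    return (m[1] or m[2]) if m else command.strip()

def suspicious_reasons(command):
    # Heuristics taken from the thread; an empty list means "nothing structurally odd".
    path = exe_path(command).lower()
    name, parent = PureWindowsPath(path).name, str(PureWindowsPath(path).parent)
    reasons = []
    if name in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
        reasons.append(f"system binary name outside system dir: {path}")
    if parent == r"c:\windows" and not re.search(r"[a-z]", name[:-4]):
        reasons.append(f"non-alphabetic exe name in Windows root: {path}")
    if name in KNOWN_ADWARE:
        reasons.append(f"known adware: {name}")
    return reasons

def scan(log):
    # Map each flagged O4 entry name to the reasons it was flagged.
    flagged = {}
    for line in log.splitlines():
        parsed = parse_o4(line)
        if parsed and (reasons := suspicious_reasons(parsed[2])):
            flagged[parsed[1]] = reasons
    return flagged
```

Running `scan(SAMPLE_LOG)` flags exactly the olehelp, 5-2-170-33[1] and Weather entries that Dexter singled out, while the QuickTime and QuickShelf entries pass.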