Removing Omega Search

Can anyone please advise me which files NOT to remove?

Logfile of HijackThis v1.97.7
Scan saved at 12:02:58, on 09/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\drivers\KodakCCS.exe
E:\WINNT\system32\nvsvc32.exe
E:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\ScsiAccess.EXE
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
E:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
E:\WINNT\system32\ezSP_Px.exe
E:\PROGRA~1\FIRSTV~1\Blah Boob.exe
E:\WINNT\system32\internat.exe
E:\WINNT\system32\RUNDLL32.EXE
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
E:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
E:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
E:\Program Files\Trend Micro\PC-cillin 2000\Pop3Trap.exe
E:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.EXE
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\John\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Messenger\ycomp.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DE4EF409-FA85-6A0E-BA0F-F58541358DDA} - E:\PROGRA~1\DENTEA~1\free move.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: FRAGUP - {3F561D26-EAF6-9873-1938-A4F8625D740A} - E:\PROGRA~1\DENTEA~1\free move.dll
O4 - HKLM\..\Run: [Pop3trap.exe] "E:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "E:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ISSam] E:\winnt\system32\koran432.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] E:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [ezShieldProtector for Px] E:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ante base] E:\PROGRA~1\FIRSTV~1\Blah Boob.exe
O4 - HKLM\..\RunServices: [mmtask0] E:\WINNT\system32\mmtask0.exe
O4 - HKLM\..\RunServices: [ISSam] E:\winnt\system32\koran432.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Real-time Monitor.lnk = E:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37933.3980555556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Any help would be appreciated.

Comments

  • Kwitko, Sheriff of Banning (Retired), Icrontian
    edited June 2004
    Welcome to Short-Media, faygo. Before we start, please read this thread, then download and install Ad-Aware and Spybot, both available from our Security Downloads page. You can find update instructions for both here. After running both, please post a fresh HiJackThis log.
  • edited June 2004
    Hi Mr. Kwitko, I have already got Spybot and Ad-Aware installed and I have already run both programs within the last hour. Do you want me to do it again?
  • edited June 2004
    I have now run Spybot and Ad-Aware again and here are my results:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:58:47, on 09/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\system32\drivers\KodakCCS.exe
    E:\WINNT\system32\nvsvc32.exe
    E:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    E:\WINNT\system32\regsvc.exe
    E:\WINNT\system32\MSTask.exe
    E:\WINNT\system32\ScsiAccess.EXE
    E:\WINNT\System32\WBEM\WinMgmt.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\Explorer.EXE
    E:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    E:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    E:\WINNT\system32\ezSP_Px.exe
    E:\PROGRA~1\FIRSTV~1\Blah Boob.exe
    E:\WINNT\system32\internat.exe
    E:\WINNT\system32\RUNDLL32.EXE
    E:\Program Files\MSN Messenger\msnmsgr.exe
    E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    E:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    E:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    E:\Program Files\Trend Micro\PC-cillin 2000\Pop3Trap.exe
    E:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.EXE
    E:\Program Files\Yahoo!\Messenger\YPager.exe
    E:\Documents and Settings\John\Desktop\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Messenger\ycomp.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {DE4EF409-FA85-6A0E-BA0F-F58541358DDA} - E:\PROGRA~1\DENTEA~1\free move.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Messenger\ycomp.dll
    O3 - Toolbar: FRAGUP - {3F561D26-EAF6-9873-1938-A4F8625D740A} - E:\PROGRA~1\DENTEA~1\free move.dll
    O4 - HKLM\..\Run: [Pop3trap.exe] "E:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "E:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [ISSam] E:\winnt\system32\koran432.exe
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] E:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] E:\WINNT\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ante base] E:\PROGRA~1\FIRSTV~1\Blah Boob.exe
    O4 - HKLM\..\RunServices: [mmtask0] E:\WINNT\system32\mmtask0.exe
    O4 - HKLM\..\RunServices: [ISSam] E:\winnt\system32\koran432.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Real-time Monitor.lnk = E:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37933.3980555556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks!!!
  • Kwitko, Sheriff of Banning (Retired), Icrontian
    edited June 2004
    Boot into safe mode and delete the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/...w.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {DE4EF409-FA85-6A0E-BA0F-F58541358DDA} - E:\PROGRA~1\DENTEA~1\free move.dll
    O3 - Toolbar: FRAGUP - {3F561D26-EAF6-9873-1938-A4F8625D740A} - E:\PROGRA~1\DENTEA~1\free move.dll
    Omegasearch passthroughs and BHO DLLs.

    O4 - HKLM\..\Run: [ISSam] E:\winnt\system32\koran432.exe
    Filename seems too random. Nothing comes up in Google, either.

    O4 - HKLM\..\Run: [ante base] E:\PROGRA~1\FIRSTV~1\Blah Boob.exe
    Omegasearch EXE that sticks around to make sure you stay infected.

    O4 - HKLM\..\RunServices: [mmtask0] E:\WINNT\system32\mmtask0.exe
    MMTask dialler. Made to look like legitimate Windows file.

    O4 - HKLM\..\RunServices: [ISSam] E:\winnt\system32\koran432.exe

    O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
    If you don't use MSN Messenger, you can safely delete this.

    O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    MS resource hog. Can be removed without affecting Office functionality.

    You might have to manually delete the Omegasearch DLL and EXE. Do a search for the files free move.dll and Blah boob.exe.

    Reboot and post a fresh log.
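
As an added triage example (not from this thread and not part of HijackThis itself): a small Python parser for the R0/R1, O2/O3 and O4 line shapes in the logs above. It flags entries whose URL host is omegasearch.com or whose module is one of the files called out in the reply above, and separately reports any module registered under more than one autostart key, as koran432.exe is here. The indicator sets and the sample lines are assumptions constructed from this thread, not a vendor feed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt in the shape of the HijackThis log above (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.co.uk/
O2 - BHO: (no name) - {DE4EF409-FA85-6A0E-BA0F-F58541358DDA} - E:\PROGRA~1\DENTEA~1\free move.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ISSam] E:\winnt\system32\koran432.exe
O4 - HKLM\..\Run: [ante base] E:\PROGRA~1\FIRSTV~1\Blah Boob.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [ISSam] E:\winnt\system32\koran432.exe
"""
# Indicators named in the thread: an assumed list for this example, not a vendor feed.
BAD_HOSTS = {"omegasearch.com"}
BAD_FILES = {"free move.dll", "blah boob.exe", "koran432.exe", "mmtask0.exe"}

R_LINE = re.compile(r"^R[01] - .+? = (.+)$")                        # IE URL settings
O23_LINE = re.compile(r"^O[23] - (?:BHO|Toolbar): .+? - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[.+?\] (.+)$")                  # registry autostarts
MODULE = re.compile(r'[^\\/"]+\.(?:exe|dll|ocx)', re.IGNORECASE)    # first module in a command

def module_name(command):
    """Lower-cased file name of the first .exe/.dll/.ocx in a command line (handles unquoted paths with spaces), or None."""
    m = MODULE.search(command)
    return m.group(0).lower() if m else None

def triage(log_text):
    """Return (entry, reason) pairs for indicator hits, plus any module registered under more than one autostart key."""
    findings, autostarts = [], defaultdict(set)
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := R_LINE.match(line):
            host = urlparse(m.group(1)).netloc.lower()
            if host in BAD_HOSTS:
                findings.append((line, f"IE start/search setting points at {host}"))
        elif m := O23_LINE.match(line):
            name = module_name(m.group(1))
            if name in BAD_FILES:
                findings.append((line, f"browser add-on loads indicator {name}"))
        elif m := O4_LINE.match(line):
            name = module_name(m.group(2))
            if name:
                autostarts[name].add(m.group(1))          # remember where each module autostarts
            if name in BAD_FILES:
                findings.append((line, f"autostart runs indicator {name}"))
    for name, keys in sorted(autostarts.items()):         # same module in several keys: persistence pattern
        if len(keys) > 1:
            findings.append((name, "registered in several autostart keys: " + ", ".join(sorted(keys))))
    return findings
```

Running `triage(SAMPLE_LOG)` on the constructed excerpt yields five indicator hits and one multi-key finding for koran432.exe; the Adobe and NVIDIA entries are left alone.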
  • edited June 2004
    Thanks Mr. Kwitko, I have deleted what you told me and it seems to have solved the problem; the only thing is I'm unable to delete the Blah boob.exe. It keeps telling me that explorer.exe has an error, then closes the window.

    Is there any way I can remove this pesky thing altogether?

    Thanks
  • Kwitko, Sheriff of Banning (Retired), Icrontian
    edited June 2004
    First make sure that the browser is closed when you run HiJackThis. Second, try deleting it in safe mode.
  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited June 2004
    The reason you can't delete it is because you're not in SAFE MODE. While the computer is booting, after the initial BIOS screen but before the Windows startup, repeatedly hit the F8 key and a menu will come up offering the choice to boot into safe mode.