OmegaSearch
OmegaSearch was on this computer, and now that I've run OmegaKiller, it looks like it might be gone, but I'm not 100% certain yet, because I had also killed it manually (before trying OmegaKiller) only to have it come back a few hours later. Spybot couldn't find it, by the way, but was alerting me when it tried to change homepages, stuff in the registry, etc., and was letting me click deny to block it from doing so. But it was still annoying.
Wait. Nope. It's still here; it just tried to change another SearchAssistant browser page thing (I hit deny again). Dammit. BTW, I'm typing this in Firefox 0.9.3, and I don't have IE open at all, yet I see iexplore.exe in the processes list (in Win XP), twice, and if I try to kill either one of them it comes right back. I don't see anything else in there that looks suspicious, but I killed everything that did and removed it from startup using HijackThis, but apparently that was only a temporary setback to OmegaSearch. >_<
P.S. "OmegaKillerSM v1.1" said (and still says, I ran it several times) "no infections found, system clean."
Well, here's the hijackthis log from just now:
Logfile of HijackThis v1.97.7
Scan saved at 1:03:07 PM, on 8/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\Windows\system32\HpSrvUI.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gecjkizrxqzatywetshbcaz.com//ZMyI55wEL8vpM0goxYtcxd5XhuFrrp8sqpqbPRd/3MWEZ_vWT/dQUKaMWanft5E.html
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B172C65-E41F-4ABD-8282-01C4D5628CE7}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9311697A-142B-4C9C-A6AD-71C151D4BE07}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B11177FF-2F98-4EEB-AC31-14778BE1BBF4}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{6B172C65-E41F-4ABD-8282-01C4D5628CE7}: NameServer = 192.168.0.1
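The posted log already contains the two signals worth acting on, and both are things HijackThis 1.97 lists but does not judge for you. First, the R0 Start Page points at omegasearch.com and only wraps google.com in the query string, so the browser still loads the hijacker's host; the SearchAssistant entry points at a random-looking domain. Second, iexplore.exe is running twice, yet no O4 (Run key) entry launches it, which means whatever respawns it lives somewhere HijackThis 1.97 does not enumerate (a service, a Winlogon notification DLL, a scheduled task). The script below, an added example for this thread rather than code from HijackThis or the original poster, parses a HijackThis-style log and reports exactly those two conditions. The sample log is a constructed excerpt of the lines above; the host allow-list, the "normally multi-instance" set and the vowel-ratio heuristic for random domains are assumptions, not HijackThis behaviour.

```python
"""Triage a HijackThis 1.x log: flag hijacked IE URL entries and processes
running more than once with no Run-key entry that explains them.

Added example for this thread; not part of HijackThis or the original post.
The allow-list, MULTI_INSTANCE_OK and the randomness threshold are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: lines excerpted from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gecjkizrxqzatywetshbcaz.com//ZMyI55wEL8vpM0goxYtcxd5XhuFrrp8sqpqbPRd/3MWEZ_vWT/dQUKaMWanft5E.html
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# Assumption: hosts the owner of this machine would expect IE to point at.
KNOWN_GOOD_HOSTS = {"google.com", "www.google.com", "www.yahoo.com",
                    "red.clientapps.yahoo.com", "www.hp.com"}
# Assumption: processes that legitimately run several copies on XP.
MULTI_INSTANCE_OK = {"svchost.exe"}

ENTRY_RE = re.compile(r"^(R[0-3]|[FNO]\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+")
EXE_RE = re.compile(r'[^\\/\s"\[\]]+\.exe', re.I)


def parse_hjt(text):
    """Split a log into the 'Running processes' block and (code, rest) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                      # first R/O/F/N line ends the process block
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def looks_random(label):
    """Heuristic (assumption): a long label with few vowels, e.g. gecjkizrxqzatywetshbcaz."""
    if len(label) < 12:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return vowels / len(label) < 0.3


def check_ie_urls(parsed):
    """Return (code, host, reason) for R-entries whose effective host is untrusted."""
    findings = []
    for code, rest in parsed["entries"]:
        if not code.startswith("R"):
            continue
        for url in URL_RE.findall(rest):
            u = urlparse(url)
            host = (u.hostname or "").lower()
            if host in KNOWN_GOOD_HOSTS:
                continue
            reasons = ["host not on allow-list"]
            # A second URL in the query string is a pass-through: the user sees a
            # familiar site while the hijacker's host handles every request.
            if re.match(r"https?://", u.query):
                reasons.append("wraps %s" % urlparse(u.query).hostname)
            sld = host.split(".")[-2] if "." in host else host
            if looks_random(sld):
                reasons.append("random-looking domain")
            findings.append((code, host, "; ".join(reasons)))
    return findings


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexplained_duplicates(parsed):
    """Processes running more than once that no O4 (Run key) entry launches."""
    launched = set()
    for code, rest in parsed["entries"]:
        if code == "O4":
            launched.update(p.lower() for p in EXE_RE.findall(rest))
    counts = Counter(basename(p) for p in parsed["processes"])
    return sorted(name for name, n in counts.items()
                  if n > 1 and name not in MULTI_INSTANCE_OK and name not in launched)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for code, host, why in check_ie_urls(parsed):
        print("%s -> %s (%s)" % (code, host, why))
    for name in unexplained_duplicates(parsed):
        print("%s runs more than once with no Run-key entry; find its parent" % name)
```

On the posted log this reports the omegasearch.com start page (wrapping google.com), the SearchAssistant domain as random-looking, and iexplore.exe as a duplicate with no launch point. The last finding is the one that matters for removal: the Run keys are clean, so deleting O4 entries will keep being a "temporary setback" until the parent that respawns iexplore.exe is found.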
Comments
If the infection keeps coming back, then you need to figure out where you are browsing that is re-infecting you, and adjust your browsing habits accordingly. You can also consider switching to alternative browsers which are not so easily compromised.
Dexter...