Options

I need help removing Omega

Hi,

I have what I beleive to be Omega on a computer. It causes revenue.net popups and hijacks the browser to search2000.com. I have used Adaware SE and Spybot with no luck.

I'll post my HijackThis log here hoping someone can help me.

Thanks in advance for any help.

EDIT: I just noticed Omega Killer. I will give that a go tomorrow and hopefully get rid of it, or should I scrub that idea and go with something else?

Logfile of HijackThis v1.98.2
Scan saved at 6:03:06 PM, on 22/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\CAPRPCSK.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\tp\hijack this\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ikigljhuxpjwqtecuxdajtdtt.com/ip8E2DcT5NSp_r/GmnUSFUMLV8RBKf_VeU4XHytIDuOkSAUuRR5/7DGrNfnM6/Ty.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.49.19:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {359CF6AD-E0E0-FFD4-8B4A-B09D7C28866E} - C:\PROGRA~1\SIGNLI~1\4 HTM.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DUPE PURE] C:\PROGRA~1\PHONEH~1\SHIMBIAS.exe
O4 - HKCU\..\Run: [SystemMonitor] "C:\Program Files\System Monitor\System Monitor.exe" /i
O4 - Global Startup: Canon LBP-810 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5A22B61-5006-43A9-A819-21AB54DFE198}: NameServer = 10.0.0.2

Comments

  • DexterDexter Vancouver, BC Canada
    edited September 2004
    Yep, please use OmegakillerSM. Then come back to this thread, let us know how it worked, and post a fresh HJT log for review.

    Dexter...
  • edited September 2004
    I used Omega Killer, and it worked, what a great product. I'm going to donate via PayPal.

    The only thing now is that Spybot keeps finding something called "DSO Exploit" and when it removes it, the thing just comes back. After doing some reading, it seems that it's a known problem with Spybot, so I'm not that worried at this stage.

    Here is the log taken after Omega Killer was run:

    Logfile of HijackThis v1.98.2
    Scan saved at 9:45:51 PM, on 29/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CAPRPCSK.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\tp\hijack this\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.49.19:80
    O1 - Hosts: 127.0.0.41 active-max.com
    O1 - Hosts: 127.0.0.238 www.active-max.com
    O1 - Hosts: 127.0.0.84 allaboutsearching.com
    O1 - Hosts: 127.0.0.230 amazingautossearch.com
    O1 - Hosts: 127.0.0.48 www.amazingautossearch.com
    O1 - Hosts: 127.0.0.38 www.contexualsearch.com
    O1 - Hosts: 127.0.0.80 crap2.com
    O1 - Hosts: 127.0.0.205 www.dialup2.com
    O1 - Hosts: 127.0.0.63 www.ecpm.com
    O1 - Hosts: 127.0.0.55 find-quick.com
    O1 - Hosts: 127.0.0.237 www.find-quick.com
    O1 - Hosts: 127.0.0.201 lop.com
    O1 - Hosts: 127.0.0.4 ao.lop.com
    O1 - Hosts: 127.0.0.92 srch.lop.com
    O1 - Hosts: 127.0.0.38 www.lop2.com
    O1 - Hosts: 127.0.0.83 search200.com
    O1 - Hosts: 127.0.0.39 www.mysearchnow.com
    O1 - Hosts: 127.0.0.91 www.netsearchsoft.com
    O1 - Hosts: 127.0.0.242 www.rub.to
    O1 - Hosts: 127.0.0.80 searchexe.com
    O1 - Hosts: 127.0.0.92 www.searchweb2.com
    O1 - Hosts: 127.0.0.91 www.spawnet.com
    O1 - Hosts: 127.0.0.59 tdmy.com
    O1 - Hosts: 127.0.0.212 www.tfil.com
    O1 - Hosts: 127.0.0.245 www.tdko.com
    O1 - Hosts: 127.0.0.225 wrn.net
    O1 - Hosts: 127.0.0.87 www.wrn.net
    O1 - Hosts: 127.0.0.89 www.mp3search.com
    O1 - Hosts: 127.0.0.97 www.lyricsdomain.com
    O1 - Hosts: 127.0.0.241 omega-search.com
    O1 - Hosts: 127.0.0.92 www.omega-search.com
    O1 - Hosts: 127.0.0.72 trinityacquisitions.com
    O1 - Hosts: 127.0.0.36 www.trinityacquisitions.com
    O1 - Hosts: 127.0.0.253 wethere.com
    O1 - Hosts: 127.0.0.88 asearchforyou.org
    O1 - Hosts: 127.0.0.37 www.asearchforyou.org
    O1 - Hosts: 127.0.0.24 intelesearch.com
    O1 - Hosts: 127.0.0.205 www.intelesearch.com
    O1 - Hosts: 127.0.0.83 www.isearchhere.com
    O1 - Hosts: 127.0.0.80 www.iwantosearch.com
    O1 - Hosts: 127.0.0.236 opensearch.org
    O1 - Hosts: 127.0.0.7 searchbee.net
    O1 - Hosts: 127.0.0.227 searchhotsex.com
    O1 - Hosts: 127.0.0.50 www.searchhotsex.com
    O1 - Hosts: 127.0.0.221 ifsearch.com
    O1 - Hosts: 127.0.0.35 www.ifsearch.com
    O1 - Hosts: 127.0.0.203 mastersearcher.com
    O1 - Hosts: 127.0.0.40 look-today.com
    O1 - Hosts: 127.0.0.250 aavc.com
    O1 - Hosts: 127.0.0.247 www.aavc.com
    O1 - Hosts: 127.0.0.56 acjp.com
    O1 - Hosts: 127.0.0.86 www.acjp.com
    O1 - Hosts: 127.0.0.225 www.ecmh.com
    O1 - Hosts: 127.0.0.34 wabu.com
    O1 - Hosts: 127.0.0.59 wabq.com
    O1 - Hosts: 127.0.0.97 maximumexperience.com
    O1 - Hosts: 127.0.0.27 www.maximumexperience.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {359CF6AD-E0E0-FFD4-8B4A-B09D7C28866E} - C:\PROGRA~1\SIGNLI~1\4 HTM.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKCU\..\Run: [SystemMonitor] "C:\Program Files\System Monitor\System Monitor.exe" /i
    O4 - Global Startup: Canon LBP-810 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C5A22B61-5006-43A9-A819-21AB54DFE198}: NameServer = 10.0.0.2
  • DexterDexter Vancouver, BC Canada
    edited September 2004
    brendon wrote:

    The only thing now is that Spybot keeps finding something called "DSO Exploit" and when it removes it, the thing just comes back. After doing some reading, it seems that it's a known problem with Spybot, so I'm not that worried at this stage.


    We have an explanation of that warning, please a description of how to set Spybot to ingnore those so that you will not see the warnings in the future, here:

    http://www.short-media.com/forum/showthread.php?t=19764


    You do still have a couple of items in your HJT log I want you to fix, including a BHO entry that looks like an Omegasearch straggler. Omegakiller v1.2 did not clean it, so it must be one of the newer file names. OmegakillerSM 1.3 is not released yet, so we will have to manually remove this.

    Please run HJT and fix the following (you can stay in normal mode to do these):



    O2 - BHO: (no name) - {359CF6AD-E0E0-FFD4-8B4A-B09D7C28866E} - C:\PROGRA~1\SIGNLI~1\4 HTM.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)


    Those last two have no files, so we will remove them from the HJT scan.


    Then manually locate this file:

    C:\PROGRAM FILES\SIGNLI~1\4 HTM.exe

    ("SIGNLI~1" will be a folder with a longer name, starting with SIGNLI.)


    and quarantine that file.

    Reboot, then post a follow up HJT log so we can make sure the infection is gone.

    Dexter...
Sign In or Register to comment.