Hijackthis logfile for Omegasearch

 
 
RALD79
 
Reply Sat 10 Apr, 2004 01:35 pm
Hi,
Could someone please help me to erase Omegasearch from my browser... it seems to link itself to my IE default startup page, and after following Timberlandko's steps of removing infected files with Spybot, Ad-Aware, etcetera... this logfile still seems to come up.

A few things I've failed to be able to do are to run the SmartKiller software and the Spybot update. I wasn't able to open SmartKiller after unzipping it, as it said 'smartkiller cannot be found on your system'. Then I downloaded Spybot, but it gave an error message when I tried to run the update: it said 'error retrieving update info file!'

I'm not sure how this affected my 'cleaning' of omegasearch, but it still seems to show under my default internet homepage as a 'passthrough' site.

I would really appreciate your help!

Thanks....


Logfile of HijackThis v1.97.7
Scan saved at 9:22:58 PM, on 4/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\minilog.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ANTEBI~1\Long Comp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Software download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = omegasearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - c:\Program Files\flcp\Flcp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F0F46755-DF44-D8F9-E148-42B950013C97} - C:\PROGRA~1\PLAYMA~1\software acid.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Second sect - {CD38CC98-8AB1-F61E-DF46-600E3E752ED5} - C:\PROGRA~1\PLAYMA~1\software acid.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [hidelies] C:\PROGRA~1\ANTEBI~1\Long Comp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [DKQXEKRU] C:\WINDOWS\DKQXEKRU.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.nl/
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38071.5178009259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 
RALD79
 
Reply Sat 10 Apr, 2004 02:52 pm
By the way...
I forgot to mention that I've tried to erase the Omegasearch files in HijackThis, and after rebooting my PC, they still showed up again after running a second scan...
Is this because I should erase the files in 'Safe mode'... or doesn't this affect the removal?

Thanks again...
 
timberlandko
 
Reply Sat 10 Apr, 2004 05:07 pm
The spyware removal tools may not be able to fix certain hijackers unless run in safe mode, which is precisely why the basic yuckware removal procedure calls for them to be run in safe mode.

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe is a Sun Java auto-updater; essentially, an unnecessary resource hog. I'd get rid of it, but it's not critical to do.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = omegasearch.com
are the core of your problem; get rid of them.

The presence of O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe" puzzles me, as you say you've run AdAware, which should have caught and removed this. It can be removed manually, but it's tricky to do, and its manual removal may cause connectivity or networking problems... in fact, it often does. It really is best to let AdAware take it out.

I have no idea what this - O4 - HKLM\..\Run: [DKQXEKRU] C:\WINDOWS\DKQXEKRU.exe - is, but it looks awfully suspicious to me. Maybe somebody else knows. Personally, I'd kill it on general principle; I was unable to find any reference to it on any security or privacy forums, nor on the websites of Microsoft or the vendors of other software you seem to have installed.

If you want WanaDoo for your homepage, leave O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.nl/ , otherwise, get rid of it.

Give this a shot:

Highlight Spybot in your start menu, then select "Uninstall". Following that, search for and delete files or folders named "spybot*", without the quotes, but with the asterisk. In "Search", select "Advanced Options", and select "Search System Folders", "Search Hidden files and folders", and "Search subfolders". Make sure "Case Sensitive" is not checked.

Now, connect to the internet and try downloading Spybot from this link. Just download it; don't open and install it yet. Likewise, download, but don't open or run, the CoolWWWSearch.SmartKiller removal tool and CWShredder.

Disable the System Restore. Click on START MENU -> Control Panel -> System. This will bring up the System Properties window. Click on the "System Restore" tab, and click to place a check in the box next to "Turn Off System Restore on all drives". Click "Apply", then "OK". You will lose your previously stored restore points.

Download and run the latest version of STINGER.

With no other browsers open, and while not connected to the internet, run HijackThis, examine the report for any reference to "Omegasearch", and check them off. Click the Fix Checked button, and click Yes to the confirmation prompt. Close HijackThis. Clear your browser's cache by going to the browser toolbar, selecting "Tools" then "Internet Options", and in the second panel of the "General" tab, delete all Cookies and Files. Click "Apply", then "OK" to exit. Empty your recycle bin. Reboot normally.

Open and install SpyBot, then reconnect to the internet and, before doing anything else, with no other browser windows open, attempt once more to update it. If the update is successful, "Immunize", but do not run the program yet. Just close it. While you're at it, it wouldn't be a bad idea to have AdAware check for updates, too.

Now, reboot into safe mode, unzip and run CoolWWWSearch.SmartKiller, letting it fix whatever, if anything, it finds. Now do the same with CWShredder. Now, open Spybot, select "Check for problems", and let it do its thing. When it is done, and while still in safe mode, run AdAware, letting it too fix whatever it finds. Reboot normally.

That should sort things out for you, if you did it all, did it as directed, and did it in sequence. If all is well, re-enable System Restore by removing the check mark you placed there to disable it earlier.
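The reply above reads the log by hand: the R0/R1 lines pointing at omegasearch.com are the hijack, the "(file missing)" BHO/toolbar entries are orphaned registrations, and the all-caps DKQXEKRU Run entry is suspicious on its face. The script below is an added example, not part of the thread and not part of HijackThis, that applies those same three checks to a log automatically. The embedded log is a constructed subset of the first log posted in this thread; the O14 IERESET.INF line is used as the "expected" home page host, and the all-caps-name rule for O4 entries is an assumed weak heuristic rather than a documented indicator.

```python
"""Flag suspicious entries in a HijackThis log (added example, not from the thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.97.7 log posted at the top of the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = omegasearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F0F46755-DF44-D8F9-E148-42B950013C97} - C:\PROGRA~1\PLAYMA~1\software acid.dll (file missing)
O3 - Toolbar: Second sect - {CD38CC98-8AB1-F61E-DF46-600E3E752ED5} - C:\PROGRA~1\PLAYMA~1\software acid.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DKQXEKRU] C:\WINDOWS\DKQXEKRU.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.nl/
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RANDOM_NAME_RE = re.compile(r"^[A-Z]{6,}$")  # assumption: a weak indicator, not a rule


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def normalize_host(value: str) -> str:
    """Hostname of a start/search-page value, with or without a scheme, minus any 'www.' prefix."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def reset_default_host(lines) -> str:
    """Host IE would restore on 'Reset Web Settings', taken from the O14 IERESET.INF line."""
    for ln in lines:
        if ln.startswith("O14 - IERESET.INF: START_PAGE_URL="):
            return normalize_host(ln.split("=", 1)[1])
    return ""


def analyze(log_text: str) -> list:
    """Return a Finding for each R0/R1, O2/O3 or O4 line that trips one of the three checks."""
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    default_host = reset_default_host(lines)
    findings = []
    for ln in lines:
        m = ENTRY_RE.match(ln)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1") and " = " in body:
            # IE start/search page: anything not on the reset-default host is a hijack candidate.
            key, value = body.split(" = ", 1)
            host = normalize_host(value)
            if host and host != default_host:
                setting = key.split(",")[-1]
                findings.append(Finding(section,
                    f"{setting} points at {host} (reset default is {default_host or 'unknown'})", ln))
        elif section in ("O2", "O3") and body.endswith("(file missing)"):
            # Orphaned BHO/toolbar registration: the DLL is gone but IE still tries to load it.
            findings.append(Finding(section, "BHO/toolbar registered but its DLL is missing", ln))
        elif section == "O4":
            # Run-key entries: flag random-looking all-caps names like the one in the thread.
            nm = re.search(r"\[([^\]]+)\]", body)
            if nm and RANDOM_NAME_RE.match(nm.group(1)):
                findings.append(Finding(section,
                    f"Run entry '{nm.group(1)}' has a random-looking name", ln))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

On the sample log this reports five entries, in log order: the Search Bar and Start Page R lines, the two "(file missing)" O2/O3 lines, and the DKQXEKRU Run entry; the Norton and ccApp entries pass. Anything it flags still needs a human decision before "Fix checked", as the thread's own back-and-forth over webHancer and Long Comp shows.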
 
RALD79
 
Reply Sat 10 Apr, 2004 06:47 pm
Thanks for the info... I ran HijackThis a couple of times and now it seems that the Omegasearch file is not in! I hope my PC is now fixed...!

I found something out too... it appeared that every time I started up my PC, a program called Long Comp was automatically activated during my startup (this I found out in the start-up items folder in System Configuration after running 'msconfig'). On another forum I was told that this folder, Ante-Bias Delete (which contained this Long Comp.exe file), was suspicious. After I disabled this item for startup and deleted this folder (and followed some of your steps too), it appeared that Omegasearch was definitely gone.

Now I'm wondering... I've disabled the Long Comp startup item, but how can I make it NOT show up in my start-up items under System Configuration anymore... do you have any advice for me?

By the way... this is the logfile I now receive... does this mean everything is ok now? Can I click on (msconfig) General - Normal set-up and reboot? I'm also not sure whether I should launch a system restore now at this point...

Again...Thanks a lot for your help!



Logfile of HijackThis v1.97.7
Scan saved at 2:24:29 AM, on 4/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\minilog.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Software download\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.nl/
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38071.5178009259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
timberlandko
 
Reply Sat 10 Apr, 2004 07:46 pm
Great to hear it seems to be working for ya. I know how frustrating this crap can get. Ya know, I dunno what that "Long Comp" thing is, exactly. I wasn't able to get any good info on it. I was gonna suggest you disable it, but forgot to, but it seems you did anyway. To maybe figure out what and where it is on your machine you could do a search... try searching for the text string "long*" in "Search for a word or phrase", and again using Advanced Options to search everywhere. Same goes for "antebi*"... there prolly will be a lot to sort through, but if you're diligent, you should be able to track it down and decide whether it's a keeper or not. Otherwise, that's a much better looking log. You've got a bunch of unnecessary stuff loading at startup, but nothing outright malicious that I can see. If everything seems cool, I'd say it'd be ok to set a restore point. I'd empty all the caches, the Temp folder, and the recycle bin, then run defrag, all in safe mode, first, then reboot normally, with the machine not connected to the internet, and set the restore point as soon as the machine was fully booted up, but do what you want... I can only give you suggestions, not orders.

A final suggestion ... keep your security and privacy software up to date and enabled, and be smart ... even skeptical ... when you're out there on the net.
 
RALD79
 
Reply Sun 11 Apr, 2004 02:56 am
Thanks again for the quick reply...

I have a few final questions:

1. I forgot to mention that I did a search on this DKQXEKRU thing that looked suspicious. The only place I could find it was in C:\windows\pchealth\helpcenter\datacollector_135 and 254. I did not delete these files as they were part of a pchealth program and didn't know how crucial this delete would be. Should I delete it anyway, just in case, or is this a safe file?

2. You mentioned that at start-up I have a lot of unnecessary processes running. I was wondering whether you could tell me some of the items I don't need, then I could disable them and maybe my pc startup will go faster.

3. What is your recommendation of safety precautions...I see a lot of tips out there for downloading all this 'immunity' software, but I would like to have the feedback of a real pro too! :wink:

Thanks again...
 
RALD79
 
Reply Sun 11 Apr, 2004 03:12 am
last one...

4. how crucial is it to store Spybot and other anti-spyware on C:\Programs ? Someone made a remark that it is not recommended to store it in a subfolder...but is this just for convenience reasons or does this influence the operating of the software as well? I have found it more convenient for myself to store all this software in a subfolder called 'software downloads'..

thx
 
timberlandko
 
Reply Sun 11 Apr, 2004 08:57 am
To take your last question first, they belong in their own folders on the root drive ... just create desktop or taskbar shortcuts to 'em for ease of access. Now, as for that DKQ etc thing ...yeah, leave it alone.

At startup, all you really, really need is Explorer and Systray. It's convenient, and even practical and prudent, to have some other stuff there too, such as your security and privacy software and the PC Health/Restore-related stuff, but just about everything else can be launched as needed, either from the task bar, if it has a shortcut there, or from the All Programs tree. Stuff like messenger and chat clients, most auto updaters (particularly Office Updaters), CD-burner stuff, media players, and the like just eat resources when they're not in use.
If you're not using them, there's no reason to have them running in the background. Clean that stuff up, and your machine will be much more responsive.
For a good overview of what's what at startup, and what to do about it, see the "Startup Tips" section of Paul Collins' excellent Pacman's Portal. Not only does Paul discuss it at length, with great tips, there is a tremendously useful database of startup items, which is frequently updated. There are also links to all sorts of other useful sites. You should be able to keep yourself busy for days after your first visit there... and you'll likely learn a lot about stuff you prolly never even considered. Sadly, one of the best in the startup field, PC Forrest, recently has fallen off the web. I really miss that one.

I don't want to recommend any one security or privacy app over another. An antivirus, a firewall (I happen to use both a software and a hardware firewall, but that's overkill, and I do it mostly just cuz I can), and some sort of anti-spyware/anti-hijack software is what you oughtta have; which ones are up to you... check 'em all out, read the reviews, talk to other folks, and, of course, consider your own budget. I have a bunch of 'puters, and run a variety of different stuff on various machines (being something of an idiot, I have a predilection for "Let's see what happens"... sometimes I see that something happens I really would have preferred had not happened - but at least with software, smoke and sparks and loud scary noises are very rare). I've found largely the major vendors put out pretty good stuff, all with its own good points and weak points. The quality and usefulness of freeware and shareware varies all over the place, and support can be anything from quirky to non-existent... again, find and read as many reviews as you can, then pick what seems best for you. Lots of stuff offers trial versions... give an app a shot and see what you think... buy it or dump it as fits your findings. For the ungeeky, stuff that requires the least tweaking and user input is probably best. And whatever you use, read and understand its documentation, and follow its instructions. The right answer to most user questions usually is somewhere along the lines of "Look on page 'X', the 'Y' line in the 'Z' paragraph".
 
RALD79
 
Reply Mon 12 Apr, 2004 06:30 am
Thanks for the tips...!

I found the 'Omegasearch start-up bugs' in my registry... they've hidden themselves under the key HKEY_CURRENT_USER -> Microsoft -> Search Assistant -> ACMRU -> 5603. In this folder number, the files ante~, long*, playma~, DKQXEKRU, and Ice age (the movie I downloaded, which probably contained the Omegasearch spyware) appear.
These were terminated in my HijackThis, but showed up in this HKEY anyway.
How do I make sure that I delete these files effectively, so that I can make sure LONG COMP doesn't show up in my start-up items list anymore?

The problematic thing is that spbot*, smartkiller, spybot, xtarget.dll, BitTorrent and soulseek also appear in this list. I'm afraid that when I delete the whole folder, I will not be able to use some of the 'safe' apps.

This is what I've tried up till now:
File-Export (to make a backup of the REG folders 5603)
Delete folder ACMRU 5603
Then I went to the recycle bin but there was nothing there to empty (?)
Reboot the pc - and LONG COMP still shows up.

Am I following the right procedures here, or am I missing out on something ?

By the way, I cannot determine whether the Search Assistant folder itself is completely harmless, so I left some files in.
The folder Search Assistant contains the files:

Name          Type        Data
(default)     REG_SZ      (value not set)
Actor         REG_SZ      c:\windows\srchasst\chars\rover.acs
InstallDir    REG_SZ      c:\windows\srchasst\
Usagecount    REG_DWORD   0x00000013 (19)

The subfolder of Search Assistant called 'Tips' contains a subfolder srchassctl, which again splits into subfolders fa0, fa1 up to fa9 and faa. These subfolders all contain the same information.

Name            Type        Data
(default)       REG_SZ      (value not set)
Timesdisplayed  REG_DWORD   0x00000000 (0)
Timesresisted   REG_DWORD   0x00000000 (0)


Thanks again for your feedback...!