omiga issue

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ajs, Feb 7, 2015.

  1. ajs

    ajs Private First Class

    Just got a new laptop and downloaded Zone Alarm and AVG 2015. I seem to have inherited a browser hijacker and annoying advert thing. I have gone through the steps in the malware removal thread but it's still there. Only affects Internet Explorer, Chrome browser is OK, although it does keep opening random pages and adverts. MG tools did not run. Logs attached

    Appreciate any help you can offer
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why did MGTools not run?

    I will ask you to try to run it again after we do the following:

    Rerun RogueKiller and have it fix these items:

    Code:
    ¤¤¤ Registry : 24 ¤¤¤
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} -> Found
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\doviqexy (C:\Users\Gillian\AppData\Roaming\VOPackage\nszC9E2.tmpfs) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\serverca (C:\Users\Gillian\AppData\Local\ConvertAd\CASrv.exe) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\serverjo (C:\Users\Gillian\AppData\Roaming\VOPackage\JOSrv.exe) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\serversu (C:\Users\Gillian\AppData\Roaming\SoftwareUpdater\SUsrv.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPPD (\??\C:\Windows\system32\drivers\SPPD.sys) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\doviqexy (C:\Users\Gillian\AppData\Roaming\VOPackage\nszC9E2.tmpfs) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serverca (C:\Users\Gillian\AppData\Local\ConvertAd\CASrv.exe) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serverjo (C:\Users\Gillian\AppData\Roaming\VOPackage\JOSrv.exe) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serversu (C:\Users\Gillian\AppData\Roaming\SoftwareUpdater\SUsrv.exe) -> Found
    [PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://isearch.omiga-plus.com/web/?type=ds&ts=1423156451&from=face&uid=ST1500LM006XHN-M151RAD_S35UJ9AFB08281&q={searchTerms}  -> Found
    [PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://isearch.omiga-plus.com/web/?type=ds&ts=1423156451&from=face&uid=ST1500LM006XHN-M151RAD_S35UJ9AFB08281&q={searchTerms}  -> Found
    Place a check mark at each of those and press the delete button.

    Now do the same for these items:

    Code:
    ¤¤¤ Tasks : 4 ¤¤¤
    [Suspicious.Path] \\avaxvavya -- C:\Users\Gillian\AppData\Local\avaxvavya\avaxvavya.exe -> Found
    [Suspicious.Path] \\Selection Tools Update -- C:\Users\Gillian\AppData\Roaming\WTools\Selection Tools\Selection Tools Update.exe (/T=86400) -> Found
    [Suspicious.Path] \\SmartWeb Upgrade Trigger Task -- C:\Users\Gillian\AppData\Local\SmartWeb\SmartWebHelper.exe -> Found
    Now rerun Hitman and have it remove all that it finds.

    Reboot and rescan with both RogueKIller and Hitman and attach the new logs.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator)

    Attach the new log or explain why it doesn't run.
     
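    The RogueKiller findings above are all of one kind: services and scheduled tasks whose executable lives under a user profile (AppData\Local, AppData\Roaming), which is why the tool labels them Suspicious.Path. The PowerShell below is an added example, not part of this thread or of RogueKiller, that applies the same heuristic from a defender's side: it lists every service and every scheduled-task action whose program path sits under a user-profile directory so they can be reviewed before anything is deleted. It assumes Windows 8 or later (for Get-ScheduledTask) and an elevated prompt; the path fragments in $suspiciousRoots are an assumption you can extend.

```powershell
# Added example (not from the thread): flag services and scheduled tasks that run
# from user-profile paths, mirroring RogueKiller's "Suspicious.Path" category.
# Assumes Windows 8+ (ScheduledTasks module) and an Administrator prompt.

$suspiciousRoots = @('\AppData\Local\', '\AppData\Roaming\', '\AppData\LocalLow\', '\Temp\')

function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($root in $suspiciousRoots) {
        # -like is a wildcard match; backslashes are not special here
        if ($Path -like "*$root*") { return $true }
    }
    return $false
}

# Services: PathName is the registry ImagePath that RogueKiller printed
# (e.g. C:\Users\<user>\AppData\Local\ConvertAd\CASrv.exe)
$services = Get-CimInstance Win32_Service |
    Where-Object { Test-SuspiciousPath $_.PathName } |
    Select-Object @{n='Type';e={'Service'}}, Name, StartMode, State,
                  @{n='Path';e={$_.PathName}}

# Scheduled tasks: look at each action's Execute (program) plus its Arguments
$tasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (Test-SuspiciousPath $action.Execute) {
            [pscustomobject]@{
                Type      = 'Task'
                Name      = "$($task.TaskPath)$($task.TaskName)"
                StartMode = $task.State
                State     = $task.State
                Path      = "$($action.Execute) $($action.Arguments)".Trim()
            }
        }
    }
}

$findings = @($services) + @($tasks)
if ($findings.Count -eq 0) {
    Write-Host 'No services or scheduled tasks run from user-profile paths.'
} else {
    # Review each hit: legitimate per-user updaters also live here, so confirm
    # the publisher and install source before removing anything.
    $findings | Format-Table -AutoSize
}
```

A hit in this list is a lead, not a verdict: some legitimate per-user software installs its updater the same way, so check the file's signature and where it came from before deleting the service or task.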
  3. ajs

    ajs Private First Class

    Thanks Tim. No idea why MGTools didn't run. It just disappeared! Will follow your instructions and try it again.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please click Start, All Program, Accessories and you will see ( among other things ) a Command Prompt entry.

    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.

    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    SN64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
     
  5. ajs

    ajs Private First Class

    New logs attached. I'm doing MGTools now
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, those logs are clean.
     
  7. ajs

    ajs Private First Class

    ran mgtools. log attached
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding any malware in your logs. However, you have these three installed:
    AVG 2015
    McAfee LiveSafe - Internet Security
    ZoneAlarm Security

    If these are all providing Anti-virus protection, you need to uninstall all but one.

    Tell me what issues remain, if any.
     
  9. ajs

    ajs Private First Class

    The only issue now is that when I open internet explorer omiga plus.com opens up instead of the home page I have set. Not a huge issue as I can close that page and surf normally. Just annoying that it is there and shouldn't be is all.

    McAfee came with the machine, 30 day trial so it will be gone. Is it OK to run the zone alarm firewall but use AVG 2015 for realtime scanning?

    Thanks for your help Tim
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  11. ajs

    ajs Private First Class

    reset internet explorer. Omiga.com page still opening instead of my chosen page. Any other ideas? is it likely that other more malicious stuff is attached to Omiga? If not I can just stop using IE and use chrome instead.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Click on tools (Alt-X) and choose internet options. In the general tab, change your homepage.
     
  13. ajs

    ajs Private First Class

    Tried that then deleted browser history and ran ccleaner. Homepage is set to bbc.co.uk but omiga still opens instead.

    Ran a search in windows explorer and found these:

    isearch.omiga-plus.[1]xml c\users\gillian.....etc\microsoft\ieeeplorer\DOMstore\n5x9k9t7

    isearch.omiga-plus (isearch.omiga-plus.com

    omiga-plus

    Can I do anything with these from the search page?
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need the full path.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download SystemLook from one of the links below appropriate for your operating system and save it to your Desktop.
    Download 32 Bit

    Download 64 Bit

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :file
      omiga
      :folder
      omiga
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  16. ajs

    ajs Private First Class

    Doesn't look like it found it Tim :(

    txt file attached
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hmmm...I will have to consult with my colleagues.
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try it again with a different context:

    Please download SystemLook from one of the links below appropriate for your operating system and save it to your Desktop.
    Download 32 Bit

    Download 64 Bit


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      omiga
      :folderfind
      omiga
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @TimW,

    You need to check Internet Explorer's Properties. This may be hooked into the startup link
    • Right click on the shortcut of Internet Explorer and then do left click on the properties option. You’ll get a shortcut’s properties.
    • Click on shortcut tab and then delete the “http://isearch.omiga-plus.com/?type=hp&ts=1404028662etc” or similar string from Target field.
    • Need to delete the following or any similar URL: http://isearch.omiga-plus.com/?type=hp&ts=1404028662etc
    If not there then edit any .lnk file used to load IE to see if it is in there.
     
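    The check chaslang describes, a URL appended to the Target of the Internet Explorer shortcut so the browser opens the hijacker's page regardless of the configured home page, can be automated. The PowerShell below is an added example and not code from this thread: it reads every .lnk under the usual shortcut locations through the WScript.Shell COM object and reports any browser shortcut whose Arguments carry an http(s) URL. The list of browser executables and the folders searched are assumptions; the WScript.Shell object is present on every Windows version.

```powershell
# Added example (not from the thread): audit .lnk shortcuts for a URL placed in
# the Arguments of a browser shortcut, the hijack described above.
# Assumes the standard Desktop / Start Menu / Quick Launch locations.

$browserExes  = @('iexplore.exe', 'chrome.exe', 'firefox.exe', 'msedge.exe')
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    # Quick Launch also holds the taskbar's "User Pinned\TaskBar" shortcuts
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)

$shell = New-Object -ComObject WScript.Shell

function Get-HijackedBrowserShortcut {
    param([string[]]$Dirs)
    foreach ($dir in ($Dirs | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $exe = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLower()
            # A clean browser shortcut has no URL in its arguments; a hijacked
            # one carries something like http://isearch.omiga-plus.com/?type=hp...
            if (($browserExes -contains $exe) -and ($lnk.Arguments -match 'https?://')) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
    }
}

$hits = @(Get-HijackedBrowserShortcut -Dirs $shortcutDirs)
if ($hits.Count -eq 0) {
    Write-Host 'No browser shortcuts carry a URL argument.'
} else {
    $hits | Format-List
    # Repair = clear the argument and keep the genuine target, which is what
    # pasting "C:\Program Files\Internet Explorer\iexplore.exe" into the Target
    # box does by hand:
    foreach ($hit in $hits) {
        $lnk = $shell.CreateShortcut($hit.Shortcut)
        $lnk.Arguments = ''
        $lnk.Save()
    }
}
```

Run it in the affected user's session, since the Desktop and Quick Launch folders are per-user; the repair loop only blanks the Arguments field and leaves the TargetPath untouched, which is exactly the manual fix suggested later in this thread.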
  20. ajs

    ajs Private First Class

    sorry for the delay. been away for a few days. Thanks for the reply

    When I delete the shortcut and apply I get a message saying "the name in the target box is invalid. Make sure the file name and path are the same". I tried pasting another URL in there but it wouldn't accept it.

    C:\Users\Gillian\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\N5X9K9T7 contains a file called isearch.omiga-plus[1].xml

    Can I delete this file?
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you can delete that file. Let me know what happens.

    In the properties box try copying this into the target box:

    "C:\Program Files\Internet Explorer\iexplore.exe"
     
    Last edited: Feb 19, 2015
  22. ajs

    ajs Private First Class

    Deleted the file but it has made no difference. Omiga search still opens up instead of selected homepage when opening IE. Any other thoughts?

    Not sure if this is connected but I opened up games app for the first time on this machine which took me to Xbox games. It automatically signed me in to an account named icyraptorxxx. I have not created any account on Xbox. Looking at the account profile it seems the gamertag was changed 2 days ago. The laptop was bought brand new from PC World.
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try SystemLook again:


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :folderfind
      omiga
      :filefind
      omiga
      :regfind
      omiga
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  24. ajs

    ajs Private First Class

    systemlook txt attached.

    I hadn't noticed your earlier instruction re typing the IE explorer address into the target box. This is now opening IE properly, not through the omiga search page. Hoping this means you have beaten it!

    What do I do to get rid of the registry files that systemlook found? Do I need to?

    Any thought on my comments re the xbox gamer account on this new machine?
     

    Attached Files:

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    I don't know about the Xbox issue. Probably something to pursue in the software forum.
     
  26. ajs

    ajs Private First Class

    Got a message saying it was successfully added to the registry, Tim. Systemlook again now?
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Might as well....rerun it as asked in post #23.
     
  28. ajs

    ajs Private First Class

    That's cleared it Tim. No files, folders or reg entries found. Thanks a million for your help.

    I've been noticing mini windows popping up from Mimecast occasionally. They stay for about 5 seconds then disappear again. I tried SystemLook but it didn't find anything. Do you think this is anything to worry about?

    Thanks again :)
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What browser are you using that has the pop-ups?
     
  30. ajs

    ajs Private First Class

    Not entirely sure that I have always had a browser open when they have popped up Tim. It would have been Chrome as I wasn't using IE while the Omiga issue was happening. I'll keep a closer look over the next few days to get more info. Appreciate all your help.
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem.
     