Jump to content


Photo

Greatsearch/CWS problem


  • This topic is locked This topic is locked
4 replies to this topic

#1 otherstuff1957

otherstuff1957

    Member

  • New Member
  • Pip
  • 3 posts

Posted 22 May 2004 - 02:25 AM

Many thanks for hosting this very useful forum! :D

I picked up a greatsearch.biz/ coolwebsearch virus a few days ago and have spent the past four evenings trying to get rid of it. :o I read the relevent articles here and then downloaded and used hijackthis, reglite, killbox, AVG, Ad-aware, CWshredder, etc... Nothing seemed to work! Finally I followed E. Brubakers advice and found and deleted a suspicious looking dll file. I don't know if that's what finally stopped this nasty bug, but I'm no longer having my homepage being hijacked to g-s.biz. :lol:

My remaining problem is the fact that when I run AVG, I still get a log stating that I have 11 viruses in my computer and that they are read-only, I cannot delete or move them! Here is a copy of my AVG log:

Results of Complete Test, date and time 5/20/2004 23:30:28 :

Testing C:\ serial 3537-1502
C:\_RESTORE\TEMP\A0010960.CPY Trojan horse Downloader.Small.6.I
C:\_RESTORE\TEMP\A0010986.CPY Trojan horse Downloader.Small.6.I
C:\_RESTORE\TEMP\A0010991.CPY Trojan horse Downloader.Small.6.I
C:\_RESTORE\TEMP\A0012609.CPY Trojan horse Downloader.Donn.Y
C:\_RESTORE\TEMP\A0012610.CPY Trojan horse Downloader.Small.5.I
C:\_RESTORE\TEMP\A0012611.CPY Trojan horse Downloader.Small.6.I
C:\_RESTORE\TEMP\A0012612.CPY Trojan horse Downloader.Donn.X
C:\_RESTORE\TEMP\A0012613.CPY Trojan horse Harnig.J
C:\_RESTORE\TEMP\A0012614.CPY Trojan horse Harnig.N
C:\_RESTORE\TEMP\A0012615.CPY Trojan horse Harnig.G
C:\_RESTORE\TEMP\A0012616.CPY Trojan horse Downloader.Istbar.DE

Test finished, duration 00:05:01.7 s
10566 objects tested, 11 found infected

I cannot find these files using the regular windows search, or with Killbox! Does anyone know how I can find and destroy these last files? I was going to try to find and delete them usind dos, but I'm using Windows ME for the first time and cannot figure out how to get to dos without opening windows. Any help or advice would be greatly appreciated.

#2 otherstuff1957

otherstuff1957

    Member

  • New Member
  • Pip
  • 3 posts

Posted 22 May 2004 - 02:33 AM

One more thing I forgot to mention, I ran a search on g-s.biz and found it in a number of files. Where I felt save doing so, I just deleted the file, otherwise I edited the file and wrote in yahoo.com in place greatsearch.biz.

In case this helps, here is a current Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 14:32:44, on 22/5/2547
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CASIO\PHOTO LOADER\PLAUTO.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ACCESSORIES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\fsg_tmp\ginst_001_1234_4201.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#3 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 22 May 2004 - 08:26 AM

Hi,

I still get a log stating that I have 11 viruses in my computer

See: "Flush System Restore" (below)
Basically turn off System Restore and then ...

1) Restart in Safe Mode (see "How To:" below)
2) Enable Hidden Files (see "How To:" below)

Locate and delete the following:

c:\windows\temp <--delete the entire contents, not the folder

While still in Safe Mode:
Close all open windows, rescan with HijackThis and "Fix checked" the following:

O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\fsg_tmp\ginst_001_1234_4201.exe"

Restart normally, run a full system scan with AVG and reboot
Then enable System Restore and create a Restore Point.

Antivirus Tools Cannot Clean Infected Files in the _Restore Folder
http://support.micro...om/?kbid=263455 (ME)

Important!
Your system is severly out of date!
Visit Windows Update and install all the "Critical Updates"
http://v4.windowsupd.../en/default.asp

After the above post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#4 otherstuff1957

otherstuff1957

    Member

  • New Member
  • Pip
  • 3 posts

Posted 23 May 2004 - 09:35 AM

THANK YOU VERY MUCH WINHELP2002! You've just been added to my Christmas list :D . It worked like a charm. My AVG log is empty :D , here is my hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 21:35:46, on 23/5/2547
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CASIO\PHOTO LOADER\PLAUTO.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\ACCESSORIES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8130.1915393519

#5 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 23 May 2004 - 10:09 AM

Hi,
You're welcome ... glad to see you have resolved your problem.

Your log looks clean now ... good job!
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button