Greatsearch hijack



#1 jwaylo

    Member

  • Full Member
  • 7 posts

Posted 23 May 2004 - 01:26 PM

Thanks all for Hijack This, the online links and help and everything you do.

I've been hijacked by greatsearch.biz, Appears it may be a variant of CoolWeb.

I've read and done everything you suggest. Have run AdAware, SpyBot, Spyblaster, CA's EZ Armor FW and AV all updated to 5-22. AA finds things that it can't get rid of. I can't change my startup page through any of the utilities I've used so I need some help. In the process I've created a problem with my dialup connection.

I run Win 98 and W2K on separate partitions. My problem is in the W2K one. BTW I work nights so I post at weird times.

Here is my Hijack this log and thanks again.

Logfile of HijackThis v1.97.3
Scan saved at 11:19:02 AM, on 5/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\GADWIN~1\PRINTS~1\PrintScreen.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
C:\Program Files\KeirNet\K9\K9.exe
C:\Program Files\SpywareInfo\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CompleteCache
O4 - Global Startup: Simply Transparent.lnk = C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
O12 - Plugin for .AIFF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .exe: C:\Program Files\Opera\PLUGINS\npstar.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .QT: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O12 - Plugin for .vbs: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://images.ancest...ll/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8036.5896527778
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8F595EF-81B1-47A5-8CC4-F7DA44B5FF64} (ImagePreview Class) - http://images.ancest...ll/MFImgVwr.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{03502BF8-E5AB-4E75-9AA7-B322C5E2AE93}: NameServer = 216.106.1.2 216.106.1.3

Edited by jwaylo, 23 May 2004 - 01:27 PM.


#2 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 27 May 2004 - 01:32 PM

Please copy the contents of the quote box to notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

Hit Save As and give it the name clear.reg; under the filename, set file types to All Files. Save it to the desktop. After that is done, double click clear.reg, say Yes when asked to merge, and reboot.

Find this file system32.dll which is probably in either:
  • c:\windows\system32\system32.dll
  • c:\windows\system\system32.dll
... and delete it.

Then fix these with hijackthis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

Reboot and post a new HijackThis log for further analysis.

#3 jwaylo

    Member

  • Full Member
  • 7 posts

Posted 28 May 2004 - 02:08 PM

Did and done. Thanks.
Here is the latest log after following your directions. Looks good to me.
BTW I ran CWShredder, current to 5-23, on this also and it couldn't clean it. Ad-Aware found the System32.dll file but couldn't delete it.

Logfile of HijackThis v1.97.7
Scan saved at 1:42:46 PM, on 5/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://msn.com/search/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Simply Transparent.lnk = C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
O12 - Plugin for .AIFF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .exe: C:\Program Files\Opera\PLUGINS\npstar.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .QT: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O12 - Plugin for .vbs: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://images.ancest...ll/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8036.5896527778
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8F595EF-81B1-47A5-8CC4-F7DA44B5FF64} (ImagePreview Class) - http://images.ancest...ll/MFImgVwr.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{03502BF8-E5AB-4E75-9AA7-B322C5E2AE93}: NameServer = 216.106.1.2 216.106.1.3


Thanks again.

#4 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 28 May 2004 - 02:35 PM

Please run HijackThis and delete:
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#5 jwaylo

    Member

  • Full Member
  • 7 posts

Posted 28 May 2004 - 09:46 PM

Thanks, it seems I'm back to almost normal. One more problem I can't figure out what to reset.
When I try to download Spywareguard, IE/Spyad or the MVPS Hosts file I get an error message "You are not authorized to view this page." Error 403.
If you would please point me in the right direction.

Thanks
J

#6 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 29 May 2004 - 01:42 AM

Do the following:
Click on "Start" => "Run", type in cmd and press Enter. This will bring up a command prompt. At the prompt type in ren c:\windows\system32\drivers\etc\hosts hosts.old. Try to download again. Let me know if that resolves the issue.

#7 jwaylo

    Member

  • Full Member
  • 7 posts

Posted 31 May 2004 - 12:47 AM

Didn't do the job.
I downloaded all of the suggested programs that I didn't already have using my Win 98 side. I copied them over to the W2K, installed and set up all. Shut down to a cold boot and tried to download one of them again with no success. I tried to download some icons from another freeware site and still got the same "You are not authorized to access this site." error 403.

I get the same error whether I'm on as Administrator or a power user.

What next?

J

#8 jwaylo

    Member

  • Full Member
  • 7 posts

Posted 31 May 2004 - 02:33 AM

This didn't work. I downloaded the items I didn't have using my Win 98 side and loaded them all on the W2k. Still not able to download from anywhere.

I may have misled you on the exact error message. It should be "HTTP error 403 forbidden". I searched this in the MS knowledge base and came up with some solutions but am not sure which, if any, would apply. I also searched with IE 6 error 403.
I tried to do the one that says to edit the Internet Service Manager but couldn't figure out where to find it.

Thanks
J

#9 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 31 May 2004 - 10:05 AM

Can you please post another HijackThis log and in HijackThis, on the bottom right is a box named "Config", click on it. Then click on "Misc Tools" near the top. Just below that you should see a "Generate Startup List", can you click on that and post both logs here so I can see what is going on?

Thanks.