Jump to content


Photo

Cool Web Search Trojan Variant?


  • Please log in to reply
9 replies to this topic

#1 brucelia

brucelia

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 26 May 2004 - 06:41 PM

Hi,I seem to have a variant of CWS Trojan which comes up on my browser as "Greatsearch.biz/ I have tried all removal tools but it just seems to stay regenerate itself everytime I reboot.
I found a file called ://shdoclc.dll/offcancl.htm#http://greatsearch.biz/
I have used CWShredder and Hijackthis and Spybot but still this Trojan tries to open my Start page in IE as its bogus search engine.
I have to reset my IE options and if I switch off the page it just comes back when I go into IE again.
ANY IDEAS!!anyone !!

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 26 May 2004 - 09:40 PM

Hi,
Post your HijackThis log and a StartupList log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 brucelia

brucelia

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 29 May 2004 - 09:39 PM

Logfile of HijackThis v1.97.7
Scan saved at 2:49:34 PM, on 5/23/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NEOWATCH\NWSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NeoWatch\NeoWatchTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Services Process] C:\WINNT\system32\config\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NeoWatch Startup.lnk = C:\Program Files\NeoWatch\NeoWatchTray.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOWATCH\NTXcontext.htm
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8057.8159837963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 brucelia

brucelia

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 29 May 2004 - 09:41 PM

StartupList report, 5/30/2004, 11:29:30 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\My Documents\StartupList.EXE
Detected: Windows 2000 SP2 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NEOWATCH\NWSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\NeoWatch\NeoWatchTray.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\My Documents\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup]
NeoWatch Startup.lnk = C:\Program Files\NeoWatch\NeoWatchTray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
WinPatrol PLUS = C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
Synchronization Manager = mobsync.exe /logon

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssmarque.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll - {0D929918-C804-4756-B0AC-640EF3F061E9}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Norton AntiVirus AutoProtect.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
System: C:\WINNT\system32\system32.dll

--------------------------------------------------
End of report, 4,072 bytes
Report generated in 0.191 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#5 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 29 May 2004 - 10:19 PM

Hi,
Open Notepad and save the below as: "RemoveGreatsearch.reg"
In the "Save as type" drop-down section, select: All Files

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]


1) Restart in Safe Mode (see "How To:" below)
2) Enable Hidden Files (see "How To:" below)

Locate "RemoveGreatsearch.reg", right-click and select: Merge, Ok the prompt.

Locate and delete the following:

C:\WINNT\system32\system32.dll <--this file
C:\WINNT\system32\config\services.exe <--this file
Note: do not delete - C:\WINNT\system32\services.exe

While still in Safe Mode:
Close all open windows, rescan with HijackThis and "Fix checked" the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O4 - HKLM\..\Run: [Services Process] C:\WINNT\system32\config\services.exe


Restart normally and post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#6 brucelia

brucelia

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 31 May 2004 - 01:53 AM

Mike!! YES,I got rid of CWS Greatsearch .biz/ I can't thank you enough!!
I managed to follow your instuctions even.Tell me ,what do I do with the "Remove Great Search.reg" note pad file??? DELETE??
Here is the log file you asked for.Logfile of HijackThis v1.97.7
Scan saved at 10:16:05 AM, on 5/31/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com.au
O2 - BHO: (no name) - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol PLUS] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - Global Startup: NeoWatch Startup.lnk = C:\Program Files\NeoWatch\NeoWatchTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

#7 brucelia

brucelia

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 31 May 2004 - 01:59 AM

Mike ! had some trouble with posting message but it seems OK now.

Edited by brucelia, 31 May 2004 - 02:03 AM.


#8 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 31 May 2004 - 05:20 AM

Hi,

what do I do with the "Remove Great Search.reg"

Yes, you can delete that ...

had some trouble with posting message

That doesn't look like a complete log? (but clean from what I can see)

Note: you shouldn't use the "Admininstrator" account for general purposes. You should create your own account (profile) and leave the Admininstrator account for troubleshooting, etc.

Just a thought ... :wave:
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#9 brucelia

brucelia

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 31 May 2004 - 05:52 PM

Hi, Mike,I thought the log was not complete either as some of the items to "Fix" in Hijack This did not appear but I may have got rid of them in a previous scan???
You are dealing with a novice here.
What about the "Remove Great Search.reg"file (Notepad)should I delete it??
Many thanks for your help.
Bruce.

#10 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 31 May 2004 - 06:41 PM

Hi,

What about the "Remove Great Search.reg"file (Notepad)should I delete it??

I already answered that ... look up in my last reply :unsure:

I would suggest adding some "Defense" to your system ...
See section: How To: Prevent this from happening again?
http://www.mvps.org/...02/unwanted.htm

Edited by WinHelp2002, 31 May 2004 - 06:43 PM.

Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button