brucelia

Cool Web Search Trojan Variant?

10 posts in this topic

Hi, I seem to have a variant of the CWS Trojan which comes up in my browser as "Greatsearch.biz/". I have tried all removal tools but it just seems to regenerate itself every time I reboot.

I found a file called ://shdoclc.dll/offcancl.htm#http://greatsearch.biz/

I have used CWShredder and Hijackthis and Spybot but still this Trojan tries to open my Start page in IE as its bogus search engine.

I have to reset my IE options and if I switch off the page it just comes back when I go into IE again.

ANY IDEAS!! Anyone!!


Logfile of HijackThis v1.97.7
Scan saved at 2:49:34 PM, on 5/23/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NEOWATCH\NWSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NeoWatch\NeoWatchTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [services Process] C:\WINNT\system32\config\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NeoWatch Startup.lnk = C:\Program Files\NeoWatch\NeoWatchTray.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOWATCH\NTXcontext.htm
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8057.8159837963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


StartupList report, 5/30/2004, 11:29:30 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\My Documents\StartupList.EXE
Detected: Windows 2000 SP2 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NEOWATCH\NWSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\NeoWatch\NeoWatchTray.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\My Documents\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup]
NeoWatch Startup.lnk = C:\Program Files\NeoWatch\NeoWatchTray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
WinPatrol PLUS = C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
Synchronization Manager = mobsync.exe /logon

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssmarque.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll - {0D929918-C804-4756-B0AC-640EF3F061E9}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Norton AntiVirus AutoProtect.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
System: C:\WINNT\system32\system32.dll

--------------------------------------------------
End of report, 4,072 bytes
Report generated in 0.191 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Hi,

Open Notepad and save the below as: "RemoveGreatsearch.reg"

In the "Save as type" drop-down section, select: All Files

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-

[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

 

1) Restart in Safe Mode (see "How To:" below)

2) Enable Hidden Files (see "How To:" below)

 

Locate "RemoveGreatsearch.reg", right-click and select: Merge, Ok the prompt.

 

Locate and delete the following:

 

C:\WINNT\system32\system32.dll <--this file

C:\WINNT\system32\config\services.exe <--this file

Note: do not delete - C:\WINNT\system32\services.exe

 

While still in Safe Mode:

Close all open windows, rescan with HijackThis and "Fix checked" the following:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O4 - HKLM\..\Run: [services Process] C:\WINNT\system32\config\services.exe

 

Restart normally and post a fresh log ...

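Across the logs in this thread the hijack surfaced in three places: every R0/R1 Start Page, Default_Page_URL and Local Page value pointing at greatsearch.biz, an O4 Run entry launching a services.exe from system32\config instead of system32, and a ShellServiceObjectDelayLoad (SSODL) handler loading system32.dll, which is not a Windows file. Note that the HijackThis 1.97.7 log never listed the SSODL entry; it only appeared in the StartupList report. The script below is an added example, not code from the thread or from HijackThis or StartupList: it runs those three checks over a constructed sample built from the lines posted above and produces the REGEDIT4 fragment that removes a flagged SSODL value, the same "System"=- form used in the fix. The baselines it uses (the user's own google.com.au search page as the only expected outside host, and netshell.dll, webcheck.dll and stobject.dll as the stock Windows 2000 SSODL handlers) are assumptions for the example, not something the thread states.

```python
"""Triage HijackThis / StartupList output for the three indicators this
thread turned on: IE page values redirected to an outside host, a Run-key
entry that launches something named like a core NT process, and an SSODL
handler outside the stock Windows 2000 set.

Added example; not code from the thread, HijackThis or StartupList.
The baselines below are assumptions; adjust them for the machine at hand.
"""
import re
import sys
from urllib.parse import urlsplit

# Assumed baselines (not from the thread).
ALLOWED_PAGE_HOSTS = {"www.google.com.au"}
STOCK_SSODL_DLLS = {"netshell.dll", "webcheck.dll", "stobject.dll"}
# Core NT process names. Nothing legitimate starts these from a Run key;
# the real ones are started by smss/winlogon from %SystemRoot%\system32.
CORE_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "svchost.exe"}
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\ShellServiceObjectDelayLoad")

R_LINE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SSODL_LINE = re.compile(r"^(?P<name>[\w.]+): (?P<path>.+\.dll)$", re.I)
EXE_IN_CMD = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.I)

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.au
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [services Process] C:\WINNT\system32\config\services.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - Global Startup: NeoWatch Startup.lnk = C:\Program Files\NeoWatch\NeoWatchTray.exe

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
System: C:\WINNT\system32\system32.dll

--------------------------------------------------
"""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return (rule, line) findings for HijackThis / StartupList text."""
    findings = []
    in_ssodl = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Enumerating ShellServiceObjectDelayLoad"):
            in_ssodl = True          # StartupList section header
            continue
        if line.startswith("---"):
            in_ssodl = False         # StartupList section separator
            continue
        m = R_LINE.match(line)
        if m:
            value = m.group("value")
            if value.lower().startswith(("http://", "https://")):
                host = (urlsplit(value).hostname or "").lower()
                if host not in ALLOWED_PAGE_HOSTS:
                    findings.append(("ie-page-redirect", line))
            continue
        m = O4_LINE.match(line)
        if m:
            exe = EXE_IN_CMD.match(m.group("cmd"))
            if exe and basename(exe.group("exe")) in CORE_PROCESS_NAMES:
                findings.append(("core-name-in-run-key", line))
            continue
        m = SSODL_LINE.match(line)
        if in_ssodl and m and basename(m.group("path")) not in STOCK_SSODL_DLLS:
            findings.append(("unknown-ssodl-dll", line))
    return findings


def ssodl_removal_reg(findings):
    """REGEDIT4 text that deletes the flagged SSODL values. '"Name"=-'
    removes one value; '[-Key]' would drop the whole key, which is not
    wanted because the stock handlers live in the same key."""
    names = [SSODL_LINE.match(line).group("name")
             for rule, line in findings if rule == "unknown-ssodl-dll"]
    if not names:
        return ""
    values = "\n".join('"%s"=-' % n for n in names)
    return "REGEDIT4\n\n[%s]\n%s\n" % (SSODL_KEY, values)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for rule, line in triage(text):
        print(rule, "|", line)
    print(ssodl_removal_reg(triage(text)))
```

Run it with a saved log as the argument, or with no argument to see it flag the four lines from the sample. The SSODL check is the one that mattered here: Explorer loads every DLL listed in that key at each logon, so deleting the file while leaving the value behind only breaks the load, and leaving the file while removing the value is what the fix above avoids by doing both.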

Mike!! YES, I got rid of CWS Greatsearch.biz/ I can't thank you enough!!

I managed to follow your instructions even. Tell me, what do I do with the "Remove Great Search.reg" Notepad file??? DELETE??

Here is the log file you asked for.

Logfile of HijackThis v1.97.7
Scan saved at 10:16:05 AM, on 5/31/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com.au
O2 - BHO: (no name) - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol PLUS] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - Global Startup: NeoWatch Startup.lnk = C:\Program Files\NeoWatch\NeoWatchTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Hi,

what do I do with the "Remove Great Search.reg"

Yes, you can delete that ...

had some trouble with posting message

That doesn't look like a complete log? (but clean from what I can see)

 

Note: you shouldn't use the "Administrator" account for general purposes. You should create your own account (profile) and leave the Administrator account for troubleshooting, etc.

 

Just a thought ... :wave:


Hi, Mike, I thought the log was not complete either, as some of the items to "Fix" in HijackThis did not appear, but I may have got rid of them in a previous scan???

You are dealing with a novice here.

What about the "Remove Great Search.reg" file (Notepad), should I delete it??

Many thanks for your help.

Bruce.


Hi,

What about the "Remove Great Search.reg" file (Notepad), should I delete it??

I already answered that ... look up in my last reply :unsure:

 

I would suggest adding some "Defense" to your system ...

See section: How To: Prevent this from happening again?

http://www.mvps.org/winhelp2002/unwanted.htm

Edited by WinHelp2002
