Jump to content


Photo

Browser hijacked by greatsearch.biz - Pls help!


  • This topic is locked This topic is locked
6 replies to this topic

#1 luckytexan

luckytexan

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 18 May 2004 - 10:14 PM

Please help... My browser's homepage has been set to greatsearch.biz, and I can't change it back to what it was. I've read the FAQ's, scanned system with Ad-Aware & Spybot S&D, and have gone through the steps listed in Mike Healan's article posted on this site "Hijack Removal", but I got a little lost on the Pacman list. I'm not a computer guy, but I can follow instructions. There are five "04" items that I'm not sure about. SysTray.exe and mstask.exe could be viral or legit... I don't know enough to tell from Pacman's description. There were 3 "04" items that didn't show up in the list. One seems to be a script blocker from Symantec (I'm running Norton AV 2001), Another to be associated with my printer. The third is hpztsb03.exe. Is this the culprit? I'm pasting my Hijack This log at end. If someone could look it over and advise, I'd appreciate it greatly. Thanks.

PS. greatsearch.biz showed back up in the log after I deleted it in step 1 of "Hijack Removal." I've also ran CWShredder, because the greatsearch.biz site sometimes displays "Cool Web Search" on the top IE bar, but it says my computer is clean. Also ran miniremoval_coolwebsearch_smartkiller.exe, but it says I'm clean, too.

Logfile of HijackThis v1.97.7
Scan saved at 9:25:38 PM, on 5/18/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\HP OFFICEJET 7100 SERIES\BIN\HPOGRP07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
C:\AMERICA ONLINE 6.0\AOLTRAY.EXE
C:\PROGRAM FILES\QUICKENW\QWDLLS.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOFXM07.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\DOWNLOAD APPS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dell.com/search/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\ACROBAT\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\ACROBAT\ACROIEFAVCLIENT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\ACROBAT\ACROIEFAVCLIENT.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [QAGENT] C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai...meInstaller.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/do...py/iesnoopy.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://communities.m...al/msnchat4.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll

#2 luckytexan

luckytexan

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 19 May 2004 - 12:43 PM

bump

#3 luckytexan

luckytexan

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 20 May 2004 - 01:35 PM

bump.

I'm seeing that others have this same problem, and they say they are fixing it by deleting some .exe and .dll files. I'd sure like to hear an expert's opinion. thanks.

#4 luckytexan

luckytexan

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 20 May 2004 - 06:40 PM

bump

#5 jwrepost

jwrepost

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 20 May 2004 - 06:45 PM

lucky

best thing to do is find ed brubakers post on this site and follow his instructions. i tried more than i can remember and following his post was the only thing that got rid of it for me.

#6 luckytexan

luckytexan

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 21 May 2004 - 11:46 AM

Thanks, jwrepost. I printed out his post and will try it. I was hoping for an expert to give me some advice. This is my first time with forums, and I'm not as computer literate as most of the posters here. I guess I got the jitters, not sure who's advice I can trust. I'll try ed brubaker's instructions and see how I fare.

#7 luckytexan

luckytexan

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 24 May 2004 - 09:56 AM

For those who need help with greatsearch.biz, I followed ed brubaker's instructions (do a site search for "greatsearch.biz" and you'll find it), and I seemed to have gotten rid of it. Thanks, Ed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button