

greatsearch.biz help!!!

1 reply to this topic

#1 natasha82




Posted 19 May 2004 - 10:14 AM

Hi guys,
I was hoping someone would be able to help me out with my (not so) little greatsearch.biz problem. I have looked at quite a few posts and different sites and tried everything they have recommended. I have run Ad-aware, Spybot, CWS and HJT; all found things, but the problem still remains. I have "fixed" items R0 and R1 in my HJT list, only to have them reappear when I close and run HJT again. I deleted files dl.exe and dlm.exe. I couldn't find swchost.exe, sxchost.exe or reg33.exe as directed to delete in another post in this forum. I have tried everything, I hope someone can please help! I'll be forever thankful....

Logfile of HijackThis v1.97.7
Scan saved at 2:13:28 AM, on 20/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8015.8874074074
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB30DFB-30F1-4791-8E4A-1FDA9B570F77}: NameServer =

thanks in advance....


#2 Ed Brubaker




Posted 19 May 2004 - 04:51 PM

I posted on the Malware forum how I finally fixed this on my machine. You basically have to hand-delete any files that got loaded into your system when it got compromised. Find services.exe in WINDOWS\SYSTEM32\CONFIG and look at its properties. Write down the time and date it was created. Then delete with Killbox that file and any other files in that folder and in the SYSTEM32 folder that were created at the same time, as well. You'll find a bunch of them, probably. Use Killbox on them all and set it to delete on reboot.

Go look at the Malware forum, the thread is called "greatsearch defeated" or something like that. This virus actually has a lot of the properties of something called TROJ_BANKER.J which apparently tracks your key-strokes.

Edited by Ed Brubaker, 19 May 2004 - 04:54 PM.

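The timestamp comparison described in reply #2 (note when services.exe in WINDOWS\SYSTEM32\CONFIG was created, then look for other files created at the same time) can be done with a short read-only script. This is an added example, not part of the original thread: the names `creation_time` and `created_near`, the 120-second window and the demo file names are assumptions made for illustration.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path


def creation_time(path):
    """Creation time where the OS records one, else last-modified time."""
    st = os.stat(path)
    if hasattr(st, "st_birthtime"):      # Windows (Python 3.12+), macOS, BSD
        return st.st_birthtime
    return st.st_ctime if os.name == "nt" else st.st_mtime


def created_near(reference, folders, window=120, stamp=creation_time):
    """Return (path, timestamp) for files in `folders` stamped within
    `window` seconds of `reference`, oldest first. The reference file is
    included. Read-only: nothing is deleted or modified."""
    ref = stamp(reference)
    hits = []
    for folder in folders:
        for entry in Path(folder).iterdir():
            try:
                if entry.is_file() and abs(stamp(entry) - ref) <= window:
                    hits.append((entry, stamp(entry)))
            except OSError:              # locked or unreadable: skip, keep going
                continue
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    # Constructed demo: a temp folder stands in for SYSTEM32\CONFIG, with
    # modification times set by hand so the run is repeatable anywhere.
    mtime = lambda p: os.stat(p).st_mtime
    with tempfile.TemporaryDirectory() as d:
        base = datetime(2004, 5, 18, 21, 30).timestamp()   # constructed time
        for name, offset in [("services.exe", 0), ("dropped.dll", 45),
                             ("system.log", -86400)]:
            f = Path(d, name)
            f.write_bytes(b"")
            os.utime(f, (base + offset, base + offset))
        for path, ts in created_near(Path(d, "services.exe"), [d], stamp=mtime):
            print(datetime.fromtimestamp(ts), path.name)
```

The result is a list of candidates to review by hand, since legitimate files installed in the same minute will also match and file timestamps can be changed after the fact.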