• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
natasha82

greatsearch.biz help!!!

2 posts in this topic

hi guys,

i was hoping someone would be able to help me out with my (not so) little greatsearch.biz problem. I have looked at quite a few posts and different sites and tried everything they have recommended. I have run ad-aware, spybot, CWS and HJT all found things but the problem still remains. I have "fixed" items R0 and R1 in my HJT list only to have them re-apear when i close and run HJT again. I deleted files dl.exe and dlm.exe. i couldnt find swchost.exe, sxchost.exe or reg33.exe as directed to delete in another post in this forum. I have tried everything, i hope someone can please help! i'll be forever thankfull....

 

Logfile of HijackThis v1.97.7

Scan saved at 2:13:28 AM, on 20/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\System32\ctfmon.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\dwwin.exe

C:\Program Files\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [services Process] C:\WINDOWS\system32\config\services.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: ICQ Pro (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8015.8874074074

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB30DFB-30F1-4791-8E4A-1FDA9B570F77}: NameServer = 203.194.56.150 203.194.27.57

 

thanks in advance....

 

nat

Share this post


Link to post
Share on other sites

I posted on the Malware forum how I finally fixed this on my machine. You basically have to hand-delete any files that got loaded into your system when it got compromised. Find services.exe in WINDOWS\SYSTEM32\CONFIG and look at its properties. Write down the time and date it was created. Then delete with Killbox that file and any other files in that folder and in the SYSTEM32 folder that were created at the same time, as well. You'll find a bunch of them, probably. Use Killbox on them all and set it to delete on reboot.

 

Go look at the Malware forum, the thread is called "greatsearch defeated" or something like that. This virus actually has a lot of the properties of something called TROJ_BANKER.J which apparently tracks your key-strokes.

Edited by Ed Brubaker

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0