Ed Brubaker

Greatsearch.biz is killing me

5 posts in this topic

Here's the newest HT log.

 

I could not find any reg33.exe files, but I did delete krnldbge.dll from SYSTEM32\Config and SHIMGVWR.DLL from SYSTEM32. Also I've deleted the Services.exe file and one other .exe file, both from SYSTEM32\CONFIG. These were all bad files connected to greatsearch.biz, but also part of a virus called TROJ_BANKER.J. A friend pointed this out to me. When I went into Safe Mode and deleted this stuff, he walked me through some regedit deletions, too, including deleting the key CURENT USER (not CURRENT USER), which is part of it, too.

 

So then in Safe Mode I ran HT and deleted all the greatsearch.biz links, and ran HT again and it came up clean. But when I rebooted, you can see it came back, even though all the deleted files are still gone. This thing is relentless. My ad-watch fires ten times in a row every five minutes. Has anyone actually gotten rid of this?

 

 

Logfile of HijackThis v1.97.7

Scan saved at 11:50:09 AM, on 5/19/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\DELLMMKB.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Workpace\WorkPace.exe

C:\PROGRA~1\Workpace\sv32_240.exe

C:\HT\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

O4 - Startup: WorkPace.LNK = C:\Program Files\Workpace\WorkPace.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\MYIE2\config/blacklist.htm

O9 - Extra button: MoneySide (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd...ds/iaieplay.dll

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7959.4471759259

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

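As an added example (not code from the thread or from HijackThis), here is a small Python triage script for a log in the format posted above: it parses the R0/R1 and O2 lines, counts how many Internet Explorer page values point at a host outside an allowlist, and lists BHOs shown as "(no name)" so their CLSIDs can be looked up. The sample lines are constructed from entries in this post; the allowlist of trusted hosts is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.97 log format, modelled on the log posted above.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""

# R0/R1 lines: "<Rn> - <hive>\<key>,<value name> = <url>"
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
# O2 lines: "O2 - BHO: <display name> - {CLSID} - <path>"
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def parse_r_entries(log):
    """Yield (hive, value name, host) for every R0/R1 line in the log."""
    for line in log.splitlines():
        m = R_LINE.match(line)
        if m:
            host = (urlsplit(m.group(5).strip()).hostname or "").lower()
            yield m.group(2), m.group(4), host


def hijacked_hosts(log, trusted=("google.com",)):  # allowlist is an assumption
    """Map each host outside the allowlist to the number of IE page values
    (Start Page, Default_Page_URL, Local Page; HKCU and HKLM) set to it.
    Several values rewritten to one unfamiliar host is the pattern in this thread."""
    counts = {}
    for _hive, _name, host in parse_r_entries(log):
        if host and host not in trusted:
            counts[host] = counts.get(host, 0) + 1
    return counts


def unnamed_bhos(log):
    """Return (CLSID, path) for O2 entries shown as '(no name)'. These need a
    lookup, not automatic removal: Acrobat's helper is listed that way too."""
    found = []
    for line in log.splitlines():
        m = O2_LINE.match(line)
        if m and m.group(1) == "(no name)":
            found.append((m.group(2), m.group(3).strip()))
    return found


if __name__ == "__main__":
    print("page values pointing off-allowlist:", hijacked_hosts(SAMPLE_LOG))
    print("BHOs to look up by CLSID:", unnamed_bhos(SAMPLE_LOG))
```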

I was infected with the Win32.Mersting.B (CoolWebSearch hijacker) trojan and I seem to have got rid of it. Your problem isn't the same as mine so I wouldn't know but here are some steps that might help:

 

If you haven't already identified the malicious DLL file that keeps generating these search pages, do so now:

1) Go to C:\WINDOWS\system32\

2) Go to View > Choose Details > and check the box that says "Created". This will allow you to arrange your icons by the date CREATED. The DLL file that infected my computer was created on May 13, 2004.

3) Now right-click and choose Arrange Icons > Created

4) Depending on whether your files are listed in reverse chronological order or not, the most recently created DLL files should either be at the top or bottom. If you remember when your problem started, then look for a file that was created on that day. Another hint is that when you hover over the malicious file, it usually has no company name or additional info and looks generally suspicious.

5) Once you've located this file, you'll need a program called KillBox to kill it, because it can't be deleted the regular way. If you have KillBox, type in the address of your malicious file (C:\WINDOWS\system32\nameofyourfile.dll) into the address bar, and then go to Action > Delete On Reboot.

6) A window will pop up. Go to File > Add File and your file should be added into the blank space. Then go to Action > Process and Reboot. A message will prompt you to reboot your PC. Reboot your PC as told and once that's over, your malicious file should be deleted.

 

7) BUT that's only the visible file. And the trick is that there is one remaining malicious file which is HIDDEN. It'll be somewhere in your System32 folder but you won't be able to see it, let alone know its name. To get round this, you'll need a program called Registrar Lite (see links below).

8) Download RegLite, then type this into the address bar at the top:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Once you've done that, a list of register keys will come up. Double click on AppInit_DLLs and in the "value" field, you should see the name of your hidden malicious file like this - C:\WINDOWS\system32\nameofyourfile.dll

9) The next step is kinda tricky because I don't think what worked for me will necessarily work for you, but anyway, give it a try. Note down the name of your malicious file, and look for it in C:\WINDOWS\system32. IF your hidden file is now visible, do what I did...

 

10) Right-click on your file and rename it from "nameofyourfile.dll" to "nameofyourfile.doc" (i.e. keep the filename so you can find it, but change the DLL extension). You won't be able to change the attributes because your file is in read-only mode.

11) Once you've done that, go to your C drive, right-click and go to New > Folder. Give your folder a name, and I suggest you use the filename of your malicious file. So if your malicious file is called "ijmbwp.dll", call your folder "ijmbwp".

12) Go back to C:\WINDOWS\System32. Locate your file again, right-click then COPY and PASTE it into the new folder you've just created in step 11. Then press the "back" button, highlight that folder and move the whole thing into the recycle bin. Now empty your recycle bin. Your second malicious file should now be removed. But just to double check, go to Start > Search and type in the name of your file. If you find any files left with that name, delete them all.

13) Finally, run Spybot, Ad-Aware and HijackThis just to make sure you've deleted all the components associated with your trojan.

14) Your homepage should now be back to your own default, and the trojan should be gone. Some additional DLL files may have been created along with the two files you previously deleted but these can easily be removed from your System32 folder, but I'd recommend scanning your PC with a free virus scan from TrendMicro.

 

If none of that works, then maybe my solution doesn't apply to you but there are some helpful tips here anyway and I hardly think this problem is uniquely yours. In the meantime, get yourself an antivirus software (if you haven't already got one) and run Ad-Aware, Spybot, etc. at LEAST once a week.

 

BTW, keep in mind that anti-spyware programs and CWShredder will NOT remove the trojan from your computer. You really need to seek out those malicious DLL files and destroy them or else the problem will persist, one way or another.

 

Ad-Aware - http://www.lavasoftusa.com/support/download/

SpyBot - http://www.safer-networking.org/

Registrar Lite - http://www.resplendence.com/reglite

KillBox - http://download.broadbandmedic.com/

TrendMicro virus scan - http://housecall.trendmicro.com/

 

If you've done all that already, then Godspeed...this is one nasty trojan you're dealing with here. :(


What happens if you deleted the files the regular way, or in Safe Mode, but not the hidden file? I can't find any of the files I deleted, so they aren't coming back, but the hidden file must still be there. If I find and destroy that, will it still work?

 

No one ever mentioned Killbox before, so I hope deleting them the regular way didn't make them hide further or something.


All right. I was wishing there was some way to check to see any files created at a specific time. I know exactly when I got infected, and I found two files in the SYSTEM32 file that were created within a minute of each other -- One is system32.dll and the other is I believe an .exe file, the blue DOS box and it's named appsys. Should I use Killbox on both of those?


Okay, well, I followed all your instructions, and got rid of those last two malicious files, then I did the reglite thing but the only thing that came up when I double-clicked in the value-name part was AppInit_DLLs, so I don't know what to do next.

 

But, getting rid of those last malicious files seemed to do the trick for now, at least. No more hijacks so far. Thanks.
