Greatsearch.biz is killing me


This topic is locked
4 replies to this topic

#1 Ed Brubaker

Posted 19 May 2004 - 02:19 PM

Here's the newest HT log.

I could not find any reg33.exe files, but I did delete krnldbge.dll from SYSTEM32/Config and SHIMGVWR.DLL from SYSTEM32. Also I've deleted the Services.exe file and one other .exe file, both from SYSTEM32\CONFIG. These were all bad files connected to greatsearch.biz, but also part of a virus called TROJ_BANKER.J. A friend pointed this out to me. When I went into Safe Mode and deleted this stuff, he walked me through some regedit deletions, too, including deleting the file CURENT USER (not CURRENT USER) which is part of it, too.

So then in Safe Mode I ran HT and deleted all the greatsearch.biz links, and ran HT again and it came up clean. But when I rebooted, you can see it came back, even though all the deleted files are still gone. This thing is relentless. My ad-watch fires ten times in a row every five minutes. Has anyone actually gotten rid of this?


Logfile of HijackThis v1.97.7
Scan saved at 11:50:09 AM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Workpace\WorkPace.exe
C:\PROGRA~1\Workpace\sv32_240.exe
C:\HT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: WorkPace.LNK = C:\Program Files\Workpace\WorkPace.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\MYIE2\config/blacklist.htm
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.c...ds/iaieplay.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7959.4471759259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 nightwish519

Posted 19 May 2004 - 03:05 PM

I was infected with the Win32.Mersting.B (CoolWebSearch hijacker) trojan and I seem to have got rid of it. Your problem isn't the same as mine so I wouldn't know but here are some steps that might help:

If you haven't already identified the malicious DLL file that keeps generating these search pages, do so now:
1) Go to C:\WINDOWS\system32\
2) Go to View > Choose Details > and check the box that says "Created". This will allow you to arrange your icons by the date CREATED. The DLL file that infected my computer was created on May 13, 2004.
3) Now right-click and choose Arrange Icons > Created
4) Depending on whether your files are listed in reverse chronological order or not, the most recently created DLL files should either be at the top or bottom. If you remember when your problem started, then look for a file that was created on that day. Another hint is that when you hover over the malicious file, it usually has no company name or additional info and looks generally suspicious.
5) Once you've located this file, you'll need a program called KillBox to kill it, because it can't be deleted the regular way. If you have KillBox, type in the address of your malicious file (C:\WINDOWS\system32\nameofyourfile.dll) into the address bar, and then go to Action > Delete On Reboot.
6) A window will pop up. Go to File > Add File and your file should be added into the blank space. Then go to Action > Process and Reboot. A message will prompt you to reboot your PC. Reboot your PC as told and once that's over, your malicious file should be deleted.

7) BUT that's only the visible file. And the trick is that there is one remaining malicious file which is HIDDEN. It'll be somewhere in your System32 folder but you won't be able to see it, let alone know its name. To get round this, you'll need a program called Registrar Lite (see links below).
8) Download RegLite, then type this into the address bar at the top:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Once you've done that, a list of registry keys will come up. Double click on AppInit_DLLs and in the "value" field, you should see the name of your hidden malicious file like this - C:\WINDOWS\system32\nameofyourfile.dll
9) The next step is kinda tricky because I don't think what worked for me will necessarily work for you but anyway, give it a try. Note down the name of your malicious file, and look for it in C:\WINDOWS\system32. IF your hidden file is now visible, do what I did....

10) Right-click on your file and rename it from "nameofyourfile.dll" to "nameofyourfile.doc" (i.e. keep the filename so you can find it but change the DLL). You won't be able to change the attributes because your file is in read-only mode.
11) Once you've done that, go to your C drive, right-click and go to New > Folder. Give your folder a name, and I suggest you use the filename of your malicious file. So if your malicious file is called "ijmbwp.dll", call your folder "ijmbwp".
12) Go back to C:\WINDOWS\System32. Locate your file again, right-click then COPY and PASTE it into the new folder you've just created in step 11. Then press the "back" button, highlight that folder and move the whole thing into the recycle bin. Now empty your recycle bin. Your second malicious file should now be removed. But just to double check, go to Start > Search and type in the name of your file. If you find any files left with that name, delete them all.
13) Finally, run Spybot, Ad-Aware and HijackThis just to make sure you've deleted all the components associated with your trojan.
14) Your homepage should now be back to your own default, and the trojan should be gone. Some additional DLL files may have been created along with the two files you previously deleted but these can easily be removed from your System32 folder, but I'd recommend scanning your PC with a free virus scan from TrendMicro.

If none of that works, then maybe my solution doesn't apply to you, but there are some helpful tips here anyway and I hardly think this problem is uniquely yours. In the meantime, get yourself antivirus software (if you haven't already got one) and run Ad-Aware, Spybot, etc. at LEAST once a week.

BTW, keep in mind that anti-spyware programs and CWShredder will NOT remove the trojan from your computer. You really need to seek out those malicious DLL files and destroy them or else the problem will persist, one way or another.

Ad-Aware - http://www.lavasoftu...pport/download/
SpyBot - http://www.safer-networking.org/
Registrar Lite - http://www.resplendence.com/reglite
KillBox - http://download.broadbandmedic.com/
TrendMicro virus scan - http://housecall.trendmicro.com/

If you've done all that already, then Godspeed...this is one nasty trojan you're dealing with here. :(
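The checks in the steps above (files created in System32 around the time the problem started, then the AppInit_DLLs value) and the start-page entries HijackThis reports as R0/R1 and O4 in the log in post #1 can be gathered in one pass from an elevated PowerShell prompt. The script below is an added example and is not code from the thread or from any of the tools named in it; it assumes PowerShell 3.0 or later, that `$InfectionTime` is set to roughly when the hijack began, and that `$SuspectDomain` is the domain the start pages keep being reset to (the script name and parameter names are assumptions).

```powershell
# Find-HijackArtifacts.ps1 (added example; name and parameters are assumptions).
# Run from an elevated prompt on the affected machine.
param(
    [datetime]$InfectionTime = (Get-Date).AddDays(-7),
    [int]$WindowMinutes = 60,
    [string]$SuspectDomain = 'greatsearch.biz'
)

$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Files created in System32 around the infection time (steps 1-4 above).
#    -Force includes hidden and system files that Explorer would not list.
$from = $InfectionTime.AddMinutes(-$WindowMinutes)
$to   = $InfectionTime.AddMinutes($WindowMinutes)
Write-Host "== Files in $sys32 created between $from and $to =="
Get-ChildItem -Path $sys32 -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -le $to } |
    ForEach-Object {
        # No company name and no valid signature is the "looks suspicious" hint in step 4.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $_.Name
            Created   = $_.CreationTime
            Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            Company   = $_.VersionInfo.CompanyName
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
        }
    } | Format-Table -AutoSize

# 2. AppInit_DLLs (step 8 above). Every DLL listed here is loaded into each
#    process that loads user32.dll, so a DLL named here is reloaded at every
#    logon even after the start-page values have been repaired.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
Write-Host "== AppInit_DLLs: '$appInit' =="

# 3. The IE start-page values HijackThis reports as R0/R1, plus the Run keys
#    it reports as O4. Flag any value that references the suspect domain.
$iePaths = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main'
)
$runPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
Write-Host "== Start pages and Run keys (values mentioning $SuspectDomain are flagged) =="
foreach ($p in $iePaths + $runPaths) {
    $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        $flag = ''
        if ("$($prop.Value)" -match [regex]::Escape($SuspectDomain)) { $flag = '<-- SUSPECT' }
        '{0}\{1} = {2} {3}' -f $p, $prop.Name, $prop.Value, $flag
    }
}
```

Run it as `.\Find-HijackArtifacts.ps1 -InfectionTime '2004-05-13 14:00' -SuspectDomain greatsearch.biz`. Removing a file that AppInit_DLLs still names does not clear the value, so when something is listed there the value needs clearing as well as the file being removed. On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled by default, so an empty value is the expected result on a modern system.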

#3 Ed Brubaker

Posted 19 May 2004 - 03:13 PM

What happens if you deleted the files the regular way, or in Safe Mode, but not the hidden file? I can't find any of the files I deleted, so they aren't coming back, but the hidden file must still be there. If I find and destroy that, will it still work?

No one ever mentioned Killbox before, so I hope deleting them the regular way didn't make them hide further or something.

#4 Ed Brubaker

Posted 19 May 2004 - 03:25 PM

All right. I was wishing there was some way to check to see any files created at a specific time. I know exactly when I got infected, and I found two files in the SYSTEM32 file that were created within a minute of each other -- One is system32.dll and the other is I believe an .exe file, the blue DOS box and it's named appsys. Should I use Killbox on both of those?

#5 Ed Brubaker

Posted 19 May 2004 - 04:09 PM

Okay, well, I followed all your instructions, and got rid of those last two malicious files, then I did the reglite thing but the only thing that came up when I double-clicked in the value-name part was AppInit_DLLs, so I don't know what to do next.

But, getting rid of those last malicious files seemed to do the trick for now, at least. No more hijacks so far. Thanks.
