greatsearch.biz defeated!

#1 Ed Brubaker (Full Member, 13 posts)
Posted 19 May 2004 - 04:29 PM

Thankfully, I knew what time my system was compromised, and with everyone here and a few other places telling me where to look, I was able to delete all the right files after almost two days of searching. Here are the instructions that worked to find and delete the files:

If you haven't already identified the malicious DLL file that keeps generating these search pages, do so now:
1) Go to C:\WINDOWS\system32\
2) Go to View > Choose Details > and check the box that says "Created". This will allow you to arrange your icons by the date CREATED. The DLL file that infected my computer was created on May 13, 2004.
3) Now right-click and choose Arrange Icons > Created
4) Depending on whether your files are listed in reverse chronological order or not, the most recently created DLL files should either be at the top or bottom. If you remember when your problem started, then look for a file that was created on that day. Another hint is that when you hover over the malicious file, it usually has no company name or additional info and looks generally suspicious.
5) Once you've located this file, you'll need a program called KillBox to kill it, because it can't be deleted the regular way. If you have KillBox, type in the address of your malicious file (C:\WINDOWS\system32\nameofyourfile.dll) into the address bar, and then go to Action > Delete On Reboot.
6) A window will pop up. Go to File > Add File and your file should be added into the blank space. Then go to Action > Process and Reboot. A message will prompt you to reboot your PC. Reboot your PC as told and once that's over, your malicious file should be deleted.

7) BUT that's only the visible file. And the trick is that there is one remaining malicious file which is HIDDEN. It'll be somewhere in your System32 folder but you won't be able to see it, let alone know its name. To get round this, you'll need a program called Registrar Lite (see links below).
8) Download RegLite, then type this into the address bar at the top:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Once you've done that, a list of registry keys will come up. Double click on AppInit_DLLs and in the "value" field, you should see the name of your hidden malicious file like this - C:\WINDOWS\system32\nameofyourfile.dll
9) The next step is kinda tricky because I don't think what worked for me will necessarily work for you but anyway, give it a try. Note down the name of your malicious file, and look for it in C:\WINDOWS\system32. IF your hidden file is now visible, do what I did....

10) Right-click on your file and rename it from "nameofyourfile.dll" to "nameofyourfile.doc" (i.e. keep the filename so you can find it but change the DLL). You won't be able to change the attributes because your file is in read-only mode.
11) Once you've done that, go to your C drive, right-click and go to New > Folder. Give your folder a name, and I suggest you use the filename of your malicious file. So if your malicious file is called "ijmbwp.dll", call your folder "ijmbwp".
12) Go back to C:\WINDOWS\System32. Locate your file again, right-click then COPY and PASTE it into the new folder you've just created in step 11. Then press the "back" button, highlight that folder and move the whole thing into the recycle bin. Now empty your recycle bin. Your second malicious file should now be removed. But just to double check, go to Start > Search and type in the name of your file. If you find any files left with that name, delete them all.
13) Finally, run Spybot, Ad-Aware and HijackThis just to make sure you've deleted all the components associated with your trojan.
14) Your homepage should now be back to your own default, and the trojan should be gone. Some additional DLL files may have been created along with the two files you previously deleted but these can easily be removed from your System32 folder, but I'd recommend scanning your PC with a free virus scan from TrendMicro.

If none of that works, then maybe my solution doesn't apply to you but there are some helpful tips here anyway and I hardly think this problem is uniquely yours. In the meantime, get yourself an antivirus software (if you haven't already got one) and run Ad-Aware, Spybot, etc. at LEAST once a week.

BTW, keep in mind that anti-spyware programs and CWShredder will NOT remove the trojan from your computer. You really need to seek out those malicious DLL files and destroy them or else the problem will persist, one way or another.

Ad-Aware - http://www.lavasoftu...pport/download/
SpyBot - http://www.safer-networking.org/
Registrar Lite - http://www.resplendence.com/reglite
KillBox - http://download.broadbandmedic.com/
TrendMicro virus scan - http://housecall.trendmicro.com/


I didn't end up getting anything from the reglite scan, but Killboxing the last two malicious files appears to have done the trick. Just try to find out what time the services.exe file in SYSTEM32\CONFIG was created, and get rid of everything created in SYSTEM32 and SYSTEM32\CONFIG within a few minutes of that. All the Hijack This and Spybot and Adaware-ing got rid of remnants and stuff, but it just kept coming back before I got those last few files.
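A read-only way to do steps 2 to 4 and step 8 of the post above from a shell, added here as an example; it is not from the thread or from any of the tools it links, and it uses PowerShell, which the 2004 systems in this thread did not ship with. It lists every file in System32 (hidden ones included, which covers the "hidden" second file of step 7) created within a few minutes of a time you supply, shows the company name and signature status that the "hover over the file" hint relies on, and prints the AppInit_DLLs value. The infection timestamp and window size are assumed placeholders. It deletes nothing, so the list can be reviewed before anything is removed with the tools the post names.

```powershell
# Added example, not part of the original thread. Read-only: lists candidate
# files and the AppInit_DLLs value; removal is left to the reader's judgement.

function Get-Sys32CreatedNear {
    param(
        [Parameter(Mandatory)][datetime]$InfectionTime,      # assumed: the time you know the hijack happened
        [int]$WindowMinutes = 5,                             # assumed window, +/- minutes
        [string]$System32 = "$env:SystemRoot\System32"
    )
    $start = $InfectionTime.AddMinutes(-$WindowMinutes)
    $end   = $InfectionTime.AddMinutes($WindowMinutes)

    # -Force includes Hidden and System files that Explorer hides by default.
    Get-ChildItem -Path $System32 -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $start -and $_.CreationTime -le $end } |
        ForEach-Object {
            $vi = $_.VersionInfo
            [pscustomobject]@{
                Name        = $_.Name
                Created     = $_.CreationTime
                Hidden      = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                ReadOnly    = [bool]($_.Attributes -band [IO.FileAttributes]::ReadOnly)
                Company     = $vi.CompanyName        # blank for the bogus DLLs the post describes
                Description = $vi.FileDescription
                # Modern equivalent of "does the tooltip name a reputable company"
                Signature   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        } | Sort-Object Created
}

function Get-AppInitDlls {
    # Step 8 of the post: DLLs listed here are loaded into every process that
    # loads user32.dll, so any unexpected entry deserves a close look.
    # (This key exists on NT-based Windows; Windows 9x/ME has no such mechanism.)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($value)) { return '(empty)' }
    return $value
}

# Usage with an assumed timestamp; replace it with the time of your own infection.
Get-Sys32CreatedNear -InfectionTime (Get-Date '2004-05-13 14:00') -WindowMinutes 5 |
    Format-Table -AutoSize
Write-Host "AppInit_DLLs = $(Get-AppInitDlls)"
```

Genuine Windows components created by an update can land in the same time window, which is how the later post about deleting the wrong files from SYSTEM32\CONFIG and having to reinstall came about; a blank Company column plus an invalid or missing signature is a much stronger signal than the creation time alone.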

#2 Ed Brubaker (Full Member, 13 posts)
Posted 19 May 2004 - 05:46 PM

bump.

#3 totti (Full Member, 79 posts)
Posted 19 May 2004 - 05:56 PM

But I found these 3 files which changed at about that time (within 2 minutes):

appsys,
shimgvwr.dll
system32.dll


Which should I delete?

#4 nightwish519 (Full Member, 11 posts)
Posted 19 May 2004 - 06:25 PM

I'm deep in this Trojan mess, as you can imagine, so even though I posted this to you, I thought I'd better email as well.

What happens if you deleted the files the regular way, or in Safe Mode, but not the hidden file? I can't find any of the files I deleted, so they aren't coming back, but the hidden file must still be there. If I find and destroy that, will it still work?

No one ever mentioned Killbox before, so I hope deleting them the regular way didn't make them hide further or something.

I know exactly when I got infected, and I just found two files in the SYSTEM32 file that were created within a minute of each other at right around that time -- One is system32.dll and the other is I believe an .exe file, the blue DOS box and it's named appsys. Should I use Killbox on both of those?


Hidden or not hidden, ALL files associated with this Trojan must be destroyed. If, by the "regular way", you mean moving them to the recycle bin then I'm surprised you were able to do it at all because when I was infected, my files couldn't be deleted that way. I had to use KillBox. In short, I did nothing more than seek out those malicious files and destroy them all, so if you do the same, it'll probably be okay.

The thing with KillBox is that it doesn't seem to work on "hidden" files, and I had to use another method. Since the two files you mentioned probably can't be deleted the regular way, use KillBox. If that doesn't do the job, try renaming them (for example, from "system32.dll" to "system32.doc"), creating a new folder for both files in your C drive, and then moving both folders to your recycle bin. It worked for me so I hope it does for you. :)

But I found these 3 files which changed at about that time (within 2 minutes):

appsys,
shimgvwr.dll
system32.dll

Which should I delete?


Chances are you'll need to delete them all. Go to your system32 folder and locate those files. Hover over each file and if you don't see a description or company name, it's probably a bogus file generated by the trojan. If that's the case, delete all 3 with KillBox and if that doesn't work, rename them, create 2 new folders for them in drive C, COPY and PASTE these files into their respective folders, then move all 3 folders into your recycle bin and empty your bin.

#5 totti (Full Member, 79 posts)
Posted 19 May 2004 - 06:31 PM

OK
1. How can I be sure it's OK to delete all 3?
2. What does "hover over" mean?
3. Where should I see "description or company name"?
4. Is it possible to rename them?
5. Should I only make 2 new folders? For all 3?
6. appsys is not a .dll file and looks a bit like a Windows symbol, maybe that's an OK file?


And most of all, thanks for trying to help me!

#6 Ed Brubaker (Full Member, 13 posts)
Posted 19 May 2004 - 08:06 PM

Just delete them. They're the same ones I had, and they probably aren't the only ones. If you move your mouse pointer over the file and leave it there a second, a window will appear that tells you the properties of the file. If they don't say they're from Microsoft or some reputable company in that, then they're bad. Use KillBox on them.

I deleted most of my previous files in Safe Mode, so that may have made a difference, but KillBox had no problems at all.

#7 infected (Full Member, 9 posts)
Posted 19 May 2004 - 09:48 PM

Hello Ed:

You are my hero!!!!!

I did what you instructed and guess what? The monster is gone....forever I hope.

Thanks for posting that info, you have probably saved many folks. Now, if I go through this again, I'll know where to look, what to look for, and how to kill it.


Thanks again!!!!

#8 totti (Full Member, 79 posts)
Posted 20 May 2004 - 03:51 AM

bump

#9 totti (Full Member, 79 posts)
Posted 20 May 2004 - 04:29 AM

OK, now I used KillBox to delete the 3 files and it worked well, but when I used RegLite it didn't find any hidden files? But maybe I didn't have one, because now my start page is back to normal and hopefully now everything is all right!!

Big thanks Ed Brubaker!!!!!!!!!!!

#10 Redrock818 (New Member, 1 post)
Posted 20 May 2004 - 10:51 AM

Hey all, I followed the directions maybe a little too well and deleted those files (with KillBox) from around the time of corruption in system32/config..
and I found I deleted the ones necessary to start Windows.. so I reinstalled WinXP but want to get back my old settings and everything, is there just a way to get back those files and get rid of the new XP I installed?

#11 Ed Brubaker (Full Member, 13 posts)
Posted 20 May 2004 - 10:53 AM

I didn't find any hidden files either. You should be fine. Those were instructions for a similar hijacker from last week. The instructions came to me on another thread, from nightwish, actually. He saved my sanity, and I figured, if I could do this, with my lack of tech expertise, anyone could do it.

#12 Ed Brubaker (Full Member, 13 posts)
Posted 20 May 2004 - 10:54 AM

You learn so much about computers when shit like this takes over yours.

#13 infected (Full Member, 9 posts)
Posted 20 May 2004 - 12:18 PM

Man, this monster got me again just a couple of minutes ago. This time, I know what website it came from.

Followed the same instructions and PRESTO....the ugly thing is gone again.

Once you get the hang of correcting this problem, those nasty .DLLs stick out like a sore thumb. It's too kewl!!!!

Just wondering if those anti-spyware programs will really work in preventing this particular type of spyware from installing on my system again. Programs such as CWShredder, Spybot, Zerospyware, ZeroAds, etc... don't seem to catch this particular booger.

Fausto

#14 Ed Brubaker (Full Member, 13 posts)
Posted 20 May 2004 - 12:43 PM

I don't think they stop this one. It seems like it was invented specifically to go around them or something. It installs itself into your machine like a cookie, I think.

Upgrade your security setting to Medium High at least, or use Mozilla instead of IE and disable ActiveX on IE.

#15 infected (Full Member, 9 posts)
Posted 20 May 2004 - 01:07 PM

Ed:

I can't use anything other than IE because I use AOL. I do have my security settings set at medium-high, however I doubt this will do anything to stop this monster.

Anyways, now that I've got the hang of correcting this, I think I can deal with it, just have to be careful about what websites I go to I guess. I found this latest .DLL by monitoring the time I visited a couple of websites this morning. The .DLL stood out like a sore thumb. I noticed that it is coded? to IE(search)? I used "HijackThis" and there they were, saying BOO at me. I fixed them then went and grabbed "KillBox" and away the nasty booger went. Using Registrar Lite, I found his partner hiding. Followed your procedures and away that nasty little guy went.

Fausto

#16 jwrepost (Full Member, 5 posts)
Posted 20 May 2004 - 03:29 PM

Ed

Just want to express my thanks for your info on getting rid of greatsearch.biz. I battled this bitch for the past three days on my own, and it was only your instructions which finally rid me of it. Thanks again for taking the time and sharing the info.

Take care of yourself

J.W.

#17 halsadick (New Member, 1 post)
Posted 20 May 2004 - 04:00 PM

Me too. I followed your instructions and it worked. I had the same three files others mentioned:

appsys.exe
shimgvwr.dll
system32.dll

KillBox nailed them.

Note that you can get KillBox at: http://download.broadbandmedic.com/

#18 totti (Full Member, 79 posts)
Posted 20 May 2004 - 05:44 PM

-halsadick
Feels good you had the same 3 like I had.

-ed
Yes, one learns something about computers when shit like this happens. And most of all where to go to for help!

#19 jwrepost (Full Member, 5 posts)
Posted 20 May 2004 - 10:36 PM

bump

#20 totti (Full Member, 79 posts)
Posted 21 May 2004 - 04:33 AM

Now I wonder if I should remove these 3 too, found them in a config directory:

services
krnlbdge.dll
svchost

They were created at the same bad time....

Anyone?

#21 luckytexan (Full Member, 8 posts)
Posted 21 May 2004 - 02:13 PM

8) Download RegLite, then type this into the address bar at the top:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Once you've done that, a list of registry keys will come up. Double click on AppInit_DLLs and in the "value" field, you should see the name of your hidden malicious file like this - C:\WINDOWS\system32\nameofyourfile.dll


I'm running Windows Me. There is no "Windows" subdirectory under "CurrentVersion." I also looked under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" and tried the subdirectories there, but nothing. I'm not sure where else to look for the hidden file.

Having no luck with RegLite, I ran a search for "appsys.*, shimgvwr.dll, system32.dll", and came up with nothing. (I had already deleted system32.dll with KillBox, I was just being safe. Not sure if Search will find hidden files though.) Ran Ad-Aware and SpyBot S&D, fixing what they found, then ran HijackThis, and had it fix the items that listed "greatsearch.biz". I had to set IE's homepage manually, but it seems to be staying put.

Thanks, Ed.

#22 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 21 May 2004 - 02:21 PM

A grain of caution with this fix. If you determine the wrong file, your Windows will no longer work.
system32.dll is related to jksearch.biz and greatsearch.biz.
They load from the ShellServiceObjectDelayLoad key. It's visible in a StartupList.

Deleting the files takes care of it but there are still remnants left over in the registry.


AppInit only applies to Windows 2000 or Windows XP.

But I believe this one is not using AppInit anyway. It's definitely using the ShellServiceObjectDelayLoad key,
which is common to all operating systems.

Edited by shadowwar, 21 May 2004 - 02:23 PM.
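A read-only check for the key shadowwar names, added here as an example that is not part of the thread and not the StartupList tool he refers to. It walks the ShellServiceObjectDelayLoad entries, resolves each CLSID to the DLL registered under its InprocServer32 key (standard COM registration, looked up in both the machine and per-user Classes hives), and flags entries whose DLL no longer exists, which is exactly the registry remnant left behind after the file itself has been removed with KillBox. The signature check is a modern addition that the 2004 systems in this thread could not have run.

```powershell
# Added example, not part of the original thread. Read-only: reports entries,
# it does not edit the registry.

function Get-ShellServiceObjectDelayLoad {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return }

    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # skip PSPath, PSParentPath and friends
        $clsid = [string]$p.Value                        # each value holds a CLSID the shell loads at startup
        $dll = $null
        foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
            $srv = Get-ItemProperty -Path "$hive\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv) {
                # The (default) value is the DLL path, often with %SystemRoot%-style variables
                $dll = [Environment]::ExpandEnvironmentVariables([string]$srv.'(default)')
                break
            }
        }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        [pscustomobject]@{
            Entry      = $p.Name
            CLSID      = $clsid
            Dll        = $dll
            DllExists  = $exists
            Signature  = $sig
            # A dangling entry (DLL gone, key still present) is the "remnant"
            # shadowwar describes; an unsigned DLL that is still present is
            # worth the same scrutiny as the blank-company files in the first post.
            Suspicious = (-not $exists) -or ($sig -ne 'Valid')
        }
    }
}

Get-ShellServiceObjectDelayLoad | Format-Table -AutoSize
```

Entries whose CLSID resolves only through HKCU\SOFTWARE\Classes are worth a second look on their own, since per-user COM registration needs no administrator rights and is the less obvious of the two places a shell object can be registered.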




#23 nando (Full Member, 24 posts)
Posted 22 May 2004 - 08:01 AM

Thank you Mister Ed, I followed your instructions and the infection is gone. I only had to delete one file with KillBox, it was enough to clean the registry definitively.

#24 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 22 May 2004 - 08:15 AM

Run a StartupList, nando, and you will most likely still see the file in the registry.



#25 totti (Full Member, 79 posts)
Posted 22 May 2004 - 10:08 AM

Well, should I delete these 3 too?

services
krnlbdge.dll
svchost

#26 totti (Full Member, 79 posts)
Posted 22 May 2004 - 05:14 PM

bump

#27 luckytexan (Full Member, 8 posts)
Posted 24 May 2004 - 10:04 AM

Run a StartupList, nando, and you will most likely still see the file in the registry.


What is that? Shadowwar said that remnants are left in the registry if you only delete the system32.dll file. Should I be worried about that? If so, how do I get rid of it?

#28 nando (Full Member, 24 posts)
Posted 24 May 2004 - 10:39 AM

Well, Shadowwar was right. I made a query for "greatsearch.biz" in the registry with Registrar Lite and found in a users key a line "http://greatsearch.b...iz/dial.php", the one which downloaded a few viruses, pl.exe and xldl.exe. But after deleting system32.dll this line is inoperative, and I deleted it too.

#29 Subby (New Member, 1 post)
Posted 26 May 2004 - 09:53 AM

I created an account just to thank you for all this advice given to others. It was very helpful for me too. Keep up the good work! :-)

#30 Kerr_82 (Full Member, 11 posts)
Posted 29 May 2004 - 12:46 PM

Ed -

Thank you, thank you, thank you!!! I cannot say that enough!! I couldn't even get on to post after a while so the odds of me getting help were pretty slim. I couldn't post my log or anything. So with my own searching and with you posting how to get rid of the DLLs it's FINALLY gone! And I can finally get back into folders and everything. It took me nearly 6 days cos I've never had a virus or anything before and had NO idea what was going on... but I'm quite proud of myself for figuring a lot of it out, hehe.

Thank you again ****BIG HUGS****

Kerr
