#1
Hi all!
Thanks for viewing my post. Here's the problem: my homepage is changed to greatsearch.biz. I get a message on a blue background saying "WARNING: SPYWARE DETECTED" and advising me to download a software to protect myself. I used HijackThis and the log is below:

Logfile of HijackThis v1.97.7
Scan saved at 02:34:21, on 23-Apr-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS13
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jump.altavista.com/start/ie4
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - (no file)
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\UPDATE.EXE /startup
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .midi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: Yahoo! Hearts - http://download.yahoo.com/games/clients/y/hr1_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...999.5535300926

I also found the following files on my C drive:
C:/windows/reg33.exe
c:/windows/msstasks.exe
C:/windows/mstaskss.exe
C:/windows/dl.exe <I tried but cannot delete: "file used by windows" message>
C:/windows/dlm.exe <I tried but cannot delete: "file used by windows" message>
C:/windows/dlm.htm
C:/windows/dl.htm
C:/windows/system/appsys.exe
C:/windows/system/lsd_f3.dll <I tried but cannot delete: "program perform illegal operation" message>

I would like to know if they should be deleted. Besides, I can't use IE, because when I click on a button in IE I get "invalid operation" and IE must close, so I am using another computer.
Thanks a lot for replying!
#2
Hi tim2004,
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - (no file)
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe

Download and run: http://www.spywareinfoforum.com/~mer...CWShredder.exe
Use the Fix button and follow the instructions you will receive.

Then reboot into safe mode and delete:
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:/windows/reg33.exe
c:/windows/msstasks.exe

How to disable the Teknum updater: http://www.handybits.com/update_service.asp

Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
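As an illustration of the triage Pieter did by eye on that log, here is an added Python snippet (not from this thread and not part of HijackThis) that parses a few constructed HijackThis-style lines and flags the three patterns his fix list targets: R0/R1 page values pointing at a host outside an assumed trusted set, O2 BHOs whose file is missing, and O4 autostart entries that launch an executable straight from the Windows directory. The TRUSTED_HOSTS set is an assumption a helper would adjust per user.

```python
import re

# Constructed sample of HijackThis-style lines like those in the thread (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jump.altavista.com/start/ie4
O2 - BHO: (no name) - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
"""

# Hosts the user actually wants as homepage/search provider (assumption; per-user list).
TRUSTED_HOSTS = {"g.msn.com", "jump.altavista.com", "uk.sports.yahoo.com"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Yield (kind, body) for every line that looks like an HJT entry."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def host_of(url):
    """Return the lower-cased host of an http(s) URL, or None."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else None


def flag_entries(text, trusted_hosts=TRUSTED_HOSTS):
    """Return (reason, entry) pairs for entries a helper would want to review."""
    findings = []
    for kind, body in parse_hjt(text):
        entry = f"{kind} - {body}"
        if kind in ("R0", "R1") and "=" in body:
            # R0/R1: IE start/search/default page values; flag unknown hosts.
            host = host_of(body.split("=", 1)[1].strip())
            if host and host not in trusted_hosts:
                findings.append(("start/search page set to untrusted host", entry))
        elif kind == "O2" and body.rstrip().endswith("(no file)"):
            # O2: a Browser Helper Object is registered but its DLL is gone.
            findings.append(("BHO registered but its file is missing", entry))
        elif kind == "O4":
            # O4: autostart entries; an .exe sitting in the Windows root is unusual.
            m = re.search(r"\]\s*(.+)$", body)
            target = m.group(1).strip() if m else ""
            if re.match(r"(?i)^c:\\windows\\[^\\]+\.exe$", target):
                findings.append(("autostart runs an executable from the Windows root", entry))
    return findings
```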
#3
Hi!
I followed the instructions and it seems that the problem has disappeared. I have posted a new HijackThis log again, just in case I may have missed something:

Logfile of HijackThis v1.97.7
Scan saved at 17:15:14, on 24-Apr-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jump.altavista.com/start/ie4
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.sports.yahoo.com/foot/engl/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jump.altavista.com/start/ie4
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.sports.yahoo.com/foot/engl/pl
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .midi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: Yahoo! Hearts - http://download.yahoo.com/games/clients/y/hr1_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...999.5535300926

Thanks a lot!
#4
Good job tim2004,
That is a clean log. Have a look here for some pointers on how to keep it that way: http://www.wilderssecurity.com/showthread.php?t=27971

Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.