Greatsearch.biz and Dorkodrom.com

Hot Rod · May 7, 2004

Hello,

Thank you in advance for reading my post.

I seem to have been hijacked by greatsearch.biz and friends. Based on my research on this forum and others, I believe that this may be (?) a variant of CWS. I have tried to resolve the problem independently, using combinations of the latest versions of Ad Aware, SpyBot and CWS--but with no success (I am missing something). Thus, I post my HijackThis log below:

Logfile of HijackThis v1.97.7
Scan saved at 9:14:52 PM, on 5/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\user32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\winupd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\algd.exe
c:\windows\svchost.exe
C:\WINDOWS\System32\olehelp.exe
C:\WINDOWS\vhchost.exe
C:\Documents and Settings\BTF\My Documents\Downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe
F1 - win.ini: run=C:\WINDOWS\System32\services\y.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Default Operation] C:\WINDOWS\vhchost.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://apps.aahs.org/wfica/wfica.cab

I am sure that the dorkodrom and greatsearch items need to go, and I am pretty sure that at least one of the "F" items needs to go, but because I am new to this I am asking for assistance.

Any replies would be greatly appreciated.

Unzy · May 8, 2004

Hi Hot Rod,

Have only HijackThis running and fix :

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe
F1 - win.ini: run=C:\WINDOWS\System32\services\y.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Default Operation] C:\WINDOWS\vhchost.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe

Restart PC after doing so in Safe Mode : Here's How and remove :

C:\WINDOWS\System32\user32.exe <- this file
C:\WINDOWS\System32\services\ <- this folder
C:\WINDOWS\winupd.exe <- this file
C:\WINDOWS\vhchost.exe <- this file
C:\WINDOWS\SVCHOST.EXE <- this file NOTE : ONLY the one in the WINDOWS folder, NOT the one in SYSTEM32 folder, that one is legit!
C:\WINDOWS\System32\olehelp.exe <- this file

Clean temp internet files

Restart again in normal mode

Download and run this program for cleaning purposes :

CWShredder

Open -> 'fix' -> click 'next'

Hope this helps

Cheers,

Hot Rod · May 9, 2004

Unzy,

Thank you for the reply. I followed all of your instructions exactly, but here is what happened:

1. The windows\svchost.exe file could not be found to delete. I revealed all hidden file types, but it just was not there.

2. The windows\olehelp.exe file could not be found to delete. I revealed all hidden file types, but it just was not there.

3. Th System32\user32.exe would not allow deletion, access was denied by windows via the standard windows deletion error.

So, after following your advice, this was the log I had:

Logfile of HijackThis v1.97.7
Scan saved at 2:29:43 PM, on 5/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\user32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\windows\cvchost.exe
C:\windows\dllhelp.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\BTF\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhelp.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://apps.aahs.org/wfica/wfica.cab
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecurity/ActiveXTester/ActiveXTester.ocx

Now, you can see that svchost.exe is not showing up, nor is olehelp.exe-- however, now we have cvchost.exe and dllhelp.exe. Frustrated, I did some renaming and managed to get rid of user32.exe and even cvchost.exe, but this did not solve the problem. FYI, I found an interesting file named mstaskss.exe in the C:\windows folder, and this file has the same icon as the former user32.exe.

Anyway, I installed SWG and SWB on my system to prevent further changes to my system until I can get this resolved. Every 5 minutes or so, this new software advises me that something is attempting to change my homepage to dorkodrom.com.

Here is the latest copy of a HJT log for my computer:

Logfile of HijackThis v1.97.7
Scan saved at 3:24:06 PM, on 5/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\windows\dllhelp.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\BTF\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capitalonline.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhelp.exe
O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://apps.aahs.org/wfica/wfica.cab
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecurity/ActiveXTester/ActiveXTester.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF91D3BE-8F26-4B24-AE3B-A47DFE3CA7F1}: NameServer = 207.69.188.185 207.69.188.186

All of your help is greatly appreciated.

Best Regards

Pieter_Arntz · May 10, 2004

Hi Hot Rod,

Bring up taskmanager and stop this process:
dllhelp.exe

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm

O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhelp.exe
O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe

Then reboot into safe mode and delete:
c:\windows\dllhelp.exe
c:\windows\cvchost.exe

Regards,

Pieter

Hot Rod · May 10, 2004

Pieter,

Thank you for your reply. I will follow your instructions shortly to try to get rid of this problem. I do, however, have an additional related question. The windows folder contains two files, "loadnew.exe" and "mstaskss.exe" that seem unusual. The creation times and dates very closely approximate those associated with some of the files I deleted following Unzy's instructions (i.e., I think that they may be associated with or be part of my dorkodrom problem).

I would appreciate any thoughts you or anyone else might have re: these files. In any event, I will follow your advice above and post a new HJT log when complete.

Kindest Regards

Pieter_Arntz · May 11, 2004

I think I know what that is.
To make sure download a trial of TDS-3 from http://tds.diamondcs.com.au/index.php?page=download
and update it following the instructions here:
http://tds.diamondcs.com.au/index.php?page=update
Then click System Testing > Full System scan.

I think mstaskss will be flagged as a Webdownloader.

Regards,

Pieter

Log in or Sign up

Greatsearch.biz and Dorkodrom.com

Hot Rod Registered Member

Unzy Registered Member

Hot Rod Registered Member

Pieter_Arntz Spyware Veteran

Hot Rod Registered Member

Pieter_Arntz Spyware Veteran

Log in or Sign up

Greatsearch.biz and Dorkodrom.com

Hot Rod Registered Member

Unzy Registered Member

Hot Rod Registered Member

Pieter_Arntz Spyware Veteran

Hot Rod Registered Member

Pieter_Arntz Spyware Veteran

Useful Searches