Greatsearch.biz and Dorkodrom.com

Discussion in 'adware, spyware & hijack cleaning' started by Hot Rod, May 7, 2004.

Thread Status:
Not open for further replies.
  1. Hot Rod

    Hot Rod Registered Member

    Joined:
    May 7, 2004
    Posts:
    3
    Hello,

    Thank you in advance for reading my post.

    I seem to have been hijacked by greatsearch.biz and friends. Based on my research on this forum and others, I believe that this may be (?) a variant of CWS. I have tried to resolve the problem independently, using combinations of the latest versions of Ad Aware, SpyBot and CWS--but with no success (I am missing something). Thus, I post my HijackThis log below:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:14:52 PM, on 5/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\user32.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\winupd.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\algd.exe
    c:\windows\svchost.exe
    C:\WINDOWS\System32\olehelp.exe
    C:\WINDOWS\vhchost.exe
    C:\Documents and Settings\BTF\My Documents\Downloads\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe
    F1 - win.ini: run=C:\WINDOWS\System32\services\y.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
    O4 - HKLM\..\Run: [Default Operation] C:\WINDOWS\vhchost.exe
    O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
    O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: Real.com (HKLM)
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://apps.aahs.org/wfica/wfica.cab

    I am sure that the dorkodrom and greatsearch items need to go, and I am pretty sure that at least one of the "F" items needs to go, but because I am new to this I am asking for assistance.

    Any replies would be greatly appreciated.
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Hot Rod,

    Have only HijackThis running and fix :

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe
    F1 - win.ini: run=C:\WINDOWS\System32\services\y.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
    O4 - HKLM\..\Run: [Default Operation] C:\WINDOWS\vhchost.exe
    O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
    O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe

    Restart PC after doing so in Safe Mode : Here's How and remove :

    C:\WINDOWS\System32\user32.exe <- this file
    C:\WINDOWS\System32\services\ <- this folder
    C:\WINDOWS\winupd.exe <- this file
    C:\WINDOWS\vhchost.exe <- this file
    C:\WINDOWS\SVCHOST.EXE <- this file NOTE : ONLY the one in the WINDOWS folder, NOT the one in SYSTEM32 folder, that one is legit!
    C:\WINDOWS\System32\olehelp.exe <- this file

    Clean temp internet files

    Restart again in normal mode

    Download and run this program for cleaning purposes :

    CWShredder

    Open -> 'fix' -> click 'next'

    Hope this helps

    Cheers,
     
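As an added illustration (not part of the thread or of HijackThis itself), a small Python triage pass over log lines like the ones above: it flags R0/R1 entries pointing at the two hijack domains, F0/F2 Shell= lines that load anything besides explorer.exe, a populated win.ini run=, and O4 autostarts that launch from the Windows root or run an svchost.exe outside System32, which is essentially the split Unzy made between the entries to fix and those to leave. The rules are this example's own heuristics and the sample lines are constructed from the first log.

```python
import re
# Indicators are taken from the thread's HijackThis logs; the triage rules
# below are this example's own heuristics, not logic from HijackThis itself.
HIJACK_DOMAINS = {"dorkodrom.com", "greatsearch.biz"}
SYSTEM32_ONLY = {"svchost.exe"}     # legitimate only under \System32
ROOT_OK = {"explorer.exe"}          # the one image expected in \WINDOWS itself
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s;]+)")

def run_target(body):  # path launched by an O4 entry, bracketed or '.lnk = path' form
    rest = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
    rest = rest.strip()
    return rest[1:].split('"', 1)[0] if rest.startswith('"') else rest

def triage(line):
    """Return a reason if a HijackThis log line looks hostile, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):  # IE start/search settings aimed at the hijacker
        hits = [h for h in URL_RE.findall(body) if h.lower() in HIJACK_DOMAINS]
        return f"IE setting points at {hits[0]}" if hits else None
    if sec in ("F0", "F2") and "Shell=" in body:  # Shell= must be explorer.exe alone
        shell = body.split("Shell=", 1)[1].split()
        return f"extra shell loaded with explorer: {shell[1]}" if len(shell) > 1 else None
    if sec == "F1" and "run=" in body:  # win.ini run= is empty on a clean XP box
        return "win.ini run= is populated: " + body.split("run=", 1)[1]
    if sec == "O4":  # autostart entries: known-name decoys or odd locations
        parts = run_target(body).lower().split("\\")
        exe, folder = parts[-1], (parts[-2] if len(parts) > 1 else "")
        if exe in SYSTEM32_ONLY and folder != "system32":
            return f"{exe} outside System32"
        if folder == "windows" and exe not in ROOT_OK:
            return f"run entry launching from the Windows root: {exe}"
    return None

def triage_log(text):  # (line, reason) for every flagged line, in log order
    return [(l.strip(), r) for l in text.splitlines() if (r := triage(l))]

# Constructed sample: a handful of lines copied from the thread's first log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe
F1 - win.ini: run=C:\WINDOWS\System32\services\y.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [Default Operation] C:\WINDOWS\vhchost.exe
"""
```

Running `triage_log(SAMPLE_LOG)` leaves the RealPlayer scheduler entry unflagged and reports the other five lines, matching the set Unzy told Hot Rod to fix.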
  3. Hot Rod

    Hot Rod Registered Member

    Joined:
    May 7, 2004
    Posts:
    3
    Unzy,

    Thank you for the reply. I followed all of your instructions exactly, but here is what happened:

    1. The windows\svchost.exe file could not be found to delete. I revealed all hidden file types, but it just was not there.

    2. The windows\olehelp.exe file could not be found to delete. I revealed all hidden file types, but it just was not there.

    3. The System32\user32.exe would not allow deletion; access was denied by Windows via the standard Windows deletion error.

    So, after following your advice, this was the log I had:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:29:43 PM, on 5/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\user32.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\windows\cvchost.exe
    C:\windows\dllhelp.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\BTF\Desktop\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\user32.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
    O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhelp.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: Real.com (HKLM)
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://apps.aahs.org/wfica/wfica.cab
    O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecurity/ActiveXTester/ActiveXTester.ocx

    Now, you can see that svchost.exe is not showing up, nor is olehelp.exe-- however, now we have cvchost.exe and dllhelp.exe. Frustrated, I did some renaming and managed to get rid of user32.exe and even cvchost.exe, but this did not solve the problem. FYI, I found an interesting file named mstaskss.exe in the C:\windows folder, and this file has the same icon as the former user32.exe.

    Anyway, I installed SWG and SWB on my system to prevent further changes to my system until I can get this resolved. Every 5 minutes or so, this new software advises me that something is attempting to change my homepage to dorkodrom.com.

    Here is the latest copy of a HJT log for my computer:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:24:06 PM, on 5/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\windows\dllhelp.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\BTF\Desktop\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capitalonline.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhelp.exe
    O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: Real.com (HKLM)
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://apps.aahs.org/wfica/wfica.cab
    O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecurity/ActiveXTester/ActiveXTester.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EF91D3BE-8F26-4B24-AE3B-A47DFE3CA7F1}: NameServer = 207.69.188.185 207.69.188.186

    All of your help is greatly appreciated.

    Best Regards
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Hot Rod,

    Bring up taskmanager and stop this process:
    dllhelp.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm

    O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhelp.exe
    O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe

    Then reboot into safe mode and delete:
    c:\windows\dllhelp.exe
    c:\windows\cvchost.exe

    Regards,

    Pieter
     
  5. Hot Rod

    Hot Rod Registered Member

    Joined:
    May 7, 2004
    Posts:
    3
    Pieter,

    Thank you for your reply. I will follow your instructions shortly to try to get rid of this problem. I do, however, have an additional related question. The windows folder contains two files, "loadnew.exe" and "mstaskss.exe" that seem unusual. The creation times and dates very closely approximate those associated with some of the files I deleted following Unzy's instructions (i.e., I think that they may be associated with or be part of my dorkodrom problem).

    I would appreciate any thoughts you or anyone else might have re: these files. In any event, I will follow your advice above and post a new HJT log when complete.

    Kindest Regards
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands