Help!! http://greatsearch.biz/ virus!!

Discussion in 'adware, spyware & hijack cleaning' started by sanj, May 20, 2004.

Thread Status:
Not open for further replies.
  1. sanj

    sanj Registered Member

    Joined:
    May 20, 2004
    Posts:
    10
    Location:
    England
    I've managed to be infected with the http://greatsearch.biz/ virus also. It is really annoying as I have tried everything.
    I have downloaded
    *Ad-aware 6.0
    *HijackThis
    *Spybot - Search & Destroy

    This is the log file..

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.e

    It would be really appreciated if someone was to tell me what to do next.
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi sanj,

    Have only HijackThis running and fix :

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.e

    Restart PC after doing so and download :

    CWShredder

    Open -> 'fix' -> click 'next'

    Hope this helps

    Cheers,
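As an added illustration (not part of the thread), the check below reads lines in the HijackThis log format posted above and flags the two patterns Unzy singled out: R0/R1 page settings pointing at greatsearch.biz, and O16 DPF entries whose source is a local file:// or ms-its: path rather than a web URL. The sample lines are constructed from the entries in this thread; the hijack host list and the "web-only DPF source" rule are this example's own assumptions, not HijackThis logic.

```python
import re

# Constructed sample in HijackThis log format, modelled on the entries posted
# in this thread (one hijacked start page, two local-file DPF loaders, benign rest).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.e
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
KNOWN_HIJACK_HOSTS = {"greatsearch.biz"}  # assumption: the host named in this thread
WEB_SCHEMES = ("http://", "https://")      # assumption: legitimate DPF sources are web URLs


def parse_entry(line):
    """Split 'R0 - ...' / 'O16 - ...' into (kind, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def flag_entry(kind, body):
    """Return a reason string if the entry looks like part of the hijack, else None."""
    if kind in ("R0", "R1"):
        # Start/Default/Local page values: flag when the URL host is a known hijack host.
        m = re.search(r"=\s*(\S+)$", body)
        if m:
            host = re.sub(r"^[a-z]+://", "", m.group(1), flags=re.I).split("/")[0].lower()
            if host in KNOWN_HIJACK_HOSTS:
                return f"IE page setting points to hijack host {host}"
    elif kind == "O16":
        # Downloaded Program Files should come from the web; a file:// or ms-its:
        # source means a local executable or CHM is being registered as an ActiveX object.
        src = body.rsplit(" - ", 1)[-1].strip()
        if not src.lower().startswith(WEB_SCHEMES):
            return f"DPF entry loads from non-web source: {src.split(':', 1)[0]}:"
    return None


def triage(log_text):
    """Return [(kind, reason, line)] for every flagged entry in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        reason = flag_entry(*parsed)
        if reason:
            findings.append((parsed[0], reason, line.strip()))
    return findings
```

Running `triage(SAMPLE_LOG)` returns the three entries Unzy told sanj to fix and leaves the ISP window title, the AVG run key and the Macromedia DPF entry alone.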
     
  3. sanj

    Hey..Unzy
    I've tried the method which you said, but it still wouldn't get rid of the infected files. The CWShredder doesn't find any files which are infected also. Could it be that the Hijackthis.exe is faulty?
    Is there another method to get rid of it?
     
  4. Unzy

    Not faulty, we're missing something, and it is not picked up by HT.

    Can you do a search for reg22.exe and reg33.exe via start -> search -> files/folders and let me know if one of those came up?

    Can you also please tell me what windows you have?

    Thnx!

    Cheers,
     
  5. sanj

    Hey

    I've done as you have said and it hasn't detected any of the files stated above.

    I have Windows 98 Second Edition

    Thnx! For the help!! Very much appreciated!!
     
  6. Unzy

    Ok,

    Can you download this program? :

    Startdreck.zip

    Unzip to folder

    DoubleClick: 'StartDreck.exe'
    Hit: config
    hit: Unmark all

    Check these boxes only:
    Registry -> run keys
    System/drivers -> Running processes

    hit >ok.

    Post the contents of the log here please

    Thnx!

    Cheers,
     
  7. sanj

    I've downloaded..

    Here is the log from the Startdreck

    StartDreck (build 2.1.5 public BETA) - 2004-05-20 @ 13:51:38
    Platform: Windows 98 SE (Win 4.10.2222 A)

    »Registry
    »Run Keys
    »Current User
    »Run
    *MessengerPlus2="C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    »RunOnce
    »Default User
    »Run
    *MessengerPlus2="C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadQM=loadqm.exe
    *AVG_CC=C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    *zBrowser Launcher=C:\Program Files\Logitech\iTouch\iTouch.exe
    *Installed=1
    *NoChange=1
    *Installed=1
    *Installed=1
    »RunOnce
    »RunServices
    *Avgserv9.exe=C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    *SchedulingAgent=mstask.exe
    *MessengerPlus2="C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    »RunServicesOnce
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FFEF1D9B=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFFC907=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFFDEB7=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFFE47F=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFFF357=C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    *FFFF8B87=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFE43B7=C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
    *FFFE11DF=C:\WINDOWS\EXPLORER.EXE
    *FFFD5A07=C:\WINDOWS\SYSTEM\RNAAPP.EXE
    *FFFD0083=C:\WINDOWS\SYSTEM\TAPISRV.EXE
    *FFFC57CB=C:\WINDOWS\TASKMON.EXE
    *FFFC64FF=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFFC1633=C:\WINDOWS\LOADQM.EXE
    *FFFCCA6F=C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    *FFFCECE3=C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
    *FFF97863=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFFB0693=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    *FFFACBA3=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FFFA8033=C:\WINDOWS\SYSTEM\MDM.EXE
    *FFFAD74F=C:\WINDOWS\TEMP\STARTDRECK.EXE
    »Application specific
     
  8. sanj

    Any help??
     
  9. Unzy

    Hi,

    Restart PC in Safe Mode : Here's How and remove :

    C:\WINDOWS\SYSTEM\SYSTEM32.DLL <- this dll

    Then open HijackThis and fix all greatsearch entries again

    Open registry :

    start -> run -> type regedit and press enter

    press ctrl+f

    in the find box type greatsearch and press enter

    rightclick + delete all entries found

    press F3 to find next

    When done close registry and clean temp internet files

    Restart again in normal mode

    Update IE asap at windowsupdate.com

    Finally you can merge this quote with the registry :

    Open notepad and copypaste quote into it :

    hit save as
    give it the name clear.reg
    under the filename set file types to all files.
    save it to the desktop.

    After done double click the clear.reg
    when asked to merge say yes

    Hope this helps

    Cheers,
     
  10. sanj

    Hey Unzy

    I did the methods for the first stage of deleting C:\WINDOWS\SYSTEM\SYSTEM32.DLL <- this dll.. but I couldn't find it. So should I carry on to do the instructions stated below this one?

    Thnx
     
  11. sanj

    Ok I merged the files from below but didn't do the first steps.. is that ok?
     
  12. Unzy

    Well you should know if you're still hijacked

    But do a search via start -> search -> files/folders for this file :

    SYSTEM32.DLL

    Cheers,
     
  13. sanj

    Yes I found the file.. Should I delete it now in normal mode?
     
  14. Unzy

    Yes please delete it

    Then if you still see any entries left pointing to greatsearch fix those with hijackthis

    Hope this helps

    Cheers,
     
  15. sanj

    I've done it.. I think I am rid of the virus.. I have posted the log below.. Could you confirm that it is gone from the log?

    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    D:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38128.2596180556

    Thanks
     
  16. Unzy

    Yea YOU have done it!

    Looks clean again

    Fix these as well :

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

    Hope all is well again

    Cheers,
     
  17. sanj

    Thank You sooo MUCH!!
     
  18. Unzy

    You're welcome

    Glad we were able to help

    Take care

    Cheers,
     