Log Check Please (greatsearch.biz)

Discussion in 'adware, spyware & hijack cleaning' started by Buck, Jun 9, 2004.

Thread Status:
Not open for further replies.
  1. Buck

    Buck Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    1
    Hi;

    A friend of mine computer has got "greatsearch.biz" on her pc. Can you please review the following HiJackThis log and point me in the right direction? Thank you in advance - Bruce


    Oh! I ran Ad-Ware 6 prior to running HiJackThis.



    Logfile of HijackThis v1.97.7
    Scan saved at 11:26:03 AM, on 6/9/04
    Platform: Windows 98 Gold (Win9x 4.10.199:cool:
    MSIE: Internet Explorer v5.00 SP1 (5.00.3105.0105)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\REG33.EXE
    C:\WINDOWS\DL.EXE
    C:\WINDOWS\DLM.EXE
    C:\WINDOWS\WINUPD.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.EXE
    C:\PROGRAM FILES\3COM\MODEMMGR\PROGRAM\MDMMGR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\MY DOCUMENTS\DOWNLOAD\HIJACKTHIS1977.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terafinder.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terafinder.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.terafinder.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terafinder.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NetMouse] C:\GNET95\gmnet.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
    O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
    O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [dllhelp] c:\windows
    O4 - Startup: 3Com Modem Manager.lnk = C:\Program Files\3Com\ModemMgr\Program\mdmMgr.exe
    O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.41/1133cf00169817427701/netzip/RdxIE.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37664.5669097222
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/048f751dbbcc30456006/netzip/RdxIE601.cab
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Buck,


    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terafinder.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terafinder.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.terafinder.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terafinder.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/

    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
    O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
    O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe

    O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [dllhelp] c:\windows

    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.41/1133cf00169817427701/netzip/RdxIE.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/048f751dbbcc30456006/netzip/RdxIE601.cab
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US.cab

    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot into safe mode and delete:
    C:\WINDOWS\REG33.EXE
    C:\WINDOWS\DL.EXE
    C:\WINDOWS\DLM.EXE
    C:\WINDOWS\WINUPD.EXE
    C:\WINDOWS\svchost.exe <= NOT a Windows 98 file

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.