Motor-Search Hijack - (Hijackthis log)

Discussion in 'adware, spyware & hijack cleaning' started by Ron Vanh, Apr 19, 2004.

Thread Status:
Not open for further replies.
  1. Ron Vanh

    Ron Vanh Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    2
    Hi Folks:

    Have noticed some other threads here with the same issue as I have so I looked around and did the things suggested:

    ran Adaware 6 (with the suggested settings)
    ran Spybot S&D and fixed any problems
    then ran Hijackthis in scan mode and have the results.

    I appreciate the help to advise what to fix

    One other not I tried to remove the Java Virtual Machine that seems toi have been the doorway in for the problem but I was unable to install since it indicated I was missing an .inf file. I then went to the Microsoft update site and installed all the suggested critical patches

    Thanks a bunch!

    Logfile of HijackThis v1.97.7
    Scan saved at 12:52:46 PM, on 4/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\OfficeScan NT\ntrtscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\OfficeScan NT\tmlisten.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\Program Files\OfficeScan NT\ofcdog.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Atiptaxx.exe
    C:\Program Files\OfficeScan NT\Pccntmon.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Infotriever\Agent\infoclient.exe
    C:\Program Files\Palm\Downloads\Books\MBP\webcomp.exe
    C:\Documents and Settings\rvanhuuksloot\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.motor-search.info/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.motor-search.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.motor-search.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.motor-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.motor-search.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.motor-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.motor-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.motor-search.info/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = Proxy.sts.siemens.com:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

    intra.*;*.siemens.de;*.sts.siemens.com;scd*.siemens.*;metroinmotion.ridemetro.org;<local>;*.ts.siemens.de;*pc*.ps*;

    ez-x.ssl.siemens.com;prora2*;web1.e-travel.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://intra.sts.siemens.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://intra.sts.siemens.com/
    O1 - Hosts: 216.200.3.38 altavista.com
    O1 - Hosts: 216.200.3.38 www.altavista.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

    6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [DirXconnect settings] C:\PROGRA~1\SIEMENS\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\Pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [zsysdll32.dll] C:\WINNT\system\sysdll32.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
    O4 - Startup: Mobipocket Web Companion.lnk = C:\Program Files\Palm\Downloads\Books\MBP\webcomp.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma

    Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Sametime Meeting Room Client ST30SP1 -

    http://collaborations.pg.siemens.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

    http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) -

    http://collaborations.pg.siemens.com/sametime/STMeetingRoomClient/STJNILoader.cab
    O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) -

    http://download.infotriever.com/bin/ifhelper.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

    http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sts.siemens.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sts.siemens.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sts.siemens.com
    O19 - User stylesheet: C:\WINNT\winstyle.css
    O19 - User stylesheet: C:\WINNT\winstyle.css (HKLM)
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    First download CWshredder from First download CWshredder from https://www.wilderssecurity.com/showthread.php?t=14086

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.motor-search.info/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.motor-search.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.motor-search.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.motor-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.motor-search.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.motor-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.motor-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.motor-search.info/search.html
    O1 - Hosts: 216.200.3.38 altavista.com
    O1 - Hosts: 216.200.3.38 www.altavista.com
    O4 - HKLM\..\Run: [zsysdll32.dll] C:\WINNT\system\sysdll32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O19 - User stylesheet: C:\WINNT\winstyle.css
    O19 - User stylesheet: C:\WINNT\winstyle.css (HKLM)


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINNT\winstyle.css
    C:\WINNT\system\sysdll32.exe

    Now Run Cwshreddder
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.


    Reboot After running cwshredder and as soon as possible follow this advice:
    Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    then
    Reboot normally & post a new log to check
     
  3. Ron Vanh

    Ron Vanh Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    2
    Thanks a lot for the very speedy reply!

    Did as suggested (had a problem with safe mode since I needed Safemode with Network in order to log on to my computer) once I had that undercontrol all went fine. Thanks from California ! :cool:

    Here's the log after the fixes:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:49:55 PM, on 4/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\OfficeScan NT\ntrtscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\OfficeScan NT\tmlisten.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\Program Files\OfficeScan NT\ofcdog.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Atiptaxx.exe
    C:\Program Files\OfficeScan NT\Pccntmon.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Infotriever\Agent\infoclient.exe
    C:\Program Files\Palm\Downloads\Books\MBP\webcomp.exe
    C:\Documents and Settings\rvanhuuksloot\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Http://intra.sts.siemens.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = Proxy.sts.siemens.com:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://intra.sts.siemens.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://intra.sts.siemens.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [DirXconnect settings] C:\PROGRA~1\SIEMENS\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\Pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
    O4 - Startup: Mobipocket Web Companion.lnk = C:\Program Files\Palm\Downloads\Books\MBP\webcomp.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Sametime Meeting Room Client ST30SP1 - http://collaborations.pg.siemens.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - http://collaborations.pg.siemens.com/sametime/STMeetingRoomClient/STJNILoader.cab
    O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.infotriever.com/bin/ifhelper.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sts.siemens.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sts.siemens.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sts.siemens.com



    Thanks
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi Ron Vanh,

    Your log is clean now. Your problems should be fixed.

    Regards,
    Kent
     
Thread Status:
Not open for further replies.