Web browser hijacked by Trojan.Bookmarker - please help

cdjones

Junior Member
May 25, 2003
13
0
0
I believe my notebook computer has been hijacked by an advertising trojan virus. (I have an HP Pavilion notebook computer, 1.8 GHz P4 and 512 MB DDR RAM, running Windows XP. Browser is Explorer 6.) Norton notified me of the infection, but by then it was too late. The trojan has changed my homepage to a search engine called www.motor-search.com. It has also put bookmarks on my desktop and in my favorites. I ran Spybot and removed it, but it relaunches every time Windows is started. My question is how to hack the registry to delete the thing. I see Symantec has a Trojan.Bookmarker section, but that is for a trojan that installs a start page called Webcoolsearch.com. Would the instructions be the same? Or are the removal steps specific to the trojan that one has? Any help would be greatly appreciated! Thank you!

 

Slowlearner

Senior member
Mar 20, 2000
873
0
0
Download AVG's free antivirus software (from a different computer) and run it on your notebook. It should find and kill the virus.
 

imported_Phil

Diamond Member
Feb 10, 2001
9,837
0
0
Google for CWShredder; this should remove CoolWebSearch if you have it. Failing that, do as Slowlearner suggested and get yourself AVG Free Edition or Avast! 4 Home Edition and nuke that little blighter.
 

cdjones

Junior Member
May 25, 2003
13
0
0
Thanks to all who have responded... Below is a copy of my HijackThis scan. If I delete the correct items in the scan, will this kill it, or will it again be regenerated when Windows starts? Spybot and Ad-Aware both said it was gone, only for it to return upon boot-up. I need a pro to look below and tell me what to delete to make this nightmare go away!!! Thanks in advance!

Logfile of HijackThis v1.97.7
Scan saved at 12:48:03 PM, on 4/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\RadioSvr.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\Windows\system32\HpSrvUI.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.motor-search.info/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.motor-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.motor-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.motor-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.motor-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.motor-search.info/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.motor-search.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.motor-search.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.motor-search.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.motor-search.info/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.motor-search.info/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\DOWNLO~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {6BB8F8F1-EFD5-45A0-87BA-74A0E7AFD10B} - (no file)
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\Owner\Application Data\iebs.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All by FlashGet - C:\Downloads\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Downloads\FlashGet\jc_link.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/13c85f28be0873db6b19/netzip/RdxIE2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.8995833333
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD5BC9CE-B1C1-4A9E-B17A-A69C997F96E2}: NameServer = 204.127.202.4,216.148.227.68
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

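Triage of a log like the one above, as an added example (not from the thread, and not part of HijackThis): a Python pass over a constructed subset of these lines that flags R0/R1 start/search pages pointing at a host outside a known-good set, O4 Run values whose name mimics a system file or that launch a binary from the user profile, and O6/O19 entries. The KNOWN_GOOD_HOSTS set is an assumption about this owner's expected defaults.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines quoted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.motor-search.info/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.motor-search.info/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\Owner\Application Data\iebs.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O19 - User stylesheet: C:\WINDOWS\sstyle.css
"""

# Assumption: the hosts the owner expects IE to use (HP OEM default from the log, Microsoft).
KNOWN_GOOD_HOSTS = {"srch-us4nb.hpwis.com", "www.microsoft.com"}
ALWAYS_FLAG = {"O6": "IE restriction policies present", "O19": "user stylesheet forced on every page"}

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

def exe_path(cmd):
    """Executable from an O4 command line, with surrounding quotes and arguments removed."""
    m = re.match(r"(.*?\.exe)", cmd.strip().lstrip('"'), re.IGNORECASE)
    return m.group(1) if m else cmd.strip()

def triage(log_text):
    """Return (section, reason, line) for each HijackThis line that deserves a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind in ("R0", "R1") and " = " in rest:
            host = urlparse(rest.rsplit(" = ", 1)[1]).hostname or ""
            if host not in KNOWN_GOOD_HOSTS:
                findings.append((kind, f"start/search page set to unexpected host {host}", line))
        elif kind == "O4" and (run := RUN_RE.search(rest)):
            name, path = run.group("name"), exe_path(run.group("cmd"))
            # Value named like a system file but launching something else: classic disguise.
            if name.lower().endswith(".dll") and not path.lower().endswith(name.lower()):
                findings.append((kind, f"Run value {name!r} launches unrelated binary {path}", line))
            # Autostart binaries living in the user profile rather than Program Files.
            if "\\documents and settings\\" in path.lower():
                findings.append((kind, f"Run value starts a binary from the user profile: {path}", line))
        elif kind in ALWAYS_FLAG:
            findings.append((kind, ALWAYS_FLAG[kind], line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags both motor-search start pages, the `[system32.dll]` value that launches systeminit.exe (the entry the thread eventually identified), the iebs.exe autostart in Application Data, and the O6/O19 lines, while leaving the HP default search bar and the Symantec ccApp entry alone.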
 

cdjones

Junior Member
May 25, 2003
13
0
0
Ok, so far I've tried Spybot and Ad-Aware (both detect and delete the thing, but it comes back on reboot), CWShredder (does not detect), CWS Smart Killer removal tool (does not detect), HijackThis (detects; see log above), AVG and Norton (both do not detect). Also ran SpywareBlaster, although I think this is more of a preventive measure. This spyware/trojan is the devil and I want it gone!! Can anyone look at the log report from HijackThis and tell me what to delete to get rid of this thing? ARRRGGHH!!!! Thanks in advance!
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Two suggestions:

1) disable System Restore and delete all System Restore files, so Windows doesn't maintain a stash of infected files for it to hide in (here's how). Afterwards, run your scans again. Make sure there are NO files or filetypes exempt from the scan.

2) find the folder where this thing lives, delete the contents, but leave the folder. You may need to enable viewing of hidden and system files, including operating-system files, in order to reveal it. Assuming your hard drive uses the NTFS file system, right-click the folder, go to the Security tab, and remove ALL permissions to it. Now your pet will be thwarted by the existence of a non-enterable folder right where it wants to go. :evil:
 

cdjones

Junior Member
May 25, 2003
13
0
0
Turns out this was the problem: HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe. Now it's gone, and so is my trojan!! I wish to thank everyone who gave their input!
 