Searchmeup And Searchportal Hijack

[johanschut]

Hey, can please any body help me? I got a Hijack by http://www.searchmeup.com/search.php?aid=1057 (it will take me to an other website) and by http://www.searchportal.info/cjpartner2 (it will take me to an other website and it put links in the top of a website). They are very frustrating me and I hope that they can deleted.
Ad-Aware SE Personal can not find it. I deleted in HijackThis all the R0 and R1 objects but they wil come back after I restart the compu. I am not sure what I can delete.
PS: CWShredder v1.59.1 is always deleting -CWS.Yexe but it is coming back if I restart the compu.

Thnx in advance


Logfile of HijackThis v1.97.7
Scan saved at 22:02:15, on 17-9-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\STARTER.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\INETCJ2\SERVICES.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\WININET32.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR2.1\SPYDOCTOR.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\CHRISTIAN\DOWNLOADS (3-5-04)\HIJACKTHIS (9-5-04)\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F1 - win.ini: run=C:\WINDOWS\INETCJ2\SERVICES.EXE
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetcj2\1.01.08.dll
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Taakcontrole] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [SystemBoot] C:\WINDOWS\wer.exe
O4 - HKLM\..\Run: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
O4 - HKLM\..\Run: [Key2] C:\WINDOWS\SYSTEM\lid.exe
O4 - HKLM\..\Run: [SysCab] C:\WINDOWS\SYSCAB\SYSCAB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [fupyf] C:\WINDOWS\fupyf.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETCJ2\SERVICES.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
O4 - HKCU\..\Run: [YAW Autostart] "C:\PROGRAM FILES\SCHUTZPROGRAMM\yaw.exe"
O4 - HKCU\..\Run: [ieupdate] C:\WINDOWS\SYSTEM\MCPD2B5.EXE
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00084\GD-DIAL.EXE -remove
O4 - HKCU\..\Run: [i6o2thc8v8] C:\WINDOWS\8JNMFXVGRW.EXE
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETCJ2\SERVICES.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR2.1\SPYDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://63.217.31.12/dial/058361nl.exe
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.98/058364nl.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...d2a17da00b23:4ff7baeb194429046b6c11329cd693ee

 

[LineOFire]

Due to the length of these instructions, they might be separated into multiple posts!

You may want to print out these instructions or save them to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Please close all browsers and windows and have HijackThis fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
F1 - win.ini: run=C:\WINDOWS\INETCJ2\SERVICES.EXE
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetcj2\1.01.08.dll
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [SystemBoot] C:\WINDOWS\wer.exe
O4 - HKLM\..\Run: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
O4 - HKLM\..\Run: [Key2] C:\WINDOWS\SYSTEM\lid.exe
O4 - HKLM\..\Run: [SysCab] C:\WINDOWS\SYSCAB\SYSCAB.EXE
O4 - HKLM\..\Run: [fupyf] C:\WINDOWS\fupyf.exe
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETCJ2\SERVICES.EXE
O4 - HKLM\..\RunServices: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
O4 - HKCU\..\Run: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
O4 - HKCU\..\Run: [ieupdate] C:\WINDOWS\SYSTEM\MCPD2B5.EXE
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00084\GD-DIAL.EXE -remove
O4 - HKCU\..\Run: [i6o2thc8v8] C:\WINDOWS\8JNMFXVGRW.EXE
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETCJ2\SERVICES.EXE
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://63.217.31.12/dial/058361nl.exe
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.98/058364nl.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cabO16
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...b6c11329cd693ee


Reconfigure Windows 98 to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Click the View menu, and then click Folder Options. Select the View tab.

In the Hidden files section select "Show all files".
Uncheck the box next to "Hide file extensions for known file types".
Click Apply, and then click OK.

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
To get back to normal mode just restart the computer as you normally would.

Please delete these folders using Windows Explorer(if present):

C:\Program Files\GlobalDialer
C:\WINDOWS\inetcj2

Please delete these files using Windows Explorer(if present):

C:\WINDOWS\8JNMFXVGRW.EXE
C:\WINDOWS\fupyf.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\UPTODATE.EXE
C:\WINDOWS\wer.exe
C:\WINDOWS\wininet32.exe
C:\WINDOWS\SYSTEM\wnsapicc.exe
C:\WINDOWS\SYSTEM\lid.exe
C:\WINDOWS\SYSTEM\MSZTCE.EXE
C:\WINDOWS\SYSTEM\runonce.exe

Now run CWShredder again. It should find some things and delete them.

Now you can restart the computer normally.
Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan.