1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Searchmeup And Searchportal Hijack

Discussion in 'Virus & Other Malware Removal' started by johanschut, Sep 17, 2004.

Thread Status:
Not open for further replies.
  1. johanschut

    johanschut Thread Starter

    Joined:
    Sep 17, 2004
    Messages:
    1
    Hey, can please any body help me? I got a Hijack by http://www.searchmeup.com/search.php?aid=1057 (it will take me to an other website) and by http://www.searchportal.info/cjpartner2 (it will take me to an other website and it put links in the top of a website). They are very frustrating me and I hope that they can deleted.
    Ad-Aware SE Personal can not find it. I deleted in HijackThis all the R0 and R1 objects but they wil come back after I restart the compu. I am not sure what I can delete.
    PS: CWShredder v1.59.1 is always deleting -CWS.Yexe but it is coming back if I restart the compu.

    Thnx in advance


    Logfile of HijackThis v1.97.7
    Scan saved at 22:02:15, on 17-9-04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\WINDOWS\STARTER.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\WINDOWS\INETCJ2\SERVICES.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    C:\WINDOWS\WININET32.EXE
    C:\PROGRAM FILES\SPYWARE DOCTOR2.1\SPYDOCTOR.EXE
    C:\WINDOWS\RUNWIN32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\WINDIAL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\RUNWIN32.EXE
    C:\CHRISTIAN\DOWNLOADS (3-5-04)\HIJACKTHIS (9-5-04)\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    F1 - win.ini: run=C:\WINDOWS\INETCJ2\SERVICES.EXE
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetcj2\1.01.08.dll
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Taakcontrole] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [SystemBoot] C:\WINDOWS\wer.exe
    O4 - HKLM\..\Run: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
    O4 - HKLM\..\Run: [Key2] C:\WINDOWS\SYSTEM\lid.exe
    O4 - HKLM\..\Run: [SysCab] C:\WINDOWS\SYSCAB\SYSCAB.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [fupyf] C:\WINDOWS\fupyf.exe
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETCJ2\SERVICES.EXE
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
    O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
    O4 - HKCU\..\Run: [YAW Autostart] "C:\PROGRAM FILES\SCHUTZPROGRAMM\yaw.exe"
    O4 - HKCU\..\Run: [ieupdate] C:\WINDOWS\SYSTEM\MCPD2B5.EXE
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00084\GD-DIAL.EXE -remove
    O4 - HKCU\..\Run: [i6o2thc8v8] C:\WINDOWS\8JNMFXVGRW.EXE
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETCJ2\SERVICES.EXE
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR2.1\SPYDOCTOR.EXE" /Q
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
    O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
    O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
    O4 - Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://63.217.31.12/dial/058361nl.exe
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.98/058364nl.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...d2a17da00b23:4ff7baeb194429046b6c11329cd693ee
     
  2. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    Due to the length of these instructions, they might be separated into multiple posts!

    You may want to print out these instructions or save them to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    Please close all browsers and windows and have HijackThis fix these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
    F1 - win.ini: run=C:\WINDOWS\INETCJ2\SERVICES.EXE
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetcj2\1.01.08.dll
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [SystemBoot] C:\WINDOWS\wer.exe
    O4 - HKLM\..\Run: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
    O4 - HKLM\..\Run: [Key2] C:\WINDOWS\SYSTEM\lid.exe
    O4 - HKLM\..\Run: [SysCab] C:\WINDOWS\SYSCAB\SYSCAB.EXE
    O4 - HKLM\..\Run: [fupyf] C:\WINDOWS\fupyf.exe
    O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETCJ2\SERVICES.EXE
    O4 - HKLM\..\RunServices: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
    O4 - HKCU\..\Run: [SystemReg] C:\WINDOWS\SVCHOST.EXE run
    O4 - HKCU\..\Run: [ieupdate] C:\WINDOWS\SYSTEM\MCPD2B5.EXE
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00084\GD-DIAL.EXE -remove
    O4 - HKCU\..\Run: [i6o2thc8v8] C:\WINDOWS\8JNMFXVGRW.EXE
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETCJ2\SERVICES.EXE
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://63.217.31.12/dial/058361nl.exe
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.98/058364nl.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cabO16
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...b6c11329cd693ee


    Reconfigure Windows 98 to show hidden files:
    Double-click the My Computer icon on the Windows desktop.
    Click the View menu, and then click Folder Options. Select the View tab.

    In the Hidden files section select "Show all files".
    Uncheck the box next to "Hide file extensions for known file types".
    Click Apply, and then click OK.

    Boot into Safe Mode:
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
    To get back to normal mode just restart the computer as you normally would.

    Please delete these folders using Windows Explorer(if present):

    C:\Program Files\GlobalDialer
    C:\WINDOWS\inetcj2

    Please delete these files using Windows Explorer(if present):

    C:\WINDOWS\8JNMFXVGRW.EXE
    C:\WINDOWS\fupyf.exe
    C:\WINDOWS\runwin32.exe
    C:\WINDOWS\SVCHOST.EXE
    C:\WINDOWS\UPTODATE.EXE
    C:\WINDOWS\wer.exe
    C:\WINDOWS\wininet32.exe
    C:\WINDOWS\SYSTEM\wnsapicc.exe
    C:\WINDOWS\SYSTEM\lid.exe
    C:\WINDOWS\SYSTEM\MSZTCE.EXE
    C:\WINDOWS\SYSTEM\runonce.exe

    Now run CWShredder again. It should find some things and delete them.

    Now you can restart the computer normally.
    Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. :)
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/275159

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice