Can't get rid of www.searchportal.info/10039

This is the first time I have posted a thread in the need of assistance, so please forgive me if I did something incorrectly. I have followed the instructions on what to do prior to posting a thread. I downloaded the recommended tools and used the other listed tools to try and get rid of the searchportal.info/10039 hijacker. It keeps coming back. I need further assistance, please help.

What is found through Spybot, As-Aware SE, CWshredder always show up in fuutre scans as if they were not removed. I have found CWS.Yexe but can't remove it permanently. As I said, I followed all instructions, but the problem of my home page being redirected to a different home page keeps coming back. I ran the tools in safe mode, (Ad-Aware SE - I immunized, VX2 plug in, CC cleaner, Spybot, Spyware Blaster, Avert Stinger, CW shreeder, Kiil2me, aboutBuster, HS Remove, Housecall, Trojan scan, Bit Defender) but I was unable to connect to the internet in safe mode so I needed to do some of them in normal mode (Trend Micro, Symantec Security check). I checked for all udpates prior to running the programs.

Here is what I found with the scans:
Stinger: nothing
Ad-Aware: 1 registry keys identified
42 registry vlaues identified
Spybot: coolwebsearch.Yexe
Error: cabrotorDatie C:\windows\win.ini karm nicht geoffnet
weiden Process cannot access because it is being used by
another process
CWshredder: nothing found but it has had CWS.Yexe before
Kill2Me: nothing
about Buster: No ADS. Removed C:\windows\System 32\nthst.dll
Housecall: found and deleted - C:\windows\system 32\teknet.exe tmp
Trojan scan: nothing
Bit Defender: showed some trojans but I was not able to figure out how to delete.

I have downloaded HJT, but have not run. I did read the instructions on this program.

I hope I followed your instructions carefully and I am know in need of further assistance to remove searchportal.info. I have been able to remove other hijackers in the past using info on your site but now can't get rid of this one.

What can you advise for me to do now. Waiting your reply.

My system has XP Pro, 2.6 pentium processor, 1Gig of DDR Ram, 160 Gig HD. I have the free version of Zone Alarm running. On boot up I get a WINlogin.exe waning seeking access, I always deny this. I also have Norton Corporate Edition anti-virus and file definitions are up to date. I downloaded a free trial of Spy subtract. Venus flytrap is enabled.

Please help and thanks for such a great web site. I have told many other people about Major Geeks, very impressive and helpful.

 

Hi PJ,

It looks like you've pretty much exhausted the Tutorial's options.
Please go ahead and send us a HijackThis Log.

Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis

If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

Send us a log and we'll go from there I'll try to check back when I get a chance - That's likely to be tomorrow evening, though.

Best,
PP

 

PP, thanks for the quick reply. I hope I have followed your instructions carefully. I have the latest version of HJT. Ran a log. One thing to note was that I could not get Norton to close in the sytsem tray or my ATI graphics icon. I hope I have saved the HJT log correctly as a txt file. I feel I have not.

I saved it in a program file and am attaching it. Let me know what I need to do again, differtnly or next to solve the problem with seachportal. info.

Thanks.

 

Hi Pj,

You still had quite a bit running, including IE - we'll deal

Please download this tool: http://www.cexx.org/lspfix.zip

I'll get back to you tomorrow.

PP

 

please note the read me .txt that comes with the software

 

Thnx, jarcher - But I never said to run it In fact, as Chas noted, I overreacted to the 010s.

Chas - Thanks & have a safe trip!

PJ - Please follow Chaslang's instructions and then attach a fresh log. I'll try to check back tonight.

PP

 

I didn't look at the log, i just wanted that in there
just in case of a mis-communication, I should have said not to run it.
my bust. . . .
but I learned the hard way!!!

 

Well, I followed the instructions from Chas and the hijacker is still there. Other things have shown up as well. Now when I visit the Major Geeks site and try to access this site and/or I find I can't access the threads. I get an error and then Internet Explorer shuts down. There is also a seach tool bar at the top of your website. I am accessing your site from a different PC. This toolbar is on other webpages as well, but not everyone. It is on yahoo.com.

As for the feedback on the directions from Chas this is what I found. In Task Manager Og.exe was not present. I ended runner.exe. I was not able to end winlogon.exe. Received a message saying this was a critical system process and it could not be ended.

Did the fixes in HJT. Booted in safe mode. System restore has been shut off and hidden files enabled. C:\WINDOWS\inetdata\winlogon.exe folder also showed the following: Configuration setting icons for crontab.ini, keyword.ini, titles.ini, id.ini. They all were created on the same date and time, 11/9/04, 10:42pm. This is about the time I started experiencing problems with the hijacker. Also present in the folder was services.exe icon. Created 10/17.
Also, I changed runner.exe to runner.bad.exe.

When rebooting after all this in normal mode I received errors on boot up as desktop was loading. C:/windows/inetdata/winlogon.exe cannot find. Then a Desktop warning that windows could not load or run same as above.

I then shut all browsers and what was in the system tray and ran HJT. As it completed a dialer popped up and then a web page appeared and an icon was placed on the desktop. I traced it to C: Program Files\websiteviewer\.

So, now I have a few more problems than before. What is the deal with no longer being able to review threads on Major Geeks and what do I do next?

I have attached the latest HJT log.

Need some assistance, please

 

Here is another update to my latest situation. I ran SPybot, Ad-Aware SE, CWSHredder again in normal mode and that took care of the toolbar thing and the inability to access your site. I still found that the original problems were still there as I described in my first post. The tools find them and delete or fix but then they come back again. The CWS.Yexe is always being found and coming back.As well as the searchportal.info homepage.

I think this all started when I upgraded to a newer version of ZoneAlarmFree. ZOne Alarm shuts down and then I get an infulx of viruses. Same thing happened today when I accessed the internet after running HJT. I had not turned Zone Alarm back on.

Not sure this helps in resolution, but it is the latest in my quest for a clean system.

 

Hi PJ,

Look in Add or Remove Programs fo any strange entries (toolbars, etc. . .) and let me know what you find.

You must be careful with winlogon - it is a legitimate process, only not from where it is running in your log.

New Instructions:

Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

NOW:
Open HijackThis and look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\inetdata\winlogon.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

Stay in safe mode and scan with HijackThis again. Check the boxes for the following:
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

Make sure All Browser Windows are Closed when you Click FIX.

Now, Navigate to C:\WINDOWS\inetdata and DELETE the entire folder.

Reboot to Normal Windows and Scan with HijackThis and attach that log. Again, update us on any problems.

*** I missed your last post since we posted at about the same time. Try the above instructions and attach another log. If you see a Searchportal entry in HJT, FIX it as well.


Best luck
PP

 

PP, did as instructed to the letter. Still have the searchportal.info/10039 hijacker.

I have attached the HJT log. When I scanned and fixed in Safe Mode (ALL browser windows were closed) I did find a R0 searchportal reference, it was the first line, I checked it. Another thing of note was on the F3, and 04's you said to fix they ended in "inetdata\services.exe".

I deleted the inetdata folder and then emptied the recycle bin before rebooting.

In normal mode I did a scan with CCLeaner, Ad-AwareSE, CWShredder and Spysubtract. Ad-Aware found 44 critical items most referenced as CoolWebSearch. Same ones I have had in previous scans. I removed them again and then scanned again and they were not found, but I expect them to return in a future scan. CWShredder found CWS.Yexe. Spybot found CWS.Yexe again and that Cabrotor error that I mentioned in a previous post again. Spysubtract found 4 things, 3 coolwebsearch.

In Ad-Aware SE the log references HKEY_current user.software'microsoft/ windows\... malware coolwebsearch findings, several of them, 40+. These are the ones that keep coming back in future scans.

No zone alarm access warnings anymore, which is progress.

Task Manager showed the following. I am not sure what these are so I will list several.
services.exe (2), vsmon.exe, RcMan.exe, CTSSVCCDA.exe, scardsvk.exe, spoolsv.exe, EM_exec.exe, svchost.exe (5), jusched.exe, IAAnotif.exe, LVcom.exe, RxMond.exe, Isass.exe, winlogon.exe, csrss.exe, smss.exe. There were many others, but only a few others that I didn't know what they were.

What do we try next?

 

Hi PJ,

What are the symptoms of searchportal.info/10039 ?

What does this do - Google Desktop Search Capture? I'm not familiar with it.

I do not see any evidence of CWS in you log. I know that Intermute seems to be having a few issues with false positives lately. But that doesn't explain the Ad-aware result.

Reboot to Normal Windows and scan with HJT and attach that log.
Also scan with Ad-aware and attach that log as well.

And. . . We'll go from there. It's getting late, so I probably won't be able to get back to you until tomorrow evening. Hopefully we'll get to the bottom of this!

Best

PP

 

My tiny brain must be sleep-deprived!!

The CWS.Yexe was that Inetdata folder that you deleted. It should be gone. Your anti-spyware tools might be detecting the HijackThis backups.

Just a thought.

'til tomorrow,
PP

 

Here are the two logs you asked for. I deleted Google desktop search tool to see if that would help. It is a new tool that searches your hard drive.

I am out until Sunday night so I will not be responding to your posts til then. Searchportal.info takes over the home page. Services.exe is back and the was in the intermute folder I deleted. CWS.Yexe was not in that folder.

 

PP, my plans changed and I will be around this weekend. I will be checking to see what to try next. Again, thanks for the assistance. This is getting interesting.

I failed to mention what I found in Add/Remove, Nothing unusual, Everything was legit.

One other thing, I keep getting windows upate install notifications. I install, it shows completed and then a few minutes later it pops back up in the systems tray that a new install is ready to install. Appears to be the same install I just did. I do have automatic updates turned on. Even so, I keep getting notification to install. The icon is not in the systems tray all the time, but when it shows up, it keeps coming back after I install. Not sure if this is a problem. If I do a Windows update manually I keep getting notificatioin that Services Pack 2 shows it needs to be installed (1 install, 0kb, 0 minutes), but Add/Remove programs shows it is installed. Also, in Safe Mode the desktop shows that Service Pack 1 is in. Do you think there is a problem with Windows update. I don't think this potential issue is related to the searchportal.infor hijacker. Just something else I have noticed.

 

Hi PJ,

I don’t know what is up with the Windows Updates.

The CWS is back, as you noticed (the Inetdata). I am tied up right now and probably won’t be able to check back until tonight.

I’d like you to attach a more complete Ad-awareSE log.
Before you scan, under Advanced Options, check these Logfile Detail Options:
Include Additional Object Information
Include Environment Information

When you scan, turn OFF the “Search for negligible risk entries”

Please save the entire log and attach it. With any luck, we’ll get to the bottom of this. I’ll see if I can find out more about CWS.Yexe.

Best,
PP

 

PP, thanks for the reply. I have made some progress. I reinstalled SP2 and now I am certain it took. I am attacing a few logs from a more recent HJT I just did with everything running. Also, a new Adaware file. Also, in another post I will add a Spybot log that shows where CoolWWWSearch.Yexe (note the name change, I have been mis naming it) is located in the registry. Spybot can't fix since it says it is being used by another process.

Also, I was using Windows Explorer and came across the inetdata folder again, in it were the same configuration settings and services.exe. The folder was located at: C:\WINDOWS\inetdata. I could not delete sevices.exe, I got an error when I tried. I did delete the configuration settings and left them in the recycle bin. After doing this my home page is NOT BEING HIJACKED. Don't know if this will coninue, but it is not being redirected right now and I have tested it multiple times over a period of an hour.

When I did the most recent scan with HJT, I got three errors.
1. Mod Registry_Ini Get String(sFile=systems.ini,sSection=boot, sValue=shell)
2. " " " " " =win.ini " =windows," =load)
3. " " " " " " " " =run)

I imagine that this is the result of me moving the configuration settings in inetdata to the recycle bin, but wanted to mention this.

No weird things happening on my PC right now, but I can't delete services.exe. and the different scans keep showing same findings.

Check out the attached logs and let me know what you think. I will let you know if searchportal comes back. The Adaware log was run before I got your directions. I will send another one based on your specs.

One question, can I delete the CoolWWWsearch.yexe file in the registry? I have it up in the registy editor.

 

PP, here is the latest Ad-Aware log, much cleaner, but not totally clean, 6 critical items. Also included is the Spybot log.

Let me know your thoughts when you find time. Thanks for the excellent help!

Home page has still not been rehijacked. Let me know on deleting the CoolWWWsearch.Yexe file in registry. Any clue on getting rid of C:\WINDOWS\inetdata folder that includes services.exe?

 

Hi PJ,

I don't think it was a good idea to install SP2 while this is on your machine, but maybe we can deal with it.

I don't know how excellent my help has been - We are back to square 1 Plus, the other threads I am advising are equally bogged down!!

You were able to delete that folder once before. We just have to figure out how to keep it from coming back!

Regarding the CWS in the registry, HijackThis removes those entries. Also, this variant is not new - CWShredder should take care of it. I wonder why Ad-awareSE couldn't fix it?

Anyhoo, let’s try this again. So happy I’m able to Copy & Paste!!

Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

Now scan with HijackThis and check the boxes for the following:
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

Again, make sure All Browser Windows are Closed when you Click FIX.

Now, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\inetdata\services.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

While in Safe Mode, navigate to and DELETE:

C:\WINDOWS\inetdata <--- The entire folder

Next, while still in Safe Mode, Run CWShredder and let it fix what it finds.

Then, Run Ad-awareSE and let it Fix what it finds.

Then run CCleaner.

Then Go to Start > Run and type: cleanmgr. It will scan your system for excess crap. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Now, Reboot to Normal Windows and Click Start > Control Panel > Network & Internet Connections > Internet Options > Programs Tab > Reset Web Settings > OK

Next, scan with HijackThis and attach a fresh log. Maybe this overkill will do the trick!!
Let me know if you run into any problems.

I’m heading out for a bit – Probably check back tomorrow evening.
Try to enjoy the weekend!!!

Best
PP

 

PP, did as instructed and have attached the HJT log. F3, 04HKLM... and 04HKCU... are still there.

CWShredder found CWS.Yexe, as usual.
Ad-Aware in safe mode found nothing with both a smart system and full system scan.

Home page is NOT being hijacked.

 

PP, just scanned in normal mode with every tool I have and NOTHING WAS FOUND. Looks like everything is gone.

I thank you greatly for the excellent support. Not sure what you will see in the HJT log, but my system is working well. Let me know what I should do next, if anything. Once I hear back from you I will turn system restore back on.

Major Geeks is great!

 

I hope you're not being a bit hasty! Your last log shows everything still there.

Were you able to delete the Inetdata Folder?

It might be a good idea to use Windows Explorer to run a search of your computer for Inetdata and see where all instances of it are lurking. Let me know what you find.

I do not know why it keeps coming back - It really shouldn't be this difficult to remove. My last set of instructions should have done it with no problem!

Although, if the problem is not showing in your subsequent scans, then that's a good sign!

PP

 

PP, I had looked around earlier today and the file is gone. Did the Windows explorer search and systems.ini in C:\windows has it. This is a configurations setting.

Should I delete it?

 

I am leaning toward saying yes. Or, at least renaming it. What is the full path listed?
See the below from Merijn's site:

Variant 27: CWS.Yexe - Whatever
Approx date first sighted: January 17, 2004
Log reference: http://forums.tomcoyote.org/index.php?showtopic=3174
Symptoms: IE start page hijacked to search.thestex.com
Cleverness: 2/10
Manual removal difficulty: Involves deleting some Registry values and keys, deleting one folder and restoring the IE homepage
Identifying lines in HijackThis log:

F1 - win.ini: run=C:\WINNT\system32\services\y.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System\services\1.00.07.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\y.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\y.exe


This variant uses a filename often seen as installer for either CWS or Lop.com (y.exe), but uses it as the actual hijacker file. It loads from win.ini as well as system.ini in a weird way that shouldn't even work, and installs a BHO with seemingly the purpose to react to certain keywords on webpages. Removing the BHO and the autorunning y.exe file fixes this hijack.

CWS.Yexe.2: Possibly a mutation of this variant exists that uses the filename services.exe instead of y.exe.

--------------------------------------------------------------------------
Your variation is C:\WINDOWS\inetdata\services.exe .

I think it would probably be OK to delete anything related to Inetdata.
Bear in mind, though, that services.exe is a legitimate process in other folders.

I suggest running through my instructions from a couple posts ago again and, when you get to the part about deleting the Inetdata folder, search for it and delete it everywhere you find it.

Then, Reboot and post a fresh HJT log. Hopefully we'll get it!

PP

 

PP, here is the latest log. I just reran the instructions from below. I've been been busy this week. Thanks for the guidance. I think my system is finally clean. Let me know your thoughts.

Thanks for the help. By the way, I have read the story you have going in the Lounge. Getting interesting.

Let me know if I have a clean bill of health and I will turn on system restore.

Thanks!
PJ

 

You HJT log looks good! Looks like you got everything.

Happy to help The story was kind of an experiment. When I get some time, I plan to try something different - Stay tuned!

Looks OK - System Restore is up to you. Some people like to wait for a reboot or two until they are sure everything is back to normal.

You're welcome While you are here, take a look at Chaslang's recommendations HERE:How to protect yourself from malware!

Regards,
PP

 

I did the prevent malware suggestions. Many thanks to you PP and Major Geeks. You all have a great web site!!

 

Please help me remove http://www.searchportal.info/10039/

Hi

Please gide me as to how can i get rid of

http://www.searchportal.info/10039/

thanks
nitwit