SearchPortal Help!

Hello. Hope someone can help. This blasted searchportal bug is making my homepage searchportal. I downloaded the most recent HiJackThis version 1.98.2. here is the log from the scan. Someone help, this thing is the worst ever.

Logfile of HijackThis v1.98.2
Scan saved at 7:55:11 PM, on 12/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Kazaa Lite\clean.kmd
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\inetdim\winlogon.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=4239
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/10010/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F3 - REG:win.ini: run=C:\WINDOWS\inetdim\winlogon.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [72204cac3e9d] C:\WINDOWS\System32\adsnt139.exe
O4 - HKLM\..\Run: [dpmocc] C:\WINDOWS\System32\dpmocc.exe
O4 - HKLM\..\Run: [4c9effea1be8] C:\WINDOWS\System32\appmgr30.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

fantastic

Newbie Poster

7 posts since Dec 2004

Reputation Points: 10

Solved Threads: 0

7 Years Ago

Download CWShredder from here and run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including Internet Explorer, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/10010/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

F3 - REG:win.ini: run=C:\WINDOWS\inetdim\winlogon.exe

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [72204cac3e9d] C:\WINDOWS\System32\adsnt139.exe
O4 - HKLM\..\Run: [dpmocc] C:\WINDOWS\System32\dpmocc.exe
O4 - HKLM\..\Run: [4c9effea1be8] C:\WINDOWS\System32\appmgr30.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe

Reboot into safe mode following the instructions here and navigate to and delete the following if found:

C:\WINDOWS\inetdim<----folder
C:\PROGRA~1\Web Offer<-folder

C:\WINDOWS\System32\adsnt139.exe<----file
C:\WINDOWS\System32\dpmocc.exe<----file
C:\WINDOWS\System32\appmgr30.exe<----file

Reboot normally after doing this & post another log please.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

I did everything you said. Searchportal is still there.
New LOG

Logfile of HijackThis v1.98.2
Scan saved at 5:57:38 PM, on 12/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=4239
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/10010/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F3 - REG:win.ini: run=C:\WINDOWS\inetdim\winlogon.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [72204cac3e9d] C:\WINDOWS\System32\adsnt139.exe
O4 - HKLM\..\Run: [dpmocc] C:\WINDOWS\System32\dpmocc.exe
O4 - HKLM\..\Run: [4c9effea1be8] C:\WINDOWS\System32\appmgr30.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

fantastic

Newbie Poster

7 posts since Dec 2004

Reputation Points: 10

Solved Threads: 0

7 Years Ago

You need to go through everything I posted previously as everything is still there :). Please follow the instructions exactly.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

WOOHOOOOOO!!!! thanx crunchie - that little S.O.B appears to be gone. my precious google is back as the homepage. wquick question. is it ok to keep ad-aware's AD WATCH running?

fantastic

Newbie Poster

7 posts since Dec 2004

Reputation Points: 10

Solved Threads: 0

7 Years Ago

Yes. Did you manage to clear all the baddies I listed?

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

all baddies removed - one issue now is that when i turn on Ad-Watch - it instantly corrects registry changes and turns my homepage directly back to search portal - the only way for me to keep whatever homepage i want is to disable AD-WATCH, any help with this?

fantastic

Newbie Poster

7 posts since Dec 2004

Reputation Points: 10

Solved Threads: 0

7 Years Ago

now that i have used IE a bit more. i am noticing search portal appears more and more often. i can still change google back to the homepage, but every so often it is changed back to search portal.

fantastic

Newbie Poster

7 posts since Dec 2004

Reputation Points: 10

Solved Threads: 0

7 Years Ago

sorry to reply again - every 5 minutes or so SEARCHPORTAL is the homepage- i keep changing it but after a few minutes it just comes right back.

fantastic

Newbie Poster

7 posts since Dec 2004

Reputation Points: 10

Solved Threads: 0

7 Years Ago

I do not have Adwatch, but has it got some sort of configuration for setting\changing your homepage?

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

ok CRUNCHIE - i think i got it here.there doesnt appear to be a setting for homepages. for anyone who may have trouble with this..... it appears as though Ad-Watch thinks changing the homepage back to WHATEVER YOU WANT is a registry change, so it revert back to search portal. what i did was turn off automatic choosing and than changed the homepage to www.google.com . Ad-Watch than asked me if i was sure i wanted to edit the registry. I chose yes. than a minute or 2 later when search portal tried to change the homepage again, Ad-Watch asked me and i selected "AUTOMATIC" and "BLOCK" - things are running smoothly and i hope this helps someone cuz it helped me... THANX FOR UR HELP CRUNCHIE

fantastic

Newbie Poster

7 posts since Dec 2004

Reputation Points: 10

Solved Threads: 0

7 Years Ago

Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool. Type search portal in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them here.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

This article has been dead for over three months

You