searchmeup

 
 
Reply Thu 29 Apr, 2004 12:13 pm
I’ve been hijacked!! I guess it’s searchmeup or some variation. On Internet connect, windial32 starts, sometimes creates a new connection, sometimes changes my own connection settings to proxy. As I surf, many instances of windial32 start as well as wininet32 & runwin32. Of course, my homepage changes to searchmeup.
I’ve tried CWShredder, Ad-aware (updated) & Spy-Bot S & D (updated) in reg. Mode and safe mode. I also ran Panda’s online scan. I read all the relative posts and tried the responses. It keeps coming back! These programs clean it up but when I reboot and reconnect it’s all back! Any ideas??:-(

Here's my hijackthis log -->

Logfile of HijackThis v1.97.7
Scan saved at 12:13:18 PM, on 4/29/2004
Platform: Windows 95 a (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\RUNWIN32.EXE
B:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.50.170.20 www.google.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = tm.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 64.7.161.12,64.7.161.13

 
timberlandko
 
  1  
Reply Thu 29 Apr, 2004 06:57 pm
The items highlighted below in red strike me as definite "Gotta Go Away"s ... first, I'd recommend, while disconnected from the internet, and with no other apps running or windows open, have HiJackThis fix them. The items highlighted in blue are possible problems, and may or may not be related either to spyware/adware, or to a trojan or virus. When that has been done, reboot, then connect to the internet. Next, I'd recommend Stinger from Network Associates, a free standalone removal tool for current frequently-encountered virus, trojan, and worm infestations. Stinger is updated regularly, and should be downloaded immediately before each run. Download it to a folder of its own on your C: drive, and when the download is complete, disconnect from the internet and run it by clicking on the icon in that folder. You also show evidence of a couple of CoolWebSearch variants. I'd recommend you get and run CoolWebShredder, another frequently updated removal tool for the most commonly encountered browser and search hijackers. Again, it should be downloaded into its own folder on your C: drive, and run, by clicking its icon, then selecting the "Fix" option, while disconnected from the internet. Run this after you have run Stinger and rebooted.


Quote:
Logfile of HijackThis v1.97.7
Scan saved at 12:13:18 PM, on 4/29/2004
Platform: Windows 95 a (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE

C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\RUNWIN32.EXE
B:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.50.170.20 www.google.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
[color-darkblue]O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe[/color]

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = tm.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 64.7.161.12,64.7.161.13


Additionally, I would recommend strongly that you upgrade both your operating system, if at all within the capability of your machine and your means to do so, and your browser. At the very least, go to Windows Update and do what you can.
0 Replies
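The kind of triage applied to the log above can be sketched as a small parser. This is an added example, not part of the thread and not HijackThis's own logic; it flags four symptoms visible in the posted log (IE pages pointed at an unexpected host, a loopback proxy, a Hosts-file override, and a process running many times) for an analyst to review. `TRUSTED_HOSTS` and `min_instances` are assumptions, and the sample lines are copied from the posted log.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE
C:\WINDOWS\WINDIAL32.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 69.50.170.20 www.google.com
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
"""

ENTRY = re.compile(r"^([RO]\d{1,2}) - (.*)$")
# Assumption for this example: hosts the analyst accepts as IE defaults.
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com"}

def triage(log, min_instances=3):
    """Return sorted (kind, detail) findings for a HijackThis-style log."""
    findings, procs, in_procs = set(), Counter(), False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif not m:
            # A blank line ends the process list; other lines inside it are paths.
            in_procs = in_procs and bool(line)
            if in_procs:
                procs[line.upper()] += 1
        elif m.group(1) == "O1" and m.group(2).startswith("Hosts:"):
            parts = m.group(2)[len("Hosts:"):].split()
            if len(parts) >= 2 and not parts[0].startswith("127."):
                findings.add(("hosts-override", f"{parts[1]} -> {parts[0]}"))
        elif m.group(1) in ("R0", "R1") and " = " in m.group(2):
            key, value = m.group(2).split(" = ", 1)
            name = key.rsplit(",", 1)[-1]
            if name == "ProxyServer":
                if value.split(":")[0] in ("127.0.0.1", "localhost"):
                    findings.add(("loopback-proxy", value))
            elif value.startswith("http"):
                host = urlsplit(value).hostname or ""
                if host not in TRUSTED_HOSTS:
                    findings.add(("ie-redirect", f"{name} -> {host}"))
    for path, count in procs.items():
        if count >= min_instances:
            findings.add(("repeated-process", f"{path} x{count}"))
    return sorted(findings)
```

O4 autorun lines are parsed but not flagged, since a Run entry alone says nothing about whether the program is wanted; those still need a manual look.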
 
CC Rider
 
  1  
Reply Fri 30 Apr, 2004 03:29 pm
Thanks so much timberlandko!

You saved me. I'm not sure what worked but I did all that you said and I did it in safe mode. I also went in and deleted the executables in the windows directory named: windial32, runwin32, rundll32, and wininet32 and two suspicious looking executables in the root directory named "q" and "p". Hopefully that wasn't a mistake but things seem to be working now. I also deleted all entries in the registry that pointed to "searchmeup."

The only evidence I'm getting now is
1) Spybot S&D Resident keeps picking up a requested download for "Avenue A., Inc." It blocks when I tell it to but it's persistent as I surf -- a real pain in the neck. Any ideas here?

also
2) I have my connection set up to "always dial when a connection is not present" but now I have to manually connect rather than the automatic connect when you try to open a page on the net.
0 Replies
 
timberlandko
 
  1  
Reply Fri 30 Apr, 2004 04:15 pm
Yer weccum, and thanks for the feedback.


On Spybot's "Immunize" page, there should be a dropdown in the bottom panel which will let you select "Block all bad pages silently". I think once you've selected that, closed Spybot, and rebooted, you should be unbothered by those alerts.

For your dialup connection, along with the "Always dial", I believe you have to also select, from the connection prompt, both "Save Password" and "Connect Automatically". I'm a little hazy on dialup stuff (and quite happy to be so), but if that doesn't sort it out for you, I'm sure the Helpdesk of your ISP can set you straight.
0 Replies
 
CC Rider
 
  1  
Reply Fri 30 Apr, 2004 07:36 pm
I know what you mean about the dial-up. I'd like to put it behind me too. But for us rural dwellers, there's few options. I'm looking at $10-$15/mo. for my dial-up vs. $50-$60 for Speednet or satellite. And then as I understand, satellite only gets you high speed coming down and regular dial-up going up anyway. Unfortunately, we're not worthy when it comes to cable or DSL period! And so it's 56k for me!
0 Replies
 
timberlandko
 
  1  
Reply Fri 30 Apr, 2004 09:00 pm
Don't despair; broadband is spreading. I'll flat out guarantee you I live in a rural area. I may have DSL, but my road ain't paved, my nearest neighbors are about 1/2 mile away, and a trip to town for anything takes about 45 minutes round trip if you just go there, grab something, and come right back. This county only has one traffic light, and it's only been in place a little over a year. Except during summer tourist season, it mostly just blinks red in all four directions, and it's over 30 miles from where I live.
0 Replies
 
 
