searchmeup

Discussion in 'adware, spyware & hijack cleaning' started by John Deumers, May 8, 2004.

Thread Status:
Not open for further replies.
  1. John Deumers

    John Deumers Registered Member

    Joined:
    May 8, 2004
    Posts:
    8
    Location:
    Zoetermeer, Holland
    How can I get rid of all those lines with searchmeup.
    After removing these and change these lines in the registery, there keep coming back!!!
    Anyone can help? o_O
    After this there is a logfile:

    Logfile of HijackThis v1.91.0
    Scan saved at 11:01:59, on 8-5-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchmeup.com/search.php?aid=1057
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searchmeup.com/search.php?aid=1057
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 69.50.170.20 www.google.com
    O1 - Hosts: 69.50.170.21 search.yahoo.com
    O1 - Hosts: 69.50.170.22 search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [hpppta] G:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] G:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] G:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://cl55.biz/tracker/eu_cax.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://www.real-euros.com/EPlugin_NL.cab
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
     
    John Deumers, May 8, 2004
    #1
  2. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi John Deumers, and welcome to the forum.

    I have moved your post from the SpywareBlaster forum into this one where it will get the appropriate attention for this hijacker.

    Regards,

    snap
     
    snapdragin, May 8, 2004
    #2
  3. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Thnx Pattie :)

    Hi John,

    Have only HijackThis running and fix :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchmeup.com/search.php?aid=1057
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searchmeup.com/search.php?aid=1057
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O1 - Hosts: 69.50.170.20 www.google.com
    O1 - Hosts: 69.50.170.21 search.yahoo.com
    O1 - Hosts: 69.50.170.22 search.msn.com

    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe

    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://cl55.biz/tracker/eu_cax.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://www.real-euros.com/EPlugin_NL.cab

    Restart PC after doing so and remove :

    C:\WINDOWS\runwin32.exe <- this file

    Hope this helps

    Cheers,
     
    Unzy, May 8, 2004
    #3
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    can you post a new log with an updated version of hjt, yours is well out of date and there should be a couple of other entries with this pest

    go to http://www.thespykiller.co.uk and download 'Hijack This!'.
     
    dvk01, May 8, 2004
    #4
  5. John Deumers

    John Deumers Registered Member

    Joined:
    May 8, 2004
    Posts:
    8
    Location:
    Zoetermeer, Holland
    Thank you all for helping me out.

    DVK I've donwloaded a new version of hijack and made a log as you can see below.

    Logfile of HijackThis v1.97.7
    Scan saved at 13:17:08, on 9-5-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    G:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    G:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    G:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    G:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    G:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NTS\WANADO~1\app\pppoeservice.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    G:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    G:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    G:\Program Files\Hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [hpppta] G:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] G:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] G:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A13A26F2-A569-49AE-AE8B-F9E3DB290BC9}: NameServer = 195.96.96.97 195.96.96.33

    THanx
     
    John Deumers, May 9, 2004
    #5
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    it all looks clear now, but

    It looks clear now, but when I see this entry
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    it normally means that some start ups have been disabled using MSconfig

    open msconfig and enable EVERYTHING on the start up tab and post a new full hijackthis log so we can check
     
    dvk01, May 9, 2004
    #6
  7. John Deumers

    John Deumers Registered Member

    Joined:
    May 8, 2004
    Posts:
    8
    Location:
    Zoetermeer, Holland
    Hi Derek,

    You've examined the file thoroughly; that's great.

    And again I send a logfile.
    After erasing the entries and so on, what else do have to do for cleaning up my machine?

    Logfile of HijackThis v1.97.7
    Scan saved at 18:30:59, on 9-5-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    G:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    G:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    G:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    G:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    G:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\PROGRA~1\NTS\WANADO~1\app\pppoeservice.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    G:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    G:\Program Files\Hijack\HijackThis.exe
    G:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [hpppta] G:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] G:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] G:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKCU\..\Run: [svchost] c:\windows\system32\svchost.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
    John Deumers, May 9, 2004
    #7
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...