searchmeup?

Discussion in 'Malware Help (A Specialist Will Reply)' started by richard.rodriguez, Jul 6, 2005.

  1. richard.rodriguez

    richard.rodriguez Private E-2

    Hi

    I am running WinME and have recently started experiencing problems. I have gone through the ReadMe First article in this forum step by step and have only omitted the online scans due to not being able to get online in Safe Mode. I did, however, run the Trend Micro one in normal mode but couldn't get the Symantec one to load.

    Having run all the steps up to but not including the Optional ones I am still experiencing the same problems.

    1) when I type a URL into the address bar of IE for the first time since switching on, the screen freezes and the PC starts processing something which takes about 2 minutes to complete. Then, RealPlayer starts up and gives me an error message. After that, everything works normally and it only does this once

    2) in FireFox I notice I get a Search box on the right hand side of most tabs saying "Related searches" and then a list of links which all have www.searchmeup.com in the URL

    I could do with some advice about where to go next

    Thanks

    Rich
     
  2. Sounds like you have adware inside your machine. What might help is if you run adaware and do a full system scan. That might solve your problems.
    -the new tech guy
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you read the READ ME FIRST sticky? If so, you would realize that since the user has run the READ ME FIRST he has already run Ad-Aware SE along with a load of other scanners.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    richard.rodriguez,

    Please follow the steps below exactly:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. richard.rodriguez

    richard.rodriguez Private E-2

    I have already run Ad-aware but i did a Smart System Scan in Safe Mode. I have run the Full System Scan but only in normal mode.

    I have attached the HJT log.

    Thanks
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see no evidence of searchmeup in your HJT log. Take a look for a file named nvidia32.exe (make sure viewing of hidden files is enabled per the READ ME). Look in each of the below folders:
    c:\
    c:\windows
    c:\windows\system
    c:\windows\system32

    Tell me if you find it. Also look for the following two files in those folders:
    systime.exe
    explorer32.exe


    However, you must have HJT fix the below lines:


    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08974b5d5421372e7905/netzip/RdxIE601.cab


    This is a good example as to why nothing should be added to the Trusted Zone. It makes it way too easy to hide bad stuff in there when you start adding this many lines to the TZ. In most cases, items do not need to be added to the TZ. It is rare that this is a necessity.
     
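As an added illustration (not part of the thread and not HijackThis's own code), a small Python checker for the O15 and O16 sections of a HijackThis log like the one discussed above: it counts Trusted Zone entries, flags wildcard hosts and look-alike hosts that sit close to a name the user meant to trust, and lists DPF downloads by CLSID. The sample log lines are constructed from entries in the thread; the KNOWN_HOSTS list and the similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample HijackThis log lines (O15 Trusted Zone, O16 DPF),
# modelled on entries posted in the thread above.
SAMPLE_LOG = """\
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://ww.hotmail.com
O15 - Trusted Zone: http://*.paypal.com
O15 - Trusted Zone: http://www.alex-soft.net
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08974b5d5421372e7905/netzip/RdxIE601.cab
"""

O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-F-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)")

# Hypothetical reference hosts the user actually meant to trust; a real
# review would be driven by the user's own intent, not a fixed list.
KNOWN_HOSTS = {"windowsupdate.com", "hotmail.com", "paypal.com"}

def host_of(url):
    """Strip the scheme and path, leaving just the (possibly wildcard) host."""
    return re.sub(r"^[a-z]+://", "", url).split("/")[0].lower()

def review_hjt(log_text, known_hosts=KNOWN_HOSTS, threshold=0.85):
    """Return findings for O15/O16 lines. A wildcard entry trusts every
    sub-host; a look-alike is a host close to, but not equal to, a known one."""
    findings = {"o15_count": 0, "wildcards": [], "lookalikes": [], "dpf": []}
    for line in log_text.splitlines():
        m = O15_RE.match(line)
        if m:
            findings["o15_count"] += 1
            host = host_of(m.group("url"))
            if host.startswith("*."):
                findings["wildcards"].append(host)
            bare = host[2:] if host.startswith("*.") else host
            bare = bare[4:] if bare.startswith("www.") else bare
            for good in known_hosts:
                ratio = SequenceMatcher(None, bare, good).ratio()
                if bare != good and ratio >= threshold:
                    findings["lookalikes"].append((host, good))
            continue
        m = O16_RE.match(line)
        if m:
            findings["dpf"].append((m.group("clsid"), m.group("name"), m.group("url")))
    return findings
```

On the constructed sample the checker reports two wildcard entries, the "ww.hotmail.com" entry as a look-alike of hotmail.com, and the RdxIE download as the only DPF item.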
  7. richard.rodriguez

    richard.rodriguez Private E-2

    OK.

    I've searched for those .exe files throughout my hard drive and cannot find them at all.

    In relation to the Trusted Zone, the only difference between my TZ and RZ is that Javascript is enabled for trusted sites. Is there a better way to accomplish this task ?

    Thanks so far

    Rich
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not really sure if those sites all require Java scripting but I do not disable Java Scripts myself. I always have them enabled and I never have malware issues on my properly protected PC.

    You can decide for yourself what to do, but I would not have that long list of items in the TZ. It is already pretty long and if something managed to sneak in that was bad (especially if named similar to other good sites) you would not easily notice the problem.

    I have nothing in the TZ and have never needed anything to be there.
     
  9. richard.rodriguez

    richard.rodriguez Private E-2

    I've deleted all that garbage from my TZ now. I reckon the last bit

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08974b5...ip/RdxIE601.cab

    must have been the root of the problem, being as it always ended with RealPlayer starting up.

    You'll notice I use past tense in that sentence; the problem with IE and RealPlayer appears to have gone now.

    The 'searchmeup' pop-up still appears on some pages viewed in FireFox, how can I get rid of it? I've run a search for files containing 'searchmeup' and turned out this:

    1) C:\_RESTORE\ARCHIVE\RG42CC602A.CAB
    2) C:\WINME\USER.DAT
    3) C:\WINME\All Users\Application Data\Spybot - Search & Destroy\Backups\regUsers.reg
    4) C:\Virus & Trojan\CWShredder\cwshredder.exe

    Should I do anything with the RESTORE file?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The very first step of the READ ME FIRST tells you to disable System Restore.
    Why is it enabled?

    What version of Firefox are you running?

    After doing that, go to the thread indicated below and make sure all of these steps have been completed. Especially DO NOT skip step 1, as you must check to make sure you have all of your Windows Updates. Searchmeup will take advantage of missing security patches.

    How to Protect yourself from malware!
     
    Last edited: Jul 9, 2005
