aaawebsearch

#1 amaluyt (New Member, 6 posts)
I am struggling my butt off to get rid of aaawebsearch - have read the replies and each one indicates that I have to run HijackThis. Well, I've tried, but the program automatically ends seconds after starting - I get a message saying that this programme has to end - WHY, and how can I solve this? aaawebsearch is driving me crazy. I am currently using Spy Subtract, but it does not seem to be getting rid of the culprit.

#2 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Were you trying HijackThis version 1.99?

If so, try version 1.98.2
http://www.wildersse...chmentid=138934
It usually crashes on the services and version 1.98.2 didn't list those.

Regards,

Pieter

#3 amaluyt (Topic Starter, New Member, 6 posts)
Yep, just tried it - still giving me the message that the programme needs to end.

#4 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Download, unzip and run asviewer from: http://www.diamondcs...p?page=asviewer

Click Main > Save to make a text file.
Post the content of that file please.

Regards,

Pieter

Edited by Metallica, 26 January 2005 - 09:32 AM.


#5 amaluyt (Topic Starter, New Member, 6 posts)
I did what you said - how do I get that text file posted in here? I tried to open the text file, but it does not want to open - sorry, I am not a great computer boffin. By the way, are you from South Africa? I ask because of the spelling of your name.

#6 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Right-click the file and choose Open with ... Notepad.

Then copy and paste the content into your next post.

Not South-Africa, but the language fits. I'm Dutch.

Regards,

Pieter

#7 amaluyt (Topic Starter, New Member, 6 posts)
Got HijackThis working - deleted some of the stuff that looked suspicious - this is what is left:


Logfile of HijackThis v1.98.2
Scan saved at 8:21:27 AM, on 1/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetdim\winlogon.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\capdfvd8.exe
C:\Program Files\Irdeh\Pgcrq.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Admanager Controller\AdManKeep.exe
C:\WINDOWS\System32\pd7.exe
C:\Program Files\AdStatus Service\AdStatKeep.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\Program Files\AdStatus Service\AdStatServ.exe
C:\DOCUME~1\HAROLD~1\LOCALS~1\Temp\Rar$EX00.522\HijackThis.exe
C:\DOCUME~1\HAROLD~1\LOCALS~1\Temp\Rar$EX00.336\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10010/
R3 - URLSearchHook: (no name) - {20054858-C27C-B966-2549-096D1F1723E1} - C:\WINDOWS\system32\capdfvd8.exe
F3 - REG:win.ini: run=C:\WINDOWS\inetdim\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [mnrmnckqksg] C:\WINDOWS\System32\amovzsqa.exe
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ikI6MyiY] C:\WINDOWS\pwmksnf.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [zel] C:\WINDOWS\zel.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [AC61D24E] C:\WINDOWS\system32\capdfvd8.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe
O4 - HKLM\..\Run: [fFb7mk] C:\WINDOWS\knplk.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [fFb7m"igY] C:\WINDOWS\knplk.exe
O4 - HKLM\..\Run: [Wrzntq] C:\Program Files\Roupp\Xhcvjgj.exe
O4 - HKLM\..\Run: [Shehwh] C:\Program Files\Irdeh\Pgcrq.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [buvit] C:\WINDOWS\buvit.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [srmx] C:\WINDOWS\srmx.exe
O4 - HKLM\..\Run: [lmv] C:\WINDOWS\lmv.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
O4 - HKLM\..\Run: [gCNLZD] C:\WINDOWS\uhculvx.exe
O4 - HKLM\..\Run: [twvex] C:\WINDOWS\twvex.exe
O4 - HKCU\..\Run: [AC61D24E] C:\WINDOWS\system32\capdfvd8.exe
O4 - HKCU\..\Run: [Attb] C:\Documents and Settings\HAROLD SCHENK\Application Data\redc.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c3.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099917012742
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B92BCC37-4B58-4BAA-BCC9-ED8E1BB9D24C}: NameServer = 196.25.255.34,196.25.255.3

#8 amaluyt (Topic Starter, New Member, 6 posts)
This is the asviewer file:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for HAROLD SCHENK@PRIVATE-UJM5GC3, 01-28-2005
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\wininit.ini [rename]
NUL=wwxww
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\win.ini [windows]\run
C:\WINDOWS\inetdim\winlogon.exe
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mnrmnckqksg
C:\WINDOWS\System32\amovzsqa.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Unshare
C:\Program Files\safe-share\SafeShare.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
C:\Program Files\QuickTime\qttask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_CC
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_EMC
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINDOWS\system32\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ikI6MyiY
C:\WINDOWS\pwmksnf.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows ControlAd
C:\Program Files\Windows ControlAd\WinCtlAd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\zel
C:\WINDOWS\zel.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XPSP2 Firewall
C:\WINDOWS\system32\xpsp2fw.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AC61D24E
C:\WINDOWS\system32\capdfvd8.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ControlPanel
C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Bar Ding lolt
analiz.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fFb7mk
C:\WINDOWS\knplk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tsl
C:\PROGRA~1\COMMON~1\tsa\tsl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fFb7m"igY
C:\WINDOWS\knplk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wrzntq
C:\Program Files\Roupp\Xhcvjgj.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Shehwh
C:\Program Files\Irdeh\Pgcrq.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Admanager Controller
C:\Program Files\Admanager Controller\AdManCtl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\buvit
C:\WINDOWS\buvit.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdStatus Service
C:\Program Files\AdStatus Service\AdStatServ.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\srmx
C:\WINDOWS\srmx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lmv
C:\WINDOWS\lmv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xp_system
C:\WINDOWS\inetdim\winlogon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service
C:\WINDOWS\System32\pd7.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gCNLZD
C:\WINDOWS\uhculvx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\twvex
C:\WINDOWS\twvex.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AC61D24E
C:\WINDOWS\system32\capdfvd8.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Attb
C:\Documents and Settings\HAROLD SCHENK\Application Data\redc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xp_system
C:\WINDOWS\inetdim\winlogon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service
C:\WINDOWS\System32\pd7.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Bar Ding lolt
analiz.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\SpySubtract.lnk
C:\Program Files\interMute\SpySubtract\SpySub.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\System32\Userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
C:\WINDOWS\inetdim\winlogon.exe
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll

#9 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10010/
R3 - URLSearchHook: (no name) - {20054858-C27C-B966-2549-096D1F1723E1} - C:\WINDOWS\system32\capdfvd8.exe
F3 - REG:win.ini: run=C:\WINDOWS\inetdim\winlogon.exe

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [mnrmnckqksg] C:\WINDOWS\System32\amovzsqa.exe

O4 - HKLM\..\Run: [ikI6MyiY] C:\WINDOWS\pwmksnf.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [zel] C:\WINDOWS\zel.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [AC61D24E] C:\WINDOWS\system32\capdfvd8.exe

O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe
O4 - HKLM\..\Run: [fFb7mk] C:\WINDOWS\knplk.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [fFb7m"igY] C:\WINDOWS\knplk.exe
O4 - HKLM\..\Run: [Wrzntq] C:\Program Files\Roupp\Xhcvjgj.exe
O4 - HKLM\..\Run: [Shehwh] C:\Program Files\Irdeh\Pgcrq.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [buvit] C:\WINDOWS\buvit.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [srmx] C:\WINDOWS\srmx.exe
O4 - HKLM\..\Run: [lmv] C:\WINDOWS\lmv.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
O4 - HKLM\..\Run: [gCNLZD] C:\WINDOWS\uhculvx.exe
O4 - HKLM\..\Run: [twvex] C:\WINDOWS\twvex.exe
O4 - HKCU\..\Run: [AC61D24E] C:\WINDOWS\system32\capdfvd8.exe
O4 - HKCU\..\Run: [Attb] C:\Documents and Settings\HAROLD SCHENK\Application Data\redc.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c3.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab

O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab

Reboot into safe mode and delete:
C:\WINDOWS\inetdim\winlogon.exe
C:\WINDOWS\System32\amovzsqa.exe
C:\WINDOWS\pwmksnf.exe
C:\Program Files\Windows ControlAd <= entire folder
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\knplk.exe
C:\PROGRAM FILES\COMMON FILES\tsa <= entire folder
C:\WINDOWS\knplk.exe
C:\Program Files\Admanager Controller <= entire folder
C:\WINDOWS\buvit.exe
C:\Program Files\AdStatus Service <= entire folder
C:\WINDOWS\srmx.exe
C:\WINDOWS\inetdim\winlogon.exe
C:\WINDOWS\System32\pd7.exe
C:\WINDOWS\uhculvx.exe
C:\WINDOWS\system32\capdfvd8.exe
C:\Documents and Settings\HAROLD SCHENK\Application Data\redc.exe

Then do an online virus scan, for example here: http://housecall.antivirus.com/

Regards,

Pieter
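As an added defender-side example (not code from this thread, from HijackThis or from DiamondCS), the small Python triage below applies the patterns that Pieter's fix list reflects to the O4 Run-key lines of the posted log: a system binary name such as winlogon.exe loading from a folder outside the Windows system directory, an executable dropped straight into C:\WINDOWS, a bare file name with no path, and a vowel-less random-looking value name. The sample lines are copied from the log above; the heuristics, thresholds and the list of system binary names are my assumptions.

```python
import re
# Constructed sample: O4 (Run-key) lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mnrmnckqksg] C:\WINDOWS\System32\amovzsqa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [zel] C:\WINDOWS\zel.exe
O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
"""
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# Assumed list: names that belong only in the Windows system directories; a copy elsewhere is a red flag.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "userinit.exe", "lsass.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

def parse_o4(log):
    """Yield (hive, value_name, exe_path) for every O4 Run-key line in a HijackThis log."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, value_name, command = m.groups()
        # First token ending in .exe, quoted or not; anything after it is arguments.
        exe = re.match(r'"?(.*?\.exe)', command, re.IGNORECASE)
        if exe:
            yield hive, value_name, exe.group(1)

def reasons_for(value_name, exe_path):
    """Heuristic reasons an entry deserves a closer look (empty list = nothing tripped)."""
    path = exe_path.lower()
    file_name = path.rsplit("\\", 1)[-1]
    folder = path[: len(path) - len(file_name)]
    reasons = []
    if "\\" not in path:
        reasons.append("bare file name without a path")
    elif file_name in SYSTEM_BINARIES:
        if folder not in SYSTEM_DIRS:
            reasons.append("system binary name outside the Windows system directory")
    elif folder == "c:\\windows\\":
        reasons.append("executable dropped directly into the Windows folder")
    if len(value_name) > 3 and not re.search(r"[aeiouy]", value_name, re.IGNORECASE):
        reasons.append("vowel-less, random-looking value name")
    return reasons

def triage(log):
    """Entries that trip at least one heuristic, as [(value_name, exe_path, reasons)]."""
    scored = [(n, p, reasons_for(n, p)) for _h, n, p in parse_o4(log)]
    return [hit for hit in scored if hit[2]]
```

Note that the "Windows Service" entry pointing at pd7.exe in System32 trips none of these rules, which is why name-based heuristics are a first pass only and a vendor or hash lookup of the file is still needed.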

#10 amaluyt (Topic Starter, New Member, 6 posts)
I'll try and let you know.
Thanks a lot!

#11 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
OK