aaawebsearch
Started by
amaluyt
, Jan 26 2005 06:43 AM
#1
Posted 26 January 2005 - 06:43 AM
#2
Posted 26 January 2005 - 07:52 AM
Were you trying HijackThis version 1.99 ?
If so, try version 1.98.2
http://www.wildersse...chmentid=138934
It usually crashes on the services and version 1.98.2 didn't list those.
Regards,
Pieter
#3
Posted 26 January 2005 - 09:27 AM
Yep, just tried it - still giving me the message that the programme needs to end.
#4
Posted 26 January 2005 - 09:31 AM
Download, unzip and run asviewer from : http://www.diamondcs...p?page=asviewer
Click Main > Save to make a text file.
Post the content of that file please.
Regards,
Pieter
Edited by Metallica, 26 January 2005 - 09:32 AM.
#5
Posted 27 January 2005 - 01:13 AM
I did what you said - how do I get that text file posted in here? I tried to open the text file, but it does not want to open - sorry, I am not a great computer boffin. By the way, are you from South Africa? I ask because of the spelling of your name.
#6
Posted 27 January 2005 - 06:11 AM
Right-click the file and choose Open with ... Notepad
Then copy and paste the content into your next post.
Not South-Africa, but the language fits. I'm Dutch.
Regards,
Pieter
#7
Posted 28 January 2005 - 12:26 AM
Got hijackthis working - deleted some of the stuff that looked suspicious - this is what is left:
Logfile of HijackThis v1.98.2
Scan saved at 8:21:27 AM, on 1/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetdim\winlogon.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\capdfvd8.exe
C:\Program Files\Irdeh\Pgcrq.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Admanager Controller\AdManKeep.exe
C:\WINDOWS\System32\pd7.exe
C:\Program Files\AdStatus Service\AdStatKeep.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\Program Files\AdStatus Service\AdStatServ.exe
C:\DOCUME~1\HAROLD~1\LOCALS~1\Temp\Rar$EX00.522\HijackThis.exe
C:\DOCUME~1\HAROLD~1\LOCALS~1\Temp\Rar$EX00.336\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10010/
R3 - URLSearchHook: (no name) - {20054858-C27C-B966-2549-096D1F1723E1} - C:\WINDOWS\system32\capdfvd8.exe
F3 - REG:win.ini: run=C:\WINDOWS\inetdim\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [mnrmnckqksg] C:\WINDOWS\System32\amovzsqa.exe
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ikI6MyiY] C:\WINDOWS\pwmksnf.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [zel] C:\WINDOWS\zel.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [AC61D24E] C:\WINDOWS\system32\capdfvd8.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe
O4 - HKLM\..\Run: [fFb7mk] C:\WINDOWS\knplk.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [fFb7mú"ü‰üžigÝY] C:\WINDOWS\knplk.exe
O4 - HKLM\..\Run: [Wrzntq] C:\Program Files\Roupp\Xhcvjgj.exe
O4 - HKLM\..\Run: [Shehwh] C:\Program Files\Irdeh\Pgcrq.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [buvit] C:\WINDOWS\buvit.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [srmx] C:\WINDOWS\srmx.exe
O4 - HKLM\..\Run: [lmv] C:\WINDOWS\lmv.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
O4 - HKLM\..\Run: [gCNLZD] C:\WINDOWS\uhculvx.exe
O4 - HKLM\..\Run: [twvex] C:\WINDOWS\twvex.exe
O4 - HKCU\..\Run: [AC61D24E] C:\WINDOWS\system32\capdfvd8.exe
O4 - HKCU\..\Run: [Attb] C:\Documents and Settings\HAROLD SCHENK\Application Data\redc.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c3.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099917012742
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B92BCC37-4B58-4BAA-BCC9-ED8E1BB9D24C}: NameServer = 196.25.255.34,196.25.255.3
#8
Posted 28 January 2005 - 12:33 AM
This is the as viewer file
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for HAROLD SCHENK@PRIVATE-UJM5GC3, 01-28-2005
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\wininit.ini [rename]
NUL=ðÕöwÿÿÿÿæõwxõw²õw
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\win.ini [windows]\run
C:\WINDOWS\inetdim\winlogon.exe
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mnrmnckqksg
C:\WINDOWS\System32\amovzsqa.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Unshare
C:\Program Files\safe-share\SafeShare.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
C:\Program Files\QuickTime\qttask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_CC
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_EMC
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINDOWS\system32\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ikI6MyiY
C:\WINDOWS\pwmksnf.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows ControlAd
C:\Program Files\Windows ControlAd\WinCtlAd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\zel
C:\WINDOWS\zel.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XPSP2 Firewall
C:\WINDOWS\system32\xpsp2fw.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AC61D24E
C:\WINDOWS\system32\capdfvd8.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ControlPanel
C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Bar Ding lolt
analiz.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fFb7mk
C:\WINDOWS\knplk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tsl
C:\PROGRA~1\COMMON~1\tsa\tsl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fFb7mú"ü‰üžigÝY
C:\WINDOWS\knplk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wrzntq
C:\Program Files\Roupp\Xhcvjgj.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Shehwh
C:\Program Files\Irdeh\Pgcrq.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Admanager Controller
C:\Program Files\Admanager Controller\AdManCtl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\buvit
C:\WINDOWS\buvit.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdStatus Service
C:\Program Files\AdStatus Service\AdStatServ.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\srmx
C:\WINDOWS\srmx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lmv
C:\WINDOWS\lmv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xp_system
C:\WINDOWS\inetdim\winlogon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service
C:\WINDOWS\System32\pd7.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gCNLZD
C:\WINDOWS\uhculvx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\twvex
C:\WINDOWS\twvex.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AC61D24E
C:\WINDOWS\system32\capdfvd8.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Attb
C:\Documents and Settings\HAROLD SCHENK\Application Data\redc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xp_system
C:\WINDOWS\inetdim\winlogon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service
C:\WINDOWS\System32\pd7.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Bar Ding lolt
analiz.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\SpySubtract.lnk
C:\Program Files\interMute\SpySubtract\SpySub.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\System32\Userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
C:\WINDOWS\inetdim\winlogon.exe
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
#9
Posted 28 January 2005 - 03:39 AM
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10010/
R3 - URLSearchHook: (no name) - {20054858-C27C-B966-2549-096D1F1723E1} - C:\WINDOWS\system32\capdfvd8.exe
F3 - REG:win.ini: run=C:\WINDOWS\inetdim\winlogon.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [mnrmnckqksg] C:\WINDOWS\System32\amovzsqa.exe
O4 - HKLM\..\Run: [ikI6MyiY] C:\WINDOWS\pwmksnf.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [zel] C:\WINDOWS\zel.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [AC61D24E] C:\WINDOWS\system32\capdfvd8.exe
O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe
O4 - HKLM\..\Run: [fFb7mk] C:\WINDOWS\knplk.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [fFb7mú"ü‰üžigÝY] C:\WINDOWS\knplk.exe
O4 - HKLM\..\Run: [Wrzntq] C:\Program Files\Roupp\Xhcvjgj.exe
O4 - HKLM\..\Run: [Shehwh] C:\Program Files\Irdeh\Pgcrq.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [buvit] C:\WINDOWS\buvit.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [srmx] C:\WINDOWS\srmx.exe
O4 - HKLM\..\Run: [lmv] C:\WINDOWS\lmv.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
O4 - HKLM\..\Run: [gCNLZD] C:\WINDOWS\uhculvx.exe
O4 - HKLM\..\Run: [twvex] C:\WINDOWS\twvex.exe
O4 - HKCU\..\Run: [AC61D24E] C:\WINDOWS\system32\capdfvd8.exe
O4 - HKCU\..\Run: [Attb] C:\Documents and Settings\HAROLD SCHENK\Application Data\redc.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c3.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
Reboot into safe mode and delete:
C:\WINDOWS\inetdim\winlogon.exe
C:\WINDOWS\System32\amovzsqa.exe
C:\WINDOWS\pwmksnf.exe
C:\Program Files\Windows ControlAd <= entire folder
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\knplk.exe
C:\PROGRAM FILES\COMMON FILES\tsa <= entire folder
C:\WINDOWS\knplk.exe
C:\Program Files\Admanager Controller <= entire folder
C:\WINDOWS\buvit.exe
C:\Program Files\AdStatus Service <= entire folder
C:\WINDOWS\srmx.exe
C:\WINDOWS\inetdim\winlogon.exe
C:\WINDOWS\System32\pd7.exe
C:\WINDOWS\uhculvx.exe
C:\WINDOWS\system32\capdfvd8.exe
C:\Documents and Settings\HAROLD SCHENK\Application Data\redc.exe
Then do an online virusscan for example here: http://housecall.antivirus.com/
Regards,
Pieter
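The fix list in the previous post is built from a few patterns that recur in the HijackThis log: a copy of winlogon.exe running from C:\WINDOWS\inetdim instead of System32, the same executable registered under win.ini, HKLM\..\Run and HKCU\..\Run at once, an O2 BHO with "(no file)", and an R0 start page nobody set on purpose. The Python script below is an added example (not part of this thread and not HijackThis code) that parses log lines in the v1.98.x format and applies those triage rules, so a reader can see how the log is read before deciding what to fix. The sample lines are constructed and modelled on the log posted above; `SYSTEM32_ONLY`, `KNOWN_START_PAGES` and the function names are my own choices for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few HijackThis v1.98.x lines modelled on the log posted
# in this thread. It is an illustration, not a complete scan.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\inetdim\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10010/
F3 - REG:win.ini: run=C:\WINDOWS\inetdim\winlogon.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdim\winlogon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")                 # "O4 - ..." style lines
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)   # running-process lines
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|com))"?', re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Windows binaries whose only legitimate home on XP is the System32 directory (assumption for the example).
SYSTEM32_ONLY = {"winlogon.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe"}
AUTOSTART_SECTIONS = {"F2", "F3", "O4"}
# Start pages the owner recognises; anything else is reported for review (constructed allow-list).
KNOWN_START_PAGES = {"about:blank", "http://www.google.com/"}


@dataclass
class Entry:
    section: str          # "O4", "R0", ... or "PROC" for a running-process line
    detail: str           # text after the "O4 - " prefix (whole line for PROC)
    path: Optional[str]   # first Windows path in the line, lower-cased, or None


def parse_log(text: str) -> List[Entry]:
    """Turn HijackThis log text into Entry records; header and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            section, detail = m.groups()
        elif PROC_RE.match(line):
            section, detail = "PROC", line
        else:
            continue
        pm = PATH_RE.search(detail)
        entries.append(Entry(section, detail, pm.group(1).lower() if pm else None))
    return entries


def _add(findings: Dict[str, List[str]], key: str, reason: str) -> None:
    if reason not in findings[key]:
        findings[key].append(reason)


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Apply the triage rules; returns {path or id: [reasons]} for entries worth a closer look."""
    findings: Dict[str, List[str]] = defaultdict(list)
    refs: Dict[str, List[str]] = defaultdict(list)   # path -> autostart locations referencing it
    for e in entries:
        if e.path:
            base = e.path.rsplit("\\", 1)[-1]
            # Rule 1: a System32-only binary name running from elsewhere is a masquerade.
            if base in SYSTEM32_ONLY and "\\system32\\" not in e.path:
                _add(findings, e.path, f"{base} is a System32-only binary but runs from {e.path}")
            if e.section in AUTOSTART_SECTIONS:
                loc = f"{e.section} {e.detail.split(': ', 1)[0]}"
                if loc not in refs[e.path]:
                    refs[e.path].append(loc)
        # Rule 2: a BHO whose file is gone is an orphaned registration.
        if e.section == "O2" and e.detail.endswith("(no file)"):
            g = GUID_RE.search(e.detail)
            _add(findings, g.group(0) if g else e.detail, "BHO registered but its file is missing (orphaned entry)")
        # Rule 3: start/search page pointing somewhere the owner does not recognise.
        if e.section in ("R0", "R1"):
            u = URL_RE.search(e.detail)
            if u and u.group(0) not in KNOWN_START_PAGES:
                _add(findings, u.group(0), f"{e.section} browser setting points at an unrecognised site")
    # Rule 4: one executable wired into several autostart locations at once.
    for path, locs in refs.items():
        if len(locs) > 1:
            _add(findings, path, f"registered in {len(locs)} autostart locations: {', '.join(locs)}")
    return dict(findings)


if __name__ == "__main__":
    for key, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(key)
        for r in reasons:
            print("   -", r)
```

Run as-is it reports the inetdim copy of winlogon.exe twice over (wrong directory, three autostart hooks), the orphaned BHO by its GUID and the search-paga start page, while the AVG, Spybot and QuickTime entries pass untouched; feeding it the full log from the thread instead of `SAMPLE_LOG` shows the same pattern for capdfvd8.exe and pd7.exe. The rules are a starting point for reading a log, not a substitute for the manual review the helper did above.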
#10
Posted 28 January 2005 - 03:45 AM
I'll try and let you know
Thanks a lot!
#11
Posted 28 January 2005 - 03:50 AM
OK