Possible Browser Hijack Attempt: What needs to be repaired?

Question

Bizzybot 0 Newbie Poster

19 Years Ago

After scanning w/ Ad-Aware it states: Possible Browser Hijack (Object Type: Regkey) and Possible restriction from adding/ removing toolbars. When i try to load internet explorer it takes me directly to: C:\WINDOWS\system32\msblank.html. Here is my results from HijackThis. Any advice or hints on whats best to remove or what can be done to eradicate this problem? Thank you :eek:

Scan saved at 6:20:13 PM, on 9/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\popcorn72.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\Owner\LOCALS~1\Temp\MegaHost.dll (file missing)
O2 - BHO: C:\WINDOWS\q3666562_disk.dll - {B212D577-05B7-4963-911E-4A8588160DFA} - C:\WINDOWS\q3666562_disk.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F95B661-430A-4757-9D1A-FABE8A650CDC}: NameServer = 69.50.168.179,85.255.112.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{D260A5F3-599D-4F76-A77E-78CC0CB406C4}: NameServer = 69.50.168.179,85.255.112.22
O20 - Winlogon Notify: style32 - C:\WINDOWS\q3666562_disk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

windows-virus

5 Contributors
8 Replies
272 Views
2 Days Discussion Span
Latest Post 19 Years Ago Latest Post by swatkat

crunchie 990 Most Valuable Poster

19 Years Ago

Hi. Welcome to the Daniweb forums :).

You are running hijackthis from a temporary folder. You need to create a new folder in a permanent directory of your choice, (a folder on the desktop is fine) name the new folder hijackthis and move or unzip hijackthis.exe into that folder.
Once you have done that, rescan with hijackthis and post the new log.

chrisbliss18 26 Posting Shark

19 Years Ago

You really don't have much to worry about with cookies (at least I don't). I find if I keep scanning with Ad-Aware, it will always find something it doesn't like. A clean system apparently doesn't exist to the developer of Ad-Aware.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Bizzybot 0 Newbie Poster · Answer 1 · 2005-09-16T00:41:04+00:00

Okay, I think I managed to Move the HijackThis program onto the destop (in a new folder). Here is the results of the Scan. Also, After downloading a spyware scanner (named Xoft Spy) i got different results and I attempted to remove a couple of the highligted items in HijackThis program. After I did that, I am able to keep my home page but when I check for any spyware (on Ad-Aware) it says i still have 2 new critical objects at the time. Here they are: (2) Tracking Cookie , Data miner, Cookie owner@Mediaplex.com and Cookie owner@doubleclick[1]txt. Both of these are found while deepscanning C: files on Ad-Aware. I aplogize for the excessive wordiness but I thought any extra info would help to address the problem and what I can to do fix it. Here is my new HijackThis scan. :)

Logfile of HijackThis v1.99.1
Scan saved at 2:28:05 PM, on 9/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijack Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\Owner\LOCALS~1\Temp\MegaHost.dll (file missing)
O2 - BHO: C:\WINDOWS\q3666562_disk.dll - {B212D577-05B7-4963-911E-4A8588160DFA} - C:\WINDOWS\q3666562_disk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F95B661-430A-4757-9D1A-FABE8A650CDC}: NameServer = 69.50.168.179,85.255.112.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{D260A5F3-599D-4F76-A77E-78CC0CB406C4}: NameServer = 69.50.168.179,85.255.112.22
O20 - Winlogon Notify: style32 - C:\WINDOWS\q3666562_disk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Bizzybot 0 Newbie Poster · Answer 2 · 2005-09-16T01:37:27+00:00

In the process of trying to remove the hijacker program i have managed to create another user and i have a guest user in my computer. I am not exactly sure how to remove the guest and 2nd user, but eventually i want it to be "Owner" only on the icon at the intro to Windows XP. I managed to do so research and found a possbile solution to the problem of the hijacker program ( since i fear it is on the other user as well as the owner. It seems i should try to turn off the System Resore option in "Properties" section of "My Computer" ( on the desktop). It states that files are back up which may be carrying them over only to re-infect my computer once again. Hopefully after a few trys at ad-aware removal I can get positive results. From what i under stand on the issue of removing extra users on your computer, you have to use another computer in order to revome them but I havnet had a chance to attempt this. If I am incorrect, please post me w/ the correct information. Thank you!

Below are my results of the HijackThis Scan on my 2nd user ( i accidentally created ).

Logfile of HijackThis v1.99.1
Scan saved at 3:39:03 PM, on 9/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\System32\wpabaln.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eric\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\Owner\LOCALS~1\Temp\MegaHost.dll (file missing)
O2 - BHO: C:\WINDOWS\q3666562_disk.dll - {B212D577-05B7-4963-911E-4A8588160DFA} - C:\WINDOWS\q3666562_disk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKCU\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F95B661-430A-4757-9D1A-FABE8A650CDC}: NameServer = 69.50.168.179,85.255.112.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{D260A5F3-599D-4F76-A77E-78CC0CB406C4}: NameServer = 69.50.168.179,85.255.112.22
O20 - Winlogon Notify: style32 - C:\WINDOWS\q3666562_disk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

chrisbliss18 26 Posting Shark · Answer 3 · 2005-09-16T01:56:36+00:00

You don't need to use another computer to remove them. Just use the account on your system that has Administrator rights, go to User Accounts in the Control Panel, and modify your users from there.

Bizzybot 0 Newbie Poster · Answer 4 · 2005-09-16T02:40:28+00:00

I have managed to remove extra users and isolate the problem to one specific detail from the results from Xoft Spy (after using their scanning program). Here are the results:

Vendor: Downloader-ME

Category: Trojan

Object Type: File

Danger Level: Threat

Location( there are four of them):

C:\WINDOWS\System32\msblank.html
C:\WINDOWS\System32\winctrl16.html
C:\WINDOWS\System32\winctrl32.html
C:\WINDOWS\System32\winctrl64.html

Here is my results from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 4:38:30 PM, on 9/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Eric\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\Owner\LOCALS~1\Temp\MegaHost.dll (file missing)
O2 - BHO: C:\WINDOWS\q3666562_disk.dll - {B212D577-05B7-4963-911E-4A8588160DFA} - C:\WINDOWS\q3666562_disk.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F95B661-430A-4757-9D1A-FABE8A650CDC}: NameServer = 69.50.168.179,85.255.112.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{D260A5F3-599D-4F76-A77E-78CC0CB406C4}: NameServer = 69.50.168.179,85.255.112.22
O20 - Winlogon Notify: style32 - C:\WINDOWS\q3666562_disk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

If you can help me to remove the trojans w/o re-installing or paying a website to remove them please feel free to reply w/ advice on what steps to take next. Thank you

dygital 0 Newbie Poster · Answer 5 · 2005-09-16T08:38:38+00:00

I can recommend CCleaner to clean up your system temp directories and stuff, clean cookies, and even scrub your registry. Truly a good program, freeware, and legit.

CCleaner - www.ccleaner.com

Next, with HijackThis - "FIX" the folllowing:

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
tipIDs[tipIDs.length] = "43"O17 - HKLM\System\CCS\Services\Tcpip\..\{4F95B661-430A-4757-9D1A-FABE8A650CDC}: NameServer = 69.50.168.179,85.255.112.22
tipIDs[tipIDs.length] = "44"O17 - HKLM\System\CCS\Services\Tcpip\..\{D260A5F3-599D-4F76-A77E-78CC0CB406C4}: NameServer = 69.50.168.179,85.255.112.22
tipIDs[tipIDs.length] = "45"O20 - Winlogon Notify: style32 - C:\WINDOWS\q3666562_disk.dll

swatkat 14 Practically a Master Poster · Answer 6 · 2005-09-17T01:28:33+00:00

Hi,
There could be hidden files related to this Trojan. Let's find it! Download WinPFind.zip and extract it to a folder completely. Inside this folder, there will be a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the "Start Scan" button and wait for it to finish. When it is done, it will show the results of the scan. Click on the "Copy to Clipboard" button and then paste the contents of the log here.

Along with this, please post a fresh HijackThis log.