
Need Help

Good Day
I have a Downloader-AFH trojan I need to get rid of. Here is my HJT file.
Logfile of HijackThis v1.99.1
Scan saved at 12:52:23 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40B.tmp.exe
C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40C.tmp.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\System32\rundll32.exe
C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\17.tmp
C:\WINDOWS\system32\cmd.exe
C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=63796
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=63796
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [40B.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40B.tmp.exe
O4 - HKLM\..\Run: [40C.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40C.tmp.exe
O4 - HKLM\..\Run: [40B.tmp.exe] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40B.tmp.exe
O4 - HKLM\..\Run: [40C.tmp.exe] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40C.tmp.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [A.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\Run: [A.tmp.exe] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\Run: [D.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\D.tmp.exe
O4 - HKLM\..\Run: [D.tmp.exe] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\D.tmp.exe
O4 - HKLM\..\Run: [19.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\19.tmp.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: ms.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/account/downloads/executables/ie/IDA.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://sterling.view22.com/view22/view22RTE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {EAE11EB6-E1C6-43B7-AF23-1DBC52C80FD6} (My3DCtrl Control) - http://www.exform.com/dev/ActiveX/3DCtrl.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Thanks

Comments

  • Trogan, London, UK
    edited December 2005
    Hi, let's try and get your computer cleaned up. Follow these steps :)


    Step 1
    Please move HJT to its own folder on your C: so backups can be created. Do this before continuing.


    Step 2
    Download CWShredder 2.19 from here. EXIT for now


    Step 3
    Download Ewido Security Suite
    1. Install ewido security suite
    2. When installing the program, under "Additional Options" uncheck..
      • Install background guard
      • Install scan via context menu
    3. Launch ewido, there should now be an icon on your desktop, double-click it.
    4. The program will now open to the main screen.
    5. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    6. You will need to update ewido to the latest definition files:
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    7. The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    8. EXIT Ewido


    Step 4
    View hidden files and folders - explained here

    Go into Safe Mode - explained here


    Step 5
    Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=63796
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=63796
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=63796
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=63796
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

    O4 - HKLM\..\Run: [40B.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40B.tmp.exe
    O4 - HKLM\..\Run: [40C.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40C.tmp.exe
    O4 - HKLM\..\Run: [40B.tmp.exe] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40B.tmp.exe
    O4 - HKLM\..\Run: [40C.tmp.exe] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40C.tmp.exe
    O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\7.tmp.exe
    O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\7.tmp.exe
    O4 - HKLM\..\Run: [A.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\A.tmp.exe
    O4 - HKLM\..\Run: [A.tmp.exe] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\A.tmp.exe
    O4 - HKLM\..\Run: [D.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\D.tmp.exe
    O4 - HKLM\..\Run: [D.tmp.exe] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\D.tmp.exe
    O4 - HKLM\..\Run: [19.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\19.tmp.exe


    Step 6
    Open CWShredder and click the FIX button. Close ALL browsers first. Run the scan twice

    Step 7
    Open Ewido

    Close ALL Browsers before scanning
    1. Click on scanner.
    2. Click on Complete System Scan, the scan will now begin.
    3. While the scan is in progress you will be prompted to clean files, click OK.
    4. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
    5. Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
    6. Click Save Report.
    7. Now save the report .txt file to your desktop.

    Now close ewido security suite.


    Step 8
    Reboot into Normal Mode


    Step 9
    Go to Start > Run > type cleanmgr. Choose the C: and click OK - the scan may take a few mins. On the next screen select Temporary Internet Files and Temporary Files. Then, click OK


    Step 10
    Post a new HJT log :)
  • edited December 2005
    Thanks
    CWShredder doesn't find anything and the Downloader-AFH is still there. Here is the HJT.
    Logfile of HijackThis v1.99.1
    Scan saved at 2:52:12 PM, on 12/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\Temporary Directory 6 for hijackthis_199.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=63796
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=63796
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=63796
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=63796
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [F.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\F.tmp.exe
    O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\E.tmp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Startup: ms.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/account/downloads/executables/ie/IDA.cab
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://sterling.view22.com/view22/view22RTE.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {EAE11EB6-E1C6-43B7-AF23-1DBC52C80FD6} (My3DCtrl Control) - http://www.exform.com/dev/ActiveX/3DCtrl.cab
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

    Ideas?
  • Trogan, London, UK
    edited December 2005
    You still haven't moved HJT. Please move HJT along with any "backups" to its own folder on your C: so backups can be created. Do this before continuing.
    ---

    Please DISABLE McAfee temporarily as it can interfere with the fix.
    ---

    Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=63796
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=63796
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=63796
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=63796
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=63796

    O4 - HKLM\..\Run: [F.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\F.tmp.exe
    O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\E.tmp.exe
    O4 - Startup: ms.exe

    O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce...bles/ie/IDA.cab
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://sterling.view22.com/view22/view22RTE.cab

    ---

    Now, reboot your computer!!!
    ---


    Visit at least two of the following sites for an online virus scan: Post the results from the scans.

    BitDefender Free Online Virus Scan
    http://www.bitdefender.com/scan/licence.php
    Make sure you tick AutoClean under Scan Options.

    Panda ActiveScan
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    Make sure you tick Disinfect automatically under Scan Options.

    Housecall at TrendMicro
    http://housecall.trendmicro.com/housecall/start_corp.asp
    Make sure you tick Auto Clean.

    eTrust Antivirus Web Scanner
    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
    ---


    Post a new HJT log along with the results from the on-line scans :)
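The fix lists in the replies above are built by eye from a few recurring tells: IE start/search defaults pointing at a host the owner never chose, Run values launching executables out of the user's Temp directory, the same file registered under more than one value name, a bare .exe dropped in the Startup folder, and an executable sitting at the drive root. The second log also shows why a one-shot "Fix checked" did not end it: the 40B/40C .tmp.exe autoruns were removed, but new F.tmp/E.tmp ones appeared, while winstall.exe and ms.exe survived untouched. The script below is an added example, not code from the thread, from HijackThis or from any of the tools named above: it parses HJT-format lines, applies those heuristics, and diffs two logs of the same machine to separate what was removed, what was regenerated, and what was never addressed. The sample input is copied from the two logs posted above and trimmed; the EXPECTED_HOSTS allowlist and every flagging rule are assumptions made for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample input: a subset of lines copied from the two HijackThis
# logs posted in this thread (12/10/2005 and 12/11/2005), trimmed to the
# entries that matter for triage. Real HJT logs are plain text in this shape.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=63796
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [40B.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40B.tmp.exe
O4 - HKLM\..\Run: [40B.tmp.exe] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\40B.tmp.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: ms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=63796
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [F.tmp] C:\DOCUME~1\JOHN&S~1\LOCALS~1\Temp\F.tmp.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: ms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption: hosts the machine's owner plausibly set themselves (the Dell OEM
# default and the Yahoo search URL seen in the first log). Anything else in an
# R0/R1 entry is treated as a hijack.
EXPECTED_HOSTS = {"www.dellnet.com", "red.clientapps.yahoo.com"}

ENTRY_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.I)   # first .exe token, quoted or not
TEMP_RE = re.compile(r"\\Temp\\", re.I)
ROOT_EXE_RE = re.compile(r"^[A-Z]:\\[^\\]+\.exe$", re.I)

Entry = Tuple[str, str]


def parse_hjt(text: str) -> List[Entry]:
    """Return (section, body) pairs for every R*/O* line of an HJT log."""
    out: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["sec"], m["body"]))
    return out


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each suspicious entry body to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_target: Dict[str, List[str]] = defaultdict(list)  # exe path -> Run entries using it
    for sec, body in entries:
        if sec in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings[body].append(f"IE default points at unexpected host {host}")
        elif sec == "O4":
            run = RUN_RE.match(body)
            if run:
                exe = EXE_RE.match(run["cmd"])
                path = exe["exe"] if exe else run["cmd"]
                by_target[path.lower()].append(body)
                if TEMP_RE.search(path):
                    findings[body].append("autorun launched from a Temp directory")
                if path.lower().endswith(".tmp.exe"):
                    findings[body].append("executable named like a dropper temp file")
                if ROOT_EXE_RE.match(path):
                    findings[body].append("autorun launched from the drive root")
            elif body.startswith("Startup: ") and "\\" not in body:
                findings[body].append("bare executable in the user Startup folder")
    # One file registered under several Run value names is a persistence tell.
    for bodies in by_target.values():
        if len(bodies) > 1:
            for b in bodies:
                findings[b].append(f"same target registered {len(bodies)} times")
    return dict(findings)


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str], List[str]]:
    """(removed, added, still_flagged) between two logs of the same machine."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    removed = sorted(body for _, body in b - a)
    added = sorted(body for _, body in a - b)
    before_bodies = {body for _, body in b}
    still = sorted(body for body in triage(sorted(a)) if body in before_bodies)
    return removed, added, still


if __name__ == "__main__":
    for body, reasons in triage(parse_hjt(LOG_BEFORE)).items():
        print(f"[!] {body}\n      " + "; ".join(reasons))
    removed, added, still = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nremoved since first log:", *removed, sep="\n  ")
    print("new since first log:", *added, sep="\n  ")
    print("flagged in both logs (never fixed):", *still, sep="\n  ")
```

Run against full logs, the "flagged in both" list is the part worth reading first: it is the persistence that survives a fix, and here it is exactly the winstall.exe and ms.exe entries the first reply did not include. The "new since first log" list shows the regenerated .tmp.exe autoruns, which is the signature of a downloader still running rather than leftover debris.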