#1
virus/malware inside explorer.exe?
Hi,
My girlfriend has a problem with malware again. Usually I can fix those little things with HJT or Ad-Aware or something similar, but this is very different. The problem is the usual: popups, weird shortcuts on the desktop generated by this little red error cross on the taskbar, BUT the thing is that when I run the machine in Safe Mode it tags along! I've scanned the machine with several programs already and my brain is starting to fry. In Task Manager there is no suspicious process, so I suspect it is most likely inside explorer.exe, though I can be mistaken. Most programs find nothing, and if they do and I fix them, all is back in like 4 seconds. All help is appreciated. P.S. I'll upload some screens I took from my GF's PC; maybe it'll help. Check @ www.tac.ee/~vahur, all pictures titled 'crap' are the ones.
#2
That's quite a little collection she has accumulated, cody1109.
Go here and download the latest version of Hijack This. Unzip it and click on Scan. Most of the files listed will be harmless and/or required, so do not make any changes; just click on Save Log, copy it and post it back in this thread. Also run Hijack This again and click on Config > Misc Tools > Open Uninstall Manager and click on Save List. Save the log to your Desktop and then post it in this thread.
#3
Here are the logs.

Uninstall list:

ACE Mega CoDecS Pack - PlayerXP
Ace MP3 To WAV Converter
Ad-Aware SE Personal
Adobe Acrobat 5.0
Ahead Nero - Burning Rom
AntiVir/XP
BitTornado 0.2.0
Canon PhotoRecord
Canon PIXMA iP3000
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CD-LabelPrint
Convert DOC to PDF For Word 1.00
CuteFTP 7 Home
Easy-WebPrint
HijackThis 1.99.1
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment, SE v1.4.2_06
Macromedia Flash MX
Microsoft Office XP Professional with FrontPage
MSN Messenger 7.0
Nimo Codecs Pack v5.0 (Remove Only)
NOD32 antivirus system
Sentinel System Driver 5.41.1 (32-bit)
SoulSeek Client 156c
SpywareBlaster v3.3
Switch Uninstall
The Cleaner
TRADOS 6.5 Freelance
Winamp (remove only)
WinRAR archiver

and HJT:

Logfile of HijackThis v1.99.1
Scan saved at 14:10:27, on 16.05.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0390/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
#4
Aside from a hijacked start page, that log doesn't show much. Let's try Silent Runners and see what it reports. Go here and download and run Silent Runners.vbs. It generates a log too. Please post the information back in this thread.
Also go here and download FindIt's.zip to your Desktop. Unzip the files and doubleclick on FindIt's.bat to run it. A text file will open when it has finished scanning, but it may take a while, so please be patient. Post the results please.
#5
"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" [null data]
"Easy-PrintToolBox" = "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" ["CANON INC."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"AVGCtrl" = ""C:\Program Files\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"tcactive" = "C:\Program Files\The Cleaner\tca.exe" ["MooSoft Development"]
"tcmonitor" = "C:\Program Files\The Cleaner\tcm.exe" ["MooSoft Development"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [null data]

Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Marek\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Startup items in "Marek" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
imon.dll [null data], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\
(Default) = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\Program Files\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Program Files\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NOD32 Kernel Service, NOD32krn, "C:\Program Files\Eset\nod32krn.exe" [null data]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

and

Microsoft Windows XP [Version 5.1.2600]
The current date is: E 16.05.2005

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
One or more CON code pages invalid for given keyboard code

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\TSC.EXE
»»»»» lagitamate file's can/will show in this section.
* UPX! C:\WINDOWS\System32\INETWH32.DLL
* UPX! C:\WINDOWS\System32\ROBOEX32.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
 Volume in drive C has no label.
 Volume Serial Number is E099-4E4E
 Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
 Volume in drive C has no label.
 Volume Serial Number is E099-4E4E
 Directory of C:\WINDOWS\system32

13.05.2005  00:18               766 Air Tickets.ico
13.05.2005  00:18             4 286 Big Tits.ico
13.05.2005  00:18               766 BlackJack.ico
13.05.2005  00:18             2 238 Britney Spears.ico
13.05.2005  00:18             2 238 Car Insurance.ico
13.05.2005  00:18             2 238 Cigarettes.ico
13.05.2005  00:18             4 606 Credit Card.ico
13.05.2005  00:18             2 238 Cruises.ico
13.05.2005  00:18             2 238 Forex Trading.ico
13.05.2005  00:18             4 286 Lesbian Sex.ico
13.05.2005  00:18             2 238 MP3.ico
13.05.2005  00:18             2 238 Online Betting.ico
13.05.2005  00:18               766 Online Casino.ico
13.05.2005  00:18             4 286 Oral Sex.ico
13.05.2005  00:18               766 Party Poker.ico
13.05.2005  00:18               766 Pharmacy.ico
13.05.2005  00:18               766 Phentermine.ico
13.05.2005  00:18             4 286 Pornstars.ico
13.05.2005  00:18             4 534 Remove Spyware.ico
13.05.2005  00:18             2 238 Viagra.ico
              20 File(s)         48 784 bytes
               0 Dir(s)   2 192 547 840 bytes free
»»»»»»»»»»»»»»»»»»»»»»»».
#6
Here you go.
#7
Silent Runners has identified the culprit. We will have to edit the registry to get rid of the startup. Go here and download Cody.reg to your Desktop. Doubleclick on it to merge it with the registry, but do not reboot yet.
Download Killbox from here, unzip the file to your Desktop and have it ready to use. Close Internet Explorer and any open windows and run Hijack This again. Check the below entry and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0390/

When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts) and run Killbox again. Copy and paste the full file path of the below files in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

C:\WINDOWS\System32\param32.dll
C:\WINDOWS\System32\Air Tickets.ico
C:\WINDOWS\System32\Big Tits.ico
C:\WINDOWS\System32\BlackJack.ico
C:\WINDOWS\System32\Britney Spears.ico
C:\WINDOWS\System32\Car Insurance.ico
C:\WINDOWS\System32\Cigarettes.ico
C:\WINDOWS\System32\Credit Card.ico
C:\WINDOWS\System32\Cruises.ico
C:\WINDOWS\System32\Forex Trading.ico
C:\WINDOWS\System32\Lesbian Sex.ico
C:\WINDOWS\System32\MP3.ico
C:\WINDOWS\System32\Online Betting.ico
C:\WINDOWS\System32\Online Casino.ico
C:\WINDOWS\System32\Oral Sex.ico
C:\WINDOWS\System32\Party Poker.ico
C:\WINDOWS\System32\Pharmacy.ico
C:\WINDOWS\System32\Phentermine.ico
C:\WINDOWS\System32\Pornstars.ico
C:\WINDOWS\System32\Remove Spyware.ico
C:\WINDOWS\System32\Viagra.ico

Reboot and post a new Hijack This log and a new Silent Runners log. Also let us know if this PC still has a problem.
#8
Well done!
All seems to clear up, though I scanned with HJT and fixed the one start page, which did not return. Here are the logs:

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" [null data]
"Easy-PrintToolBox" = "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" ["CANON INC."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"AVGCtrl" = ""C:\Program Files\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"tcactive" = "C:\Program Files\The Cleaner\tca.exe" ["MooSoft Development"]
"tcmonitor" = "C:\Program Files\The Cleaner\tcm.exe" ["MooSoft Development"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [file not found]

Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Marek\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Startup items in "Marek" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
imon.dll [null data], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\
(Default) = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\Program Files\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Program Files\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NOD32 Kernel Service, NOD32krn, "C:\Program Files\Eset\nod32krn.exe" [null data]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

and HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:37:49, on 17.05.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
#9
The malware startup is still showing in Silent Runners although the file has been deleted, so it's not such a big deal. The Hijack This log is clean.
If you would like to get rid of the registry entry too, go here and download, unzip and run the Registry Search Tool. Type param32.dll in the dialog box. Let it run and after a few minutes a prompt will appear. Click OK to write the results to Notepad and post them.
#10
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "param32.dll" 17.05.2005 18:25:19
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\InProcServer32]
@="C:\\WINDOWS\\System32\\param32.dll"
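The SharedTaskScheduler hit in the Silent Runners log (post #5) is what ties the whole thread together: explorer.exe loads every DLL registered under that key at logon, Safe Mode included, which is why the infection survived Safe Mode and never showed as its own process, and why the CLSID registration lingered in post #9 after param32.dll itself was deleted. As an added example that is not part of this thread or of any tool it mentions, the Python below parses a REGEDIT4 export in the same format as the RegSrch result above, resolves each SharedTaskScheduler CLSID to its InProcServer32 DLL, and classifies it; the sample export, the second placeholder CLSID, the allowlist and the list of files present on disk are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple
# Constructed REGEDIT4 fragment (not a real export) modelled on the Silent Runners hit and the
# RegSrch result in this thread; the CLSID and path for param32.dll are copied from the thread,
# the second entry is a made-up benign placeholder.
SAMPLE_REG = r"""REGEDIT4
; constructed sample for the audit below

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D56A1203-1452-EBA1-7294-EE3377770000}"="Interlinking Memory Support"
"{00000000-0000-0000-0000-0000000000AA}"="Example stock component"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\InProcServer32]
@="C:\\WINDOWS\\System32\\param32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-0000000000AA}\InProcServer32]
@="C:\\WINDOWS\\System32\\example.dll"
"""

# Constructed allowlist: DLLs an administrator has vetted for this load point.
KNOWN_GOOD = {r"c:\windows\system32\example.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}; '' is the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue  # header, comment and blank lines carry no data
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else ""
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # REG_SZ: undo .reg backslash escaping
            keys[current][name] = data
    return keys


def audit_shared_task_scheduler(text: str, files_on_disk) -> List[Tuple[str, str, str, str]]:
    """Resolve every SharedTaskScheduler CLSID to its DLL and classify the load point."""
    keys = parse_reg(text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    present = {f.lower() for f in files_on_disk}
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith("\\explorer\\sharedtaskscheduler"):
            continue
        for clsid, label in values.items():
            # COM resolves the CLSID via HKLM\SOFTWARE\Classes\CLSID\{...}\InProcServer32;
            # whatever DLL sits there is mapped into explorer.exe at logon, Safe Mode included.
            server = "hkey_local_machine\\software\\classes\\clsid\\" + clsid.lower() + "\\inprocserver32"
            dll = by_lower.get(server, {}).get("")
            if dll is None:
                status = "orphaned: CLSID has no InProcServer32"
            elif dll.lower() in KNOWN_GOOD:
                status = "allowlisted"
            elif dll.lower() not in present:
                status = "dll missing on disk: stale registration, entry can be removed"
            else:
                status = "unknown dll loaded into explorer.exe: investigate"
            findings.append((clsid, label, dll or "", status))
    return findings
```

Run against a real export (regedit's "Export" of the two keys above), the same function tells apart the live state from post #5 (unknown DLL present) and the leftover state from post #9 (registration without a file).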
#12
Thanks a bunch!
I'll cry in forums if I'm in trouble. Again. :P -Cody
#13
LOL. You are welcome Cody.