TechSpot

Win32 file opens on start up

By Dave H
Jun 27, 2006
  1. I got a trojan horse which has now been removed, but every time I start up my system the Win32 file opens up. How do I stop this happening? Please remember I am a novice, so a step-by-step guide is appreciated. Thanks
     
  2. iss

    iss TechSpot Chancellor Posts: 2,896

    It sounds like you still have the trojan. Did you disable System Restore before removing the trojan? If not, then it probably reinstalled itself. To completely remove many viruses and most trojans, System Restore must be disabled. This deletes all the restore points. (Many viruses and trojans embed themselves in System Restore and reinstall themselves that way.) After you clean out the trojan you can then re-enable System Restore.
     
  3. Peddant

    Peddant TS Rookie Posts: 1,644

    Some trojans try to reinstall themselves via a copy put in the system32 folder.
    If your anti-spyware program removes the executable, that still leaves a registry key to cause problems.

    One fix is to go into msconfig > Startup and uncheck the relevant entry (if there).

    Another is to run CCleaner

    Or you can try the Microsoft registry method HERE and remove/modify the offending run key.
     
  4. HiJackThis1.99

    HiJackThis1.99 TS Rookie Posts: 87

    The solution is the registry.
    There are two places in which startup tasks are kept.

    -Use at your own risk-
    (Do not worry: if you follow this carefully and do not mess around with the other regedit entries, no harm can come.)

    Location 1)
    1) Start
    2) Run
    3) Type "regedit" and press Enter
    4) HKEY_LOCAL_MACHINE
    5) Software
    6) Microsoft
    7) Windows
    8) CurrentVersion
    9) Run
    10) Now select the string (in the right-hand pane) which is the trojan; you should know it by its name, its lack of a name, or some weird title.

    Location 2)
    1) Start
    2) Run
    3) Type "regedit" and press Enter
    4) HKEY_USERS
    5) S-1-5-21-404946625-3632811157-4202547865-1006
    6) Software
    7) Microsoft
    8) Windows
    9) CurrentVersion
    10) Run
    Again, as before, search and destroy that string.

    I recommend checking both these locations.
     
  5. Dave H

    Dave H TS Rookie Topic Starter Posts: 81

    Hya, I have tried the previous advice on this problem but it is still happening on start up. I have looked for weird names and no names in the regedit sequence but still have the problem. Am I doing it wrong? I have followed the previous instructions on all 3 replies I have had. Is there another way?

    thanks
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I have merged your new thread into this one.

    Please don`t start any more new threads for this subject. Thanks.

    A couple of things you might try are:

    A system restore to before the problem occurred. Unless of course you`ve deleted your restore points as advised by iss.

    Go and read this thread HERE and post a HJT log as a .txt attachment into this thread. I`ll take a look and tell you if your system is free from infections.

    Regards Howard :)
     
  7. Dave H

    Dave H TS Rookie Topic Starter Posts: 81

    Here is the HJT file.

    I have done as you requested. I hope it is right; I could not find the title to change but think this is OK.

    Thanks
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    EasyBits Magic Desktop Services for Windows NT (ezntsvc)

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    ezShellStart.exe
    ezNTSvc.exe
    AOLDial.exe

    Close task manager.



    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\ezShellStart.exe

    O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - (no file)

    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    O23 - Service: EasyBits Magic Desktop Services for Windows NT (ezntsvc) - EasyBits Software Corp. - C:\WINDOWS\system32\ezNTSvc.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\system32\ezNTSvc.exe
    C:\WINDOWS\system32\ezShellStart.exe

    Reboot into normal mode and turn system restore back on.

    Let us know if this helps.

    Regards Howard :)
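As an added example that is not part of the thread or any poster's instructions: a read-only PowerShell audit of the startup locations the replies above walk through by hand (the HKLM and HKEY_USERS Run keys from post 4, and the Winlogon Userinit and service entries that HJT reports as F2 and O23 in post 8). It assumes PowerShell 3 or later on an elevated prompt so that other users' hives under HKEY_USERS are readable; it changes nothing, it only lists and flags entries for a human to review.

```powershell
# Added audit script (not from the thread). Read-only: prints startup entries
# from the locations discussed above and flags the patterns the posts describe.
# Assumes PowerShell 3+ run as Administrator.

# Location 1, plus the logged-on user's own hive (Location 2 for that user).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Location 2 for every loaded profile: the S-1-5-21-... hives under HKEY_USERS.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem 'HKU:\') {
    if ($hive.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    }
}

$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($v in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $v.Name) { continue }     # provider bookkeeping, not a value
        $note = ''
        # Post 4's hint: an unnamed or oddly named value is suspicious.
        if ($v.Name -eq '(default)' -or $v.Name.Trim() -eq '') { $note += ' <- unnamed value' }
        # Post 3's case: the executable was removed but its Run value was left behind.
        $exe = if ($v.Value -match '^"?([^"]+?\.exe)') { $matches[1] } else { [string]$v.Value }
        if (-not (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)) { $note += ' <- target not on disk' }
        '{0}  [{1}] = {2}{3}' -f $key, $v.Name, $v.Value, $note
    }
}

# The F2 line in the HJT log is this Winlogon value. Stock Windows runs only
# userinit.exe; a second path after the comma is the pattern shown above.
$userinit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Userinit
$stock = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($userinit -ine $stock) { "Winlogon Userinit is non-default: $userinit" }

# The O23 lines: auto-start services and the binary each one launches.
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    Select-Object Name, DisplayName, PathName | Format-Table -AutoSize
```

Compare each printed entry against the list HJT produced; an entry flagged here but absent from the HJT log is the kind of thing the later posts suspect a second scanner is needed for.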
     
  9. Dave H

    Dave H TS Rookie Topic Starter Posts: 81

    still appears

    I have tried this twice and checked both times step by step, but the file still appears. Any ideas? Must say I enjoyed trying to solve the problem.


    Thanks
    Dave H
     
  10. Peddant

    Peddant TS Rookie Posts: 1,644

    Have you tried unchecking everything in msconfig > Startup?
     
  11. Dave H

    Dave H TS Rookie Topic Starter Posts: 81

    msconfig start up just tried

    Yes, I have just tried it and I still got the file at start up. I have also gone through every bit of advice again. Does this mean I will have to stay with it? Why do people make these things happen? Do they get a kick out of it at someone else's expense? Any other advice would be appreciated; maybe I have done something wrong. I will try all advice again.


    Thanks for everyones help so far

    Dave H
     
     
  12. Peddant

    Peddant TS Rookie Posts: 1,644

    Howard normally likes to see a fresh log after the removal instructions have been given. Just to be sure.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Yes Peddant, normally I do, but in this case I don`t think it`d be of much help.

    However, what I do suggest is Dave H goes HERE and follows all the instructions exactly.

    The reason I`d like him to do that is because I`m wondering if he has some kind of infection that doesn`t show up in a HJT log. The above instructions may well get rid of anything nasty that`s lurking undetected by HJT.

    On the other hand, it might not do any good, but I feel it`s worth a try.

    Regards Howard :)
     
  14. Dave H

    Dave H TS Rookie Topic Starter Posts: 81

    Fresh Log

    Will start on the next step as advised.




    Thanks
    Dave H
     
  15. Dave H

    Dave H TS Rookie Topic Starter Posts: 81

    Sorry wrong place again

    Sorry, posted wrong again. I understand now, and yes, it is well appreciated what you all do.



    Dave H
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    One of those entries I asked you to fix is still there.

    Download the Pocket kill box from HERE. Extract it, but don`t run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    ezNTSvc

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    ezShellStart.exe
    ezNTSvc.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there):

    O23 - Service: EasyBits Magic Desktop Services for Windows NT (ezntsvc) - EasyBits Software Corp. - C:\WINDOWS\system32\ezNTSvc.exe

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

    These are the file paths to enter into killbox:

    C:\WINDOWS\system32\ezNTSvc.exe
    C:\WINDOWS\system32\ezShellStart.exe

    Once your computer has rebooted, turn system restore back on.

    Let us know how your system is running.


    Regards Howard :)
     
  17. Peddant

    Peddant TS Rookie Posts: 1,644

    Kelly`s Korner has a script file that claims to stop system32 opening.
    Number 260, right-hand side, HERE.

    We`ve reached the "anything`s worth a try" phase.
     
  18. Dave H

    Dave H TS Rookie Topic Starter Posts: 81

    It`s fixed

    I ran Ewido and it found 40 spyware items; after deleting them the Win32 file does not open anymore. Thanks to everyone who helped with the advice. I enjoyed trying to solve the problem. I learn more on this site than I did on a 6 month IT course.
    Well done, and again thank you.

    Dave H
     
  19. Peddant

    Peddant TS Rookie Posts: 1,644

    :confused: It`s odd they weren`t in your HJT. If you could mention some of their names, it would be useful to know. A log maybe?

    Glad it`s fixed anyway. Next time somebody gets that problem, they can come to you. :)
     
  20. Dave H

    Dave H TS Rookie Topic Starter Posts: 81

    report of deleted spy-ware

    I have highlighted and copied the report. Can I paste it on here? I don`t want to do something wrong.


    Dave
     
  21. Peddant

    Peddant TS Rookie Posts: 1,644

    If you can attach it as a .txt that would be nice, but if you can`t, Howard will let you off if you paste it in :)
     
  22. Peddant

    Peddant TS Rookie Posts: 1,644

    Interesting - Howard will advise.
     
  23. Dave H

    Dave H TS Rookie Topic Starter Posts: 81

    Oops, sorry

    Sorry, I should have waited for advice. They are just a list of names. I would appreciate it if you let me know what caused it. I share this computer with my son, so I can advise him.


    Thanks
    Dave
     
  24. Peddant

    Peddant TS Rookie Posts: 1,644

    No problem. It was me who asked you to post the log :)

    I could probably give you half an answer, but Howard will give you a full one.
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    The two most interesting entries in your Ewido log are these:

    C:\Program Files\EasyBits For Kids\ezDialUp.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\Program Files\EasyBits For Kids\ezRasStatus.exe -> Heuristic.Win32.Dialer : Ignored.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programs in your control panel and uninstall anything to do with (if there):

    Easybits for kids.

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    ezDialUp.exe
    ezRasStatus.exe

    Close task manager.

    Delete the following bold entries (if there):

    C:\Program Files\EasyBits For Kids

    Reboot into normal mode and turn system restore back on.

    Run a fresh Ewido scan and post the log as a .txt attachment please.

    Regards Howard :)
     