Win32 file opens on start up

Status
Not open for further replies.

Dave H

I got a trojan horse which has now been removed, but every time I start up my system the Win32 file opens up. How do I stop this happening? Please remember I am a novice, so a step by step guide would be appreciated. Thanks.
 
It sounds like you still have the trojan. Did you disable System Restore before removing the trojan? If not, then it probably reinstalled itself. To completely remove many viruses and most trojans, System Restore must be disabled. This deletes all the restore points. (Many viruses and trojans embed themselves in System Restore and reinstall themselves that way.) After you clean out the trojan you can then re-enable System Restore.
 
Some trojans try to reinstall themselves via a copy put in the system32 folder.
If your anti-spyware program removes the executable, that still leaves a registry key to cause problems.

One fix is to go into msconfig start up and uncheck the relevant entry (if there).

Another is to run CCleaner

Or you can try the Microsoft registry method HERE and remove/modify the offending run key.
 
The solution is the registry.
There are two places which startup tasks are kept.

-Use at your own risk-
(Do not worry: if you follow this carefully and do not mess around with the regedit files, no harm can come.)
Location 1)
1)Start
2)Run
3)Type "regedit" and click enter
4)HKEY_LOCAL_MACHINE
4.5)Software
5)Microsoft
6)Windows
7)Current Version
8)Run
9)Now select the string (on the right screen) which is the trojan; you should know it by its name, lack of name, or some weird title.

Location 2)
1)Start
2)Run
3)regedit and enter
4)HKEY_USERS
5)S-1-5-21-404946625-3632811157-4202547865-1006
6)Software
7)Microsoft
8)Windows
9)Current Version
10)Run
Again as before search and destroy that string

I recommend to check both these locations
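As an added example (not from the thread), the following PowerShell lists every Run and RunOnce autostart entry under HKEY_LOCAL_MACHINE and under each loaded user hive in HKEY_USERS, so the two locations in the post can be reviewed for all user SIDs at once rather than one SID in regedit. It is read-only and only reports; the SID filter and the executable-path extraction are my own assumptions, not anything the post specifies.

```powershell
# Added example: enumerate Run/RunOnce autostart entries for the machine and
# every per-user hive currently loaded under HKEY_USERS. Read-only.
$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line such as "C:\x y\a.exe" /arg
# (quoted) or C:\x\a.exe /arg (unquoted). Assumption: paths end in .exe.
function Get-ExePath([string]$Command) {
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^(.+?\.exe)') { return $Matches[1] }
    return $Command
}

function Get-RunEntries([string]$HivePath, [string]$Owner) {
    foreach ($sub in $subKeys) {
        $key = "$HivePath\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $p.Value))
            [pscustomobject]@{
                Owner   = $Owner
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                # A value whose file no longer exists is a stale key left behind
                # after the executable was removed, the case described in the post
                Exists  = Test-Path -LiteralPath $exe
            }
        }
    }
}

$entries = @(Get-RunEntries -HivePath 'HKLM:' -Owner 'Machine')
# Loaded user hives appear under HKEY_USERS named by SID (S-1-5-21-...-RID);
# assumption: only domain/local account SIDs of that shape are of interest here
$userHives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
foreach ($hive in $userHives) {
    $entries += Get-RunEntries -HivePath "Registry::$($hive.Name)" -Owner $hive.PSChildName
}
$entries | Sort-Object Owner, Name | Format-Table Owner, Name, Exists, Command -AutoSize
```

Entries with Exists = False, or with no name and an odd path, are the ones the post tells you to look at; the script deletes nothing, so removal is still a manual regedit step.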
 
Hiya, I have tried the previous advice on this problem but it is still happening on start up. I have looked for weird names and no names in the regedit sequence but still have the problem. Am I doing it wrong? I have followed previous instructions on all 3 replies I have had. Is there another way?

thanks
 
I have merged your new thread into this one.

Please don't start any more new threads for this subject. Thanks.

A couple of things you might try are:

A system restore to before the problem occurred. Unless of course you've deleted your restore points as advised by iss.

Go and read this thread HERE, and post a HJT log as a .txt attachment into this thread. I'll take a look and tell you if your system is free from infections.

Regards Howard :)
 
Here is the Hjt file

I have done as you requested. I hope it is right; I could not find the title to change, but think this is ok.

Thanks
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

EasyBits Magic Desktop Services for Windows NT (ezntsvc)

close the services window.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ezShellStart.exe
ezNTSvc.exe
AOLDial.exe

Close task manager.



Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\ezShellStart.exe

O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - (no file)

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O23 - Service: EasyBits Magic Desktop Services for Windows NT (ezntsvc) - EasyBits Software Corp. - C:\WINDOWS\system32\ezNTSvc.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\ezNTSvc.exe
C:\WINDOWS\system32\ezShellStart.exe

Reboot into normal mode and turn system restore back on.

Let us know if this helps.

Regards Howard :)
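As an added example (not from the thread or from HJT), this PowerShell checks the two persistence points that the F2 and O23 lines above point at: the Winlogon UserInit value, which Windows treats as a comma-separated list of programs to run at logon, and the state and image path of a named service. The default service name 'ezntsvc' is taken from the log; it reports only unless -Disable is given, in which case it needs an elevated prompt.

```powershell
# Added example: audit UserInit (F2 line) and a service entry (O23 line).
param([string]$ServiceName = 'ezntsvc', [switch]$Disable)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userInit = (Get-ItemProperty -Path $winlogon -Name UserInit).UserInit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'

# Every entry in the list runs at logon, so anything besides the real
# userinit.exe (the default value is "...\userinit.exe,") is an extra program,
# which is exactly what the F2 line in the HJT log reports.
$extra = $userInit.Split(',') | ForEach-Object { $_.Trim() } |
         Where-Object { $_ -and ($_ -ine $expected) }
if ($extra) {
    Write-Warning "UserInit runs extra program(s): $($extra -join '; ')"
    if ($Disable) {
        # Restore the default value, trailing comma included
        Set-ItemProperty -Path $winlogon -Name UserInit -Value "$expected,"
    }
} else {
    Write-Output "UserInit is the default: $userInit"
}

# Win32_Service carries the image path and start mode that the O23 line shows
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    Write-Output ("Service {0}: state={1} start={2} path={3}" -f
        $svc.Name, $svc.State, $svc.StartMode, $svc.PathName)
    # Flag a service whose binary is already gone: the service entry is
    # orphaned and still worth removing from the registry
    if (-not (Test-Path -LiteralPath ($svc.PathName.Trim('"')))) {
        Write-Warning "Service binary not found on disk: $($svc.PathName)"
    }
    if ($Disable) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        Set-Service -Name $ServiceName -StartupType Disabled
    }
} else {
    Write-Output "Service $ServiceName is not installed"
}
```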
 
still appears

I have tried this twice and checked both times step by step, but the file still appears. Any ideas? Must say I enjoyed trying to solve the problem.


Thanks
Dave H
 
msconfig start up just tried

Yes, I have just tried it and I still got the file at start up. I have also gone through every bit of advice again. Does this mean I will have to stay with it? Why do people make these things happen? Do they get a kick out of someone else's expense? Any other advice would be appreciated; maybe I have done something wrong. I will try all advice again.


Thanks for everyones help so far

Dave H
 
Howard normally likes to see a fresh log after the removal instructions have been given. Just to be sure.
 
Peddant said:
Howard normally likes to see a fresh log after the removal instructions have been given. Just to be sure.

Yes Peddant, normally I do, but in this case I don't think it'd be of much help.

However, what I do suggest is Dave H goes HERE and follows all the instructions exactly.

The reason I'd like him to do that is because I'm wondering if he has some kind of infection that doesn't show up in a HJT log. The above instructions may well get rid of anything nasty that's lurking undetected by HJT.

On the other hand, it might not do any good, but I feel it's worth a try.

Regards Howard :)
 
Sorry wrong place again

Sorry, posted wrong again. Understand now, and yes, well appreciated for what you all do.



Dave H
 
One of those entries I asked you to fix are still there.

Download the Pocket Killbox from HERE. Extract it, but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

ezNTSvc

close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ezShellStart.exe
ezNTSvc.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O23 - Service: EasyBits Magic Desktop Services for Windows NT (ezntsvc) - EasyBits Software Corp. - C:\WINDOWS\system32\ezNTSvc.exe

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

These are the filepaths to enter into killbox.

C:\WINDOWS\system32\ezNTSvc.exe
C:\WINDOWS\system32\ezShellStart.exe

Once your computer has rebooted, turn system restore back on.

Let us know how your system is running.


Regards Howard :)
 
Kelly's Korner has a script file that claims to stop system32 opening.
Number 260, right hand side, HERE.

We've reached the "anything's worth a try" phase.
 
It's fixed

I ran Ewido and it found 40 spyware. After deleting, the win32 file does not open anymore. Thanks to everyone who helped with the advice. I enjoyed trying to solve the problem. I learn more on this site than I did on a 6 month IT course.
Well done and again thank you.

Dave H
 
Dave H said:
I ran Ewido and it found 40 spyware
:confused: It's odd they weren't in your HJT. If you could mention some of their names, it would be useful to know. A log maybe?

Glad it's fixed anyway. Next time somebody gets that problem, they can come to you. :)
 
report of deleted spy-ware

I have highlighted and copied the report. Can I paste it on here? Don't want to do something wrong.


Dave
 
If you can attach it as a .txt that would be nice, but if you can't, Howard will let you off if you paste it in :)
 
Oops, sorry

Sorry, I should have waited for advice. They are just a list of names. I would appreciate it if you let me know what caused it. I share this computer with my son, so I can advise.


Thanks
Dave
 
Dave H said:
Sorry, I should have waited for advice.
No problem. It was me who asked you to post the log :)

I could probably give you half an answer, but Howard will give you a full one.
 
The two most interesting entries in your Ewido log are these:

C:\Program Files\EasyBits For Kids\ezDialUp.exe -> Heuristic.Win32.Dialer : Ignored.
C:\Program Files\EasyBits For Kids\ezRasStatus.exe -> Heuristic.Win32.Dialer : Ignored.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to Add/Remove Programs in your Control Panel and uninstall anything to do with (if there):

Easybits for kids.

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ezDialUp.exe
ezRasStatus.exe

Close task manager.

Delete the following bold entries (if there):

C:\Program Files\EasyBits For Kids

Reboot into normal mode and turn system restore back on.

Run a fresh Ewido scan and post the log as a .txt attachment please.

Regards Howard :)
 