Jump to content

Hijack.Shell infected Explorer.exe


Recommended Posts

Hi Guys,

Need your help on this case. My problem is that whenever I restart my PC, my windows will show nothing but the My Document folder. No wallpaper, no task bar. I just have to start Task Manager and run Explorer.exe.

Malwarebyte able to detect this Hijack.Shell on Explorer.exe. But everytime I remove it, it will happen the same thing. By the way this is my Hijack This log, please check and help.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:02:48 AM, on 12/9/2010

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

Running processes:

D:\PROGRAM FILES\PANDA SECURITY\PANDA GLOBAL PROTECTION 2010\WebProxy.exe

D:\Windows\system32\taskhost.exe

D:\Windows\system32\Dwm.exe

D:\Windows\explorer.exe

D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

D:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe

D:\Program Files\iTunes\iTunesHelper.exe

D:\Program Files\Panda Security\Panda Global Protection 2010\ApVxdWin.exe

D:\Windows\System32\igfxtray.exe

D:\Windows\System32\hkcmd.exe

D:\Windows\System32\igfxpers.exe

D:\Program Files\uTorrent\uTorrent.exe

D:\Windows\system32\igfxsrvc.exe

D:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

D:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Mozilla Firefox\plugin-container.exe

D:\Windows\system32\NOTEPAD.EXE

D:\Windows\system32\SearchFilterHost.exe

D:\Users\Home\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - D:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe jrnh.aso ldsgtn

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL (file missing)

O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll

O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - D:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (file missing)

O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll

O4 - HKLM\..\Run: [RtHDVCpl] D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s

O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre7\bin\jusched.exe"

O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe

O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun

O4 - HKLM\..\Run: [bCSSync] "D:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "D:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [AppleSyncNotifier] D:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask .exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Security\Panda Global Protection 2010\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sCANINICIO] "D:\Program Files\Panda Security\Panda Global Protection 2010\Inicio.exe"

O4 - HKLM\..\Run: [igfxTray] D:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] D:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] D:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [uTorrent] "D:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [AlcoholAutomount] "D:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] D:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] D:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://D:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: @D:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra 'Tools' menuitem: @D:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B12A5EE-55B8-443C-8D3D-9ABB3FE19255}: NameServer = 202.188.0.133,202.188.1.5

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B12A5EE-55B8-443C-8D3D-9ABB3FE19255}: NameServer = 202.188.0.133,202.188.1.5

O17 - HKLM\System\CS2\Services\Tcpip\..\{0B12A5EE-55B8-443C-8D3D-9ABB3FE19255}: NameServer = 202.188.0.133,202.188.1.5

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - D:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - D:\Windows\system32\ASTSRV.EXE

O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

O23 - Service: KMService - Unknown owner - D:\Windows\system32\srvany.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: Panda Software Controller - Panda Security, S.L. - D:\Program Files\Panda Security\Panda Global Protection 2010\PsCtrls.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - D:\Program Files\Panda Security\Panda Global Protection 2010\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - D:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - D:\Program Files\Panda Security\Panda Global Protection 2010\pavsrvx86.exe

O23 - Service: Panda Host Service (PSHost) - Unknown owner - d:\program files\panda security\panda global protection 2010\firewall\PSHOST.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - D:\Program Files\Panda Security\Panda Global Protection 2010\PsImSvc.exe

O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - D:\Program Files\Panda Security\Panda Global Protection 2010\PskSvc.exe

O23 - Service: SolidConverterPDFv4ReadSpool (SCPDFV4ReadSpool) - Solid Documents, LLC - D:\Windows\Installer\MSI3BBB.tmp

O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)

O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - D:\Program Files\Panda Security\Panda Global Protection 2010\TPSrv.exe

--

End of file - 9419 bytes

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++

This is the log from Malwarebyte

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4594

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

12/9/2010 5:38:40 AM

mbam-log-2010-09-12 (05-38-40).txt

Scan type: Full scan (C:\|D:\|G:\|)

Objects scanned: 395089

Time elapsed: 6 hour(s), 34 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe jrnh.aso ldsgtn) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

D:\Program Files\WinRAR\WinRAR_KEYGEN.exe (RiskWare.Agent.CK) -> Quarantined and deleted successfully.

G:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

G:\Program Files\WinRAR\WinRAR_KEYGEN.exe (RiskWare.Agent.CK) -> Quarantined and deleted successfully.

G:\RECYCLER\S-1-5-21-1220945662-57989841-839522115-1003\Dc62\defrag.exe (Worm.Autorun.;) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hi, Nurashid NM :P

;)

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Standard Registry to All
    • Under File Scans, change File age to 30

    [*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of the OTL.txt file and attach the Extras.Txt, if any, in your next reply.

Link to post
Share on other sites

Hi,

Somehow I manage to rectify the problem. What I did was change the value of the Registry Key to 'explorer.exe'

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe jrnh.aso ldsgtn) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Link to post
Share on other sites

  • 2 weeks later...
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.