• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Fwahaha

Explorer.dll trojan file

9 posts in this topic

I have just recently installed AVG anti-virus and now it has found a problem which it can't fix. It has found a trojan within c:\windows\system32\explorer.dll . It also says in the logfile that it is named psw.sclog.c and psw.slog.b. . AVG has no information on this particluar set of files. The only thing that I have noticed from this is that nearly half of the smileys on the left side of the create post thing are not there along with many other pictures online. This is new. This is probably becuase of something else, but I need help removing this trojan either way.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:13:54 AM, on 5/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\program files\aim\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Grisoft\AVG6\avgw.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Documents and Settings\Bob\My Documents\installers\hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [AIM] C:\program files\aim\aim.exe -cnetwait.odl

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab

O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38093.780462963

O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

Good luck helping me and thanks.

Share this post


Link to post
Share on other sites

Hi,

1) Restart in Safe Mode (see "How To:" below)

2) Enable Hidden Files (see "How To:" below)

 

Locate and delete the following:

 

c:\windows\system32\explorer.dll

 

While still in Safe Mode:

Close all open windows, rescan with HijackThis and "Fix checked" the following:

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)

O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)

 

Restart normally and run a full system AVG scan, reboot and post a fresh log ...

Share this post


Link to post
Share on other sites

Hi,

is explorer.dll not a neccessary file for my computer to run

No, "explorer.dll" is NOT a valid file, it's most likely this one: Backdoor.IRC.Ratsou.B

 

Or this one > PWS-SCKeylog

It also says in the logfile that it is named psw.sclog.c and psw.slog.b.

AVG does not use the same naming methods as the other major AV apps. But I'd say that is a pretty close match.

Share this post


Link to post
Share on other sites

What of the pictures not showing up? I have not noticed this problem until the time that this trojan showed up. I know this may be slightly off topic, but it is bothering me!

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0