 |  |  |  |  |  |  |  |
 |
HI ALL.NEED A LITTLE HELP
HAVE A PROG THAT TRYS TO ACCESS THE NET FROM MY PC.. DONT KNOW WHAT IT IS SO IVE BLOCKED IT.
THIS IS WHERE MCAFEE SAYS IT IS...C:WINDOWS\system32\sys32\EOMD.EXE
BUT WHEN ITRY TO FIND IT IN SYSTEM32 ITS NOT THERE....TASK MANAGER SAYS ITS RUNNING.
VIRUS SCAN DID NOT FIND ANYTHING....A LITTLE HELP FOLKS...MANY THANKS.
HAVE A PROG THAT TRYS TO ACCESS THE NET FROM MY PC.. DONT KNOW WHAT IT IS SO IVE BLOCKED IT.
THIS IS WHERE MCAFEE SAYS IT IS...C:WINDOWS\system32\sys32\EOMD.EXE
BUT WHEN ITRY TO FIND IT IN SYSTEM32 ITS NOT THERE....TASK MANAGER SAYS ITS RUNNING.
VIRUS SCAN DID NOT FIND ANYTHING....A LITTLE HELP FOLKS...MANY THANKS.
DOGS CAN LOOK UP
•
•
Join Date: May 2006
Posts: 599
Reputation: 
Solved Threads: 36
A.K.A. The Laughing Man
Look at the Stickies and download HiJack This from those directions run it and copy and paste the log to here. Thx.
"I thought what I'd do was, I'd pretend I was one of those Deaf-Mutes"..."Or should I?"--The Laughing Man
Check out my sig pic.
Check out my sig pic.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
hope you looked in sys32... if you didn't do an Explorer Search... sys32 is fake folder anyway.
Deep, deep in the woods, but walking about.
Hey. I just detected the same prog in my computer. My activearmor from nvidia caught it. and this is the log i received.
c:\windows\system32\sys32\eomd.exe is attempting to access the network. Process ID: 1800, Socket Type: client, Protocol: TCP, Destination IP: 64.233.163.27, Destination Port: 25, Source IP: , Source Port: 0.
NOD32 detected as a keylogger. In that sys32 folder, there are eomd.001, eomd.002, eomd.003, etc... What did you do recently?
1. reinstalled windows.
2. downloaded adobe reader.
3. installed nero.
those are the things i did recently and my activearmor caught it. I am trying to get rid of it from my computer. any help is appreciated. Thanks.
c:\windows\system32\sys32\eomd.exe is attempting to access the network. Process ID: 1800, Socket Type: client, Protocol: TCP, Destination IP: 64.233.163.27, Destination Port: 25, Source IP: , Source Port: 0.
NOD32 detected as a keylogger. In that sys32 folder, there are eomd.001, eomd.002, eomd.003, etc... What did you do recently?
1. reinstalled windows.
2. downloaded adobe reader.
3. installed nero.
those are the things i did recently and my activearmor caught it. I am trying to get rid of it from my computer. any help is appreciated. Thanks.
•
•
Join Date: May 2006
Posts: 599
Reputation:
Solved Threads: 36
A.K.A. The Laughing Man
Well in that case just delete the folder
C:Windows/System32/Sys32/
That should get rid of that keylogger, but i would still like a HJT log to make sure nothing else got infected.
C:Windows/System32/Sys32/
That should get rid of that keylogger, but i would still like a HJT log to make sure nothing else got infected.
"I thought what I'd do was, I'd pretend I was one of those Deaf-Mutes"..."Or should I?"--The Laughing Man
Check out my sig pic.
Check out my sig pic.
After I deleted the file, I ran CCleaner and this is my log.
Thanks for all the help.
Logfile of HijackThis v1.99.1
Scan saved at 7:12:32 PM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\My Documents\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O13 - Gopher Prefix:
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeThanks for all the help.
•
•
Join Date: May 2006
Posts: 599
Reputation:
Solved Threads: 36
A.K.A. The Laughing Man
There is only one thing in your log that is malicious and it is the 013
entry. Have you noticed that when you type something into the address bar(in IE at least) that if you don't put http:// it will change it to something else. Because thats what the 013 is doing.
To get rid of that run HJT and put a checkmark next to the following.
O13 - Gopher Prefix:
Now click fix checked.
There you go your all clean.
entry. Have you noticed that when you type something into the address bar(in IE at least) that if you don't put http:// it will change it to something else. Because thats what the 013 is doing.
To get rid of that run HJT and put a checkmark next to the following.
O13 - Gopher Prefix:
Now click fix checked.
There you go your all clean.
"I thought what I'd do was, I'd pretend I was one of those Deaf-Mutes"..."Or should I?"--The Laughing Man
Check out my sig pic.
Check out my sig pic.
|
Similar Threads
- svchost.exe using 100% cpu! (Windows NT / 2000 / XP)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Help!! I Have The "new Poly Win32 Virus" Plz Help
- Next Thread: pmkhg.dll & mljgggg.dll
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exploit facebook fake gaming gtaiv gumblar halloween herss.exe hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirecting reliability report research risk rogueantivirus samhain sans scareware school search security sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted usa virus viruses war warning windows worm yahoo zeroday
