Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HiJackThis Log


  • Please log in to reply
16 replies to this topic

#1 eden517

eden517

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 11 February 2005 - 01:11 PM

I have a PC that has been infected with some adware/spyware. I have done the following so far and inclueded the HiJackThis log:

Save Hijackthis.exe in a permanent folder named hijackthis on the root of your C:\drive. Double-click on My Computer; double-click on your hard drive, (usually the C:\drive) right-click on a blank area, choose New, choose Folder, name the folder hijackthis. Now, place Hijackthis.exe in this folder.

Second, before using HijackThis, let's try to remove as much as we can with a few malware utilities.

Step 1:
Please go to Start, Settings, Control Panel, Add/Remove Programs, and uninstall any unknown or suspicious looking programs and/or toolbars. After the uninstall process is complete, reboot the PC and see if your symptoms have disappeared. If the same symptoms still exist following the reboot, proceed to Step 2.

Step 2:
Download and install the latest version of Ad-Aware SE here

NOTE: If you are still using Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE.
Please configure the program by following these instructions here. Before scanning click on "Check for updates now" to make sure you have the latest reference file.

Please do not run a scan with Ad-Aware yet.

Step 3:
Download CWShredder™ Version 2.1 here and save it to its own folder named CWShredder. Save it at the root of the C:\drive the same location as HijackThis.

Please do not run a scan with CWShredder yet.

Step 4:
Download and install the Microsoft AntiSpyware program here.
Please configure the program by following these instructions here. Before scanning click on "File" then click "Check for Updates" to make sure you have the latest reference files.

Please do not run a scan with the Microsoft AntiSpyware program yet.

Step 5:
Download and install the latest version of Spybot here.
Please configure the program by following these instructions here. Before scanning click on "Search for Updates" then click "Download Updates" to make sure you have the latest reference files.

Please do not run a scan with Spybot yet.

Step 6:
Download and install CCleaner here.

Please do not run the CCleaner utility yet.

Step 7:
Download the eScan Antivirus Toolkit here. Save it to the desktop. Before running the program, we need to update the signature files first.

Step 8:
Updating the eScan Antivirus Toolkit with the latest files:
1.) Double-click on the mwav.exe file saved to the desktop; it will extract the program files to new folder called Kaspersky at the root of the C:\drive in Windows, C:\Kaspersky.
2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file.
3.) Double-clicking on the kavupd.exe file open the command prompt (DOS screen) and update the program with all the latest signature files. By default, the update process creates a folder on the root of the C:\drive called Downloads. This is where the updated files are placed.
4.) After the update is complete, copy and paste these new updated signature files (from the C:\Downloads folder) to the C:\Kaspersky folder where eScan originally extracted the antivirus program files.

Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Step 9:
If you think you have the about:blank hijacker or you experience long delays trying to go to websites or you are redirected to various search pages or get constant popup ads, please download CWShredder™ Version 2.1 here. Save it to its own folder named CWShredder and place it at the root of your C:\drive along with HijackThis. There is a variant of the Coolwebsearch trojan that closes several anti-spyware programs when you try to open them. If this is happening to you, download the CoolWWWSearch.SmartKiller removal tool here first and run it. After it completes its scan, CWShredder and HijackThis should run properly.

Please do not run a scan with the CWShredder utility yet.

Step 10:
Please enable all hidden files and folders in Windows. For instructions click here

Step 11:
Please reboot into Safe Mode. For instructions click here

Step 12:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.
2.) Double-click on the mwavscan.com file; this will open the eScan program.
3.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are checked.
4.) Check the Drive box, this will create a another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
6.) Click the Scan Clean (or Scan) button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed.

Step 13:
From Safe Mode, run the CWShredder program you downloaded earlier. Double-click on CWShredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

Step 14:
From Safe Mode, run the Microsoft AntiSpyware program you downloaded and configured earlier, click "Spyware Scan", "Spyware Options" click "Full System Scan" place checks in all boxes, let it scan the hard drive and delete all entries it finds.

Step 15:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

Step 16:
From Safe Mode, run the Spybot program you downloaded and configured earlier, click "Check for problems", let it scan the hard drive and delete all entries it finds.

Step 17:
From Safe Mode, open CCleaner, click on Options, Settings, uncheck the box "Only delete files in Windows Temp folders older than 48 hours", click OK. Using the default settings, click Run Cleaner and let it scan for all files and folders. (You'll see the results in the large Progress window.) Click Exit and reboot the PC. Now all the temp files and folders are clean, even your index.dat files are gone.

Step 18:
When you have completed scanning with all the malware removal utilities above, please reboot the PC back into Normal mode. (Windows)

Step 19:
Now reboot back into Normal Mode (Windows) and open HijackThis, click on "Do a system scan and save and save a logfile", copy and paste the entire contents of the logfile here for review.

Logfile of HijackThis v1.99.0
Scan saved at 1:05:34 PM, on 2/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\LDClient\LOCALSCH.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EDENAD.com
O17 - HKLM\Software\..\Telephony: DomainName = EDENAD.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EDENAD.com
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\LDClient\LOCALSCH.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk® Management Agent - Unknown - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

After running this, the Microsoft AntiSpam is still catching e2give trying to install or do something.

Thank you in advance.

BC AdBot (Login to Remove)

 


m

#2 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 11 February 2005 - 02:24 PM

I don't see any E2Give files running in your log.

Click Start, Settings, Control Panel Add/Remove Programs look for anything E2Give and click Remove.

Go to this location: C:\Program Files\E2Give <----Remove this folder
Go to this location: C:\E2G <----Remove this folder

The eScan (Kaspersky) utility should have successfully deleted this Trojan. The DLLs associated with it are iebhos.dll and iechos.dll

#3 eden517

eden517
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 11 February 2005 - 03:01 PM

Before running through the steps. I tried to remove E2Give through Add/Remove programs. But nothing happened when I tried it and it stayed in the Add/Remove Program list. So I deleted the E2g folder through Windows Explorer. I did a search for the 2 dlls associated with E2Give, and found nothing.

Right now, the Microsoft AntiSpam is blocking E2Give from installing when the computer is starting up. I get two popups, and that's it. No other problems are occurring. I am thinking that maybe I should install E2Give and then try and uninstall it to see if that gets rid of it. But I probably run the risk of adding adware back on the system. What do you think?

#4 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 11 February 2005 - 04:04 PM

I am thinking that maybe I should install E2Give and then try and uninstall it to see if that gets rid of it. What do you think?
No, don't reinstall.

So I deleted the E2g folder through Windows Explorer
That should take care of it. Here is a registry fix as well.

Copy the contents of the Quote Box to Notepad. Name the file as e2givefix.reg. Change the Save as Type to All Files. Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\E2G]
[-HKEY_CLASSES_ROOT\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]
[-HKEY_CLASSES_ROOT\AppID\IeBHOs.DLL]
[-HKEY_CLASSES_ROOT\IeBHOs.Control.1]
[-HKEY_CLASSES_ROOT\IeBHOs.Control]
[-HKEY_CLASSES_ROOT\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]
[-HKEY_CLASSES_ROOT\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]


Then double-click on the e2givefix.reg file, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Edited by SirJon, 11 February 2005 - 04:06 PM.


#5 eden517

eden517
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 11 February 2005 - 04:42 PM

I tried the regedit fix, and unfortunately something is still trying to install E2Give upon startup. Microsoft AntiSpy is flagging it.

#6 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 11 February 2005 - 04:52 PM

Does the MS Antispyware give you a filename?
By the way, did you reboot the PC after deleting the E2G folder and after using the e2givefix.reg file? If you didn't, please do. After rebooting the PC, post a new HJT log here for review.

Edited by SirJon, 11 February 2005 - 04:55 PM.


#7 eden517

eden517
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 11 February 2005 - 04:57 PM

It says that E2Give is trying to install, no particular file name. I did reboot after using the reg fix. I deleted the E2G folder this morning before running through the steps.

#8 eden517

eden517
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 11 February 2005 - 05:01 PM

Logfile of HijackThis v1.99.0
Scan saved at 5:01:26 PM, on 2/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\LDClient\LOCALSCH.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\prutpct.exe
C:\WINDOWS\System32\prutpct.exe
C:\Lotus 6\Notes\NLNOTES.EXE
C:\Lotus 6\Notes\nNOTESMM.EXE
C:\Lotus 6\Notes\ntaskldr.EXE
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [prutpct] C:\WINDOWS\System32\prutpct.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eden.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EDENAD.com
O17 - HKLM\Software\..\Telephony: DomainName = EDENAD.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EDENAD.com
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\LDClient\LOCALSCH.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk® Management Agent - Unknown - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#9 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 11 February 2005 - 05:36 PM

I figured something was running. :thumbsup:

Please close ALL open windows AND browsers and open HijackThis, click on “Do a system scan only” and put checks next to all the following, then click "Fix Checked"

R3 - Default URLSearchHook is missing
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O4 - HKCU\..\Run: [prutpct] C:\WINDOWS\System32\prutpct.exe


These are not malware, but unneeded resource hogs; they are safe to delete in HJT also.
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

NOTE: Right-click on the bottom Windows taskbar, select Task Manager, click on the Processes tab, scroll down and find prutpct.exe click End Process. Now delete the file below.

Please delete the following files and/or folders:
Go to Start, Search, For Files or Folders, and type in each file or folder name.
Make sure the E2G folder is gone.
C:\Program Files\E2G\ <----Delete this folder
C:\WINDOWS\System32\prutpct.exe <----Delete this file.

Now reboot the PC and open HijackThis, click on "Do a system scan and save and save a logfile", copy and paste the entire contents of the logfile here for review.

#10 eden517

eden517
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 14 February 2005 - 02:22 PM

Did all that you asked. When I rebooted, the popup never came telling me E2give was trying to install. Did notice that the one entry: 04.....prutpct.exe was still in the log below.

Logfile of HijackThis v1.99.0
Scan saved at 2:13:17 PM, on 2/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\LDClient\LOCALSCH.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [prutpct] C:\WINDOWS\System32\prutpct.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eden.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EDENAD.com
O17 - HKLM\Software\..\Telephony: DomainName = EDENAD.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EDENAD.com
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\LDClient\LOCALSCH.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk® Management Agent - Unknown - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#11 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 14 February 2005 - 10:10 PM

Nice Work! :thumbsup:
Your log is looking better all the time.

Please disable Microsoft AntiSpyware in Windows before using HJT. Right click on the ORANGE icon down in the lower RH taskbar and click Shutdown Microsoft AntiSpyware, now click Yes to the Are You Sure? prompt.

Please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":
O4 - HKCU\..\Run: [prutpct] C:\WINDOWS\System32\prutpct.exe

Once the PC has been rebooted, Microsoft AntiSpyware will start back up with Windows.

Edited by SirJon, 14 February 2005 - 10:11 PM.


#12 eden517

eden517
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 15 February 2005 - 09:31 AM

Here is the latest log. The only remnants I see is in Add/Remove Programs. It says E2Give Plug In. But there is no size information. Should I go ahead and try to Remove it through there. I believe it has been there from the start, and when I tried to remove it at the start of all this, it didn't do a thing. So it is probably just listed there but not really installed. What do you think?

Logfile of HijackThis v1.99.0
Scan saved at 9:19:46 AM, on 2/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\LDClient\LOCALSCH.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\userinit.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eden.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EDENAD.com
O17 - HKLM\Software\..\Telephony: DomainName = EDENAD.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EDENAD.com
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\LDClient\LOCALSCH.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk® Management Agent - Unknown - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#13 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 15 February 2005 - 12:07 PM

Download RegSrch.vbs here. Extract, and double-click RegSrch.vbs and enter "E2Give" (without the quotes) and click ok. This will find all occurrences of it left in the registry. Please post the results of the scan here for review.

#14 eden517

eden517
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 15 February 2005 - 01:45 PM

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "e2give" 2/15/2005 1:42:59 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin]
"DisplayName"="E2give Plug-in"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin]
"HelpLink"="mailto:support@e2give.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin]
"Publisher"="e2give, LLC (click here to read license agreement)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin]
"URLInfoAbout"="http://e2give.com/license.html"

#15 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 15 February 2005 - 02:20 PM

Nice Work! :thumbsup:

Copy the contents of the Quote Box to Notepad. Name the file as e2give.reg. Change the Save as Type to All Files. Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin]


Now double-click on the e2give.reg file and when it prompts to merge, say Yes and this will clear some registry entries left behind by the malware infections.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users