Warezove/Stration



MotiDeli
2007-02-14, 10:23
First of all, I would like to thank you for last time's help...

I got lots of emails from different people with a "postcard". I immediately knew it's
some virus or something, so I immediately erased it!
After a couple of days I got a message from a friend on MSN telling me he sent me a postcard (now I know he didn't write me anything, but it was something that took over MSN).
I opened it and then I got this sucker!

I ran a test on Spybot and it cleaned the problem; I ran AVG Anti-Spyware and
it found Warezove and deleted it...
But this morning Avast AV tells me that outgoing emails (automatic emails sent from my computer without my awareness) contain the Warezove virus...
Spybot now only finds "Stration" in the registry and says the problem is fixed, but Stration comes back every time.
Appreciate your help.

here is my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 11:08:53 AM, on 2/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\user12\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bankhapoalim.co.il/wps/portal/!ut/p/_.cmd/cs/ce/7_0_A/s./7_0_2E5/_s.7_0_A/7_0_2E5?categoryID=540&contentID=12582
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O1 - Hosts: 198.198.198.200 ntserver
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ??÷? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Domain.Local
O17 - HKLM\Software\..\Telephony: DomainName = Domain.Local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Domain.Local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Domain.Local
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: e1.dll
O20 - Winlogon Notify: mprwanp - C:\WINDOWS\system32\mprwanp.dll
O20 - Winlogon Notify: mqtrupnp - C:\WINDOWS\system32\mqtrupnp.dll (file missing)
O20 - Winlogon Notify: wmvmgr - C:\WINDOWS\SYSTEM32\wmvmgr32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

Angelfire777
2007-02-14, 14:42
Hi, welcome to Safer Networking Forums!

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

Protexis

*Reboot
_______________________

*Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.

a.) While in your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT

b.) After creating the folder, find your HijackThis.exe (it looks like a detonator with some dynamites). Then, drag and drop that file to the new folder you created.


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O1 - Hosts: 198.198.198.200 ntserver
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - AppInit_DLLs: e1.dll
O20 - Winlogon Notify: mprwanp - C:\WINDOWS\system32\mprwanp.dll
O20 - Winlogon Notify: mqtrupnp - C:\WINDOWS\system32\mqtrupnp.dll (file missing)
O20 - Winlogon Notify: wmvmgr - C:\WINDOWS\SYSTEM32\wmvmgr32.dll

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.

*Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.

*Using Windows Explorer, find and delete these files:

C:\WINDOWS\system32\mprwanp.dll
C:\WINDOWS\system32\mqtrupnp.dll
C:\WINDOWS\SYSTEM32\wmvmgr32.dll

*Click Start > Search > Click "All Files and Folders".
Under "Advanced Options", make sure the following are checked:
Search System Folders.
Search Hidden Files And Folders.
Search Subfolders.
Then into the search box, copy and paste the following (one at a time):

e1.dll

Then, click Search after you copy and paste each of those. After that, delete all instances of those files.

Empty your Recycle bin.

Reboot.
______________________________

Download combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

MotiDeli
2007-02-14, 17:09
Hi there mate, thanks for your help...

I've been trying to deal with this problem myself. I tried lots of ways to delete e1.dll; at first I got a message that it's being used, but eventually I've managed to delete it. However, it seems to come back.

I already installed HJT on my desktop and ran a check.
I've checked everything that mentioned e1.dll, but it gave me an error...

I will try everything from top as you wrote tomorrow morning,
Thanks again for your help! Really appreciate it!

MotiDeli
2007-02-14, 17:11
I think this line:
O1 - Hosts: 198.198.198.200 ntserver

is critical for me... I need it to log in to the server... correct me if I'm wrong.

Angelfire777
2007-02-15, 09:51
Hi,


I already installed HJT on my desktop and ran a check.
I've checked everything that mentioned e1.dll, but it gave me an error...

What error is that?


I think this line:
O1 - Hosts: 198.198.198.200 ntserver

is critical for me... I need it to log in to the server... correct me if I'm wrong.

I'm sorry, I didn't know that the PC is connected to a server.
________________

I'll wait for the results :)

MotiDeli
2007-02-15, 15:10
HJT error log:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: e1.dll confwmv.dll wmvstat.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Angelfire777
2007-02-15, 15:22
Hi, the following instructions are equivalent to fixing this entry in HijackThis:

O20 - AppInit_DLLs: e1.dll
________________________

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line: regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.
________________________

Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type fix.reg in the File name and save it to your desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fix.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer Yes.
_________________________

After doing the above, follow the instructions up to the reboot..

Since the tool combofix has been pulled out temporarily, we will replace it with another scan..

*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

Important: Make sure all your browsers are closed before running ATF Cleaner..

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


*Download Superantispyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE)
Load Superantispyware and click the check for updates button.
Once the update is finished click the scan your computer button.
Check Perform Complete Scan and then next.
Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
Make sure that they all have a check next to them and press next.
Click finish and you will be taken back to the main interface.
Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
Copy and paste the log onto the forum.

On your next reply, please post a fresh HijackThis log, SUPERantispyware log and a description on how your machine is running.
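
The two O20 persistence mechanisms the helper fixes in this thread (AppInit_DLLs and Winlogon Notify, in the first set of instructions and in the fix.reg post above) can be triaged from the log text itself. The following Python script is an added example, not code from the thread or from HijackThis: it parses O20 lines, separates DLLs that are still on disk from "(file missing)" leftovers, and generates a REGEDIT4 fix that generalises the manual one above to every Winlogon Notify subkey. It assumes the standard registry locations behind these HJT entries (AppInit_DLLs under ...\CurrentVersion\Windows, Notify subkeys under ...\CurrentVersion\Winlogon\Notify); the sample log is constructed from lines posted in this thread.

```python
import re

# Constructed sample: O20 lines posted in this thread; the AppInit_DLLs value is
# the full one HijackThis revealed in its error message, plus one benign O4 line.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O20 - AppInit_DLLs: e1.dll confwmv.dll wmvstat.dll
O20 - Winlogon Notify: mprwanp - C:\\WINDOWS\\system32\\mprwanp.dll
O20 - Winlogon Notify: mqtrupnp - C:\\WINDOWS\\system32\\mqtrupnp.dll (file missing)
O20 - Winlogon Notify: wmvmgr - C:\\WINDOWS\\SYSTEM32\\wmvmgr32.dll
"""

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s*(\S+)\s*-\s*(.*?)(\s*\(file missing\))?$")
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def parse_o20(log_text):
    """Return one dict per O20 persistence entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is one space-separated value; list every DLL named in it.
            for dll in m.group(1).split():
                entries.append({"kind": "AppInit_DLLs", "name": dll,
                                "path": None, "missing": False})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append({"kind": "Winlogon Notify", "name": m.group(1),
                            "path": m.group(2), "missing": m.group(3) is not None})
    return entries

def files_to_remove(entries):
    """DLL paths (or bare names to search for) the log says still exist on disk."""
    return [e["path"] or e["name"] for e in entries if not e["missing"]]

def build_fix_reg(entries):
    """REGEDIT4 text deleting AppInit_DLLs and each Notify subkey ('-' before a key deletes it)."""
    lines = ["REGEDIT4", ""]
    if any(e["kind"] == "AppInit_DLLs" for e in entries):
        lines += ["[%s]" % WINDOWS_KEY, '"AppInit_DLLs"=-', ""]
    for e in entries:
        if e["kind"] == "Winlogon Notify":
            lines += ["[-%s\\%s]" % (NOTIFY_KEY, e["name"]), ""]
    return "\n".join(lines) + "\n"
```

Deleting the Notify subkeys removes the load points; the DLLs listed by files_to_remove still have to be deleted separately (at reboot if they are locked), which is why the helper pairs the registry fix with a file search.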

MotiDeli
2007-02-16, 07:26
e1 doesn't appear on the new HJT scan, but I cannot delete the following files:


C:\WINDOWS\system32\mprwanp.dll
C:\WINDOWS\system32\mqtrupnp.dll
C:\WINDOWS\SYSTEM32\wmvmgr32.dll

Angelfire777
2007-02-16, 07:41
Do the following to delete the files then follow through with the scan in the previous instruction.

Download Killbox (http://www.bleepingcomputer.com/files/killbox.php)

Open Killbox.exe

Check the following boxes:

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.


C:\WINDOWS\system32\mprwanp.dll
C:\WINDOWS\system32\mqtrupnp.dll
C:\WINDOWS\SYSTEM32\wmvmgr32.dll

Then in Killbox, click File>>Paste from Clipboard

At this point the "All Files" button should be enabled so you can click it.

Click the "All Files" button.

Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

A second message will ask to Reboot now? You will need to click Yes to allow the reboot.

Note: Killbox will let you know if a file does not exist.

tashi
2007-02-27, 00:09
How is it going MotiDeli?

Angelfire777
2007-03-02, 14:52
Due to lack of feedback, this thread is now closed and archived. If you want it reopened, please pm (private message) me and I'll unlock it for you. This only applies to the original topic starter.