E2Give is constantly reappearing



Sarsaparille
2006-05-29, 08:24
Hi,

Spybot repeatedly finds E2Give on my computer. After a removal, it takes only seconds before it reappears.

I have followed the instructions in your "Before you post a log" thread, and here are the log of my virus scanner (I did not use an online scanner as proposed, as it turned out that every one of them I tried needs IE, and I wanted to do the check without a running explorer.exe or iexplorer.exe process, since E2Give is a BHO and thus linked with IE) and the HJT log. I have been trying to get the computer clean for a week now, so I would be very glad if someone could help me in any way.



AntiVir PersonalEdition Classic
Erstellungsdatum der Reportdatei: Sonntag, 28. Mai 2006 06:08

Es wird nach 393378 Virenstämmen gesucht.

Lizenznehmer: AntiVir PersonalEdition Classic
Seriennummer: 0000149996-WURGE-0001
Plattform: Windows XP
Windowsversion: (Service Pack 2) [5.1.2600]
Benutzername: Sandra
Computername: SCHNUCKI

Versionsinformationen:
AVSCAN.EXE : 7.0.0.38 593960 05.02.2006 09:18:45
AVSCAN.DLL : 7.0.0.38 57384 05.02.2006 09:18:45
LUKE.DLL : 7.0.0.37 118824 05.02.2006 09:18:45
LUKERES.DLL : 7.0.0.37 32808 05.02.2006 09:18:45
ANTIVIR0.VDF : 6.32.0.60 4323840 05.02.2006 09:18:45
ANTIVIR1.VDF : 6.34.1.87 2215424 05.02.2006 09:18:45
ANTIVIR2.VDF : 6.34.1.148 146432 05.02.2006 09:18:45
ANTIVIR3.VDF : 6.34.1.152 8192 05.02.2006 09:18:45
AVEWIN32.DLL : 7.0.0.16 1229312 05.02.2006 09:18:45
AVPREF.DLL : 7.0.0.1 53288 05.02.2006 09:18:45
AVREP.DLL : 6.34.1.130 622632 05.02.2006 09:18:45
AVRPBASE.DLL : 7.0.0.0 2162728 06.05.2006 20:29:33
AVPACK32.DLL : 7.0.0.4 335912 05.02.2006 09:18:45
AVREG.DLL : 6.31.0.90 27688 05.02.2006 09:18:45
NETNT.DLL : 6.32.0.0 6696 05.02.2006 09:18:45
NETNW.DLL : 6.32.0.0 9768 05.02.2006 09:18:45
RCIMAGE.DLL : 7.0.0.63 1613864 05.02.2006 09:18:45
RCTEXT.DLL : 7.0.0.62 73768 05.02.2006 09:18:45

Konfiguration für den aktuellen Suchlauf:
Job Name......................: Lokale Laufwerke
Konfigurationsdatei...........: C:\Programme\AntiVir PersonalEdition Classic\alldrives.avp
Bootsektoren..................: C,D
Durchsuche Speicher...........: 0
Laufende Programme............: 1
Prüfe alle Dateien............: 1
Durchsuche Archive............: 1
Maximale Rekursionstiefe......: 20
Smart Extensions..............: 1
Makrovirenheuristik...........: 1
Dateiheuristik................: -1
Primäre Aktion................: 1
Sekundäre Aktion..............: 0

Beginn des Suchlaufs: Sonntag, 28. Mai 2006 06:08


Der Suchlauf über gestartete Prozesse wird begonnen:
Es wurden 61 Prozesse durchsucht

Es wird begonnen die Bootsektoren zu durchsuchen:

Bootsektor 'C:\'
[HINWEIS] Es wurde kein Virus gefunden!
Bootsektor 'D:\'
[HINWEIS] Es wurde kein Virus gefunden!

Scan der Registry auf Verweise zu ausführbaren Dateien.
Die Registry wurde durchsucht ( 35 Dateien ).


Der Suchlauf über die ausgewählten Dateien wird begonnen:

C:\PAGEFILE.SYS
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\hiberfil.sys
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\SCARDSRV.TMP
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\direct32.dll
[WARNUNG] Die Datei konnte nicht gelesen werden!
C:\WINDOWS\system32\config\system.LOG
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\config\software.LOG
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\config\default.LOG
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\config\SECURITY
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\config\SAM
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\config\SAM.LOG
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\config\SECURITY.LOG
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\config\SYSTEM
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\config\SOFTWARE
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\config\DEFAULT
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\Sandra\NTUSER.DAT
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\Sandra\ntuser.dat.LOG
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\Sandra\Lokale Einstellungen\Temp\Perflib_Perfdata_628.dat
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\Sandra\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\Dokumente und Einstellungen\Sandra\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\System Volume Information\_restore{170E633B-3AE6-4EFC-B4CA-027579D51DB4}\RP141\A0016768.dll
[FUND] Ist das Trojanische Pferd TR/VB.qn.C
[WARNUNG] Die Datei wurde ignoriert.
C:\System Volume Information\_restore{170E633B-3AE6-4EFC-B4CA-027579D51DB4}\RP142\A0016861.dll
[FUND] Ist das Trojanische Pferd TR/VB.qn.C
[WARNUNG] Die Datei wurde ignoriert.
D:\opera7_mail\storage\mbox1913.mbs
[FUND] Enthält Signatur der Phish-Datei/Email PHISH/Bankfraud.B
[WARNUNG] Bei der Datei handelt es sich um eine Mailbox. Um Ihre Emails nicht zu beeinträchtigen wird diese Datei nicht repariert oder gelöscht!
D:\opera7_mail\storage\mbox2192.mbs
[FUND] Enthält Signatur des Wurmes WORM/Sober.I.Base64A
[WARNUNG] Bei der Datei handelt es sich um eine Mailbox. Um Ihre Emails nicht zu beeinträchtigen wird diese Datei nicht repariert oder gelöscht!




Ende des Suchlaufs: Sonntag, 28. Mai 2006 06:39
Benötigte Zeit: 31:58 min

Der Suchlauf wurde vollständig durchgeführt.

4263 Verzeichnisse wurden überprüft
236947 Dateien wurden geprüft
4 Viren bzw. unerwünschte Programme wurden gefunden
0 Dateien wurden gelöscht
0 Viren bzw. unerwünschte Programme wurden repariert
0 Dateien wurden in die Quarantäne verschoben
0 Dateien wurden umbenannt
8740 Archive wurden durchsucht
31 Warnungen
0 Hinweise

-----------------
Please note: c:\programme\E2P\IeBHOs.dll was not found during the scan, because at the time of the scan it was not there (removed by Spybot, and iexplorer was not running). It appeared a short time afterwards when I started an explorer.exe.
It is not mentioned in the AntiVir log, but the signature files are very up to date.
-----------------
Logfile of HijackThis v1.99.1
Scan saved at 07:51:40, on 28.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SCARDS32.EXE
C:\Programme\Multimedia\VNC4\WinVNC4.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\ASUS\ASUS Live Update\ALU.exe
C:\Programme\ASUS\ASUS Probe\AsusProb.exe
C:\Programme\ASUS\Wireless Console\wcourier.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\ASUS\Power4 Gear\BatteryLife.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\programme\multimedia\Quicktime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\PROGRA~1\INTERNET\AIM95\aim.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programme\Office_Ordner\Palm\Hotsync.exe
C:\Programme\Internet\Trillian\trillian.exe
C:\Programme\Office_Ordner\OpenOffice\program\soffice.exe
C:\Programme\Office_Ordner\OpenOffice\program\soffice.BIN
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Programme\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Internet\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Programme\Dealio\Dealio.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A434A638-7429-2C64-F9C2-094289011A86} - C:\WINDOWS\wotwecda.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Programme\Dealio\Dealio.dll (file missing)
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programme\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Programme\ASUS\ASUS Probe\AsusProb.exe
O4 - HKLM\..\Run: [Wireless Console] C:\Programme\ASUS\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programme\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\Internet\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [au] "C:\Programme\Dealio\DealioAu.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\programme\multimedia\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\INTERNET\AIM95\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programme\Office_Ordner\OpenOffice\program\quickstart.exe
O4 - Startup: Palm Registration.lnk = C:\Programme\Office_Ordner\Palm\register.exe
O4 - Startup: Trillian.lnk = C:\Programme\Internet\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Programme\Office_Ordner\Palm\Hotsync.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Programme\Dealio\res\DealioSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\INTERNET\AIM95\aim.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Programme\Dealio\Dealio.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {271A3CF5-5A54-447B-A08F-BE805F0DA60B} (DataDesign DDBAC Plug-In) - https://www.seb-banking.de/hbci/plugin/AXFOAM.CAB
O20 - AppInit_DLLs: direct32.dll
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - SCM Microsystems - C:\WINDOWS\SCARDS32.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programme\Multimedia\VNC4\WinVNC4.exe" -service (file missing)
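An added example, not part of the original thread and not HijackThis or Spybot code: a small Python triage script for the HijackThis log format above. It parses the O2/O3/O4/O20 line formats, flags the orphaned "(file missing)" add-on entries, the unnamed BHO under the Windows directory and the AppInit_DLLs value, and also flags Run-key entries that start a program from the directory of a flagged add-on, since such a program can recreate a deleted BHO at the next logon. The sample lines are copied from the log above; the heuristics are the script's own.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code).

Flags: O2/O3 entries whose DLL is "(file missing)" (the registry still points
at a deleted add-on, so re-dropping the file re-arms it without a new
registration); an unnamed BHO loaded straight from the Windows directory;
any AppInit_DLLs value (loaded into every process that maps user32.dll);
and O4 Run-key entries that start a program from the directory of a flagged
add-on, a common way a removed BHO is recreated at the next logon.
"""
import ntpath
import re
from dataclasses import dataclass

# "O2 - BHO: Name - {CLSID} - path (file missing)" and "O3 - Toolbar: ..."
_COM_RE = re.compile(
    r"^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# "O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args"
_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
_EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)
# "O20 - AppInit_DLLs: direct32.dll"
_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
_WINDIR_DLL_RE = re.compile(r"(?i)^[a-z]:\\windows\\[^\\]+\.dll$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section id, e.g. "O2"
    reason: str   # why a reviewer should look at the entry
    line: str     # the original log line


def triage(lines):
    """Return a list of Finding for the suspicious entries in the given log lines."""
    findings = []
    suspect_dirs = set()  # lower-cased directories of flagged O2/O3 entries
    run_entries = []      # (hive, name, cmd, line), checked after the first pass
    for raw in lines:
        line = raw.strip()
        m = _COM_RE.match(line)
        if m:
            if m["missing"]:
                findings.append(Finding(m["sec"], "registry still references a DLL that is not on disk", line))
                suspect_dirs.add(ntpath.dirname(m["path"]).lower())
            if m["name"] == "(no name)" and _WINDIR_DLL_RE.match(m["path"]):
                findings.append(Finding(m["sec"], "unnamed BHO loaded straight from the Windows directory", line))
            continue
        m = _APPINIT_RE.match(line)
        if m:
            findings.append(Finding("O20", f"AppInit_DLLs loads {m['dlls']} into every process that maps user32.dll", line))
            continue
        m = _RUN_RE.match(line)
        if m:
            run_entries.append((m["hive"], m["name"], m["cmd"], line))
    # Second pass: a Run-key program living beside a flagged add-on can recreate it at logon.
    for hive, name, cmd, line in run_entries:
        exe = _EXE_RE.match(cmd)
        if exe and ntpath.dirname(exe["exe"]).lower() in suspect_dirs:
            findings.append(Finding("O4", f"{hive} Run entry [{name}] starts a program from the directory of a flagged add-on", line))
    return findings


# Constructed sample: a subset of the lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Programme\E2G\IeBHOs.dll (file missing)
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Programme\Dealio\Dealio.dll (file missing)
O2 - BHO: (no name) - {A434A638-7429-2C64-F9C2-094289011A86} - C:\WINDOWS\wotwecda.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Programme\Dealio\Dealio.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [au] "C:\Programme\Dealio\DealioAu.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: direct32.dll
""".strip().splitlines()


def triage_sample():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```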

steamwiz
2006-05-30, 00:19
Hi

First .. I don't speak German, so there are some lines in your AntiVir log that I can't read...

Do not worry about running IE ...

Disconnect from the internet, close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below. When all are ticked (checked), click the Fix Checked button at the bottom:

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Programme\E2G\IeBHOs.dll (file missing)

O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Programme\Dealio\Dealio.dll (file missing)

O2 - BHO: (no name) - {A434A638-7429-2C64-F9C2-094289011A86} - C:\WINDOWS\wotwecda.dll

O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Programme\Dealio\Dealio.dll (file missing)


Do a free on-line virus scan here :-

Panda Activescan (http://www.pandasoftware.com/activescan/)<<<< click here

and here :-

Housecall (http://housecall.trendmicro.com/)<<<< click here

Do both scans <<< Important

Delete all infected files found ... if Housecall lists them as uncleanable ... click the "delete" button.

The Pandascan will also find adware which it will not remove unless you pay...just save the log and post it in your next post here ...

Then do this :-

Please download and run these :-

Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs (leave this unticked if you DON'T want to clear the drop-down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRUs (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up:

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

THEN........

Download ewido security suite (http://www.ewido.net/en/download/), install, update and run it.

Please set up as :-

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

2. Run Ewido --- When you run it for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

3. From the main ewido screen, click on update in the left menu, then click the Start update button.

4. After the update finishes (the status bar at the bottom will display "Update successful")

5. You may need to manually update the definitions which you can get HERE (http://www.ewido.net/en/download/updates/)

6. Exit Ewido. DO NOT scan yet.

Boot into safemode...and scan with Ewido

7. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

8. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

9. Once the ewido scan has completed, there will be a button located on the bottom of the screen called Save report.

Important - You need to click "Save report" and save it to your desktop, or you won't have a log.

reboot

post a new hijackthis log + the ewido log

cheers

steam

Sarsaparille
2006-05-30, 08:38
The forum software first complained about my post being too long (84k). OK, I fixed this. But then it complained about 24 images I'd have in my post. I don't know of a single one, so I don't know what I should change in my post. I have saved my post to a text file now. Maybe you can tell me how to proceed.

Thanks

steamwiz
2006-05-30, 11:59
Hi

OK .. you have 3 logs for me ?

1. Pandascan
2. Ewido
3. new hijackthis log

Try posting them one at a time in separate posts... if one of them won't post, we'll try to work out why...

steam

Sarsaparille
2006-05-30, 16:40
First of all, thanks for the quick response. Here are my results:

I did both recommended virus scans.


During fixing, the Housecall browser window crashed.
There were some 20 or 30 entries it found and, after my command, cleaned. Five entries were left that it could not clean. It suggested tips for manual removal, but there were none. It did not say which files were affected either. It just knew names for them, which were: ADW_SE.60338, ADW_SE.60339, ADW_SE.60340 (these were the three on the screen at the time of crashing).

The Panda log is attached in zip format. It is 64 kB long and was rejected both in the message itself and as a text attachment. The ewido logs are also attached as zip files.



Here is the log of HijackThis:
____________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 08:13:59, on 30.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\internet\ewido anti-malware\ewidoctrl.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SCARDS32.EXE
C:\Programme\Multimedia\VNC4\WinVNC4.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Programme\ASUS\Wireless Console\wcourier.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\ASUS\Power4 Gear\BatteryLife.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Internet\ICQLite\ICQLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\INTERNET\AIM95\aim.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programme\Office_Ordner\Palm\Hotsync.exe
C:\Programme\Office_Ordner\OpenOffice\program\soffice.exe
C:\Programme\Office_Ordner\OpenOffice\program\soffice.BIN
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Internet\Opera_8\Opera.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Programme\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Internet\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SoundMan] _SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Live Update] _C:\Programme\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ASUS Probe] _C:\Programme\ASUS\ASUS Probe\AsusProb.exe
O4 - HKLM\..\Run: [Wireless Console] C:\Programme\ASUS\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [SynTPLpr] _C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] _C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programme\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] _C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] _"C:\programme\multimedia\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\Internet\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\INTERNET\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\Internet\ICQLite\ICQLite.exe -trayboot
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programme\Office_Ordner\OpenOffice\program\quickstart.exe
O4 - Startup: Palm Registration.lnk = C:\Programme\Office_Ordner\Palm\register.exe
O4 - Startup: Trillian.lnk = C:\Programme\Internet\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Programme\Office_Ordner\Palm\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\INTERNET\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Internet\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Internet\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {271A3CF5-5A54-447B-A08F-BE805F0DA60B} (DataDesign DDBAC Plug-In) - https://www.seb-banking.de/hbci/plugin/AXFOAM.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: direct32.dll
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\internet\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - SCM Microsystems - C:\WINDOWS\SCARDS32.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programme\Multimedia\VNC4\WinVNC4.exe" -service (file missing)
____________________________________________________________

As of now, no dll has appeared in the c:\programme\E2G directory. This is definitely a sign of progress.
Another change: every time I open a page with IExplorer, I get asked if I want to allow execution of ActiveX and plug-ins, even for pages that do not have any of these. So far, I have always answered no, but as I want to do online banking again, I have to answer yes there, and I am afraid that this will activate E2Give again.

Any further suggestions?
Bye

steamwiz
2006-05-30, 18:51
Hi

Your logs give a lot of good information ...

A lot of the files which were not deleted/cleaned are in temp/temporary internet files or cookies...

Did you run CCleaner as I asked you to? Because I would expect it to remove a lot of those files. If you did run CCleaner according to my instructions, then we will have to remove them manually ... which will take a lot longer...

steam

Sarsaparille
2006-05-30, 19:50
Unfortunately, I did.
And I checked most of the options it provides. I have no log of this, though. With time, I have come to the conclusion that it would take less time to install the computer from scratch. I have already invested more than 10 hours of work, and the progress is not very much.
The key question remains: which defense tools should I use to prevent a repetition of this problem?

steamwiz
2006-05-30, 20:58
I have already invested more than 10 hours of work, and the progress is not very much.


I can't agree there...

You have removed over 100 files containing the following:-

Virus:Trj/Downloader.IGY
Virus:W32/Klez.I
Virus:Trj/Citifraud.A
Virus:W32/Netsky.D.worm
Virus:W32/Bagle.BK.worm!CME-245
Virus:W32/Netsky.C.worm
Virus:W32/Netsky.P.worm
Virus:W32/Bagle.BE.worm!CME-245
Virus:W32/Sober.A.worm
Virus:W32/Bagle.GS.worm!CME-328
Virus:W32/Sober.I.worm
Virus:W32/Gibe.C.worm
Virus:W32/Sober.A.worm
Virus:W32/Sober.F.worm
Virus:W32/Netsky.X.worm
Virus:W32/Gaobot.JBS.worm

You have also removed most of the E2G infection + countless other spyware & adware...

I'm sorry if we are not moving fast enough for you...

However I do agree with you about a reformat & reinstall... If I had let my computer get into such a condition, I would not be happy to use on-line banking unless it was wiped clean and I had a fresh new install...

Have a look here for advice on how to keep your computer safe in the future... :-

http://forums.spybot.info/showthread.php?t=279

steam

Sarsaparille
2006-05-31, 02:24
Thanks for your help anyway :-)

At least I've learned some things about malware and tools against it.

tashi
2006-06-04, 23:59
Thank you steamwiz. :)


Sarsaparille, this topic is closed.
If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.