#1
Registered User
Join Date: Apr 2005
Location: Kildare, Ireland
Posts: 27
OS: Windows xp home
prutec e trojan - my hijackthis.log!

Hello All,

I would appear to be unable to rid my computer of a virus. My software identifies it as prutec e and I have deleted every file it has been detected in. However this does not seem to solve the matter. I have followed the posted instructions to the letter before posting my NEW logfile having analyzed it with the HijackThis analyze program. I hope someone can help or at least tell me if it's gone!

Regards,
Rfahey

===================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 17:10:55, on 24/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Realtek\Rtl8180\RtlWake.exe
C:\Documents and Settings\Admin\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ucd.ie/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [mfcctr] C:\WINDOWS\system32\mfcctr.exe
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O4 - Global Startup: RtlWake.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

End of KRC HijackThis Analyzer Log.
==============================
#2
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Hi there --

Before proceeding, please print this page or copy it to Notepad to help you carry out the instructions. If you have questions about any instruction, please ask before performing it. If you can't download a required program by simply clicking its link, please try right-clicking that link instead. Then click Save (Target) As.. and save the file to your computer.

Now, the fix..

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

To get rid of lingering installation files, you should empty your Temp folders. (You should do this periodically anyway; even benign software leaves a lot of junk there.) Download and install CleanUp! (alternate link), then run it and click the CleanUp! button. When it asks whether you want to log off, click Yes.

Reboot your system into Safe Mode by repeatedly tapping the F8 key until the menu appears, then selecting Safe Mode.

Open HijackThis and click Scan. If they still exist -- and some might not -- check all of the following entries (make sure you do not miss any):

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [mfcctr] C:\WINDOWS\system32\mfcctr.exe

Please close all other windows, including browsers, then click Fix checked.

If it still exists, delete the file indicated in RED:

C:\WINDOWS\system32\mfcctr.exe

Run CleanUp! and click the CleanUp! button. When it asks whether you want to log off, click Yes.

Reboot your system into normal mode.

Since you've already run one online virus scan, let's skip that for now and see where we've gotten. So in your next post, we need to see a fresh HijackThis log. If you're still experiencing problems, please describe them in a little more detail so we can decide on a next step.
__________________
Have TSF volunteers helped you? Please consider helping TSF by subscribing or donating. Thanks!
#3
Registered User
Join Date: Apr 2005
Location: Kildare, Ireland
Posts: 27
OS: Windows xp home
Hi Tinaq

Hi Tinaq,

Thanks for taking the time to look at my problem. I've followed your instructions after printing them out. One of the files you mentioned was still present when I ran HijackThis in Safe Mode (549B5CA7 etc.) and I deleted it. There were 60MB of temporary files on my computer, so much for Windows XP clean up! I then saw a file called HKCU\..\Run: [ptech] C:\Windows\system32\ptech.exe. I had a virus called ptech on my computer before, about two months ago, called prutec d and found it to be an application called ptech in my system32 folder. For that reason I deleted this file from my HijackThis log too. I hope I did the right thing. Next I ran clean up again, it was fine. Upon rebooting in Normal mode I ran HijackThis again. Interestingly the file you mentioned O4 - HKCU\..\Run: [mfcctr] C:\Windows\system32\mfcctr.exe had appeared as had FDD3B846 etc. I deleted those and ran HijackThis again. This is the log I'm posting now, I don't see anything in it that looks suspicious to me!

Logfile of HijackThis v1.99.1
Scan saved at 12:07:10, on 25/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\Realtek\Rtl8180\RtlWake.exe
C:\Documents and Settings\Admin\Desktop\hjt\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ucd.ie/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
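Two things in this exchange are mechanical enough to script: the entry shapes Tina asked to be fixed (a BHO CLSID with no backing file, a Run value launching an executable straight out of system32) and the check Ruth did by hand, comparing the post-reboot log against the earlier one to see what came back. As an added example, not code from the thread or from HijackThis, this Python parses those O2/O4 line formats and reports which flagged entries persisted and which are new; the sample logs are constructed, and a flagged entry is a prompt for review, not a verdict.

```python
import re

# Constructed sample logs in HijackThis v1.99.1 format, modelled on the entry
# shapes discussed in this thread; they are not the poster's full logs.
LOG_BEFORE_FIX = """\
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\\..\\Run: [Lexmark X5100 Series] "C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe"
O4 - HKCU\\..\\Run: [mfcctr] C:\\WINDOWS\\system32\\mfcctr.exe
"""
LOG_AFTER_REBOOT = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [Lexmark X5100 Series] "C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe"
O4 - HKCU\\..\\Run: [mfcctr] C:\\WINDOWS\\system32\\mfcctr.exe
O4 - HKCU\\..\\Run: [ptech] C:\\WINDOWS\\system32\\ptech.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK[LC][MU])\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# A bare executable sitting directly in C:\WINDOWS or C:\WINDOWS\system32
SYSDIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\(system32\\)?[^\\]+$", re.IGNORECASE)

def _exe_path(command):
    """Reduce a quoted or unquoted Run command line to its executable path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[: m.end()] if m else command

def triage(log_text):
    """Return (line, reason) pairs for entries a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m and m.group(3) == "(no file)":
            findings.append((line, "BHO CLSID registered with no backing file"))
        m = RUN_RE.match(line)
        if m and SYSDIR_RE.match(_exe_path(m.group(3))):
            findings.append((line, "Run value launches an executable straight from the system directory"))
    return findings

def reappeared(before, after):
    """Split the later log's flagged entries into those also flagged in the earlier
    log (the fix did not stick, as with mfcctr) and those newly present (ptech)."""
    flagged_before = {line for line, _ in triage(before)}
    flagged_after = {line for line, _ in triage(after)}
    return sorted(flagged_after & flagged_before), sorted(flagged_after - flagged_before)
```

Run against the thread's real second log, the same rule would also list PSDrvCheck.exe, which is why the output is a review list rather than a removal list.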
#4
Registered User
Join Date: Apr 2005
Location: Kildare, Ireland
Posts: 27
OS: Windows xp home
virus message alert just received

Tinaq,

I've just received this notification from my antiviral software: 'troj/prutec - e' detected in C:\system volume information\_restore{CBCA8CD-C876-458D-8D18-AE871B695001}\RP208\A0085949.exe. So it would appear the virus is still lurking. Would I be right in thinking it's in my registry and that is why I can't find and erase the source?

Rfahey
#5
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Hi again --

Your HijackThis log is clean. The virus notification you received indicates that there's a copy of one of the old infected files still in your System Restore snapshot. We'll take care of that by resetting System Restore; that way, if you ever have to do a restore in future, you don't risk accidentally reinfecting your system:

First, turn off System Restore: right-click My Computer and click Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, existing restore points will be deleted. Click Yes to do this, then click OK.

Next, reboot your system.

Finally, re-enable System Restore and create a new Restore Point: right-click My Computer and click Properties. Click the System Restore tab and uncheck "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply and then OK.

Just to be safe, let's run one more online virus scan at Trend Micro or RAV Antivirus. Please select the "autoclean" option when using Trend Micro. If you don't have high-speed Internet access, plan on this taking a while. If the scan finds files it can't clean, please note their names/locations and include them in your next post. Also let us know whether you're experiencing any problems with the machine. If not, we can then tie up a few loose ends.

Tina
__________________
Have TSF volunteers helped you? Please consider helping TSF by subscribing or donating. Thanks!
#6
Registered User
Join Date: Apr 2005
Location: Kildare, Ireland
Posts: 27
OS: Windows xp home
Looking good so far!

Tina,

Thank you so much for your help, I've done exactly what you instructed and it would appear to have solved the problem. I haven't received any notifications of viruses in the past while!

Ruth