e2give

Windows Defender will not delete the e2give spyware. It will detect e2give
and say it was removed successfully, but it keeps coming back. I cannot
figure out how to remove it. Does anybody have any ideas?
 
Windows Defender was not able to detect e2give in safe mode. I ran a full
system scan and nothing was detected in safe mode. e2give is still detected
when Windows is running normally.
 
OK, well, on my most recent scan with Windows Defender, e2give wasn't
detected, but I'm still having problems. There must be something else that
isn't being detected.
On websites certain links, or certain words in links, aren't working. For
example, at yahoo.com all the links should be blue, but some are green instead.
It seems like certain key words are green. If I click on the green link I
get the wrong page. At yahoo.com I clicked on "real estate" (which was
green) and was directed to this site:
http://www.sendtec.com/direct-response-television.aspx

help please
 
I just removed this not one week ago.

E2give installs a DLL (I think it was ***win32.dll... can't remember the full
name; it was 3 characters and then win32.dll).

I think it installs the DLL into this registry position:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Either that, or it was:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

Can't recall. Anyway, I think it runs within legitimate programs due to
this registry entry. The program caused Ad-aware to constantly crash on the
machine I was fixing, and the DLL LOADED EVEN WHEN IN SAFE MODE. I killed it
by booting off of a Windows XP CD-ROM and running Recovery Console. I used
DOS commands to delete it in there and rebooted. Only then could I remove
the registry key without it automatically putting it back. Oh, there is also
another exe that E2Give drops. It has a random name and is set to autostart
under these three registry positions:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

If you don't remove those entries and delete the exe, it will automatically
reinstall the ***win32.dll upon system boot. You NEED TO MAKE SURE YOU KILL
THESE. CHANCES ARE, THESE ENTRIES WILL ONLY EXIST IN ONE USER'S ACCOUNT.
This would cause e2give to be "gone" until you logged on as the infected
user. (This happened to me.)

Someone with more knowledge of Windows internals will have to explain what
the DLL hook actually does. I'm really not sure. All I knew is that I had
to delete it, and I did.

OK, what I would do is go to http://www.sysinternals.com and download
Autoruns. Autoruns allows you to see all of the autostart entries set in
your computer. Using that program, find and identify the autorun entries for
the randomly named exe file, which will allow you to identify the name and
location of it. Delete the entries after writing down the info. Identify
the full name of the DLL that is hooking running programs and write its
full path down. Then, boot off of an XP CD and run Recovery Console. In
there, delete the DLL hook and the randomly named exe. Reboot into safe
mode. After that, run Ad-aware, Windows Defender, and Spybot-S&D to remove
the rest of the junk. Then, use Autoruns to delete the registry entry for
the DLL hook. Remember, at this point, the file no longer exists, so the
registry entry doesn't really do anything.

Oh, and if anyone has a better method of removing this lousy piece of
garbage, post it here. This is what I did on the fly. It worked pretty well
too!

~Aaron~
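The inventory step in Aaron's procedure (find the randomly named exe and the hooked DLL, write down their paths) can be scripted. The following is an added example, not code from the thread or from Sysinternals: it reads the five registry locations named in the post, resolves CLSID-named hook entries to the DLL they load, and reports whether each file exists on disk and whether it is Authenticode-signed. It assumes Windows PowerShell 5.1 or later and an elevated prompt so the HKLM keys are readable; it deletes nothing.

```powershell
# Added example, not code from the thread. Lists every value under the
# autostart keys Aaron names, resolves CLSID-named entries (ShellExecuteHooks,
# Shell Extensions\Approved) to their InprocServer32 DLL, and reports whether
# the file exists and whether it carries a valid Authenticode signature.
# Assumes Windows PowerShell 5.1+ on an elevated prompt. Nothing is deleted.
$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
)

function Resolve-AutostartFile {
    # Turn a registry value name/data pair into the on-disk file it points at.
    param([string]$Name, [string]$Data)
    if ($Name -match '^\{[0-9A-Fa-f-]{36}\}$') {
        # CLSID-keyed entry: the loaded file is the COM server's InprocServer32 default value
        $srv  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Name\InprocServer32"
        $Data = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
    }
    if ([string]::IsNullOrWhiteSpace($Data)) { return $null }
    # Strip surrounding quotes and any command-line arguments after the .exe/.dll
    $path = $Data -replace '^"([^"]+)".*$', '$1'
    $path = $path -replace '^(.+?\.(exe|dll))\b.*$', '$1'
    return [Environment]::ExpandEnvironmentVariables($path.Trim())
}

function Get-AutostartReport {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            $file   = Resolve-AutostartFile -Name $prop.Name -Data ([string]$prop.Value)
            $exists = $file -and (Test-Path -LiteralPath $file)
            [pscustomobject]@{
                Key    = $key
                Name   = $prop.Name
                File   = $file
                Exists = [bool]$exists
                # An unsigned, randomly named file in one of these keys is what to look at first
                Signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'n/a' }
            }
        }
    }
}

Get-AutostartReport | Format-Table -AutoSize
```

Because the Run/RunOnce keys are per-user (HKCU), run the report while logged on as the account that shows the symptoms, which matches the post's observation that the entries may exist in only one user's profile.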
 
thanks everyone

 