Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Adaware.purityscan and other problems

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Adaware.purityscan and other problems

Unread postby joelvelasco » June 29th, 2008, 6:22 pm

Hi, I am using Windows XP and have been infected by at least one (probably more) viruses or malware items. When I run symantec antivirus it sometimes detects a few viruses (that seem to differ every time) but usually including adaware.purityscan. The program says it cleans it and requires a reboot. When I do this, it usually boots up and immediately symantec pops up that there is a problem with a netdde.exe file (usually with a few question marks in various places in the address). Pretty soon symantec will auto-detect various viruses and eventually it will be the purityscan thing again and ask me to reboot. So I have been running full scans and rebooting the computer many many times in the last two days and no progress seems to be made (but different problems seem to occur each time).

Thank you so much for any help you can give me. Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:15 AM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://philosophy.wisc.edu/velasco/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {75A4654D-394D-4DA5-8763-08025121BF1D} - C:\WINDOWS\system32\xxywWOGX.dll
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {97275b55-66f3-cef9-3bd4-31e4df5fc64e} - {e46cf5fd-4e13-4db3-9fec-3f6655b57279} - C:\WINDOWS\system32\zworbe.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139181484\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [f83dfad9] rundll32.exe "C:\WINDOWS\system32\syokvjtv.dll",b
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BMfb0ec945] Rundll32.exe "C:\WINDOWS\system32\pbvlojtt.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Hategpuc] "C:\Documents and Settings\Joel Velasco\Application Data\??stem\n?tdde.exe"
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\SSTEM3~1\cmd.exe" -vt ndrv
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Joel Velasco\Desktop\From old Computer\AIM95\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsup ... gctlsr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} (VOGWeb2 Class) - http://engine.vogclub.com/activex/vogweb29.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wisc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wisc.edu
O20 - Winlogon Notify: efcAQhgd - efcAQhgd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11070 bytes
joelvelasco
Active Member
 
Posts: 13
Joined: June 29th, 2008, 11:16 am
Advertisement
Register to Remove

Re: Adaware.purityscan and other problems

Unread postby Shaba » July 2nd, 2008, 3:14 am

Hi joelvelasco

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Adaware.purityscan and other problems

Unread postby joelvelasco » July 2nd, 2008, 11:04 am

ComboFix 08-07-01.3 - Joel Velasco 2008-07-02 9:40:19.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.140 [GMT -5:00]

Running from: C:\Documents and Settings\Joel Velasco\Desktop\ComboFix.exe

* Created a new restore point



WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



C:\Documents and Settings\Joel Velasco\Application Data\STEM~1

C:\Documents and Settings\Joel Velasco\Application Data\STEM~1\n?tdde.exe

C:\Program Files\Spruce

C:\Program Files\Spruce\Spruce.dll

C:\Program Files\Spruce\Spruce.dll.intermediate.manifest

C:\Program Files\Spruce\Spruce.exe

C:\Program Files\Spruce\Spruce.original

C:\Program Files\Spruce\SpruceRg.dll

C:\Program Files\Spruce\un_SpruceSetup_17737.exe

C:\Program Files\Spruce\un_SpruceSetup_17737.txt

C:\Program Files\Spruce\X_Spruce.exe

C:\Program Files\Spruce\X_Spruce.log

C:\Program Files\Temporary

C:\Program Files\WinAble

C:\Temp\vtmp2

C:\WINDOWS\cookies.ini

C:\WINDOWS\pskt.ini

C:\WINDOWS\sstem3~1

C:\WINDOWS\sstem3~1\cmd.exe

C:\WINDOWS\sstem3~1\s?stem32\

C:\WINDOWS\system32\hmfmoqhd.dll

C:\WINDOWS\system32\htwjieqe.ini

C:\WINDOWS\system32\MSINET.oca

C:\WINDOWS\system32\pac.txt

C:\WINDOWS\system32\pbvlojtt.dll

C:\WINDOWS\system32\syokvjtv.dll

C:\WINDOWS\SYSTEM32\vtjvkoys.ini

C:\WINDOWS\SYSTEM32\XGOWwyxx.ini

C:\WINDOWS\SYSTEM32\XGOWwyxx.ini2

C:\WINDOWS\system32\xhwjgpda.ini

C:\WINDOWS\system32\xxywWOGX.dll

C:\WINDOWS\system32\zworbe.dll

C:\WINDOWS\uninst2.htm

C:\WINDOWS\unist1.htm



.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.



-------\Service_npf





((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))

.



2008-06-29 11:31 . 2008-06-29 11:31 <DIR> d-------- C:\Program Files\Trend Micro

2008-06-28 23:08 . 2008-06-28 23:08 4,286 --a------ C:\WINDOWS\SYSTEM32\Jamster.ico

2008-06-28 19:51 . 2008-06-28 19:51 <DIR> d-------- C:\Program Files\ToniArts

2008-06-26 20:10 . 2008-07-02 09:35 110,419 --a------ C:\WINDOWS\BMfb0ec945.xml

2008-06-26 19:05 . 2008-06-26 19:05 <DIR> d-------- C:\Program Files\Uniblue

2008-06-26 19:05 . 2008-06-26 19:05 <DIR> d-------- C:\Documents and Settings\Joel Velasco\Application Data\Uniblue

2008-06-26 19:02 . 2008-06-28 19:48 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}

2008-06-26 18:22 . 2008-06-26 18:23 79,388,822 --a------ C:\SYM_REGISTRY_BACKUP.reg

2008-06-26 14:13 . 2008-06-26 14:13 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico

2008-06-26 14:05 . 2008-06-26 14:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\modtrux01

2008-06-26 14:05 . 2008-06-26 14:05 <DIR> d-------- C:\Temp\syschk3

2008-06-11 02:22 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

2008-06-08 22:16 . 2008-06-08 22:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\vntiho01



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-02 14:52 --------- d-----w C:\Program Files\Symantec AntiVirus

2008-06-29 02:04 --------- d-----w C:\Program Files\Viewpoint

2008-06-29 00:59 --------- d-----w C:\Program Files\Mozilla Thunderbird

2008-06-29 00:59 --------- d-----w C:\Documents and Settings\Joel Velasco\Application Data\uTorrent

2008-06-29 00:51 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-06-29 00:50 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-05-14 03:49 --------- d-----w C:\Documents and Settings\Joel Velasco\Application Data\AdobeUM

2008-05-09 00:36 20,416 ----a-w C:\Documents and Settings\Joel Velasco\Application Data\GDIPFONTCACHEV1.DAT

2008-05-08 14:38 --------- d-----w C:\Program Files\Plaxo

2008-05-08 14:37 --------- d-----w C:\Program Files\Magic Workstation

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2005-04-17 19:00 18,312 ----a-w C:\Documents and Settings\Jennifer Velasco\Application Data\GDIPFONTCACHEV1.DAT

2003-07-29 05:15 307,200 ----a-w C:\Program Files\internet explorer\plugins\djvu0407.dll

2003-07-29 05:15 303,104 ----a-w C:\Program Files\internet explorer\plugins\djvu0409.dll

2003-07-29 05:15 311,296 ----a-w C:\Program Files\internet explorer\plugins\djvu040c.dll

2003-07-29 05:15 299,008 ----a-w C:\Program Files\internet explorer\plugins\djvu0411.dll

2003-07-29 05:15 299,008 ----a-w C:\Program Files\internet explorer\plugins\djvu0412.dll

2003-07-29 05:15 290,816 ----a-w C:\Program Files\internet explorer\plugins\djvu0804.dll

2003-07-29 05:15 122,880 ----a-w C:\Program Files\internet explorer\plugins\DjVuCntl.dll

.



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Hategpuc"="C:\Documents and Settings\Joel Velasco\Application Data\??stem\n?tdde.exe" [?]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 10:53 68856]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]

"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 21:11 57344]

"HostManager"="C:\Program Files\Common Files\AOL\1139181484\ee\AOLSoftware.exe" [2006-04-20 12:10 50792]

"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-09-20 09:35 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]

"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59 124520]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-09-20 09:32 77824]

"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]

"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]



C:\Documents and Settings\Joel Velasco\Start Menu\Programs\Startup\

Spruce - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir [2007-12-26 20:25:10 178390]



C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 23:37:56 217194]



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"vsmon"=2 (0x2)



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"C:\\Program Files\\Starcraft\\StarCraft.exe"=

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\Program Files\\Common Files\\AOL\\1139181484\\ee\\aolsoftware.exe"=

"C:\\Program Files\\Common Files\\AOL\\1139181484\\ee\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\SecureFX\\SecureFX.exe"=

"C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"62515:UDP"= 62515:UDP:WiscVPN Client Service



R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2003-02-10 04:52]

R2 AsfAlrt;AsfAlrt;C:\WINDOWS\System32\drivers\AsfAlrt.sys [2002-12-18 04:31]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

S3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;C:\WINDOWS\system32\drivers\A302.sys [2003-04-15 10:39]



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\AutoPlay.exe -c



.

Contents of the 'Scheduled Tasks' folder

"2008-07-01 15:43:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

- - - - ORPHANS REMOVED - - - -



WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

HKCU-Run-Ncao - C:\WINDOWS\SSTEM3~1\cmd.exe

HKCU-Run-Aim6 - (no file)

HKLM-Run-f83dfad9 - C:\WINDOWS\system32\syokvjtv.dll

HKLM-Run-TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe

HKLM-Run-BMfb0ec945 - C:\WINDOWS\system32\pbvlojtt.dll

Notify-efcAQhgd - efcAQhgd.dll





**************************************************************************



catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-02 09:51:59

Windows 5.1.2600 Service Pack 2 NTFS



scanning hidden processes ...



C:\WINDOWS\explorer.exe [1752] 0x8223EDA0



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden files: 0



**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\SYSTEM32\LEXBCES.EXE

C:\WINDOWS\SYSTEM32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\WINDOWS\SYSTEM32\rundll32.exe

C:\WINDOWS\SYSTEM32\rundll32.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\SYSTEM32\rundll32.exe

C:\Program Files\iTunes\iTunes.exe

.

**************************************************************************

.

Completion time: 2008-07-02 10:01:07 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-02 15:00:59



Pre-Run: 20,913,664,000 bytes free

Post-Run: 21,403,254,784 bytes free



191 --- E O F --- 2008-06-20 08:01:36
joelvelasco
Active Member
 
Posts: 13
Joined: June 29th, 2008, 11:16 am

Re: Adaware.purityscan and other problems

Unread postby Shaba » July 2nd, 2008, 2:50 pm

Hi

Please post a fresh HijackThis log as well :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Adaware.purityscan and other problems

Unread postby joelvelasco » July 2nd, 2008, 3:26 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:57 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\AOL\1139181484\ee\AOLSoftware.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://philosophy.wisc.edu/velasco/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139181484\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Hategpuc] "C:\Documents and Settings\Joel Velasco\Application Data\??stem\n?tdde.exe"
O4 - Startup: Spruce - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Joel Velasco\Desktop\From old Computer\AIM95\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsup ... gctlsr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} (VOGWeb2 Class) - http://engine.vogclub.com/activex/vogweb29.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wisc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wisc.edu
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10173 bytes
joelvelasco
Active Member
 
Posts: 13
Joined: June 29th, 2008, 11:16 am

Re: Adaware.purityscan and other problems

Unread postby Shaba » July 3rd, 2008, 3:36 am

Hi

Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
File::
C:\WINDOWS\BMfb0ec945.xml
C:\Documents and Settings\Joel Velasco\Start Menu\Programs\Startup\Spruce - Auto Update.lnk 

DirLook::
C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}

Folder::
C:\WINDOWS\SYSTEM32\modtrux01
C:\Temp\syschk3
C:\WINDOWS\SYSTEM32\vntiho01

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hategpuc"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Adaware.purityscan and other problems

Unread postby joelvelasco » July 3rd, 2008, 10:13 am

During the combofix run an updater for adobe flash player popped up but nothing else did (I did not click on anything - and my internet connection was disabled at the time). Here is the combofix log followed by the hijack log.

Thanks


ComboFix 08-07-01.3 - Joel Velasco 2008-07-03 8:59:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.234 [GMT -5:00]
Running from: C:\Documents and Settings\Joel Velasco\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joel Velasco\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Joel Velasco\Start Menu\Programs\Startup\Spruce - Auto Update.lnk
C:\WINDOWS\BMfb0ec945.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Joel Velasco\Start Menu\Programs\Startup\Spruce - Auto Update.lnk
C:\Temp\syschk3
C:\WINDOWS\BMfb0ec945.xml
C:\WINDOWS\SYSTEM32\modtrux01
C:\WINDOWS\SYSTEM32\vntiho01

.
((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.

2008-06-29 11:31 . 2008-06-29 11:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 23:08 . 2008-06-28 23:08 4,286 --a------ C:\WINDOWS\SYSTEM32\Jamster.ico
2008-06-28 19:51 . 2008-06-28 19:51 <DIR> d-------- C:\Program Files\ToniArts
2008-06-26 19:05 . 2008-06-26 19:05 <DIR> d-------- C:\Program Files\Uniblue
2008-06-26 19:05 . 2008-06-26 19:05 <DIR> d-------- C:\Documents and Settings\Joel Velasco\Application Data\Uniblue
2008-06-26 19:02 . 2008-06-28 19:48 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}
2008-06-26 18:22 . 2008-06-26 18:23 79,388,822 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-06-26 14:13 . 2008-06-26 14:13 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-06-11 02:22 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 14:52 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-29 02:04 --------- d-----w C:\Program Files\Viewpoint
2008-06-29 00:59 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-29 00:59 --------- d-----w C:\Documents and Settings\Joel Velasco\Application Data\uTorrent
2008-06-29 00:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 00:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-14 03:49 --------- d-----w C:\Documents and Settings\Joel Velasco\Application Data\AdobeUM
2008-05-09 00:36 20,416 ----a-w C:\Documents and Settings\Joel Velasco\Application Data\GDIPFONTCACHEV1.DAT
2008-05-08 14:38 --------- d-----w C:\Program Files\Plaxo
2008-05-08 14:37 --------- d-----w C:\Program Files\Magic Workstation
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2005-04-17 19:00 18,312 ----a-w C:\Documents and Settings\Jennifer Velasco\Application Data\GDIPFONTCACHEV1.DAT
2003-07-29 05:15 307,200 ----a-w C:\Program Files\internet explorer\plugins\djvu0407.dll
2003-07-29 05:15 303,104 ----a-w C:\Program Files\internet explorer\plugins\djvu0409.dll
2003-07-29 05:15 311,296 ----a-w C:\Program Files\internet explorer\plugins\djvu040c.dll
2003-07-29 05:15 299,008 ----a-w C:\Program Files\internet explorer\plugins\djvu0411.dll
2003-07-29 05:15 299,008 ----a-w C:\Program Files\internet explorer\plugins\djvu0412.dll
2003-07-29 05:15 290,816 ----a-w C:\Program Files\internet explorer\plugins\djvu0804.dll
2003-07-29 05:15 122,880 ----a-w C:\Program Files\internet explorer\plugins\DjVuCntl.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D} ----

2008-06-28 19:48 293 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\uniblue registrybooster.dat
2008-06-26 19:05 1631 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\uniblue registrybooster.par
2008-06-26 19:05 105 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\instance.dat
2008-06-26 19:05 0 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\{E63E34A7-E552-412B-9E40-FD6FC5227ABA}
2008-06-26 19:04 0 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\OFFLINE\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}
2008-06-26 19:04 0 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}
2008-06-03 03:21 579156 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\mia.lib
2008-06-03 03:21 269312 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\uniblue registrybooster.msi
2008-06-03 03:21 2357785 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\uniblue registrybooster.exe
2008-06-03 03:21 2087030 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\uniblue registrybooster.res
2008-05-27 08:29 5733 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\2877B6A4\517D4EA1\anim.gif
2008-05-22 02:23 43302 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\68E067BF\517D4EA1\RegistryBooster_108.ico
2008-05-05 06:01 99608 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\E9E51D07\517D4EA1\StartRegistryBooster.exe
2008-05-05 06:01 1923352 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\C18B0827\517D4EA1\RegistryBooster.exe
2008-05-05 06:01 111896 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\B4575DD0\517D4EA1\KillRBProcess.exe
2008-04-30 08:32 6168576 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\9C09D838\517D4EA1\RegistryBooster.dll
2008-04-30 08:30 36734 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\EB1DA750\517D4EA1\IniFile.ini
2008-04-24 04:02 765952 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\B359E065\517D4EA1\UBVarRB.dll
2007-06-04 14:34 6144 --ahs---- C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\Thumbs.db
2007-03-29 05:28 2144022 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\28B858DD\517D4EA1\RB.chm
2006-09-18 09:53 497496 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\12912B06\517D4EA1\XceedZip.dll
2006-09-18 09:53 405504 --a------ C:\Documents and Settings\All Users\Application Data\{F9AC68EC-7828-47BE-96E8-705EE2D1CF7D}\Default\98A7578C\517D4EA1\QHTM.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 10:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 21:11 57344]
"HostManager"="C:\Program Files\Common Files\AOL\1139181484\ee\AOLSoftware.exe" [2006-04-20 12:10 50792]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59 124520]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-09-20 09:32 77824]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 23:37:56 217194]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139181484\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139181484\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SecureFX\\SecureFX.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62515:UDP"= 62515:UDP:WiscVPN Client Service

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2003-02-10 04:52]
R2 AsfAlrt;AsfAlrt;C:\WINDOWS\System32\drivers\AsfAlrt.sys [2002-12-18 04:31]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;C:\WINDOWS\system32\drivers\A302.sys [2003-04-15 10:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\AutoPlay.exe -c

.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 15:43:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 09:02:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-03 9:05:51
ComboFix-quarantined-files.txt 2008-07-03 14:04:53
ComboFix2.txt 2008-07-02 15:01:09

Pre-Run: 21,395,255,296 bytes free
Post-Run: 21,382,877,184 bytes free

152 --- E O F --- 2008-06-20 08:01:36


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:04 AM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\AOL\1139181484\ee\AOLSoftware.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://philosophy.wisc.edu/velasco/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139181484\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Joel Velasco\Desktop\From old Computer\AIM95\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsup ... gctlsr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} (VOGWeb2 Class) - http://engine.vogclub.com/activex/vogweb29.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wisc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wisc.edu
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9865 bytes
joelvelasco
Active Member
 
Posts: 13
Joined: June 29th, 2008, 11:16 am

Re: Adaware.purityscan and other problems

Unread postby Shaba » July 3rd, 2008, 10:16 am

Hi

Please make sure that all programs are closed when installing Java.

  1. Click here to visit Java's website.
  2. Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
  3. Select Windows from the drop-down list for Platform.
  4. Select Multi-language from the drop-down list for Language.
  5. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  6. Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
  7. Double click on jre-6u6-windows-i586-p.exe to install Java.
  8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
  9. Read through the requirements and privacy statement and click on Accept button.
  10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  11. When the downloads have finished, click on Settings.
  12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  13. Click on My Computer under Scan.
  14. Once the scan is complete, it will display the results. Click on View Scan Report.
  15. You will see a list of infected items there. Click on Save Report As....
  16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  17. Please post this log in your next reply along with a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Adaware.purityscan and other problems

Unread postby joelvelasco » July 3rd, 2008, 10:47 am

Very soon after I posted my last message, a Symantec AntiVirus notification popped up which says that an auto scan found a threat - the threat is Adware.Purityscan (spelled correctly here - sorry if it was always "Adware" instead of "Adaware") The file listed is "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP2\A0000013.exe" and the location is listed as "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP2"
Then soon the Auto-Protect Results popped up with the risk listed as Adware.Purityscan and action recommended is Roboot Required - Quarantine with the Filename as A0000013.exe

I have not done anything about this and I will go to the Java website anyway and follow your instructions
joelvelasco
Active Member
 
Posts: 13
Joined: June 29th, 2008, 11:16 am

Re: Adaware.purityscan and other problems

Unread postby joelvelasco » July 3rd, 2008, 10:51 am

I tried to run the Java program and Java Web Start 1.4.2_03 did pop up and it says starting application but then another window popped up with says Security Warning "Warning:Failed to verify the authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. Installing and running this code is not allowed. Then I have to click on an Exit box.
joelvelasco
Active Member
 
Posts: 13
Joined: June 29th, 2008, 11:16 am

Re: Adaware.purityscan and other problems

Unread postby Shaba » July 3rd, 2008, 10:57 am

Hi

Symantec notice is fine, there are viruses in system restore for sure.

You can try to re-download java, if still no go, we use another way.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Adaware.purityscan and other problems

Unread postby joelvelasco » July 3rd, 2008, 11:07 am

Just re-clicked on java file (1215096538107-integrated Properties) listed as a JNLP File and saved on my desktop. But the security warning about the authenticity immediately popped up again so nothing happened.
joelvelasco
Active Member
 
Posts: 13
Joined: June 29th, 2008, 11:16 am

Re: Adaware.purityscan and other problems

Unread postby Shaba » July 3rd, 2008, 11:16 am

Hi

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Adaware.purityscan and other problems

Unread postby joelvelasco » July 3rd, 2008, 11:39 am

Internet connection appears to be working fine but I can't seem to connect to update Malwarebytes' Anti-Malware. The installation file was downloaded and setup was run. When I run the program it looks for an update. First, it said looking for "It-Mate.col.uk" After a few minutes I gave up and reopened the program. Under the Update tab I have tried update mirror Malwarebytes.org and MalwareSupport.com and in all three cases, the update window pops up and it looks for something without ever progressing. Should I go ahead and run the full scan without an update? Or is there something I can try to get an update?
joelvelasco
Active Member
 
Posts: 13
Joined: June 29th, 2008, 11:16 am

Re: Adaware.purityscan and other problems

Unread postby Shaba » July 3rd, 2008, 11:51 am

Hi

Try this link before that. If download is successful, execute that file when mbam is closed.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 266 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware