BleepingComputer.com: System32 Window won't go away


System32 Window won't go away How can I keep it from showing up?

#31 kamerlet

  • Member
  • Group: Members
  • Posts: 79
  • Joined: 03-August 09
  • Gender:Female
  • Location:Virginia

Posted 09 August 2009 - 05:15 PM

quietman7 thank you for the information. I am going to read over all the suggestions and the added info on Autoruns. Also, I really appreciated your explanation about running antivirus programs on Safe Mode. I never knew what made the difference.

Before I take any further action, I think I need to clarify something that may or may not make a difference. When I mentioned that I didn't see Pure Networks or any of the other programs on my system I was referring to Romeo29's suggestion that I remove it from the Add/Remove Programs.

I do however, have two Pure Networks files when I run a search.

One is in C:\Program Files but it is empty called Pure Networks

The other is in C:\Program Files\Common Files called Pure Networks Platform and has many "things" in it.

I don't know if any of this is pertinent. But, before I go ahead with your suggestions, I was wondering if the program is even necessary? Can I just remove it completely? I didn't have this problem until I remedied the prior problem which was the System32 window. So, I'm not even sure I was utilizing Pure Networks or not. Anywho, quite simply I'm wondering if it is something useful or can be safely removed.

If, after reading this, you still advise the Autorun, MBAM, and Rooter.exe, let me know.

Thanks for your time.
If Jimmy cracks corn and nobody cares, why did they write a song about him?

#32 quietman7

  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,513
  • Joined: 09-July 05
  • Gender:Male
  • Location:Virginia, USA

Posted 10 August 2009 - 07:01 AM

Quote

I really appreciated your explanation about running antivirus programs on Safe Mode.

That explanation was specifically for MBAM because of the way the tool is designed but is generally applicable to anti-rootkit tools which use special drivers designed to work in normal mode.

With other anti-malware and anti-virus programs, using safe mode may be more effective. Why use safe mode? The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas when the files are being used. Using "Safe Mode" reduces the number of modules requesting files to only the essentials to make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files when performing scans with anti-virus and anti-malware tools.

About Pure Networks

Quote

Pure Networks, acquired by Cisco Systems, Inc. in August 2008, provides software that empowers people to easily set up, manage and secure a home or small office network so they can enjoy a connected life.

Network Magic, award-winning software, simplifies network configuration, assists with troubleshooting and performance, and delivers a secure, reliable and effortless way to share Internet connections, printers, files, pictures and more.

Pure Networks Platform
With the proliferation of devices, the network is rapidly evolving into a central component for delivering the digital lifestyle to consumers. Pure Networks offers OEMs, ODMs, ISPs, ISVs and service providers a robust, flexible platform that lets them quickly and easily develop applications to help consumers get all of their devices connected, take advantage of the new entertainment and services and improve their overall productivity at home or at work.


Pure Networks also used Port Magic which came bundled with AOL 9.0 Optimized SE software. It was supposed to automatically configure in-home Internet gateways to improve access and performance for applications such as instant messaging, online gaming, streaming music and video. When I used AOL, I never used this application so I just left it alone. Others removed it completely without any adverse effects on their machines. Many users are not always aware of programs that come bundled with software such as AOL and so they never use them or even realize they have been installed.

The program would have installed in C:\Program Files. If you used Add/Remove it may have uninstalled Pure Networks but left an empty folder which is not unusual with some programs which do not always completely remove themselves. The folder in C:\Program Files\Common Files\Pure Networks Platform is a related folder. Again, many software applications will install additional folders and files in the Common Files folder and the uninstallers do not remove them fully. Because of this some vendors will provide additional uninstaller tools to remove all remnants of their software. I did not see anything like that for Pure Networks when doing a quick search but you could always contact the vendor and ask.

Quote

If, after reading this, you still advise the Autorun, MBAM, and Rooter.exe, let me know.

Yes.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#33 kamerlet

Posted 10 August 2009 - 07:08 AM

quietman7 Thanks again for the great information. I'm off to work and will tackle this when I return. I will let you know what turns up.

#34 quietman7

Posted 10 August 2009 - 07:32 AM

Not a problem.

#35 kamerlet

Posted 10 August 2009 - 12:56 PM

Ok...things are looking good. I ran the Autorun and deleted anything associated with Pure Networks. Rebooted with NO Pure Networks Platform errors. Yeah!


BTW... When I was searching the Autorun I saw the suspicious entry that Romeo29 had noticed. See post #19
e ==> [C:\WINDOWS\System32\eimgvo.exe]

I didn't do anything to it, but I thought I'd mention that I did see it. Should I go back in and delete it?

Ran MBAM. No detections found. Here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2572
Windows 5.1.2600 Service Pack 3

8/10/2009 1:33:31 PM
mbam-log-2009-08-10 (13-33-31).txt

Scan type: Quick Scan
Objects scanned: 91139
Time elapsed: 11 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Going to tackle the Rooter.exe and will post back.
Kendra

EDIT: I forgot to mention I read the additional info about AutoRun and unless you really think it's something to keep onboard, I was going to delete it. Should I delete it before I do the Rooter.exe or does it not make a difference?

This post has been edited by kamerlet: 10 August 2009 - 01:01 PM


#36 quietman7

Posted 10 August 2009 - 01:17 PM

Quote

When I was searching the Autorun I saw the suspicious entry that Romeo29 had noticed. See post #19
e ==> [C:\WINDOWS\System32\eimgvo.exe]

I didn't do anything to it, but I thought I'd mention that I did see it. Should I go back in and delete it?

Yes. I also said it was suspicious in Post #30. Since the file was not found on your system, that entry can be removed.

Quote

I read the additional info about AutoRun and unless you really think it's something to keep onboard, I was going to delete it. Should I delete it before I do the Rooter.exe or does it not make a difference?

It makes no difference but I would keep it as AutoRuns is a handy tool to have.

This post has been edited by quietman7: 10 August 2009 - 01:17 PM

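The check discussed in posts #35 and #36 (an autostart entry whose file is not found on the system is a leftover that can be removed) can be scripted. The following is an added example, not part of the original thread and not how Autoruns itself works: a read-only PowerShell script that reports such entries. It assumes PowerShell 3.0 or later and looks only at the two standard Run keys; the function names Get-CommandTarget and Find-OrphanedRunEntry are hypothetical.

```powershell
# Added example (not from the thread): report Run-key autostart entries whose
# target file no longer exists. Read-only: nothing is deleted or changed.
# Assumes PowerShell 3.0+; covers only the two standard Run keys.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run-key command line.
function Get-CommandTarget {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted path: "C:\Program Files\App\app.exe" /arg
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path, possibly with spaces: cut after the first program extension
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $Matches[1] }
    # Fallback: first whitespace-delimited token
    return ($cmd -split '\s+')[0]
}

function Find-OrphanedRunEntry {
    foreach ($keyPath in $RunKeys) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($command)) { continue }
            $target = Get-CommandTarget -Command $command
            # Full paths are checked on disk; bare names (e.g. ctfmon.exe)
            # are resolved through PATH the way Windows would.
            $found = (Test-Path -LiteralPath $target -PathType Leaf) -or
                     [bool](Get-Command -Name $target -CommandType Application -ErrorAction SilentlyContinue)
            if (-not $found) {
                [pscustomobject]@{
                    Key = $keyPath; Name = $name; Command = $command; MissingTarget = $target
                }
            }
        }
    }
}

Find-OrphanedRunEntry | Format-List
```

Entries launched through a host such as rundll32.exe resolve to the host program, so a missing DLL behind them is not reported by this script.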

#37 kamerlet

Posted 10 August 2009 - 04:07 PM

My sincere apologies quietman7. I feel like such a knucklehead. You most certainly did reference those suspicious files. I guess I was obsessing so much on the whole Pure Networks and Network Magic files that I didn't even notice. My bad.

OK, let's see. First I went back and did the Autorun again and took out:

C:\WINDOWS\JDJTFPVBH.exe
C:\WINDOWS\System32\eimgvo.exe

Reran the MBAM. No malicious items detected.

Followed up with the Rooter.exe and tried to follow all the suggestions before running it to get the purest results. Here are the scan results.

***********************************

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 1 Stepping 2, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 7.0.5730.11
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:32 Go - Free:11 Go )
D:\ [CD_Rom]
E:\ [Removable]
.
Scan : 16:09.11
Path : C:\Documents and Settings\Owner\Desktop\Rooter.exe
User : Owner ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (432)
______ \??\C:\WINDOWS\system32\csrss.exe (480)
______ \??\C:\WINDOWS\system32\winlogon.exe (504)
______ C:\WINDOWS\system32\services.exe (548)
______ C:\WINDOWS\system32\lsass.exe (560)
______ C:\WINDOWS\system32\svchost.exe (708)
______ C:\WINDOWS\system32\svchost.exe (768)
______ C:\WINDOWS\System32\svchost.exe (832)
______ C:\WINDOWS\System32\svchost.exe (880)
______ C:\WINDOWS\System32\svchost.exe (936)
______ C:\WINDOWS\Explorer.EXE (1240)
______ C:\WINDOWS\system32\spoolsv.exe (1328)
______ C:\windows\system\hpsysdrv.exe (1656)
______ C:\HP\KBD\KBD.EXE (1672)
______ C:\Program Files\Common Files\AOL\1183654668\ee\AOLSoftware.exe (1928)
______ C:\Program Files\iTunes\iTunesHelper.exe (1936)
______ C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe (1948)
______ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE (1960)
______ C:\Program Files\Java\jre6\bin\jusched.exe (1992)
______ C:\Program Files\Common Files\Real\Update_OB\realsched.exe (2004)
______ C:\WINDOWS\system32\ctfmon.exe (2024)
______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (2040)
______ C:\WINDOWS\System32\svchost.exe (200)
______ C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (360)
______ C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe (468)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (740)
______ C:\WINDOWS\System32\drivers\CDAC11BA.EXE (816)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1156)
______ C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe (1472)
______ C:\WINDOWS\System32\nvsvc32.exe (1172)
______ C:\WINDOWS\System32\svchost.exe (1572)
______ C:\WINDOWS\system32\wdfmgr.exe (1300)
______ C:\Program Files\Viewpoint\Common\ViewpointService.exe (1820)
______ C:\WINDOWS\wanmpsvc.exe (1908)
______ C:\WINDOWS\system32\java.exe (2672)
______ C:\Program Files\iPod\bin\iPodService.exe (3240)
______ C:\WINDOWS\System32\alg.exe (3396)
______ C:\WINDOWS\System32\svchost.exe (2444)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (2400)
______ C:\Documents and Settings\Owner\Desktop\Rooter.exe (3604)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:4613865984)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:4613898240 | Length:35393863680)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\Scan.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 16:10.45
.
C:\Rooter$\Rooter_1.txt - (10/08/2009 | 16:10.45)

#38 quietman7

Posted 10 August 2009 - 07:47 PM

Everything looks OK. How is your computer running now...any more issues?

#39 kamerlet

Posted 10 August 2009 - 08:32 PM

:thumbsup: quietman7, I'm so happy to report everything seems great! Thanks so much for hanging in there with me. I couldn't have done it without your guidance and I'm just so jazzed that I learned so much.
:flowers:
Kendra

#40 quietman7

Posted 11 August 2009 - 06:39 AM

Not a problem but we really have our BC Advisors (Romeo29, Budapest) to thank for the bulk of the work in this thread. :thumbsup:

Now you should Create a New Restore Point to enable your computer to "roll-back" to a clean working state if you encounter future issues. The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.


#41 kamerlet

Posted 11 August 2009 - 06:47 AM

I'm in total agreement. Kudos to Budapest who guided me thru a nasty antivirus removal prior to this. He's super-terrific. And a big thank you to Romeo29 as well.

I went ahead and created a new Restore Point.

Thank you ALL. :thumbsup:

EDIT: Hey quietman7 I just noticed you're a fellow Virginian!

This post has been edited by kamerlet: 11 August 2009 - 06:49 AM


#42 quietman7

Posted 11 August 2009 - 07:49 AM

You're welcome on behalf of the Bleeping Computer community.

Yep, I'm a Virginian these days.