Adware.purityscan Infection


17 replies to this topic

#1 quarri


Posted 19 December 2007 - 05:47 PM

Hello all, I am brand new to this site. I apologize in advance for any obvious errors I make, which come from lack of knowledge/experience... Thanks in advance for any help, and for bearing with me!

I have a Dell desktop, about 3 years old, running Windows XP Home, and we run Symantec and Spybot scans and search for updates at least once a week; I am posting this from my office, so I don't have access to immediate specs, though I can post them when I get home.

However, I'm reluctant to use the Internet from home because Symantec keeps detecting a virus: Adware.purityscan. Symantec popped up a window stating that it had found Adware.purityscan, with the file name fast.exe, as well as some other files that it said it had caught and deleted or quarantined. (I can't remember the names of these other files, but nothing but adware.purityscan has shown up on subsequent scans.) We made certain that we had the most recent updates for Symantec and ran a full scan. While this scan was running, a window popped up to a site we had never been to, ironically wanting us to download antivirus software. We carefully closed this window without clicking any of its option buttons ("download" "cancel" etc.) and that was the only time we've seen it. That's been the only overt thing that it has done. However, when we went to double-check our Windows Internet security settings before going to the Symantec site, we found that it was set to "accept all cookies", which neither of us ever do; we changed it to a higher security setting, but we have found that while our readjustments last while the computer is on, any time we reboot, the cookie settings revert back to "accept all", which we suspect has something to do with the virus. This is the only setting that changes.

We got it pretty late Monday night, so after it showed up in the initial scan we shut down the computer. Last night we turned it back on and ran full scans with the most recently updated versions of both Symantec and Spybot. Spybot showed nothing, other than a cookie from somewhere called Yazzle, I think, which we removed; Symantec kept catching adware.purityscan when it would do a scan (and it would also pop up a window telling us it had found the virus a few seconds after we would open our internet browser), but told us that it needed to undergo a termination process that required a computer reboot. We've rebooted the computer, with some trepidation, but nothing has happened one way or the other; the virus still shows up on Symantec when we run a scan, but it doesn't do anything else (except possibly adjust the cookie settings) on the computer. My husband was going to see if he could restore the system to an earlier point as we have done previously and successfully when we have gotten a virus, but when he went to restore it the computer couldn't find a save point earlier than Monday the 17th, the day we got the virus. D'oh!

Symantec has an entry for Adware.purityscan, which is at:
http://www.symantec.com/security_response/...-090516-2325-99
We have attempted to do what they have recommended, but while Symantec's scan keeps finding the virus, apparently its cleaning procedures aren't working. (Which isn't surprising, given that I believe their entry was from 2005.) And they list files they recommend looking for and deleting out of our registry, but none of them are there at all. We did find a file not on Symantec's list in HKEY_CURRENT_USER that has not been there before that contained the filename fast.exe, and we deleted it (the file, not the registry key); Symantec didn't catch the virus when we subsequently opened a Firefox window, but then when we accessed the internet via Internet Explorer (for some reason my husband is convinced that we must be getting this virus through security flaws in Firefox), Symantec caught it and then continued to find it regularly no matter what browser we tried.

Sorry for the length and the detail, but I figured it was better to go into more detail than necessary rather than to be insufficient. As of 8:20 this morning Symantec still wasn't able to clean or quarantine it with a full system scan, just to detect it. Since, beyond the very basics, we don't really have any software expertise, I am reluctant to putter around with it extensively; a lot of the discussions for dealing with Purityscan I've seen involve deleting very specific files from very specific folders, and I don't want to delete the wrong thing because I wasn't sure what I was doing. I should also note that we don't have HijackThis installed; I'm worried about downloading a new program with a known virus threat on the computer, but if it would help diagnose the problem I'm all about it (and I will post any logs in the appropriate forum, of course). After looking up recommendations for dealing with this virus on the Internet, I'm really kicking myself for not installing it before. Any advice would be very welcome. Thanks so much!

#2 boopme

Posted 19 December 2007 - 10:11 PM

Hi quarri and welcome to Bleeping Computer

Please download and install these to desktop. DO NOT scan yet

SUPERAntiSpyware, Free Home User version

Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from HERE and unzip into the program's folder.)
Under the "Configuration and Preferences", click the Preferences... button.
Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.

Do not run a scan just yet.

SmitFraudFix, by S!Ri. Print the instructions now.

After both applications are installed, reboot into Safe Mode: How to start Windows in Safe Mode

Now click on the SmitFraudFix Desktop Icon and follow your printed instructions FULLY.
If a reboot was required, reboot again to Safe Mode; if still in Safe Mode, then...

Scan with SUPERAntiSpyware as follows:
Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Also copy and paste the Smitfraud results (C:\rapport.txt) in your next reply.

#3 quarri


Posted 20 December 2007 - 11:40 PM

Thank you so very much for your quick response, and my sincere apologies for not being able to reply in a similarly quick fashion. I've been trying to use my home computer as little as possible until I get this fixed, and so did not see your response until I arrived at work this morning; I've just finished the last scans tonight.

Here is the report from the initial Smitfraud search I ran, as per the Smitfraud instructions:


SmitFraudFix v2.274

Scan done at 18:32:25.84, Thu 12/20/2007
Run from C:\Documents and Settings\Terri Jordan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Terri Jordan


C:\Documents and Settings\Terri Jordan\Application Data


Start Menu


C:\DOCUME~1\TERRIJ~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Next is the second Smitfraud report that came up after I finished the Clean process.

SmitFraudFix v2.274

Scan done at 18:54:01.50, Thu 12/20/2007
Run from C:\Documents and Settings\Terri Jordan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix.exe by S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{ADBF0631-2600-4301-B569-BCC3EF0C23BC}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{ADBF0631-2600-4301-B569-BCC3EF0C23BC}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"Startup"="MCPSystemStartup"


Registry Cleaning

Registry Cleaning done.

Next reply will have the SuperAntiSpyware scan results.


#4 quarri


Posted 20 December 2007 - 11:44 PM

Here is the SuperAntiSpyware log. What should the next step I take be? And thank you very, very much for all your time and help (and patience!)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/20/2007 at 10:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3364
Trace Rules Database Version: 1363

Scan type : Complete Scan
Total Scan Time : 03:28:53

Memory items scanned : 179
Memory threats detected : 2
Registry items scanned : 5774
Registry threats detected : 13
File items scanned : 63998
File threats detected : 4

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\RQRRRPM.DLL
C:\WINDOWS\SYSTEM32\RQRRRPM.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rqrrrpm
C:\WINDOWS\SYSTEM32\IIFDABX.DLL

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\GEBCC.DLL
C:\WINDOWS\SYSTEM32\GEBCC.DLL
HKLM\Software\Classes\CLSID\{B532415F-AD3A-4716-96BB-7224E50AF317}
HKCR\CLSID\{B532415F-AD3A-4716-96BB-7224E50AF317}
HKCR\CLSID\{B532415F-AD3A-4716-96BB-7224E50AF317}\InprocServer32
HKCR\CLSID\{B532415F-AD3A-4716-96BB-7224E50AF317}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B532415F-AD3A-4716-96BB-7224E50AF317}

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}
HKCR\CLSID\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}
HKCR\CLSID\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}\InprocServer32
HKCR\CLSID\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}
HKCR\CLSID\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}

Adware.ClickSpring
C:\WINDOWS\SMANTE~1\FAST.EXE
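The SUPERAntiSpyware log above lists the registry persistence points the Vundo/WinFixer components used (Winlogon\Notify, Browser Helper Objects, ShellExecuteHooks). As an added example that is not part of this thread, the read-only PowerShell script below enumerates those same locations on a Windows host, resolves each CLSID to its InprocServer32 DLL and reports whether that DLL carries a valid Authenticode signature; it assumes an elevated prompt and changes nothing.

```powershell
# Added example, not from the thread: enumerate the persistence points that
# the SUPERAntiSpyware log shows being used (Winlogon\Notify, BHOs,
# ShellExecuteHooks), resolve CLSIDs to DLLs, and flag unsigned DLLs.
# Read-only; run from an elevated PowerShell prompt.

function Resolve-ClsidDll {
    # Map a CLSID to the DLL registered under HKCR\CLSID\{...}\InprocServer32.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) {
        $raw = (Get-ItemProperty -Path $key).'(default)'
        if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
    }
    return $null
}

function Get-DllVerdict {
    # Report signature status; a missing or unsigned DLL at a logon/Explorer
    # load point is what a responder wants to look at first.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') {
        return "Signed by $($sig.SignerCertificate.Subject)"
    }
    return "UNSIGNED ($($sig.Status))"
}

$findings = @()

# 1. Winlogon Notify packages: DLLs loaded into winlogon.exe at logon.
#    The log's rqrrrpm entry lived here.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        $findings += [pscustomobject]@{
            Source = 'Winlogon\Notify'; Name = $_.PSChildName
            Dll = $dll; Verdict = (Get-DllVerdict $dll)
        }
    }
}

# 2. Browser Helper Objects: subkeys named by CLSID, loaded by Internet Explorer.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem $bho | ForEach-Object {
        $dll = Resolve-ClsidDll $_.PSChildName
        $findings += [pscustomobject]@{
            Source = 'BHO'; Name = $_.PSChildName
            Dll = $dll; Verdict = (Get-DllVerdict $dll)
        }
    }
}

# 3. ShellExecuteHooks: CLSIDs stored as value names, loaded by Explorer
#    whenever anything is launched through the shell.
$seh = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $seh) {
    (Get-Item $seh).GetValueNames() | Where-Object { $_ -like '{*}' } | ForEach-Object {
        $dll = Resolve-ClsidDll $_
        $findings += [pscustomobject]@{
            Source = 'ShellExecuteHooks'; Name = $_
            Dll = $dll; Verdict = (Get-DllVerdict $dll)
        }
    }
}

$findings | Format-Table -AutoSize
```

Anything listed as MISSING or UNSIGNED with a DLL under System32 is worth comparing against the names in the scan log before deciding it is legitimate.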

#5 quietman7


Posted 21 December 2007 - 02:13 PM

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs. From within Add/Remove Programs highlight any of the following programs (if listed) and select "Remove".

ClickSpring
Cowabanga by OIN
ipwindows / ipwins
MediaTickets
MediaTickets by OIN
OIN
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX By OIN
Yazzle Cowabanga by OIN
Yazzle Kobe :filtered:! By OIN
Yazzle Picster by OIN
Yazzle Sudoku by OIN
Yazzle Snowballwars by OIN
Yazzle Kobe Balls! by OIN
Zolero Translator
or anything similar with OIN, Outer Info Network or Yazzle in them.

Important! Reboot when done.

Open My Computer or Windows Explorer, navigate to C:\Program Files and delete any of the named program folders listed above that you find (if they still exist).

Please follow the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

#6 quarri


Posted 21 December 2007 - 09:13 PM

Many thanks. I went to search for the files and folders as you recommended, and found none. I downloaded and ran Vundofix as per the tutorial, and it did not find anything. I clicked "Remove" and it told me there was nothing to remove, and closed. I am pasting the vundofix.txt below:


VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:45:14 PM 12/21/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


I will also note that while VundoFix was running, Symantec popped up a window to let me know that it had found and deleted Trojan.Metajuan. I didn't know if this had any relevance, but thought I would include it just in case. (I was not running in safe mode to run VundoFix, as the tutorial only instructed Safe mode if VundoFix did not clean infected files and I had to use VirtumundoBeGone.)

Next step? And thank you again so very much for your help and your time!


#7 quietman7


Posted 22 December 2007 - 07:28 AM

Trojan.Metajuan "is a Trojan horse that registers itself as a Browser Helper Object and may download potentially malicious files on to the compromised computer." Symantec deleted the file, but you still should perform a full system scan since this trojan could have downloaded other malware.

Follow up by performing an Online Virus Scan like BitDefender.
(These require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)

Also, your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older version Java components and update:
  • Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Let me know the results of your anti-virus scan and if you are having any further malware issues.

#8 quarri


Posted 22 December 2007 - 05:16 PM

I ran a full system Symantec scan and came up with nothing found at all. However, I started the BitDefender online scan and came back later to find that the scan was still running, but was scanning beyond my original files (in its countdown, at the beginning it stated it had scanned "5 out of 65k+ files" [can't remember exact number] and when I returned it stated it was scanning "67k+ of 65k+ files"). In the meantime, a Symantec window had popped up stating that it had detected hundreds of infections:
Adware.Purityscan, Terminate Process Required, Count 306, Filename A0000428.exe
Trojan.Metajuan, Deleted, Count 2, Filename A0000474.dll
Downloader.MisleadApp, Deleted, Count 2, Filename A0000431.dll
Trojan.Vundo, Deleted, Count 118, Filename A000430.dll
Trojan.Vundo, Deleted, Count 118, Filename A000427.dll

I stopped the BitDefender scan, but exported the report. It is below.

Should I repeat the earlier process with SuperAntiSpyware, SmitFraudFix, and Vundofix? I am afraid I made a large error and that I should have updated my Java before I did the BitDefender scan. I apologize for my inexperience; any advice you could give would be very welcome. Thank you so much!


BitDefender Online Scanner

Scan report generated at: Sat, Dec 22, 2007 - 15:59:27
Scan path: A:\;C:\;D:\;

Statistics
Time 00:49:42
Files 201918
Folders 7055
Boot Sectors 3
Archives 9510
Packed Files 10588

Results
Identified Viruses 5
Infected Files 15
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 29

Engines Info
Virus Definitions 883959
Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins 14
Archive plugins 38
Unpack plugins 7
E-mail plugins 6
System plugins 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes




Scanned File / Status

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480000\47DE04AB.VBN=>(Quarantine-PE)
    Infected with: Trojan.Downloader.Agent.YLO
    Disinfection failed
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480001\47DE04D5.VBN=>(Quarantine-PE)
    Infected with: Trojan.Downloader.Agent.YLO
    Disinfection failed
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0000\476C67CB.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0002
    Infected with: Trojan.Downloader.Purityscan.EN
    Disinfection failed
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\022C0000\476C67CB.VBN=>(Quarantine-PE)=>(NSIS o)
    Update failed

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0000.VBN=>(Quarantine-PE)
    Infected with: Trojan.Zlob.JH
    Disinfection failed
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0001.VBN=>(Quarantine-PE)
    Infected with: Trojan.Zlob.JH
    Disinfection failed
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE00000\4FEF7026.VBN=>(Quarantine-PE)
    Infected with: Trojan.PurityScan.DM
    Disinfection failed
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE40000\4EFF64CE.VBN=>(Quarantine-PE)
    Infected with: Trojan.Downloader.Agent.YLO
    Disinfection failed
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE40001\4EFF64FC.VBN=>(Quarantine-PE)
    Infected with: Trojan.Downloader.Agent.YLO
    Disinfection failed
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DCC0000\4FDC316E.VBN=>(Quarantine-PE)
    Infected with: Trojan.Downloader.Agent.YLO
    Disinfection failed
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580000\4F7F46E9.VBN=>(Quarantine-PE)
    Infected with: Trojan.Downloader.Agent.YWO
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580001\4F7F46F6.VBN=>(Quarantine-PE)
    Infected with: Trojan.Downloader.Agent.YWO
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580002\4F7F48D0.VBN=>(Quarantine-PE)
    Infected with: Trojan.Downloader.Agent.YWO
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580003\4F7F48DF.VBN=>(Quarantine-PE)
    Infected with: Trojan.Downloader.Agent.YWO
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FAC0000\4FFE362F.VBN=>(Quarantine-PE)
    Infected with: Trojan.Downloader.Agent.YLO
    Disinfection failed
    Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FAC0001\4FFE3683.VBN=>(Quarantine-PE)
    Infected with: Trojan.Downloader.Agent.YLO
    Disinfection failed
    Deleted

#9 boopme


Posted 22 December 2007 - 08:56 PM

Update the Java (remove old first) and rescan with the How To Remove Vundo/Winfixer Infection. It contains SmitFraudFix and Super; if you still see remaining Vundo, use the VirtumundoBeGone Fix in the Vundo Tutorial.

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

#10 quarri


Posted 23 December 2007 - 01:13 AM

I am going out of town for the holidays tomorrow morning, and not knowing what to do I went ahead and ran SmitfraudFix and SuperAntiSpyware again late this afternoon. Results are pasted below. I checked online and found your reply; I have updated the Java as directed, and run Vundofix, which did not find anything. Below are the scan logs from this round of Smitfraud, SuperAntiSpyware, and VundoFix (in 2 replies).


Smitfraud search results:

SmitFraudFix v2.274

Scan done at 19:35:00.04, Sat 12/22/2007
Run from C:\Documents and Settings\Terri Jordan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Terri Jordan


C:\Documents and Settings\Terri Jordan\Application Data


Start Menu


C:\DOCUME~1\TERRIJ~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"Startup"="MCPSystemStartup"


Rustock



DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.105.28.11
DNS Server Search Order: 68.105.29.11
DNS Server Search Order: 68.105.28.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{ADBF0631-2600-4301-B569-BCC3EF0C23BC}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{ADBF0631-2600-4301-B569-BCC3EF0C23BC}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{ADBF0631-2600-4301-B569-BCC3EF0C23BC}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12


Scanning for wininet.dll infection


End


Smitfraud Post-Cleaning Report:

SmitFraudFix v2.274

Scan done at 19:38:23.04, Sat 12/22/2007
Run from C:\Documents and Settings\Terri Jordan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix.exe by S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{ADBF0631-2600-4301-B569-BCC3EF0C23BC}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{ADBF0631-2600-4301-B569-BCC3EF0C23BC}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{ADBF0631-2600-4301-B569-BCC3EF0C23BC}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"Startup"="MCPSystemStartup"


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#11 quarri (Topic Starter, Members, 10 posts)

Posted 23 December 2007 - 01:23 AM

(continued from above) SuperAntiSpyware Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/22/2007 at 11:02 PM

Application Version : 3.9.1008

Core Rules Database Version : 3364
Trace Rules Database Version: 1363

Scan type : Complete Scan
Total Scan Time : 03:18:41

Memory items scanned : 171
Memory threats detected : 0
Registry items scanned : 5775
Registry threats detected : 0
File items scanned : 64086
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Terri Jordan\Cookies\terri_jordan@atdmt[1].txt


The VundoFix log does not appear to have saved over the older version (it still cites the Java version I have as 1.4.2.3, though I have installed version 1.6.0.30, which shows up in my Add/Remove programs panel) but it found nothing at all, not a single thing when I ran it. I haven't run a full Symantec scan or an online virus scan, but I will try to do this in the morning before I leave. (My computer is a desktop, not a laptop, so I unfortunately can't take it with me.)

Thanks so much again, boopme and quietman7, for your help and your time. What is the next step I should take as soon as I can?

(And have a great holiday!)


#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,141 posts, Virginia, USA)

Posted 23 December 2007 - 06:20 AM

No need to panic.

The files identified by BitDefender are those being held in Symantec's quarantine folder. When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "False Positive". If that is the case, then you can restore the file. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the file in the vault is known to be bad, you can delete it at any time. However, when these files are left in quarantine, other scanning programs and security tools may flag them while in the quarantined area, which has happened in your case. Although BitDefender's disinfection failed, the files were successfully deleted. You can launch your anti-virus and delete any remaining quarantined files.

The infected RP***\A0000**** file(s) identified by Symantec are in the System Volume Information folder (SVI), which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

An example would look like this:
C:\System Volume Information\_restore{BDD09937-603A-46A5-9C72-8348BB141FD8}\RP4\A0000474.DLL -> Trojan.Metajuan
C:\System Volume Information\_restore{FD41502D-8068-4B59-AA5E-6EAA70E5F109}\RP10\A0000430.DLL -> Adware.Virtumonde
C:\System Volume Information\_restore{56150063-41FB-403C-81D5-1AD5B4BF7FEA}\RP16\A0000428.EXE -> Adware.Purityscan

Keep in mind that System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the System Volume Information folder (System Restore points) but the anti-virus software was unable to remove it. Since the System Volume Information folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To fix this, you need to Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.

When you updated your Java, did you remove all older previous versions?

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
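A scripted version of the "create a new restore point, then get rid of the old ones" step described in the post above, as an added example that is not part of the original thread and not a BleepingComputer tool. It uses the SystemRestore WMI class in the root\default namespace, which exists on Windows XP and later; it assumes an Administrator account, and the drive letter C:\ and the restore-point description are assumptions. On XP it needs PowerShell 1.0 installed (the same WMI calls work unchanged from VBScript). It differs from the Disk Cleanup route in one respect, stated in the code: WMI has no way to delete a single XP restore point, so the -Purge switch disables and re-enables System Restore on the drive, which discards every existing point, and then creates a fresh clean one.

```powershell
# Added example (not from the thread): rebuild System Restore so that only a
# clean restore point remains after malware removal.
# Assumptions: Windows XP or later with the root\default SystemRestore WMI
# class, run as Administrator. Drive letter and description are assumed values.
param(
    [string]$Drive       = "C:\",
    [string]$Description = "Clean point after malware removal",
    [switch]$Purge       # wipe existing points; without it, only list and create
)

$sr = [wmiclass]"\\.\root\default:SystemRestore"

function Get-RestorePoints {
    # Each SystemRestore instance is one restore point on the system.
    Get-WmiObject -Namespace root\default -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description, CreationTime
}

Write-Host "Restore points before:"
Get-RestorePoints | Format-Table -AutoSize

if ($Purge) {
    # WMI cannot delete one XP restore point; Disk Cleanup's "More Options"
    # tab is the GUI route for keeping only the most recent. Disabling and
    # re-enabling System Restore on the drive discards every existing point,
    # including the most recent one, so only do this once the final scans
    # have come back clean.
    $rc = $sr.Disable($Drive).ReturnValue
    if ($rc -ne 0) { throw "Disable failed with return code $rc" }
    $rc = $sr.Enable($Drive, $true).ReturnValue
    if ($rc -ne 0) { throw "Enable failed with return code $rc" }
}

# RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE
$rc = $sr.CreateRestorePoint($Description, 0, 100).ReturnValue
if ($rc -ne 0) { throw "CreateRestorePoint failed with return code $rc" }

Write-Host "Restore points after:"
Get-RestorePoints | Format-Table -AutoSize

# Check: the newest point on disk must be the one just created. If it is not,
# the system has nothing it can safely roll back to and the run should fail loudly.
$newest = Get-RestorePoints | Select-Object -Last 1
if ($newest.Description -ne $Description) {
    throw "Newest restore point is '$($newest.Description)', expected '$Description'"
}
```

Run it once without -Purge to see what is currently on disk and to confirm that creating a point works; add -Purge only after the final Symantec and Spybot scans are clean, because the old points are gone once it runs. On Windows 8 and later, CreateRestorePoint is throttled to one point per 24 hours by default and can return 0 without creating anything; the final check at the end is there to catch exactly that case.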

#13 quarri (Topic Starter, Members, 10 posts)

Posted 23 December 2007 - 11:20 AM

Yep! I did. When we ran VundoFix again this morning, it didn't pop up with any Java messages, so I am assuming that it updated properly....


VundoFix V6.7.7

Checking Java version...

Scan started at 9:46:29 AM 12/23/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

It didn't find anything at all, again. We are getting ready to walk out the door to visit family, but I will run another full scan and create a new restore point when we return. Thanks so much again for your help, and I will post again with results when we get back.

#14 quietman7 (Bleepin' Janitor, Global Moderator, 51,141 posts, Virginia, USA)

Posted 23 December 2007 - 10:34 PM

Yes, VundoFix is now showing the current version. Let me know if you're having any further problems.

#15 quarri (Topic Starter, Members, 10 posts)

Posted 27 December 2007 - 10:53 PM

Just got back and ran full scans with Symantec and Spybot. Everything came up spotless, with nothing at all found. I'd like to run BitDefender, but I am concerned because I seem to have gotten reinfected the last time I tried to run it, though that was before I had updated my Java. Everything had come up clean on the earlier Symantec and VundoFix scans, until my previous attempt at running BitDefender through IE (I usually use Firefox), when Symantec began to find Purityscan again in alarmingly high numbers, as described earlier.

I understand about the quarantine/file deletion process (Symantec had been notifying me for some time that A) those files were in quarantine, and B) it was unable to delete them, so was leaving them quarantined). Is there anything else that I can do aside from updating my Java to help ensure that I don't get any reinfection if I run anything else through IE?

Also, since the scans came back clean, is my computer good to go? Or is there anything else you recommend I should download/run to make sure everything is really clean before creating a new restore point?

Sorry for the continued questions. I'd just like to make sure that I don't have to bother you guys again :thumbsup: Again, thank you.

Edited by quarri, 27 December 2007 - 10:53 PM.