
Adware.purityscan Among Others...


  • This topic is locked This topic is locked
4 replies to this topic

#1 Dersu

  • Members
  • 3 posts

Posted 17 July 2006 - 02:33 AM

Started out with Spywarequake and has gone downhill ever since.

I no longer get hits on Adware or Spybot, but Ewido had a number of hits; the most serious/persistent of which was purityscan. I've pasted the Ewido scan log prior to the HJT log. Ewido would not delete or quarantine purityscan. McAfee Stinger came up with nada.

Symptoms are slowdown, redirecting of IE (not that I use it) and a recurring Windows warning that ActiveX controls are not allowed on this site--although I will not have a browser window open.

HJT log follows this ewido scan report:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:05:21 AM 7/17/2006

+ Scan result:

C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__p_i_n_g_._d_l_l_ -> Adware.PurityScan : Cleaned with backup (quarantined).
[1036] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1048] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1212] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1236] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1304] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1344] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1392] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1472] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1516] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1620] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1740] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1812] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1844] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[2024] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[2412] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[256] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[3164] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[3172] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[3216] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[3224] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[3280] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[3444] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[448] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[808] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[984] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Ignored.
C:\WINDOWS\system32\byxwvut.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xxwuv.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\components\flx5.dll -> Not-A-Virus.Hoax.Win32.Renos.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Standish\Cookies\standish@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\Standish\Cookies\standish@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Standish\Local Settings\Temporary Internet Files\Content.IE5\IZC1M9CX\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\Documents and Settings\Standish\Local Settings\Temporary Internet Files\Content.IE5\45CZM7EZ\srviuf[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\temp\winC5.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 3:08:54 AM, on 7/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\ltmsg.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Standish\Desktop\HijackThis.exe


Here is HJT

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138234494866
O20 - AppInit_DLLs: C:\WINDOWS\system32\ping.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks, and here's to hoping I'm not reinstalling Windows the rest of the day!
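The two reports in this post line up in a way worth checking mechanically: ewido reports the same DLL (ping.dll) in roughly two dozen process IDs with "Error during cleaning", and the HijackThis O20 line shows that DLL registered under AppInit_DLLs, which makes Windows load it into every process that loads user32.dll, so an on-demand cleaner finds it mapped everywhere it looks. The script below is an added example, not part of the thread and not code from ewido or HijackThis; it parses a few constructed lines in the shape of the two report formats quoted above, groups the uncleaned files by the PIDs they were found in, and flags those that also appear on an O20 AppInit_DLLs line. The helper names (parse_ewido, uncleaned_by_file, appinit_dlls, triage) are the example's own.

```python
"""Triage helper joining an ewido scan report with a HijackThis log.

Added example, not from the forum thread or from ewido/HijackThis.
"""
import re
from collections import defaultdict

# Constructed sample lines in the shape of the reports quoted in the post.
EWIDO_REPORT = r"""
C:\WINDOWS\system32\__delete_on_reboot__p_i_n_g_._d_l_l_ -> Adware.PurityScan : Cleaned with backup (quarantined).
[1036] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[1048] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
[256] C:\WINDOWS\system32\ping.dll -> Adware.PurityScan : Error during cleaning.
C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Ignored.
C:\WINDOWS\system32\byxwvut.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
"""

HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\ping.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# One ewido result line: optional "[pid] " prefix, path, "->", detection name,
# ":", action text, optional trailing period.
EWIDO_LINE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<path>.+?)\s+->\s+(?P<name>\S+)\s+:\s+(?P<action>.+?)\.?$"
)


def parse_ewido(text):
    """Return one dict per result line: pid (int or None), path, name, action."""
    hits = []
    for line in text.splitlines():
        m = EWIDO_LINE.match(line.strip())
        if not m:
            continue
        hits.append({
            "pid": int(m["pid"]) if m["pid"] else None,
            "path": m["path"],
            "name": m["name"],
            "action": m["action"],
        })
    return hits


def uncleaned_by_file(hits):
    """Map each file ewido failed to clean to the sorted PIDs it was loaded in."""
    pids = defaultdict(set)
    for h in hits:
        if h["action"].startswith("Error during cleaning") and h["pid"] is not None:
            pids[h["path"].lower()].add(h["pid"])
    return {path: sorted(p) for path, p in pids.items()}


def appinit_dlls(hjt_text):
    """Lower-cased paths listed on HijackThis O20 AppInit_DLLs lines."""
    dlls = []
    for line in hjt_text.splitlines():
        if line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            # Windows treats the registry value as space- or comma-separated.
            dlls.extend(p.lower() for p in re.split(r"[,\s]+", value) if p)
    return dlls


def triage(ewido_text, hjt_text):
    """For every file ewido could not clean: the PIDs it was mapped into and
    whether an AppInit_DLLs entry explains why it is in every process."""
    loaded = uncleaned_by_file(parse_ewido(ewido_text))
    injected = set(appinit_dlls(hjt_text))
    return {path: {"processes": pids, "appinit": path in injected}
            for path, pids in loaded.items()}


if __name__ == "__main__":
    for path, info in triage(EWIDO_REPORT, HJT_LOG).items():
        print(f"{path}: loaded in {len(info['processes'])} processes, "
              f"AppInit_DLLs={info['appinit']}")
```

Run against the full report, the output is a single line for ping.dll with the full PID list and AppInit_DLLs=True, which is the signal that the file must be dealt with before user32-dependent processes start (for instance from a boot-time or offline cleanup) rather than by repeating the on-demand scan.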


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Location:Pickerington, Ohio

Posted 19 July 2006 - 10:04 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Dersu
  • Topic Starter

  • Members
  • 3 posts

Posted 19 July 2006 - 11:04 AM

Hi Sam,

Thank you for taking the time to assist, but I formatted my c: drive and reinstalled my OS already. You all do great service and work though. Unfortunately, call me impatient.

If you don't mind I do have a question though:

On an infected computer, is it possible to have a contaminated My Documents or data on a separate partition (D: drive)? Before blasting away my C: drive I copied over My Documents to another computer as well as performed a routine backup of photos from the infected computer on D: to the backup computer.

I have yet to migrate My Docs back to the original C:. Can you recommend tests before doing so? Also, to make sure the other computer is not infected?

Thanks again!

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Location:Pickerington, Ohio

Posted 19 July 2006 - 01:25 PM

If it's data, photos, or files that you created yourself, then they are almost certainly clean. But if it's files that you downloaded off the net from an unknown source, then I would most definitely scan those files with a good antivirus program.

In most cases, infections are not found in My Documents.
========================================================

#5 Dersu
  • Topic Starter

  • Members
  • 3 posts

Posted 19 July 2006 - 01:49 PM

schweeet. Thank you, Sam.

I can migrate files now because "All your bases My Documents are belong to us"! :thumbsup:

Sorry, when I get excited I tell bad jokes.
