Author Topic: Win32:PurityScan-AF virus?? I need help once again  (Read 63782 times)


brenda31

  • Guest
Win32:PurityScan-AF virus?? I need help once again
« on: June 26, 2007, 03:29:05 AM »
My avast has detected Win32:VB-TGS [Trj] and Win32:PurityScan-AF. I attempt to move them to the chest; however, I continue to get

C:\DOCUME~BRENDA~1\LOCALS~1\TEMP\snapset.exe
Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item.

This is my avast log. Please help me.
2007-06-25 7:27   SYSTEM   2036   Sign of "Win32:VB-TGS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\snapsnet.exe" file. 
2007-06-25 7:32   SYSTEM   2036   Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Outerinfo\OinFP.exe\[UPX]" file. 
2007-06-25 7:32   SYSTEM   2036   Sign of "Win32:Mirar-B [Adw]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\NNBar_VCSetup_876919_LOG_IES_NoDMY_AFF.exe" file. 
2007-06-25 7:33   SYSTEM   2036   Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Outerinfo\Outerinfo.dll" file. 
2007-06-25 7:35   SYSTEM   2036   Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Outerinfo\OinFP.exe\[UPX]" file. 
2007-06-25 7:38   SYSTEM   2036   Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Outerinfo\OinFP.exe\[UPX]" file. 

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #1 on: June 26, 2007, 03:39:18 AM »
In addition, when I attempt to move to the avast chest I get

avast!:  The system cannot find the file specified.
Cannot process "C:\Program Files\Outerinfo\OinFP.exe\[UPX]"

as well as a second box that says

C:\DOCUMEN~1BRENDA~\LOCALS~1\Temp\wr-1-2000219.exe
Windows cannot find 'C:\DOCUMEN~1BRENDA~\LOCALS~1\Temp\wr-1-2000219.exe'.  Make sure you typed the new name correctly, and then try again.  To search for a file, click the Start button, and then click Search.

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #2 on: June 26, 2007, 03:56:09 AM »
Sorry for so many posts, but I'm also getting

C:\Document and Settings\Brenda M\Local Settings\Temp\adkseimop43855.exenb5.tmp
File could not be created.

C:\Document and Settings\Brenda M\Local Settings\Temp\adkseimop43855.exenb5.tmp
File could not be decompressed.

Error
There was an error while unpacking files.  Not all files have been unpacked.

mauserme

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #3 on: June 26, 2007, 04:49:23 AM »
First download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #4 on: June 26, 2007, 06:18:02 AM »
Logfile of HijackThis v1.99.1
Scan saved at 10:53, on 2007-06-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Airlink101\AWLC4030\WLService.exe
C:\Program Files\Airlink101\AWLC4030\WLanCfgAG.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\Outerinfo-1281.exe
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\OinADInst.exe
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\wr-1-2000219.exe
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\Outerinfo-1281.exe
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\Outerinfo-1281.exe
C:\Documents and Settings\Brenda Mayorga\Local Settings\Temp\adkseimop43855.exe
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\OinADInst.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\6T78XCR6\aswclnr[1].exe
C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\6T78XCR6\aswclnr[1].tmp
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #5 on: June 26, 2007, 06:19:06 AM »
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176249475250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176249440859
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Super G Wireless Cardbus Service - Unknown owner - C:\Program Files\Airlink101\AWLC4030\WLService.exe

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #6 on: June 26, 2007, 06:55:32 AM »
Windows Defender says I have
Trojan:Win32:Deskwizz
Trojan:Win32:Virtumonde.M
Spyware:Win32/MediaTicketsCDT
Adware:Win32/Mirar.gen.A
Adware:Win32/Mirar.gen.C

I have quarantined them, but my computer is running slow.


brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #7 on: June 26, 2007, 07:42:53 AM »
ComboFix 07-06-18.2 - C:\Documents and Settings\Brenda Mayorga\Desktop\ComboFix.exe
"Brenda Mayorga" - 2007-06-26  0:18:34 - Service Pack 2  NTFS 


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\outerinfo
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf


(((((((((((((((((((((((((   Files Created from 2007-05-26 to 2007-06-26  )))))))))))))))))))))))))))))))


2007-06-26 00:01   43,064   --a------   C:\WINDOWS\acdt68.exe
2007-06-25 23:25   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-25 20:40   31,254   --a------   C:\WINDOWS\system32\xxyayww.dll
2007-06-25 19:47   6,409   ---hs----   C:\WINDOWS\system32\bccdd.bak1
2007-06-25 19:40   266,336   --a------   C:\WINDOWS\system32\ddccb.dll
2007-06-25 19:33   31,254   --a------   C:\WINDOWS\system32\tuvtqpm.dll
2007-06-25 19:33   31,254   --a------   C:\WINDOWS\system32\efccyab.dll
2007-06-25 19:28   31,254   --a------   C:\WINDOWS\system32\pmnonnk.dll
2007-06-25 00:45   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-06-21 00:37   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-19 23:58   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2007-06-19 23:58   <DIR>   d--------   C:\DOCUME~1\BRENDA~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-19 23:58   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-17 00:14   0   -rahs----   C:\MSDOS.SYS
2007-06-17 00:14   0   -rahs----   C:\IO.SYS
2007-06-15 23:45   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-15 23:29   <DIR>   d--------   C:\Program Files\Yahoo!
2007-06-14 13:01   <DIR>   d--------   C:\DOCUME~1\BRENDA~1\APPLIC~1\Snapfish
2007-06-13 16:24   <DIR>   d--------   C:\DOCUME~1\BRENDA~1\APPLIC~1\IMVU


brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #8 on: June 26, 2007, 07:44:00 AM »
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 05:04:56   --------   d-----w   C:\Program Files\Messenger
2007-06-20 04:57:18   --------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2007-06-09 05:52:17   --------   d-----w   C:\DOCUME~1\BRENDA~1\APPLIC~1\AdobeUM
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-05-14 22:17:57   --------   d-----w   C:\DOCUME~1\BRENDA~1\APPLIC~1\Viewpoint
2007-05-09 12:14:32   --------   d-----w   C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll
2007-04-17 03:44:20   271,224   ----a-w   C:\WINDOWS\system32\mucltui.dll
2007-04-17 03:44:18   208,248   ----a-w   C:\WINDOWS\system32\muweb.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 16:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:33]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{E8497736-90B2-4E1A-B930-2CC058FDECBB}=C:\WINDOWS\system32\ddccb.dll [2007-06-25 19:40]
{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}=C:\Program Files\Messenger\meqot43855.dll [2007-06-14 06:54]

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #9 on: June 26, 2007, 07:44:58 AM »
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 12:00]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 17:11]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 18:04]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 16:01]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 15:54]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 11:28]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-29 08:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]
"Outerinfo"="C:\Program Files\Outerinfo\Outerinfo.exe" []
"OuterinfoUpdate"="C:\Program Files\Outerinfo\OuterinfoUpdate.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]
"{DC192567-65F9-4AB6-ADB7-E13575F81726}"="C:\WINDOWS\system32\vtuspol.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccb]
C:\WINDOWS\system32\ddccb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuspol]
vtuspol.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

*Newly Created Service* - GTNDIS5

Contents of the 'Scheduled Tasks' folder
2007-05-14 12:29:00  C:\WINDOWS\tasks\Easy Internet Sign-up.job
2007-06-26 05:08:40  C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 00:31:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #10 on: June 26, 2007, 07:57:25 AM »
My icons on my desktop have disappeared and my start up menu has also disappeared.   :'(

mauserme

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #11 on: June 26, 2007, 02:01:35 PM »
Did this happen immediately after ComboFix, or was it some time after?

Is it possible to post a HJT log from after the ComboFix run? 

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #12 on: June 26, 2007, 07:19:48 PM »
I might need to restart the computer to do that.  Is it safe to do that?

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #13 on: June 26, 2007, 07:25:26 PM »
I had made the mistake of doing HijackThis first and then ComboFix. I noticed that the icons on the desktop and the start-up menu disappeared when I was doing the ComboFix run. I'm not sure if they disappeared right after HijackThis.

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #14 on: June 26, 2007, 08:40:46 PM »
Here is the HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 1:31, on 2007-06-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Airlink101\AWLC4030\WLService.exe
C:\Program Files\Airlink101\AWLC4030\WLanCfgAG.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\cmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com