Author Topic: Win32:PurityScan-AF virus?? I need help once again  (Read 64156 times)


brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #15 on: June 26, 2007, 08:41:36 PM »
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176249475250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176249440859
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Super G Wireless Cardbus Service - Unknown owner - C:\Program Files\Airlink101\AWLC4030\WLService.exe


mauserme

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #16 on: June 27, 2007, 04:26:48 AM »
I'm going through the logs now.

Are you able to work on the computer or do we need to try and fix your desktop first?  Maybe there's another user account you can use for now.

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #17 on: June 27, 2007, 04:35:47 AM »
I restarted the computer this afternoon and my icons and everything reappeared.  I have yet for them to disappear.  However, every now and then I see like a thin line cut across the screen.  I am able to work off the computer right now though.

mauserme

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #18 on: June 27, 2007, 04:52:07 AM »
I'm breathing a little easier 8)

Give me some time with this - there are many files to remove. 

The last time you and I worked together was not so long ago.  That was a similar infection (Virtumondo with others that it downloaded).  This current infection looks like it started on 25 June, but I'm wondering if you had any symptoms between your last thread and this one.

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #19 on: June 27, 2007, 05:06:43 AM »
Thanks again!  I had not noticed anything until the avast showed the trojan alert.  That's when my computer began working slower.  The only other thing I noticed before the trojan alert was that I believe it's msn messenger popped up once or twice and began to install, although I hit cancel so it would never finish installing.

mauserme

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #20 on: June 27, 2007, 06:21:16 AM »
The avast! logs and file creation dates in combofix agree on 25 June.  Just making sure I didn't miss anything the first time.

Download OTMoveIt  by OldTimer.  Save it to your desktop but don't use it yet.


Open HijackThis and click to Do a System Scan Only.  Then place a check mark next to these lines

O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"

O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab


Close all other windows, including your browser, and click Fix Checked.


Close HijackThis and double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\xxyayww.dll
C:\WINDOWS\system32\efccyab.dll
C:\WINDOWS\system32\pmnonnk.dll
C:\WINDOWS\system32\tuvtqpm.dll
C:\WINDOWS\acdt68.exe
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\ddccb.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
C:\Program Files\Outerinfo\Outerinfo.exe
C:\Program Files\Outerinfo\OuterinfoUpdate.exe
C:\WINDOWS\system32\vtuspol.dll
C:\WINDOWS\system32\ddccb.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Now open Add/Remove Programs in the Control Panel and uninstall any of the following you find there

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga



Then run a complete system scan with the free version of SuperAntiSpyware and save, then post, the log along with a fresh HJT log

http://www.superantispyware.com/



Finally, submit this file to Virus Total and post the scan results

C:\Program Files\Messenger\meqot43855.dll
« Last Edit: June 27, 2007, 06:26:38 AM by mauserme »
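As an added illustration of what the helper is doing by hand in the post above (not code from the thread, from HijackThis or from OTMoveIt), the script below parses HijackThis v1.99 log lines and flags the same kinds of entries the removal instructions target: hooks whose file is missing, an unnamed BHO, an autorun entry that loads a DLL through rundll32, and a Winlogon Notify hook given only as a bare DLL name. It also cross-checks the OTMoveIt move list against a fresh log to show which moved files are still referenced (as vtuspol.dll is in the later O20 line). The sample lines and the move list are taken from the logs and instructions in this thread; the function names and the flagging rules are this example's own choices.

```python
"""HijackThis log triage (added example, not a HijackThis or OTMoveIt tool).

flag_line() applies a few defender-side heuristics to one log line;
still_referenced() checks a fresh log against the list of files that
OTMoveIt was asked to move, so an analyst can see which orphaned hooks remain.
"""
import re

# Matches "O4 - HKLM\..\Run: ..." style lines; R0/R1 lines are matched too.
HJT_LINE = re.compile(r"^(?P<section>O\d+|R\d) - (?P<body>.*)$")

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\mtgafqjo.dll",
    r"O2 - BHO: (no name) - {81DD6C8F-EA28-4CFF-A56A-5BD9A8F1D1FD} - (no file)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r'O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\dobypqqc.dll",forkonce',
    r"O20 - Winlogon Notify: vtuspol - vtuspol.dll (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\tcbbsjha.exe (file missing)",
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe",
]

# Subset of the OTMoveIt list from the instructions above (constructed for the example).
MOVE_LIST = [
    r"C:\WINDOWS\system32\vtuspol.dll",
    r"C:\WINDOWS\system32\ddccb.dll",
    r"C:\Program Files\Outerinfo\Outerinfo.exe",
]


def flag_line(line):
    """Return the reasons this line deserves a look; an empty list means nothing notable."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    # A hook whose target is gone is either leftover from a removal or an orphaned loader.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("target file missing: orphaned hook or already-removed file")
    # Legitimate BHOs almost always register a display name.
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    # Autorun entries that hand a DLL to rundll32 are worth verifying.
    if section == "O4" and re.search(r"\brundll32(\.exe)?\b", body, re.I):
        reasons.append("autorun entry loads a DLL through rundll32")
    # Winlogon Notify hooks normally point at a full path, not a bare DLL name.
    if section == "O20":
        target = body.split(" - ", 1)[1] if " - " in body else ""
        if "\\" not in target:
            reasons.append("Winlogon Notify hook given as a bare DLL name")
    return reasons


def still_referenced(log_lines, moved_paths):
    """Map each moved file's basename to the log lines that still mention it."""
    hits = {}
    for path in moved_paths:
        name = path.rsplit("\\", 1)[-1].lower()
        matches = [ln for ln in log_lines if name in ln.lower()]
        if matches:
            hits[name] = matches
    return hits


def triage(log_text, moved_paths=()):
    """Run both checks over a whole log; returns flagged lines and lingering references."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    flagged = {}
    for ln in lines:
        reasons = flag_line(ln)
        if reasons:
            flagged[ln] = reasons
    return {"flagged": flagged, "still_referenced": still_referenced(lines, moved_paths)}


if __name__ == "__main__":
    report = triage("\n".join(SAMPLE_LINES), MOVE_LIST)
    for line, reasons in report["flagged"].items():
        print(line)
        for r in reasons:
            print("    ->", r)
    for name, lines in report["still_referenced"].items():
        print(f"{name} still referenced by {len(lines)} line(s)")
```

On the sample above the script flags five of the eight lines and reports that vtuspol.dll is still referenced by the O20 hook even though the file itself is gone, which is exactly the kind of leftover the follow-up HijackThis log is meant to reveal.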

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #21 on: June 27, 2007, 07:16:25 AM »
I did the system scan and clicked Fix Checked after check-marking those lines you told me to.  I then proceeded to OTMoveIt and moved the files you told me to.  However, about this time the AVG AntiSpyware told me I had a trojan, so I clicked ignore to finish up with the OTMoveIt.  This is when the OTMoveIt told me to reboot my system.  I did that, and then once the computer began to restart my avast showed it found a trojan.  I'm unsure how to go back and get the results from the OTMoveIt.  Should I just continue and run the HijackThis, or will I have to redo everything again so that I can get the results from the OTMoveIt?

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #22 on: June 27, 2007, 07:30:59 AM »
Also, when the AVG went up with that trojan warning it asked if it should quarantine, which I clicked yes.  It then told me I need to reboot to finish cleaning up the file; should I do that?  I have yet to look for and uninstall the programs you told me to in the Control Panel.

mauserme

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #23 on: June 27, 2007, 01:19:52 PM »
...  It then told me I need to reboot to finish cleaning up the file; should I do that?  I have yet to look for and uninstall the programs you told me to in the Control Panel.
Yes, do both of the above.

Then try to move all the same files with OTMoveIt as before, and post the results.  Don't worry if most of them are not found now.

I still need the Virus Total results for

C:\Program Files\Messenger\meqot43855.dll

and then I would also like new ComboFix and HJT logs (in that order).


EDIT:  Post the contents of the AVG quarantine too.
« Last Edit: June 27, 2007, 01:35:44 PM by mauserme »

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #24 on: June 27, 2007, 09:33:13 PM »
When I have the files moved, (using OTMoveIt) it tells me to reboot, however it does not allow me to make a copy of the results.

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #25 on: June 27, 2007, 09:35:18 PM »
File/Folder C:\WINDOWS\system32\xxyayww.dll not found.
File/Folder C:\WINDOWS\system32\efccyab.dll not found.
File/Folder C:\WINDOWS\system32\pmnonnk.dll not found.
File/Folder C:\WINDOWS\system32\tuvtqpm.dll not found.
File/Folder C:\WINDOWS\acdt68.exe not found.
File/Folder C:\WINDOWS\system32\bccdd.bak1 not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\ddccb.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ddccb.dll scheduled to be moved on reboot.
File/Folder C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap not found.
File/Folder C:\Program Files\Outerinfo\Outerinfo.exe not found.
File/Folder C:\Program Files\Outerinfo\OuterinfoUpdate.exe not found.
File/Folder C:\WINDOWS\system32\vtuspol.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\ddccb.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ddccb.dll scheduled to be moved on reboot.
 
Created on 06-27-2007 14:34:34

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #26 on: June 27, 2007, 10:57:02 PM »
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/27/2007 at 03:53 PM

Application Version : 3.8.1002

Core Rules Database Version : 3258
Trace Rules Database Version: 1269

Scan type       : Complete Scan
Total Scan Time : 00:48:32

Memory items scanned      : 482
Memory threats detected   : 1
Registry items scanned    : 5743
Registry threats detected : 14
File items scanned        : 24902
File threats detected     : 68

Trojan.WinFixer
   C:\WINDOWS\SYSTEM32\DDCCB.DLL
   C:\WINDOWS\SYSTEM32\DDCCB.DLL
   HKLM\Software\Classes\CLSID\{81DD6C8F-EA28-4CFF-A56A-5BD9A8F1D1FD}
   HKCR\CLSID\{81DD6C8F-EA28-4CFF-A56A-5BD9A8F1D1FD}
   HKCR\CLSID\{81DD6C8F-EA28-4CFF-A56A-5BD9A8F1D1FD}\InprocServer32
   HKCR\CLSID\{81DD6C8F-EA28-4CFF-A56A-5BD9A8F1D1FD}\InprocServer32#ThreadingModel
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81DD6C8F-EA28-4CFF-A56A-5BD9A8F1D1FD}
   Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ddccb

Unclassified.Unknown Origin
   HKLM\Software\Classes\CLSID\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}
   HKCR\CLSID\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}
   HKCR\CLSID\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}
   HKCR\CLSID\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}\InProcServer32
   HKCR\CLSID\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}\InProcServer32#ThreadingModel
   C:\PROGRAM FILES\MESSENGER\MEQOT43855.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}

Adware.Tracking Cookie
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@viamtvcom.112.2o7[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@2o7[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@atdmt[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adopt.specificclick[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@bs.serving-sys[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@tacoda[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@112.2o7[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@metacafe.122.2o7[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@serving-sys[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adinterax[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@2.adbrite[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@hitbox[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ehg-viacom.hitbox[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@fastclick[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@tribalfusion[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@advertising[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@edge.ru4[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@burstnet[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ad.xplusone[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@doubleclick[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@specificclick[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@mediaplex[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.pointroll[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@www.burstnet[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@imedia.foxsports[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adopt.euroclick[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.cnn[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@image.masterstats[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adserving.cpxinteractive[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adlegend[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.cluster01.oasis.zmh.zope[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@zedo[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@questionmarket[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@media.mtvnservices[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@toplist[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ad[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.gametap[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@overture[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@cgi-bin[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@realmedia[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.k8l[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@adbrite[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@trafficmp[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@perf.overture[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@anad.tacoda[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@revsci[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@anat.tacoda[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@track.searchignite[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@data4.perf.overture[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@msnportal.112.2o7[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@atwola[2].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@cbs.112.2o7[1].txt
   C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@pointroll[1].txt

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #27 on: June 27, 2007, 10:57:51 PM »
Adware.ClickSpring/Outer Info Network
   HKLM\Software\Outerinfo
   HKLM\Software\Outerinfo#InstallDirectory
   C:\Documents and Settings\Brenda Mayorga\Start Menu\Programs\Outerinfo\Terms.lnk
   C:\Documents and Settings\Brenda Mayorga\Start Menu\Programs\Outerinfo\Uninstall.lnk
   C:\Documents and Settings\Brenda Mayorga\Start Menu\Programs\Outerinfo

Adware.RAC
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP220\A0044438.EXE

Adware.eZula
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP222\A0044669.EXE

Trojan.Downloader-Gen/HitItQuitIt
   C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\EFCCYAB.DLL
   C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\PMNONNK.DLL
   C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\TUVTQPM.DLL
   C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\XXYAYWW.DLL

Trace.Known Threat Sources
   C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\6T78XCR6\tob_snd_20070616[1]
   C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\JJ1RJTOS\adfcook[1]
   C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\LBCRWB6D\_affvm[2]
   C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\PKO7T5KT\_jnvm[1]

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #28 on: June 27, 2007, 11:27:37 PM »
Logfile of HijackThis v1.99.1
Scan saved at 4:26, on 2007-06-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Airlink101\AWLC4030\WLService.exe
C:\Program Files\Airlink101\AWLC4030\WLanCfgAG.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

brenda31

  • Guest
Re: Win32:PurityScan-AF virus?? I need help once again
« Reply #29 on: June 27, 2007, 11:28:29 PM »
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\mtgafqjo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {81DD6C8F-EA28-4CFF-A56A-5BD9A8F1D1FD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\dobypqqc.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176249475250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176249440859
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuspol - vtuspol.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\tcbbsjha.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Super G Wireless Cardbus Service - Unknown owner - C:\Program Files\Airlink101\AWLC4030\WLService.exe