Solved

Varmint loose and can't catch

Posted on 2004-10-08
Last Modified: 2013-12-04
#@_!xxx Popups. I spyboted ad awared and nortoned.
Norton reports: C:\WINNT\system32\WNSPOO~1.EXE
adware.purityscan. It can not delete it.
The only strange task manager file is
wVnspool.exe.
Searched and no can find.
SystemInternals shows file named w?nspool.exe
can't find it either.
I can kill wVnspool.exe but it reappears when ie6 is opened or page changes.
I cleaned the HKLM...run. Changed misc registry. One of them made
every site a trusted site HKCU...Internet Settings/Protocoldefaults/http

Any thoughts??
0
Question by:jb784
16 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12258334
Hello jb784 =)

Very first thing,,,,, run all those scans in SAFEMODE coz in normal mode those processes will be running and cannot be deleted easily !!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12258344
Second thing,,, Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)

After hijackthis fixing, make sure u have the following tools handy with u !!
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

Then run them in safemode along with norton to delete everything they detect !!
if u can find the infected files on ur hard drive, delete them manually !!
run Disk Cleanup on ur hard drive to delete the temp and temp internet files !!

Now reboot back in normal mode to check for the problems !!
Good Luck :)
0
 

Author Comment

by:jb784
ID: 12258354
Yep was in safe mode.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12258402
>> It can not delete it.

may be some permission problem on the file :-/
Have u followed the manual removal instructions here >> http://sarc.com/avcenter/venc/data/adware.purityscan.html
Also dont forget to run Stinger in safemode with other tools !!
0
 

Author Comment

by:jb784
ID: 12258485
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12258535
search ur hard drive for "nspool"
check what it finds ??
0
 
LVL 3

Expert Comment

by:onesquin
ID: 12258590
Did you check show hidden files and folders and uncheck hide system files and folders?
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 12258622
R3 - Default URLSearchHook is missing
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} -C:\WINNT\system32\mspxs32.dll (file missing)
O2 - BHO: (no name) - {6FAF647C-B134-7996-D356-125578F42A4A} -C:\WINNT\system32\eubyn.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (nofile)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (nofile)
O16 - DPF: {10000000-1000-0000-1000-000000000000} -ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//colin/main.chm::/load.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=1d6ddb8ab613b247b304d42096c8efd7b5a6d92d0b257d741d007e58b6bee12ee6a04096977d18a1ea6cf81af6152686c5ee31c6:5505c90b877c63a0dcbb0ca5764d0b15
============================

btw these are the entries in log, which are required to be fixed !!
but let me know the results of the above file search first :-?
0
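
A triage pass over HijackThis lines of the kind listed in the accepted answer, as an added example that is not part of the original thread. The flagging rules and the sample log are constructed for illustration and are not the logic of HijackThis or of the hijackthis.de analyser; a flag only marks an entry to research before fixing it.

```python
import re

# Section codes limited to those that appear in the thread's log.
SECTIONS = {
    "R3": "URLSearchHook",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O16": "ActiveX download (DPF)",
}
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def triage_line(line):
    """Parse one HijackThis line; return None if it is not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, low = m.group("code"), m.group("body").lower()
    clsid = CLSID_RE.search(m.group("body"))
    reasons = []  # assumed heuristics, not HijackThis's own verdicts
    if "(file missing)" in low or "(nofile)" in low:
        reasons.append("orphaned: registered file is gone")
    if "(no name)" in low:
        reasons.append("component registered without a name")
    if code == "O16" and re.search(r"ms-its:|mhtml:|\.exe\b", low):
        reasons.append("DPF source uses a help-file protocol or an .exe")
    if code == "R3" and "missing" in low:
        reasons.append("default search hook missing")
    return {"code": code, "section": SECTIONS.get(code, "unknown"),
            "clsid": clsid.group(0) if clsid else None, "reasons": reasons}

def triage(log_text):
    """Return only the entries that at least one heuristic flagged."""
    entries = (triage_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and e["reasons"]]

# Constructed sample log: CLSIDs, paths and host are placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINNT\system32\example.dll
O2 - BHO: Helper - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINNT\system32\gone.dll (file missing)
O3 - Toolbar: (no name) - {12345678-1234-1234-1234-1234567890AB} - (nofile)
O4 - HKLM\..\Run: [Updater] C:\Program Files\Vendor\update.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\X.MHT!http://example.invalid/a.chm::/load.exe
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["code"], entry["clsid"], "; ".join(entry["reasons"]))
```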

 

Author Comment

by:jb784
ID: 12258908
search with show hidden.

winspool.h
winspool.lib
winspool.drv
winspool.drv.000
system\winspool.drv
system32\winspool.exe
system32\dllcache\winspool.exe
system32\dllcache\winspool.vir  (I changed the name for a test and it regened winspool.exe)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12259127
these are legit files..... !!

so the file is nowhere,,,, and norton is picking it up..... i never get why Norton does these things >:(
did u run stinger,,,, did it pick it up ??
also fix the entries in hijackthis now.... reboot and post back the results !!
0
 

Author Comment

by:jb784
ID: 12259529
No more popups :>
Thanks for the help.

Did the points make it to you?
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12259619
great ^_^

>> Did the points make it to you?
sorry i didn't get the question :-?
0
 

Author Comment

by:jb784
ID: 12259780
Sorry
I thought when I click accept the
500 points get awarded automatically.

I was just checking to make sure
you got the 500 points because you
did an excellent job.

Thanx again
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12259830
lol..... yes my friend, when u hit Accept the expert gets the points automatically.... and i got them :)
thanx for the points and ur kind words... cheers ^_^
0
 
LVL 2

Expert Comment

by:raindog_mx
ID: 12904871
I actually found the solution from http://sarc.com/avcenter/venc/data/adware.purityscan.html a simpler one.

Apparently this is a program called purityscan and the uninstaller can be downloaded from
http://www.purityscan.com/uninstall.html

i used it and worked flawlessly (apparently)

SheharyaarSaahil first suggested it in the thread.


0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12909383
glad you got the solution from here mx! Cheers :)
0
