krlaw6
asked on
Adware problem I'm having trouble eliminating - Purityscan.
MS XP Professional, Ver. 2002, SP 2. Client machine. Internet Explorer 7. User downloaded nasty adware/spyware, and it keeps showing up in Norton Antivirus scan, but it's not eliminating it. Adware is purityscan. It's locking up the user's browser. Browser works in Safe Mode, but not otherwise. Also works when I disable third-party browser extensions.
Tried Ad-aware, Spybot, uninstalling & reinstalling IE 7. Norton scan still kept showing purityscan on the machine. Finally, after reading similar entries on this website, did this.
Ran Hijack This. Here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:32 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\hpb2ksrv.exe
C:\WINDOWS\system32\hpbhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hpnra.exe
C:\WINDOWS\system32\hpstatus.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\HPBSPSVR.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\HPBJDSNT.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\TimeLeft3\TimeLeft.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINDOWS\system32\hpstatus.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\CLJ2500\SetConfig.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [IERESETATTRIB] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
O4 - HKLM\..\RunOnce: [IERESETICONS] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.acmeoyster.net/Remote/msrdp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1433/ftp.coupons.com/v3121/cpbrkpie.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - https://vapwda.ops.placeware.com/etc/place/DESK/VADpws-a3s/5.1.0.121/lib/quicksilver.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.netchexonline.net/ActiveX/activexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://avero.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amg.local
O17 - HKLM\Software\..\Telephony: DomainName = amg.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3971F020-CA1B-43C5-B6E8-9E0E48BA75D6}: NameServer = 192.168.1.2
O20 - AppInit_DLLs: wuaclt.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\system32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\system32\hpbhksrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 12322 bytes
Then, in Safe Mode, ran SmitFraudFix. Here's the scan report:
SmitFraudFix v2.256
Scan done at 10:12:27.40, Thu 11/29/2007
Run from C:\Documents and Settings\stacyl\Desktop\tools\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ctfmon.exe
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\stacyl
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\stacyl\Application Data
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\stacyl\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" wuaclt.dll "
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3971F020-CA1B-43C5-B6E8-9E0E48BA75D6}: NameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3971F020-CA1B-43C5-B6E8-9E0E48BA75D6}: NameServer=192.168.1.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3971F020-CA1B-43C5-B6E8-9E0E48BA75D6}: NameServer=192.168.1.2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» End
And, after fixing the problems, here's the Fixed report:
SmitFraudFix v2.256
Scan done at 10:13:19.15, Thu 11/29/2007
Run from C:\Documents and Settings\stacyl\Desktop\tools\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3971F020-CA1B-43C5-B6E8-9E0E48BA75D6}: NameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3971F020-CA1B-43C5-B6E8-9E0E48BA75D6}: NameServer=192.168.1.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3971F020-CA1B-43C5-B6E8-9E0E48BA75D6}: NameServer=192.168.1.2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» End
Then, still in Safe Mode, ran SuperAntiSpyware. After fixing all of the found problems, switched back out of Safe Mode, and ran Hijack This again. Here's the current report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:53 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\hpb2ksrv.exe
C:\WINDOWS\system32\hpbhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hpnra.exe
C:\WINDOWS\system32\hpstatus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\HPBSPSVR.EXE
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\HPBJDSNT.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINDOWS\system32\hpstatus.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\CLJ2500\SetConfig.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.acmeoyster.net/Remote/msrdp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1433/ftp.coupons.com/v3121/cpbrkpie.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - https://vapwda.ops.placeware.com/etc/place/DESK/VADpws-a3s/5.1.0.121/lib/quicksilver.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.netchexonline.net/ActiveX/activexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://avero.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amg.local
O17 - HKLM\Software\..\Telephony: DomainName = amg.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3971F020-CA1B-43C5-B6E8-9E0E48BA75D6}: NameServer = 192.168.1.2
O20 - AppInit_DLLs: wuaclt.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\system32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\system32\hpbhksrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11272 bytes
Now, Norton Quick Scan (finally!) isn't finding an instance of purityscan. However, I wanted to run these logs past the experts to make SURE that I don't have anything left to worry about.
Thanks for your help.
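An added check, not part of the post and not HijackThis' own code: a small Python parser for HijackThis 2.0 log lines that diffs a before/after pair and lists the persistence entries worth verifying by hand (O10 Winsock LSP, O20 AppInit_DLLs / Winlogon Notify), plus a heuristic that spots a DLL name one edit away from a running process name, which is what wuaclt.dll beside wuauclt.exe in these logs looks like. The sample lines are copied from the logs above; the review rules are this example's own heuristics, and a hit means "verify the file", not "infected".

```python
"""Parse HijackThis 2.0 logs, diff a before/after pair, and flag entries
worth a second look.  The flagging rules below are this example's own
heuristics, not HijackThis' or Norton's verdicts."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# "O20 - AppInit_DLLs: wuaclt.dll" -> section "O20", body "AppInit_DLLs: wuaclt.dll"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Lines in the "Running processes:" block are bare executable paths
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)

# Sections that are real persistence points: a DLL listed here is loaded
# into many processes, so it deserves verification even when it is benign.
REVIEW_SECTIONS = {
    "O10": "Winsock LSP (loaded into every networked process)",
    "O20": "AppInit_DLLs / Winlogon Notify (loaded into every GUI process)",
}


@dataclass(frozen=True, order=True)
class Entry:
    section: str
    body: str


def parse_log(text: str) -> Tuple[List[Entry], Set[str]]:
    """Return the R/O entries and the lower-cased basenames of running processes."""
    entries, procs = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["section"], m["body"]))
        elif PROC_RE.match(line):
            procs.add(line.rsplit("\\", 1)[-1].lower())
    return entries, procs


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries the cleanup removed, and entries that appeared afterwards."""
    b, _ = parse_log(before)
    a, _ = parse_log(after)
    return sorted(set(b) - set(a)), sorted(set(a) - set(b))


def edit_distance(s: str, t: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike file names."""
    prev = list(range(len(t) + 1))
    for i, cs in enumerate(s, 1):
        cur = [i]
        for j, ct in enumerate(t, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (cs != ct)))
        prev = cur
    return prev[-1]


def review(text: str) -> List[str]:
    """Flag persistence entries, and any DLL whose name is one edit away
    from a legitimate running process (a dropped or swapped letter)."""
    entries, procs = parse_log(text)
    stems = {p.rsplit(".", 1)[0] for p in procs}
    findings = []
    for e in entries:
        if e.section not in REVIEW_SECTIONS:
            continue
        findings.append(f"{e.section} {e.body!r}: {REVIEW_SECTIONS[e.section]}")
        for dll in re.findall(r"[\w~-]+\.dll", e.body, re.IGNORECASE):
            stem = dll.rsplit(".", 1)[0].lower()
            for legit in stems:
                if stem != legit and edit_distance(stem, legit) == 1:
                    findings.append(f"  {dll} is one edit away from running process {legit}.exe")
    return findings


# Constructed excerpts of the two HijackThis logs in the post (first and last run).
BEFORE = r"""Running processes:
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\RunOnce: [IERESETICONS] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: wuaclt.dll
"""
AFTER = r"""Running processes:
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: wuaclt.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("review:", *review(AFTER), sep="\n  ")
```

Run against the full logs, the diff shows what the cleanup actually changed, and the AppInit_DLLs entry surviving both runs is the one to verify on disk before calling the machine clean.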
PurityScan/Clickspring usually shows up in the HijackThis log; it doesn't hide like other malware, so it's probably not there.
Combofix should catch it if there are leftovers present.
RegistryPowerCleaner is definitely the one I would remove; it's a rogue program.
Personally, I don't even trust the well-known CCleaner with my registry.
Remove the following from the computer along with the file:
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
Yes, it's Spybot's. But if you are not using it from IE you can remove it,
and try http://www.prevx.com
It may detect what file is bad (yes, you have to remove it manually).
ASKER
IndiGenus:
OK, after working with someone from Symantec using autoruns.exe, and also after using superantispyware (which was recommended in another related question on this site), I finally had gotten IE 7 working, and got a clean virus scan from Symantec AV ver. 10.1.
Now, after following the regedit instructions from Symantec, IE isn't working again. And it still doesn't work when I disable 3rd party browser extensions. (With the original problem, disabling 3rd party browser extensions took care of the problem.) AND Symantec AV keeps closing down. Mozilla Firefox still works. If I was in your shoes, I would probably assume that I made a mistake when editing the registry, but I was very careful, and don't believe that I made any deletions other than what was listed in the Symantec fix. I will upload the Combofix & Hijack This logs after posting this entry.
Thanks.
ASKER
Here's the link to the uploaded files:
https://filedb.experts-exchange.com/incoming/ee-stuff/5970-Combofix-log--2--12-3-2007.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5971-hijackthis--2--12-3-2007.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5965-Combofix-log-12-3-2007.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5966-hijackthis-12-3-2007.txt
Thanks.
ASKER
Since, before attempting to remove RegPowerCleaner, I had IE 7 working, with 3rd party browser extensions enabled, and got a clean virus scan from Symantec, I'm wondering if I should just attempt to restore to Last Known Good. (Assuming that this will work, since I had System Restore turned off, which was suggested in the other question's fix that I tried.)
Last known good and system restore are 2 different things.
1. Last known good will not work here I don't think. It only works if the PC will not boot into Windows. You have already booted into Windows correct?
2. If system restore was off you have no restore points, so that is out of the question. I know many of the security companies (i.e. Symantec) advise turning off system restore before cleaning. But I and many other security experts strongly disagree with this practice.
- A bad restore point is better than none if something goes really wrong.
- Infected restore points can only re-infect a PC if sys restore is actually done.
So we advise people at the end to clear out and set a fresh restore point.
I will look closer at the logs. Not seeing anything at first glance but will get back to you.
ASKER
Yes - I am able to boot into Windows.
I did back up the entire registry before starting the deletions, but the last time I tried to restore an entire registry, it didn't work - said some entries couldn't be overwritten because programs were using them, or a message to that effect. Tried in Safe Mode, and got the same message. Which makes me wonder what the value of backing up the entire registry is, if you can't restore it later. Just wondering.
Some cleanup. Your issues with the registry? Were you using that rogue registry program to do the backup and restore?
1. Please open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
----------------------------------------------------------------------------------------------------------------
Folder::
C:\Program Files\Hotbar
C:\Program Files\Coupons
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
----------------------------------------------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please upload the following reports/logs.
-Combofix.txt
================================
Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:
---------------------------------
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1433/ftp.coupons.com/v3121/cpbrkpie.cab
---------------------------------
Then close all windows except this one and press Fix checked.
Reboot and upload a new HJT log.
=================================
Let us know where you are at this point.
ASKER
I'll do that, and get back to you with the results.
And, no, I wasn't using RegPowerCleaner to do the backup and restore. I was just doing an export from Reg Edit to a reg file, and then trying to import that same file back in later.
Hmm...maybe the reg script was bad? I don't know. I use ERUNT and have had good luck with it in the past, saved my own hide a couple of times. Plus it will do automated backups on restarts. Free too...
http://aumha.org/freeware/freeware.php
ASKER
New logs:
https://filedb.experts-exchange.com/incoming/ee-stuff/5970-Combofix-log--2--12-3-2007.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5971-hijackthis--2--12-3-2007.txt
And IE still isn't working; Mozilla still is. Also, at reboot, when Windows was coming up, got this error -
The instruction at "0x65930993" referenced memory at "0x69583550". The memory could not be "read".
Click on OK to terminate the program.
Click on CANCEL to debug the program.
Title bar was Rtvscan.exe - Application Error.
I assume that Rtvscan is real-time virus scan - Symantec runs a Quick Scan at startup. And I'm still getting error messages saying that Symantec had to shut down.
Thanks.
My bad here. I missed one. It fooled me as it looks just like a valid file. Use HJT to remove this O20.
O20 - AppInit_DLLs: wuaclt.dll
Then delete the file. You may need to enable hidden files and folders to find it.
C:\WINDOWS\system32\wuauclt.exe
Reboot and run HJT. Make sure that entry is gone.
----------------------------------------------
If your other issues continue...I am wondering if Norton has become corrupted. May need to re-install if possible. And with IE, when you say it isn't working. What happens when you use it. Lock ups, can't get to internet?
ASKER
A quick question:
When deleting the wuauclt.exe file, there are also a wuauclt1.exe, and a wuauclt.exe.wusetup.136093.bak file. Should I touch these, or leave them alone?
ASKER
What happens with IE is that the browser won't display a page. We have internet connectivity - user is getting email. But the page won't load, and you can't close the browser with the X - have to go into Task Manager and close it.
>"""When deleting the wuauclt.exe file, there are also a wuauclt1.exe, and a wuauclt.exe.wusetup.136093.bak file. Should I touch these, or leave them alone?"""<
Argg...been a long day for me. The file I gave you was a valid file. The one in HJT was the one we wanted.
wuaclt.dll=bad
wuauclt.exe=good
Note the second u...
The good one is part of Windows Update. Hopefully Windows File Protection restored or stopped you from deleting it. Do a search for the wuaclt.dll file. It may be in the location I gave or it may be somewhere else.
Sounds like IE, along with Norton, is corrupt. I would advise you to try and re-install it.
Information on uninstalling it here. This will revert to IE6. Try and see if IE6 works, then if OK re-install IE7.
http://support.microsoft.com/kb/927177
ASKER
Windows restored it.
I'm trying to search for the wuaclt.dll, but my Search isn't working now.... I'm trying through a DOS prompt, but not sure if this is the right syntax to find hidden files:
C:\>dir /s /a wuaclt.dll
Uninstalled IE 7, and I'll reinstall it in a minute. Tried to uninstall Symantec, and it froze up on me. I'm going to attempt a repair; not sure if that's an option or not. Or I may just try to reinstall it over the old install.
No, that file script won't work, I don't think. Not a DOS expert, but I have something easier.
Findfile by Atribune. Download, unzip, and run. Pretty straightforward...
http://www.atribune.org/downloads/FileFind.zip
If the purityscan wuaclt.dll is still present it should be in the system32 folder. You could try killboxing it to be deleted at reboot and fixing the O20 entry in HijackThis, or try the CFScript.
--------------------------------------------------------
File::
C:\WINDOWS\System32\wuaclt.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
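To check the same two things the thread is chasing (is anything still listed in the AppInit_DLLs load point the CFScript clears, and is a copy of wuaclt.dll anywhere on the disk, hidden or not, which is what the earlier `dir /s` attempt was after) without a third-party tool, here is an added PowerShell script. It is not from the thread or from any tool mentioned in it, and it assumes PowerShell is installed on the machine.

```powershell
# Added defender-side check, not from the thread. The registry key and the
# file name are the ones in the CFScript above.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# 1. Read the AppInit_DLLs load point. Every DLL listed here is loaded into
#    each process that loads user32.dll, so one bad entry reaches IE and
#    most other GUI programs.
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$val = $props.AppInit_DLLs
if (-not $val -or $val.Trim() -eq '') {
    Write-Output 'AppInit_DLLs is empty (the state the CFScript restores).'
} else {
    Write-Output "AppInit_DLLs = '$val'"
    # The value is a space- or comma-separated list of paths or bare names;
    # a bare name is resolved from system32, as the loader would.
    foreach ($entry in ($val -split '[,\s]+' | Where-Object { $_ })) {
        $path = $entry
        if (-not (Test-Path $path)) {
            $path = Join-Path $env:SystemRoot "system32\$entry"
        }
        $status = if (Test-Path $path) { "present at $path" } else { 'file missing' }
        Write-Output ('  {0} -> {1}' -f $entry, $status)
    }
}

# 2. Look for the dropped DLL anywhere on the system drive, including copies
#    with hidden or system attributes (the equivalent of 'dir /s /a').
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'wuaclt.dll' -Recurse -Force `
    -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime, Attributes
```

Run it from an elevated prompt; an empty AppInit_DLLs value and no hits from the file search are the expected result once the cleanup has worked.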
ASKER
OK, Findfile didn't find the wuaclt.exe file, so I assume I'm alright with that. (I deleted the dll through HJT.) Now I'm unable to either uninstall Symantec, or reinstall over the old version (tells me that there's already a client version installed, and stops the installation.) I can try working with Symantec tech support on that one. IE 6 is working, but when I try to install IE 7, it hangs while checking for updates (which is pretty early in the installation).
At this point, I'm wondering if I should just get a new PC. This one is pretty old. I don't want to if I can fix this, but it's been going on for 4 days now, and I'm not sure I'm getting anywhere.
Opinions?
For Norton, try the removal tool; Norton is known for being stubborn to remove.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
I am not sure on the IE issue. How long had you been using IE7 prior to issues starting?
ASKER
Used IE for several months. No problems until this whole purityscan thing. And, keep in mind that last week, I had removed purityscan entirely (or at least it was no longer showing in a Symantec AV scan), AND I had IE 7 working. Then, when I followed the Symantec instructions for removing RegPowerCleaner, that's when I lost IE 7 again (Mozilla and IE 6 still working fine), and Symantec AV Auto-Protect stopped loading.
ASKER
Sorry - used IE 7 for several months, I meant to say.
ASKER CERTIFIED SOLUTION
I think the main reason why Symantec suggests turning off System Restore before the cleanup is to cut down the scanning time and to avoid possible hangs when scanning this folder. It's possible for a scanner to hang when scanning this folder; it happens.
And Symantec also can't modify files in this folder, so if it finds a virus it can't remove it.
So, it's easier for them to just say, turn off System Restore.
They are wrong of course; they're just protecting their own interest. They probably don't care about the PC users. :(
http://www.symantec.com/en/ca/norton/security_response/writeup.jsp?docid=2007-021515-4552-99&tabid=1
Also, it probably wouldn't hurt to run ComboFix, as it will pick up Pscan and may also find some other nasties that may be hiding.
Download and Run ComboFix (by sUBs)
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log. Upload to the following link and post the link to it back here.
http://www.ee-stuff.com
Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.