Adware.Purityscan

3 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

Adware.Purityscan8th January 2009, 10:32 pm

This is for my PC with Windows XP. My Symantic Anti-Virus keeps picking up over 300 counts of Adware.Purityscan. It says it's removing it, but it's not. I'm also getting downloads through Windows Downloader and it says it's downloading Symantic, but right after I'll cancel the download my auto protect will come up with the Adware.Purityscan and sometimes the Auto-protect will come up, but with nothing showing. I ran Malwarebytes but it's saying my system is clean. Any advice would be appreciated. Thanks

Re: Adware.Purityscan8th January 2009, 10:34 pm

Please read here and post a Hijack This log.

http://www.geekpolice.net/malware-removal-hijackthis-logs-f11/read-this-before-posting-t3821.htm

............................................................................................
Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Adware.Purityscan DXwU4

Re: Adware.Purityscan8th January 2009, 10:38 pm

This is What the Hijackthis Log Provided:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:09 PM, on 1/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\DOCUME~1\EILEEN~1\MYDOCU~1\SSTEM~1\userinit.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Ares\ares.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eileen Peterson\Desktop\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.128.10.70:8080
R3 - URLSearchHook: (no name) - ~EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: (no name) - {8CECC60C-FB7B-4A47-A64C-15B6CB76021B} - C:\WINDOWS\system32\urqNDTKB.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
O3 - Toolbar: Mirar - {38D916E2-A1AD-4333-A0BB-4D3AB1A25B9A} - C:\WINDOWS\system32\winnf77.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [StartUp] C:\WINDOWS\trayicons.exe /optimize speed
O4 - HKCU\..\Run: [Kjhfv] C:\WINDOWS\SYSTEM32\W?nSxS\l?gonui.exe
O4 - HKCU\..\Run: [Xodcydb] C:\WINDOWS\?ymantec\??rvices.exe
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\EILEEN~1\MYDOCU~1\SSTEM~1\userinit.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\Run: [Windows installer] C:\winstall.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows installer] C:\winstall.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us//html/activexplayer/SMALStreaming.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O18 - Filter hijack: text/html - {4bd7237b-f711-4655-ad87-9fcfd271307b} - C:\WINDOWS\system32\msiebbar.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\append.dll inpajs.dll
O20 - Winlogon Notify: geBrponn - geBrponn.dll (file missing)
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll (file missing)
O20 - Winlogon Notify: mljjh - C:\WINDOWS\system32\mljjh.dll (file missing)
O20 - Winlogon Notify: nnnlijh - nnnlijh.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 12390 bytes

Re: Adware.Purityscan8th January 2009, 10:49 pm

Hello.

Download HostsXpert from HERE

Unzip it.
Right click the program > "Run as administrator" to open the program.
If "Make writeable?" is shown in red at the top, click it to make writeable.
Press "Restore MS Hosts File"
OK the prompt.
Then click on "Make read only"
Exit HostXpert.

Open HijackThis
Choose "Do a system scan only"
Check the boxes in front of these lines:

R3 - URLSearchHook: (no name) - ~EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {8CECC60C-FB7B-4A47-A64C-15B6CB76021B} - C:\WINDOWS\system32\urqNDTKB.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
O3 - Toolbar: Mirar - {38D916E2-A1AD-4333-A0BB-4D3AB1A25B9A} - C:\WINDOWS\system32\winnf77.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [StartUp] C:\WINDOWS\trayicons.exe /optimize speed
O4 - HKCU\..\Run: [Kjhfv] C:\WINDOWS\SYSTEM32\W?nSxS\l?gonui.exe
O4 - HKCU\..\Run: [Xodcydb] C:\WINDOWS\?ymantec\??rvices.exe
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\EILEEN~1\MYDOCU~1\SSTEM~1\userinit.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\Run: [Windows installer] C:\winstall.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows installer] C:\winstall.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O18 - Filter hijack: text/html - {4bd7237b-f711-4655-ad87-9fcfd271307b} - C:\WINDOWS\system32\msiebbar.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\append.dll inpajs.dll
O20 - Winlogon Notify: geBrponn - geBrponn.dll (file missing)
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll (file missing)
O20 - Winlogon Notify: mljjh - C:\WINDOWS\system32\mljjh.dll (file missing)
O20 - Winlogon Notify: nnnlijh - nnnlijh.dll (file missing)
Press "Fix Checked"
Close Hijack This.

Please download the OTMoveIt3 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:processes
explorer.exe

:files
C:\WINDOWS\system32\append.dll
C:\WINDOWS\system32\inpajs.dll

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]
Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: Adware.Purityscan9th January 2009, 10:53 pm

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret <[purity]> in the current context!
Error: Unable to interpret <[emptytemp]> in the current context!
Error: Unable to interpret <[start explorer]> in the current context!
Error: Unable to interpret <[reboot]> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01092009_175321

Re: Adware.Purityscan9th January 2009, 10:56 pm

Did you copy it paste it all in right? I don't know if OTMoveIt liked what it may have been asked to do.

Re: Adware.Purityscan9th January 2009, 10:57 pm

I attempted another MOVEIT and it said the same thing.

Re: Adware.Purityscan9th January 2009, 11:02 pm

Okay, before I jump straight to a one hit KO for this malware, lets take some weight off the machine.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Re: Adware.Purityscan10th January 2009, 3:22 am

This is my Malwarebytes Log: All were deleted

Malwarebytes' Anti-Malware 1.32
Database version: 1635
Windows 5.1.2600 Service Pack 3

1/9/2009 9:24:34 PM
mbam-log-2009-01-09 (21-24-34).txt

Scan type: Quick Scan
Objects scanned: 59262
Time elapsed: 8 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eileen Peterson\Start Menu\Programs\Outerinfo (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eileen Peterson\Desktop\Real Music Ringtones.url (Rogue.Link) -> Quarantined and deleted successfully.

Re: Adware.Purityscan10th January 2009, 1:58 pm

Download combofix from here, use the top links - combofix.exe
Please disable your local AV (Anti-virus) by right clicking it's icon in the tray, and exit it.
Double click on ComboFix.exe.
Follow the prompts. NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes
Allow combofix to run
Post C:\combofix.txt back here.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Adware.Purityscan10th January 2009, 6:01 pm

Here's my Combofix Log:

ComboFix 09-01-09.03 - Eileen Peterson 2009-01-10 12:39:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.162 [GMT -5:00]
Running from: c:\documents and settings\Eileen Peterson\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eileen Peterson\Application Data\FunWebProducts
c:\documents and settings\Eileen Peterson\Application Data\FunWebProducts\Data\Eileen Peterson\avatar.dat
c:\documents and settings\Eileen Peterson\My Documents\SSTEM~1
c:\documents and settings\Eileen Peterson\My Documents\SSTEM~1\s?stem\
c:\documents and settings\Eileen Peterson\My Documents\SSTEM~1\userinit.exe
c:\documents and settings\LocalService\Application Data\install.dat
c:\program files\Common Files\smante~1
c:\program files\INSTALL.LOG
c:\windows\IE4 Error Log.txt
c:\windows\smante~1
c:\windows\SYSTEM32\BKTDNqru.ini
c:\windows\SYSTEM32\BKTDNqru.ini2
c:\windows\system32\cghmvlif.ini
c:\windows\system32\config\system~1\applic~1\install.dat
c:\windows\system32\ctoqrjek.ini
c:\windows\system32\cvvnxsrk.ini
c:\windows\system32\dxhidfhr.ini
c:\windows\system32\G353.tmp.exe
c:\windows\system32\G3ADC.tmp.exe
c:\windows\system32\G3CB7.tmp.exe
c:\windows\system32\G55F.tmp.exe
c:\windows\system32\GAF8E.tmp.exe
c:\windows\system32\GD14C.tmp.exe
c:\windows\system32\GE528.tmp.exe
c:\windows\system32\ggccduip.ini
c:\windows\SYSTEM32\hjjlm.bak1
c:\windows\SYSTEM32\hjjlm.bak2
c:\windows\system32\hjjlm.ini
c:\windows\system32\konnuuma.ini
c:\windows\system32\rdwftinl.ini
c:\windows\system32\rvttdofv.ini
c:\windows\system32\shellgui32.dll
c:\windows\system32\tgopmgsd.ini
c:\windows\system32\tmupcjfq.ini
c:\windows\system32\uttss.ini
c:\windows\SYSTEM32\uttss.ini2
c:\windows\system32\winsrv32.exe
c:\windows\system32\wnsxs~1
c:\windows\system32\wnsxs~1\l?gonui.exe
c:\windows\SYSTEM32\ybeeg.bak1
c:\windows\SYSTEM32\ybeeg.bak2
c:\windows\SYSTEM32\ybeeg.ini
c:\windows\SYSTEM32\ybeeg.ini2
c:\windows\SYSTEM32\ybeeg.tmp
c:\windows\wiaserviv.log
c:\windows\wiaservv.log
c:\windows\ymante~1
c:\windows\ymante~1\??rvices.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE

((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2028-04-02 09:52 . 2001-08-17 12:56 7,552 --a------ c:\windows\SYSTEM32\DRIVERS\SONYPVU1.SYS
2028-03-31 20:47 . 2028-03-31 20:56 d-------- c:\program files\GoldPocket
2009-01-09 18:45 . 2009-01-09 18:45 d--hs---- C:\found.000
2009-01-09 18:27 . 2009-01-09 18:27 d-------- c:\windows\SYSTEM32\scripting
2009-01-09 18:26 . 2009-01-09 18:26 d-------- c:\windows\SYSTEM32\en
2009-01-09 18:26 . 2009-01-09 18:27 d-------- c:\windows\l2schemas
2009-01-09 17:53 . 2009-01-09 17:53 d-------- C:\_OTMoveIt
2009-01-06 07:53 . 2009-01-06 07:53 d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-01 18:04 . 2009-01-04 20:23 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 18:04 . 2009-01-01 18:04 d-------- c:\documents and settings\Eileen Peterson\Application Data\Malwarebytes
2009-01-01 18:04 . 2009-01-01 18:04 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-01 18:04 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-01 18:04 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-01 18:03 . 2009-01-01 18:03 2,539,168 --a------ C:\mbam-setup.exe
2008-12-14 14:19 . 2008-12-14 14:19 d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2008-12-13 11:24 . 2008-12-13 11:24 73 --a------ c:\windows\st_affiliate.ini
2008-12-11 03:52 . 2008-12-11 04:39 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-11 03:50 . 2008-12-11 03:50 13,596,592 --a------ C:\sdsetup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 17:45 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-06 01:26 --------- d-----w c:\program files\Ares
2005-12-20 23:26 774,144 ----a-w c:\program files\RngInterstitial.dll
2004-08-06 23:13 16,706,160 ----a-w c:\program files\AdbeRdr60_enu_full.exe
2007-06-03 09:20 61,038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-03 09:20 49,256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-03 09:20 166,000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eileen Peterson^Start Menu^Programs^Startup^HOTLLAMA Update Check.lnk]
path=c:\documents and settings\Eileen Peterson\Start Menu\Programs\Startup\HOTLLAMA Update Check.lnk
backup=c:\windows\pss\HOTLLAMA Update Check.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eileen Peterson^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\Eileen Peterson\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^CreataCard Gold 2 Forget Me Not Reminders.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\CreataCard Gold 2 Forget Me Not Reminders.lnk
backup=c:\windows\pss\CreataCard Gold 2 Forget Me Not Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2005-03-02 12:40 1202688 c:\program files\Ares\ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 07:51 306688 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2003-08-06 02:04 114741 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 11:27 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 14:54 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2006-01-07 00:09 172032 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2006-01-07 00:09 659456 c:\windows\SYSTEM32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2006-01-07 00:09 49152 c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 08:36 114688 c:\windows\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-16 08:21 28672 c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
--a------ 2003-10-14 11:36 38984 c:\progra~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-12-03 06:40 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 20:47 204800 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--------- 2002-02-04 21:32 53248 c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2003-02-13 02:01 155648 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

Re: Adware.Purityscan10th January 2009, 6:01 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\ares.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA GAMES\\Ultima Online Samurai Empire\\client.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Ultima Online Samurai Empire\\uotd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R3 EraserUtilDrvI7;EraserUtilDrvI7;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilDrvI7.sys [2009-01-09 99376]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-06-23 124608]
S4 MTHFQMIO;MTHFQMIO;\??\c:\windows\system32\mthfqmio.jdz --> c:\windows\system32\mthfqmio.jdz [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]

2009-01-10 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2006-01-07 00:09]

2009-01-10 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DDKK0641-Eileen Peterson).job
- c:\progra~1\mcafee.com\vso\mcmnhdlr.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{8CECC60C-FB7B-4A47-A64C-15B6CB76021B} - c:\windows\system32\urqNDTKB.dll
WebBrowser-{38D916E2-A1AD-4333-A0BB-4D3AB1A25B9A} - c:\windows\system32\winnf77.dll
HKCU-Run-ctfmon.exe - c:\windows\system32\ctfmon.exe
HKCU-Run-AIM - c:\program files\AIM\aim.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
HKLM-Run-vptray - c:\progra~1\SYMANT~1\VPTray.exe
HKLM-Run-Ulead AutoDetector v2 - c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe
HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
SafeBoot-TDSSpqlt.sys
MSConfigStartUp-2LRX2W83X2T3MQ - c:\windows\System32\YjqWR9u0.exe
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-AutoUpdater - c:\program files\AutoUpdate\AutoUpdate.exe
MSConfigStartUp-Bargains - c:\program files\Bargain Buddy\bin2\bargains.exe
MSConfigStartUp-ClockSync - c:\progra~1\CLOCKS~1\Sync.exe
MSConfigStartUp-ClrSchLoader - c:\program files\ClearSearch\Loader.exe
MSConfigStartUp-ctfmon - c:\windows\system32\ctfmon.exe
MSConfigStartUp-eZmmod - c:\progra~1\ezula\mmod.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1142220836\ee\AOLSoftware.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-mdovqr - c:\windows\mdovqr.exe
MSConfigStartUp-msbb - c:\program files\stc\msbb.exe
MSConfigStartUp-Mwsvm - c:\windows\mwsvm.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-Rundll32_7 - c:\windows\System32\msiefr40.dll
MSConfigStartUp-RunWindowsUpdate - c:\windows\uptodate.exe
MSConfigStartUp-slmss - c:\program files\Common Files\slmss\slmss.exe
MSConfigStartUp-SQConfigChecker - c:\program files\Sqwire\cc.exe
MSConfigStartUp-SQUpdatesChecker - c:\program files\Sqwire\uc.exe
MSConfigStartUp-stcloader - c:\windows\System32\stcloader.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-Transponder - c:\windows\system32\susp.exe
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
MSConfigStartUp-Vs - c:\documents and settings\eileen peterson\local settings\temp\Vs.exe
MSConfigStartUp-wcmdmgr - c:\windows\wt\updater\wcmdmgrl.exe
MSConfigStartUp-WhenUSave - c:\program files\Save\Save.exe
MSConfigStartUp-WhenUSearch - c:\progra~1\WHENUS~1\Search.exe
MSConfigStartUp-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll
MSConfigStartUp-{2CF0B992-5EEB-4143-99C0-5297EF71F444} - c:\windows\System32\stlbdist.DLL

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 10.128.10.70:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: &Search
Trusted Zone: www.adobe.com
FF - ProfilePath - c:\documents and settings\Eileen Peterson\Application Data\Mozilla\Firefox\Profiles\cvmtcbgz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 12:50:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MTHFQMIO]
"ImagePath"="\??\c:\windows\system32\mthfqmio.jdz"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2009-01-10 12:58:47 - machine was rebooted [Eileen Peterson]
ComboFix-quarantined-files.txt 2009-01-10 17:57:28

Pre-Run: 44,476,313,600 bytes free
Post-Run: 44,500,959,232 bytes free

291 --- E O F --- 2009-01-10 00:07:34

Re: Adware.Purityscan10th January 2009, 6:07 pm

Hello.
Not done just yet.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
MTHFQMIO

File::
C:\mbam-setup.exe
c:\program files\AdbeRdr60_enu_full.exe
c:\windows\system32\mthfqmio.jdz

Folder::
C:\_OTMoveIt

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=-
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^Eileen Peterson^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MTHFQMIO]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
Adware.Purityscan Sfxdaw

This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

Re: Adware.Purityscan10th January 2009, 7:33 pm

Combofix stopped after Step 50. After 50 it said c:\windows\system32\mthfqmio.jdz was not recognized as a file folder etc.

Re: Adware.Purityscan10th January 2009, 7:42 pm

Ah, it's a folder.
The .jdz made me think it's a file extension and I listed it under File.
Doesn't matter though, is the machine okay?

Re: Adware.Purityscan10th January 2009, 8:00 pm

Yeah it's better. I do have a downloader on here someplace. When I open Symantec and even when I'm in Symantec and hit anything ( scan etc. ) a Windows Downloading Box appears. If I let it run another box will appear and say that the Feature I'm trying to use is on a CD-ROM and I need to insert a disk. When I cancel it my auto protect result will come up and say there is a 1 count downloader.

Re: Adware.Purityscan10th January 2009, 9:40 pm

Ok.
If you want to, switch AV? If you want to, I can give you links for free/decent AV's.

Re: Adware.Purityscan11th January 2009, 12:29 am

What do you mean by AV?

Re: Adware.Purityscan2nd March 2009, 10:06 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................
Please be a GeekPolice fan on Facebook!

Adware.Purityscan Lambo-11

Have we helped you? Help us! | Doctor by day, ninja by night.

Adware.Purityscan

descriptionAdware.Purityscan8th January 2009, 10:32 pm

descriptionRe: Adware.Purityscan8th January 2009, 10:34 pm

descriptionRe: Adware.Purityscan8th January 2009, 10:38 pm

descriptionRe: Adware.Purityscan8th January 2009, 10:49 pm

descriptionRe: Adware.Purityscan9th January 2009, 10:53 pm

descriptionRe: Adware.Purityscan9th January 2009, 10:56 pm

descriptionRe: Adware.Purityscan9th January 2009, 10:57 pm

descriptionRe: Adware.Purityscan9th January 2009, 11:02 pm

descriptionRe: Adware.Purityscan10th January 2009, 3:22 am

descriptionRe: Adware.Purityscan10th January 2009, 1:58 pm

descriptionRe: Adware.Purityscan10th January 2009, 6:01 pm

descriptionRe: Adware.Purityscan10th January 2009, 6:01 pm

descriptionRe: Adware.Purityscan10th January 2009, 6:07 pm

descriptionRe: Adware.Purityscan10th January 2009, 7:33 pm

descriptionRe: Adware.Purityscan10th January 2009, 7:42 pm

descriptionRe: Adware.Purityscan10th January 2009, 8:00 pm

descriptionRe: Adware.Purityscan10th January 2009, 9:40 pm

descriptionRe: Adware.Purityscan11th January 2009, 12:29 am

descriptionRe: Adware.Purityscan2nd March 2009, 10:06 am

descriptionRe: Adware.Purityscan