# Help! I’ve Been Hi-Jacked, Wormed, Trojaned or Vir

## 4 posts in this topic

Hi Folks,

I hope someone can help. I have been hit by Purity Scan, ISTbar, XXXtoolbar, Superbar, ClickSpring, CoolWWW, Lycos SideSearch, VX2, Enigma Spy, PowerScan, Bargain Buddy, Clear Search, plus others. I have Ad-Aware, Hi-Jack This, Pest Patrol, Cw Shredder, Spy Bot Search and Destroy, Spyware Killer, Kill Box, Bazooka, SpyGuard, Spyware Blaster, SpySweeper, Evidence Eliminator, Norton’s 2003 with Live Update, Registar Lite, RegClean, Web Search and none of these have been able to clean my system. They all say that they have, but all of these things keep coming back every time I re-boot.

I have used HJT many times and have deleted everything that was suspicious, and I have done this with Safe Mode and with System Restore Off. It doesn’t make a difference. I have gone through the registry as much as I could and killed anything that had these file names: bhui.exe, iinstall.exe, csrss.exe, rs.exe, arpa.exe, services.exe, svhost.exe. These were all identified in the task manager when these pop-ups happen. I get Windows Error Service saying that my computer has Spyware and when I click okay, it takes me to a dead Clickspring page. If I cancel it, it keeps popping back up. If I kill it in task manager, then Purity Scan Page pops up. Sometimes Purity Scan pops up so fast I can barely keep ahead of it deleting in task manager. When I use Pest Patrol to delete either Purity Scan, or ISTbar, then the Purity Scan page kicks in right on top of it. When I use HiJack This and delete the items that are definitely bad, they just keep coming back. Right now everything is quiet and I can type this letter without being bothered for a while I guess.

This has really got me stumped. I know there must be something I am missing in the registry or in the HiJack This Logs. But I’ll be darned if I can find out what it is. In the registry I don’t have a list of the number values to tell me which ones may be bad especially in the root. If they have a name, I can mostly recognize them. I need some really good help on this one. Please don’t tell me to buy another program. I have bought enough already and I think this whole mess is targeting them as well too. If this is a Virus, Worm or Trojan of which I think it is then I hope someone can recognize the symptoms I have and can direct me to a tool if there is one. If not, I guess it all has to be done manually. I just don’t even want to think about a re-format of C: It is more of a problem getting all the stuff back on the computer and having to deal with Microsoft now cause I have XP Pro-home edition. To re-load or repair, you have to call them and get new product ID numbers now. I don’t know if you have to do that on a re-format and install XP. I just would not rather do it, if possible.

So there you have it. Is anyone up to the challenge? Here is my latest HiJack Log after they reinstalled themselves again:

Oh, here is a little more information that I have found out.

I have done all of this in safe mode as well as regular mode. Nothing works. Spyware Sweeper shows me where some of this stuff is located. But I cannot for the life of me find it. Search doesn't find it either. But Spyware Sweeper says it's there. The path is C:\documents and settings\Network Services\Start Menu\Programs\Purity Scan\Purity Scan.Ink. The Problem folder I cannot see is NETWORK SERVICES. I have show all files including hidden and it still does not show up. Also my note pad will not open anymore as well as some saved registry files. When I try to open them, Purity Scan Page pops up. The only reason I am able to send a Hijack log, is that I do it while it is still open after saving it. Once I close it, I cannot reopen it again. I guess this thing is pretty wicked. That Network Services folder is the only one I have not been able to open. Got any ideas? I have already used, like I said, Ad-Aware, Spy Bot S&D and a whole lot of other programs and they just aren't able to get rid of it. And I have been running without System Restore on for over a week now, so that can't be the problem why they keep coming back. (The highlighted ones that I recognize are the ones I have consistently deleted and they keep coming back!)

Log File from High Jack This:

Logfile of HijackThis v1.97.7

Scan saved at 11:16:30 AM, on 7/4/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Saitek\Software\SaiSmart.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Saitek\Software\Profiler.exe

C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

C:\WINDOWS\TBPanel.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE

C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe

C:\WINDOWS\system32\arpa.exe

C:\Program Files\Evidence Eliminator\ee.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\WINDOWS\services.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\arpa.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\cleaner.exe

C:\Documents and Settings\NetworkService\Application Data\tsuu.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\cleaner.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\IncrediMail\bin\IncMail.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Hijack This Zipped\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: IncrediBar - {D8073790-84C7-4602-BF77-C6ACBF1612E4} - C:\Program Files\IncrediBar\bin\IBTBar.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [saiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [WinPatrol PLUS] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe

O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe

O4 - HKLM\..\RunServices: [Cleanup] C:\Program Files\Complete Cleanup Trial\compind.bat

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE

O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT /SCAN

O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: IncrediBar (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O15 - Trusted Zone: http://*.xxxtoolbar.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8147.7367476852

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

ANY REAL HELP FROM ANYONE WOULD BE SO GREATLY APPRECIATED. EVEN IF IT IS TO DIRECT ME TO ANOTHER SITE FOR A PROGRAM OR HELP. I AM GRASPING AT STRINGS HERE. NOTHING I HAVE TRIED SEEMS TO WORK.

PLEASE FEEL FREE TO E-MAIL ME IF YOU WANT. THANKS AGAIN, FOR ANY ASSISTANCE.

SINCERELY,
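A triage check for the log above, as an added example that is not part of the original post: it flags entries whose file name matches a core Windows process but whose directory is not the one that process normally runs from, which is how the `services.exe` and `svchost.exe` autorun entries in this log stand out for review. The expected-directory table assumes a default Windows XP install under `C:\WINDOWS`, and the function name is hypothetical.

```python
import ntpath
import re

# Expected home directory of core Windows XP processes (lower-cased).
# Assumption: a default install under C:\WINDOWS.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# First drive-letter path ending in .exe on a line; covers both the
# "Running processes" list and O4 autorun entries (quoted or not).
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)

def misplaced_system_names(log_text):
    """Return sorted (section, path) pairs: system name, unexpected directory."""
    hits = set()
    for line in log_text.splitlines():
        m = EXE_PATH.search(line)
        if not m:
            continue
        path = m.group(0)
        directory, name = ntpath.split(path.lower())
        expected = EXPECTED_DIR.get(name)
        if expected and directory != expected:
            section = "O4" if line.lstrip().startswith("O4") else "process"
            hits.add((section, path))
    return sorted(hits)

# Sample lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for section, path in misplaced_system_names(SAMPLE_LOG):
        print(f"review: [{section}] {path}")
```

A hit is a prompt to inspect the file and its autorun entry, not a verdict; names that do not imitate a system process, such as `arpa.exe` in this log, are outside what this check covers.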

Try this. Check that adaware is updated.

Then go to the AdAware website, http://www.lavasoft.de/.

Then post a fresh log.

http://www.spywareinfoforum.com/index.php?sh...ic=9573&hl=bhui