Allen Williams

Help! I’ve Been Hi-Jacked, Wormed, Trojaned or Vir

4 posts in this topic

Hi Folks,

I hope someone can help. I have been hit by Purity Scan, ISTbar, XXXtoolbar, Superbar, ClickSpring, CoolWWW, Lycos SideSearch, VX2, Enigma Spy, PowerScan, Bargain Buddy, Clear Search, plus others. I have Ad-Aware, Hi-Jack This, Pest Patrol, Cw Shredder, Spy Bot Search and Destroy, Spyware Killer, Kill Box, Bazooka, SpyGuard, Spyware Blaster, SpySweeper, Evidence Eliminator, Norton’s 2003 with Live Update, Registrar Lite, RegClean, Web Search and none of these have been able to clean my system. They all say that they have, but all of these things keep coming back every time I re-boot.

I have used HJT many times and have deleted everything that was suspicious, and I have done this with Safe Mode and with System Restore Off. It doesn’t make a difference. I have gone through the registry as much as I could and killed anything that had these file names: bhui.exe, iinstall.exe, csrss.exe, rs.exe, arpa.exe, services.exe, svhost.exe. These were all identified in the task manager when these pop-ups happen. I get Windows Error Service saying that my computer has Spyware and when I click okay, it takes me to a dead Clickspring page. If I cancel it, it keeps popping back up. If I kill it in task manager, then Purity Scan Page pops up. Sometimes Purity Scan pops up so fast I can barely keep ahead of it deleting in task manager. When I use Pest Patrol to delete either Purity Scan, or ISTbar, then the Purity Scan page kicks in right on top of it. When I use HiJack This and delete the items that are definitely bad, they just keep coming back. Right now everything is quiet and I can type this letter without being bothered for a while I guess.


This has really got me stumped. I know there must be something I am missing in the registry or in the HiJack This Logs. But I’ll be darned if I can find out what it is. In the registry I don’t have a list of the number values to tell me which ones may be bad, especially in the root. If they have a name, I can mostly recognize them. I need some really good help on this one. Please don’t tell me to buy another program. I have bought enough already and I think this whole mess is targeting them as well too. If this is a Virus, Worm or Trojan, which I think it is, then I hope someone can recognize the symptoms I have and can direct me to a tool if there is one. If not, I guess it all has to be done manually. I just don’t even want to think about a re-format of C:. It is more of a problem getting all the stuff back on the computer and having to deal with Microsoft now because I have XP Pro-home edition. To re-load or repair, you have to call them and get new product ID numbers now. I don’t know if you have to do that on a re-format and install XP. I just would rather not do it, if possible.


So there you have it. Is anyone up to the challenge? Here is my latest HiJack Log after they reinstalled themselves again:


Oh, here is a little more information that I have found out.

I have done all of this in safe mode as well as regular mode. Nothing works. Spyware Sweeper shows me where some of this stuff is located. But I cannot for the life of me find it. Search doesn't find it either. But Spyware Sweeper says it's there. The path is C:\Documents and Settings\Network Services\Start Menu\Programs\Purity Scan\Purity Scan.lnk. The problem folder I cannot see is NETWORK SERVICES. I have show all files including hidden and it still does not show up. Also my note pad will not open anymore as well as some saved registry files. When I try to open them, Purity Scan Page pops up. The only reason I am able to send a Hijack log is that I do it while it is still open after saving it. Once I close it, I cannot reopen it again. I guess this thing is pretty wicked. That Network Services folder is the only one I have not been able to open. Got any ideas? I have already used, like I said, Ad-Aware, Spy Bot S&D and a whole lot of other programs and they just aren't able to get rid of it. And I have been running without System Restore on for over a week now, so that can't be the problem why they keep coming back. (The highlighted ones that I recognize are the ones I have consistently deleted and they keep coming back!)

Log File from HijackThis:

Logfile of HijackThis v1.97.7

Scan saved at 11:16:30 AM, on 7/4/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Saitek\Software\SaiSmart.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Saitek\Software\Profiler.exe

C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

C:\WINDOWS\TBPanel.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE

C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe

C:\WINDOWS\system32\arpa.exe

C:\Program Files\Evidence Eliminator\ee.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\WINDOWS\services.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\arpa.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\cleaner.exe

C:\Documents and Settings\NetworkService\Application Data\tsuu.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\cleaner.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\IncrediMail\bin\IncMail.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Hijack This Zipped\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: IncrediBar - {D8073790-84C7-4602-BF77-C6ACBF1612E4} - C:\Program Files\IncrediBar\bin\IBTBar.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [saiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [WinPatrol PLUS] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe

O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe

O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe

O4 - HKLM\..\RunServices: [Cleanup] C:\Program Files\Complete Cleanup Trial\compind.bat

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE

O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT /SCAN

O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: IncrediBar (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O15 - Trusted Zone: http://*.mt-download.com

O15 - Trusted Zone: http://*.xxxtoolbar.com

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/s...119/CTSUEng.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083478691343

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8147.7367476852

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...swflash5r42.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/s...12119/CTPID.cab

 

ANY REAL HELP FROM ANYONE WOULD BE SO GREATLY APPRECIATED. EVEN IF IT IS TO DIRECT ME TO ANOTHER SITE FOR A PROGRAM OR HELP. I AM GRASPING AT STRINGS HERE. NOTHING I HAVE TRIED SEEMS TO WORK.

PLEASE FEEL FREE TO E-MAIL ME IF YOU WANT. THANKS AGAIN, FOR ANY ASSISTANCE.

SINCERELY,

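A small triage script for logs in this format, added here as an example and not part of the original thread or of HijackThis itself: it parses O4 autorun entries, O15 Trusted Zone entries and running-process paths, and flags core Windows file names (services.exe, csrss.exe, svchost.exe) that are launched from somewhere other than System32, the pattern visible in the log above. The sample input is constructed, and the canonical-directory table is an assumption for a default Windows XP install.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.97 format, modelled on the log above;
# it is illustrative input, not a verdict on the poster's machine.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\arpa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O15 - Trusted Zone: http://*.xxxtoolbar.com
"""

# Assumed home directory of each genuine Windows XP core binary (lower-case for comparison).
CANONICAL = {name: r"c:\windows\system32"
             for name in ("csrss.exe", "services.exe", "svchost.exe", "smss.exe",
                          "lsass.exe", "winlogon.exe")}
O4_RE = re.compile(r'^O4 - .*?: \[(?P<name>[^\]]*)\] "?(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.I)
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)", re.I)
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.I)

def check_path(path):
    """Return a finding when a core-OS file name runs outside its home directory, else None."""
    p = PureWindowsPath(path.lower())
    home = CANONICAL.get(p.name)
    if home and str(p.parent) != home:
        return f"{p.name} outside {home}: {path}"
    return None

def triage(log_text):
    """Walk a HijackThis log and return human-readable findings, in log order."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := O4_RE.match(line):          # autorun entry: name + launched executable
            if f := check_path(m.group("path")):
                findings.append(f"O4 [{m.group('name')}] {f}")
        elif m := O15_RE.match(line):       # sites granted Trusted Zone privileges in IE
            findings.append(f"O15 trusted zone grants relaxed IE security to {m.group('zone')}")
        elif PROC_RE.match(line):           # running-process path
            if f := check_path(line):
                findings.append(f"process {f}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```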

Try this. Check that adaware is updated.

Then go to the AdAware website, http://www.lavasoft.de/.

Download the VX2 plugin for AdAware, and run it according to the details given there.

Then post a fresh log.


As far as not being able to find notepad, try doing a search for it. It happened to me too, and for some reason it got relocated on my computer. For months I thought it was gone, so I just didn't use it. Today I did a search and it turned up that it ended up in C:\WINDOWS\notepad
