The_Animal

PurityScan.e Removal...help pls.

4 posts in this topic

:grrr: I swear to GOD. I'm about ready to track down these hacker-$%^&s and unload some NATO 7.62 in their asses.

 

Need to remove PurityScan.e downloader trojan from system. Here is HijackThis Log. :alarm:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:39:05 AM, on 7/24/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATICWD32.EXE

C:\WINDOWS\SYSTEM\ATITASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE

C:\WINDOWS\SYSTEM\HPHMON05.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\HPZIPM12.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\DESKTOP\PROGRAMS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\d9lcloae.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\d9lcloae.slt\prefs.js)

O2 - BHO: (no name) - {1BA4320F-E541-7AB4-8753-60550DA6271F} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiKey] Atitask.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\KDX\KHOST.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\SYSTEM\HPHMON05.EXE

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE

O4 - Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe

O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O9 - Extra button: AOL Instant Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing

O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

 

Any help would be much appreciated. Seriously considering "OPERA" as a browser. Anything less susceptible to hacker-crap would be a plus.

Edited by The_Animal


Hello The Animal,

 

Just so that you know you are not being ignored - I will handle this case for you, but I need to ask for your patience while I review the log.

 

In the meantime please do this:

 

Get the new Version of HijackThis, (ver. 1.98).

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

 

I would like you also to change the location of HijackThis.exe.

It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.

This way you can undo any changes if something goes wrong, and it will not clog your desktop with shortcuts.

 

Create a new folder in your C: Drive

Name it C:\HJT or HijackThis and use this folder for HJT.

 

Please keep an eye on this message for a resolution.


Hello The Animal,

 

Print a copy of this topic to make it easier for you to follow the instructions and complete all of the necessary steps.

 

1 - Close all open Explorer windows and browsers

2 - Run HijackThis

3 - Click on the Scan button and when complete

4 - Put a check beside all of the items listed below if they are still present

5 - Click on the "Fix Checked" button

6 - When complete and all files removed, close the application

 

O2 - BHO: (no name) - {1BA4320F-E541-7AB4-8753-60550DA6271F} - (no file)

O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll

 

Optional item to be fixed at your discretion

Known as Kontiki; I suggest you fix it.

 

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

Go to http://www.safer-networking.org/en/threats/240.html for additional information.

*

Close HijackThis.

*

If you have removed the Kontiki optional item, then do this. Otherwise skip this removal.

 

Reboot, on restart, restart in "Safe Mode".

 

How To

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

Remove this folder and file in BOLD if still present.

 

C:\WINDOWS\kdx\KHost.exe

*

Reboot in normal mode.

 

Let's remove anything that has been left behind.

 

Download Ad-aware from: http://www.lavasoft.de/software/adaware/

 

Install the program in its own folder and launch it.

 

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

 

Next, we need to configure Ad-aware for a full scan.

 

Click on the Gear icon (second from the left) to access the preferences/settings window

 

1. In the General window make sure the following are selected:

  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select:

  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL's
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives

3. Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

4. Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

 

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

  • Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

 

Save the log file when it asks and then click Finish

 

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

 

IMPORTANT

If you use a HOSTS file, beware of this new issue.

Ad-Aware has decided to include a new detection when scanning the HOSTS file. This now creates a "Bad hosts file entry" in the log file generated at the end of a scan. The best thing to do is to place a check in each entry, right-click and select: "Add selection to ignorelist". Otherwise if you let AWW "fix" these items it will trash the HOSTS file! Even if you have it "locked" by [example] SpywareBlaster or Winpatrol. It does not return the attributes and renames the HOSTS file incorrectly to hosts.

 

Close AdAware.

*

Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following :

  • SpywareBlaster - It will prevent most spyware from ever being installed.
  • SpywareGuard - It offers realtime protection from spyware installation attempts.
  • IE-Spyad - IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

I also recommend reading this article.

How did I get infected in the first place?

http://forums.net-integration.net/index.php?showtopic=3051

*

Let me know if you have any other issues with the PurityScan.e downloader.

 

Run HijackThis, the new version, and post a fresh log for review.

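Added editorial example, not part of this thread and not code shipped with HijackThis: a small Python triage script that parses HijackThis-style log lines and applies the three checks the helper's reply above rests on: an O2 BHO whose CLSID resolves to "(no file)", an O4 Run value that launches a .dll directly or borrows the name of a Windows component (the [Kernel32] Kernel.dll entry in the original poster's log), and an O10 line reporting a missing LSP provider. The sample log is a handful of lines copied from the log posted in the first message; the regular expressions, the SYSTEM_NAMES list and every function name are the editor's own assumptions, not anything HijackThis itself provides.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log posted in
# this thread. It is not a complete log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {1BA4320F-E541-7AB4-8753-60550DA6271F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\KDX\KHOST.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
"""

# Every HijackThis entry starts with a section code (R0, N3, O2, O4, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O4 registry autostart entry: "<key>: [<value name>] <command line>"
O4_RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token of a command line, honouring double quotes around paths with spaces.
FIRST_TOKEN_RE = re.compile(r'^"([^"]*)"|^(\S+)')
# O2 BHO whose CLSID is still registered but whose file is gone.
ORPHANED_BHO_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\} - \(no file\)$")
# O10 report of a missing Winsock LSP.
LSP_MISSING_RE = re.compile(r"LSP provider '([^']+)' missing")

# Names of core Windows components (editor's list, assumed). A Run value that
# borrows one of these names while launching some other file deserves a look.
SYSTEM_NAMES = {"kernel32", "explorer", "svchost", "winlogon", "lsass", "csrss"}


@dataclass
class Entry:
    section: str  # e.g. "O4"
    body: str     # text after "O4 - "

    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_log(text: str) -> list[Entry]:
    """Keep only HijackThis entry lines; the header and process list are dropped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def launched_file(cmd: str) -> str:
    """Lower-cased basename of the program a command line starts."""
    m = FIRST_TOKEN_RE.match(cmd.strip())
    if not m:
        return ""
    path = m.group(1) or m.group(2) or ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (reason, log line) pairs for entries worth a closer look."""
    findings = []
    for e in entries:
        if e.section == "O2" and ORPHANED_BHO_RE.search(e.body):
            findings.append(("orphaned BHO: CLSID registered but no file on disk", e.line()))
        elif e.section == "O4":
            m = O4_RUN_RE.match(e.body)
            if not m:  # Startup-folder .lnk entries have a different shape
                continue
            name = m.group("name").lower()
            base = launched_file(m.group("cmd"))
            if base.endswith(".dll"):
                findings.append(("Run value launches a DLL directly instead of a program", e.line()))
            if name in SYSTEM_NAMES and base.rsplit(".", 1)[0] != name:
                findings.append((f"value name '{name}' mimics a Windows component but runs {base}", e.line()))
        elif e.section == "O10":
            m = LSP_MISSING_RE.search(e.body)
            if m:
                findings.append((f"Winsock LSP chain broken: provider {m.group(1)} missing", e.line()))
    return findings


def triage_text(text: str) -> list[tuple[str, str]]:
    return triage(parse_log(text))


if __name__ == "__main__":
    for reason, line in triage_text(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run against the sample, the script flags the orphaned BHO, the [Kernel32] Kernel.dll entry (twice: it is a DLL launched directly and it borrows a system name) and the missing imslsp.dll LSP, while the AVG, HP, Rundll32 and Startup-folder entries pass untouched. The Kontiki [kdx] line is deliberately not matched by any rule: it is a known program rather than a structural anomaly, which is why the helper left it as an optional fix.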
This topic is now closed to further replies.