PurityScan.e Removal...help pls.

3 replies to this topic

#1 The_Animal



  • New Member
  • 1 posts

Posted 24 July 2004 - 10:39 AM

:grrr: I swear to GOD. I'm about ready to track down these hacker-$%^&s and unload some NATO 7.62 in their asses.

Need to remove PurityScan.e downloader trojan from system. Here is HijackThis Log. :alarm:

Logfile of HijackThis v1.97.7
Scan saved at 8:39:05 AM, on 7/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\d9lcloae.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\d9lcloae.slt\prefs.js)
O2 - BHO: (no name) - {1BA4320F-E541-7AB4-8753-60550DA6271F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O9 - Extra button: AOL Instant Messenger ™ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab

Any help would be much appreciated. Seriously considering "OPERA" as a browser. Anything less susceptible to hacker-crap would be a plus.

Edited by The_Animal, 24 July 2004 - 10:42 AM.

#2 nasdaq


    Forum Deity

  • Global Moderator
  • 49,086 posts

Posted 29 July 2004 - 10:34 AM

Hello The Animal,

Just so that you know you are not being ignored - I will handle this case for you but
I need to ask for your patience while I review the log.

In the meantime please do this:

Get the new Version of HijackThis, (ver. 1.98).

I would like you also to change the location of HijackThis.exe.
It's best for this tool NOT TO be located on your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong, and it will not clog your desktop with shortcuts.

Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and use this folder for HJT.

Please keep an eye on this message for a resolution.

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#3 nasdaq


    Forum Deity

  • Global Moderator
  • 49,086 posts

Posted 29 July 2004 - 07:51 PM

Hello The Animal,

Print a copy of this topic to make it easier for you to follow the instructions and complete all of the necessary steps.

1 - Close all open Explorer windows and browsers
2 - Run HijackThis
3 - Click on the Scan button and when complete
4 - Put a check beside all of the items listed below if they are still present
5 - Click on the "Fix Checked" button
6 - When complete and all files removed, close the application

O2 - BHO: (no name) - {1BA4320F-E541-7AB4-8753-60550DA6271F} - (no file)
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll

Optional item to be fixed at your discretion
Known as Kontiki; I suggest you fix it.

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
Go to http://www.safer-networking.org/en/threats/240.html for additional information.
Close HijackThis.
If you have removed the Kontiki optional item, then do this. Otherwise skip this removal.

Reboot and, on restart, start in "Safe Mode".

How To

Remove this folder and file in BOLD if still present.

Reboot in normal mode.

Let's remove anything that has been left behind.

Download Ad-aware from: http://www.lavasoft....ftware/adaware/

Install the program in its own folder and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL's
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives
Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

If you use a HOSTS file, beware of this new issue.
Ad-Aware has decided to include a new detection when scanning the HOSTS file. This now creates a "Bad hosts file entry" in the log file generated at the end of a scan. The best thing to do is to place a check in each entry, right-click and select: "Add selection to ignorelist". Otherwise if you let AWW "fix" these items it will trash the HOSTS file! Even if you have it "locked" by [example] SpywareBlaster or Winpatrol. It does not return the attributes and renames the HOSTS file incorrectly to hosts.

Close AdAware.
Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following:
  • SpywareBlaster - It will prevent most spyware from ever being installed.
  • SpywareGuard - It offers realtime protection from spyware installation attempts.
  • IE-Spyad - IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
I also recommend reading this article.
How did I get infected in the first place?
Let me know if you have any other issues with the PurityScan.e downloader.

Run HijackThis, the new version, and post a fresh log for review.

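As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage script that applies the same reading nasdaq gives the log above: it parses HijackThis-format lines and flags an O2 BHO whose file is gone, an O4 autostart value that borrows a core Windows component name or launches a .dll directly, and an O10 line reporting a missing LSP. The sample lines and the list of core component names are constructed for the example; the checks are heuristics to prioritise review, not malware signatures.

```python
import ntpath
import re

# Constructed sample in HijackThis v1.97 log format; the entries mirror the
# ones discussed in the thread, plus two benign lines for contrast.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {1BA4320F-E541-7AB4-8753-60550DA6271F} - (no file)
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - HKLM\\..\\Run: [Kernel32] C:\\WINDOWS\\SYSTEM\\Kernel.dll
O4 - HKLM\\..\\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
"""

# Names of core Windows components (constructed list); an autostart value
# borrowing one of these names deserves a second look.
CORE_COMPONENT_NAMES = {"kernel32", "user32", "ntdll", "shell32", "advapi32", "winlogon"}

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>.+?)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - .*LSP provider '(?P<dll>[^']+)' missing")


def launched_file(cmd):
    """Return the basename of the program an autostart command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        target = cmd[1:].split('"', 1)[0]   # quoted path, may contain spaces
    else:
        target = cmd.split(" ", 1)[0]       # first token is the program
    return ntpath.basename(target)


def triage(log_text):
    """Return (line, [reasons]) for each HijackThis line that looks suspicious."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            reasons.append("BHO registered but its file is gone (orphaned entry)")
        m = O4_RE.match(line)
        if m:
            name, target = m.group("name"), launched_file(m.group("cmd"))
            if name.lower() in CORE_COMPONENT_NAMES:
                reasons.append("autostart value named after core component %r" % name)
            if ntpath.splitext(target)[1].lower() == ".dll":
                reasons.append("autostart launches a .dll directly (%s)" % target)
        m = O10_RE.match(line)
        if m:
            reasons.append("Winsock LSP chain references missing %s" % m.group("dll"))
        if reasons:
            findings.append((line, reasons))
    return findings
```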

#4 PGPhantom


    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 21 September 2004 - 11:15 AM

No response since July - Topic closed.
