7 posts in this topic

I’ve followed the steps: read FAQ, install and run Ad-aware, install HiJackThis, update anti-virus definition (AVG) and scan for virus. I keep having the problems listed below. I’m not sure there is a single solution for all these issues, but I believe they are all related to PurityScan adware.


1. A ‘Windows error service’ message keeps popping up: “Windows detected Spyare on your computer. Download free Spyware Scanner & Remover”


2. New browser window opens at http://www.noadware.net


3. An ‘AVG Resident Shield’ window pops up alerting about Trojan horse Downloader.Purityscan.B


4. When trying to open notepad or registry editor, a PurityScan window opens instead!



Logfile of HijackThis v1.97.7

Scan saved at 14:05:55, on 21/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe


C:\Arquivos de programas\Winamp\Winampa.exe

C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe



C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Program Files\Network ICE\BlackICE\blackice.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Arquivos de programas\Netropa\OSD.exe

C:\Program Files\Network ICE\BlackICE\blackd.exe

C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_GUI.exe

C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Arquivos de programas\ISTsvc\istsvc.exe

C:\Documents and Settings\guga\Desktop\HijackThis.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Microsoft Office\Office\WINWORD.EXE

C:\Arquivos de programas\Internet Explorer\iexplore.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oglobo.globo.com/online/plantao/plantaofull.asp

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/intl/la/brazil/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/intl/la/brazil/index.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/intl/la/brazil/index.htm

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Barra de Ferramentas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Toolbar\01.01.1629.0\pt-br\msntb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize


O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [WorksFUD] C:\Arquivos de programas\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Arquivos de programas\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Arquivos de programas\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [TkBellExe] C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [nscntrl] c:\windows\system32\nscntrl.exe /noconnect

O4 - HKLM\..\Run: [updmgr] C:\Arquivos de programas\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe

O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe

O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe

O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe

O4 - HKLM\..\Run: [iST Service] C:\Arquivos de programas\ISTsvc\istsvc.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: BlackICE Agent.lnk = ?

O4 - Global Startup: Lembretes do Calendário do Microsoft Works.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: PowerReg Scheduler.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: http://*.flingstone.com

O15 - Trusted Zone: http://*.mt-download.com

O15 - Trusted Zone: http://*.xxxtoolbar.com

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {6986A6CF-9D58-11D6-91C2-00E02964E8E3} (IntPagomaster Class) - http://www.webcamenvivo.com/pagomast.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab


I had the identical issue - been trying in vain to fix it for a week.

Here is what I ended up doing and for now, at least, all seems well.

My concern is that I may have deleted something critical to Windows, but the stuff I deleted is still in my Recycle Bin so, nothing to lose, I figured.

When I tried to do a clean install of Windows 98SE (not a reformat) that is the first time the Purity Scan trojan appeared in AVG.

My concern is that they still exist somewhere and can execute, but here is my HijackThis log, which I was finally able to scan and open in AOL text editor for the first time without them re-executing.

Any more info. welcome.

Anyway, I installed MMJB rather than a new WMP and now music files can play without arpa, bhui, etc., installing themselves.

After deleting the services.exe, arpa.exe, bhui.exe, csrss.exe, ping.exe that they created or modified, I ran two AV programs - clean as always have been, ran Spybot, Ad-aware - clean.

I was then able to scan with HijackThis, save a log (for the first time since they attacked me) and was able to have AOL open the log as a text file, copied and pasted.

To my eyes, the log is clean?

The log has been clean in the past after I took all these steps but in the past, as soon as I hit "save log", THEN the executables would open up again and I would have to run Ad-aware, etc. to remove them.

For the moment, it looks like I might be clean without reformatting.

Now, I am wondering, if I just put in my Windows 98 SE disc for a clean install to put back the real regedit, notepad, etc., will they still be able to attack them?

I guess for now I could live without regedit and I rarely use notepad, so no issue there.

Sorry to be a pain and not trying to not follow anyone's advice - I was just unable to do all that was suggested but did give it the best effort I could.

I KNOW that in the past as soon as I attempted to open a text doc. on my desktop with notepad, they would all run again. Am hesitant to try this but I do want to make certain they are gone for good, which I doubt. Then I would clean all with Ad-aware, etc. and uncheck their startup trash and get the xxxtoolbar and others out of my trusted sites.

Does the log look clean now? I believe so, not sure if it will allow me to fix anyway at this point.

Do you think I should try opening the text doc. with notepad and see if they return?

Thanks for ALL the MAJOR HELP.



Logfile of HijackThis v1.97.7

Scan saved at 11:43:34 AM, on 6/23/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost


O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe


O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: ComcastHSI (HKCU)

O9 - Extra button: Help (HKCU)

O9 - Extra button: Support (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O16 - DPF: {A28DAC07-0D34-4A90-A0E6-CEE27208C86D} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/...bin/actxcab.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1.../v6/brix6ie.cab

O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) -

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...21/cpbrkpie.cab

O16 - DPF: {4A752EEF-26FA-4E8F-8FF0-4EB40FE1D33B} (ACNPlayer2 Class) -

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8118.2294097222

Log seems clean to me.

PS - on prior logs, I had the exact crap you have - go into msconfig and you will see the AdRotator, Superbar and a numerical file in wbem folder checked off at startup - uncheck them and then go into trusted sites and that is where the xxxtoolbar, mt-download and flingstone added themselves. I removed them, ran Ad-aware and Spybot, and AVG again and removed - As I said, I ended up deleting regedit and notepad so that is an issue but .......

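One way to triage logs like the ones posted above, as an added example written for this thread (it is not HijackThis code and not any poster's code): a small Python parser over the O4 (Run/RunServices) and O15 (Trusted Zone) lines that surfaces the three things the posts point at. It flags well-known system process names started from a directory they do not belong in (the csrss.exe, services.exe and svchost.exe entries under drivers, inetsrv and wbem in the first log), a Run value named with a bare GUID, and every Trusted Zone wildcard. The sample lines are copied from the first log in this thread; the watch list of expected parent directories is an assumption for the example and should be extended for a real environment.

```python
import re
from pathlib import PureWindowsPath

# Process names that, on a normal install, run only from these parent
# directories. A file with one of these names anywhere else is a lookalike.
# (Assumed watch list for this example; extend it for your own environment.)
EXPECTED_PARENT = {
    "csrss.exe": {"system32"},
    "services.exe": {"system32"},
    "svchost.exe": {"system32"},
    "lsass.exe": {"system32"},
    "winlogon.exe": {"system32"},
}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Sample lines copied from the first log in this thread (a subset).
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup",
    r"O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe",
    r"O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe",
    r"O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe",
    r"O4 - HKLM\..\Run: [iST Service] C:\Arquivos de programas\ISTsvc\istsvc.exe",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe",
    r"O15 - Trusted Zone: http://*.flingstone.com",
    r"O15 - Trusted Zone: http://*.mt-download.com",
    r"O15 - Trusted Zone: http://*.xxxtoolbar.com",
]


def analyze(lines):
    """Return (kind, detail) findings for the O4 and O15 lines of a HijackThis log."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            # A Run value whose name is just a GUID is unusual for legitimate software.
            if GUID_RE.match(m["name"]):
                findings.append(("guid-named-run-value", line))
            exe = EXE_RE.match(m["cmd"])
            if exe:
                path = PureWindowsPath(exe["path"])
                base = path.name.lower()
                parent = path.parent.name.lower()
                # System process name launched from the wrong directory.
                if base in EXPECTED_PARENT and parent not in EXPECTED_PARENT[base]:
                    findings.append(("lookalike-system-process", str(path)))
            continue
        m = O15_RE.match(line)
        if m:
            # Home installs normally have no Trusted Zone wildcards; list every one.
            findings.append(("trusted-zone", m["url"]))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind:26} {detail}")
```

The output is a review list, not a verdict: compare each flagged path against a known-good install before removing anything, and keep the original log so the R0/R1 and O16 lines can be reviewed the same way.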

Just wanted to add that I downloaded a free 30 day trial of System Mechanic and went into the Fix Registry problem module.

There were 111 entries they wanted me to fix and I am SURE some were from them, but since I can't back up the registry without opening regedit and I do not want to open that can of worms again, I only deleted the entries that were AdRotator, SuperBarComponent and the numerical file (found in Msconfig startup tab) that is located in the Drivers folder.

Figured that could do no harm and may actually fix.

There were a LOT of other invalid reg. entries relating to backup of Reg and media file formats which I THINK they may have made.

Not sure if you mentioned this, but I think the original source of the hack has to do with WMP. If you open Media Player and then check your task manager, I think you will see them loading / executing again - arpa, services, bhui -

CWShredder uninstalled my WMP because of corruption and I downloaded Musicmatch Jukebox instead and no issues there.

Just out of curiosity, I wonder if you would mind saying what you were doing when you were hijacked?

My teenage son was on the computer and I was at work - he says he was at an independent music site he goes to (local bands) and was re-directed to a porn site, x'd off and then the Windows error service fake message appeared.

I am running Zone Alarm and AVG so I am not sure if any program asked for access or what - were you downloading music or using your WMP when this happened?

Thanks and hope my advice on the System Mechanic helps.


Thank you for the info. I think my brother was downloading music when we were hijacked. I didn't see a relation with Media Player. The processes you listed were not started by it.



I wondered if you ever solved your problem?

I THOUGHT mine was solved but I think not.

All my scans run clean and I do not have any more popups, the xxxtoolbar etc. are no longer in my trusted sites - all seems well.

My boss told me that after running System Mechanic and deleting the bad reg. entries, I should try taking regedit.exe out of my recycle bin and restoring it and then running a scan again with System Mechanic to see if the registry entries that System Mechanic had cleaned would return. As soon as I restored regedit.exe, one bad reg. entry showed up in System Mechanic and as soon as I hit delete, the executables began reinstalling themselves again!!!

I had to go run Ad-aware, Spybot, etc. again to eliminate them, so they have some kind of program code that allows them to reopen with certain programs. I know mine are tied to regedit, notepad and WMP (I think) but there may be more.

Maybe they have since renamed themselves -

My major concern is what harm they might be doing. If it is just an annoyance and an attempt to get some people to buy their fake spyware remover, oh well.

But they may be able to steal passwords, etc. and I no longer feel safe buying anything online, etc.

IF you search for files named arpa.exe, bhui.exe, services.exe, csrss.exe, and iinstall.exe - are they still present on your computer?

Thanks for any advice - I have been advised that the only way to really delete this problem is to reformat, which I do not know how to do and seems a major hassle.

You may email me at chercat@mycoupons.com if you wish.

Thanks!


Hi there. I too had this terrible problem, my regedit and notepad would reinstall the nasties after I would get rid of them. So I searched my hard drive for files that were accessed and created on the day my problem started, in my case the files were created on 6/18/2004 at 9:36AM.

Try a search of your hard drive for files that were created and that match the dates and times you first started having problems, if you can remember the date of course. Anyway in my case I found the following duplicate files that seem to be responsible for the trojans reinstalling on my system. I found them in my WINDOWS directory all created on 6/18/2004 at 9:36AM, the files were

NOTEPAD.EXE, PING.EXE, REGEDIT.EXE, WORDPAD.EXE. **remember these are duplicate files I found and they will match the date the trojan installed on your system, don't delete your legit files of the same name.**

I deleted those duplicate files and the problem with the trojans reinstalling on reboot seemed to stop, except my real NOTEPAD.exe would still install all the trojan files again. So I checked the date it was created and it seemed to be legit other than it said it was modified 6/18/2004 at 9:36AM. I figure maybe the trojan/virus somehow must have altered it. I ended up copying a NOTEPAD.EXE from my WINDOWS folder and pasting it in my WINDOWS/SYSTEM32 folder and let it replace the altered NOTEPAD, seems to have fixed it for me. Also be sure to turn on show hidden files just in case they are hidden on your system. You may or may not have the same problem I did after you delete the duplicate NOTEPAD as I did, but I thought I would include the fix I used just in case.

If you find any of those duplicate files on your system and delete them, then you can run Ad-Aware, HijackThis, and any other programs people recommend you do here to clean up your system and hopefully you will be lucky as I have been and finally be rid of this nasty pest.

Good Luck

Edited by sarahmartini

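The file hunt described in the post above, as an added example written for this thread (not the poster's own method or tool): a Python script that lists files whose modification time clusters around the infection time and, within that cluster, flags watched system-tool names that either appear in more than one directory (the planted duplicates) or exist only once (the real NOTEPAD.EXE that was altered in place). It builds a constructed sample tree in a temporary directory, so it runs offline; the watch list, the two-minute window and the file layout are assumptions for the demo. It keys on modification time because creation time is only reliably available on Windows (`st_ctime` is inode-change time on Linux).

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Tool names the thread reports as duplicated or altered by the adware.
# (Assumed watch list for this example; extend it for your own environment.)
WATCHED_NAMES = {"notepad.exe", "ping.exe", "regedit.exe", "wordpad.exe"}


def files_modified_near(root, anchor, window_seconds=120):
    """Files under root whose modification time lies within window_seconds of
    anchor (a POSIX timestamp). Modification time is used because st_ctime is
    inode-change time on Linux, not creation time."""
    root = Path(root)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and abs(p.stat().st_mtime - anchor) <= window_seconds)


def duplicated_watched_names(root):
    """Map watched name -> paths, keeping only names found in more than one
    directory: a second NOTEPAD.EXE next to the real one is the pattern here."""
    seen = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.name.lower() in WATCHED_NAMES:
            seen.setdefault(p.name.lower(), []).append(p)
    return {name: paths for name, paths in seen.items() if len(paths) > 1}


def hunt(root, anchor, window_seconds=120):
    """Combine both signals. Returns sorted (relative path, verdict) pairs:
    'duplicate'         - watched name, in the time cluster, a second copy exists
    'modified-in-place' - watched name, in the time cluster, no second copy
    Files outside the watch list are ignored even when their timestamp matches."""
    root = Path(root)
    dups = duplicated_watched_names(root)
    results = []
    for p in files_modified_near(root, anchor, window_seconds):
        name = p.name.lower()
        if name not in WATCHED_NAMES:
            continue
        verdict = "duplicate" if name in dups else "modified-in-place"
        results.append((p.relative_to(root).as_posix(), verdict))
    return sorted(results)


def build_sample_tree():
    """Constructed sample layout in a temp dir (not real data). Returns (root, anchor)."""
    root = Path(tempfile.mkdtemp(prefix="hunt_demo_"))
    anchor = datetime(2004, 6, 18, 9, 36).timestamp()  # time reported in the post
    old = anchor - 90 * 86400                           # months earlier: untouched files
    layout = {
        "WINDOWS/NOTEPAD.EXE": anchor,                  # planted copy
        "WINDOWS/PING.EXE": anchor,                     # planted copy
        "WINDOWS/SYSTEM32/REGEDIT.EXE": anchor,         # planted copy
        "WINDOWS/REGEDIT.EXE": old,                     # untouched original
        "WINDOWS/SYSTEM32/notepad.exe": anchor + 30,    # original, altered at infection time
        "WINDOWS/SYSTEM32/ping.exe": old,               # untouched original
        "WINDOWS/wordpad.exe": anchor,                  # single copy, altered in place
        "WINDOWS/SYSTEM32/calc.exe": old,               # not watched and old: ignored
        "WINDOWS/SYSTEM32/drivers/other.dll": anchor,   # same time, not watched: ignored
    }
    for rel, ts in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"MZ demo")
        os.utime(path, (ts, ts))
    return root, anchor


if __name__ == "__main__":
    demo_root, demo_anchor = build_sample_tree()
    for rel, verdict in hunt(demo_root, demo_anchor):
        print(f"{verdict:18} {rel}")
```

On a real disk, run `hunt()` against the Windows directory with the anchor taken from the first fake pop-up or AV alert, and widen the window if the clock on the machine was imprecise. A "duplicate" verdict only says which copies share the infection timestamp; compare sizes and hashes against install media before deleting, and leave the copy with the older, original timestamp alone.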

Hi Sarah

Thanks for your reply.

I did the same thing - searched for the files created or modified on that date - June 17th here.

The affected files here also were ping.exe, notepad.exe and regedit.exe.

I think I probably deleted the real notepad and real regedit as well as the corrupted ones - a few are still in my recycle bin. Afraid to totally delete.

I also found these files and I may have deleted some of the real ones needed too but since I have no Windows errors, I figured it must be ok.

I deleted csrss.exe

a folder named wbem in Windows

I run all scans and am clean, but when I tried restoring the regedit (the one they supposedly did not modify), they WILL reinstall again - I open task manager (on Windows 98SE here) and will see bhui loading, etc.

Did you try using your WMP since this happened?

My HijackThis log originally had media tickets installer and a few other things - they also had put SuperBarComponent, AdRotator and a numerical file under that in my msconfig startup tab menu. Check this.

Now the HijackThis log looks clean, except there are two entries that say

HKEY \Software\Microsoft\InternetExplorer\Main, Local Page=

HKLM ''' ''' ''' ''' '' ''' ''' '''

And there is another entry about proxy override so I unchecked that - now that I have them unchecked, System Mechanic says there are registry errors. If I say, OK, delete the red value errors, the things I mentioned return on my HijackThis log.

I can't understand how they did not corrupt your registry again.

If you find any of these files, or have any other suggestions, please post back.

Thanks a lot! Maybe if enough people expose what they have found, these hackers can be beaten.
