#1 gmous




Posted 21 June 2004 - 12:18 PM

I’ve followed the steps: read FAQ, install and run Ad-aware, install HiJackThis, update anti-virus definition (AVG) and scan for virus. I keep having the problems listed below. I’m not sure there is a single solution for all these issues, but I believe they are all related to PurityScan adware.

1. A ‘Windows error service’ message keeps popping up: “Windows detected Spyare on your computer. Download free Spyware Scanner & Remover”

2. New browser window opens at http://www.noadware.net

3. An ‘AVG Resident Shield’ window pops up alerting about Trojan horse Downloader.Purityscan.B

4. When trying to open notepad or registry editor, a PurityScan window opens instead!

Logfile of HijackThis v1.97.7
Scan saved at 14:05:55, on 21/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Arquivos de programas\Winamp\Winampa.exe
C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Arquivos de programas\Netropa\OSD.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Arquivos de programas\ISTsvc\istsvc.exe
C:\Documents and Settings\guga\Desktop\HijackThis.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Microsoft Office\Office\WINWORD.EXE
C:\Arquivos de programas\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsof...ss/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oglobo.globo....plantaofull.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/...razil/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/...razil/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/...razil/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Barra de Ferramentas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Toolbar\01.01.1629.0\pt-br\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Arquivos de programas\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Arquivos de programas\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Arquivos de programas\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Arquivos de programas\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [TkBellExe] C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nscntrl] c:\windows\system32\nscntrl.exe /noconnect
O4 - HKLM\..\Run: [updmgr] C:\Arquivos de programas\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O4 - HKLM\..\Run: [IST Service] C:\Arquivos de programas\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: Lembretes do Calendário do Microsoft Works.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O15 - Trusted Zone: http://*.flingstone.com
O15 - Trusted Zone: http://*.mt-download.com
O15 - Trusted Zone: http://*.xxxtoolbar.com
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6986A6CF-9D58-11D6-91C2-00E02964E8E3} (IntPagomaster Class) - http://www.webcamenv...om/pagomast.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab

#2 chercat




Posted 23 June 2004 - 04:21 PM

I had the identical issue - been trying in vain to fix it for a week.
Here is what I ended up doing and for now, at least, all seems well.
My concern is that I may have deleted something critical to Windows, but the stuff I deleted is still in my Recycle Bin so, nothing to lose, I figured.

When I tried to do a clean install of Windows 98SE (not a reformat), that is the first time the Purity Scan trojan appeared in AVG.

My concern is that they still exist somewhere and can execute, but here is my HijackThis log, which I was finally able to scan and open in AOL text editor for the first time without them re-executing.

Any more info welcome.
Anyway, I installed MMJB rather than a new WMP and now music files can play without arpa, bhui, etc., installing themselves.

After deleting the services.exe, arpa.exe, bhui.exe, csrss.exe, ping.exe that they created or modified, I ran two AV programs - clean as always have been, ran Spybot, Ad-Aware - clean.

I was then able to scan with HijackThis, save a log (for the first time since they attacked me) and was able to have AOL open the log as a text file, copied and pasted.

To my eyes, the log is clean?

The log has been clean in the past after I took all these steps, but in the past, as soon as I hit "save log", THEN the executables would open up again and I would have to run Ad-Aware, etc. to remove them.
For the moment, it looks like I might be clean without reformatting.

Now, I am wondering, if I just put in my Windows 98 SE disc for a clean install to put back the real regedit, notepad, etc., will they still be able to attack them?

I guess for now I could live without regedit and I rarely use notepad, so no issue there.

Sorry to be a pain and not trying to not follow anyone's advice - I was just unable to do all that was suggested but did give it the best effort I could.

I KNOW that in the past as soon as I attempted to open a text doc on my desktop with notepad, they would all run again. Am hesitant to try this but I do want to make certain they are gone for good, which I doubt. Then I would clean all with Ad-Aware, etc. and uncheck their startup trash and get the xxxtoolbar and others out of my trusted sites.

Does the log look clean now? I believe so, not sure if it will allow me to fix anyway at this point.

Do you think I should try opening the text doc with notepad and see if they return?

Thanks for ALL the MAJOR HELP.

Logfile of HijackThis v1.97.7
Scan saved at 11:43:34 AM, on 6/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {A28DAC07-0D34-4A90-A0E6-CEE27208C86D} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.bright...bin/actxcab.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai..../v6/brix6ie.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....21/cpbrkpie.cab
O16 - DPF: {4A752EEF-26FA-4E8F-8FF0-4EB40FE1D33B} (ACNPlayer2 Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8118.2294097222
Log seems clean to me.

PS - on prior logs, I had the exact crap you have - go into msconfig and you will see the AdRotator, SuperBar and a numerical file in wbem folder checked off at startup - uncheck them and then go into trusted sites and that is where the xxxtoolbar, mt-download and flingstone added themselves. I removed them, ran Ad-Aware and Spybot, and AVG again and removed - As I said, I ended up deleting regedit and notepad so that is an issue but .......
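The O4 and O15 lines in gmous's log and the msconfig/trusted-sites items chercat describes can be checked mechanically. The Python below is an added example, not code from the thread or from HijackThis: it parses O4 Run entries and O15 Trusted Zone entries, flags core Windows process names (csrss.exe, services.exe, svchost.exe and similar) launched from anywhere other than the Windows or System32 directory, Run values named with a bare GUID, and any trusted-zone additions. The sample lines are copied from the first log above; the list of core binaries and expected directories is an assumption.

```python
import ntpath
import re

# Core Windows process names (assumed list); a Run entry launching one of these
# from outside the directories below is a masquerading indicator.
CORE_BINARIES = {"csrss.exe", "services.exe", "svchost.exe", "lsass.exe",
                 "winlogon.exe", "smss.exe"}
EXPECTED_DIRS = {r"c:\windows", r"c:\windows\system32"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample: O4/O15 lines copied from the first log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: http://*.xxxtoolbar.com
O15 - Trusted Zone: http://*.mt-download.com
"""

def executable_path(cmd):
    """Pull the launched executable out of a Run value: a quoted path, or text up to '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]

def triage(log_text):
    """Return (kind, subject, detail) findings for the suspicious patterns above."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = executable_path(m.group("cmd"))
            name = ntpath.basename(path).lower()
            directory = ntpath.dirname(path).lower()
            if name in CORE_BINARIES and directory not in EXPECTED_DIRS:
                findings.append(("masquerade", m.group("name"), path))
            if GUID_RE.match(m.group("name")):
                findings.append(("guid-run-name", m.group("name"), path))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(("trusted-zone", m.group("site"), ""))
    return findings

if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:14} {subject}  {detail}")
```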

#3 chercat




Posted 23 June 2004 - 06:50 PM

Just wanted to add that I downloaded a free 30 day trial of System Mechanic and went into the Fix Registry problem module.

There were 111 entries they wanted me to fix and I am SURE some were from them, but since I can't back up the registry without opening regedit and I do not want to open that can of worms again, I only deleted the entries that were AdRotator, SuperBarComponent and the numerical file (found in Msconfig startup tab) that is located in the Drivers folder.

Figured that could do no harm and may actually fix.

There were a LOT of other invalid reg. entries relating to backup of Reg and media file formats which I THINK they may have made.

Not sure if you mentioned this, but I think the original source of the hack has to do with WMP. If you open Media Player and then check your task manager, I think you will see them loading / executing again - arpa, services, bhui -

CWShredder uninstalled my WMP because of corruption and I downloaded Musicmatch Jukebox instead and no issues there.

Just out of curiosity, I wonder if you would mind saying what you were doing when you were hijacked?

My teenage son was on the computer and I was at work - he says he was at an independent music site he goes to (local bands) and was re-directed to a porn site, x'd off and then the windows error service fake message appeared.

I am running ZoneAlarm and AVG so I am not sure if any program asked for access or what - were you downloading music or using your WMP when this happened?

Thanks and hope my advice on the System Mechanic helps.

#4 gmous




Posted 24 June 2004 - 12:04 PM

Thank you for the info. I think my brother was downloading music when we were hijacked. I didn't see a relation with Media Player. The processes you listed were not started by it.

#5 chercat




Posted 27 June 2004 - 06:55 PM

I wondered if you ever solved your problem?

I THOUGHT mine was solved but I think not.
All my scans run clean and I do not have any more popups, the xxxtoolbar etc. are no longer in my trusted sites - all seems well.

My boss told me that after running System Mechanic and deleting the bad reg. entries, I should try taking regedit.exe out of my recycle bin and restoring it, and then running a scan again with System Mechanic to see if the registry entries that System Mechanic had cleaned would return. As soon as I restored regedit.exe, one bad reg. entry showed up in System Mechanic and as soon as I hit delete, the executables began reinstalling themselves again!!!

I had to go run Ad-Aware, Spybot, etc. again to eliminate them, so they have some kind of program code that allows them to reopen with certain programs. I know mine are tied to regedit, notepad and WMP (I think) but there may be more.
Maybe they have since renamed themselves -

My major concern is what harm they might be doing. If it is just an annoyance and an attempt to get some people to buy their fake spyware remover, oh well.
But they may be able to steal passwords, etc. and I no longer feel safe buying anything online, etc.

IF you search for files named arpa.exe, bhui.exe, services.exe, csrss.exe, and iinstall.exe - are they still present on your computer?

Thanks for any advice - I have been advised that the only way to really delete this problem is to reformat, which I do not know how to do and seems a major hassle.

You may email me at chercat@mycoupons.com if you wish.
Thanks!

#6 sarahmartini




Posted 27 June 2004 - 07:00 PM

Hi there. I too had this terrible problem; my regedit and notepad would reinstall the nasties after I would get rid of them. So I searched my hard drive for files that were accessed and created on the day my problem started; in my case the files were created on 6/18/2004 at 9:36AM.

Try a search of your hard drive for files that were created and that match the dates and times you first started having problems, if you can remember the date of course. Anyway, in my case I found the following duplicate files that seem to be responsible for the trojans reinstalling on my system. I found them in my WINDOWS directory, all created on 6/18/2004 at 9:36AM; the files were

NOTEPAD.EXE, PING.EXE, REGEDIT.EXE, WORDPAD.EXE. **Remember these are duplicate files I found and they will match the date the trojan installed on your system; don't delete your legit files of the same name.**

I deleted those duplicate files and the problem with the trojans reinstalling on reboot seemed to stop, except my real NOTEPAD.EXE would still install all the trojan files again. So I checked the date it was created and it seemed to be legit, other than it said it was modified 6/18/2004 at 9:36AM. I figure maybe the trojan/virus somehow must have altered it. I ended up copying a NOTEPAD.EXE from my WINDOWS folder and pasting it in my WINDOWS/SYSTEM32 folder and let it replace the altered NOTEPAD; seems to have fixed it for me. Also be sure to turn on show hidden files just in case they are hidden on your system. You may or may not have the same problem I did after you delete the duplicate NOTEPAD as I did, but I thought I would include the fix I used just in case.

If you find any of those duplicate files on your system and delete them, then you can run Ad-Aware, HijackThis, and any other programs people recommend you do here to clean up your system and hopefully you will be lucky as I have been and finally be rid of this nasty pest.

Good Luck

Edited by sarahmartini, 27 June 2004 - 08:25 PM.
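The timeline search sarahmartini describes (files stamped at the infection time, and duplicates of NOTEPAD.EXE and REGEDIT.EXE sitting outside their real directory) can be scripted. The Python below is an added example, not code from the thread: it builds a constructed directory tree that mimics her findings, lists every file whose modification time is within a few minutes of the infection timestamp, and groups same-named system binaries found in more than one directory together with their SHA-256 hashes so the planted copy stands out. It uses mtime rather than the Windows creation time so it runs on any OS; the binary names come from her post, and the SYSTEM32 layout is an assumption.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timedelta

# Names the posts saw duplicated; their real home is WINDOWS\SYSTEM32 (assumed list).
SYSTEM_BINARIES = {"notepad.exe", "regedit.exe", "ping.exe", "wordpad.exe"}
INFECTION_TIME = datetime(2004, 6, 18, 9, 36)  # timestamp sarahmartini searched for

def rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def files_modified_near(root, when, window=timedelta(minutes=5)):
    # Timeline search: every file whose mtime lies within +/- window of `when`.
    lo, hi = (when - window).timestamp(), (when + window).timestamp()
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if lo <= os.stat(path).st_mtime <= hi:
                hits.append(rel(root, path))
    return sorted(hits)

def duplicate_system_binaries(root):
    # Same-named system binaries in more than one directory, each with its hash.
    copies = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower() in SYSTEM_BINARIES:
                path = os.path.join(dirpath, name)
                copies.setdefault(name.lower(), []).append((rel(root, path), sha256_of(path)))
    return {n: sorted(c) for n, c in copies.items() if len(c) > 1}

def build_demo_tree(root):
    # Constructed sample: legit binaries in SYSTEM32 with old timestamps, planted
    # same-named copies directly in WINDOWS stamped at the infection time.
    old, planted = datetime(2001, 8, 23, 12, 0).timestamp(), INFECTION_TIME.timestamp()
    layout = [("WINDOWS/SYSTEM32/NOTEPAD.EXE", b"legit notepad", old),
              ("WINDOWS/SYSTEM32/REGEDIT.EXE", b"legit regedit", old),
              ("WINDOWS/NOTEPAD.EXE", b"dropper notepad", planted),
              ("WINDOWS/REGEDIT.EXE", b"dropper regedit", planted),
              ("WINDOWS/PING.EXE", b"dropper ping", planted)]
    for relpath, data, ts in layout:
        path = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (ts, ts))

def run_demo():
    root = tempfile.mkdtemp()  # build the sample tree, run both checks, clean up
    try:
        build_demo_tree(root)
        return {"recent": files_modified_near(root, INFECTION_TIME),
                "duplicates": duplicate_system_binaries(root)}
    finally:
        shutil.rmtree(root)
```

On a real machine you would point `files_modified_near` and `duplicate_system_binaries` at the Windows directory with the date from the infection, and compare the hash of each duplicate against a known-good copy before deleting anything.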

#7 chercat




Posted 28 June 2004 - 05:36 PM

Hi Sarah
Thanks for your reply.
I did the same thing - searched for the files created or modified on that date - June 17th here.
The affected files here also were ping.exe, notepad.exe and regedit.exe.

I think I probably deleted the real notepad and real regedit as well as the corrupted ones - a few are still in my recycle bin. Afraid to totally delete.

I also found these files and I may have deleted some of the real ones needed too, but since I have no Windows errors, I figured it must be ok.
I deleted csrss.exe
a folder named wbem in Windows

I run all scans and am clean, but when I tried restoring the regedit (the one they supposedly did not modify), they WILL reinstall again - I open task manager (on Windows 98SE here) and will see bhui loading, etc.

Did you try using your WMP since this happened?

My HijackThis log originally had media tickets installer and a few other things - they also had put SuperBarComponent, AdRotator and a numerical file under that in my msconfig startup tab menu. Check this.

Now the HijackThis log looks clean, except there are two entries that say
HKEY \Software\Microsoft\InternetExplorer\Main, Local Page=
HKLM\Software\Microsoft\InternetExplorer\Main, Local Page=

And there is another entry about proxy override so I unchecked that - now that I have them unchecked, System Mechanic says there are registry errors. If I say OK, delete the red value errors, the things I mentioned return on my HijackThis log.

I can't understand how they did not corrupt your registry again.

If you find any of these files, or have any other suggestions, please post back.
Thanks a lot! Maybe if enough people expose what they have found, these hackers can be beaten.
