Adware.Purityscan


  • This topic is locked
10 replies to this topic

#1 ~Lady Panthyr~

Posted 06 March 2006 - 10:08 AM

Hi, hoping someone can help.

On 2/20 Mon morning, I came in to work and found my norton had caught Adware.Purityscan and quarantined it. Since then every morning when I come into work I have a notification about this one file that keeps coming back into my C:\WINDOWS\SYSTEM32 as either ??oolsv.exe or OOLSV~1.exe. I keep telling norton to get rid of these things, but they keep coming up. I've run spybot and adaware and norton in safe mode. It doesn't find these files (prolly cuz norton gets rid of them) but I can't stop them from coming back in the morning. I went to symantec's site on Adware.Purityscan to try and remove the problem manually, but none of the files it wanted me to look for existed. Any ideas?

I did not do anything ordinary on my comp. I did not install or update any software or go to any websites out of the norm for me. This thing just came out of nowhere. The only thing that our office tech has done since then is update our norton to the latest version. It hasn't helped me to get rid of this.

Oh, I even tried going to purityscan's website to try their remover, but my computer will not let me access the file in any way. I even tried DLing it to another person's computer and tried to copy it over through the network. My computer won't let me.

Thank you much in advance,
~lady panthyr~

p.s. I put the WinMX domains in with PIE quite a while ago if you're wondering. And no problems from that.


=============

Here's my HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:56:51 AM, on 3/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HelioBar XP\HelioBarXP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NuvaTime\NuvaTime™.exe
C:\Program Files\Javacool\SpywareGuard\sgmain.exe
C:\Program Files\Javacool\SpywareGuard\sgbhp.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\QuickBooks Pro\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\HijackThis\HijackThis 1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Javacool\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [HelioBarXP] C:\Program Files\HelioBar XP\HelioBarXP.exe start
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Javacool\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NuvaTime™.lnk = C:\Program Files\NuvaTime\NuvaTime™.exe
O8 - Extra context menu item: Save Flash - res://C:\Program Files\Browser Tools\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\Browser Tools\Flash Saving Plugin\FlashSButton.dll (HKCU)
O9 - Extra button: Pictures - {C7486E80-B111-4768-995E-23CF307346FC} - C:\Program Files\Browser Tools\Flash and Pics Control\FPCButton.dll (HKCU)
O9 - Extra button: (no name) - {FD424F56-B38D-4190-94D1-C2B4E91C9A17} - C:\Program Files\Browser Tools\Flash and Pics Control\FlashPicsControl.exe (HKCU)
O9 - Extra 'Tools' menuitem: Flash and Pics Control - {FD424F56-B38D-4190-94D1-C2B4E91C9A17} - C:\Program Files\Browser Tools\Flash and Pics Control\FlashPicsControl.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.apple.com
O15 - Trusted Zone: http://*.msn.com
O15 - Trusted Zone: http://*.tickle.com
O16 - DPF: ConferenceRoom Java Client -
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pestpatrol.co...an/pestscan.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TRI.local
O17 - HKLM\Software\..\Telephony: DomainName = TRI.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{5ACDB2C1-06CA-48C4-8FFF-1C124F0F8822}: NameServer = 192.168.70.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TRI.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{5ACDB2C1-06CA-48C4-8FFF-1C124F0F8822}: NameServer = 192.168.70.10
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = TRI.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{5ACDB2C1-06CA-48C4-8FFF-1C124F0F8822}: NameServer = 192.168.70.10
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
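As an added example, not from the thread and not part of HijackThis itself: a small Python triage script for the log format shown above. It parses the O1, O4 and O23 line shapes and flags hosts-file overrides, autostarts that run from outside Program Files or Windows, services with no vendor string, and file names that HijackThis printed with "?" placeholders. The sample lines are constructed in the same format (the Temp-folder autorun and the "Print Helper" service are made up), and the trusted-root list is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed lines in the HijackThis v1.99.1 format seen in the log above (not the poster's
# log itself); the Temp-folder autorun and the "Print Helper" service are made up for the demo.
SAMPLE_LOG = r"""
O1 - Hosts: 205.238.40.2 www.winmx.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [loader] C:\DOCUME~1\USER\LOCALS~1\Temp\sample.exe /q
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Print Helper (prnhlp) - Unknown owner - C:\WINDOWS\SYSTEM32\??oolsv.exe
"""

# Assumption: locations an ordinary autostart on this XP box is expected to live under.
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows", "%systemroot%")

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O1_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    section: str  # e.g. "O4"
    name: str     # Run-key value name, service display name, or hostname
    path: str     # executable path, or the IP address for an O1 hosts entry
    raw: str      # the original log line


def _exe_from_command(cmd):
    """Pull the executable path out of a Run-key command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Bare path: stop at the first .exe/.dll/.ocx that is followed by whitespace or end of line.
    m = re.match(r"^(.*?\.(?:exe|dll|ocx))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_hjt(text):
    """Turn HijackThis lines into Entry records; unknown sections keep their body as path."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1" and (h := O1_RE.match(body)):
            entries.append(Entry(sec, h["host"], h["ip"], raw))
        elif sec == "O4" and (r := O4_RE.match(body)):
            entries.append(Entry(sec, r["name"], _exe_from_command(r["cmd"]), raw))
        elif sec == "O23" and (s := O23_RE.match(body)):
            entries.append(Entry(sec, s["name"], s["path"].strip(), raw))
        else:
            entries.append(Entry(sec, "", body, raw))
    return entries


def triage(entries):
    """Return (raw line, reason) pairs a reviewer should look at first."""
    findings = []
    for e in entries:
        if e.section == "O1":
            findings.append((e.raw, f"hosts file maps {e.name} to {e.path}"))
            continue
        if e.section not in ("O4", "O23") or not e.path:
            continue
        low = e.path.lower()
        if not low.startswith(TRUSTED_ROOTS):
            findings.append((e.raw, "autostart from outside Program Files / Windows"))
        if "?" in low.rsplit("\\", 1)[-1]:
            findings.append((e.raw, "file name contains characters HijackThis could not print"))
        if e.section == "O23" and "unknown owner" in e.raw.lower():
            findings.append((e.raw, "service with no vendor string"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}\n    {line.strip()}")
```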



#2 shelf life

Posted 15 March 2006 - 06:04 PM

hi ~Lady Panthyr~,

sorry for delay. you might try doing an online scan or two at one of these:

BitDefender Free Online Virus Scan
http://www.bitdefend...can/licence.php
check AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoft...CACHEHINT=Guest

Kaspersky virus scanner
http://www.kaspersky.com/virusscanner

Housecall at TrendMicro
http://housecall.tre.../start_corp.asp
check Auto Clean.

F-Secure virus scanner
http://support.f-sec.../home/ols.shtml

eTrust Antivirus Web Scanner
http://www3.ca.com/s...sinfo/scan.aspx
------------------------------------------------------------------------
if this is a workplace computer there might be restrictions in place about installing/downloading files to your computer

shelf life
How Can I Reduce My Risk?

#3 ~Lady Panthyr~

Posted 16 March 2006 - 09:33 AM

Hi Shelf Life. :) I'm going to run those and I'll let you know how it goes. As far as this being a work computer, I have no restrictions on what I do with my computer. I essentially do the moderate fixes that need to be done on them and if I can't fix it, we call our professional tech. So if I need to DL something, let me know. Running the scans now. It'll prolly take a good while. Will post later. Thank you very much, ~lady panthyr~

#4 ~Lady Panthyr~

Posted 16 March 2006 - 02:05 PM

Hey Shelf Life

Okay... here's what's happened today.

I ran bit defender and panda. Here are the results:

=================
BitDefender Online Scanner

Scan report generated at: Thu, Mar 16, 2006 - 11:49:06
Scan path: A:\;C:\;D:\;E:\
Statistics

Time 01:22:17
Files 451324
Folders 6158
Boot Sectors 5
Archives 5860
Packed Files 46198

Results
Identified Viruses 2
Infected Files 4
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 4

Engines Info
Virus Definitions 321859
Engine build AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins 13
Archive plugins 39
Unpack plugins 4
E-mail plugins 6
System plugins 1

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File Status

C:\DLs\AIM 5.9.3690 and crack and AIMutation\AIM 5.9.3690.exe=>wise0041=>wise0008
Detected with: Adware.Wheaterbug.A

C:\DLs\AIM 5.9.3690 and crack and AIMutation\AIM 5.9.3690.exe=>wise0041=>wise0008
Disinfection failed

C:\DLs\AIM 5.9.3690 and crack and AIMutation\AIM 5.9.3690.exe=>wise0041=>wise0008
Deleted

C:\DLs\AIM 5.9.3690 and crack and AIMutation\AIM 5.9.3690.exe=>wise0041
Update failed

C:\DLs\Tweak me out\AIM 5.9.3690 and crack and AIMutation\AIM 5.9.3690.exe=>wise0041=>wise0008
Detected with: Adware.Wheaterbug.A

C:\DLs\Tweak me out\AIM 5.9.3690 and crack and AIMutation\AIM 5.9.3690.exe=>wise0041=>wise0008
Disinfection failed

C:\DLs\Tweak me out\AIM 5.9.3690 and crack and AIMutation\AIM 5.9.3690.exe=>wise0041=>wise0008
Deleted

C:\DLs\Tweak me out\AIM 5.9.3690 and crack and AIMutation\AIM 5.9.3690.exe=>wise0041
Update failed

C:\Documents and Settings\Jenn.old\Local Settings\Temporary Internet Files\Content.IE5\4967QVWX\display[1].htm=>(JAVASCRIPT 3)
Infected with: Trojan.Nezew.A

C:\Documents and Settings\Jenn.old\Local Settings\Temporary Internet Files\Content.IE5\4967QVWX\display[1].htm=>(JAVASCRIPT 3)
Disinfection failed

C:\Documents and Settings\Jenn.old\Local Settings\Temporary Internet Files\Content.IE5\4967QVWX\display[1].htm=>(JAVASCRIPT 3)
Deleted

C:\Documents and Settings\Jenn.old\Local Settings\Temporary Internet Files\Content.IE5\4967QVWX\display[1].htm
Updated

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP697\A0052596.exe=>wise0041=>wise0008
Detected with: Adware.Wheaterbug.A

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP697\A0052596.exe=>wise0041=>wise0008
Disinfection failed

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP697\A0052596.exe=>wise0041=>wise0008
Deleted

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP697\A0052596.exe=>wise0041
Update failed

====================
Panda


Incident Status Location

Potentially unwanted tool:Application/Poliphonic Not disinfected C:\DLs\Coding Workshop Polyphonic Wizard v2.3.3 with BROKEN crack\cwpolywz.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\administrator.TRI\Cookies\administrator@microsoftwga.112.2o7[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jenn\Application Data\Mozilla\Firefox\Profiles\f2z7089x.default\cookies.txt[]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jenn\Cookies\jenn@belnk[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jenn\Cookies\jenn@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jenn\Cookies\jenn@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Jenn\Cookies\jenn@go[2].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Jenn\Cookies\jenn@hc2.humanclick[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Jenn\Cookies\jenn@landing.domainsponsor[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jenn\Cookies\jenn@searchportal.information[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Jenn\Cookies\jenn@server.iad.liveperson[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jenn\Cookies\jenn@uol.com[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Jenn\Cookies\jenn@www.myaffiliateprogram[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jenn\Local Settings\Temp\Cookies\jenn@ath.belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jenn\Local Settings\Temp\Cookies\jenn@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jenn\Local Settings\Temp\Cookies\jenn@dist.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jenn.old\Cookies\jenn@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Jenn.old\Cookies\jenn@banner[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Jenn.old\Cookies\jenn@burstnet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jenn.old\Cookies\jenn@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jenn.old\Cookies\jenn@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Jenn.old\Cookies\jenn@go[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Jenn.old\Cookies\jenn@rightmedia[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Jenn.old\Cookies\jenn@www.burstbeacon[1].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Jenn.old\Cookies\jenn@www.web-stat[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Jenn.old\Cookies\jenn@yadro[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\jenn2\Cookies\jenn@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\jenn2\Cookies\jenn@banner[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\jenn2\Cookies\jenn@burstnet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\jenn2\Cookies\jenn@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\jenn2\Cookies\jenn@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\jenn2\Cookies\jenn@go[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\jenn2\Cookies\jenn@rightmedia[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\jenn2\Cookies\jenn@www.burstbeacon[1].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\jenn2\Cookies\jenn@www.web-stat[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\jenn2\Cookies\jenn@yadro[1].txt
Adware:adware/keenvalue Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\??oolsv.exe

Spyware:Spyware/BetterInet Not disinfected F:\WINDOWS\inf\biini.inf
Spyware:Cookie/Cd Freaks Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@cdfreaks[2].txt
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt
Spyware:Cookie/go Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@go[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected F:\Documents and Settings\Administrator\Cookies\jenn@www.affiliatefuel[1].txt
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@com[2].txt
Spyware:Cookie/Affiliate fuel Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@www.affiliatefuel[2].txt
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@112.2o7[1].txt
Spyware:Cookie/go Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@go[4].txt
Spyware:Cookie/web-stat Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@www.web-stat[1].txt
Spyware:Cookie/go Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@go[2].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@smni[1].txt
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@atwola[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@www.myaffiliateprogram[1].txt
Spyware:Cookie/Yadro Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@yadro[1].txt
Spyware:Cookie/Toplist Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@toplist[1].txt
Spyware:Cookie/go Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@go[3].txt
Spyware:Cookie/MyWay Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@www.xzoomy[2].txt
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@atwola[2].txt
Spyware:Cookie/web-stat Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@www.web-stat[3].txt
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\jenn\Cookies\jenn@com[3].txt
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@atwola[1].txt
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@azjmp[2].txt
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@com[1].txt
Spyware:Cookie/go Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@go[5].txt
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@com[2].txt
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@com[3].txt
Spyware:Cookie/go Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@go[2].txt
Spyware:Cookie/go Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@go[3].txt
Spyware:Cookie/go Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@go[4].txt
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@112.2o7[1].txt
Spyware:Cookie/Xiti Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@xiti[1].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@smni[1].txt
Spyware:Cookie/Toplist Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@toplist[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@www.affiliatefuel[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@www.myaffiliateprogram[1].txt
Spyware:Cookie/web-stat Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@www.web-stat[1].txt
Spyware:Cookie/web-stat Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@www.web-stat[3].txt
Spyware:Cookie/MyWay Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@www.xzoomy[2].txt
Spyware:Cookie/Yadro Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@yadro[1].txt
Spyware:Cookie/Yadro Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@yadro[2].txt
Spyware:Cookie/Tucows Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@tucows[1].txt
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@atwola[3].txt
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@atwola[4].txt
Spyware:Cookie/Rightmedia Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@rightmedia[1].txt
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@com[4].txt
Spyware:Cookie/BurstBeacon Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@www.burstbeacon[1].txt
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@112.2o7[3].txt
Spyware:Cookie/GoStats Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@c2.gostats[2].txt
Spyware:Cookie/go Not disinfected F:\Documents and Settings\Jenn.TRI\Cookies\jenn@go[1].txt
Potentially unwanted tool:Application/Poliphonic Not disinfected F:\DLs\Coding Workshop Polyphonic Wizard v2.3.3 with BROKEN crack\cwpolywz.exe
========================

I've cleaned out my cookies since running this. The things on my F: don't worry about; that's just data from my old computer drive that I have hooked up for storage now in this new computer. Coding Workshop isn't installed so it's just sitting there.

The things in red are what the other scans didn't get. (I used some of the other scans from your list to scan my System32 folder since that seemed to be the problem and they came up empty. To do all the scans fully would have taken me too long.)

Please see my links to screenshots to help clear up my descriptions below.

Norton's warning for purityscan came up 4x today while I was doing these scans. I did not have norton do anything because it doesn't work anyways. :(
http://panthyr.com/s...rityscan_01.jpg
http://panthyr.com/s...rityscan_02.jpg

I know that spoolsv.exe is a normal Microsoft file for the printer spooler or something. That file was listed in my System32.
http://panthyr.com/s..._spoolsv_01.jpg
http://panthyr.com/s..._spoolsv_02.jpg

Now this is the one I think Norton and Panda detected. I clicked the option to show protected OS files and I finally was able to see this purityscan file in my System32. This is the one that showed up as hidden, read only, and system. It's the ??oolsv.exe file and take note of the command line.
http://panthyr.com/s..._spoolsv_01.jpg
http://panthyr.com/s..._spoolsv_02.jpg

At this time I cannot locate the file OOLSV~1.EXE that the command line refers to. However, as I said in my original post, Norton does pick that file up on occasion. It first detected on Mon 2/20 when this mess started. My Norton history shows that this file has returned every Friday since then: 2/24, 3/3, 3/10. So the file will probably show up tomorrow if the pattern holds true.


What should I do now?


I'm sorry if I've bogged you down with all this info. Just trying to be as thorough as I can for you.

Thanks,
~lady panthyr~

#5 shelf life
SuperMember, Visiting Fellow, 3,191 posts

Posted 16 March 2006 - 04:34 PM

hi ~Lady Panthyr~,

OK, good. Try this next. It requires another download; best to run it in safe mode:

1. Download Ewido and install
Ewido Security Suite. It is a free trial version of the program:

http://www.ewido.net/en/download/

2. Install ewido security suite
3. Launch ewido, there should be an icon on your desktop double-click it.
4. The program will now go to the main screen

You will need to update ewido to the latest definition files.

1. On the left hand side of the main screen click update
2. Then click on Start Update

Once the updates are installed, close Ewido and boot the computer into safe mode. You reach safe mode by tapping the F8 key during a restart; choose the first option, Safe Mode. Once in safe mode, run Ewido and your Norton AV.

Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop

Close Ewido
run norton in safe mode
------------------------------------------
reboot computer normally and post the saved ewido log from safe mode..............shelf life
How Can I Reduce My Risk?

#6 ~Lady Panthyr~
New Member, 6 posts
Interests: LARPing, Drawing, Reading, etc...

Posted 17 March 2006 - 10:54 AM

Okay... I did all that and here's the ewido log:

===================
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:22:46 AM, 3/17/2006
+ Report-Checksum: 1B5BB18A

+ Scan result:

C:\Jenn's Stuff\MSN Plus info & DLs\MsgPlus 2.54 - Patchou.exe/sponsor.exe -> Downloader.Swizzor.ag : Ignored
C:\Jenn's Stuff\MSN Plus info & DLs\MsgPlus Patchou 220.exe/70000011.exe -> Downloader.Swizzor.g : Ignored
C:\Jenn's Stuff\MSN Plus info & DLs\MsgPlus-221.exe/70000011.exe -> Downloader.Swizzor.g : Ignored
C:\Jenn's Stuff\MSN Plus info & DLs\MsgPlus-301.exe/sponsor.exe -> Downloader.Swizzor.ag : Ignored
F:\Program Files\Messenger Plus! 2\Setup.dat/sponsor.exe -> Downloader.Swizzor.ag : Ignored
F:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP677\A0047307.exe/fakefmt.exe -> Not-A-Virus.BadJoke.Win32.FakeFormat.105 : Ignored
F:\Jenn's Stuff\MSN Plus info & DLs\MsgPlus Patchou 220.exe/70000011.exe -> Downloader.Swizzor.g : Ignored
F:\Jenn's Stuff\MSN Plus info & DLs\MsgPlus-221.exe/70000011.exe -> Downloader.Swizzor.g : Ignored
F:\Jenn's Stuff\MSN Plus info & DLs\MsgPlus 2.54 - Patchou.exe/sponsor.exe -> Downloader.Swizzor.ag : Ignored
C:\Documents and Settings\administrator.TRI\Cookies\administrator@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Jenn\Application Data\Mozilla\Firefox\Profiles\f2z7089x.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Jenn\Application Data\Mozilla\Firefox\Profiles\f2z7089x.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Jenn\Application Data\Mozilla\Firefox\Profiles\f2z7089x.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jenn.old\Cookies\jenn@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Jenn.old\Cookies\jenn@ads.euniverseads[1].txt -> TrackingCookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\Jenn.old\Cookies\jenn@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Jenn.old\Cookies\jenn@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Jenn.old\Cookies\jenn@e-2dj6wjk4qncjofq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jenn.old\Cookies\jenn@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Jenn.old\Cookies\jenn@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Jenn.old\Cookies\jenn@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\jenn2\Cookies\jenn@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\jenn2\Cookies\jenn@ads.euniverseads[1].txt -> TrackingCookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\jenn2\Cookies\jenn@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\jenn2\Cookies\jenn@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\jenn2\Cookies\jenn@e-2dj6wjk4qncjofq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\jenn2\Cookies\jenn@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\jenn2\Cookies\jenn@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\jenn2\Cookies\jenn@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
F:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.a : Cleaned with backup
F:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup
F:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SLQRSLQV\pup[1].htm -> Trojan.NoClose.c : Cleaned with backup
F:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CXGHQ501\pup[1].htm -> Trojan.NoClose.c : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> TrackingCookie.Com : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\jenn@adorigin[2].txt -> TrackingCookie.Adorigin : Cleaned with backup
F:\Documents and Settings\jenn\Local Settings\Temporary Internet Files\Content.IE5\87NFI4X9\popcaploader_v5[1].cab/PopCapLoader.dll -> Not-A-Virus.Downloader.Win32.PopCap.a : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@ads.adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@com[1].txt -> TrackingCookie.Com : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@com[2].txt -> TrackingCookie.Com : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@com[3].txt -> TrackingCookie.Com : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@cz7.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@www.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@www.web-stat[3].txt -> TrackingCookie.Web-stat : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4eocjkcpwydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@msn-cnet.com[2].txt -> TrackingCookie.Com : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@download.com[1].txt -> TrackingCookie.Com : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@com[4].txt -> TrackingCookie.Com : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@112.2o7[3].txt -> TrackingCookie.2o7 : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
F:\Documents and Settings\Jenn.TRI\Cookies\jenn@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkysid5capa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
F:\Recycled\Df8.txt -> TrackingCookie.2o7 : Cleaned with backup
F:\Recycled\Df30.txt -> TrackingCookie.Adorigin : Cleaned with backup
F:\Recycled\Df32.txt -> TrackingCookie.Adorigin : Cleaned with backup
F:\Recycled\Df98.txt -> TrackingCookie.Com : Cleaned with backup
F:\Recycled\Df99.txt -> TrackingCookie.Com : Cleaned with backup
F:\Recycled\Df105.txt -> TrackingCookie.Clickzs : Cleaned with backup
F:\Recycled\Df272.txt -> TrackingCookie.Liveperson : Cleaned with backup
F:\Recycled\Df392.txt -> TrackingCookie.Goclick : Cleaned with backup
F:\Recycled\Df419.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
F:\Recycled\Df479.txt -> TrackingCookie.Web-stat : Cleaned with backup
F:\Recycled\Df480.txt -> TrackingCookie.Web-stat : Cleaned with backup
F:\Recycled\Df488.txt -> TrackingCookie.Yadro : Cleaned with backup

::Report End
=========================

I kept my MSG Plus install files because I know better than to install the optional sponsor (adware carp**) program in it. And I haven't updated it in months. No problems with it, no ads/sponsors in relation to it.

During the Norton scan in safe mode, OOLSV~1.EXE came up again and was quarantined... again. And I could still see the bad spoolsv.exe files in my System32 file list window. Norton did not pick up the xmltok.dll & hosts.bho that Panda had flagged in its scan.

Restarted into normal mode. The message for OOLSV.EXE came up again. I navigated to system32 and scrolled down to the bad spoolsv file. I right-clicked and scanned just that file with Norton. Norton read it as OOLSV~1.EXE and quarantined it (again) but it was still there! I did that 3 times just to make sure.

About xmltok.dll & hosts.bho: should I delete those 2 files manually? Do you think they may be related to the spool thing? Do you think I should uncheck read-only on the bad spoolsv and try having Norton kill it?

Now what? Thanks so much... This is so frustrating :(

~lady panthyr~

p.s. if it helps, I'm online here from 10am-4am (Mon, Wed) & 10am - 5 or 6pm (Tues, Thur, Fri), EST.

#7 ~Lady Panthyr~
New Member, 6 posts
Interests: LARPing, Drawing, Reading, etc...

Posted 17 March 2006 - 03:49 PM

Hey Shelf Life, I've got to leave work now. I'll be back in Monday morning. Have a good weekend and thanks again. :) ~lady panthyr~

#8 shelf life
SuperMember, Visiting Fellow, 3,191 posts

Posted 17 March 2006 - 05:29 PM

Hi ~Lady Panthyr~, hope you had a good weekend! Back to reality (sorry). Go to the C:\WINDOWS\system32 dir and manually delete these three:

Adware:adware/keenvalue Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\??oolsv.exe

Once you get there, click on Name at the top to sort by name. The valid files will be in the proper order and the invalid files will be at the bottom, out of order. They will also have a newer date. See if that works............shelf life
How Can I Reduce My Risk?
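The sort-by-name check in the post above can be mechanised. The following is an added example, not code from the thread or from any tool named in it: given a directory listing, it flags entries whose names contain characters outside printable ASCII (these sort after every plain name, which is why they fall out of order), names that match a known System32 binary once those characters are masked with "?" (the form Norton displayed), the read-only+hidden+system attribute combination the original poster saw, and modification dates newer than the directory's median. It also derives an approximate 8.3 short name, because one file being reported as both "??oolsv.exe" and "OOLSV~1.EXE" is consistent with a single long name whose leading characters cannot appear in a short name. The listing, the stock date and the two leading characters of the lookalike (Cyrillic letters that render like "s" and "p") are constructed assumptions; the thread never shows the real ones, and the short-name rule is a simplification of what NTFS does.

```python
"""Added example (not from the forum thread): heuristics behind the
System32 "sort by name, look for out-of-order and newer files" check."""
from dataclasses import dataclass
from datetime import date

# Binaries a reader expects in System32; extend as needed.
KNOWN_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
# Characters Windows will not put into an 8.3 name (simplified, assumption).
SHORT_NAME_INVALID = set(' +,;=[]')


@dataclass(frozen=True)
class Entry:
    name: str        # long file name as Explorer shows it
    attrs: str       # subset of "RHSA", as attrib.exe prints them
    modified: date


def mask(name: str) -> str:
    """Replace non-printable or non-ASCII characters with '?', the way the
    AV alert in the thread rendered the lookalike name."""
    return "".join(c if 32 < ord(c) < 127 else "?" for c in name)


def lookalike_of(name: str):
    """Known binary this name mimics, or None: same length, every ASCII
    position agrees, '?' matches anything, exact matches are not flagged."""
    m = mask(name).lower()
    for known in KNOWN_BINARIES:
        if m != known and len(m) == len(known) and all(
                a == "?" or a == b for a, b in zip(m, known)):
            return known
    return None


def short_name(name: str, seq: int = 1) -> str:
    """Approximate 8.3 alias: a name that already fits 8.3 keeps itself;
    otherwise disallowed characters are dropped, the base is cut to six
    characters and ~seq appended.  Simplified (assumption); real NTFS
    differs in details such as collision handling."""
    base, dot, ext = name.rpartition(".")
    if not dot:
        base, ext = name, ""

    def keep(s: str) -> str:
        return "".join(c for c in s if 32 < ord(c) < 127
                       and c not in SHORT_NAME_INVALID and c != ".")

    base_s, ext_s = keep(base).upper(), keep(ext).upper()[:3]
    fits = (base_s == base.upper() and len(base_s) <= 8
            and ext_s == ext.upper() and len(ext) <= 3)
    if fits:
        return name.upper()
    return f"{base_s[:6]}~{seq}" + (f".{ext_s}" if ext_s else "")


def resolve_short_name(reported: str, listing) -> list:
    """Long names in the listing that would produce the reported 8.3 alias
    (e.g. the name an AV log shows)."""
    return [e.name for e in listing if short_name(e.name) == reported.upper()]


def audit(listing) -> dict:
    """Return {name: [reasons]} for every entry that trips a heuristic."""
    dates = sorted(e.modified for e in listing)
    baseline = dates[len(dates) // 2]          # median date of the directory
    report = {}
    for e in listing:
        reasons = []
        if mask(e.name) != e.name:
            reasons.append("non-ASCII or control characters; sorts after plain names")
        target = lookalike_of(e.name)
        if target:
            reasons.append(f"masquerades as {target} (masked: {mask(e.name)})")
        if {"R", "H", "S"} <= set(e.attrs):
            reasons.append("read-only + hidden + system attributes")
        if e.modified > baseline:
            reasons.append(f"modified {e.modified}, newer than baseline {baseline}")
        if reasons:
            report[e.name] = reasons
    return report


def sorted_names(listing) -> list:
    """Code-point order; like Explorer's name sort, ASCII names come first."""
    return sorted(e.name for e in listing)


# Constructed listing: stock files share one date, the lookalike is newer.
STOCK = date(2004, 8, 4)
LOOKALIKE = "\u0455\u0440oolsv.exe"   # assumption: Cyrillic dze + er, looks like "spoolsv.exe"
LISTING = [
    Entry("lsass.exe", "A", STOCK),
    Entry("spoolsv.exe", "A", STOCK),
    Entry("svchost.exe", "A", STOCK),
    Entry("winlogon.exe", "A", STOCK),
    Entry("kernel32.dll", "A", STOCK),
    Entry(LOOKALIKE, "RHSA", date(2006, 3, 10)),
]

if __name__ == "__main__":
    print("sorted:", [mask(n) for n in sorted_names(LISTING)])
    for name, reasons in audit(LISTING).items():
        print(mask(name), "->", "; ".join(reasons))
    print("OOLSV~1.EXE resolves to:",
          [mask(n) for n in resolve_short_name("OOLSV~1.EXE", LISTING)])
```

On a live Windows machine the same two facts come from the shell: `dir /x` in System32 prints each file's 8.3 alias next to its long name, and `attrib` prints the R/H/S flags, so an alias an AV log reports can be matched to the long name it belongs to without guessing which of two "spoolsv" entries is the real one.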

#9 ~Lady Panthyr~
New Member, 6 posts
Interests: LARPing, Drawing, Reading, etc...

Posted 20 March 2006 - 09:34 AM

Good morning shelf life. :) Bleh... reality... :P *chuckles* My weekend was good! Hope you had a good one too!

Okay. I just deleted
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
C:\WINDOWS\SYSTEM32\xmltok.dll

It would not let me delete C:\WINDOWS\SYSTEM32\??oolsv.exe, so I went into safe mode and deleted it there, then rebooted into normal mode. I looked in the system32 folder to see if it reappeared and so far (as of 10 minutes after deleting it) it has not come back. Hopefully we have the daily appearance problem handled, but we may have to wait till Friday to see if it's totally gone.

What would you like me to do now? Run another Panda or other scans?

Thanks heaps! ~lady panthyr~

Edited by ~Lady Panthyr~, 20 March 2006 - 09:34 AM.


#10 shelf life
SuperMember, Visiting Fellow, 3,191 posts

Posted 20 March 2006 - 03:48 PM

hi ~Lady Panthyr~,

Mine was good (no work). You can do another online scan or use your resident scanner. Here's some reference material for you. If any more problems, just post back in this thread.

shelf life

Make sure you keep your Windows OS current by visiting Windows Update occasionally to download and install any critical updates and service packs. Without these you are leaving the back door open.

Also download, install and keep updated- Antivirus Software (and use only one):
Free for home users:
avast! 4 Home Edition Download
AVG free version 7.0
AntiVir Personal Edition

Adjust your browser settings: change your ActiveX settings in IE. With IE open go to Tools, Internet Options, Security tab. Click on the Internet globe, then Custom Level. Set the first option, "Download signed ActiveX controls", to Prompt and the next two to Disable. Read more:
Internet Explorer Privacy & Security Settings
Working with Internet Explorer 6 Security
Many exploits are directed at Internet Explorer; you don't have to use it. Try a different browser,
Like Firefox,
And Pegasus Mail for a safer e-mail, no tweaking needed.

Outlook Express with the default settings is not secure. It will run scripts, download images etc, just like a browser.
look here
and here


Install a firewall. A firewall will control what comes in from the internet and what leaves your computer to the internet. A firewall will also alert you when an application tries to connect to the internet from your computer; this is a good way to catch crapware or trojans trying to connect outbound from your computer: what's that, and why does it need an internet connection? You can deny it access until more investigation is done. Zone Alarm is a free and easy to use firewall that will provide in- and outbound protection. The Microsoft XP firewall only provides inbound protection. SP2 adds in- and outbound protection, which is better than nothing, but is not as robust as third-party firewalls. Be sure to run only >one< firewall. If you use another, be sure to disable XP's built-in firewall. If you use Zone Alarm, learn what needs/uses your internet connection. If something unusual or out of the ordinary "asks", deny it access until more investigation is done. Some of these have learning curves.
Zone Alarm
Kerio (Sunbelt Kerio Personal Firewall)"Free Evaluation"
Outpost Firewall
Outpost Free Basic Firewall
Jetico Personal Firewall
Tiny Firewall
BlackIce



Download one or two of these, install and update before using:(if these are constantly finding malware, then you need to make changes to your browser and or your habits)
CounterSpy Free trial version
Spybot Search and destroy
Ad-Aware SE Personal edition
Microsoft AntiSpyware (beta version)
Be careful with spyware "removers and scanners": there are many "rogue/suspect" programs that "claim to remove" spyware. Check here first.

Other programs to consider:
Process Guard stop events/processes with user intervention
SpywareBlaster add security to IE
IE-SPYAD adds adware peddlers sites/domains to IE restricted zone
CleanUp cleans out temps,history, autoforms etc

AntiTrojan software to fill in the gap:
a2 free
Ewido Security Suite
Trojan Hunter (30 day trial version)
Tauscan trial version


Learn More:
Browser Checkup
Parasite Free
Safe Hex
Shelf Lifes site
Home Computer Security
Wilders Security Advisors

Watch what you download, and where you download it from. Many programs come bundled with extra software; you may be installing more than you think. Make sure you understand what it is you will be downloading and installing to your computer. Visit the maker's website and learn more about the program. Does the program you want come bundled with other "3rd party" programs? What do the 3rd party programs do? Will they deliver ads? Track your surfing habits? Read the EULA, you know, that paragraph of stuff you "agree to" before the software installs. If you search hard enough you can always find a "clean" alternative to any software. Stay away from warez and crack sites. Be careful what you download from file sharing networks. If you are not sure, scan it with your antivirus app. A small file (in KB) is probably not what you think it is. DO YOU TRUST THE SOURCE?
How Can I Reduce My Risk?

#11 shelf life
SuperMember, Visiting Fellow, 3,191 posts

Posted 20 April 2006 - 06:50 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
How Can I Reduce My Risk?
