Author Topic: Please help with Win32:Purityscan trojan/spyware (Read 2806 times)

mdbrock7 · « **on:** March 30, 2006, 04:16:47 PM »

Can someone please help? Avast gives me the following warning:

A Trojan Horse Was Found!

C:\Documents and Settings\AdminAccount\Local Settings\Temporary Internet Files\Content.IE5\U5XPFPDK\!update-3595[2].0000\[UPX]

Win32:PurityScan-N [Trj]

It will not let me move it to the chest or delete it. When I try I get the following message:
"Cannot process "C:\Documents and Settings\AdminAccount\Local Settings\Temporary Internet Files\Content.IE5\U5XPFPDK\!update-3595[2].0000\[UPX]" file
The process cannot access the file beause it is being used by another process.

I have turned off system restore, deleted temporary internet files and scanned my pc in safe mode with all of the following: Ad aware, spybot, avast, ewido, a-squared, and trojan hunter. Everytime I reboot the trojan reappears. I am using Windows XP. Any help would be greatly appreciated.

GR@PH;<'S · « **Reply #1 on:** March 30, 2006, 04:35:23 PM »

mdbrock7,
please can you try CCleaner
(Note in CCleaner: go to >options > advanced > Uncheck "Only delete files in Windows Temp folders older than 48 hours"). but see CCleaner Set up
GR@PH;<'S

mdbrock7 · « **Reply #2 on:** March 30, 2006, 05:06:35 PM »

It removed the trojan but it reappeared again :help: after I rebooted. I am beginning to think the only way to get rid of it is to format my drive. I have been battling this thig for 3 days

winchester73 · « **Reply #3 on:** March 30, 2006, 05:35:35 PM »

Something is triggering it ...

Download HijackThis© Merijn from: http://www.thespykiller.co.uk/files/HJTsetup.exe .

This installer will put HijackThis onto your computer at C:\Program Files\HijackThis (it will make an entry in the Start menu and also provide a desktop shortcut).

At the download prompt, choose "Save". After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it to complete the installation.

Double-click the HijackThis icon on your desktop. Choose "Do a system scan and save logfile". The log will open in Notepad and you can copy/paste it here.

mdbrock7 · « **Reply #4 on:** March 30, 2006, 05:42:59 PM »

Here is the logfile:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Muiltmedia keyboard Utility\2.0\KbdAp32A.exe
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\w?nword.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard Utility\2.0\KbdAp32A.exe
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Vks] C:\WINDOWS\System32\w?nword.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notes.hpcpub.com/iNotes6.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - https://notes.hpcpub.com/download/dolcontrol.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

winchester73 · « **Reply #5 on:** March 30, 2006, 06:17:55 PM »

Here's the culprit ...

O4 - HKCU\..\Run: [Vks] C:\WINDOWS\System32\w?nword.exe

Do you know how to use Windows Explorer to search for a file?

Right click on the start button, then Explore ... you'll find a left window that you can use to navigate to find this bold-face file in the right window.

C:\WINDOWS\System32\w?nword.exe

Be certain you are in the System32 folder ... the "?" can be any character, not just the obvious "i".

When you find it, right click on the file and look at the properties. Let me know what you see regarding file creation date and file size.

mdbrock7 · « **Reply #6 on:** March 30, 2006, 06:28:24 PM »

before I saw your reply I used a purityscan uninstaller from here that was recommended by someone from a different forum: http://www.spyany.com/program/article_spw_rm_PurityScan.html

It seems to have fixed the problem. The file you suggested I look at doesn't exist anymore. I scanned with hijackthis again and it didn't appear there either.

thanks alot for all your help.

winchester73 · « **Reply #7 on:** March 30, 2006, 06:48:31 PM »

C:\Program Files\Java\jre1.5.0_02

Don't know if the other forum mentioned this or not, but your version of Sun Java is out of date. A pest called Vundo is exploiting that, so you might wish to update the Java.

mdbrock7 · « **Reply #8 on:** March 30, 2006, 06:49:36 PM »

thanks. I will do that now

Corrine · « **Reply #9 on:** March 31, 2006, 07:33:35 PM »

Don't for get to uninstall the old versions of Java, mdbrock7. Unfortunately, the SunJava update doesn't do that.

foolsgold99 · « **Reply #10 on:** April 06, 2006, 09:45:38 AM »

Hi,
I also had they same PurityScan problems and couldn't get rid of it. I've followed the instructions and it's gone. Thankyou very much to all the users who posted hints here. I really appreciate it!

LandzDown Forum

News:

Author Topic: Please help with Win32:Purityscan trojan/spyware (Read 2806 times)

mdbrock7

Please help with Win32:Purityscan trojan/spyware

GR@PH;<'S

Re: Please help with Win32:Purityscan trojan/spyware

mdbrock7

Re: Please help with Win32:Purityscan trojan/spyware

winchester73

Re: Please help with Win32:Purityscan trojan/spyware

mdbrock7

Re: Please help with Win32:Purityscan trojan/spyware

winchester73

Re: Please help with Win32:Purityscan trojan/spyware

mdbrock7

Re: Please help with Win32:Purityscan trojan/spyware

winchester73

Re: Please help with Win32:Purityscan trojan/spyware

mdbrock7

Re: Please help with Win32:Purityscan trojan/spyware

Corrine

Re: Please help with Win32:Purityscan trojan/spyware

foolsgold99

Re: Please help with Win32:Purityscan trojan/spyware