Purity Scan, Trojan.Spy.Agent.MS, more?

Hi

We will need the Hijackthis log from Normal Mode as we will nedd to see all the running applications and processes, plus hijackthis installed and run in the location specified, with the name change to analyze.exe as many malware varients are not picked up when the name is the default one.

 

First install the current version of Sun Java from: Sun Java Runtime Environment

Then uninstall the below old versions of software:
Java 2 Runtime Environment Standard Edition v1.3.1_04
Java 2 Runtime Environment, SE v1.4.2_06



Start by downloading two tools we will need - Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later.

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
C:\Program Files\Common Files\?ystem\??anregw.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: (no name) - {CA1FEB8F-2C6E-2DB4-41FC-70E2EE0671C6} - C:\WINDOWS\system32\zrtogd.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {CA1FEB8F-2C6E-2DB4-41FC-70E2EE0671C6} - C:\WINDOWS\system32\zrtogd.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SMANTE~1\spoolsv.exe" -vt tzt
O4 - HKCU\..\Run: [Zthm] C:\Program Files\Common Files\?ystem\??anregw.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

After clicking Fix, exit HJT.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\zrtogd.dll
C:\WINDOWS\system32\wnsintsv.exe
C:\WINDOWS\system32\WinNB65.dll
C:\Program Files\S?mantec\spoolsv.exe
C:\Program Files\SMANTE~1\spoolsv.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folder and delete it if found:
C:\Program Files\popupwithcast

Also delete all files & subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Owner\Local Settings\Temp

Now attach new logs from HJT & ShowNew.
Also tell me how the steps went.
Make sure you tell me how things are working now!

 

You're welcome!

Somehow you missed one item with Killbox. Delete the below file manually or use Killbox to delete it:

C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe

Then empty your Recycle Bin and also Run Pocket Killbox and select File, Cleanup, Delete All Backups!

Then reboot and make sure it is still gone.

Also locate the below folders!

Code:

"C:\Documents and Settings\Owner\Application Data\"
CROSOF~1      Sep 29 2006              "??crosoft"
FNTS~1        Sep 27 2006              "F?nts"
 
"C:\Program Files\"
ICROSO~1.NET  Sep 13 2006              "?icrosoft.NET"
SMANTE~1      Sep  7 2006              "S?mantec"
ECURIT~1      Sep  7 2006              "?ecurity"
 
"C:\Program Files\Common Files\"
YSTEM~1       Sep 28 2006              "?ystem"

Locate them by the Date given because they may look like other folders with the same name. The question mark represents unprintable characters but when you view these folders from a Windows Explorer session the question marks will show up as other characters. For example, these two:

Code:

"C:\Documents and Settings\Owner\Application Data\"
CROSOF~1      Sep 29 2006              "??crosoft"
FNTS~1        Sep 27 2006              "F?nts"

Will more than likely show up as Microsoft and as Fonts. You already have a a valid Microsoft subfolder in this folder but it will have an older date. The Fonts folder will probably be empty.

Let me know what you find. And also tell me which of 6 folders are empty. If not empty, tell me what is in them. Again, make sure you locate them by DATES!

 

You're welcome.

If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!