Full Version: Trojan Horse Downloader.PurityScan.L
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Guaili
A couple of days ago I updated my AVG Anti-Virus and it quickly found this trojan horse: Trojan Horse Downloader.PurityScan.L

The thing is AVG cannot get rid of it, either by healing it or locking it in the Virus Vault (it says it cannot move the file). Here is the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 2:25:44 PM, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\My Documents\Programs folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.computerhousepr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.my.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7DA2729C-55D0-4016-9EB5-55E6C05BF59F} - C:\WINDOWS\System32\ogd.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Bahm] C:\Documents and Settings\user\Application Data\o?e?.exe
O4 - HKCU\..\Run: [Yxwwpo] C:\WINDOWS\System32\t?skmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.computerhousepr.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7ED673-F9F0-42CF-9725-1631C97E84EE}: NameServer = 196.28.61.36 196.28.61.66
Any help would be appreciated, I don't like viruses or trojans or whatever roaming freely on my computer!
Bobbi Flekman
Hi Guaili,

QUOTE
A couple of days ago I updated my AVG Anti-Virus and it quickly found this trojan horse: Trojan Horse Downloader.PurityScan.L
Where did AVG find PurityScan?

I see you are running AVG6 Anti-Virus from Grisoft.

Please read these links.

http://www.grisoft.com/us/us_index.php

http://free.grisoft.com/freeweb.php/doc/2/

You need to download the AVG7 Free version when it is available, as the old version will no longer give you any protection after 31st December 2004.

You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O2 - BHO: (no name) - {7DA2729C-55D0-4016-9EB5-55E6C05BF59F} - C:\WINDOWS\System32\ogd.dll (file missing)

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

O4 - HKCU\..\Run: [Bahm] C:\Documents and Settings\user\Application Data\o?e?.exe
O4 - HKCU\..\Run: [Yxwwpo] C:\WINDOWS\System32\t?skmgr.exe

O15 - Trusted Zone: *.windupdates.com


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?

A folder or file name containing a tilde (~) means that there is a file/folder whose name starts with the six characters in front of the tilde; note that there may be spaces in the name. If there is more than one, please report them back and do not delete!

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\System32\twink64.exe

Restart your computer and post a new log in this thread.

Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

CODE
REM The "?" in each name doubles as a single-character wildcard, so the listing
REM shows every file that fits the pattern. /a lists all files, hidden ones included.
dir "C:\Documents and Settings\user\Application Data\o?e?.exe" /a > files.txt
dir C:\WINDOWS\System32\t?skmgr.exe /a > files2.txt
notepad files.txt
notepad files2.txt


Locate FindFile.bat on your Desktop and double-click on it. It will open two instances of Notepad with some text in it. Please post the text here.
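A "?" in a HijackThis entry typically stands for a character the tool could not display, which is also why such a file is hard to find by typing its name into a search box. The following Python script is an added example and is not code from this thread or from HijackThis: it parses a "dir ... /a" listing of the same shape as the ones requested above and flags names that contain non-ASCII characters or that differ from a well-known Windows binary only at those characters. The listing is constructed; where the thread shows "?", Cyrillic letters (U+0430, U+0441, U+0455) are assumed for illustration, and the list of known binaries is an assumption too.

```python
import re
import unicodedata

# Constructed sample with the shape of the "dir ... /a" listings posted in
# this thread. Where HijackThis printed "?", a real non-ASCII letter is used
# here (Cyrillic small a, U+0430; Cyrillic es, U+0441; Cyrillic dze, U+0455).
# Dates, sizes and the exact characters are assumptions for illustration.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 4811-6500

 Directory of C:\\WINDOWS\\System32

08/04/2004  03:56 AM           135,680 taskmgr.exe
10/05/2004  11:06 AM           380,928 t\u0430skmgr.exe
09/29/2004  12:48 AM            82,432 o\u0441e\u0455.exe
               3 File(s)        599,040 bytes
"""

# Legitimate Windows binaries that an impostor is likely to imitate.
# Assumed list for the example; extend it for your own environment.
KNOWN_SYSTEM_BINARIES = {
    "taskmgr.exe", "svchost.exe", "explorer.exe", "lsass.exe",
    "winlogon.exe", "ctfmon.exe", "services.exe", "smss.exe",
}

# One file line of a dir listing: date, time, size with thousands separators, name.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>.+?)\s*$"
)


def parse_dir_listing(text):
    """Return [(name, size_in_bytes), ...] for the file lines of a dir listing."""
    files = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            files.append((m.group("name"), int(m.group("size").replace(",", ""))))
    return files


def odd_characters(name):
    """Characters of name outside printable ASCII (space .. tilde)."""
    return [c for c in name if not 32 <= ord(c) < 127]


def masquerades_as(name, known=KNOWN_SYSTEM_BINARIES):
    """Return the known binary that `name` imitates: same length, identical at
    every position except where `name` carries a non-ASCII character."""
    low = name.lower()
    for real in sorted(known):
        if len(real) != len(low) or real == low:
            continue
        if all(a == b or ord(b) >= 127 for a, b in zip(real, low)):
            return real
    return None


def flag_suspicious(listing_text, known=KNOWN_SYSTEM_BINARIES):
    """Map each suspicious file name to the list of reasons it was flagged."""
    findings = {}
    for name, size in parse_dir_listing(listing_text):
        reasons = []
        odd = odd_characters(name)
        if odd:
            reasons.append("non-ASCII characters: " + ", ".join(
                "U+%04X %s" % (ord(c), unicodedata.name(c, "?")) for c in odd))
        real = masquerades_as(name, known)
        if real:
            reasons.append("looks like %s but is a different file (%d bytes)" % (real, size))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in flag_suspicious(SAMPLE_DIR_OUTPUT).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

Feed it the text of files.txt and files2.txt from the batch file above (after converting them to a Unicode-aware encoding, since cmd writes the console code page) and the legitimate taskmgr.exe stays unflagged while the look-alike is reported with the exact code points, which is what you need to delete it with a tool that accepts Unicode names.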
Guaili
First things first: I downloaded AVG Anti-Virus 7.0 (don't know if this is still the Beta version or the official version, or if there is any difference between the two), scanned my computer and it found the trojan horse in
C:\Documents and Settings\user\Application Data\o?e?.exe

But unlike AVG 6.0, it had no problem deleting the file, and the problem was apparently solved, but I did another scan later and it found the trojan again, same place, deleted it, and after another scan there it is again. I'm wondering if this is one of those "you need to turn off system restore" things or if this is some really nasty trojan, because there is no info about it in the virus encyclopedia of AVG.

As for the other things you asked, I did so. After restarting in safe mode I did not find any hidden twink64.exe file (did a search and checked in My Documents, dunno where else to look for it). The new log is this:

Logfile of HijackThis v1.98.2
Scan saved at 11:49:13 AM, on 11/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\user\My Documents\Programs folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.computerhousepr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.my.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.computerhousepr.com
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab

The notepad thing you asked me to do opened up two notepad windows. Here is the first notepad window:

Volume in drive C has no label.
Volume Serial Number is 4811-6500

Directory of C:\Documents and Settings\user\Application Data

09/29/2004 12:48 AM 82,432 o?e?.exe
1 File(s) 82,432 bytes

Directory of C:\Documents and Settings\user\Desktop

And here the second window:

Volume in drive C has no label.
Volume Serial Number is 4811-6500

Directory of C:\WINDOWS\System32

08/04/2004 03:56 AM 135,680 taskmgr.exe
10/05/2004 11:06 AM 380,928 t?skmgr.exe
2 File(s) 516,608 bytes

Directory of C:\Documents and Settings\user\Desktop


Thanks in advance for any help you can provide.
Bobbi Flekman
Hi Guaili,

Restart your computer in Safe Mode. How do I Safe Boot my computer?
Show hidden files. How do I show hidden files?

Open Windows Explorer, navigate to the folder "C:\Documents and Settings\user\Application Data" and find the file "o?e?.exe". Delete this file.
Navigate to the folder "C:\WINDOWS\System32" and find the file "t?skmgr.exe". Delete this file. Take care that you delete the right one. The file you want to delete has a date of 10/05/2004 and is 380,928 bytes in size! Do not delete Taskmgr.exe!

For the rest, this log is clean!

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall (for example Kerio Personal Firewall or ZoneLabs Zone Alarm), a spyware blocker like SpywareBlaster and also IE-Spyads, and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available. Be very cautious about any security software that advertises in popups or other intrusive ways; it is not only usually useless, but also often has malware in it....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP, get updated to SP2.

Please post back if you are still having any problems....
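The "this log is clean" verdict above comes from comparing the new log with the earlier one entry by entry. As an added example, not code from the thread or from HijackThis, the following Python script does that comparison: it extracts the R/F/N/O entries from two HijackThis logs, reports which entries disappeared and which appeared, and groups them by section. The two sample logs are short excerpts of the first and second logs posted in this thread; nothing else in the script is from the original.

```python
import re

# Excerpts of the two HijackThis logs posted in this thread (first log of
# 11/12/2004 and second log of 11/13/2004), cut down to a few entries each.
LOG_BEFORE = r"""
Logfile of HijackThis v1.98.2
Scan saved at 2:25:44 PM, on 11/12/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7DA2729C-55D0-4016-9EB5-55E6C05BF59F} - C:\WINDOWS\System32\ogd.dll (file missing)
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Bahm] C:\Documents and Settings\user\Application Data\o?e?.exe
O4 - HKCU\..\Run: [Yxwwpo] C:\WINDOWS\System32\t?skmgr.exe
O15 - Trusted Zone: *.windupdates.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7ED673-F9F0-42CF-9725-1631C97E84EE}: NameServer = 196.28.61.36 196.28.61.66
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.98.2
Scan saved at 11:49:13 AM, on 11/13/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# A HijackThis entry: section code (R0, O4, O17, ...), " - ", the rest.
ENTRY = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+?)\s*$")


def entries(log_text):
    """Set of R/F/N/O entries in a log; header and process list are ignored."""
    found = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            found.add(m.group("section") + " - " + m.group("body"))
    return found


def running_processes(log_text):
    """The paths listed under 'Running processes:' up to the next blank line."""
    procs, inside = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.lower() == "running processes:":
            inside = True
            continue
        if inside:
            if not s:
                break
            procs.append(s)
    return procs


def diff_logs(before, after):
    """Return (removed, added): entries only in the old log, only in the new."""
    old, new = entries(before), entries(after)
    return sorted(old - new), sorted(new - old)


def by_section(lines):
    """Group entry lines by their section code, e.g. {'O4': [...], 'O15': [...]}."""
    groups = {}
    for line in lines:
        groups.setdefault(line.split(" - ", 1)[0], []).append(line)
    return groups


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label, lines in (("REMOVED", removed), ("ADDED", added)):
        print(label)
        for section, group in sorted(by_section(lines).items()):
            for line in group:
                print("  ", line)
```

Entries that vanish after a "Fix checked" are expected; an entry that comes back in a later log after being fixed is the sign of something re-creating it, which is the case worth a second look. Note that O17 (the DNS servers of a network interface) can legitimately come and go between logs when the interface is reconfigured, so its absence alone proves nothing.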
Guaili
I have Ad-Aware, Spybot, SpywareBlaster, AVG, Firefox browser, and the Windows Service Pack 2. So, on that account, I think I am quite protected. :thumb:

As for the deletion of files, I did have a problem: I couldn't find them. I tried to find them in both normal mode and safe mode (safe mode being a bit uncomfortable to use) and couldn't. And yes, I did enable the show hidden files, but nothing. Not o?e?.exe nor t?skmgr.exe. I tried to locate them by date, by doing a search, and just by looking around their locations, but they aren't there. How can that be? I'll post the latest HijackThis log just in case something can be figured out of it:

Logfile of HijackThis v1.98.2
Scan saved at 6:54:04 PM, on 11/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\user\My Documents\Programs folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.computerhousepr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.my.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.computerhousepr.com
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7ED673-F9F0-42CF-9725-1631C97E84EE}: NameServer = 196.28.61.36 196.28.61.66

Again, I appreciate all your help.
Bobbi Flekman
Hi Guaili,

QUOTE
As for the deletion of files, I did have a problem: I couldn't find them. I tried to find them in both normal mode and safe mode (safe mode being a bit uncomfortable to use) and couldn't. And yes, I did enable the show hidden files, but nothing. Not o?e?.exe nor t?skmgr.exe. I tried to locate them by date, by doing a search, and just by looking around their locations, but they aren't there. How can that be? I'll post the latest HijackThis log just in case something can be figured out of it:
Then AVG has taken care of both of them! Your log is still clean.

One of the best features of Windows XP is the System Restore option; however, if a virus infects a computer with this operating system, the virus may be accidentally backed up because of this feature. In order to completely remove a virus on these operating systems, you should disable System Restore before cleaning the system, then re-enable it after the system is clean.

Follow the instructions below to disable System Restore

IMPORTANT NOTES:
You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the "System Restore"-tab will not be displayed.
Turning off System Restore will clear out all previous restore points.

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click "Start", click "Properties", click "Start menu (not Classic)" and then click "OK".

1. Click "Start".
2. Right-click the "My Computer"-icon, and then click "Properties".
3. Click the "System Restore"-tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives".
5. Click "Apply".
6. When turning off "System Restore", the existing restore points will be deleted. Click "Yes" to do this.
7. Click "OK".
8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click "Start".
2. Right-click "My Computer", and then click "Properties".
3. Click the "System Restore"-tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives".
5. Click "Apply", and then click "OK".
Guaili
The AVG Anti-Virus still detects it, in the same file. I'll do a scan later, with System Restore off, to see if I have any luck; if I keep having the problem I'll post back. Thanks for all the help!
Guaili
I scanned the computer with the System Restore off, and still it could not get rid of the trojan horse. I don't have any idea of what to do, except perhaps download another anti-virus and try my luck with it, but if the file where the trojan supposedly is can't be found, I dunno how another anti-virus can get rid of it. Are more people having problems of this kind, where the file where the virus/trojan supposedly is cannot be found? Is this a mistake by the computer?

Here's the latest HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 8:08:43 PM, on 11/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\user\My Documents\Programs folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.computerhousepr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.my.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.computerhousepr.com
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7ED673-F9F0-42CF-9725-1631C97E84EE}: NameServer = 196.28.61.36 196.28.61.66
Bobbi Flekman
Hi Guaili,

Have you turned System Restore back on?
This log is clean.
Guaili
Yes, I did so immediately and created a restore point.

So AVG is detecting a phantom virus or something? hmmm...
Bobbi Flekman
I was under the impression that PurityScan was found in System Restore; but the previous posts don't tell me that. Where does AVG find it?

Turning on System Restore creates a new restore point, effectively erasing the viruses in the last one.
Guaili
QUOTE (Bobbi Flekman @ Nov 16 2004, 04:52 PM)
I was under the impression that PurityScan was found in System Restore; but the previous posts don't tell me that. Where does AVG find it?

Turning on System Restore creates a new restore point, effectively erasing the viruses in the last one.

The trojan is found in C:\Documents and Settings\users\Application Data\o?e?.exe which is where it has been from the beginning, and precisely the file I cannot find to delete. AVG always tells me it deleted the file, but at the next scan it shows up again. I don't know, maybe it's a bug in AVG, because its Resident Shield has not alerted me about this trojan in quite a while (only once after I downloaded AVG 7.0). I have a similar problem with the DSO exploit, which Spybot always finds but because of a bug it cannot get rid of it completely; it always comes back. I have learned to live with this one, since it's a spyware program that exploits IE, and I use Firefox, and in the case of this trojan so far it has not done any damage, but I just don't feel safe with that thing "loose" in my computer.
Bobbi Flekman
QUOTE (Guaili @ Nov 16 2004, 07:19 PM)
The trojan is found in C:\Documents and Settings\users\Application Data\o?e?.exe which is where it has been from the beginning, and precisely the file I cannot find to delete.
If you navigate to that folder does that exist? In an earlier post you said AVG had deleted the file...

If it isn't there get in contact with the makers of AVG.
Guaili
QUOTE (Bobbi Flekman @ Nov 16 2004, 08:18 PM)
QUOTE (Guaili @ Nov 16 2004, 07:19 PM)
The trojan is found in C:\Documents and Settings\users\Application Data\o?e?.exe which is where it has been from the beginning, and precisely the file I cannot find to delete.
If you navigate to that folder does that exist? In an earlier post you said AVG had deleted the file...

If it isn't there get in contact with the makers of AVG.

No, it doesn't exist, that's the thing. Neither did the other file you asked me to delete, t?skmgr.exe or something of the sort. AVG detects the o?e?.exe file and says it's deleted, only to reappear at the next scan. I will contact the AVG people, it must be a bug.
Hunter
I am wondering if you really have the final version of AVG 7, and/or maybe version 6 was not completely uninstalled for some reason. Why don't you do this: uninstall what you do have, no matter what it is..then start over with a new download and install of 7..maybe somehow you have parts of 6 still in there, or some settings...how did you do it all in the first place..this changeover to 7?
Hunter
This is our Forum for AVG..and there you can also post..and find answers for your AVG7
http://forum.gladiator-antivirus.com/index.php?showforum=155
Hunter
BTW, one thing you can do with AVG7 that you could not do with AVG6 is scan for and remove viruses in the SAFE MODE of your computer..so get into safe mode..run a complete scan with your AVG7 and do it with the correct settings...and see if that clears the problem.
Guaili
QUOTE (Hunter @ Nov 17 2004, 01:45 AM)
I am wondering if you really have the final version of AVG 7 and or maybe version 6 was not completely uninstalled for some reason. why dont you do this uninstall what you do have no matter what it is..then start over with a new download and install of 7..maybe somehow you have parts of 6 still in there or some settings...how id you do it all in the first place..this change over to 7?

I downloaded version 7.0, clicked on it and the install began. It said that as part of the installation process of version 7.0 it would uninstall any previous versions of AVG. But I will do what you say, just in case.

BTW, the trojan horse is PurityScan.U, not PurityScan.L; it was a mistake of mine, but that was what showed up in the Resident Shield window, maybe the text was cut right at the U... anyway, I saw there's another thread which tells how to get rid of PurityScan.U, so I will check it out too.
Guaili
QUOTE (Hunter @ Nov 17 2004, 01:48 AM)
This is our Forum for AVG..and there you can also post..and find answers for your AVG7
http://forum.gladiator-antivirus.com/index.php?showforum=155

Thanks, Hunter, I will check it out.

As for the SAFE MODE thing, I will also do this. But what exactly is the difference between SAFE MODE and normal mode? How is it safer?
Hunter
Safe mode of your computer means..only a limited number of programs run at startup..in fact only the ones necessary to run your PC and get a desktop...this is good since when you try to clean some viruses from your PC..many times this cannot be done in normal Windows mode since "it is impossible for an AV to clean a file off if it is currently running on your PC"

In safe mode they will not run..so you can clean many of them off during that mode.

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


Also OT..please do not post in other people's threads in this forum. Thanks.

also..you now have to tell me if your AVG still finds a virus..where it is finding it. I need the complete path and info..not just the fact it was found.

This will also help you understand why..

What is System Restore?

One of the new features of Windows Me and Windows XP is System Restore. This feature, which is enabled by default, is used by Windows to restore files on your computer in case they become damaged. If you experience a problem with your system that is caused by software, System Restore gives you the opportunity to go back to a point where things were working correctly.

Windows XP stores this information in the System Volume Information folder. These folders are updated when the computer restarts.

NOTE: Both the _RESTORE folder in WinME and the System volume information folder in Win XP are marked with the hidden attribute, and, by default, Windows is set to not display such files or folders.

Even after you have found a virus and your AV has cleaned your PC, you still might get an indication that you still have the virus but that it cannot be deleted from these folders.

Problem is..the system restore also has a copy of all those viruses and trojans that have infected your system. They are in a compressed mode...your ANTIVIRUS knows they are there but cannot help you clean them, so you must do it manually.

GO TO THE FIRST LINK AND FOLLOW THE SCREEN SHOTS TO GET RID OF THIS IN THE "SYSTEM VOLUME" INFO FOLDER. THE SECOND LINK WILL DO IT FOR WIN ME IN THE "_RESTORE FOLDER".


NAME: Disabling System Restore on Windows XP
ALIAS: Disabling Windows XP AutoRestore feature


http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

NAME: Disabling System Restore on Windows ME
ALIAS: Disabling Windows ME AutoRestore feature

http://www.europe.f-secure.com/v-descs/sfc_dis.shtml


*********************

also this you should know


It is recommended that you do a couple of things after a serious infection.

Just to be sure.

Clear out your Temporary internet files and other temp files. Go to Start > Settings > Control Panel >
Internet Options. Under the General tab click the Delete temporary internet files,
choose to delete all Offline content. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all ->
File > delete.

Empty the contents of the C:\Windows\temp folder and C:\temp folder, if you have one.

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

Empty the Recycle Bin.

This will result in your having to re-enter passwords at forums, banks, and the like.

A small price to pay if it gets rid of any bad guys.

Flush your restore points in ME and XP, by turning System Restore off and then back on.
This will create a fresh restore point.

Explained here:
http://service1.symantec.com/SUPPORT/tsgen...001111912274039

Also, if you have Sun Java installed, its cache should be cleared too.
> control panel java-plugin > cache tab > hit clear!
And make sure you have the latest version if you have sunjava.

Adjust your security settings for ActiveX:
a. Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set/click the options as follows:
Download signed ActiveX controls > prompt
Download unsigned ActiveX controls > disable
Initialize and Script ActiveX controls not marked as safe > disable
b. In your Restricted Sites Zone set everything that can be to "disable". Set anything that cannot be disabled to "prompt".
c. Never add any site to your Trusted Sites Zone.

I would also recommend, in your own self-defense and to reduce the potential for spyware infection in the future, installing both SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers real-time protection from spyware installation and browser hijack attempts. Both have free ongoing updates.

More info and download is available at:
SpywareBlaster: http://www.majorgeeks.com/download.php?det=2859
SpywareGuard: http://www.majorgeeks.com/download.php?det=3045

Maybe consider this as well:
IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit
innocent-looking sites that aren't really innocent at all.
https://netfiles.uiuc.edu/ehowes/www/resource.htm
Also some info on that page to tighten your IE security.

Be sure to also keep up with Windows and IE updates.

Windows security and critical updates.
http://v4.windowsupdate.microsoft.com/en/default.asp

Internet Explorer security and critical updates.
http://www.microsoft.com/windows/ie/default.asp

Keep all of these programs updated, it's free.
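As an added example (not from Hunter's post, nor from AVG or any Gladiator tool), here is a small Python audit of the three Internet-zone ActiveX settings recommended above, so a defender can verify the settings actually took. It assumes the zone layout Microsoft documents for IE (zone subkey 3 = Internet, 4 = Restricted sites; URL actions 1001, 1004, 1201; DWORD data 0 = enable, 1 = prompt, 3 = disable) and falls back to constructed sample values when not run on Windows.

```python
"""Audit IE ActiveX zone settings against the targets given in the post above (added example).
Assumes Microsoft's documented layout: zones are subkeys of HKCU\\...\\Internet Settings\\Zones
(3 = Internet, 4 = Restricted sites); each URL action is a DWORD: 0 = enable, 1 = prompt, 3 = disable."""
import sys

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET_ZONE, RESTRICTED_ZONE = "3", "4"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVELS = {ENABLE: (0, "enable"), PROMPT: (1, "prompt"), DISABLE: (2, "disable")}  # rank, name
# URL action ids of the three ActiveX settings named in the post.
ACTIVEX_ACTIONS = {"1001": "Download signed ActiveX controls",
                   "1004": "Download unsigned ActiveX controls",
                   "1201": "Initialize and script ActiveX controls not marked as safe"}
# Internet zone targets from the post; Restricted zone: everything set to disable.
INTERNET_TARGET = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE}
RESTRICTED_TARGET = {action: DISABLE for action in ACTIVEX_ACTIONS}
# Constructed sample (not read from any machine): signed downloads enabled, scripting on prompt.
SAMPLE_INTERNET = {"1001": ENABLE, "1004": DISABLE, "1201": PROMPT}


def audit_zone(settings, target):
    """Return one finding per action that is unset or less strict than its target."""
    findings = []
    for action, wanted in target.items():
        actual, label = settings.get(action), ACTIVEX_ACTIONS[action]
        if actual not in LEVELS:
            findings.append(f"{label}: not set in HKCU (inherited default applies)")
        elif LEVELS[actual][0] < LEVELS[wanted][0]:
            findings.append(f"{label}: is '{LEVELS[actual][1]}', should be '{LEVELS[wanted][1]}'")
    return findings


def read_zone(zone):
    """Read a zone's ActiveX action DWORDs from the current user's hive (Windows only)."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + zone) as key:
        for action in ACTIVEX_ACTIONS:
            try:
                value, kind = winreg.QueryValueEx(key, action)
            except FileNotFoundError:
                continue
            if kind == winreg.REG_DWORD:
                out[action] = value
    return out


if __name__ == "__main__":  # live registry on Windows, constructed sample elsewhere
    settings = read_zone(INTERNET_ZONE) if sys.platform == "win32" else SAMPLE_INTERNET
    print(*(audit_zone(settings, INTERNET_TARGET) or ["Internet zone meets target"]), sep="\n")
```

Run `audit_zone(read_zone(RESTRICTED_ZONE), RESTRICTED_TARGET)` the same way to check the Restricted Sites zone, where the post wants every ActiveX option set to disable.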