
Thread: i'm infected, please help, thank you


  1. #1
    Join Date
    Apr 2008
    Posts
    5

    i'm infected, please help, thank you

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:24:49 AM, on 4/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/c...search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\BRANDON HUTCHCROFT\Application Data\Mozilla\Profiles\default\ju7p1gh9.slt\prefs.js)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
    O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151351526924
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151352203520
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 8826 bytes

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    First of all bth_2k3, you began two different threads with the same problem. This is not necessary and can cause confusion. I have deleted your other one.
    Now we need more info here: HOW do you know you are infected, and with what are you infected? What symptoms are occurring which cause you to believe you are infected?

    Answer those two questions here FIRST, also giving us more information about your computer. THEN go to this sticky READ ME Before Posting A Request For Assistance!
    Follow each and every step there, in order.
    Save all logs requested. Once you have completed all those steps then run a NEW HJT scan and post back here with that new log and all the other requested logs. Be sure to note that some steps request that you allow the particular program that you are using to CLEAN anything found, please do so. This will make your clean up much easier.
    Post back with the logs when you have completed those steps and we can decide if other steps are needed.

  3. #3
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Age
    69
    Posts
    33
    jHolland...I was helping him with his comp and recommended he post here....

    1. Norton AV Corp would NOT install, with no other AV running or installed.
    2. All previous Norton "suite" entries removed with JV16 Power Tools.
    3. The HJT log analyzer has 3 RED entries and one can't be removed with HJT.
    4. pinfi.parite was one problem, and still is.
    5. when trying to install Norton AV Corp 2003 this error:
    "Symantec cannot open device specified"
    6. The initial indication was his inability to create games in Diablo II....in 8 years I have NEVER seen this before.
    7. He's running an old PIII comp, make unknown.
    8. The 1st HJT scan resulted in 7 RED entries....HJT removed 6 and after reboot..."regrew" three of them, one of which still cannot be removed.
    9. I sent him here expecting an expert to "walk him thru" cleaning his comp
    "specifically "walk him thru"....while a very nice guy he is very new to computer maintenance and with what information you will need to help him.
    10. I spent over ten hours on the phone with him...just to get him this far.

    Programs I had him install:
    Zonealarm (free) and properly configured.
    Avast AV (updated)
    Glary Utilities
    Unlocker 1.8.5
    CCleaner
    JV16 Power Tools (last free version)

    also I believe his nwprovau.dll is corrupt...I emailed him MY copy of this file and it immediately became corrupt again.

    Lastly, we did manage to solve the "create games" on D2 LoD problem. But I for the life of me, cannot figure out why Norton Corp AV will not install. You dont EVEN want to know how much infection we already removed Jv16 alone removed about 4k entries...the most I've EVER seen!

    P.S. Windows XP Pro with all the updates, updated Spybot S&D, updated Ad-Aware, system restore is OFF, and he knows how to boot to safe mode, and his Services are NOW set to the minimum required for a gaming machine, and he has great connection (Cable-canadian) and windows explorer is NOW set to show hidden and system files and file extensions. I can't help him any further as I use Norton Ghost to de-infect my machine with a known clean backup.

    Other Symptoms: properties sheet of my computer would lose tabs randomly.
    Last edited by Ghot; 04-14-2008 at 01:11 PM.

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I cannot stress enough: DON'T USE the Analyzer to determine which items to remove. This analyzer here is way, way out of date, so don't do ANY removal based on what is shown there. Many entries which refuse to be removed quite possibly ARE legitimate files and are needed by the computer. Plus HJT is really NOT a fixer program but a scanner program. Final general clean up fixes can be done with it at times but most of the time that isn't necessary.
    Norton really should be removed using first Add/Remove and then the Norton Removal tool that you download from their website.
    Just to be certain all of that is gone do, or have him do a file search for Norton, delete anything found and then for Symantec and delete anything found.
    We really need the logs from the link I gave before I, or one of the other helpers here, can determine what can and should be removed. Entries noted often times depend on location...that is...if something is noted in one location it is probably an infection BUT noted in another location then it is a legitimate file and must not be removed.
    I certainly will be happy to "walk through" removals and fixing but he actually has to be here on the site to do that.
    Have him do steps 7 through 9 on the link, saving all logs. Tools are very easy to run, honest, just a click, it runs and that is it. Once all those are run then a new scan with HJT should be run.

    You say that
    He's running an old PIII comp, make unknown.
    What is the hard drive size and amount of RAM?

  5. #5
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Age
    69
    Posts
    33
    Yes, we did the complete Norton removal and for some reason AVAST wiped out inet explorer so we removed that ...completely and installed AVG free for now and Mozilla Firefox so he can stay away from IE for the time being....shortly he will view your readme of what progs to use and then post the logs....until just now he couldn't get online at all, well he could get online to Diablo but not IE, but that seems to be fixed atm...I have him running the ewido scan right now and then I'm going to send him here.

    512 mb RAM, 20GB HD.

    P.S. he has the 2.0.0 version of HijackThis btw.

    the EWIDO scan found this file too: wnscpsv.exe which is a nasty!

    Also a run of Spyware Doctor hard locked on nwprovau.dll which we already know is corrupt, and it found something called security scan....
    We successfully removed wnscpsv.exe before running Spyware Doctor.....currently we are letting Spyware Doctor run at start up as nwprovau.dll is a necessary Windows file and cannot be removed by normal means. However we did manage to replace nwprovau.dll in both the dllcache folder AND the system32 folder with a valid copy....BUT it grew back, corrupted. I assume w/e "security scan" that Spyware Doctor found before it locked up at 97% is the cause of this. If running Spyware Doctor at startup does not solve this issue...then I will have my friend run all the programs and post all the logs, as I've done all I know how to do. HJT v2.0.0 continually shows nwprovau.dll in RED on HIS comp but it does not even appear in a HJT scan on mine. On HIS comp HJT cannot remove it for obvious reasons. I'm trying to solve this simply because it's a learning experience for me and I know you guys are busy...very busy. It's beginning to seem that we are going to have to add to your workload...we will know for sure in about a half hour. Lastly I know you are completely correct about NOT using HJT to remove entries. But take MY word for one thing...we have removed nothing Windows related with HJT and will NOT do so.

    We got IE working again and replaced AVAST with AVG as AVAST is apparently what stopped IE. He also NOW has the latest Mozilla Firefox installed. While I realize that the above methods we have used are NOT the proper method of removing a trojan...it sure is fun trying.

    P.S. For any new people: do NOT try to remove this nwprovau.dll file as it will disable both Windows Explorer and your desktop....the ONLY reason I am messing with it on HIS comp is that I have a non-corrupt copy of it and have sent him a non-corrupt copy. I repeat, do NOT mess with nwprovau.dll or you will bork your Windows install!
    Last edited by Ghot; 04-14-2008 at 06:54 PM.

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    nwprovau.dll as shown in O10 IS the legitimate file as far as I can tell. HijackThis will show good and bad Winsock layers. In your case, it's a legitimate file; for now don't worry about it.
    Have you run ANY of the steps in the sticky?
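A small parser for the HijackThis entry format quoted in this thread, added here as an illustration (it is not part of the thread, nor code from HijackThis or its helpers). It splits each entry into its section code, body and file path, and attaches the kind of "look closer" flags the helpers describe: an O10 Winsock LSP entry (HJT lists good and bad layers alike), an entry with no name or unknown owner, and a file living outside the standard Windows and Program Files locations. The sample lines are constructed from the quoted log plus one made-up O4 entry under a user profile; EXPECTED_ROOTS and the flag texts are assumptions, not HJT's own rules.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Section code at the start of every HijackThis entry, e.g. "R1", "O4", "O23".
_ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A Windows file path ending in an executable/library extension.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx)\b', re.IGNORECASE)

# Assumed roots where the entries in the quoted log are expected to live.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Constructed sample: lines in the form quoted in this thread; the last O4 line is made up.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O4 - HKCU\..\Run: [Example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
"""

@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    flags: list = field(default_factory=list)

def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT entry line, or None for headers/process list/blank lines."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    p = _PATH_RE.search(body)
    return Entry(m.group("section"), body, p.group(0) if p else None)

def triage(entry: Entry) -> Entry:
    """Attach review flags; a flag means 'identify this first', never 'remove'."""
    if entry.section == "O10":
        entry.flags.append("Winsock LSP: HJT lists good and bad layers alike")
    if "(no name)" in entry.body or "Unknown owner" in entry.body:
        entry.flags.append("no name/owner: identify file before deciding")
    if entry.path and not entry.path.lower().startswith(EXPECTED_ROOTS):
        entry.flags.append("file outside standard locations")
    return entry

def triage_log(text: str) -> list:
    """Parse every entry line in an HJT log and flag the ones worth a closer look."""
    return [triage(e) for line in text.splitlines() if (e := parse_line(line))]

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(e.section, e.path, e.flags)
```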

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Please do the following:
    • Download combofix.exe by sUBs to your computer's Desktop.
    • Alternate Download
    • (If you already have a previous version, delete it and download a new version).
    • Double click combofix.exe & follow the prompts.
      Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.
    When it finishes, it ought to
    • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
    • Restore your Internet connection.
    IMPORTANT:
    • Do not use your computer while Combofix is running.
    • Do not mouseclick combofix's window while it's running. That may cause it to stall.
      If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
    Please post that log for us. You can copy&paste this one into this thread.

  8. #8
    Join Date
    Apr 2008
    Posts
    5
    ComboFix 08-04-13.3 - Brandon Hutchcroft 2008-04-14 21:22:53.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.205 [GMT -4:00]
    Running from: C:\Documents and Settings\Brandon Hutchcroft\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

  9. #9
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Age
    69
    Posts
    33
    OK we found the ROOT of the problem: Trojan.PurityScan .......unfortunately the trial version of Spyware Doctor canNOT remove it....apparently the full version can. NOW, we need YOUR help

  10. #10
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Age
    69
    Posts
    33
    This is the result he got. I ran combofix.exe on my machine also and got a huge log...anyways he went to eat and is running Spyware Doctor Starter Edition (from the Google Pack) while he eats. On my comp the "log" just popped up when it was finished...there was no log in C:\Combofix on MY comp....also when I ran it Zonealarm popped up a notice wanting to connect something that began with an "n" ...in MY case I neither allowed nor denied it. His Zonealarm popped up the same thing and since mine produced a log anyways .....I told him to disregard the Zonealarm notice...I don't know if this was correct or not.
    Last edited by Ghot; 04-14-2008 at 09:25 PM.
