Name: ron
i keep getting 2 recurrent error messages, repeating themselves only minutes apart
error 80070776, script error at clickspring.net/cs/pisces (and it varies using different signs of the zodiac) also, an error that says "Program Manager" manager is busy. Retry?
neither seems to stop or block any applications, just a real pain in the ass to close them every few minutes.
both seemed to start after i downloaded Panicware Pop-up Stoppers about a month or so ago.
i have windows 98
any suggestions on how to resolve?
ron

There may be something lurking in the startup files causing all the problems you are experiencing.
To check things out, suggest the following:
Download StartUpList from: http://www.lurkhere.com/~nicefiles/
Extract it, double click on it, and it will generate a text file (NotePad) listing items loaded when Windows starts.
To copy, go to Edit on the menu bar, and click on: Select All.
After all the entries are highlighted, go back to Edit>Copy. Paste the copied text on this post. Then, we'll take a gander.

thanks for the FZWG,
here is the header for one of the clickspring error messages.
any ideas?
sorry the header wouldn't post
clickspring

FZWG
I have had the same annoying problem and have followed various recommended paths, including some posted here last week. Nothing has worked. Here is my start-up list that you suggested ron follow. Do you see anything that might be the source of this? If yes, what is the solution to fix?
Thanks in advance, Sean
StartupList report, 1/18/2003, 6:40:53 PM
StartupList version: 1.51
Started from : C:\Documents and Settings\Sean\Local Settings\Temp\Temporary Directory 2 for startuplist151[1].zip\StartupList.exe
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\KFH\cl\launcher.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\dpps2.exe
C:\WINDOWS\System32\winservn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NETWOR~1\v11\NE.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Documents and Settings\Sean\Local Settings\Temp\Temporary Directory 2 for startuplist151[1].zip\StartupList.exe
---------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Digital Line Detect.lnk = ?
---------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ContentService = C:\WINDOWS\System32\winservn.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
---------------------
Enumerating Browser Helper Objects:
(no name) - C:\WINDOWS\TPS108.DLL - {0000026A-8230-4DD4-BE4F-6889D1E74167}
SmartPops - C:\Program Files\Network Essentials\v11\NE.DLL - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B}
---------------------
Enumerating Task Scheduler jobs:
FRU Task #Hewlett-Packard#Deskjet#5550.job
McAfee.com Update Check (D1G2R721-Owner).job
McAfee.com Update Check (D1G2R721-Sean).job
---------------------
Enumerating Download Program Files:
[{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://207.246.124.105/cabs/ROOSTRS3002/TPS108.cab
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37635.2677893518
[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/pornmoviepost/Browser_Plugin.cab
[{EB6AFDAB-E16D-430B-A5EE-0408A12289DC}]
CODEBASE = http://download.mediacharger.com/movieplace.cab
---------------------
End of report, 4,651 bytes
Report generated in 0.203 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

At first glance, there are a couple of entries considered undesirables:
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\KFH\cl\launcher.exe
For example, launcher.exe is considered a spyware component related to DownloadWare and found in Program Files\KFH.
Would consider using Spybot Search and Destroy to eliminate most spyware/adware/foistware concerns. It is found here: http://security.kolla.de/
To install, create a new folder for SpybotSD.
Download SpybotSD to the folder, run the setup (.exe) file to install it.
Once installed, go to Start>Programs and select SpybotSD.
Click the Online tab and: Search for Updates, make selection from the updates presented (may not need to update the program itself), and click: Download Updates. Close Internet Explorer.
Click: Check All to run a scan. After the scan is run, some boxes are checked and others not. Remove the checked items. The non-checked items are mainly "cleanup" options. Use the Help guide for further guidance on these.
(If you wish, go to the Settings tab>File Sets, and uncheck 'System Internals' and 'Tracks'. Unchecked items will not appear after the scan. These aren't needed for the present purpose, and can be selected later on.)
Reboot after running SpybotSD, even if not prompted.

More than likely, the following is causing the error 80070776 clickspring issue:
ContentService = C:\WINDOWS\System32\winservn.exe
PurityScan/winservn. Adware. (ClickSpring is the maker of PurityScan.)
Give this a whirl: Go to http://www.spywareinfo.com/downloads.php#det , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show its contents on this post.
---
Also, a closer check of the StartUp List shows a few other undesirable Browser Helper Objects (BHOs), ActiveX objects, etc.
[{11111111-1111-1111-1111-111111111111}]
CODEBASE =
[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE =
[{EB6AFDAB-E16D-430B-A5EE-0408A12289DC}]
CODEBASE =
SmartPops - C:\Program Files\Network Essentials\v11\NE.DLL - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B}
NetworkEssentials. Installed by DownloadWare. Adware, spyware.
C:\Program Files\KFH\cl\launcher.exe Also installed by DownloadWare.

FZWG
Here is the content of my Hijack scan. Have not performed the Spybot Search yet.
Please advise, Sean
Logfile of HijackThis v1.91.2
Scan saved at 7:08:37 PM, on 1/20/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=127.0.0.1;http://localhost
O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\TPS108.DLL
O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Network Essentials\v11\NE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://207.246.124.105/cabs/ROOSTRS3002/TPS108.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37635.2677893518
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://pluginaccess.com/pornmoviepost/Browser_Plugin.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/movieplace.cab

The following approach is suggested to rid the various malware entries on your PC:
First, check the following items, and have HijackThis! fix them:
O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\TPS108.DLL
O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Network Essentials\v11\NE.DLL
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} -
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} -
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} -
Reboot computer.
Second, go to Control Panel/Add/Remove Programs, look for:
'Downloadware' and 'NetworkEssentials' or 'MediaLoads Enhanced' entries. If found, uninstall them all.
Third, go to C:\WINDOWS\System32\, and locate this file: winservn.exe
Delete it.
Reboot again.
Fourth, go to:
Download: SpyBotS&D , unzip and run it.
Use the online tab to update all.
From the File Sets {lower right} set it to: Spyware Check only, and run the scan.
It will detect and list all the malware remnants.
Have it fix all red marked entries found.
(You can uncheck 'Alexa Related', and references to IE and Media player ID's.)
Also, as mentioned in a previous response, the following two undesirables are running:
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\KFH\cl\launcher.exe
SpyBotS&D should remove these, as well as any Casino related malware. To check on the latter:
-Go to Start>Run, key in: Regedit and go to the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
-Remove the 'DownloadWare' value.
-Open the Task Manager (Ctrl-Alt-Del) and kill the task called 'Dw' if it is still running.
-Delete the 'DownloadWare' folder in the Program Files directory.
-Clean up the 'DownloadWare' and 'WebInstall' keys in HKEY_CURRENT_USER\Software\.
Post back with results, and as to whether the 80070776 error message is still kickin’.

Let's try these again:
O2 - BHO: (no name) - {0000026A-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\TPS108.DLL
O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Network Essentials\v11\NE.DLL
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://207.246.124.105/cabs/ROOSTRS3002/TPS108.cab
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://pluginaccess.com/pornoviewpost/Browser Plugin.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download,mediacharger.com/movieplace.cab
Fourth, go to: http://security.kolla.de/index.php?lang=en&page=download
Download: SpyBotS&D

FZWG
Performed all of your suggestions in Responses 7 @ 8 with one exception. Access was denied in attempting to delete winservn.exe. Message read: disk full, write-protected or in use.
FYI-During SpyBot download process, the script error message was more aggressive than ever. Couldn't click it away fast enough. Almost like it was sensing the end.
Ten minutes and (fingers crossed) no message. Will post tomorrow if fix was successful. Thanks again.

Hopefully we are seeing the light at the end of the tunnel, and it is not another train from the opposite direction!
Do a Ctrl+Alt+Del to end task on winservn.exe before deleting it, or boot into Safe Mode and try deleting it from there.
Post back.

To all of those that have encountered this insidious clickspring error message and have located this support page, you need to follow FZWG's advice.
Previous suggested repairs from support personnel and IT's did not work. I've been online for 4 hours since completing the downloads and cleansings, and have not received this script error for the first time in a month.
I hope none of you have to go through this annoyance. Thanks again, FZWG, but please check this site occasionally in case this is only a temporary fix. (I hope not to be back, but you never know).

Glad to help, many have helped when I've been in deep trouble. However, cannot take all the credit. Had plenty of info provided by other sources and experts.
We might not be totally finished, though.
Take a look at another source that follows, found at the following web page: http://www.cexx.org/winservs.htm
>>>
Advertising Spyware: Clickspring WinServs / PuritySCAN / sear1
(WINSERVS.EXE, sear1.exe)
PurityScan is a program distributed by Clickspring LLC, an advertising company. Its stated purpose is to scan your computer for hidden pornographic materials and allow you to remove them.
Upon first loading, PuritySCAN (often named PuritySCAN.exe or sear1.exe) will scan your IE files (browser cache, history, and cookies) for occurrences of "dirty words" relating to pornography. (To avoid getting myself branded as a porn site, the list of words will be left to the reader's imagination.) The program will then display a list of any files found to contain the words. It will also drop a copy of itself in the Windows StartUp folder as "WINSERVS.EXE". This copy will load at start-up and spawn massive quantities of large popup ads when the user is online. On our test installation, the parasite spawned 14 popup windows in a 45-minute idle period, averaging one popup every 3.2 minutes.
NOTE: "Winservs.exe" may go under different names, a now common one being "winservn.exe". Keep this in mind when following removal instructions.
Infection method:
The WINSERVS task is typically installed by running the Purity Scan program from purityscan.com. However, Clickspring offers an affiliate program that pays Webmasters to get people to run the program, which may provide incentive for sites to attempt to load it in a dishonest manner. The specimen we obtained did not display the License Agreement and reported back what appeared to be an affiliate's username.
Removal Procedure:
Press Ctrl-Alt-Del once to bring up the End Task dialogue. Highlight "WINSERVS" and select End Task. (It may take a few moments for a "not responding" warning to appear. Press End Task again.)
Now remove WINSERVS.exe from your StartUp folder. This can be done by going to Start > Settings > Taskbar, and clicking on the Start Menu tab. Select "Remove". Find the StartUp folder on the list that appears, select it if necessary, and delete the WINSERVS entry that appears there.
More Information:
The Privacy Policy states that Clickspring will sell information you provide (name, email address, age, gender, zip code, country of residence) to third parties for marketing purposes.
On our test installation, the program found only 1 'objectionable' file (a non-pornographic image file, whose binary data happened to contain the string 'pics'), even after intentionally visiting a pornographic Web site and sites containing terms in the program's "naughty word list".
<<<
Check out and follow up on the above to make sure all is gone.
Post back with update.

Went through the steps suggested from cexx.org and didn't locate winservs.exe or winservn.exe. I think I was able to purge last night following your recommendation.
Two things, though. I did have a file named winsrv.dll that appears benign so I did not delete. I think it's Window legitimate. Concur?
Also, I did locate PuritySCAN and deleted. Proper move?
Now that I have Spybot S&D installed, do you recommend I run regularly and fix all red checked items (except Alexa and IE)?

winsrv.dll
From what I find, it appears that this dll is normally part of NT. Have no clue as to why it is there if you run W98. You might want to do a new posting concerning just winsrv.dll, and not relate it to anything on this thread to see if you get some new input. Like you say, it appears just like a totally harmless file.
In your shoes, would do a Registry 'Find' for PurityScan and for Click Spring. (Start>Run, key in: regedit. In the Registry Editor frame, click on Edit, and select Find. In 'Find What:', enter the info. Have keys, values and data checked. Hit 'Find Next'.)
If something shows up, post it before you delete it. Hopefully you will come up blank.
Also, for comparison purposes, you may want to consider running and posting another copy of StartUpList, just to compare the before and after. It is up to you entirely.
On SpyBot, run it whenever you like. I run it every week or two, whenever I remember. With the stuff websites use to stay alive, etc., you never know what is going to end up on your PC. It is a good program, as you found out.
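
The before/after StartUpList comparison suggested above can be done mechanically. The following is an added example, not part of the original thread and not code from StartupList: the function names and the watchlist are chosen here, the two sample reports are constructed by trimming entries from the thread's 1/18 and 1/27 reports, and the parser assumes each divider and section title sits on its own line.

```python
import re

SEPARATOR = re.compile(r"^[-=]{10,}$")        # section divider line
CONTEXT_PREFIXES = ("HKLM\\", "HKCU\\", "[")  # registry key or [heading]

def parse_startuplist(report):
    """Return {section title: {casefolded entry: entry as written}}."""
    sections, title, expect_title, context = {}, None, False, ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("End of report"):
            break                      # ignore the command-line help trailer
        if SEPARATOR.match(line):
            expect_title, context = True, ""
            continue
        if expect_title:
            title, expect_title = line.rstrip(":"), False
            continue
        if title is None:              # report header, before the first divider
            continue
        if line.startswith(CONTEXT_PREFIXES):
            context = line             # later entries are prefixed with it
            continue
        entry = f"{context} {line}".strip()
        # Windows paths are case-insensitive, so key on the casefolded text.
        sections.setdefault(title, {})[entry.casefold()] = entry
    return sections

def compare(before, after):
    """Per section: entries removed, added, and present in both reports."""
    diff = {}
    for title in sorted(set(before) | set(after)):
        b, a = before.get(title, {}), after.get(title, {})
        diff[title] = {
            "removed": sorted(b[k] for k in b.keys() - a.keys()),
            "added": sorted(a[k] for k in a.keys() - b.keys()),
            "remaining": sorted(a[k] for k in a.keys() & b.keys()),
        }
    return diff

def still_flagged(sections, watchlist):
    """Entries of one parsed report that contain any watchlist substring."""
    needles = [w.casefold() for w in watchlist]
    return sorted(entry for entries in sections.values()
                  for key, entry in entries.items()
                  if any(n in key for n in needles))

# Constructed samples, trimmed from entries in the thread's 1/18 and 1/27 reports.
BEFORE = r"""StartupList report, 1/18/2003, 6:40:53 PM
==================================================
Running processes:
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\KFH\cl\launcher.exe
C:\WINDOWS\System32\winservn.exe
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ContentService = C:\WINDOWS\System32\winservn.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
---------------------
Enumerating Download Program Files:
[{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://207.246.124.105/cabs/ROOSTRS3002/TPS108.cab
---------------------
End of report, 4,651 bytes
"""
AFTER = r"""StartupList report, 1/27/2003, 7:55:56 PM
==================================================
Running processes:
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\KFH\cl\launcher.exe
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
---------------------
Enumerating Download Program Files:
[{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://207.246.124.105/cabs/ROOSTRS3002/TPS108.cab
---------------------
End of report, 4,197 bytes
"""
# Substrings for items the thread calls undesirable (list chosen for this example).
WATCHLIST = ["winservn.exe", r"\DownloadWare\dw.exe", r"\KFH\cl\launcher.exe", "TPS108"]

if __name__ == "__main__":
    after = parse_startuplist(AFTER)
    for title, change in compare(parse_startuplist(BEFORE), after).items():
        print(title, "removed:", change["removed"])
    print("still flagged:", still_flagged(after, WATCHLIST))
```

Keying on casefolded text keeps the mcagent.exe path, which the two reports spell with different letter case, from showing up as one entry removed and another added.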

thanks sean and fzwg, i think i have eliminated the problem...i haven't had a computer for very long so most of what you said above didn't make any sense to me...
but i did find 2 things:
1. in the add/remove program screen i found downloadware and removed it...i didn't find any of the others
2. on start>program>start up i found that purityscan.winservs had been installed as a part of my start up menu...i uninstalled it
that was 36 hours ago and i haven't had the 80070776 clickspring error message since...or any other error message for that matter
thanks for your help you two

FZWG
I'm running on XP. Brand new Dell PC, all my installed programs came with it from Dell.
Located PurityScan in my Registry Find, but unable to post. Don't know how to get it from there to here.
Here is what my StartUpList currently looks like now. Anything jump out at you?
StartupList report, 1/27/2003, 7:55:56 PM
StartupList version: 1.51
Started from : C:\Documents and Settings\Sean\Local Settings\Temp\Temporary Directory 3 for startuplist151[1].zip\StartupList.exe
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\KFH\cl\launcher.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\dpps2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sean\Local Settings\Temp\Temporary Directory 3 for startuplist151[1].zip\StartupList.exe
---------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Digital Line Detect.lnk = ?
---------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
---------------------
Enumerating Task Scheduler jobs:
FRU Task #Hewlett-Packard#Deskjet#5550.job
McAfee.com Update Check (D1G2R721-Owner).job
McAfee.com Update Check (D1G2R721-Sean).job
---------------------
Enumerating Download Program Files:
[{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://207.246.124.105/cabs/ROOSTRS3002/TPS108.cab
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37635.2677893518
[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/pornmoviepost/Browser_Plugin.cab
[{EB6AFDAB-E16D-430B-A5EE-0408A12289DC}]
CODEBASE = http://download.mediacharger.com/movieplace.cab
---------------------
End of report, 4,197 bytes
Report generated in 0.125 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

sean, i don't know for sure but you may be over-complicating the situation...please read mine above to see the simple solution i found to eliminate the problem...what do you think, fzwg?

Sean,
In order to print the Registry key that has the PurityScan entry, do the following:
(Assuming that you used Start>Run>Regedit, and expanded (+) the key that was found.)
-Select the key on the right hand side of the Registry Editor that you want to print.
-Go to the Menu Bar in the top left of the screen, and choose: Registry, and then: Print. The Print Registry dialog box appears.
-Select the printer you want to print to in the printer Name drop-down list. (If it is not already there.)
-Choose Selected Branch in the Print Range box. (The edit field contains the name of the key you selected. If the name is wrong, type in the correct name.)
Choose OK. It should print, and then we can take it from there.
ron,
Thanks very much for your input.
What Sean is doing is a very thorough check, and it is a very good and smart move on his part.
Although the removal of some malware entries sometimes 'appears' successful, some of these things have deep roots. Programs like SpyBot Search and Destroy, and HijackThis! are made to act against malware. The StartUp List pinpoints the trouble spots.
You might want to consider downloading the StartUp List also. Then you will know exactly what gives.

FZWG
I've printed out the contents of PurityScan from the Registry Editor. It has a Key Name, a Value Name, and a Type. What do I need to post to explore further?
Was there anything in my current StartUp List that needs attention?
Sean

Sean,
Post the entire thing for PurityScan, if you can.
The StartUpList looks pretty good. The entry that was giving you the problem is gone. There are some undesirable remnants still showing, such as:
Enumerating Download Program Files:
[{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://207.246.124.105/cabs/ROOSTRS3002/TPS108.cab
[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/pornmoviepost/Browser_Plugin.cab
[{EB6AFDAB-E16D-430B-A5EE-0408A12289DC}]
CODEBASE = http://download.mediacharger.com/movieplace.cab
These goodies will have to be deleted manually, but that is OK. Want to see what the Registry is showing for Purity Scan, and then we will give it the ax and wrap it all up.

FZWG
Here's the Registry Editor Entry:
Key Name: HKEY_USERS\S-5-21-1186477138-1506075543-2382527365-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\reg
Class Name:
Last Write Time: 1/24/03 - 6:14 PM
Value 0
Name: a
Type: REG_SZ
Data: C:\Documents and Settings\Sean\My Documents\PurityScan.reg
Value 1
Name: MRUList
Type: REG_SZ
Data: a
Any action recommended? What about the "undesirable remnants" left in my Start Up. What would be the most effective and permanent way of deleting these?
Ron- FZWG is correct. Had a brief period a couple of weeks ago where ClickSpring was dormant after following a Support Tech's advice. Now I just want a totally clean system.

Sean,
These are the entries that we need to get rid of in the StartUpList:
In Running Processes:
C:\Program Files\KFH\cl\launcher.exe
See if you have an entry in Control Panel>Add/Remove Programs with the name of a Casino followed by '-launcher'.
Check the Task Manager and kill the task if it is there.
Go to C:\Programs, and delete the KFH folder.
Check the Registry key: HKLM\Software\KFH. If there, clean it up.
In Enumerating Download Program Files:
[{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://207.246.124.105/cabs/ROOSTRS3002/TPS108.cab
[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/pornmoviepost/Browser_Plugin.cab
[{EB6AFDAB-E16D-430B-A5EE-0408A12289DC}]
CODEBASE = http://download.mediacharger.com/movieplace.cab
The above are ActiveX objects. To get rid of them, open up Internet Explorer>Tools>Internet Options>Temporary Internet Files>Settings>View Objects. Right click each one, and delete.
On the following Registry key:
HKEY_USERS\S-5-21-1186477138-1506075543-2382527365-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\reg
Non-issue.
This is a MRU (Most Recently Used) list that holds a usage 'history', so to speak, of where the PC has been, etc. It is like a log of activities.
After all of the above, you can run another StartUpList, and hopefully we will be calling you MR. CLEAN!!

FZWG
How'd I do?
StartupList report, 1/29/2003, 9:18:48 PM
StartupList version: 1.51
Started from : C:\Documents and Settings\Sean\Local Settings\Temp\Temporary Directory 4 for startuplist151[1].zip\StartupList.exe
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\dpps2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sean\Local Settings\Temp\Temporary Directory 4 for startuplist151[1].zip\StartupList.exe
---------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Digital Line Detect.lnk = ?
---------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
---------------------
Enumerating Task Scheduler jobs:
FRU Task #Hewlett-Packard#Deskjet#5550.job
McAfee.com Update Check (D1G2R721-Owner).job
McAfee.com Update Check (D1G2R721-Sean).job
---------------------
Enumerating Download Program Files:
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37635.2677893518
---------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: \??\C:\DOCUME~1\Sean\LOCALS~1\Temp\tmp6B.tmp
---------------------
End of report, 4,151 bytes
Report generated in 0.093 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
