tenky Posted December 28, 2005 (edited)

Could someone please have a look at this, and tell me what I need to get rid of. This SpyAxe is driving me insane!

Logfile of HijackThis v1.99.1
Scan saved at 14:45:31, on 28/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Charlie\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp9F11.tmp
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [isass] C:\WINDOWS\system32\Isass.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101AXGB
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {12345678-1234-1234-1234-1234567890AB} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133723336859
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Thank you so much to anyone who helps me,
Tenky x

Attachment: hijackthis_log_file.txt

Edited December 28, 2005 by didom
didom Posted December 28, 2005

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
Please read Ewido Setup Instructions.
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates: Ad-Aware SE Setup
Don't run it yet!

We need to make sure all hidden files are showing so please:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Reboot Your System in Safe Mode:
Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Scan again with HijackThis and check the following items:
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp9F11.tmp
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\RunServices: [isass] C:\WINDOWS\system32\Isass.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101AXGB
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Find and delete these files and folders (if they are still there):
C:\Program Files\PartyPoker <= this folder

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:
Click on scanner.
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Next go to Control Panel, click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt (C:\smitfiles.txt) log and the Ewido Log by using Add Reply.

Let us know if any problems persist.
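As an added example (my own code, not a tool from this thread or from the helper), the Python below parses HijackThis 1.99-style entries and flags the patterns didom singled out above: a browser add-on loading from a .tmp file, a Run/RunServices entry whose filename mimics a system process (Isass.exe with a capital I standing in for lsass.exe), a context menu item that calls a remote URL, and orphaned entries marked (file missing) or (no file). The sample lines are constructed from this thread's log; the system process list and the confusable-character mapping are my assumptions.

```python
import re

# Constructed sample in HijackThis 1.99 format, built from the kinds of
# entries posted in this thread (not the complete log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp9F11.tmp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [isass] C:\WINDOWS\system32\Isass.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101AXGB
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
"""

# Assumed list of Windows process names that malware likes to imitate.
KNOWN_SYSTEM_EXES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                     "services.exe", "smss.exe", "explorer.exe"}

# Characters that look alike in Explorer/Task Manager fonts (assumed mapping).
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})
ORPHAN_TAGS = ("(file missing)", "(no file)")


def fold(name):
    """Lower-case a filename and collapse confusable characters."""
    return name.lower().translate(CONFUSABLES)


def exe_name(cmd):
    """Pull the executable filename out of a Run-key command line."""
    m = re.search(r'([^\\/"\s]+\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1) if m else ""


def triage(log_text):
    """Return (section, reason, line) for every entry worth a second look."""
    folded_known = {fold(k) for k in KNOWN_SYSTEM_EXES}
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"^(O\d+|R\d|F\d) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        if any(tag in body for tag in ORPHAN_TAGS):
            findings.append((section, "orphaned entry: referenced file is gone", line))
        elif section in ("O2", "O3") and body.lower().endswith(".tmp"):
            findings.append((section, "browser add-on loaded from a .tmp file", line))
        elif section == "O4":
            # Body looks like 'HKLM\..\Run: [name] C:\path\file.exe args'
            exe = exe_name(body.split("] ", 1)[-1])
            if exe.lower() not in KNOWN_SYSTEM_EXES and fold(exe) in folded_known:
                findings.append((section, f"startup entry mimics a system process name ({exe})", line))
        elif section == "O8" and re.search(r"https?://", body):
            findings.append((section, "context menu item calls a remote URL", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```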
tenky (Author) Posted December 29, 2005

Hey, thank you so so much for the help that you gave me. My computer now seems to be all clean, and SpyAxe, I think, is gone. I've attached the Panda ActiveScan log, HijackThis log, the contents of the smitfiles log, and the Ewido log. I would be really really grateful if you could have a quick look over them and see if there's anything left over or missed.

Thanks again for all your help, it's really really appreciated,
Tenky x

Attachments: Activescan.txt, HijackThis_Log___29.12.05.txt, smitfiles.txt, ewido_Scan_report___29.12.05.txt
didom Posted December 29, 2005

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Scan again with HijackThis and check the following items:
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp2B3B.tmp
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2
We need to make sure all hidden files are showing so please:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Step #3
Reboot Your System in Safe Mode:
Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Step #4
Find and delete these files and folders (if they are still there):
C:\Program Files\Microsoft AntiSpyware\Quarantine\F1235B3D-60B5-40FA-96FC-ADEF23\C87A2E04-AE09-4F3D-A34C-937AC7 <= this folder
Reboot your computer normally.

Step #5
Run Panda's online virus scan and perform a full system scan: Panda ActiveScan
Save the Panda ActiveScan log. Start HijackThis and perform a new scan. Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
tenky (Author) Posted December 31, 2005

Hello,
I've done everything you said apart from part of step 2. When I went to uncheck the 'Hide protected operating system files (recommended)' option, it said that if I delete or edit them it could make Windows inoperable, which I thought was a bit risky. Could you please reassure me, and tell me why I need to do this, just so I can be sure it won't break my computer.

I have attached the two logs that you asked for.

With thanks,
Tenky x

Attachments: Activescan_31.12.05.txt, hijackthislog___31.12.05.txt
didom Posted December 31, 2005

Quote: "When I went to uncheck the 'Hide protected operating system files (recommended)' option, it said that if I delete or edit them it could make Windows inoperable, which I thought was a bit risky. Could you please reassure me, and tell me why I need to do this, just so I can be sure it won't break my computer."

It's safe! You have to make all the hidden files visible because some files may be hidden and then you can't delete them! When you are clean we can hide them again!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Please run Notepad and copy the following text into a new file:

attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f

Save the file as recyclerem.bat and make sure the "Save as type" field says "All files".
This is how the batch must look afterwards:
Double-click on the file recyclerem.bat; a small DOS type window should open and close immediately.

Step #2
We need to make sure all hidden files are showing so please:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Step #3
Reboot Your System in Safe Mode:
Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Step #4
Find and delete these files and folders (if they are still there):
C:\WINDOWS\SYSTEM32\msvol.tlb <= this file
Reboot your computer normally.

Step #5
Run Panda's online virus scan and perform a full system scan: Panda ActiveScan
Save the Panda ActiveScan log. Start HijackThis and perform a new scan. Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
Marcus Posted January 1, 2006

Yeah, my computer got infected with this problem a couple of days ago. I think I got rid of it, but I still have pop ups of other stuff.
tenky (Author) Posted January 1, 2006

Hey,
I've done everything you said, and I've attached the two logs that you've asked for.

With thanks,
Tenky x

Attachments: hijackThis_Log___01.01.06.txt, Activescan_01.01.06.txt
didom Posted January 1, 2006

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Please run Notepad and copy the following text into a new file:

attrib -r -s -h %systemdrive%\RECYCLER
del %systemdrive%\RECYCLER
attrib -r -s -h %systemdrive%\RECYCLED
del %systemdrive%\RECYCLED
shutdown /r /t 0 /f

Save the file as recyclerem.bat and make sure the "Save as type" field says "All files".
This is how the batch must look afterwards:
Double-click on the file recyclerem.bat; a small DOS type window should open and close immediately.

Step #2
We need to make sure all hidden files are showing so please:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Step #3
Reboot Your System in Safe Mode:
Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Step #4
Find and delete these files and folders (if they are still there):
C:\WINDOWS\SYSTEM32\ncompat.tlb <= this file
Reboot your computer normally.

Step #5
Run Panda's online virus scan and perform a full system scan: Panda ActiveScan
Save the Panda ActiveScan log. Start HijackThis and perform a new scan. Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
Matt Posted January 16, 2006

Inactive topic... If you still need help on this problem, contact me or one of the Moderators to re-open this up.
Topic closed.