Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

yet another nasty strike by spyaxe

Post by afo » November 24th, 2005, 7:07 pm

OK, somehow I also got hit by Spyaxe. It hijacks my home page and takes me to http://www.updateyoursystem.com which sells malware, Spyaxe, SpyTrooper...

I ran ad-aware, spybot and trojan hunter + a friend of mine advised me to also try Spy Sweeper with Ewido, so I ran those too before finding my way to this site. For the anti-virus program I use F-Secure Anti-virus client security with firewalls of course. And I still have this problem.

I have some logs from scans + a hijackthis log from before everything I tried earlier, just let me know if you want to / need to see them as well.

Anyway, here is my latest Hijack This logfile.
This is the OLD Hijack This log from before I tried my friend's tricks:

Logfile of HijackThis v1.99.1
Scan saved at 0:08:38, on 24.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\F-Secure\FSGUI\fsguiexe.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helia.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp6192.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Program Files\TeleWell\ADSL USB Router\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file. ... 016edfc8eb
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O18 - Protocol: bw+0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {07908CE4-F3C3-4AA5-A550-2BE17EE1D803} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe



And this is the HT log now, when I give up...


Logfile of HijackThis v1.99.1
Scan saved at 0:49:38, on 25.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hpB5BE.tmp
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
afo
Active Member
 
Posts: 5
Joined: November 23rd, 2005, 7:31 pm

Post by Surreal2 » November 26th, 2005, 5:50 am

Hi afo - I'm checking your log now and will post back as soon as possible. Researching the log takes a little time so please be patient.

Cheers...
Surreal2
Regular Member
 
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK

Post by Surreal2 » November 27th, 2005, 7:24 am

Hi afo - the actions you've taken so far have removed a lot, but it looks like SpyAxe was installed along with Smitfraud and you still have this on your computer. SpyAxe itself seems to have gone, but a special removal tool has been developed for this infection by Noahdfear so we'll use it just to make sure.

First, though, I need to warn you that your computer may have been compromised. In the first log you posted (before you ran the various tools) there's a running process named C:\WINDOWS\system32\nvctrl.exe. This trojan may have allowed attackers to access your computer and steal passwords and personal data.

The program is not there in the second log you posted, but you may want to consider what sort of information you store on your computer and whether it would be safer to change passwords used to access the computer/websites/email accounts etc; and to contact your bank/credit card companies etc for advice if the computer holds financial data or has been used for online financial transactions.

++++

That said, let's get on with cleaning the remaining malware on your computer.

First, please temporarily disable the real time protection functions of the following as they may interfere with the fixes:
    Trojan Hunter Guard - look for the icon in the lower right corner of your screen (light blue magnifying glass with a red handle), right-click on it and select 'Settings', then click to UN-check both 'Load at startup' and 'Enabled'.

    Ewido Security Suite - if there is an icon in the lower right corner right-click on it and UN-check 'Real time protection'…if there is no icon, open Ewido and look under 'Your security status' - if real time protection is active, deactivate it by clicking 'Real time protection' until the status says 'Inactive'
Step 1
  • Click HERE to download smitRem.exe © noahdfear and save it to your desktop - DO NOT RUN IT YET
  • Click HERE to download SpyAxeFix.exe © noahdfear and save it to your desktop - DO NOT RUN IT YET
  • Start your copy of Ad-Aware, click 'Help --> About' and check you have the latest version 1.06 (if not, download the latest from HERE), then click the 'globe' button to check for and download any updates and then close the program - DO NOT RUN A SCAN YET
  • Start your copy of Ewido, check for and download any updates and then close the program - DO NOT RUN A SCAN YET

Please print out the rest of this post or copy it to Notepad as you will now need to restart your computer in Safe Mode and won't have access to the Internet

Step 2
  • Restart your computer in Safe Mode (restart it and immediately begin repeatedly tapping the 'F8' key until a menu appears, use the arrow keys to highlight 'Safe Mode' and click the 'Enter' key)
  • Show hidden files - go Start --> Control panel --> Folder options, select the View tab, choose to 'Show hidden files and folders' and UN-check both 'Hide protected operating system files' and 'Hide extensions for known file types', then click 'OK' to close the window
Step 3
  • In Safe Mode, start HijackThis and click 'Do a system scan only', then click to place a checkmark against the following entry:

    O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hpB5BE.tmp

    Ensure there are no open windows/programs except for HijackThis, and click 'Fix checked', then close HijackThis
  • Using Windows Explorer, look for and delete the following file:

    C:\WINDOWS\system32\hpB5BE.tmp <-- delete all instances of files beginning with 'hp' and ending with the '.tmp' extension and having any random letters/numbers between them
  • Click or double-click on the smitRem.exe file on your desktop and extract the program into its own folder on the desktop. Ensure there are no other open programs/windows on your computer then open the folder and click or double click the RunThis.bat file to start the tool. Follow the prompts and then wait for the tool to complete and disk cleanup to finish. A log named smitfiles.txt will be created in the root of your drive (eg Local Disk C: or the partition where your operating system is installed)
  • Ensure all other programs/windows are closed then start Ad-Aware and perform a full system scan - remove all it finds
  • Ensure all other programs/windows are closed then start Ewido, click on 'scanner' and then click 'Complete System Scan' to begin the scan (see note below). When the scan is finished, click 'Save report' and save the report to your desktop, then close Ewido

    NOTE: we are finding cases of 'false positives' with Ewido so you will need to step through the process of cleaning files one-by-one. If ewido detects a file you know is legitimate, or if you are unsure of any entry, select 'None' as the action - DO NOT select 'Perform action on all infections'.
  • Next go Start --> Control Panel --> Display --> Desktop --> Customize Desktop --> Web and UN-check 'Security Info' if present
  • Ensure all other programs/windows are closed then click or double-click the SpyAxeFix.exe file on your desktop and then click 'Start' to extract the tool to its own folder. Open the folder and click or double click the SpyAxeFix.bat to start the tool. At one point when the tool runs, your taskbar will disappear (this is normal). Your computer will restart when the tool completes and a text file named spyaxe.txt will be created in the SpyAxeFix folder
  • When your computer has restarted, click HERE to visit the Panda ActiveScan website
    • Click the 'Scan your PC' button (about halfway down the page) and in the new window that opens click the 'Check Now' button
    • Enter your Country, State/Province and e-mail address (it is safe to do so) and click 'Send', then select either 'Home User' or 'Company' and click the big 'Scan Now' button
    • If Panda asks to install an ActiveX component allow it to do so - it will then download the files it requires (which may take a few minutes)
    • When the download is finished click on 'Local Disks' to start the scan
    • When the scan completes, if anything malicious is detected, click the 'See Report' button, then 'Save Report' and save it to your desktop

Finally, run HijackThis again and post back with the following logs (you may have to put them in separate posts):
  • HijackThis
  • smitRem
  • Ewido
  • SpyAxe
  • Panda
Also, please let me know how your computer is behaving now.


Cheers…
Surreal2
Regular Member
 
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK
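The two logs afo posted and the HomepageBHO entry Surreal2 singles out can be checked mechanically. The Python below is an added example written for this page, not a tool from the thread, from noahdfear, or from HijackThis: it parses the 'Running processes' block and the R/O entries of a HijackThis 1.99.1 log, flags a BHO loaded from a temp-named file in system32, flags Run entries and processes whose names are on a short indicator list taken from this thread (spyaxe, mssearchnet.exe, nvctrl.exe), and diffs the process lists of two logs. The embedded log excerpts are constructed from the logs above and heavily shortened; the indicator list and the .tmp-BHO heuristic are assumptions made for the demo, not a signature database.

```python
import re
from typing import List, Tuple

# Constructed sample input: short excerpts of the two HijackThis 1.99.1 logs
# quoted in this thread (first = before cleanup, second = after). The real
# logs are much longer; only lines relevant to the heuristics are kept.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helia.fi/
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp6192.tmp
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hpB5BE.tmp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# HijackThis entry lines look like "O4 - HKLM\..\Run: [...] ..." or "R0 - ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Heuristic (assumption): a BHO is a DLL that legitimate software installs
# under a stable name. One loaded from a random hpXXXX.tmp in system32 is the
# marker seen in both logs in this thread.
TMP_BHO_RE = re.compile(r"\\system32\\hp[0-9a-f]+\.tmp$", re.IGNORECASE)
# Indicator names lifted from this thread. Assumption: a short list is enough
# for a demo; a real helper would consult a maintained database.
BAD_NAMES = ("spyaxe", "mssearchnet.exe", "nvctrl.exe")


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a HijackThis log into (running processes, [(section, body)])."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return processes, entries


def flag_entries(entries: List[Tuple[str, str]]) -> List[str]:
    """Bodies of O2/O4 entries matching the .tmp-BHO or indicator heuristics."""
    flagged: List[str] = []
    for sec, body in entries:
        if sec == "O2" and TMP_BHO_RE.search(body):
            flagged.append(body)
        elif sec == "O4" and any(n in body.lower() for n in BAD_NAMES):
            flagged.append(body)
    return flagged


def flag_processes(processes: List[str]) -> List[str]:
    """Running processes whose file name is on the indicator list."""
    return [p for p in processes if p.rsplit("\\", 1)[-1].lower() in BAD_NAMES]


def diff_processes(before: List[str], after: List[str]) -> Tuple[List[str], List[str]]:
    """(gone, new) process paths between two logs, compared case-insensitively."""
    b = {p.lower(): p for p in before}
    a = {p.lower(): p for p in after}
    gone = [b[k] for k in b if k not in a]
    new = [a[k] for k in a if k not in b]
    return gone, new


if __name__ == "__main__":
    procs_b, ents_b = parse_hjt(LOG_BEFORE)
    procs_a, ents_a = parse_hjt(LOG_AFTER)
    for body in flag_entries(ents_b) + flag_processes(procs_b):
        print("before cleanup:", body)
    for body in flag_entries(ents_a):
        print("still present after cleanup:", body)
    gone, new = diff_processes(procs_b, procs_a)
    print("processes gone:", gone)
    print("processes new:", new)
```

Run as a script it prints the flagged lines from each log. The thing worth noticing is that the HomepageBHO entry survives the first round of tools: it is still in the second log, under a new random hpXXXX.tmp name. That is why Surreal2's Step 3 fixes the O2 entry and then has afo delete every hp*.tmp in system32 rather than one named file.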

Post by afo » November 28th, 2005, 6:08 am

Thanks a lot for your help! Don't know what I would have done without your help.

Computer start up is now a lot faster but the internet seems to have slowed down a bit. Another thing I noticed is that my F-Secure anti-virus program isn't running properly. Could it be overlapping with ewido / spy sweeper? Do they slow each other down?

Another thing I noticed is that my IE browser jumps between active and inactive windows. For example when I am writing this message the screen becomes inactive, like it is running in the background, and I need to click on it again to make it active. Why?

Then considering the future now, what applications do you recommend I use for blocking adware and spyware? Preferably freeware or not too expensive. So far I have been quite happy with F-Secure protection but obviously it doesn't help with adware and spyware. Is there a possibility that some programs like ewido and spy sweeper could be interfering with each other, stopping them running properly and slowing down the whole computer?

Anyway, here are the logs as you asked for...
Cheers mate!!!




Logfile of HijackThis v1.99.1
Scan saved at 12:01:57, on 28.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Last edited by afo on November 28th, 2005, 6:27 am, edited 1 time in total.
afo
Active Member
 
Posts: 5
Joined: November 23rd, 2005, 7:31 pm

Unread postby afo » November 28th, 2005, 6:17 am

smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: su 27.11.2005
The current time is: 22:22:04,29

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Remaining Post-run Files


~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)





---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 23:34:15, 27.11.2005
+ Report-Checksum: 69B5AC39

+ Scan result:

C:\Documents and Settings\acer\Cookies\acer@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\acer\Cookies\acer@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20051127-220938-420.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B7C9A981-B8EC-41C4-8C07-5A7354B665BF}\RP221\A0043561.exe -> TrojanDownloader.Zlob.bk : Cleaned with backup
C:\System Volume Information\_restore{B7C9A981-B8EC-41C4-8C07-5A7354B665BF}\RP223\A0043648.exe -> TrojanDownloader.Zlob.bm : Cleaned with backup
C:\System Volume Information\_restore{B7C9A981-B8EC-41C4-8C07-5A7354B665BF}\RP223\A0043650.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\backups\backup-20051124-001450-269.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End







SpyAxeFix © by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: su 27.11.2005
The current time is: 23:39:03,11

spyaxe directory present

spyaxe uninstaller present

Starting spyaxe uninstaller

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of spyaxe.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1612 'explorer.exe'
Killing PID 1612 'explorer.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

svchosts.dll present

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"








Panda scan
28.11.2005 02:34


Incident Status Location

Adware:adware/wupd Not desinfected C:\WINDOWS\system32\ide21201.vxd
afo
Active Member
 
Posts: 5
Joined: November 23rd, 2005, 7:31 pm

Unread postby Surreal2 » November 29th, 2005, 5:36 am

Hi afo - good job…HijackThis log is now clean...smitRem found nothing (looks as though you removed Smitfraud with the previous tools just leaving the stray 02 entry in HijackThis)...Ewido removed a few more bits of rubbish...and the SpyAxe tool found the remnants of this infection and removed it.

The Panda scan found a browser hijacker - SearchRelevancy. This could well explain the problems you're having with the Internet. SearchRelevancy adds advertising links to search engine results, disguised as real results from the search engine itself. Searches can become much slower, as it tries to fetch results from its link server before displaying any of the page - and during this delay, Internet Explorer becomes inoperable and fails to respond to clicks. We'll get rid of SearchRelevancy easily enough.

As to your other questions - SpySweeper won't specifically conflict with your F-Secure AV. Running two AVs CAN cause conflicts and actually reduce the protection, but it's fine to run an AV with other tools that target adware or spyware.

On the other hand, there may be problems with running several 'real time protection' functions from different programs. You have Ewido, Trojan Hunter and SpySweeper. I'd suggest testing each of these in turn by keeping one active and disabling the other two - and then using the computer for a while to see whether problems persist when using one, a combination of two and all three. Let me know if that makes a difference - and particularly whether any of the combinations ends the problems with the AV.

As to the future - I usually post some recommendations on protection software once the computer is clean, so let's get on with removing SearchRelevancy, after which I'll need one more post to finish cleaning the malware from your computer and will then offer some recommendations.

As before, you might want to print out the rest of this post or copy it to Notepad so you can refer to it in Safe Mode.

First, check under Add/Remove programs - if there is an entry for 'Search Relevancy' or 'Search Relevant' choose to uninstall it (ignore any repeated pleas it makes to be kept installed and ignore any claims it makes that it needs a network connection to uninstall - just persist with removing it).

Don't worry if there's no entry under Add/Remove as the next steps will make sure it's gone:
  • Go Start --> Run and type in cmd
  • In the Command Prompt window that opens type in the following lines, pressing the 'Enter' key after each line and waiting for the blinking cursor to appear before typing in the next line:

      cd "%WinDir%\System"

      regsvr32 /u "\Program Files\SearchRelevancy\searchrelevancy.dll"

      regsvr32 /u "\Program Files\SearchRelevant\searchrelevant.dll"

Restart your computer in Safe Mode

In Safe Mode, use Windows Explorer to navigate to the following and delete them if present:
  • C:\Program Files\SearchRelevancy <-- delete this entire folder OR a folder named SearchRelevant
  • C:\WINDOWS\System32\ide21201.vxd <-- delete this file

After you've done that, go Start --> Run and in the dialogue box type in: cleanmgr
  • If you have more than one hard drive or hard drive partition, choose each in turn from the drop down box (ignoring floppy/CD/DVD drives)
  • When the computer has scanned the drive, place a checkmark against all the entries in the dialogue box except for 'Compress old files' (unless you want to do this), then click 'OK' to remove the temporary files (if you haven't done this before it might take a while; this is normal)

Restart your computer in Normal Mode

In Normal mode, start Internet Explorer and click on Tools --> Internet Options and choose the 'General' tab
  • Click 'Delete Files', then click in the window that opens to place a check against 'Delete all offline content', and finally click 'OK' (again, this might take a while, which is normal)
  • Click 'Clear History' and then click 'OK'
  • I would also recommend clicking on 'Delete Cookies' and then clicking 'OK' (Note - deleting the cookies is likely to mean that you will have to re-enter usernames/passwords to access certain sites, including web-based e-mail accounts)
  • Now move to the 'Programs' tab and click 'Reset Web Settings', then click 'OK' to close the dialogue box
  • If you have more than one user account on the computer, please log into each account in turn and complete the previous steps


Now please use your computer as normal for a while, including browsing the Internet and testing the various combinations of real-time protection. Then run HijackThis once more and post back with a new log and let me know how your computer is behaving and if you are still having any problems - particularly with the AV - then there will be just a couple more important steps to take to finish cleaning the malware from your computer.

Cheers…
Surreal2
Regular Member
 
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK
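The helper's reading of the HijackThis logs in this thread (a clean log, stray leftovers, the SearchRelevancy file) can be mechanised for a first pass. The following is an added example, not code from the thread, from HijackThis or from any of the tools named here: it parses HijackThis v1.99-style lines and flags the kinds of entry a helper looks at first. The sample lines are copied from the logs posted in this thread, the KNOWN_SCANNER_HOSTS set is taken from the thread's own O16 entries, and the flag rules are this example's own heuristics.

```python
"""Triage of HijackThis v1.99-style log lines.

Added example for this thread, not a tool the helpers used.  It changes nothing
on the machine: it only classifies the kinds of entries the posts above react
to (stray '(file missing)' leftovers, services with no owner, Winsock LSP and
Winlogon Notify entries, ActiveX downloads).  The flag rules are the example's
own heuristics, not HijackThis behaviour.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hosts that the O16 entries in this thread's logs show as legitimate
# on-line scanners; anything else in an O16 line gets flagged for review.
KNOWN_SCANNER_HOSTS = {"security.symantec.com", "acs.pandasoftware.com"}

# Short code -> what a helper would say about the entry.
EXPLANATIONS = {
    "file-missing": "registry still points at a file that no longer exists "
                    "(typical leftover after an uninstall); safe to fix",
    "unknown-owner": "service binary has no company name in its version "
                     "resource; verify the path by hand before trusting it",
    "lsp": "Winsock LSP entry; do not fix with HijackThis, use an LSP repair tool",
    "unknown-activex-host": "ActiveX control downloaded from a host that is not "
                            "a known scanner; review before keeping",
    "winlogon-notify": "DLL loaded by winlogon at logon; confirm the owning "
                       "product is still installed",
}

# Lines copied verbatim from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# HijackThis lines start with a section code (R0, F1, N2, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Entry:
    section: str                 # e.g. "O20"
    body: str                    # everything after "O20 - "
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a HijackThis log line, or None for any other text."""
    m = LINE_RE.match(line.strip())
    return Entry(m.group(1), m.group(2)) if m else None


def assess(entry: Entry) -> Entry:
    """Attach flag codes to one entry according to the heuristics above."""
    body = entry.body
    if "(file missing)" in body:
        entry.flags.append("file-missing")
    if entry.section == "O23" and "Unknown owner" in body:
        entry.flags.append("unknown-owner")
    if entry.section == "O10":
        entry.flags.append("lsp")
    if entry.section == "O16":
        host = HOST_RE.search(body)
        if host is None or host.group(1).lower() not in KNOWN_SCANNER_HOSTS:
            entry.flags.append("unknown-activex-host")
    if entry.section == "O20":
        entry.flags.append("winlogon-notify")
    return entry


def triage(log: str) -> List[Entry]:
    """Parse every HijackThis line in `log` and flag it; other lines are skipped."""
    return [assess(e) for e in map(parse_line, log.splitlines()) if e is not None]


def summarize(log: str) -> Dict[str, int]:
    """Count how many entries carry each flag code."""
    counts: Dict[str, int] = {}
    for entry in triage(log):
        for code in entry.flags:
            counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        if entry.flags:
            print(f"{entry.section}: {entry.body[:60]}")
            for code in entry.flags:
                print(f"    [{code}] {EXPLANATIONS[code]}")
    print("summary:", summarize(SAMPLE_LOG))
```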

Unread postby NonSuch » December 8th, 2005, 4:21 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 27235
Joined: February 23rd, 2005, 7:08 am
Location: California

Unread postby ChrisRLG » December 18th, 2005, 2:15 pm

Re opened by email request.

================

Before getting a helper to assist - please follow these instructions from this blog (one of our teachers).

http://malwareremoval.com/plog/index.ph ... 8&blogId=3

Then post back with a new HJT log for someone to check.
Please tell us how the machine is too.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby afo » December 18th, 2005, 6:24 pm

Alrighty then,

After the last instructions that I completed, I monitored the system, installed a newer version of the F-Secure AV (FSAV Client Security 6.01) and now asked to re-open this because it felt like the desktop was hijacked, and especially when typing some of the key strokes did not appear/count. Approx. every 4th-5th key stroke did not appear.

Well, then I ran HijackThis with a log file, and then followed ChrisRLG's instructions from the blog. Here are the logs now, hope you can help me again.
-AFo



This is before everything:
Logfile of HijackThis v1.99.1
Scan saved at 19:58:30, on 18.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctad.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helia.fi/fi/
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Cisco Trust Agent (ctad) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctad.exe
O23 - Service: Cisco Trust Agent Event Logging Service (ctalogd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



Then according to blog instructions:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 23:43:51, 18.12.2005
+ Report-Checksum: 7F1B47AF

+ Scan result:

C:\Documents and Settings\acer\Cookies\acer@vip2.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned without backup
C:\Documents and Settings\acer\Cookies\acer@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned without backup
C:\Documents and Settings\acer\Cookies\acer@com[2].txt -> Spyware.Cookie.Com : Cleaned without backup
C:\System Volume Information\_restore{B7C9A981-B8EC-41C4-8C07-5A7354B665BF}\RP223\A0043676.dll -> Not-A-Virus.Downloader.Win32.Spax.a : Cleaned without backup


::Report End






Ad-Aware SE Build 1.06r1
Logfile Created on: 18 December 2005 23:45:34
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R81 16.12.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Malware.SpyAxe(TAC index:4):2 total references
MRU List(TAC index:0):46 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


18.12.2005 23:45:34 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\acer\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\acer\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\frontpage\explorer\frontpage explorer\recent file list
Description : list of recently used files in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\frontpage\explorer\frontpage explorer\recent page list
Description : list of recently used pages in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\frontpage\explorer\frontpage explorer\recent web list
Description : list of recently used webs in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\mediaplayer\player\settings
Description : last save as directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\office\10.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\office\10.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\office\10.0\powerpoint\recent templates
Description : list of recent templates used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\office\10.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\office\10.0\powerpoint\recenttemplatelist
Description : list of recent templates used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\office\9.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-1296836545-1065543706-2027339946-1004\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 176
ThreadCreationTime : 18.12.2005 20:51:53
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 228
ThreadCreationTime : 18.12.2005 20:52:02
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 252
ThreadCreationTime : 18.12.2005 20:52:05
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 296
ThreadCreationTime : 18.12.2005 20:52:09
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 308
ThreadCreationTime : 18.12.2005 20:52:10
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 452
ThreadCreationTime : 18.12.2005 20:52:12
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 516
ThreadCreationTime : 18.12.2005 20:52:13
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 564
ThreadCreationTime : 18.12.2005 20:52:15
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1400
ThreadCreationTime : 18.12.2005 20:56:36
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 556
ThreadCreationTime : 18.12.2005 20:57:14
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:11 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1948
ThreadCreationTime : 18.12.2005 21:44:47
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Malware.SpyAxe Object Recognized!
Type : File
Data : A0042612.exe
TAC Rating : 4
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{B7C9A981-B8EC-41C4-8C07-5A7354B665BF}\RP218\
FileVersion : 3.0.0.0
ProductVersion : 3.0.0.0
ProductName : SpyAxe
CompanyName : SpyAxe.com
FileDescription : Anti-spyware software
InternalName : spyaxe
LegalCopyright : (c) SpyAxe.com. All rights reserved.
OriginalFilename : spyaxe.exe


Malware.SpyAxe Object Recognized!
Type : File
Data : A0043675.exe
TAC Rating : 4
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{B7C9A981-B8EC-41C4-8C07-5A7354B665BF}\RP223\
FileVersion : 3.0.0.0
ProductVersion : 3.0.0.0
ProductName : SpyAxe
CompanyName : SpyAxe.com
FileDescription : Anti-spyware software
InternalName : spyaxe
LegalCopyright : (c) SpyAxe.com. All rights reserved.
OriginalFilename : spyaxe.exe


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 48


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 48




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 48

23:56:21 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:47.121
Objects scanned:160677
Objects identified:2
Objects ignored:0
New critical objects:2





And the latest HijackThis log again after completing the previous tasks...
Logfile of HijackThis v1.99.1
Scan saved at 0:10:57, on 19.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctad.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helia.fi/fi/
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Cisco Trust Agent (ctad) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctad.exe
O23 - Service: Cisco Trust Agent Event Logging Service (ctalogd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
afo
Active Member
 
Posts: 5
Joined: November 23rd, 2005, 7:31 pm
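A small triage helper for the HijackThis log format posted above (an added example, not a tool from the thread or from HijackThis itself): it groups entries by their section code, collapses the repeated O10 Winsock LSP lines into one path with a count, and lists the entries HijackThis marked "(file missing)" so a helper can review orphaned registrations. The sample lines are copied from the log above.

```python
import re
from collections import Counter

# Sample entries copied from the HijackThis 1.99.1 log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helia.fi/fi/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_entries(log_text):
    """Return (code, body) pairs for entry lines; process lists and headers are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def file_missing(entries):
    """Entries HijackThis flagged '(file missing)': usually leftovers of an uninstalled
    program, but an orphaned Winlogon Notify (O20) or protocol handler (O18) merits review."""
    return [e for e in entries if e[1].endswith("(file missing)")]


def lsp_dlls(entries):
    """Collapse O10 Winsock LSP lines to a count per DLL path. One LSP DLL is listed once
    per protocol chain it is layered into, so identical repeats are expected, not alarming."""
    counts = Counter()
    for code, body in entries:
        if code == "O10":
            counts[body.split(": ", 1)[1].lower()] += 1
    return counts


def triage(log_text):
    """Summarise a log: entry counts per section code, orphaned entries, LSP DLL counts."""
    entries = parse_entries(log_text)
    return {"by_code": Counter(c for c, _ in entries),
            "file_missing": file_missing(entries),
            "lsp_dlls": lsp_dlls(entries)}
```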

Unread postby Surreal2 » December 20th, 2005, 7:24 am

Hi again afo

The tools you've run and the 'fixes' with HijackThis seem to have cleaned out the malware and I can't see any signs of infection in your latest logs.

Please explain in more detail:
    Why you think your desktop is being hijacked?

    What happens to make you suspicious?

    What were/are you doing when it happens?

Also, more details about the ineffective keystrokes:
    What type of keyboard do you have (is it wireless)?

    Does it happen with all programs/windows (ie when you are typing text in a word processor document or Notepad or in your Internet browser - does it happen when you're typing your posts to this thread)?

    Do the failures occur randomly with all keys or just with some of the keys?

Cheers…
Surreal2
Regular Member
 
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK

Unread postby afo » December 20th, 2005, 10:57 am

About hijacking the desktop: previously I had trouble setting my taskbar the way I wanted. I had extra icons or sometimes multiple icons of applications with taskbar dividers. But it seems to be fixed now as well after the fixes I ran.

About the keystrokes, I use a laptop, nothing wireless there. It seemed to be a problem with all the applications I tested (MS Word, Notepad, IE, Excel...) and at least to me it seemed more or less random with all the keys.
afo
Active Member
 
Posts: 5
Joined: November 23rd, 2005, 7:31 pm

Unread postby Surreal2 » December 20th, 2005, 2:07 pm

Hi afo - OK, so the desktop hijack seems to be fixed and we're left with the keyboard problem.

What is the make and model of your laptop and how old is it?

Has anything been spilt on the keyboard?

To test whether the problem lies with the laptop keyboard itself or elsewhere, try plugging an external keyboard into the laptop's USB or PS/2 port and using that for a while - then let me know if the problem persists.

Cheers...
Surreal2
Regular Member
 
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK

Unread postby NonSuch » January 1st, 2006, 5:09 am

Due to a lack of response by the originator of the topic, and because this issue no longer appears to be related to malware, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link: Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 27235
Joined: February 23rd, 2005, 7:08 am
Location: California