
please, please help me with spy axe


Post by cowriles3 » December 9th, 2005, 1:05 pm

Hey AndyHill.. sorry i've been MIA..

I'm starting on your directions.. i'm at the first step and when i try and navigate to
Start>My Computer>( C: )>Documents and Settings>CPR & CDT>Local Settings>Temp>Temporary Directory 1 for HJT.zip. In this folder "Temporary Directory 1 for HJT.zip" delete HijackThis.exe

I can't because local setting>temp>on.. its not there.. after i click CPR&CDT folder local setting isn't there.. I just have the folders : cookies, desktop, favorites, my documents, start menu, user data and a file called NTUSER which is a DAT file.. so i don't know how to get to the HijackThis.exe from here.. Remember i'm an idiot on the computer.. :roll:

Thanks..
cowriles3
Regular Member
 
Posts: 23
Joined: December 5th, 2005, 3:03 pm

Post by AndyAtHull » December 9th, 2005, 1:09 pm

Try looking in here:

Start>My Computer>( C: )>Documents and Settings>Administrator>Local Settings>Temp>Temporary Directory 1 for HJT.zip. Delete Temporary Directory 1 for HJT.zip if found. ;)

or...

Start>My Computer>( C: )>Documents and Settings>Default user>Local Settings>Temp>Temporary Directory 1 for HJT.zip. Delete Temporary Directory 1 for HJT.zip.

Then continue with the instructions :D
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Post by cowriles3 » December 9th, 2005, 1:57 pm

Still Can't find it.. there is no administrator folder.. and the default folder after you click on documents and settings has the same folder options as cpr and cdt.. i'm lost.. can i search for it somehow..??

Thanks
cowriles3
Regular Member
 
Posts: 23
Joined: December 5th, 2005, 3:03 pm

Post by AndyAtHull » December 9th, 2005, 6:19 pm

Ok let us try it this way.

Click on Start>Search>All files and folders>In All or Part of the files name type in Temporary Directory 1 for HJT.zip>And click on search. If located delete and continue with the fix.

Please continue from here on the previous reply

Use this LINK.
Save it to your desktop and then doubleclick to run it.
It will install the program in c:\program files\hijackthis. And leave it for now.
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Post by cowriles3 » December 9th, 2005, 7:56 pm

So i did a search and nothing came up under what you told me to put in.. so i just put in HJT and 3 docs came up.. 2 of which were saved to my desktop and one that was in the recycling bin.. so i deleted all of them from the desktop and the recycling bin.. so now when i do the search, HJT no search results are there.. is that ok? should i continue..??

Thanks soo much!
cowriles3
Regular Member
 
Posts: 23
Joined: December 5th, 2005, 3:03 pm

Post by AndyAtHull » December 9th, 2005, 8:05 pm

That would have been my next option. If you can, continue the fix from downloading a new copy of HJT, starting from here in my previous reply:

Use this LINK.
Save it to your desktop and then doubleclick to run it.
It will install the program in c:\program files\hijackthis. And leave it for now.


That would be great. Remember if you are in doubt of anything. Please let me know and I will help you through it ;)
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Post by cowriles3 » December 10th, 2005, 12:32 pm

Java version: 5.0.60.5 Java(TM) 2 Platform Standard Edition binary

It wasn't under control panel, last time I saved it to my desktop.. it's still there.. when i click on it it asks me if it wants me to run it?? should i leave it there or what??

Thanks
cowriles3
Regular Member
 
Posts: 23
Joined: December 5th, 2005, 3:03 pm

Post by AndyAtHull » December 10th, 2005, 12:48 pm

When installing a program it is always better to install it to the suggested location it suggests. Like for example with Java it will suggest here C:\Program Files\Java. Then click Next. It might be possible that is a shortcut on your desktop. If you would like to check in My Computer>C:\Program Files\Java. Check for jre1.5.0_06

If that is in there then there is nothing to worry about. And you can continue with the fix.
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Post by cowriles3 » December 10th, 2005, 1:35 pm

j2re1.4.2_03 is the version when i do the my computer, program files, java.. is that the wrong one?

Thanks
cowriles3
Regular Member
 
Posts: 23
Joined: December 5th, 2005, 3:03 pm

Post by AndyAtHull » December 10th, 2005, 2:19 pm

It is not wrong, but that version is out of date and that makes your computer unstable.

Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 6.

If that Java on your desktop is a download i.e. Windows (Offline Installation)
(filesize: 16.00 MB). jre-1_5_0_06-windows-i586-p.exe. Then install that. If not delete it.

You can get the manual download here: Choose Windows (Offline Installation)
(filesize: 16.00 MB).

Once you have downloaded and installed the latest update, please go to Add/Remove and remove all older instances of Java listed there. Example: Uninstall anything that says J2SE Runtime Environment, other than your new update J2SE Runtime Environment 5.0 Update 6.

(Please take care when uninstalling. It may catch you out)

Then restart your computer.

Do this and report back to me. And I can re-post the instructions I asked you to do before ;)
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Post by cowriles3 » December 12th, 2005, 2:09 pm

Hey andyhill,

well i'm down to the last part of your directions.. the panda part.. i clicked on the big scan now button.. it had a little bar at the top for activex.. i clicked on the install now or something of that nature.. so i'm on the active scan has started screen.. then it says in the same window.. "If this is the first time you scan your PC, you'll have to download the ActiveX controls (a technology that allows ActiveScan to be run on your computer).This download size is 8 MB." its taking 4-ever.. like 1400 sec it says it has left and it keeps fluctuating up and down.. one time its 1800 the next its 1700.. now after this is it then going to give me the option of clicking on "local disks?" to start the scan or is it already scanning? i'm just concerned why its taking so long.. my computer has been running slower i assume because of this spy axe stuff.. let me know if i should be worried..

Thanks!
cowriles3
Regular Member
 
Posts: 23
Joined: December 5th, 2005, 3:03 pm

Post by cowriles3 » December 12th, 2005, 2:17 pm

Now it is copying and deleting files on its own.. a window came up and it just started deleting and copying.. mostly copying.. ?? should i be worried??
cowriles3
Regular Member
 
Posts: 23
Joined: December 5th, 2005, 3:03 pm

Post by AndyAtHull » December 12th, 2005, 6:33 pm

Allow any ActiveX to download. It will take time depending on your type of connection to the internet.

Close the current Panda Scan and start again from fresh and follow this:

Run Panda's ActiveScan from here and perform a full system scan.

1. Once you are on the Panda site click the "Scan your PC" button
2. A new window will open...click the big "Check Now" button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
10. Click on "Local Disks" to start the scan
11. Post Panda scan results in your next reply


If Panda starts to delete files again. Stop the scan.

Then try a Trend Micro scan again:

Now I would like you to run an online scan from here: http://housecall.trendmicro.com/. Click on "Scan now It's free", then "Please Select your Location", and press Go. Then "Start Free Scan" and "Complete Scan". Make sure no windows are open apart from the Trend Micro page and the scanning page during this scan. Note down any infections, spyware or vulnerabilities it brings up and save them in a .txt file from Notepad.


Do not worry so much about it being slow at the moment. Even if it won't work at this present moment. Once I get a look at a fresh HJT log we can go from there and work on it.

Don't worry too much you are in safe hands. Let us do the worrying :D

Remember that in your next reply after the online scan you are to post:

A fresh HJT log
Ewido log
And anything Panda or Trend Micro brings up - Note if either of them do not work. Do not worry just tell me and we will go from there.
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Post by cowriles3 » December 13th, 2005, 12:06 am

Well, Trend Micro has a window that keeps popping up that says : An error occurred while trying to transfer data from the internet! Do you want Trend Micro HouseCall to try resending the required files? It won't get from step 1 to step 2.. It's stuck in the "preparing stage." Oh wait.. it is now in the "detected vulnerabilities stage"... finally!! I'll let you know what comes up after..

Here is the new HJT log, Ewido and Panda Info.

Logfile of HijackThis v1.99.1
Scan saved at 11:00:54 PM, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1124921760\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124921760\ee\AOLServiceHost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Documents and Settings\CPR & CDT\Desktop\security suite\ewidoctrl.exe
C:\Documents and Settings\CPR & CDT\Desktop\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\1124921760\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124921760\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\CPR & CDT\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\CPR & CDT\Desktop\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

This is the Ewido: ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:50:03 PM, 12/12/2005
+ Report-Checksum: 23877012

+ Scan result:

C:\Documents and Settings\CPR & CDT\Cookies\cpr & cdt@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\CPR & CDT\Cookies\cpr & cdt@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\CPR & CDT\Cookies\cpr & cdt@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\CPR & CDT\Cookies\cpr & cdt@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\CPR & CDT\Cookies\cpr & cdt@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\CPR & CDT\Cookies\cpr & cdt@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\CPR & CDT\Cookies\cpr & cdt@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\CPR & CDT\Cookies\cpr & cdt@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\CPR & CDT\Cookies\cpr & cdt@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\CPR & CDT\Cookies\cpr & cdt@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\CPR & CDT\Local Settings\Temporary Internet Files\Content.IE5\94X5VD17\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\WINDOWS\SYSTEM32\1024\ld1D26.tmp -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\hpE8D7.tmp -> Trojan.Puper.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\ld45D3.tmp -> Downloader.Zlob.bz : Cleaned with backup
C:\WINDOWS\SYSTEM32\nvctrl(2).exe -> Trojan.Puper.bq : Cleaned with backup




Adware:adware/securityerror Not disinfected C:\Documents and Settings\All Users\Desktop\Online Security Center.url
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\CPR & CDT\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-1a53859e-30a52231.zip[Dummy.class]
Adware:Adware/SecurityError Not disinfected C:\Documents and Settings\CPR & CDT\Local Settings\Temporary Internet Files\Content.IE5\N7P55L9M\sec1-adls[1].htm
cowriles3
Regular Member
 
Posts: 23
Joined: December 5th, 2005, 3:03 pm
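
A first-pass way to read a HijackThis log like the one posted above, added here as an example (it is not part of the thread and not the helpers' own tooling): it splits the log into running processes and section-coded entries, then marks entries that carry a few review hints. The hint list and the function names are assumptions of this example; a hint is a prompt for a human reviewer, not a verdict.

```python
import re

# Excerpt of the HijackThis log posted above (lines copied from the thread).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\CPR & CDT\Desktop\security suite\ewidoguard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\CPR & CDT\Desktop\security suite\ewidoguard.exe
"""

# Entry lines start with a section code: R0-R3, F0-F3, N1-N4 or O<number>.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Review hints chosen for this example (assumptions, not HijackThis rules).
HINTS = [
    ("file missing", lambda code, d: "(file missing)" in d),
    ("unknown owner", lambda code, d: code == "O23" and "- Unknown owner -" in d),
    ("unnamed entry", lambda code, d: "(no name)" in d),
    ("autostart from user profile",
     lambda code, d: code in ("O4", "O23")
     and "\\documents and settings\\" in d.lower()),
]


def parse_hjt(text):
    """Return (running process paths, [(section code, detail), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False  # the first entry line ends the process list
            entries.append((match.group(1), match.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def triage(entries):
    """Return (code, hint, detail) for every entry that matches a hint."""
    return [(code, reason, detail)
            for code, detail in entries
            for reason, test in HINTS
            if test(code, detail)]


if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(entries)} entries")
    for code, reason, detail in triage(entries):
        print(f"[{code}] {reason}: {detail}")
```

On this excerpt the flagged entries include a Spybot helper and the ewido scanner that was installed to the Desktop, which shows why each hit still needs a person to check it.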

Post by AndyAtHull » December 13th, 2005, 12:28 am

Hi cowriles3, thank you for the logs. I will research them and report back with fresh instructions tomorrow. Sorry for any delay :)
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK