Free Malware Removal Forum

[observant]

I've visited this forum and tried the smitrem fix, downloaded Ewido and Trojan Hunter, updated Spybot, and still have to go into safe mode and use RunThis.bat. It seems that spyaxe is continually updating. The smitrem fix would get rid of everything but a red shield icon that appeared on startup on the taskbar w/ a warning that Norton wasn't on. Norton comes on and the red shield goes away. So even though everything else was gone, I knew this evil program was lurking in the background somewhere.

I just ran everything again, rebooted and there's a yellow shield w/ "Updates are ready... etc." Now spyaxe is posing as a computer update!

I ran hijackthis. Here is my log. It's good to know there are white hats out there. I think my system needs an exorcism.

I thank you for any help you can offer.

Logfile of HijackThis v1.99.1
Scan saved at 11:36:25 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Media\QuickTime\qttask.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Media\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe
C:\Program Files\Media\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Eileen\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} -

C:\WINDOWS\system32\hp7CEC.tmp (file missing)
O3 - Toolbar: Norton AntiVirus -

{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton

AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -

C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

(file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check]

C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\Media\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint

Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor]

C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager]

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program

Files\Media\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter

4.2\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program

Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program

Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program

Files\Microsoft Office_2000\Office\OSA9.EXE
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -

C:\Program Files\Communications\AIM\aim.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider

'xfire_lsp_10650.dll' missing
O12 - Plugin for .UVR: C:\Program Files\Internet

Explorer\Plugins\NPUPano.dll
O16 - DPF: {0F3F9178-C164-4B4B-ED40-362B011DD0CA} -

http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {2D2D4EC9-872D-2BE1-06A2-3D36100ACFAD} -

http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {440E3007-0348-17D4-D237-608D56D630DF} -

http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {4571464A-7962-5EE2-36D0-5BDE4B35455F} -

http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {55449B9D-00D8-12C8-E763-7BAF0456D400} -

http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {63E0606A-9F30-68D3-31A0-197C3C484886} -

http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl

Class) -

http://v5.windowsupdate.microsoft.com/v ... ols/en/x86

/client/wuweb_site.cab?1093872404828
O16 - DPF: {65F295B8-5BCC-589B-D67D-67AF7EB9AD9E} -

http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {660DACCB-A7A7-7163-C8F7-78C42CB56BF3} -

http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {78065D9D-E7CD-4D7D-B581-2F4A56794566} -

http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader

Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll (file

missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks -

C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -

C:\Program Files\Media\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -

Symantec Corporation - C:\Program Files\Norton

AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) -

Symantec Corporation - C:\Program Files\Norton

AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program

Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec

Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) -

Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe

[Kimberly]

Hello observant and welcome,

Please print out or copy these instructions\tutorials to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

You seem to have a leftover from Vundo, since I don't know if everything was cleaned up, I'll include some instructions for that too.

Delete smitrem.exe from your desktop, delete the smitrem folder on your Desktop too.

Please redownload SmitRem.exe © noahdfear to your Desktop. Don't use the one you already have because we need to be sure that we are running the latest version. The server might be busy, if the download didn't start correctly, please try again.
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double-click the smitRem.exe and it will extract the files to a smitRem folder on your Desktop.
______________________________

Start Ewido, you will need to update Ewido to the latest definition files.

• On the left-hand side of the main screen click the Update Button.
• Click on Start.

The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.

Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.

Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.

Click on the General Button on the left and select in green

• Under Safety
  
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
• Under Definitions
  
  • Prompt to udate outdated definitions - set to 7 days

Click on the Scanning Button of the left and select in green

• Under Driver, Folders & Files
  
  • Scan Within Archives
• Under Select drives & folders to scan
  
  • choose all hard drives
• Under Memory & Registry
  
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file

Click on the Advanced Button on the left and select in green

• Under Shell Integration
  
  • Move deleted files to Recycle Bin
• Under Logfile Detail Level
  
  • Include addtional object information
  • DESELECT - Include negligible objects information (make it show a red X)
  • Include environment information
• Under Alternate Data Streams
  
  • Don't log streams smaller than 0 bytes
  • Don't log ADS with the following names: CA_INOCULATEIT

Click the Tweak Button and select in green

• Under the Scanning Engine (Click on the + sign to expand)
  
  • DESELECT Unload recognized processes & modules during scan (make it show a red X)
  • Scan registry for all users instead of current user only
• Under the Cleaning Engine (Click on the + sign to expand)
  
  • Always try to unload modules before deletion
  • During Removal, unload Explorer and IE if necessary
  • Let Windows remove files in use at next reboot
• Under the Log Files (Click on the + sign to expand)
  
  • Include basic Ad-aware SE settings in logfile
  • Include additional Ad-aware SE settings in logfile
  • Include reference summarry in log file
  • Include alternate data stream details in log file

Click on Proceed to save the settings and close the program.
______________________________

If not already installed, download and install the VX2 Cleaner 2.0 plugin from Lavasoft by following the instructions below.

Installing VX2 Cleaner 2.0

1. Close Ad-Aware, if it is currently open.
2. Download the VX2 Cleaner 2.0 Plug-in here.
3. Install the VX2 Cleaner by clicking on vx2cleaner_inst.exe.

______________________________

Download Registry Search by Bobbi Flekman
http://www.bleepingcomputer.com/files/regsearch.php
Create a folder named C:\Reg for it and unzip into that folder.
______________________________

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39D2FC9B-041C-470E-AE72-F8C001247626}]

[-HKEY_CLASSES_ROOT\CLSID\{39D2FC9B-041C-470E-AE72-F8C001247626}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}]

[-HKEY_CLASSES_ROOT\CLSID\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBE0D59D-F985-4AC6-8826-FEE957065D42}]

[-HKEY_CLASSES_ROOT\CLSID\{CBE0D59D-F985-4AC6-8826-FEE957065D42}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}]

[-HKEY_CLASSES_ROOT\CLSID\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{39D2FC9B-041C-470E-AE72-F8C001247626}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CBE0D59D-F985-4AC6-8826-FEE957065D42}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}]
"Compatibility Flags"=dword:00000400

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}]

[-HKEY_CLASSES_ROOT\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}]
"Compatibility Flags"=dword:00000400

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-4A68-A602-5812EB50A834}]

[-HKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{827DC836-DD9F-4A68-A602-5812EB50A834}]
"Compatibility Flags"=dword:00000400

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}]

[-HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{52B1DFC7-AAFC-4362-B103-868B0683C697}]
"Compatibility Flags"=dword:00000400

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}]

[-HKEY_CLASSES_ROOT\CLSID\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}]
"Compatibility Flags"=dword:00000400

Save it to your desktop as Fixme.reg. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Fixme.reg
______________________________

Disable Trojan Hunter, it might interfer with the fix.
______________________________

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.

______________________________

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.
______________________________

Double-click the icon for RegSearch.exe in the C:\reg folder to launch the program.
Enter contextplus to search for and click "OK".
After completion Notepad will be opened with all the found instances of the string.
The resulting file is saved in the same folder location as RegSearch.exe. I will need that file later on.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present.

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp7CEC.tmp (file missing)
O16 - DPF: {0F3F9178-C164-4B4B-ED40-362B011DD0CA} - http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {2D2D4EC9-872D-2BE1-06A2-3D36100ACFAD} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {440E3007-0348-17D4-D237-608D56D630DF} - http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {4571464A-7962-5EE2-36D0-5BDE4B35455F} - http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {55449B9D-00D8-12C8-E763-7BAF0456D400} - http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {63E0606A-9F30-68D3-31A0-197C3C484886} - http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {65F295B8-5BCC-589B-D67D-67AF7EB9AD9E} - http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {660DACCB-A7A7-7163-C8F7-78C42CB56BF3} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {78065D9D-E7CD-4D7D-B581-2F4A56794566} - http://85.255.113.213/1/gdnUS2218.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll (file missing)

Close ALL windows and browsers except HijackThis and click Fix Checked.
______________________________

Open the smitRem Folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Using Windows Explorer, Search and Delete these Files if listed:

C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\awtsr.ini
C:\WINDOWS\system32\awtsr.bak
C:\WINDOWS\system32\rstwa.dll
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.bak

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.
______________________________

Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Procede like this:

• Quit Internet Explorer and quit any instances of Windows Explorer.
• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see an checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.

• Click on Scanner
• Click on Settings
  
  • Under How to scan all boxes should be checked
  • Under Unwanted Software all boxes should be checked
  • Under What to scan select Scan every file
  • Click on Ok
• Click on Complete System Scan to start the scan process.
• Let the program scan the machine.

If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

• Click Save Report button
• Save the report to your Desktop

Close Ewido.
______________________________

Start Ad-Aware SE

• Click on Add-ons
• Select the VX2 Cleaner plug-in and click Run Tool
• If your computer isn’t infected, click Close.
  OR
• If you computer is infected with VX2, a dialog box with text such as New VX2 variant found or VX2 variant 1 found will appear.
• Press Clean and a dialog box with text The first phase completed. Please reboot and perform a Smart Scan will appear.
• Reboot your computer
• Run Ad-Aware and Click on the Scan Now Button
  
  • Choose Perform Full System Scan
  • DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
  Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.
  
  Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.

Repeat this until the VX2 Cleaner reports System clean. Press Close to exit.

Run Ad-Aware one more time and perform a Perform Full System Scan of your computer to make sure VX2 has been found and removed. Reboot in Normal Mode
______________________________

Run Panda's ActiveScan and perform a full system scan.

• Once you are on the Panda site click the Scan your PC button.
• A new window will open...click the big Check Now button.
• Enter your Country.
• Enter your State/Province.
• Enter your e-mail address.
• Select either Home User or Company.
• Click the big Scan Now button.
• Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
• Click on Local Disks to start the scan.

Upon scan completion, if anything malicious is detected, click See Report, then click Save Report and save it to your Desktop.
______________________________

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  
  • Scan using the following Anti-Virus database:
    
    • Extended (If available otherwise Standard)
  • Scan Options:
    
    • Scan Archives
    • Scan Mail Bases
• Click OK
• Now under select a target to scan select My Computer
• The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

______________________________

Please post :

1. The results from the RegSearch.exe
2. c:\smitfiles.txt
3. Ewido log
4. ActiveScan results
5. Kaspersky results
6. a new HijackThis log

Your may need several replies to post the requested logs, otherwise they might get cut off.

Kim

[observant]

Kim, Thank you very much for your very thorough and well written instructions. I think I need a good night's sleep, some cool tunes, and a fresh pot of coffee to run the programs that will exorcise this bug with the tools you gave me.

Spyaxe is keeping all of us on our toes!

I hope to get this done tomorrow -- but my kids want a Christmas tree... !
I'll post my logs in a day or so.
Again, many thanks, and you have a very cool avatar.

[Kimberly]

Hi observant,

I hope to get this done tomorrow -- but my kids want a Christmas tree... !
I'll post my logs in a day or so.

No worries

SpyAxe has different variants, some people have many infected files along with SpyAxe, some people don't ... It's hard to tell what you will find on a PC. The longer you have SpyAxe on your computer running with an active internet connection, the more files you can get. gdnUS2218.exe is a Trojan Downloader. The website it is downloaded from (85.255.113.213) belongs to Estdomains and if some other programs get through, one never knows what is gonna show up. Thus try not to spend too much time on Internet if possible until it is cleaned up.

Kim

[NonSuch]

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.