Malware Removal Instructions

Spyaxe

Post by Mojo » December 11th, 2005, 3:04 pm

I would be grateful for some help. Spyaxe has got on my computer and it's driving me mad. I am "well protected" with Spybot, Ad-Aware, and a range of other programmes but they haven't rid me of this. I have searched the web but I am not very computer literate and I am wary of trying the various suggestions offered. MalWare Removal kindly helped me with another problem about 6 months ago. Can someone help me this time - bearing in mind I'm a bit of a novice.
Mojo
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Post by Piney » December 11th, 2005, 6:07 pm

Mojo
If you would download and install HijackThis, do a scan and save the log to paste as a reply to this post, someone can help you :)

Make sure you are using the latest version (1.99.1) of HijackThis.
Install/extract it to its own folder on the main drive. (C:\HJT)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Post by Mojo » December 11th, 2005, 7:59 pm

Thank you Piney. Here is my HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 23:53:59, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\McAfee\QuickClean\PlgUni.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp5B35.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\PlgUni.exe" /START
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\MLC\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\MLC\LOCALS~1\Temp\.\V205Res 13
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [Play_PC_Backup] C:\Program Files\PC Backup\pcbackup.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3232885125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - http://register.btinternet.com/template ... rol023.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Post by Piney » December 12th, 2005, 1:13 am

Hello again, Mojo :)

I need for you to download some programs. Do not use them until directed to do so.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes.
There should not be any opened browsers when you are carrying out the procedures below.
You will want to copy out these instructions and save them to notepad as you will not have internet connection during the fix.
Save the notepad to your desktop where you can find it.

I see you still have Ewido on your computer. Make sure it is updated and setup as below:
Go to: http://download.ewido.net/ewido-setup.exe
- Install Ewido Security Suite
- When installing, under "Additional Options" uncheck:
  - Install background guard
  - Install scan via context menu
- Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click Update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.

If you are having problems with the updater, you can use this link to manually update Ewido
http://www.ewido.net/en/download/updates/
When you have finished updating, EXIT Ewido.


Go: here to download smitRem version 2.8
Double click on the file to extract it to its own folder on the desktop.


Start up your computer, after the first 'beep' begin tapping on the F8 key. A black menu page will appear.
Use your arrow keys to choose Safe Mode (without networking!)
Click on the Enter key.
Your desktop will appear, although it will be very distorted. The words Safe Mode will be in each corner of the desktop.

Disable SpywareGuard:

Right click the running icon of Spywareguard, it will open the program.
Then go to Menu, file, exit.
Then confirm the program is closed.
Once we are finished, remember to re-enable Spywareguard.

We need to open up hidden files and folders. Click Start>>>>Control Panel>>>>Folder Options and double click.
Under the View tab scroll down to Hidden Files and Folders
Check Show hidden files and folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended). Answer Yes.
Click Apply and click OK

While still in the Control Panel, double click on Add/Remove Programs
Scroll ... find ... highlight and delete/uninstall/remove (if present)
Security Toolbar
You will be prompted to reboot... choose NO
Close out of the Control Panel

Open HJT and scan. Place a check/tick next to these items (if present):
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp5B35.tmp <<< this may change names
O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\MLC\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\MLC\LOCALS~1\Temp\.\V205Res 13
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h

With everything closed (Nothing open) except HijackThis, click on the Fix Checked button. Close HJT.

Open the smitRem folder, double-click on the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C:, or the partition where your operating system is installed.
Please post that log along with all others requested in your next reply.

Run Ewido with its updated definitions (it's important that all windows are closed):
Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
"Perform action on all infections"
Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop.


On your keyboard, click on the Windows key and the E key to bring up your Windows Explorer
Click to expand the C:\ drive, navigate to and delete the following files/folders:
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\hp5B35.tmp <<<< NOTE: this may have changed names. Look in the System32 Folder for any hpxxx.tmp files and delete them all.
C:\Program Files\SpyAxe
While you still have your Windows Explorer open, scroll through C:\Windows to the Prefetch folder. Open the folder and delete all the contents.
Do not delete the folder, just the contents of the Prefetch folder. Close Windows Explorer.
Empty your recycle bin.
Reboot normally

After the reboot, on a clear spot on your desktop, right-click and choose Properties
Under the Desktop tab, click on Customize Desktop
Click on Web tab and uncheck/delete Security Info if present
Click OK
Click Apply and then click OK

Do an online scan at: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Let it clean, disinfect, quarantine any items found.

Open HJT, scan, and save the report.
Paste the Ewido log, the smitfiles.txt, and the new HijackThis log to this thread.
I'll be watching for your reply.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Post by Mojo » December 12th, 2005, 7:35 pm

Thank you Piney for your clear instructions, which I have followed. Here is the information you needed [smitfiles.txt; Ewido log; and new HJT log]. I still have the irritating pop-up and flashing icon on the bottom tool bar.

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 12/12/2005
The current time is: 22:24:26.87

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SpyAxeFix © by noahdfear

spyaxe directory present

spyaxe uninstaller present

Starting spyaxe uninstaller

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}"="Windows Update"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 752 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

____________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 23:25:44, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\McAfee\QuickClean\PlgUni.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\PlgUni.exe" /START
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [Play_PC_Backup] C:\Program Files\PC Backup\pcbackup.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3232885125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - http://register.btinternet.com/template ... rol023.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

___________________________________________________________

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:42:49, 12/12/2005
+ Report-Checksum: CE729E7F

+ Scan result:

No infected objects found.


::Report End
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am
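Piney's fix list above names specific HJT entries, and Mojo's second log shows which of them survived the fix. As an added example (not code from the thread, from HijackThis or from smitRem), this Python script parses HJT entry lines, diffs a "before" and "after" log, and flags entries matching the patterns the helper ticked: the SpyAxe name, a BHO loaded from a .tmp file, an autorun launched from a Temp directory, and an empty R0 Local Page. The two embedded logs are constructed excerpts of the logs posted above, and the flag rules in is_suspicious() are this example's own assumptions.

```python
"""Parse and diff HijackThis v1.99.1 logs to see what a fix actually removed.

Added example for this thread, not code from HijackThis, smitRem or the forum.
BEFORE_LOG / AFTER_LOG are constructed excerpts of the logs Mojo posted; the
rules in is_suspicious() are this example's assumptions, modelled on the
entries Piney asked to be ticked.
"""
import re
from itertools import takewhile

# Leading section code of an HJT entry line: R0/R1, F0, N1, O2, O4, O23 ...
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")
# Autorun entries launched from a user's Temp directory (the GSISETUP line).
TEMP_DIR_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# Product names the thread identifies as rogue software.
ROGUE_NAMES = ("spyaxe",)


def parse_hjt(log):
    """Return (section, body) pairs for every R*/F*/N*/O* entry line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def running_processes(log):
    """Return the paths listed under 'Running processes:' up to the blank line."""
    lines = [l.strip() for l in log.splitlines()]
    if "Running processes:" not in lines:
        return []
    start = lines.index("Running processes:") + 1
    return list(takewhile(bool, lines[start:]))  # stops at the first blank line


def is_suspicious(section, body):
    """Explain why an entry matches one of the thread's patterns, else None."""
    low = body.lower()
    if any(name in low for name in ROGUE_NAMES):
        return "names a rogue product"
    if section == "O2" and low.endswith(".tmp"):
        return "BHO loaded from a .tmp file (the hp5B35.tmp pattern)"
    if section == "O4" and TEMP_DIR_RE.search(body):
        return "autorun entry launching from a Temp directory"
    if section == "R0" and low.endswith("="):
        return "IE Local Page key with an empty value"
    return None


def suspicious_processes(log):
    """Running processes whose path names a rogue product."""
    return [p for p in running_processes(log)
            if any(name in p.lower() for name in ROGUE_NAMES)]


def diff_logs(before, after):
    """Return (removed, added, kept) entry lists between two scans."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b), sorted(a & b)


def remaining_after_fix(before, after):
    """Suspicious entries still present after the fix, with the reason."""
    _, _, kept = diff_logs(before, after)
    return [(s, b, is_suspicious(s, b)) for s, b in kept if is_suspicious(s, b)]


# Constructed excerpt of the first log (before the fix).
BEFORE_LOG = r"""Scan saved at 23:53:59, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp5B35.tmp
O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\MLC\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\MLC\LOCALS~1\Temp\.\V205Res 13
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed excerpt of the second log (after the fix): SpyAxe's Run key survived.
AFTER_LOG = r"""Scan saved at 23:25:44, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    removed, added, kept = diff_logs(BEFORE_LOG, AFTER_LOG)
    for s, b in removed:
        print(f"removed by the fix: {s} - {b}")
    for s, b, why in remaining_after_fix(BEFORE_LOG, AFTER_LOG):
        print(f"STILL PRESENT: {s} - {b}  <- {why}")
    print("rogue processes before:", suspicious_processes(BEFORE_LOG))
```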

Post by Piney » December 12th, 2005, 8:43 pm

Thank you for the logs and the info, Mojo

I'll look it over and be back as soon as I can :)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Post by Piney » December 13th, 2005, 12:33 am

Well!

Let's do something about that then.

Start up your computer, after the first 'beep' begin tapping on the F8 key. A black menu page will appear.
Use your arrow keys to choose Safe Mode (without networking!)
Click on the Enter key.
Your desktop will appear, although it will be very distorted. The words Safe Mode will be in each corner of the desktop.

Disable SpywareGuard:

Right click the running icon of Spywareguard, it will open the program.
Then go to Menu, file, exit.
Then confirm the program is closed.
Once we are finished, remember to re-enable Spywareguard.


Go to the Control Panel, double click on Add/Remove Programs
Scroll ... find ... highlight and delete/uninstall/remove (if present)
SpyAxe
You will be prompted to reboot... choose NO
Close out of the Control Panel

Open HJT and scan. Place a check/tick next to these items (if present):
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
With everything closed (Nothing open) except HijackThis, click on the Fix Checked button. Close HJT.

On your keyboard, click on the Windows key and the E key to bring up your Windows Explorer
Click to expand the C:\ drive, navigate to and delete the following folder:
C:\Program Files\SpyAxe
While you still have your Windows Explorer open, scroll through C:\Windows to the Prefetch folder. Open the folder and delete all the contents.
Do not delete the folder, just the contents of the Prefetch folder. Close Windows Explorer.

Empty your recycle bin.

Reboot normally.

Do an online scan at: Trend Housecalls
Allow the scanner to remove/delete any items found.

When finished, reboot normally.
Open HJT and scan. Save the scan log to paste here along with information if you are still having problems.
I'll be watching for your reply.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Post by Mojo » December 13th, 2005, 3:21 pm

Thanks Piney for your patience but I'm still having trouble. I followed everything you advised but when I reboot I still get the Spyaxe icon and it returns to the programme file. I repeated your suggestions and what happens is that after uninstalling the programme [everything in safe mode] I don't find it in the HJT scan, and I don't find it in Windows Explorer. However, Prefetch gets filled with 26 files - and among them is spyaxe.exe. I delete all the contents of the folder as you instruct but everything returns when I reboot. Finally, I can't get Trend Housecalls to work. It won't scan for me.

Is it of any help for you to know that when I reboot I get a pop-up "Norton Antivirus 2005 does not support the Repair feature. Please uninstall and reinstall". It looks odd to me so I have ignored it. Anyway - here is the HJT log. I look forward to your continuing help.

Logfile of HijackThis v1.99.1
Scan saved at 19:01:28, on 13/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\McAfee\QuickClean\PlgUni.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\PlgUni.exe" /START
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [Play_PC_Backup] C:\Program Files\PC Backup\pcbackup.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3232885125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - http://register.btinternet.com/template ... rol023.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am
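As an added example for readers triaging a log like the one above (this is not code from the thread, from HijackThis or from MalwareRemoval.com), the Python script below parses the HJT 1.99.1 entry format and applies the checks a helper makes by hand before ticking lines for Fix Checked: it flags entries and running processes that match a rogue-program list (here only SpyAxe, the name this thread and Ad-Aware's Malware.SpyAxe detection identify), entries whose target is marked "(file missing)", startup shortcuts whose target HJT could not resolve ("= ?"), and O4 Run values that reference a bare filename rather than a full path. The sample log embedded in it is a constructed excerpt modelled on the posted log, not the full log; the rogue-name list, the severity labels and the function names are the example's own assumptions.

```python
# Added example: triage a HijackThis 1.99.1 log (not HijackThis's own code).
import re
from dataclasses import dataclass
from typing import List, Tuple

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")           # "O4 - ...", "R1 - ..."
O4_RE = re.compile(r"^(?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)
# Names this thread identifies as rogue (Ad-Aware's "Malware.SpyAxe");
# extend from current threat intelligence in real use.
ROGUE_MARKERS = ("spyaxe",)

@dataclass
class Entry:
    section: str   # "O4", "O23", ...
    text: str      # everything after "O4 - "

@dataclass
class Finding:
    severity: str  # "high": tick for Fix Checked; "review": look at it
    section: str
    reason: str
    text: str

def parse_hjt(log: str) -> Tuple[List[str], List[Entry]]:
    """Return (running process paths, numbered entries) from an HJT log."""
    processes, entries, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False              # blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def autostart_target(command: str) -> str:
    """Strip quotes and arguments from an O4 command, leaving the .exe path."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else command.strip()

def triage(log: str) -> List[Finding]:
    processes, entries = parse_hjt(log)
    found: List[Finding] = []
    for proc in processes:
        if any(k in proc.lower() for k in ROGUE_MARKERS):
            found.append(Finding("high", "process", "known rogue program running", proc))
    for e in entries:
        low = e.text.lower()
        if any(k in low for k in ROGUE_MARKERS):
            found.append(Finding("high", e.section, "known rogue program", e.text))
        if "(file missing)" in low:
            found.append(Finding("review", e.section, "target file missing (stale entry or deleted file)", e.text))
        if e.section != "O4":
            continue
        if e.text.endswith("= ?"):
            found.append(Finding("review", e.section, "startup shortcut target unresolved", e.text))
        m = O4_RE.match(e.text)
        if m and "\\" not in autostart_target(m.group("command")):
            # A bare filename is resolved via the PATH search order, so the log
            # alone does not say which file actually runs.
            found.append(Finding("review", e.section, "bare filename, verify which file runs", e.text))
    return found

def fix_lines(findings: List[Finding]) -> List[str]:
    """HJT lines to tick for Fix Checked: the high-severity numbered entries."""
    return [f"{f.section} - {f.text}" for f in findings if f.severity == "high" and f.section != "process"]

# Constructed excerpt modelled on the log posted above, not the full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - Global Startup: VPN Client.lnk = ?
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section} {f.reason}: {f.text}")
    print("Tick in HijackThis:", fix_lines(triage(SAMPLE_LOG)))
```

Run it as-is to print the findings, or call triage() on a saved log. The single "high" line it returns is the same O4 entry Piney told Mojo to fix; the bare-filename hits (SOUNDMAN.EXE, point32.exe, IntEdReg.exe in the posted log) are legitimate here and are only marked for review because the log cannot show which file a bare name resolves to. Two things worth keeping in mind when reading the thread: HijackThis's Fix Checked removes the Run value, not the executable, which is why the folder is deleted as a separate step; and the .pf files in C:\Windows\Prefetch are written by Windows whenever a program runs, so a spyaxe.exe entry reappearing there after a reboot records that it executed again and is evidence of another launch mechanism rather than the mechanism itself.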

Unread postby Piney » December 13th, 2005, 3:44 pm

Sheesh, that grubby thing is very determined :(

Let me look this over, and I'll get back to you.

Do you have Adaware SE v 1.06 with newly updated files?
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Mojo » December 13th, 2005, 5:14 pm

Yes I do, and it is updated. So I did a scan [and kept a logfile] and followed the Ad-aware removal instructions. But when I rebooted the spyaxe had returned. Here is the logfile before attempted removal [the summary is 23 registry keys, 6 registry values, 20 files, and 4 folders]:


Ad-Aware SE Build 1.06r1
Logfile Created on:13 December 2005 20:48:23
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R79 09.12.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Malware.SpyAxe(TAC index:4):44 total references
MRU List(TAC index:0):8 total references
Other(TAC index:5):1 total references
Possible Browser Hijack attempt(TAC index:3):7 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


13-12-2005 20:48:23 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\MLC\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\MLC\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-220523388-152049171-682003330-1003\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-220523388-152049171-682003330-1003\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-220523388-152049171-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-220523388-152049171-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-220523388-152049171-682003330-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 504
ThreadCreationTime : 13-12-2005 20:43:50
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 632
ThreadCreationTime : 13-12-2005 20:43:52
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 660
ThreadCreationTime : 13-12-2005 20:43:53
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 980
ThreadCreationTime : 13-12-2005 20:43:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 992
ThreadCreationTime : 13-12-2005 20:43:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1168
ThreadCreationTime : 13-12-2005 20:43:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1228
ThreadCreationTime : 13-12-2005 20:43:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1348
ThreadCreationTime : 13-12-2005 20:43:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1396
ThreadCreationTime : 13-12-2005 20:43:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1448
ThreadCreationTime : 13-12-2005 20:43:54
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [ccproxy.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1700
ThreadCreationTime : 13-12-2005 20:43:54
BasePriority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Network Proxy Service
InternalName : ccProxy
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccProxy.exe

#:12 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1780
ThreadCreationTime : 13-12-2005 20:43:55
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:13 [issvc.exe]
FilePath : C:\Program Files\Norton Internet Security\
ProcessID : 1800
ThreadCreationTime : 13-12-2005 20:43:55
BasePriority : Normal
FileVersion : 8.0.5.14
ProductVersion : 8.0
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : IS Service
InternalName : ISSVC.exe
LegalCopyright : Copyright (c) 2004 Symantec Corporation
OriginalFilename : ISSVC.exe

#:14 [sndsrvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1824
ThreadCreationTime : 13-12-2005 20:43:55
BasePriority : Normal
FileVersion : 5.5.1.6
ProductVersion : 5.5
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:15 [spbbcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\
ProcessID : 1864
ThreadCreationTime : 13-12-2005 20:43:55
BasePriority : Normal
FileVersion : 1,0,1,47
ProductVersion : 1,0,1,47
ProductName : SPBBC
CompanyName : Symantec Corporation
FileDescription : SPBBC Service
InternalName : SPBBCSvc
LegalCopyright : Copyright (c) 2004 Symantec Corporation. All rights reserved.
OriginalFilename : SPBBCSvc.exe

#:16 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1964
ThreadCreationTime : 13-12-2005 20:43:55
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:17 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 464
ThreadCreationTime : 13-12-2005 20:43:56
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:18 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 828
ThreadCreationTime : 13-12-2005 20:43:58
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:19 [cvpnd.exe]
FilePath : C:\Program Files\Cisco Systems\VPN Client\
ProcessID : 936
ThreadCreationTime : 13-12-2005 20:43:58
BasePriority : Normal
FileVersion : 4.6.03.0021
ProductVersion : 4.6.03.0021
ProductName : Cisco Systems VPN Client
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
LegalCopyright : Copyright © 1998-2005 Cisco Systems, Inc.
OriginalFilename : CVPND.EXE

#:20 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 1200
ThreadCreationTime : 13-12-2005 20:43:58
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:21 [activitydisk.exe]
FilePath : C:\PROGRA~1\Iomega\System32\
ProcessID : 1312
ThreadCreationTime : 13-12-2005 20:43:58
BasePriority : Normal
FileVersion : 1, 7, 2, 0
ProductVersion : 1, 7, 2, 0
ProductName : SmartSoft ActivityDisk
CompanyName : Iomega Corporation
FileDescription : ActivityDisk
InternalName : ActivityDisk
LegalCopyright : Copyright © 2000
OriginalFilename : ActivityDisk.exe
Comments : Iomega Activity Disk Service Component For Windows 2000/NT

#:22 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 1404
ThreadCreationTime : 13-12-2005 20:43:58
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:23 [navapsvc.exe]
FilePath : C:\Program Files\Norton Internet Security\Norton AntiVirus\
ProcessID : 1436
ThreadCreationTime : 13-12-2005 20:43:58
BasePriority : Normal
FileVersion : 11.0.16.2
ProductVersion : 11.0.16
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:24 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1676
ThreadCreationTime : 13-12-2005 20:43:58
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:25 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ProcessID : 1912
ThreadCreationTime : 13-12-2005 20:43:58
BasePriority : Normal
FileVersion : 1.8.54.841
ProductVersion : 1.8.54.841
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright (C) 2003
OriginalFilename : symlcsvc.exe

#:26 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2224
ThreadCreationTime : 13-12-2005 20:44:02
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:27 [igfxtray.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2304
ThreadCreationTime : 13-12-2005 20:44:04
BasePriority : Normal
FileVersion : 3,0,0,1773
ProductVersion : 7,0,0,1773
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:28 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2328
ThreadCreationTime : 13-12-2005 20:44:05
BasePriority : Normal
FileVersion : 3,0,0,1773
ProductVersion : 7,0,0,1773
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : HKCMD.EXE

#:29 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 2336
ThreadCreationTime : 13-12-2005 20:44:05
BasePriority : Normal
FileVersion : 5.0.03
ProductVersion : 5.0.03
ProductName : Avance Sound Manager
CompanyName : Avance Logic, Inc.
FileDescription : Avance Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2002 Avance Logic, Inc.
OriginalFilename : ALSMTray.exe
Comments : Avance AC97 Audio Sound Manager

#:30 [imgicon.exe]
FilePath : C:\Program Files\Iomega\DriveIcons\
ProcessID : 2352
ThreadCreationTime : 13-12-2005 20:44:05
BasePriority : Normal


#:31 [type32.exe]
FilePath : C:\Program Files\Microsoft Hardware\Keyboard\
ProcessID : 2376
ThreadCreationTime : 13-12-2005 20:44:05
BasePriority : Normal


#:32 [point32.exe]
FilePath : C:\Program Files\Microsoft Hardware\Mouse\
ProcessID : 2428
ThreadCreationTime : 13-12-2005 20:44:05
BasePriority : Normal


#:33 [drives~1.exe]
FilePath : C:\PROGRA~1\Ahead\NEROTO~1\
ProcessID : 2488
ThreadCreationTime : 13-12-2005 20:44:07
BasePriority : Normal
FileVersion : 1, 6, 1, 0
ProductVersion : 1, 6, 1, 0
ProductName : DriveSpeed
CompanyName : Erik Deppe
FileDescription : Nero DriveSpeed
InternalName : DriveSpeed
LegalCopyright : Copyright (C) 1999-2002
OriginalFilename : DriveSpeed.EXE

#:34 [plguni.exe]
FilePath : C:\Program Files\McAfee\QuickClean\
ProcessID : 2616
ThreadCreationTime : 13-12-2005 20:44:08
BasePriority : Normal
FileVersion : 3.02.6000.0
ProductVersion : 3.02.6000.0
ProductName : QuickClean
CompanyName : Network Associates, Inc.
FileDescription : QuickClean Plug-In For McAfee Agent
InternalName : PlgUni.exe
LegalCopyright : Copyright © 2003 Networks Associates Technology, Inc. All Rights Reserved.
LegalTrademarks : QuickClean is a registered trademark of Network Associates, Inc and/or its affilates in the US or other countries.
OriginalFilename : PlgUni.exe

#:35 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 2668
ThreadCreationTime : 13-12-2005 20:44:08
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:36 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 2884
ThreadCreationTime : 13-12-2005 20:44:09
BasePriority : Normal
FileVersion : 6.0.1.3
ProductVersion : 6.0.1.3
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2005 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:37 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 3068
ThreadCreationTime : 13-12-2005 20:44:10
BasePriority : Normal
FileVersion : 7.0.3
ProductVersion : QuickTime 7.0.3
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2005
OriginalFilename : QTTask.exe

#:38 [spyaxe.exe]
FilePath : C:\Program Files\SpyAxe\
ProcessID : 3640
ThreadCreationTime : 13-12-2005 20:44:13
BasePriority : Normal
FileVersion : 3.0.0.0
ProductVersion : 3.0.0.0
ProductName : SpyAxe
CompanyName : SpyAxe.com
FileDescription : Anti-spyware software
InternalName : spyaxe
LegalCopyright : (c) SpyAxe.com. All rights reserved.
OriginalFilename : spyaxe.exe

#:39 [spyaxe.exe]
FilePath : C:\Program Files\SpyAxe\
ProcessID : 3684
ThreadCreationTime : 13-12-2005 20:44:14
BasePriority : Normal
FileVersion : 3.0.0.0
ProductVersion : 3.0.0.0
ProductName : SpyAxe
CompanyName : SpyAxe.com
FileDescription : Anti-spyware software
InternalName : spyaxe
LegalCopyright : (c) SpyAxe.com. All rights reserved.
OriginalFilename : spyaxe.exe

#:40 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 3692
ThreadCreationTime : 13-12-2005 20:44:14
BasePriority : Normal
FileVersion : 6.0.1.3
ProductVersion : 6.0.1.3
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2005 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:41 [rulaunch.exe]
FilePath : C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\
ProcessID : 3700
ThreadCreationTime : 13-12-2005 20:44:14
BasePriority : Normal
FileVersion : 2.03.1016.0
ProductVersion : 2.03.1016.0
ProductName : McAfee Instant Updater
CompanyName : Network Associates, Inc.
FileDescription : Instant Updater Main Program
InternalName : RuLaunch
LegalCopyright : Copyright © 1998-2003 Networks Associates Technology, Inc. All rights reserved.
OriginalFilename : RuLaunch.exe

#:42 [offman.exe]
FilePath : C:\Program Files\Intense Language Office\COMMON\
ProcessID : 3756
ThreadCreationTime : 13-12-2005 20:44:16
BasePriority : Normal


#:43 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3772
ThreadCreationTime : 13-12-2005 20:44:17
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:44 [wzqkpick.exe]
FilePath : C:\Program Files\WinZip\
ProcessID : 4076
ThreadCreationTime : 13-12-2005 20:44:30
BasePriority : Normal
FileVersion : 1.0 (32-bit)
ProductVersion : 8.1 (4319)
ProductName : WinZip
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
LegalCopyright : Copyright (c) WinZip Computing, Inc. 1991-2001 - All Rights Reserved
LegalTrademarks : WinZip is a registered trademark of WinZip Computing, Inc
OriginalFilename : WZQKPICK.EXE
Comments : StringFileInfo: U.S. English

#:45 [fcpms.exe]
FilePath : C:\Program Files\Freecom Personal Media Suite\
ProcessID : 4084
ThreadCreationTime : 13-12-2005 20:44:30
BasePriority : Normal
FileVersion : 2.03
ProductVersion : 2.03
ProductName : Freecom Personal Media Suite
CompanyName : Freecom
FileDescription : Personal Media Suite
InternalName : Zion
LegalCopyright : Copyright © 2003-2004
OriginalFilename : FCPMS.exe

#:46 [sgmain.exe]
FilePath : C:\Program Files\SpywareGuard\
ProcessID : 1428
ThreadCreationTime : 13-12-2005 20:44:32
BasePriority : Normal
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
ProductName : SpywareGuard
FileDescription : SpywareGuard
InternalName : sgmain
LegalCopyright : Copyright (C) 2002-2003 Javacool Software LLC
OriginalFilename : sgmain.exe
Comments : SpywareGuard

#:47 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2296
ThreadCreationTime : 13-12-2005 20:44:49
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:48 [msiexec.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3032
ThreadCreationTime : 13-12-2005 20:45:02
BasePriority : Normal


#:49 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 124
ThreadCreationTime : 13-12-2005 20:47:27
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 2004
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:50 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3780
ThreadCreationTime : 13-12-2005 20:48:01
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 8


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{957bab51-81ff-8195-f273-d7e286ea702f}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{2bb3bcbf-411a-4c67-8e69-f4bb301dc333}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0f68a8aa-a9a8-4711-be36-ae363efa6443}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{28420952-c82b-47d9-a042-fa2217d8a082}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3c099c83-8587-4b35-8af0-fc3a169ce14f}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3fe13f31-e890-4c37-8213-4b5f9a511c26}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{4cad27dc-1b60-42f4-820e-316fe0a13512}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{54874d12-c0c6-44cc-83fb-2c35202f881b}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{54a3200b-d76e-48d1-b35c-d87eaf6d90bd}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{663dfe59-032c-46fb-a09a-ffc2dc074f54}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{69ce4fbc-4861-4206-8211-dd5a9ee79ad3}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{afa9056f-aa11-4771-ae01-04ecfde18206}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b8f2487f-aa6a-4914-9a3f-db84e6868d66}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{e4645720-e02f-4bb2-8e6d-be7653dd1bf2}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{fa46b160-c9dd-4040-b9d9-ccf5d3db5438}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{fc1f0c2c-8117-427d-816c-215b68524f74}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{fd1eee96-8dc7-478d-be3b-7d06ac67fb66}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{fd8e5ed7-0091-416f-a55b-1d072d58a24f}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\spyaxe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 20
Objects found so far: 28


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe "http://www.spyaxe.com"
TAC Rating : 4
Category : Malware
Comment : (http://www.spyaxe.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe "http://www.spyaxe.com"
TAC Rating : 4
Category : Malware
Comment : (http://www.spyaxe.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe
Value : UninstallString

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe "http://www.spyaxe.com"
TAC Rating : 4
Category : Malware
Comment : (http://www.spyaxe.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe
Value : DisplayIcon

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe "http://www.spyaxe.com"
TAC Rating : 4
Category : Malware
Comment : (http://www.spyaxe.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe
Value : DisplayVersion

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe "http://www.spyaxe.com"
TAC Rating : 4
Category : Malware
Comment : (http://www.spyaxe.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe
Value : NSIS:StartMenuDir

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe "http://www.spyaxe.com"
TAC Rating : 4
Category : Malware
Comment : (http://www.spyaxe.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe
Value : URLInfoAbout

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe "http://www.spyaxe.com"
TAC Rating : 4
Category : Malware
Comment : (http://www.spyaxe.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe
Value : Publisher

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 35


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 35



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 35


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\spyaxe.exe

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\app paths\spyaxe.exe

Malware.SpyAxe Object Recognized!
Type : Folder
TAC Rating : 4
Category : Malware
Comment : Malware.SpyAxe
Object : C:\Documents and Settings\MLC\Start Menu\Programs\SpyAxe

Malware.SpyAxe Object Recognized!
Type : Folder
TAC Rating : 4
Category : Malware
Comment : Malware.SpyAxe
Object : C:\Program Files\SpyAxe

Malware.SpyAxe Object Recognized!
Type : Folder
TAC Rating : 4
Category : Malware
Comment : Malware.SpyAxe
Object : C:\Program Files\spyaxe\Lang

Malware.SpyAxe Object Recognized!
Type : Folder
TAC Rating : 4
Category : Malware
Comment : Malware.SpyAxe
Object : C:\Program Files\spyaxe\Quarantine

Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe 3.0.lnk
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Documents and Settings\MLC\Start Menu\



Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe 3.0.lnk
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Documents and Settings\MLC\Application Data\microsoft\internet explorer\quick launch\



Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe.lnk
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Documents and Settings\MLC\Desktop\



Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe 3.0 Website.lnk
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Documents and Settings\MLC\Start Menu\Programs\spyaxe\



Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe 3.0.lnk
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Documents and Settings\MLC\Start Menu\Programs\spyaxe\



Malware.SpyAxe Object Recognized!
Type : File
Data : Uninstall SpyAxe 3.0.lnk
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Documents and Settings\MLC\Start Menu\Programs\spyaxe\



Malware.SpyAxe Object Recognized!
Type : File
Data : English.ini
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Program Files\spyaxe\lang\



Malware.SpyAxe Object Recognized!
Type : File
Data : msvcp71.dll
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Program Files\spyaxe\
FileVersion : 7.10.3077.0
ProductVersion : 7.10.3077.0
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Microsoft® C++ Runtime Library
InternalName : MSVCP71.DLL
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MSVCP71.DLL


Malware.SpyAxe Object Recognized!
Type : File
Data : msvcr71.dll
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Program Files\spyaxe\
FileVersion : 7.10.3052.4
ProductVersion : 7.10.3052.4
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Microsoft® C Runtime Library
InternalName : MSVCR71.DLL
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MSVCR71.DLL


Malware.SpyAxe Object Recognized!
Type : File
Data : signatures.ref
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Program Files\spyaxe\



Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe.exe
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Program Files\spyaxe\
FileVersion : 3.0.0.0
ProductVersion : 3.0.0.0
ProductName : SpyAxe
CompanyName : SpyAxe.com
FileDescription : Anti-spyware software
InternalName : spyaxe
LegalCopyright : (c) SpyAxe.com. All rights reserved.
OriginalFilename : spyaxe.exe


Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe.url
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Program Files\spyaxe\



Malware.SpyAxe Object Recognized!
Type : File
Data : uninst.exe
TAC Rating : 4
Category : Malware
Comment :
Object : C:\Program Files\spyaxe\
FileVersion : 3.0.0.0
ProductName : SpyAxe 3.0
CompanyName : SpyAxe
FileDescription : SpyAxe Software Installer
LegalCopyright : 2004, All rights reserverd (c) SpyAxe.
OriginalFilename : SpyAxe_Setup.exe
Comments : Anti-Spyware Software


Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe.lnk
TAC Rating : 4
Category : Malware
Comment : Shortcut to bad file : C:\Documents and Settings\MLC\Desktop\SpyAxe.lnk
Object : C:\Documents and Settings\MLC\Desktop\



Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe 3.0.lnk
TAC Rating : 4
Category : Malware
Comment : Shortcut to bad file : C:\Documents and Settings\MLC\Start Menu\Programs\SpyAxe\SpyAxe 3.0.lnk
Object : C:\Documents and Settings\MLC\Start Menu\Programs\SpyAxe\



Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe 3.0.lnk
TAC Rating : 4
Category : Malware
Comment : Shortcut to bad file : C:\Documents and Settings\MLC\Start Menu\SpyAxe 3.0.lnk
Object : C:\Documents and Settings\MLC\Start Menu\



Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe 3.0 Website.lnk
TAC Rating : 4
Category : Malware
Comment : Shortcut to bad file : C:\Documents and Settings\MLC\Start Menu\Programs\SpyAxe\SpyAxe 3.0 Website.lnk
Object : C:\Documents and Settings\MLC\Start Menu\Programs\SpyAxe\



Malware.SpyAxe Object Recognized!
Type : File
Data : Uninstall SpyAxe 3.0.lnk
TAC Rating : 4
Category : Malware
Comment : Shortcut to bad file : C:\Documents and Settings\MLC\Start Menu\Programs\SpyAxe\Uninstall SpyAxe 3.0.lnk
Object : C:\Documents and Settings\MLC\Start Menu\Programs\SpyAxe\



Other Object Recognized!
Type : File
Data : SPYAXE.EXE-1E39CDF6.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\prefetch\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 25
Objects found so far: 60

20:59:03 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:39.875
Objects scanned:143715
Objects identified:53
Objects ignored:0
New critical objects:53

Thank you - hope this helps. Mojo.
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Piney » December 13th, 2005, 6:16 pm

Thank you Mojo :)

Hang tuff for a minute or so, I need to formulate some instructions, but I should post within just a few minutes.

SpyAxe is NOT invincible ;)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Piney » December 13th, 2005, 6:54 pm

Mojo, I need for you to delete the smitrem that you have, and download a new one.
noahdfear has updated his fix to include what may have caused the resistance by SpyAxe.

Go: here to download smitRem
Double click on the file to extract it to its own folder on the desktop


Make sure Ewido is updated and setup as below:
Go to: http://download.ewido.net/ewido-setup.exe
• Install Ewido Security Suite
• When installing, under "Additional Options" uncheck:
  ◦ Install background guard
  ◦ Install scan via context menu
• Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
• On the left hand side of the main screen click update.
• Then click on Start Update.
The update will start and a progress bar will show the updates being installed.

If you are having problems with the updater, you can use this link to manually update Ewido
http://www.ewido.net/en/download/updates/
When you have finished updating, EXIT Ewido.

Copy or print out the next, as you will not have internet connection while in Safe Mode.

Start up your computer, after the first 'beep' begin tapping on the F8 key. A black menu page will appear.
Use your arrow keys to choose Safe Mode (without networking!)
Click on the Enter key.
Your desktop will appear, although it will be very distorted. The words Safe Mode will be in each corner of the desktop.

Disable SpywareGuard:

Right click the running icon of Spywareguard, it will open the program.
Then go to Menu, file, exit.
Then confirm the program is closed.
Once we are finished, remember to re-enable Spywareguard.

We need to open up hidden files and folders. Click Start>>>>Control Panel>>>>Folder Options and double click.
Under the View tab scroll down to Hidden Files and Folders
Check Show hidden files and folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended) and answer Yes
Click Apply and click OK

While still in the Control Panel, double click on Add/Remove Programs
Scroll ... find ... highlight and delete/uninstall/remove (if present)
Security Toolbar
SpyAxe
You will be prompted to reboot... choose NO
Close out of the Control Panel

Open HJT and scan. Place a check/tick next to these items (if present):
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
With everything closed (Nothing open) except HijackThis, click on the Fix Checked button. Close HJT.

Open the smitRem folder, double-click on the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C:, or the partition where your operating system is installed.
Please post that log along with all others requested in your next reply.

Run Ewido with its updated definitions (it's important that all windows are closed):
Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
"Perform action on all infections"
Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop.


On your keyboard, click on the Windows key and the E key to bring up your Windows Explorer
Click to expand the C:\ drive, navigate to and delete the following files/folders:
Look in the System32 Folder for any hpxxx.tmp files and delete them all.
C:\Program Files\SpyAxe
C:\Program Files\Security Toolbar
While you still have your Windows Explorer open, scroll through the C:\Windows to the Prefetch folder. Open the folder and delete all the contents.
Do not delete the folder, just the contents of the Prefetch folder. Close Windows Explorer.
Empty your recycle bin.
Reboot normally

After the reboot, on a clear spot on your desktop, right-click and choose Properties
Under the Desktop tab, click on Customize Desktop
Click on Web tab and uncheck/delete Security Info if present
Click OK
Click Apply and then click OK

Do an online scan at: http://www.pandasoftware.com/products/activescan.htm
Click the "Free use Active scan" in the upper right of the web page.
Click Scan your PC & a 'pop up' window will appear.
Make sure your popup blocker allows this to come up.
Click Scan Now
Enter your e-mail address & click Scan Now ...
The program will begin downloading Panda's ActiveX controls (8 MB)
Begin the scan by selecting My Computer
If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Reboot normally once more.

Open HJT, scan, and save the report.
Paste the Ewido log, the smitfiles.txt, the Panda scan log and the new HijackThis log to this thread.
I'll be watching for your reply.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm
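As an added example (not from this thread, HijackThis or smitRem): a small Python triage script that parses the O3/O4/O23 lines of a HijackThis log, reduces each entry to the program it launches, and flags entries under the directories the Ad-Aware log above attributed to SpyAxe. The sample log lines are constructed from entries quoted in this thread; the before/after comparison is how you confirm that "Fix checked" actually removed the Run value.

```python
"""HijackThis 1.99.1 log triage helper (added example, not part of any tool in this thread).

Parses O3 (toolbars), O4 (Run keys / startup folders) and O23 (services), extracts the
program path from each entry, and flags paths under directories named as SpyAxe artifacts.
"""
import re
from dataclasses import dataclass

# Directories the Ad-Aware log and the helper's instructions attribute to SpyAxe.
SUSPECT_ROOTS = (
    r"c:\program files\spyaxe",
    r"c:\program files\security toolbar",
)

# O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 - Startup: Name.lnk = C:\path\prog.exe
O4_STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# O3 - Toolbar: Name - {CLSID} - C:\path\x.dll (file missing)
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<cmd>.*)$")
# O23 - Service: Display (short) - Company - C:\path\svc.exe
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<cmd>.*)$")


@dataclass
class Entry:
    section: str   # "O3", "O4" or "O23"
    location: str  # run key, startup folder, CLSID or service company
    name: str
    path: str      # program path with quotes, switches and "(file missing)" stripped
    raw: str


def _program_path(cmd: str) -> str:
    """Return the executable path from a command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path ends before the first " /x" or " -x" switch, else at end of line.
    path = re.match(r"^(.*?)(?:\s+[/-]\S.*)?$", cmd).group(1)
    # HijackThis appends "(file missing)" when the target no longer exists on disk.
    return path.replace("(file missing)", "").strip()


def parse_hjt(log: str) -> list[Entry]:
    """Parse the O3/O4/O23 entries of a HijackThis log into Entry records."""
    entries = []
    patterns = (("O4", O4_RE), ("O4", O4_STARTUP_RE), ("O3", O3_RE), ("O23", O23_RE))
    for line in log.splitlines():
        line = line.strip()
        for section, rx in patterns:
            m = rx.match(line)
            if not m:
                continue
            g = m.groupdict()
            location = g.get("hive") or g.get("clsid") or g.get("company") or ""
            entries.append(Entry(section, location, g["name"], _program_path(g["cmd"]), line))
            break
    return entries


def flag_suspects(entries: list[Entry], roots=SUSPECT_ROOTS) -> list[Entry]:
    """Entries whose program path is one of the suspect directories or lies below one.

    The trailing backslash matters: C:\\Program Files\\SpywareGuard must not match SpyAxe."""
    flagged = []
    for e in entries:
        p = e.path.lower()
        if any(p == r or p.startswith(r + "\\") for r in roots):
            flagged.append(e)
    return flagged


def removed_between(before: str, after: str) -> list[str]:
    """Raw entries present in the earlier log but absent from the later one."""
    later = {e.raw.lower() for e in parse_hjt(after)}
    return [e.raw for e in parse_hjt(before) if e.raw.lower() not in later]


# Constructed excerpt: the O4 line the helper asked to fix plus benign entries from the thread.
BEFORE_FIX = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKCU\..\Run: [Play_PC_Backup] C:\Program Files\PC Backup\pcbackup.exe -silent
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Constructed post-fix excerpt: the same entries minus the SpyAxe Run value.
AFTER_FIX = "\n".join(l for l in BEFORE_FIX.splitlines() if "[SpyAxe]" not in l)

if __name__ == "__main__":
    for e in flag_suspects(parse_hjt(BEFORE_FIX)):
        print(f"SUSPECT {e.section} {e.location} [{e.name}] -> {e.path}")
    print("removed by the fix:", removed_between(BEFORE_FIX, AFTER_FIX))
```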

Unread postby Mojo » December 14th, 2005, 5:42 pm

Hello Piney.
Well, following your instructions it now looks like Spyaxe is no longer reloading when I reboot. The icon does not appear and it no longer features in my programmes. However, there is still something not right. When I reboot I get pop-ups "Windows Installer .......preparing to install" and "Norton Antivirus 2005 does not support the Repair feature, please uninstall and reinstall".
When I did the Panda scan, the scanning process appeared in a new window which was "cut-off" on the right hand side. I could not enlarge the window. At the completion of the scan it showed that it had detected 2 spyware files, but there was no feature on view to allow me to save the scan. Here are the new HJT log, smitfiles.txt, and the Ewido log. Thank you for your continuing patience. Mojo


Logfile of HijackThis v1.99.1
Scan saved at 20:08:48, on 14/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program Files\McAfee\QuickClean\PlgUni.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\PlgUni.exe" /START
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [Play_PC_Backup] C:\Program Files\PC Backup\pcbackup.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3232885125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - http://register.btinternet.com/template ... rol023.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

___________________________________________

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 13/12/2005
The current time is: 23:29:44.25

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

ioctrl.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 744 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)
--______________________________________________________

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 23:46:21, 13/12/2005
+ Report-Checksum: 50EC3C0C

+ Scan result:

No infected objects found.


::Report End
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Piney » December 14th, 2005, 7:15 pm

Thank you for the logs and the info. Let me do a mind meld with my mentor and see what we can come up with that will help you.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Piney » December 15th, 2005, 2:19 am

Mojo, I want to thank YOU for your patience. I know the computer is important to you, and you have been very gracious about waiting.

Smitrem noted two shortcut URLs, which were also mentioned in your Adaware log:
Malware.SpyAxe Object Recognized!
Type : File
Data : SpyAxe 3.0 Website.lnk
TAC Rating : 4
Category : Malware
Comment : Shortcut to bad file : C:\Documents and Settings\MLC\Start Menu\Programs\SpyAxe\SpyAxe 3.0 Website.lnk
Object : C:\Documents and Settings\MLC\Start Menu\Programs\SpyAxe\

so we will do two things.

Click on the Windows key and the E key to bring up your Windows Explorer
Expand your C:\ drive >>> Documents and Settings >>> MLC >>> Start Menu >>> Programs and delete any instance of SpyAxe found in the right pane.

Close Windows Explorer

Click Start >>> Run... type Cleanmgr.exe into the box.
Let the program scan your machine. When finished make sure these 3 are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

Press OK
Once done, reboot your machine.

Open Adaware SE, update the definitions before doing a full system scan.
Fix everything found.

If unable to fix/quarantine something, make a note of it to post with your next HJT log.

Reboot, open HijackThis and scan. Save the report to paste here.

As to the Nortons warning... I found this Symantec site: http://service1.symantec.com/SUPPORT/nav.nsf/5faa3ca6df6f549888256edd0061c0a4/fc096f3adb76b4d388256f08006d038b?OpenDocument&src=bar_sch_nam&seg=ag

Follow their instructions from the top down. The online malware scanner at Symantec used to give a lot of false positives, so I won't recommend you do it.

There IS an automated (free) on-site analyzer you can use to check for bad files within the Norton's product.
If it comes down to doing an uninstall, they used to have a tool to use, which will remove most while leaving some items for the re-install. I've uninstalled Nortons from several machines and it is not impossible, but it is difficult.

I suggest we make sure the SpyAxe stuff is gone before you attempt to mess with Nortons.

I'll be watching for your HJT log, any difficulties you encountered and an update on your computer's performance.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm
