Welcome to MalwareRemoval.com,

SpyAxe is pestering me!!!!

Post by somethinglikeemo » June 7th, 2006, 10:34 pm

I'm pretty sure my computer is infected with SpyAxe. I've posted my hijackthis log below. I used the free version of TrojanHunter as well as a paid version of spydoctor to attempt to remove the virus. I got the flashing icons to go away but my computer is still running pretty slowly. Thanks for any help ahead of time.

Logfile of HijackThis v1.99.1
Scan saved at 9:56:46 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134592475\ee\AOLSoftware.exe
C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
c:\program files\common files\aol\1134592475\ee\aim6.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSProxy Support Dll - {1920E150-5D27-4B95-B60B-D68B78928441} - C:\WINDOWS\system32\msprxcore.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: XBTBPos00 - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - C:\PROGRA~1\MORPHE~1\MORPHE~1.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134592475\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe -t
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-Aware] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... YYYYYYYYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.0.15.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
somethinglikeemo
Active Member
Posts: 7
Joined: June 7th, 2006, 9:49 pm

Post by whisperer » June 8th, 2006, 5:10 pm

Hi somethinglikeemo and welcome to the Malware Removal forums. My name is Whisperer and I will be assisting you with your problem.

Thanks for the descriptions of your problems; I am sure that you appreciate that it will take time to fully analyse your log, so I will get back to you as soon as possible.

GT ;)
whisperer
Retired Graduate
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Post by whisperer » June 9th, 2006, 5:54 pm

Back again,

You are infected with a Trojan of the Spyaxe/Smitfraud family of malware so we will deal with that now. Please note that there are other elements in your log that should be addressed but that will be in a later fix.

  1. Please download this file SmitfraudFix (by S!Ri) to your desktop
    1. Extract the content to your Desktop; a folder named SmitfraudFix will appear
    2. Open the SmitfraudFix folder and click to open smitfraudfix.cmd
    3. Follow the prompt and then select option #1 - Search by typing 1 and press Enter
    4. When complete, a text file will appear, which lists infected files (if present).
    5. Enter Q and press Enter
    6. Do not run any other process until you are asked to do so
    7. The program will make a log file called rapport.txt in the root drive

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. In this case disregard the warnings.
  2. Please make a new scan with HijackThis and save the log
  3. Please post
    • The Smitfraud report (C:\Rapport.txt)
    • The new HijackThis log

GT ;)
whisperer
Retired Graduate
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall
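A helper reaches a diagnosis like the one above by reading the first log's entries, such as the O2 BHO pointing at a missing hp100.tmp and the O23 services with no listed owner. As an added example, not code from HijackThis, SmitfraudFix or the forum, here is a small Python triage script run over a constructed subset of those log lines; it flags the kinds of entries a helper looks at first (orphaned registrations, browser components loaded from .tmp files, nameless BHOs, services with an unknown owner), and anything it flags still needs a human to judge.

```python
"""Triage HijackThis v1.99.1 log lines for the signals a helper checks first.

Added example, not HijackThis's own code or the forum's fix.  It parses the
O2/O3/O9/O23 line shapes seen in the thread and flags orphaned entries, BHOs
loaded from .tmp files, nameless BHOs and services with no listed owner.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of lines in the format of the thread's first log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSProxy Support Dll - {1920E150-5D27-4B95-B60B-D68B78928441} - C:\WINDOWS\system32\msprxcore.dll (file missing)
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing)
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
"""

# Line shapes HijackThis uses for the sections handled here.
CLSID = r"(?P<clsid>\{[0-9A-Fa-f-]+\})"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - "
                   + CLSID + r" - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

MISSING = "(file missing)"


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def _strip_missing(path):
    """Split HijackThis's trailing '(file missing)' marker off a path."""
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].rstrip()
    return path, missing


def triage_line(line):
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.rstrip()
    for section, rx in (("O2", O2_RE), ("O3", O3_RE), ("O9", O9_RE)):
        m = rx.match(line)
        if not m:
            continue
        path, missing = _strip_missing(m.group("path"))
        f = Finding(section, m.group("name"), path)
        if missing:
            f.reasons.append("registered file is missing (orphaned entry)")
        if path.lower().endswith(".tmp"):
            f.reasons.append("browser component loaded from a .tmp file")
        if section == "O2" and m.group("name").strip().lower() in ("", "nothing", "(no name)"):
            f.reasons.append("BHO has no meaningful name")
        return f if f.reasons else None
    m = O23_RE.match(line)
    if m:
        path, missing = _strip_missing(m.group("path"))
        f = Finding("O23", m.group("name"), path)
        if m.group("owner").strip().lower() == "unknown owner":
            f.reasons.append("service has no listed owner")
        if missing:
            f.reasons.append("service binary is missing")
        return f if f.reasons else None
    return None


def triage(log_text):
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name!r} -> {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```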

New Logs

Post by somethinglikeemo » June 10th, 2006, 1:16 am

I did what you requested. Below are the HijackThis and Smitfraud logs you asked for.

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 1:08:02 AM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134592475\ee\AOLSoftware.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe
c:\program files\common files\aol\1134592475\ee\aim6.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: XBTBPos00 - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - C:\PROGRA~1\MORPHE~1\MORPHE~1.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134592475\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe -t
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-Aware] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... YYYYYYYYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.0.15.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

Smitfraud:

SmitFraudFix v2.56

Scan done at 1:14:15.10, Sat 06/10/2006
Run from C:\Documents and Settings\Mark\My Documents\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mark\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Mark\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
somethinglikeemo
Active Member
Posts: 7
Joined: June 7th, 2006, 9:49 pm

Post by whisperer » June 10th, 2006, 5:57 am

If you have it, please pass a copy of the Ewido log to see what it unearthed. Have the Spyaxe symptoms gone now?

GT ;)
whisperer
Retired Graduate
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Update

Post by somethinglikeemo » June 10th, 2006, 11:43 am

Okay, I am currently running a new scan of Ewido so I can give you an updated log file. I'll post it later today, as Ewido takes a while to run because I have a lot of files on my computer. In regards to the virus itself, most of the symptoms have gone away. My computer is running faster but still not at the speed it was before I contracted the infection, and I am still receiving many pop-ups even when using Mozilla Firefox. I attribute the progress to the use of a file called Smitrem. I downloaded it from another forum post and applied the instructions they gave. It's basically an uninstaller for the virus. The main symptom my computer is still exhibiting, though, is my Windows Explorer crashing. I get the message box that says it's not responding and that I should send an error report. Hopefully with this info we can figure out where to go from here. Also I was wondering, after all of the problems have been solved on my computer, is there a way to prevent this from happening again, as this is the 3rd time I've contracted something this bad in 2 years? Thank you again.
somethinglikeemo
Active Member
Posts: 7
Joined: June 7th, 2006, 9:49 pm

Ewido Log

Post by somethinglikeemo » June 10th, 2006, 12:00 pm

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:58:40 AM, 6/10/2006
+ Report-Checksum: 763597F

+ Scan result:

:mozilla.7:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.239:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.240:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.241:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.248:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.249:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.250:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.259:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
:mozilla.267:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.269:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.281:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.282:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\r2iwguug.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Mark\Cookies\mark@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Mark\Cookies\mark@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Mark\Cookies\mark@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Program Files\Media-Codec -> Trojan.Small : Cleaned with backup
C:\Program Files\Media-Codec\uninst.exe -> Trojan.Small : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9AE14E27-7B4A-4F07-B38C-5AD11C\024EF102-8820-485C-8672-A1E33E -> Adware.180Solutions : Cleaned with backup


::Report End
somethinglikeemo
Active Member
 
Posts: 7
Joined: June 7th, 2006, 9:49 pm

Unread postby whisperer » June 11th, 2006, 3:23 am

somethinglikeemo,

I am glad that you told me about Smitrem as I was beginning to doubt my sanity. Your earlier log had shown the Spyaxe problem and whilst we were investigating the extent of the infection it had gone from the next log as if by magic. I then wasted some time investigating how. For your information, Smitrem is an older tool than Smitfraudfix and not so efficient. At least I now know why the Smitfraud log was clean.

We are happy to help you get your system clean; however, in order to accomplish that it is going to be necessary for you to refrain from doing fixes on your own as this is counterproductive and may even interfere with the removal process itself. There are fixes that must be done in a particular order, and there are fixes that should not be done at all, depending on the infection. My helpers and I cannot do the job properly if you are trying to fix things on your own.

You have, however, shown an aptitude for removing Malware so once we have got your computer clean, why not enrol at the Malware Removal University? You will be made most welcome.

  1. To assist diagnosis I would like a list of installed programs.
    1. Open HijackThis and select Open the Misc Tools section
    2. Click on the Open Uninstall Manager…
    3. Select the Save List button
    4. I suggest that you accept the default name of uninstall_list.txt and save the file to your desktop
    5. Close HijackThis
  2. Please post the uninstall_list.txt back in your next response

GT ;)
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Uninstall_List

Unread postby somethinglikeemo » June 11th, 2006, 11:39 am

This is the list of programs that you requested. I apologize for using Smitrem without asking first. The whole situation has really been getting to me and I kinda went off on it. Thank you for the continued help though. You've been doing a great job.

Programs List:

Ad-Aware SE Plus
Adobe Audition 2.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 2.0
Adobe Photoshop CS2
Adobe Reader 7.0.7
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
AOL Uninstaller (Choose which Products to Remove)
AP Tuner 3.06
a-squared Personal 1.6.5
AviSynth 2.5
Booking MPire Trial
Canon i450
Canon PIXMA iP2000
ccCommon
Command & Conquer Renegade
Crimsonland
CueClub
DivX
DivX Player
Drug Lord 2
Easy CD & DVD Creator 6
ewido anti-malware
HijackThis 1.99.1
Hitman 2: Silent Assassin
IC Card Reader Driver v1.9e2
InCD (Ahead Software)
Internet Worm Protection
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 6
Kai's Power Goo SE
KhalSetup
Lavasoft VX2 Cleaner
Linksys Wireless-G USB Network Adapter
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Logitech Desktop Messenger
Logitech SetPoint
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Media Video 9 VCM
Microsoft Works 7.0
mIRC
Morpheus 5.2 (remove only)
Morpheus Toolbar
Mozilla Firefox (1.5.0.4)
MSN Music Assistant
MyDVD
Nero
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
NVIDIA PureVideo Decoder
Office Animation Runtime
Plaxo Toolbar for Outlook and Outlook Express
PPLive 1.1.0.7
QuickTime
RealArcade
RealPlayer
RenGuard
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Sound Blaster Live!
SPBBC
Spyware Doctor 3.8
Symantec
Symantec Script Blocking Installer
SymNet
Synacast Plug-in 1.1.0.7
TrojanHunter 4.5
Tweak-SE plug-in for Ad-Aware SE
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
USB Storage Driver
VIA Rhine-Family Fast Ethernet Adapter
Videora iPod Converter 0.91
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Westwood Shared Internet Components
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Wrestling Spirit
somethinglikeemo
Active Member
 
Posts: 7
Joined: June 7th, 2006, 9:49 pm

Unread postby whisperer » June 11th, 2006, 12:01 pm

Thanks Mark,

I do not have Norton on my machines; do you have a firewall other than the Windows Firewall installed?

GT ;)
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Firewall

Unread postby somethinglikeemo » June 11th, 2006, 7:23 pm

I don't have any other firewalls other than Windows Firewall. I've considered getting one in the past but never had the money. Should I get one when this is all said and done?
somethinglikeemo
Active Member
 
Posts: 7
Joined: June 7th, 2006, 9:49 pm

Unread postby whisperer » June 12th, 2006, 5:44 pm

somethinglikeemo,

Thank you for the list. You have programs that I would recommend removing and one that must go; two of these could well be the source of your continuing problems. You also have a couple of resource hogs that need not be running at start-up.

  1. You have evidence of a Real player on your computer.
    1. If it is RealOne Player then I would recommend its removal.
    2. If you prefer to keep it OR it is the Real Player Classic then I suggest you navigate to C:\Program Files\Common Files\Real\Update_OB\ and rename the Realsched.exe file to Realsched.exe.old.
    3. To assist you further have a look at this post
  2. The second program is the P2P Morpheus program, any P2P program is going to be a likely source of Malware, some more than others. To minimize the risk it is imperative that you have a good anti-virus and firewall in place. I have posted removal instructions for Morpheus and in its place I would suggest Limewire as it is known to be clean of embedded malware. Morpheus is still under investigation.
  3. The third program that can safely be removed is the InCD program, see the quote below. As with Real Player, this is entirely optional and will be shown as such in the fix below.
    From Answers that Work
    The InCD software enables you to drag files onto a CD-R directly from Windows Explorer, or to save onto CD directly from within applications like Microsoft Word, without using the CD Recording software that came with your CD-Writer (Nero). While a great and potentially very useful concept, the limitations of InCD CDs (CDs created with InCD are only ever guaranteed to be readable in CD Writers that are the same model as the CD Writer in which the CD was created – it is not unusual not to be able to read a CD created via InCD, in another CD-ROM drive) lead us to always recommend its removal. We advocate to instead always use its sister product, Nero (also called "Nero Burning ROM"), to create CDs, as that is the only method that guarantees that you will be able to read the CDs you create in any other CD, CD-Writer, or DVD drive – a crucial consideration if you are using CDs for data backups!

  4. The first thing to do is to upgrade your protection: the Windows firewall is a one-way firewall in that it prevents Malware from coming on to your computer, BUT any Malware that is already present will not be prevented from passing sensitive information off of your computer.
  5. I cannot stress too much how important this is to your protection against malware. There are many paid and free versions available for your use, but in the interim I would suggest that you install the following free program:
    • Zone Labs ZoneAlarm. Go straight to the download.
    • Once ZoneAlarm is installed you can disable the Windows Firewall

    We will now carry out an update to Java and then move on to the removal of those 3 programs.
  6. Click here to download and install JRE 5.0 Update 7.
    • Click the link "Download JRE 5.0 Update 7".
    • You will need to Accept License Agreement and click Continue.
    • Click the link Windows Offline Installation, Multi-language, and save it to your Desktop.
    • Click to open the jre-1_5_0_07-windows-i586-p.exe to start the install.
  7. Go to Start, click Control Panel, then select Add or Remove Programs from the list of options. Locate the following programs, select each one and choose Remove; do not worry if you cannot find any of them:
    • J2SE Runtime Environment 5.0 Update 1
    • J2SE Runtime Environment 5.0 Update 6

      Optional but recommended
    • Morpheus 5.2 (remove only)
    • Morpheus Toolbar
    • RealPlayer
    • InCD (Ahead Software)
    Next is a clean-up of some HJT entries. I have included all of the recommended ones, so if you have not removed them then do not select them below.
  8. With all other windows closed, start your HijackThis and click on Scan
    1. Click in the check-box to the left of each of the following entries, if found
      • O2 - BHO: XBTBPos00 - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - C:\PROGRA~1\MORPHE~1\MORPHE~1.DLL (file missing)
      • O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
      • O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
      • O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      • O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... YYYYYYYYUS
      • O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
      • O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
      • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

        The following two are resource hogs that do not need to be running at start-up
      • O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
      • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    2. Select Fix Checked
  9. When you have done this please run CCleaner again
  10. Please post
    • A new HijackThis log
    • Updated information on how the computer is behaving

GT ;)
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall
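As an added example (not HijackThis's code nor the forum's), the triage below parses the HijackThis entry formats quoted in this thread and flags the same kinds of entries the helper picked out: orphaned "(file missing)" registrations, entries belonging to programs slated for removal, start-up items that need not run at boot, and references to a superseded JRE. The removal list, the boot-hog list and the current JRE folder are assumptions taken from the post above, and the sample lines are a constructed subset of the logs quoted in the thread.

```python
"""Triage of HijackThis 1.99 log entries (added example, not HijackThis's own code)."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")  # O4 ...\Run: [Name] command
LNK_RE = re.compile(r"^[^:]+: (?P<name>.+?) = (?P<cmd>.*)$")       # O4 Startup: Name.lnk = path
JRE_RE = re.compile(r"jre1\.\d+\.\d+_\d+", re.IGNORECASE)

# Assumptions taken from the helper's post in this thread, not from HijackThis itself.
REMOVED_PROGRAMS = ("Morpheus", "InCD", r"Real\Update_OB")  # path fragments of programs being removed
BOOT_HOGS = ("NeroCheck.exe", "qttask.exe")                  # start-up items that need not run at boot
CURRENT_JRE = "jre1.5.0_07"                                   # JRE folder after the Java update

@dataclass
class Entry:
    section: str        # "O2", "O4", "O23", ...
    name: str           # BHO/toolbar name, Run value name, service name, ...
    path: str           # file, executable or URL the entry points at
    guid: str           # CLSID if the entry carries one, else ""
    file_missing: bool  # HijackThis appended "(file missing)"

def exe_from_command(cmd: str) -> str:
    """Return the executable of an O4 command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path; arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def parse_line(line: str):
    """Parse one HijackThis log line; returns None for lines that are not entries."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2).strip()
    file_missing = rest.endswith("(file missing)")
    if file_missing:
        rest = rest[: -len("(file missing)")].rstrip()
    g = GUID_RE.search(rest)
    guid = g.group(0).upper() if g else ""
    if section == "O4":
        m4 = RUN_RE.match(rest) or LNK_RE.match(rest)
        if m4:
            return Entry(section, m4["name"], exe_from_command(m4["cmd"]), guid, file_missing)
    # Generic "Kind: Name - {CLSID} - path" (O2/O3/O9) or "Service: Name - Vendor - path" (O23)
    _, sep, body = rest.partition(": ")
    parts = [p.strip() for p in (body if sep else rest).split(" - ")]
    return Entry(section, parts[0], parts[-1] if len(parts) > 1 else "", guid, file_missing)

def triage(lines, removed_programs=REMOVED_PROGRAMS, boot_hogs=BOOT_HOGS, current_jre=CURRENT_JRE):
    """Return [(entry, reason)] for entries that merit a look, in log order."""
    hogs = {h.lower() for h in boot_hogs}
    findings = []
    for e in filter(None, map(parse_line, lines)):
        haystack = f"{e.path} {e.name}".lower()
        jre = JRE_RE.search(e.path)
        if e.file_missing:
            findings.append((e, "file missing: orphaned registration, safe to fix"))
        elif any(frag.lower() in haystack for frag in removed_programs):
            findings.append((e, "belongs to a program slated for removal"))
        elif e.section == "O4" and e.path.lower().rsplit("\\", 1)[-1] in hogs:
            findings.append((e, "start-up entry that need not run at boot"))
        elif jre and jre.group(0).lower() != current_jre.lower():
            findings.append((e, f"references superseded {jre.group(0)}"))
    return findings

def shared_clsids(lines):
    """CLSIDs registered in more than one section (e.g. a toolbar in O3 and O9): fix all together."""
    seen = {}
    for e in filter(None, map(parse_line, lines)):
        if e.guid:
            seen.setdefault(e.guid, []).append(e.section)
    return {g: s for g, s in seen.items() if len(s) > 1}

# Constructed sample: a subset of the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: XBTBPos00 - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - C:\PROGRA~1\MORPHE~1\MORPHE~1.DLL (file missing)
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{entry.section:<4}{entry.name:<36}{reason}")
    for clsid, sections in shared_clsids(SAMPLE_LOG.splitlines()).items():
        print(f"{clsid} registered in {', '.join(sections)}: fix all of them together")
```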

Finished!!!

Unread postby somethinglikeemo » June 12th, 2006, 10:06 pm

I followed all of your instructions. Everything seems to have speeded up but I'll give it a few days to make sure nothing is wrong. I scanned with Hijackthis again. The log is below.

Logfile of HijackThis v1.99.1
Scan saved at 10:02:17 PM, on 6/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\1134592475\ee\AOLSoftware.exe
C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134592475\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe -t
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Ad-Aware] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.0.15.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
somethinglikeemo
Active Member
 
Posts: 7
Joined: June 7th, 2006, 9:49 pm

Unread postby whisperer » June 15th, 2006, 2:23 am

Nearly there,

It is strongly recommended that you remove Logitech’s Desktop Manager as it really does slow the computer down. Do this through Add or Remove Programs. The Google version is not so bad. Similarly, AIM is a route that is used extensively by the Adware merchants and you should look for one of the all-in-ones like Trillian as an alternative chat facility.

I missed an O16. FunWebProducts are renowned for their adware, so I would stay away from there.
  1. With all other windows closed, start your HijackThis and click on Scan
    1. Click in the check-box to the left of each of the following entries, if found
    2. Select Fix Checked

    That should now give you a Clean log so just a tidy up required now.
  2. First I would like you to boot into Safe mode and run Ewido, curing anything it finds. Please repeat this until it states that you are clean.
  3. Download CCleaner
    1. Select the Download Latest Version link (top of green column) and save to your desktop
    2. Right-click the ccsetup127.exe file on your desktop and select Open
    3. Follow the on-screen instructions through to the Install Options page. I suggest you only retain the following 2 options
      • Add Desktop Shortcut
      • Automatically check for updates etc…
    4. Click Install
      To setup CCleaner
    5. Click on the CCleaner icon on your desktop.
    6. From the menu on the left select Options
    7. Now select Advanced. On the right remove the check against Only delete files in Windows Temp folders older than 48 hours.
    8. Select Cookies. When CCleaner is run it will remove all of the cookies in the left window; if there are cookies that you wish to retain then select them and transfer them to the right window. Multiple selections can be made by holding down the Ctrl key before selecting.
    9. Select Cleaner from the left menu and the Windows tab
      • Under Internet Explorer place ticks in all but the last box
      • Under Windows Explorer tick the last two only
      • Under System tick all boxes
      • There is no need to tick anything under Advanced
    10. From the menu on the left click on Analyze
    11. When the analysis is complete, click on Run Cleaner and OK at the next screen.
    12. Close CCleaner
  4. Carry out a Defragmentation of your drive(s) by
    • Click Start and then Programs
    • Choose Accessories, select System Tools
    • Run Disk Defragmenter
    • Select the drive you wish to defragment. I then just go straight to the Defragment button, but you could click Analyse if you wish
    • If you have not done this for a while it will take a long time to complete. If done fortnightly thereafter, together with CCleaner, it will keep your disk(s) in good condition and you will notice a difference in performance
Preventative measures
  1. Please download the following free program to complement your AdAware. Update them both and run them at regular intervals
  2. In addition I would suggest that you install the following 3 free programs, keep these updated as they are background tools
    1. SpywareBlaster - Excellent prevention tool to keep Malware from installing on your system.
    2. SpywareGuard provides a shield against infection
    3. IE-SpyAd puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. A tutorial is available here
  3. Windows Updates – It is very important to ensure that Internet Explorer and Windows are kept up to date with the latest critical security patches from Microsoft. Click on the Start button and select Windows Update, follow the online instructions from there.
  4. On a similar vein do ensure that all of your Anti-Virus and Anti-Malware software are also kept up to date.
  5. To find out more information about how you got infected in the first place and some excellent guidelines to follow to prevent future infections you can read this article by Tony Klein

Stand up and be counted
Should you wish to register a complaint about your problems then your main infection was associated with Smitfraud. Please go to this site, locate your country and register your complaint.

Best wishes and safe surfing

GT ;)
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby 'KotaGuy » June 18th, 2006, 2:30 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada