Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Spyaxe


  • Please log in to reply
14 replies to this topic

#1 want to learn

want to learn

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:central coast NSW, Australia
  • Local time:10:04 PM

Posted 02 February 2006 - 09:33 PM

As first mentioned theproblem is on my brother in laws computer, Spyaxe pops up to say Computer is infected was able to delete most of it but Windows update icon pops up in notification area saying computer is infected, can't get rid of this ( if you click in the balloon thinking 'its windows, it will help' it just starts SPyaxe up all over again. Please help!!

I have been out and done Hijack this saved it to a disk and am now sending it to you, Hope you can help

Logfile of HijackThis v1.99.1
Scan saved at 12:11:24 PM, on 3/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118973864828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0716E511-DB0C-4F7D-9561-3A80224597E6}: NameServer = 203.8.183.1 192.189.54.33
O17 - HKLM\System\CS1\Services\Tcpip\..\{0716E511-DB0C-4F7D-9561-3A80224597E6}: NameServer = 203.8.183.1 192.189.54.33
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for all your help, hope you can figure this one out for me, I would be most grateful

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,542 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:04 AM

Posted 02 February 2006 - 11:20 PM

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h

===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#3 want to learn

want to learn
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:central coast NSW, Australia
  • Local time:10:04 PM

Posted 03 February 2006 - 03:50 PM

Hi this is Want to learn,

Just like to thank you, grinler for your information to help me, because it is on my brotherin laws comp, I will not be able to get out there till Monday to do what you have told me to do, so I will let you know AS SOON as I have been out to do what I now need to do.

#4 want to learn

want to learn
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:central coast NSW, Australia
  • Local time:10:04 PM

Posted 03 February 2006 - 04:06 PM

Hi again,
A question for Grinler-could you please explain to me how I make the shortcut to Panda, have checked on the others you want me to download, and they all look easy to follow, Panda doesn't tell me much.

Thanks

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,542 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:04 AM

Posted 03 February 2006 - 04:32 PM

You can skip that...just go to http://www.pandasoftware.com/products/activescan.htm when you are the stage that you run it.

#6 want to learn

want to learn
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:central coast NSW, Australia
  • Local time:10:04 PM

Posted 05 February 2006 - 09:09 PM

Hi could not scan Panda, but here are logs for HJT, smitfiles.txt and Ewido hope these will be enough for you
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:33:09 AM, 6/02/2006
+ Report-Checksum: 2E45FEBB

+ Scan result:

C:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\spyaxe.exe -> Adware.SpyAxe : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\wininet.dll -> Trojan.Small : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll -> Trojan.Small : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe -> Adware.SpyAxe : Cleaned with backup
HKLM\SOFTWARE\SpyAxe -> Adware.SpyAxe : Cleaned with backup
HKU\S-1-5-21-602162358-1677128483-839522115-1007\Software\Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F} -> Downloader.SpyAxe : Cleaned with backup
HKU\S-1-5-21-602162358-1677128483-839522115-1007_Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F} -> Downloader.SpyAxe : Cleaned with backup
[404] C:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Cleaned with backup
C:\Documents and Settings\Katie Richter\Cookies\katie richter@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Michael Richter\Cookies\michael richter@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michael Richter\Cookies\michael richter@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michael Richter\Cookies\michael richter@bigpond.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michael Richter\Cookies\michael richter@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Michael Richter\Cookies\michael richter@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Michael Richter\Cookies\michael richter@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Michael Richter\Cookies\michael richter@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Michael Richter\Cookies\michael richter@sensis.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michael Richter\Cookies\michael richter@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@217.73.66[1].txt -> Spyware.Cookie.217.73.66.16 : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@ads1.revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@e-2dj6wfkikgdzghp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@e-2dj6wfliencpilp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@e-2dj6wfmikocpwho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@e-2dj6wgkoeodpacq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@e-2dj6wjkyakd5oeq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@e-2dj6wjkycncpmgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@e-2dj6wjkyshcpodo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@e-2dj6wjny-1pdjch.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Cookies\mitchell richter@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Mitchell Richter\Local Settings\Temporary Internet Files\Content.IE5\OLE7OD2Z\all_natural[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Nathan Richter\Cookies\nathan richter@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Nathan Richter\Cookies\nathan richter@ads1.revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Nathan Richter\Cookies\nathan richter@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Nathan Richter\Cookies\nathan richter@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Nathan Richter\Cookies\nathan richter@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Nathan Richter\Cookies\nathan richter@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Nathan Richter\Local Settings\Temporary Internet Files\Content.IE5\ZD5YTEPQ\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Program Files\SpyAxe -> Hijacker.SpyAxe : Cleaned with backup
C:\Program Files\SpyAxe\Lang -> Hijacker.SpyAxe : Cleaned with backup
C:\Program Files\SpyAxe\Lang\English.ini -> Hijacker.SpyAxe : Cleaned with backup
C:\Program Files\SpyAxe\msvcp71.dll -> Hijacker.SpyAxe : Cleaned with backup
C:\Program Files\SpyAxe\msvcr71.dll -> Hijacker.SpyAxe : Cleaned with backup
C:\Program Files\SpyAxe\Quarantine -> Hijacker.SpyAxe : Cleaned with backup
C:\Program Files\SpyAxe\signatures.ref -> Hijacker.SpyAxe : Cleaned with backup
C:\Program Files\SpyAxe\SpyAxe.exe -> Hijacker.SpyAxe : Cleaned with backup
C:\Program Files\SpyAxe\SpyAxe.url -> Hijacker.SpyAxe : Cleaned with backup
C:\Program Files\SpyAxe\uninst.exe -> Hijacker.SpyAxe : Cleaned with backup


::Report End


O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h

sorry but am having trouble sending smitrem !!just found it



~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :huh: ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :huh: ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :huh: ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :huh: ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :o ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :thumbsup: ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :flowers: ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :huh: ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~



Thanks

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,542 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:04 AM

Posted 05 February 2006 - 10:39 PM

Delete the smitrem folder and c:\smitfiles.txt. Redownload it, extract, and run it again. Then post the resulting c:\smitfiles.txt.

#8 want to learn

want to learn
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:central coast NSW, Australia
  • Local time:10:04 PM

Posted 09 February 2006 - 04:06 PM

Hi Grinler, Just a quick note to say I probaly won't get out to do the next step till Monday. Thanks for all your help so far, will send in log ASAP

Thank you
Carla

#9 want to learn

want to learn
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:central coast NSW, Australia
  • Local time:10:04 PM

Posted 14 February 2006 - 05:33 PM

Hi grinler
Here is new smitrem file for you to look at


smitRem log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 15/02/2006
The current time is: 9:15:40.54

Running from
C:\Documents and Settings\Michael Richter\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}"="Security Update"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~



~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 356 'explorer.exe'
Killing PID 356 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,542 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:04 AM

Posted 15 February 2006 - 09:51 AM

Lets see a new log and are you better?

#11 want to learn

want to learn
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:central coast NSW, Australia
  • Local time:10:04 PM

Posted 15 February 2006 - 08:59 PM

Hi grinler,
You have asked to see a new log. Which log do you need to see? A new hijack this log? I noticed when doing the last smitrem log it seemed to do things that the last one did not, maybe I didn't do the first one correctly.
You have been so great.
Thanks so much
Carla

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,542 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:04 AM

Posted 16 February 2006 - 02:15 PM

I need to see a new hijackthis log. Also does the computer seem to be cured?

#13 want to learn

want to learn
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:central coast NSW, Australia
  • Local time:10:04 PM

Posted 18 February 2006 - 02:21 PM

Hi
Have gone away for weekend won't be back till Wednesday let you know

#14 want to learn

want to learn
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:central coast NSW, Australia
  • Local time:10:04 PM

Posted 23 February 2006 - 05:22 PM

Hi Grinler,
Here is the new hijack this log, and it does seem to be better no more popups
Thank you so much!!

Logfile of HijackThis v1.99.1
Scan saved at 9:13:31 AM, on 24/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118973864828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0716E511-DB0C-4F7D-9561-3A80224597E6}: NameServer = 203.8.183.1 192.189.54.33
O17 - HKLM\System\CS1\Services\Tcpip\..\{0716E511-DB0C-4F7D-9561-3A80224597E6}: NameServer = 203.8.183.1 192.189.54.33
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again- let me know if you find anything in the log

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,542 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:04 AM

Posted 24 February 2006 - 07:55 AM

You can fix this :

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Otherwise your all clean.

Now that your clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users