TheTechGuide Forum
General Category => Tech Clinic => Topic started by: samui on December 15, 2005, 04:46:29 AM
-
Hi,
I've tried the methods posted so far but still can't get spyaxe off my machine.
Anyone fancy a crack at this?
Many thanks
-
I'll have to see a Hijackthis log
From my signature below, download and save to a permanent folder on your hard drive
Hijackthis 1.99.1
Open Hijackthis.exe
Do a SCAN and Save a Log file. Save the log, then copy and paste the WHOLE contents of the log here. Don't try and fix anything yet; it is all important.
-
Hi
In between power outs I'm following the instructions posted for RobertN.
Will post all the logs when finished.
Thanks for your time on this, it's much appreciated
-
Why would you follow the instructions I posted to RobertN????
Some may help, but others may be unneeded, that's just ridiculous
Do what I posted to him if you want, but all instructions are possibly not needed
Also, without a log, how do you know you are not infected with something else also?
-
Excuse my ridiculousness, kinda new to this stuff.
Logfile of HijackThis v1.99.1
Scan saved at 5:19:30 PM, on 17-12-05
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\hijackthis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F086432-5E3A-4E72-A741-D190D1232185}: NameServer = 203.147.0.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{E066AF0F-B647-46CA-BCBB-1B6BE9183DBC}: NameServer = 203.146.237.237 203.146.237.222
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Regards
-
Excuse my ridiculousness, kinda new to this stuff.
That's ok, I just like to see a log to know what I'm up against
Did you happen to do any instructions I posted to RobertN yet?
Are you still having problems with SpyAxe?
-
Sorry about the delay in replies but I'm having power outs 3/4 times a day.
So far I've tried, in various combinations:
Smitrem
fixwareout
win32delfkil
cwsshredder
ad aware
norton
ewido
spysweeper
Ad-Aware and Spy Sweeper find SpyAxe and delete it but it just pops up again after a reboot.
Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, December 17, 2005 12:08:44 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R79 09.12.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
17-12-05 12:08:44 PM - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : C:\Documents and Settings\Administrator\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office
MRU List Object Recognized!
Location: : C:\Documents and Settings\Administrator\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-448539723-789336058-854245398-500\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened
MRU List Object Recognized!
Location: : S-1-5-21-448539723-789336058-854245398-500\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension
MRU List Object Recognized!
Location: : S-1-5-21-448539723-789336058-854245398-500\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 144
ThreadCreationTime : 17-12-05 4:02:37 AM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 192
ThreadCreationTime : 17-12-05 4:02:45 AM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 216
ThreadCreationTime : 17-12-05 4:02:47 AM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 260
ThreadCreationTime : 17-12-05 4:02:51 AM
BasePriority : Normal
FileVersion : 5.1.2600.2082 (xpsp.040216-1810)
ProductVersion : 5.1.2600.2082
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 272
ThreadCreationTime : 17-12-05 4:02:52 AM
BasePriority : Normal
FileVersion : 5.1.2600.2082 (xpsp.040216-1810)
ProductVersion : 5.1.2600.2082
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 444
ThreadCreationTime : 17-12-05 4:02:56 AM
BasePriority : Normal
FileVersion : 5.1.2600.2082 (xpsp.040216-1810)
ProductVersion : 5.1.2600.2082
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 496
ThreadCreationTime : 17-12-05 4:02:58 AM
BasePriority : Normal
FileVersion : 5.1.2600.2082 (xpsp.040216-1810)
ProductVersion : 5.1.2600.2082
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 548
ThreadCreationTime : 17-12-05 4:02:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.2082 (xpsp.040216-1810)
ProductVersion : 5.1.2600.2082
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [wrsssdk.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ProcessID : 632
ThreadCreationTime : 17-12-05 4:03:01 AM
BasePriority : Normal
FileVersion : 2,0,7,456
ProductVersion : 2, 0
ProductName : Spy Sweeper SDK
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper SDK
LegalCopyright : Copyright © 2002 - 2005, All Rights Reserved.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.
OriginalFilename : SpySweeper.exe
#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 736
ThreadCreationTime : 17-12-05 4:03:05 AM
BasePriority : Normal
FileVersion : 6.00.2900.2082 (xpsp.040216-1810)
ProductVersion : 6.00.2900.2082
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:11 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1476
ThreadCreationTime : 17-12-05 5:07:14 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
3 entries scanned.
New critical objects:0
Objects found so far: 6
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
12:14:41 PM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:56.672
Objects scanned:74000
Objects identified:0
Objects ignored:0
New critical objects:0
SPY SWEEPER LOG
********
11:45 AM: | Start of Session, Saturday, December 17, 2005 |
11:45 AM: Spy Sweeper started
11:45 AM: Sweep initiated using definitions version 584
11:46 AM: Starting Memory Sweep
11:49 AM: Memory Sweep Complete, Elapsed Time: 00:03:25
11:49 AM: Starting Registry Sweep
11:50 AM: Found Adware: spyaxe
11:50 AM: HKCR\clsid\{957bab51-81ff-8195-f273-d7e286ea702f}\ (43 subtraces) (ID = 1005712)
11:50 AM: HKLM\software\classes\clsid\{957bab51-81ff-8195-f273-d7e286ea702f}\ (43 subtraces) (ID = 1006006)
11:50 AM: Registry Sweep Complete, Elapsed Time:00:00:56
11:50 AM: Starting Cookie Sweep
11:50 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:50 AM: Starting File Sweep
12:00 PM: File Sweep Complete, Elapsed Time: 00:10:22
12:00 PM: Full Sweep has completed. Elapsed time 00:14:58
12:00 PM: Traces Found: 88
12:03 PM: Removal process initiated
12:03 PM: Quarantining All Traces: spyaxe
12:03 PM: Removal process completed. Elapsed time 00:00:03
12:04 PM: Deletion from quarantine initiated
12:04 PM: Processing: spyaxe
12:04 PM: Deletion from quarantine completed. Elapsed time 00:00:00
********
8:39 PM: | Start of Session, Wednesday, December 14, 2005 |
8:39 PM: Spy Sweeper started
8:39 PM: Sweep initiated using definitions version 584
8:39 PM: Starting Memory Sweep
8:46 PM: Memory Sweep Complete, Elapsed Time: 00:06:42
8:46 PM: Starting Registry Sweep
8:47 PM: Registry Sweep Complete, Elapsed Time:00:00:56
8:47 PM: Starting Cookie Sweep
8:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:47 PM: Starting File Sweep
8:57 PM: File Sweep Complete, Elapsed Time: 00:10:07
8:57 PM: Full Sweep has completed. Elapsed time 00:15:02
8:57 PM: Traces Found: 0
5:19 PM: Processing Startup Alerts
5:19 PM: Removed Startup entry: SpyAxe
11:45 AM: Program Version 4.5.7 (Build 656) Using Spyware Definitions 584
11:45 AM: | End of Session, Saturday, December 17, 2005 |
********
5:55 PM: | Start of Session, Wednesday, December 14, 2005 |
5:55 PM: Spy Sweeper started
5:55 PM: Sweep initiated using definitions version 584
5:56 PM: Starting Memory Sweep
6:27 PM: Memory Sweep Complete, Elapsed Time: 00:30:51
6:27 PM: Starting Registry Sweep
6:27 PM: Found Trojan Horse: antivirus gold
6:27 PM: HKCR\appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}\ (1 subtraces) (ID = 103594)
6:27 PM: HKLM\software\classes\appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}\ (1 subtraces) (ID = 103633)
6:30 PM: Found Adware: spyaxe
6:30 PM: HKCR\appid\spyaxe.exe\ (1 subtraces) (ID = 1005587)
6:30 PM: HKCR\clsid\{957bab51-81ff-8195-f273-d7e286ea702f}\ (18 subtraces) (ID = 1005712)
6:30 PM: HKCR\typelib\{2bb3bcbf-411a-4c67-8e69-f4bb301dc333}\ (9 subtraces) (ID = 1005758)
6:30 PM: HKLM\software\classes\appid\spyaxe.exe\ (1 subtraces) (ID = 1005850)
6:30 PM: HKLM\software\spyaxe\ (1 subtraces) (ID = 1005861)
6:30 PM: HKLM\software\microsoft\windows\currentversion\run\ || spyaxe (ID = 1005881)
6:30 PM: HKLM\software\microsoft\windows\currentversion\uninstall\spyaxe\ (7 subtraces) (ID = 1005882)
6:30 PM: HKLM\software\microsoft\windows\currentversion\app paths\spyaxe.exe\ (1 subtraces) (ID = 1005890)
6:30 PM: HKLM\software\classes\clsid\{957bab51-81ff-8195-f273-d7e286ea702f}\ (18 subtraces) (ID = 1006006)
6:30 PM: HKLM\software\classes\typelib\{2bb3bcbf-411a-4c67-8e69-f4bb301dc333}\ (9 subtraces) (ID = 1006052)
6:33 PM: Registry Sweep Complete, Elapsed Time:00:06:00
6:33 PM: Starting Cookie Sweep
6:33 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:33 PM: Starting File Sweep
7:03 PM: File Sweep Complete, Elapsed Time: 00:29:59
7:03 PM: Full Sweep has completed. Elapsed time 01:07:28
7:03 PM: Traces Found: 79
7:05 PM: Removal process initiated
7:06 PM: Quarantining All Traces: antivirus gold
7:06 PM: Quarantining All Traces: spyaxe
7:06 PM: Removal process completed. Elapsed time 00:00:18
7:07 PM: Deletion from quarantine initiated
7:07 PM: Processing: antivirus gold
7:07 PM: Processing: spyaxe
7:07 PM: Deletion from quarantine completed. Elapsed time 00:00:00
8:38 PM: Program Version 4.5.7 (Build 656) Using Spyware Definitions 584
8:39 PM: | End of Session, Wednesday, December 14, 2005 |
********
5:24 PM: | Start of Session, Wednesday, December 14, 2005 |
5:24 PM: Spy Sweeper started
5:35 PM: Your spyware definitions have been updated.
5:45 PM: Your spyware definitions have been updated.
5:55 PM: | End of Session, Wednesday, December 14, 2005 |
-
Well, can we try the following
That's not the logs I wanted to see
Can you do the following, I suspect another file causing problems
Then we'll try some removal steps
From my signature below
I need you to use Internet Explorer and run an Online Virus scan at Panda's
It's safe to supply them with an email address and additional info needed
When it's loaded
Choose to scan "Local Disks"
When the scan is done, if anything is found
Click the See Report
Save this report to your desktop
Post back here the report from Panda's
Also include a fresh HijackThis log, then we'll try and get rid of this for you
-
Thanks for your patience, finally got power back on long enough to run Panda.
Incident Status Location
Spyware:application/bestoffer Not desinfected C:\WINDOWS\smdat32a.sys
Adware:Adware/SpyAxe Not desinfected C:\WINDOWS\system32\ioctrl.dll
Adware:Adware/P2PNetworking Not desinfected C:\WINDOWS\system32\P2P Networking v1262.cpl
Logfile of HijackThis v1.99.1
Scan saved at 11:19:35 AM, on 19-12-05
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\idwlog.exe
C:\Program Files\hijackthis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F086432-5E3A-4E72-A741-D190D1232185}: NameServer = 203.147.0.3
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
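An added example, not code from the thread or from HijackThis itself: a small Python parser that splits a HijackThis log into its running-process list and its numbered O-entries, then diffs two logs the way the helper above does by eye each time a fresh log is requested. The two sample logs are constructed excerpts of the 17-12-05 and 19-12-05 logs posted above; the only assumption is the "O<n> - details" line shape those logs show.

```python
"""Parse HijackThis v1.99.1 logs and diff two of them.

Added example, not part of the forum thread or of HijackThis itself.
The two sample logs are short excerpts constructed from the logs posted
in the thread (17-12-05 and 19-12-05); nothing here changes a machine.
"""
import re
from dataclasses import dataclass

# Every HijackThis finding is one line of the form "O<n> - <details>",
# e.g. "O4 - HKLM\..\Run: [SpySweeper] ... /startintray".
_O_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


@dataclass(frozen=True)
class HjtEntry:
    section: str  # HijackThis section code such as "O4", "O17", "O23"
    text: str     # remainder of the line, exactly as HijackThis printed it


def parse_hjt(log: str) -> tuple[list[str], set[HjtEntry]]:
    """Return (running-process paths, set of O-entries) from one log."""
    processes: list[str] = []
    entries: set[HjtEntry] = set()
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = _O_LINE.match(line)
        if m:
            in_processes = False  # the first O-line ends the process list
            entries.add(HjtEntry(m.group(1), m.group(2).strip()))
        elif in_processes:
            processes.append(line)
    return processes, entries


def diff_hjt(old: str, new: str) -> dict[str, set[HjtEntry]]:
    """O-entries that only appear in the new log, and those that vanished."""
    _, old_entries = parse_hjt(old)
    _, new_entries = parse_hjt(new)
    return {"added": new_entries - old_entries,
            "removed": old_entries - new_entries}


def new_processes(old: str, new: str) -> list[str]:
    """Process image paths in the new log that the old log did not list."""
    seen = {p.lower() for p in parse_hjt(old)[0]}
    return [p for p in parse_hjt(new)[0] if p.lower() not in seen]


# Constructed excerpts of the two logs in the thread (raw strings keep the
# Windows backslashes intact).
LOG_DEC17 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:19:30 PM, on 17-12-05
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\hijackthis.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F086432-5E3A-4E72-A741-D190D1232185}: NameServer = 203.147.0.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{E066AF0F-B647-46CA-BCBB-1B6BE9183DBC}: NameServer = 203.146.237.237 203.146.237.222
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

LOG_DEC19 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:19:35 AM, on 19-12-05
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\idwlog.exe
C:\Program Files\hijackthis.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F086432-5E3A-4E72-A741-D190D1232185}: NameServer = 203.147.0.3
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

if __name__ == "__main__":
    changes = diff_hjt(LOG_DEC17, LOG_DEC19)
    for label in ("added", "removed"):
        for e in sorted(changes[label], key=lambda x: (x.section, x.text)):
            print(f"{label:>7}: {e.section} - {e.text}")
    for p in new_processes(LOG_DEC17, LOG_DEC19):
        print(f"new process: {p}")
```

Run on the two excerpts it reports the Panda ActiveScan O16 entry as added, the second O17 NameServer entry as removed, and rundll32.exe and idwlog.exe as newly running processes, which is exactly what a reader comparing the two posted logs would want to notice.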
-
Can you do the following please
If you have SmitRem downloaded
I need you to delete SmitRem.exe and the whole SmitRem folder
It's been updated, so I want you to use the new version
Can you check for updates with Ewido please
Afterwards close it out, we'll need it later
==Download the updated SmitRem.exe by Noahdfear (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1) and save the file to your desktop.
Don't run it yet
In case you don't have this tool
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Don't run it yet
Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!
I need you to disable SpySweeper's realtime protections if they are enabled so it won't interfere with any fixes we try
Disable any of the following if applicable
Open it click >Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification". <-if you can find this one, may not be found
Afterwards
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu
Find and delete the files found bad by Panda's
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\system32\ioctrl.dll <-don't worry if you can't delete "ioctrl.dll", the updated Smitrem will take care of it
C:\WINDOWS\system32\P2P Networking v1262.cpl
Afterwards, ==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
==Double click on SmitRem.exe to extract it to its own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows
Reboot back to Normal mode
Back in Windows please post the following
1. Post a fresh Hijackthis log
2. The full report from Ewido's
3. Post the Whole log made from SmitRem located here C:\Smitfiles.txt
-
Hi
My power situation is getting worse and the power company said it won't be resolved until the 23rd Dec.
Will follow your instructions as soon as possible, thanks for bearing with me.
-
Understandable, I take it you're in Thailand
Power conditions can't be from the weather
Appears beautiful there right now
I'll leave this topic open
Try what I posted as soon as you can
-
It's gone !!!!
Thanks for hanging in there and bearing with me.
A thousand thanks and a merry Christmas to you and yours.
PS
I live on Koh Samui Island in the Gulf of Thailand, the power company was repairing one of the submarine cables from the mainland, hence all the power outs.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 5:53:19 PM, 24-12-05
+ Report-Checksum: 38A48AD7
+ Scan result:
No infected objects found.
::Report End
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: 24-12-05
The current time is: 12:19:33.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SpyAxeFix © by noahdfear
spyaxe directory present
spyaxe uninstaller present
Starting spyaxe uninstaller
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Online Security Guide.url
~~~ Favorites ~~~
~~~ system32 folder ~~~
ioctrl.dll
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 744 'explorer.exe'
Killing PID 744 'explorer.exe'
Starting registry repairs
Deleting files
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Online Security Guide.url
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
-------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:10:26 PM, on 24-12-05
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\hijackthis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F086432-5E3A-4E72-A741-D190D1232185}: NameServer = 203.147.0.3
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Looks good
If everything is running better, please do the following
You should disable System Restore >> reboot your computer >> and then re-enable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Make sure you re-enable the System Restore feature
Afterwards, for added protection
You should install this free tool
SpywareBlaster 3.4 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, check for updates and then click "Enable all protection"
Check for updates every couple of weeks
After every update just simply click "enable protection on all unprotected items"
Happy holidays
-
Forgot about one file
If you're still around
Can you take a look and remove the following file if found
Do a search for it
Online Security Guide.url
-
Hi there, I am having the same problem, I've tried everything to get rid of this bastarding thing! Everything I was told on other sites never worked. This is basically my last hope or I am gonna have to reformat my HD.
guestolo, if you can help me out, I'd be very thankful. Here's the hijackthis log, I didn't try fixing anything after I ran it.
Logfile of HijackThis v1.99.1
Scan saved at 01:02:44, on 04/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Common Files\AOL\1134775075\ee\AOLHostManager.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\AOL\1134775075\ee\AOLServiceHost.exe
c:\program files\common files\aol\1134775075\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1134775075\ee\AOLServiceHost.exe
C:\Program Files\AOL 9.0\wEmail Removedexe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sloan\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.loddmlimymqj.com/P0X7QCer/NVkpIAhQQIHh5tJdEeBTBohXefy6YjMDbIgoK9R2yDLSjoXUKDqVJcA.cgi
O2 - BHO: (no name) - {A102D4FE-0186-4B34-5018-64356CDE7FF3} - C:\DOCUME~1\Sloan\APPLIC~1\LOGO32\Dog Proc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O5 "LPT1:" /M "Stylus C66"
O4 - HKLM\..\Run: [EPSON Stylus C66 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P32 "EPSON Stylus C66 Series (Copy 1)" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134775075\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Proconethunknoun] C:\Documents and Settings\All Users\Application Data\Warn part proc one\Ref Trust.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [metalove] C:\DOCUME~1\Sloan\APPLIC~1\KNOBST~1\Bird 16 Cdrom.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.Email Removed.uk/computercheckup/qdiagcc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C567934-E724-4573-85B9-09C75155BC87}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
-
Hi,
Searched for the file and can't see it anywhere. All is running fine except I no longer have the option to select
XP appearance for windows and buttons, only the classic style. No worries, just glad to be rid of that SpyAxe thing.
Thanks again and all the best for the new year
-
From below download and save Lunalook.zip
UNZIP the contents to your desktop so you now have the lunalook folder on your desktop
Open the folder
Double click on Find1.bat>>A text file will open, copy and paste back here the WHOLE contents please
Afterwards, double click on lunafind.bat
It may appear as nothing is happening, give this a minute or so
Eventually, a text file should open, copy and paste the whole contents also
-
Volume in drive C has no label.
Volume Serial Number is 44C8-CEC2
Directory of C:\WINDOWS\Resources\Themes
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
12/08/2005 23:38 <DIR> Community
08/12/2001 01:38 1,089 Community.Theme
12/08/2005 23:38 <DIR> Coughdrop
12/02/2002 20:43 1,086 CoughDrop.Theme
12/08/2005 19:48 <DIR> Luna
31/03/2003 12:00 1,222 Luna.theme
12/08/2005 23:38 <DIR> StyleXP
06/11/2001 19:00 1,085 StyleXP.Theme
31/03/2003 12:00 3,025 Windows Classic.theme
5 File(s) 7,507 bytes
Directory of C:\WINDOWS\Resources\Themes\Community
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
24/01/2002 00:20 8,216,720 Community.msstyles
12/08/2005 23:38 <DIR> shell
1 File(s) 8,216,720 bytes
Directory of C:\WINDOWS\Resources\Themes\Community\shell
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
12/08/2005 23:38 <DIR> AikonXP
12/08/2005 23:38 <DIR> Cupric
12/08/2005 23:38 <DIR> Eclipse
12/08/2005 23:38 <DIR> normalcolor
12/08/2005 23:38 <DIR> ThemeXP
12/08/2005 23:38 <DIR> WindowNET
0 File(s) 0 bytes
Directory of C:\WINDOWS\Resources\Themes\Community\shell\AikonXP
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\Community\shell\Cupric
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
20/12/2003 23:18 356,407 shellstyle.dll
1 File(s) 356,407 bytes
Directory of C:\WINDOWS\Resources\Themes\Community\shell\Eclipse
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
22/01/2002 19:38 920,064 shellstyle.dll
1 File(s) 920,064 bytes
Directory of C:\WINDOWS\Resources\Themes\Community\shell\normalcolor
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
20/12/2003 23:18 362,496 shellstyle.dll
1 File(s) 362,496 bytes
Directory of C:\WINDOWS\Resources\Themes\Community\shell\ThemeXP
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\Community\shell\WindowNET
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\Coughdrop
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
07/01/2002 22:13 10,166,416 CoughDrop.msstyles
12/08/2005 23:38 <DIR> shell
1 File(s) 10,166,416 bytes
Directory of C:\WINDOWS\Resources\Themes\Coughdrop\shell
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
12/08/2005 23:38 <DIR> Berry
12/08/2005 23:38 <DIR> Cherry
12/08/2005 23:38 <DIR> Cinnamon
12/08/2005 23:38 <DIR> Grape
12/08/2005 23:38 <DIR> Licorice
12/08/2005 23:38 <DIR> Lime
12/08/2005 23:38 <DIR> normalcolor
0 File(s) 0 bytes
Directory of C:\WINDOWS\Resources\Themes\Coughdrop\shell\Berry
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\Coughdrop\shell\Cherry
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\Coughdrop\shell\Cinnamon
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\Coughdrop\shell\Grape
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\Coughdrop\shell\Licorice
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\Coughdrop\shell\Lime
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\Coughdrop\shell\normalcolor
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\Luna
12/08/2005 19:48 <DIR> .
12/08/2005 19:48 <DIR> ..
31/03/2003 12:00 4,186,256 luna.msstyles
12/08/2005 19:41 <DIR> Shell
1 File(s) 4,186,256 bytes
Directory of C:\WINDOWS\Resources\Themes\Luna\Shell
12/08/2005 19:41 <DIR> .
12/08/2005 19:41 <DIR> ..
12/08/2005 19:48 <DIR> Homestead
12/08/2005 19:48 <DIR> Metallic
12/08/2005 19:47 <DIR> NormalColor
0 File(s) 0 bytes
Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead
12/08/2005 19:48 <DIR> .
12/08/2005 19:48 <DIR> ..
31/03/2003 12:00 362,496 shellstyle.dll
1 File(s) 362,496 bytes
Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic
12/08/2005 19:48 <DIR> .
12/08/2005 19:48 <DIR> ..
31/03/2003 12:00 362,496 shellstyle.dll
1 File(s) 362,496 bytes
Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor
12/08/2005 19:47 <DIR> .
12/08/2005 19:47 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\StyleXP
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
12/08/2005 23:38 <DIR> shell
20/12/2003 23:18 6,062,224 StyleXP.msstyles
1 File(s) 6,062,224 bytes
Directory of C:\WINDOWS\Resources\Themes\StyleXP\shell
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
12/08/2005 23:38 <DIR> Kiwi
12/08/2005 23:38 <DIR> Mulberry
12/08/2005 23:38 <DIR> normalcolor
12/08/2005 23:38 <DIR> Raspberry
12/08/2005 23:38 <DIR> Spearmint
12/08/2005 23:38 <DIR> Watermelon
0 File(s) 0 bytes
Directory of C:\WINDOWS\Resources\Themes\StyleXP\shell\Kiwi
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\StyleXP\shell\Mulberry
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\StyleXP\shell\normalcolor
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\StyleXP\shell\Raspberry
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\StyleXP\shell\Spearmint
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\StyleXP\shell\Watermelon
12/08/2005 23:38 <DIR> .
12/08/2005 23:38 <DIR> ..
31/03/2003 12:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Total Files Listed:
31 File(s) 37,148,106 bytes
92 Dir(s) 9,850,511,360 bytes free
Volume in drive C has no label.
Volume Serial Number is 44C8-CEC2
Directory of C:\WINDOWS\Resources\Themes\Luna
31/03/2003 12:00 4,186,256 luna.msstyles
1 File(s) 4,186,256 bytes
Here's the 2 documents you wanted, thanks for helping, this thing's been driving me crazy!!
lol I am thinking you were wanting samui to download that Luna thing, since it's all about themes. Ah well
-
Hi Sloan, you confused me, I almost thought it was Samui posting the findings
You still have problems in your log, can you please start your own post please and supply a new hijackthis log
Don't post in this users thread please
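When a helper says a log like Sloan's "still has problems", the first things they look for are executables launched from user-writable folders, BHOs registered with no name, and IE search settings pointing at an unfamiliar host. The script below is an added example (not from this thread, and not part of HijackThis) that encodes those three checks and runs them over a few sample lines constructed from Sloan's log; the list of known search hosts is an assumption for the example.

```python
"""Triage heuristics for HijackThis 1.99.1 log lines (added example)."""
import re

# Constructed sample: lines taken from Sloan's log above, plus two clean
# AVG entries for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.loddmlimymqj.com/P0X7QCer/NVkpIAhQQIHh5tJdEeBTBohXefy6YjMDbIgoK9R2yDLSjoXUKDqVJcA.cgi
O2 - BHO: (no name) - {A102D4FE-0186-4B34-5018-64356CDE7FF3} - C:\DOCUME~1\Sloan\APPLIC~1\LOGO32\Dog Proc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Proconethunknoun] C:\Documents and Settings\All Users\Application Data\Warn part proc one\Ref Trust.exe
O4 - HKCU\..\Run: [metalove] C:\DOCUME~1\Sloan\APPLIC~1\KNOBST~1\Bird 16 Cdrom.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# Folders an ordinary XP user can write to; legitimate startup entries,
# BHOs and services are rarely installed there (markers compared lowercase).
USER_WRITABLE = ("\\applic~1\\", "\\application data\\",
                 "\\docume~1\\", "\\documents and settings\\")

# Assumed allow-list of search-provider hosts for the example; extend it
# for your own logs.
KNOWN_SEARCH_HOSTS = ("www.microsoft.com", "search.msn.com", "www.google.com")

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|ocx)', re.IGNORECASE)
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)", re.IGNORECASE)


def triage_line(line):
    """Return the reasons this line deserves a closer look (empty list if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    # Any section carrying an executable path: check where that file lives.
    for path in PATH_RE.findall(body):
        if any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append(f"{sec}: executable in user-writable location: {path}")
    # O2 entries: a BHO with no name is unusual for a legitimate product.
    if sec == "O2" and "(no name)" in body:
        reasons.append("O2: BHO registered with no name")
    # R0/R1 entries: IE home page or search settings pointing at an unfamiliar host.
    if sec.startswith("R"):
        u = URL_RE.search(body)
        if u and u.group("host").lower() not in KNOWN_SEARCH_HOSTS:
            reasons.append(f"{sec}: IE setting points at unfamiliar host {u.group('host')}")
    return reasons


def triage_log(text):
    """Map each flagged log line to its reasons; clean lines are left out."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG).items():
        print(flagged)
        for r in why:
            print("   ->", r)
```

On the sample above the two AVG lines pass and the other four are flagged, which matches what the helper saw in the full log.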
-
Hi,
here are the 2 docs.
Is it just a matter of downloading the missing theme ?
Volume in drive C is DISK1_VOL1
Volume Serial Number is 8E88-AE82
Directory of C:\WINDOWS\Resources\Themes
15/12/2004 13:19 <DIR> .
15/12/2004 13:19 <DIR> ..
15/12/2004 13:19 <DIR> Luna
29/08/2002 16:00 3,025 Windows Classic.theme
29/08/2002 16:00 1,222 Luna.theme
2 File(s) 4,247 bytes
Directory of C:\WINDOWS\Resources\Themes\Luna
15/12/2004 13:19 <DIR> .
15/12/2004 13:19 <DIR> ..
15/12/2004 13:19 <DIR> Shell
0 File(s) 0 bytes
Directory of C:\WINDOWS\Resources\Themes\Luna\Shell
15/12/2004 13:19 <DIR> .
15/12/2004 13:19 <DIR> ..
15/12/2004 13:19 <DIR> NormalColor
15/12/2004 13:19 <DIR> Metallic
15/12/2004 13:19 <DIR> Homestead
0 File(s) 0 bytes
Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor
15/12/2004 13:19 <DIR> .
15/12/2004 13:19 <DIR> ..
29/08/2002 16:00 361,472 shellstyle.dll
1 File(s) 361,472 bytes
Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic
15/12/2004 13:19 <DIR> .
15/12/2004 13:19 <DIR> ..
29/08/2002 16:00 362,496 shellstyle.dll
1 File(s) 362,496 bytes
Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead
15/12/2004 13:19 <DIR> .
15/12/2004 13:19 <DIR> ..
29/08/2002 16:00 362,496 shellstyle.dll
1 File(s) 362,496 bytes
Total Files Listed:
5 File(s) 1,090,711 bytes
17 Dir(s) 73,124,970,496 bytes free
---------------------------------------------------------------------------------------------------------------
Volume in drive C is DISK1_VOL1
Volume Serial Number is 8E88-AE82
-
Sorry for the delay
Doesn't look like a missing file is anywhere on your computer
Are you running the English version of Windows XP? It appears you are.
If you confirm this I will upload a file for you that should help you out
-
Got the computer from Bangkok loaded with XP Pro 2002 Service Pack 2.
How can I tell if it's the UK or US version?
-
Sorry for the delay
Can you try the following please
From Below, download and Save to your desktop Luna.zip
Once you have saved this
UNZIP it ONLY to
C:\WINDOWS\Resources\Themes\Luna <- this folder and nowhere else
So you now have luna.msstyles extracted to the Luna folder
Once that is done
Access your display properties and try changing to Windows XP under Themes and Appearance
-
It's all good, all back to normal and running fine
Thanks, all your help is much appreciated
-
You're welcome, I'll lock this topic as your problems are resolved
Take care