Author Topic: Problem removing Spy Axe (Read 1116 times)

RobertN · « **on:** December 14, 2005, 07:42:48 AM »

Hi,

I seem to have spy axe and have tried removing it with Ad-Aware and Search & Destroy as well as trying several other suggestions on forums such as this.

Here's my HJT log, please help! Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 13:34:02, on 14-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Ewido\ewidoctrl.exe
C:\WINDOWS\system32\RemoteControlService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Wireless Console\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Mobile Theater\Monitor.exe
C:\Program Files\Mobile Theater\RMC.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\system32\st3.dll - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - C:\WINDOWS\system32\st3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Wireless Console] C:\Program Files\ASUS\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Matchlock Scheduling] C:\Program Files\Mobile Theater\Monitor.exe
O4 - HKLM\..\Run: [Ulead Remote Control Center] C:\Program Files\Mobile Theater\RMC.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8569771E-4AFA-4FA9-A90F-AB98FC6403D9} (Netcam_mfc_activeX Control) - http://192.168.1.1/netcam_mfc_activeX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E1E1B43-9D8F-4949-B46D-D5FC3469FBA3}: NameServer = 85.255.114.26,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{24A3CC14-CB0E-4B03-A4D7-92D2AD6F89F5}: NameServer = 85.255.114.26,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{69055B47-DB54-4114-8C32-DC12FE49E399}: NameServer = 85.255.114.26,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BEB0E06-4984-4CB1-9F47-662604C06787}: NameServer = 85.255.114.26,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{949D43AC-4B92-42A4-B1E4-F1E4E9FA19A6}: NameServer = 85.255.114.26,85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E1E1B43-9D8F-4949-B46D-D5FC3469FBA3}: NameServer = 85.255.114.26,85.255.112.142
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~2\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ITE Remote Control Service (ITECIRService) - ITE Tech. Inc. - C:\WINDOWS\system32\RemoteControlService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

guestolo · « **Reply #1 on:** December 14, 2005, 09:33:30 PM »

Hi Robert, we can get all of what is bad in your log if you follow along and do everything I ask below
I need you to do the following:

==Download CWShredder.exe and save to your desktop
Don't run it yet

==Download and Install
Windows Cleanup! 4.0
Don't run it yet

==Open Ewido
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link
http://www.ewido.net/en/download/updates/

==Download SmitRem.exe by Noahdfear and save the file to your desktop.
Don't run it yet

==Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe
Save it to your desktop, don't run it yet

==Download Win32delfkil.exe
Save it on your desktop.

Please print the next set of instructions or save them too a notepad file on your desktop for reference

Close all unnecessary programs running including this window
Double click on CWShredder.exe
Run the FIX part of it, let it fix what it finds
When it's done
Don't restart the computer yet

Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.

Follow the prompts and perform exactly as mentioned in the screen!
The computer should reboot afterwards

Back in Windows

Double click on Fixwareout.exe
Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O2 - BHO: C:\WINDOWS\system32\st3.dll - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - C:\WINDOWS\system32\st3.dll
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"

O17 - HKLM\System\CCS\Services\Tcpip\..\{0E1E1B43-9D8F-4949-B46D-D5FC3469FBA3}: NameServer = 85.255.114.26,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{24A3CC14-CB0E-4B03-A4D7-92D2AD6F89F5}: NameServer = 85.255.114.26,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{69055B47-DB54-4114-8C32-DC12FE49E399}: NameServer = 85.255.114.26,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BEB0E06-4984-4CB1-9F47-662604C06787}: NameServer = 85.255.114.26,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{949D43AC-4B92-42A4-B1E4-F1E4E9FA19A6}: NameServer = 85.255.114.26,85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E1E1B43-9D8F-4949-B46D-D5FC3469FBA3}: NameServer = 85.255.114.26,85.255.112.142

O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll

Click Fix Checked. Close HijackThis, and click OK to proceed.

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu

Once in safe mode

Access your add/remove programs and remove if found
UnSpyPC
Stay in safe mode
==Find and delete this file if found
C:\Program Files\UnSpyPC

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Double click on SmitRem.exe to extract it to it's own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: Well Ewido is running, don't open any other windows, let it do it's job

==Reboot back to Normal mode

==From my signature below, use Internet Explorer and run an Online Virus scan at Panda's
It's safe to supply them with an email address and additional info needed
When it's loaded
Choose to scan "Local Disks"
When the scan is done, if anything is found
Click the See Report
Save this report to your desktop

==Post the following back please, try and include everything, I know it's a few logs, but the info is important
1. A fresh hijackthis log
2. The full report from Ewido's
3. Post the Whole log made from SmitRem located here C:\Smitfiles.txt
4. Post the Report from win32delfkil>> c\windelf.txt
5. Post the Report from FixWareout>> C:\fixwareout\report.txt
6. Post the Report from Panda's

NOTE: If you have problems connecting to the Internet after running the fixes above
Please do the following
Go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

RobertN · « **Reply #2 on:** December 15, 2005, 05:49:22 PM »

Hi guestolo,

Whenever I try running CWShredder.exe and click on fix, it starts checking stuff but then after about 10 seconds the blue screen of death comes and it restarts the computer... i would continue with the rest and skip CWShredder but I'm checking with you first.

Any ideas?

Rob.

guestolo · « **Reply #3 on:** December 15, 2005, 07:25:17 PM »

Try this Robert

Hold onto CWShredder
After you have gone thru the list of other fixes
Right after you run Ewido in safe mode

Then run CWShredder before you boot back to Normal mode

RobertN · « **Reply #4 on:** December 16, 2005, 08:46:18 AM »

Wow! that worked! I don't get the annoying spyaxe icon in the system tray anymore

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />
In the end I had to do some thing slightly different. As I said cwshredder was giving me problems so I couldn't use that. win32delfkil.exe went according to plan as did Fixwareout.exe. The only difference was that when Fixwareout was finished and I had to run HJT, it didn't show up all the O#'s you told me to remove.
Then it got interesting as the computer wouldn't boot in safemode. I selected safemode but nothing happened after that, it just showed me a black screen.
In normal mode I found spyaxe in the add/remove programs, and removed it, but not UnSpyPC.
Cleanup! ran fine, SmitRem.exe ran fine and Ewido ran fine.

Here are all the reports/logs. Panda is running now, I'll post that log/report when it's done.

New Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:40:31, on 16-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ewido\ewidoctrl.exe
C:\WINDOWS\system32\RemoteControlService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Wireless Console\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Mobile Theater\Monitor.exe
C:\Program Files\Mobile Theater\RMC.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Wireless Console] C:\Program Files\ASUS\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Matchlock Scheduling] C:\Program Files\Mobile Theater\Monitor.exe
O4 - HKLM\..\Run: [Ulead Remote Control Center] C:\Program Files\Mobile Theater\RMC.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8569771E-4AFA-4FA9-A90F-AB98FC6403D9} (Netcam_mfc_activeX Control) - http://192.168.1.1/netcam_mfc_activeX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~2\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ITE Remote Control Service (ITECIRService) - ITE Tech. Inc. - C:\WINDOWS\system32\RemoteControlService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

Ewido report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         14:21:57, 16-12-2005
+ Report-Checksum:      B43C53FA

+ Scan result:

   C:\WINDOWS\system32\dmgdh.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\WINDOWS\system32\cswho.exe -> Downloader.Small : Cleaned with backup
   C:\Program Files\Kazaa Lite\supertrick.txt -> Trojan.Bambo.Hosts.A : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP5\A0001640.exe -> Not-A-Virus.NetTool.Win32.PsKill : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP63\A0010047.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP63\A0010054.exe -> Adware.Spyaxe : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP63\A0010063.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010065.dll -> Downloader.Delf.zu : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010072.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010083.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010090.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010096.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010109.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010114.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010159.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010168.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010186.EXE -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010196.EXE -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP64\A0010210.exe -> Adware.Spyaxe : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP65\A0010223.exe -> Adware.Spyaxe : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP65\A0010244.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP65\A0010254.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP65\A0010261.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP65\A0010272.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP65\A0010278.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP65\A0010289.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP65\A0011278.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP65\A0011285.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP66\A0011305.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP66\A0011317.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP66\A0012303.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP66\A0012311.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012402.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012415.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012425.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012430.DLL -> Downloader.Delf.h : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012431.dll -> Downloader.Delf.lh : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012438.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012456.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012478.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012493.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012501.exe -> Adware.Spyaxe : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012507.exe -> Trojan.Favadd.an : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012509.exe -> Trojan.Qhost.df : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012511.exe -> Spyware.Msnagent : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012512.exe -> Spyware.FindSpy : Cleaned with backup
   C:\System Volume Information\_restore{DAD3CB68-32D3-4EFC-A843-746CDFF2847D}\RP69\A0012527.DLL -> Adware.Spyaxe : Cleaned with backup

::Report End

Smitfile.txt:

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: 16-12-2005
The current time is: 14:05:44.65

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

ioctrl.dll
1024 dir
ncompat.tlb
mscornet.exe
logfiles

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 2660 'explorer.exe'
Killing PID 2660 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Windelf.txt:

************************
* WIN32DELFKIL LOGFILE *
************************

BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
adsldpbe.dll

File(s) found in system32 folder
--------------------------------
st3.dll

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} REG_SZ st3
{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F} REG_SZ Windows Update

Notify key
----------
subkey st3 is present!

AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F} REG_SZ Windows Update

Notify key
----------

Fixwareout:

Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ritmd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSWHO.EXE
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
C:\WINDOWS\SYSTEM32\DMTIR.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

RobertN · « **Reply #5 on:** December 16, 2005, 09:04:30 AM »

Panda came back clean!

No viruses or other malicious software have been found!

Detected Disinfected
Virus 0 0
Spyware 0 0
Hacking Tools 0 0
Dialers 0 0
Security Risks 0 0
Suspicious files 0 0

So unless you see more dodgy stuff left in any of these reports/logs, I think I'm done?

thanks a lot!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

cheers,

Rob.

guestolo · « **Reply #6 on:** December 17, 2005, 04:28:55 AM »

Before we do a final cleanup, can you do the following please

You have a couple files that are unidentifiable
Can you go to this site
Jotti's Online Malware scan
Give this site time to load if busy

Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\SYSTEM32\CSWHO.EXE <-this file
C:\WINDOWS\SYSTEM32\DMTIR.EXE
Right click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scans back here please

Additionally, if no info was found on either file, can you manually navigate to the file
and then right click on it and left click properties
If a version tab open it and let me know what the files are related too
What is the creation date of each file?

RobertN · « **Reply #7 on:** December 19, 2005, 06:22:57 AM »

It's strange, because I don't actually see the files on my HD. Maybe Ad-aware removed them since?

guestolo · « **Reply #8 on:** December 19, 2005, 05:39:38 PM »

Could you try to this one more time
Run Fixwareout.exe again, follow the prompts
After the reboot post the log it creates

If the same files are found, could you make sure windows is
Set To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

This file is legit
IPSEC6.EXE

Take another look please for this file
C:\WINDOWS\SYSTEM32\DMTIR.EXE

This one is gone as Ewido Killed it, I just noticed that
C:\WINDOWS\system32\cswho.exe

TheTechGuide Forum

News:

Author Topic: Problem removing Spy Axe (Read 1116 times)

RobertN

Problem removing Spy Axe

guestolo

Problem removing Spy Axe

RobertN

Problem removing Spy Axe

guestolo

Problem removing Spy Axe

RobertN

Problem removing Spy Axe

RobertN

Problem removing Spy Axe

guestolo

Problem removing Spy Axe

RobertN

Problem removing Spy Axe

guestolo

Problem removing Spy Axe