Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

SpywareStrike/smitfraud-C/Spyaxe problems

Started by markh26 , Jan 18 2006 05:47 PM

  • Please log in to reply

#1
markh26
Posted 18 January 2006 - 05:47 PM

markh26

    New Member

  • Member
  • Pip
  • 1 posts
Would really appreciate some help here, not very knowledgeable about this kind of thing.......
Initial problem was spystrike which kept popping up in a window, along with constant message in a yellow text box bottom right of the screen "you are infected blah blah....".
Also random shield icons with security related names appear on the desktop, along with suggestive womans face icon!
Have AVG and zonealarm running on my machine, Windows XP home, tried scanning/removing with AVG, Spybot and adaware but problem kept returning. Finally followed all your instructions on "how to remove Spyaxe etc.....", no visible problem as of now but Panda scan came up with items shown in the log below.....

Help me please IT saviours!

Cheers,
Mark.

Logfile of HijackThis v1.99.1
Scan saved at 23:27:19, on 18/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134830018328
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37470.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 22:39:34, 18/01/2006
+ Report-Checksum: 1C27477D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gba2330.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gba2330.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gba2330.exe -> Dialer.Generic : Cleaned with backup


::Report End



Panda ActiveScan report:

Incident Status Location

Potentially unwanted tool:application/winantivirus2006 Not disinfected C:\PROGRAM FILES\WinAntiVirus Pro 2006
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mark\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mark\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\Companion Wizard\compwiz.exe
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\WinAntiVirus Pro 2006\WapCHK.dll


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 18/01/2006
The current time is: 21:48:56.42

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

SpywareStrike


~~~ Shortcuts ~~~

SpywareStrike folder


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 668 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~

SpywareStrike


~~~ Shortcuts ~~~

SpywareStrike folder


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:
  • 0

Advertisements

#2
g2i2r4
Posted 22 January 2006 - 09:11 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Hi markh26, welcome to Geeks to Go!

Can you please upload the content of these folders, so our experts can have a look at them:
C:\PROGRAM FILES\WinAntiVirus Pro 2006\
C:\Program Files\Common Files\Companion Wizard\
C:\Program Files\Common Files\WinAntiVirus Pro 2006\

Please go here.
Start a new post and just give a link to this post here. Then press attach and upload the files.

Can you let me know when you uploaded the files?
We'll start cleaning up after that.
  • 0

#3
g2i2r4
Posted 02 February 2006 - 01:39 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Thanks for submitting the files and your PM :tazz:

Let's start cleaning.

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

***

You are running HijackThis from the Desktop.
Please create a new folder for it and move the program into the new folder.

***

Please download the latest version of noahdfear's smitRem.exe©. Save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop.

***

Launch ewido, there should be an icon on your desktop double-click it.

The program will now go to the main screen
You will need to update ewido to the latest definition files.On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:


O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Use Windows Explorer to remove these folders:
C:\PROGRAM FILES\WinAntiVirus Pro 2006\
C:\Program Files\Common Files\Companion Wizard\
C:\Program Files\Common Files\WinAntiVirus Pro 2006\

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your computer.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Note: XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the themes tab of desktop properties.

***

Reboot back into Windows

***

Please run an online scan at http://www.pandasoft.../activescan.htm *Requires Internet Explorer.
Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.
  • Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  • Click On 'Scan Now'
  • Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB (asinst.cab)
  • Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  • If it finds any malware, it will offer you a report. Click on see report
  • Then click Save report
  • Post the contents of the report in your next reply along with a new HijackThis log.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP