Virus Alert! - Toshiba laptop [CLOSED] - Geeks to Go Forums

Jump to content

Log in Register Register Malware removal guide How it works

Virus Alert! - Toshiba laptop [CLOSED] "Spyaxe" - "Spyfalcon"

#1 Kovia

  • Group: Member
  • Posts: 61
  • Joined: 20-October 05

Posted 28 May 2008 - 10:11 AM

I believe I have contracted the virus "spyaxe" or "spyfalcon", my desktop (Explorer.exe) keeps turning itself off and rebooting itself every 10 to 15 seconds. I have run several antivirus and antispyware programs to try to fix this and nothing has helped.

I have checked through various forums and several people mentioned using SuperAntiSpyware will remove this virus. However i cannot do anything about this because the virus has locked the ability for me to install programs so i'm stuck!

Here is a copy of my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:10:41, on 28/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O3 - Toolbar: Web Accessibility Toolbar - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\PROGRA~1\ACCESS~1\ACCESS~1.DLL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-1491950412-2009852829-4049741679-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1491950412-2009852829-4049741679-500\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\myapp\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\myapp\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\WEB2FE~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\myapp\Office12\GrooveSystemServices.dll

--
End of file - 3345 bytes

#2 koko_crunch

  • Group: Retired Staff
  • Posts: 1,751
  • Joined: 03-August 07

Posted 29 May 2008 - 11:09 AM

Hello Kovia and Welcome to Geeks to Go!

Sorry for the delay, busy week.

Looking at your log, I found signs of malware on your system.
Please stick with me until we get you cleaned up. :)

Please read this post completely before proceeding with the fix.
If you have questions, don't hesitate to ask.

Let's start.

First,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Then,
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Finally,

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Please post back with the following logs.

- MBAM log
- Vundofix log
- Smitfraudfix log
- New HijackThis log

#3 Kovia

  • Group: Member
  • Posts: 61
  • Joined: 20-October 05

Posted 30 May 2008 - 04:15 PM

Good evening!

Thanks for the help so far - that's got most of it patched up.

Unfortunately I'm responding from a different pc, so I don't have access to the resultant logs right now. However, there are still a few outstanding problems...

The 'All Programs' links has vanished from my start menu.

My Harddrive (C:) isn't showing up in My Computer. It's registering as normal everywhere else, works fine, is accessible from anywhere else, and is showing up as properly mapped through the 'Computer Management' menu.

Any thoughts?

Thanks!

#4 koko_crunch

  • Group: Retired Staff
  • Posts: 1,751
  • Joined: 03-August 07

Posted 31 May 2008 - 12:17 AM

Let's try these...

To Restore "All Programs", first, we need to backup your registry:
Please go to Start > Run
Paste in the following line:
    regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Registry Modifications

1. Copy and paste text in codebox below into notepad and save it to your desktop
2. Type filename as rstart.reg
3. Set Filetype to "all files"
4. After saving, Doubleclick on "rstart.reg" and confirm you want to merge it with the registry

REGEDIT4

[HKEY CURRENT USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Start Menu"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,53,74,61,72,74,20,4d,65,6e,75,00

[HKEY LOCAL MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Start Menu"=hex(2):25,41,4c,4c,55,53,45,52,53,50,52,4f,46,49,4c,45,25,5c,53,74,61,72,74,20,4d,6
5,6e,75,00


Next, to restore missing drive C.

Please download Tweak UI
  • Save it to your desktop
  • Double click on "TweakUiPowertoySetup.exe" to install.
  • After installation, click on Start >> (All) Programs >> Powertoys for Windows XP >> Tweak UI to run the program.
  • On the left side of "TweakUI" is a list, Click "[+]My Computer" then "Drives"
  • Place a check on the drive you wish to unhide.
  • Click Apply then Ok.
  • Close program.


Let me know how it turns out. :)

#5 koko_crunch

  • Group: Retired Staff
  • Posts: 1,751
  • Joined: 03-August 07

Posted 06 June 2008 - 08:50 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this topic:


Page 1 of 1