Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Yet Another Spyaxe victim


  • This topic is locked This topic is locked

#1
sirhobbes

sirhobbes

    New Member

  • Member
  • Pip
  • 5 posts
Hey GTG gurus,

I am another victim of this annoying Spyaxe junk. I am getting the annoying popup from my taskbar which redirects me to the Spyaxe website along with a desktop icon that keeps reappearing no matter how many times you uninstall the exe file. The homepage has been hijacked as well.

I have done all the steps mentioned before posting the HJT log except Windows update. I am not original owner of machine and it already had SP2 on it.

Here are my HJT log, ewido scan log, and Panda Activescan log.

Logfile of HijackThis v1.99.1
Scan saved at 3:24:06 PM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\Joel Gaidosh\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hpEC25.tmp (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122330975924
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122330967592
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:22:36 PM, 11/23/2005
+ Report-Checksum: 2BCFB4D6

+ Scan result:

No infected objects found.


::Report End


Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\All Users\Desktop\Online Security Center.url
Adware:Adware/SecurityToolbar Not disinfected C:\Program Files\Security Toolbar\Security Toolbar.dll
Adware:Adware/SpyAxe Not disinfected C:\WINDOWS\system32\svchosts.dll

Any help getting rid of this junk would be greatly appreciated.

Thanks,

JG
  • 0

Advertisements


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome sirhobbes to Geeks to Go!

You are running HijackThis from the Desktop.
Please create a new folder for it and move the program into the new folder.

***

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Please download noahdfear's smitRem.exe©. Save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop.

***

Download SpyAxe removal tool. I've send you the link in PM.
Save it to your desktop.

***

Launch ewido, there should be an icon on your desktop double-click it.

The program will now go to the main screen
You will need to update ewido to the latest definition files.On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hpEC25.tmp (file missing)


Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Close all other programs and windows. Double click SpyAxeFix.exe, then click Start to extract the tool to it's own folder.
Open the SpyAxeFix folder and double click the SpyAxeFix.bat to start the tool.
At one point when the tool runs, your taskbar will disappear, and your computer will restart when the tool completes.
A text file will be created in the SpyAxeFix folder.
Post it's contents here in your reply.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your computer.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows
You will need to allow the popups for this site!

Run the Free use Panda Active Scan.
  • Click on Scan your PC. A new browser window will open with Panda ActiveScan. If this is the first time you scan your PC, you'll have to download the ActiveX controls (8 MB).
  • A new window will open
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on 1click active scan (top right hand corner) to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Please post me:
the contents of the Panda scan report,
a new HijackThis Log,
the contents of smitfiles.txt
the content of the spyaxe.txt file
the content of the ST.txt file
and the Ewido Log by using Add Reply.
  • 0

#3
sirhobbes

sirhobbes

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I went through the steps you listed and there is improvement. The taskbar popups are gone and the homepage is not being hijacked. I am not sure if the Spyaxe uninstaller ran correctly as I still have the icon on my desktop along with a folder with its files in my Program Files folder. Here are the logs you requested.

Logfile of HijackThis v1.99.1
Scan saved at 8:36:50 AM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122330975924
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122330967592
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:59:41 PM, 11/23/2005
+ Report-Checksum: 4CCBB49F

+ Scan result:

No infected objects found.


::Report End

Panda Activescan

Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\Joel Gaidosh\Favorites\Take It Here - Daily Updated [bleep] Links.url
Adware:adware/antivirus-gold Not disinfected Windows Registry



SpyAxeFix © by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 11/23/2005
The current time is: 17:33:47.88

spyaxe directory present

spyaxe uninstaller present

Starting spyaxe uninstaller

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of spyaxe.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1372 'explorer.exe'
Killing PID 1372 'explorer.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

svchosts.dll present

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


SpyAxeFix © by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 11/24/2005
The current time is: 8:27:08.86

spyaxe directory present

spyaxe directory present


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1344 'explorer.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 11/24/2005
The current time is: 8:22:24.00

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:


I am not sure where the ST.log is that you mentioned in your post. Is it safe to use the add/remove hardware in windows to get rid of the remaining Spyaxe junk?
  • 0

#4
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Don't remove Hardware please, it's not hardware that's being nasty. It's software.

Can you redo this part:

Download SpyAxeFix.exe © noahdfear. Save it to your desktop. Close all other programs and windows. Double click SpyAxeFix.exe, then click Start to extract the tool to it's own folder. Open the SpyAxeFix folder and double click the SpyAxeFix.bat to start the tool. At one point when the tool runs, your taskbar will dissappear, and your computer will restart when the tool completes. A text file named spyaxe.txt will be created in the SpyAxeFix folder. Post the contents of that log please.
  • 0

#5
sirhobbes

sirhobbes

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I misspoke in my previous post. Rather than remove hardware, I meant should I try using the add/remove programs in control panel.

I downloaded the spyaxefix again and re-ran it as you said. Icon is still on desktop and it still is in the program files. Here is the log file from last run. Also, uninstaller did not run this time as on screen text of fix indicates it would.


SpyAxeFix © by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 11/24/2005
The current time is: 15:43:21.63

spyaxe directory present

spyaxe directory present


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1780 'explorer.exe'
Killing PID 1780 'explorer.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
  • 0

#6
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Can you post me a HijackThis log after a reboot, to check.
  • 0

#7
sirhobbes

sirhobbes

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Here is a new HJT log after reboot.

Logfile of HijackThis v1.99.1
Scan saved at 8:10:08 PM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122330975924
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122330967592
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
  • 0

#8
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Let's remove it manually.

Download the Killbox version 2.0.0.473 .
Unzip it to the desktop

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\system32\svchosts.dll
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.
If your computer does not restart automatically, please restart it manually.

***

Rerun Killbox. If you fill in the same file, you should get a Pending Operations prompt. That means the file is no longer there. In that case there's no need for a reboot.
It could be still there, in that case kill it again and reboot again.

***

Reboot to safe mode.

Open HijackThis and remove these entries:


O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h


Remove SpyAxe 3.0:
Move to Start > Settings > Control Panel
Double click Add/Remove Programs.
Within Add/Remove programs click the "Install/Uninstall" tab or click the "Change or Remove Programs" button.
Within this section you will see a listing of programs that are currently installed that support this feature. If the program I’m advising you to uninstall is listed within this list, highlight it and click the Add/Remove or uninstall option or button.

***

Use Windows Explorer to remove this folder:
C:\WINDOWS\system32\1024\.

***

Reboot back to normal mode.

Please rerun Panda and post me the Panda report and a fresh HijackThis log please.

Edited by g2i2r4, 25 November 2005 - 01:16 PM.

  • 0

#9
sirhobbes

sirhobbes

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I think we might finally have success.

I ran killbox and got the Pending operation prompt on the first run. I re-ran it just to be sure and got same result.

I removed the two lines in HJT.

I then tried to remove Spyaxe 3.0 using add/remove programs. It said it was already uninstalled so I went through and manually cleaned out dead icons and removed folder from program files then emptied recycle bin.

Could not find C:\WINDOWS\system32\1024\. Other folders starting at 1025 and getting larger, but not that one.

Here is the new Panda scan report and HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 9:02:17 PM, on 11/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122330975924
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122330967592
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

Panda Activescan:

Incident Status Location

Adware:adware/antivirus-gold Not disinfected Windows Registry
Are we spyaxe free and is this positive that Panda is catching something to worry about - the antivirus-gold adware in the Windows registry?
  • 0

#10
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Don't like Panda still finding it... Let's dig:

Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.


EDIT:
As there has been no reply from the original poster for more than ten days this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 10 December 2005 - 01:49 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP