smitfraud-c infection [RESOLVED]



#1
tired
I have been working to clear my Windows XP Professional system of the Smitfraud-c virus. I have completed all the prereq steps and scans outlined. It seems to have worked. Spybot no longer finds the Smitfraud-c virus (it previously would find it but could not remove it because it was in use) and I now have control over my desktop settings. I still have a problem that IE will not allow me to go to secure sites - as if the SSLs are not enabled, but they are. I can surf the web but cannot get to my emails, banking or any scan updates that require me to go to a secure site. I simply get the typical default:

The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later......



Additionally, Microsoft Works is not working anymore. Could a launch file have gotten removed?




I am attaching the HijackThis log. Please identify any and all items that can be deleted and let me know if there is anything else present on my system that would prevent me from getting to secure sites.

Logfile of HijackThis v1.99.1
Scan saved at 12:39:45 AM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\HP_Administrator\My Documents\Dan\Adware\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: awvtr - C:\WINDOWS\system32\awvtr.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UWCService - Business Logic Corporation - C:\Program Files\blcorp\WCCSC\WCOC\UWCSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

Thanks for all the info/help so far. I have been trying to clear Smitfraud for 2 days with no luck until tonight. I was about to do a complete restore of my system to get rid of it.


#2
Armodeluxe
Hi tired,

There are a couple of leftover entries in HijackThis, let's fix them.

Open HijackThis and click Scan. Put a check next to these:

O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - (no file)
O20 - Winlogon Notify: awvtr - C:\WINDOWS\system32\awvtr.dll (file missing)


Close all other windows except HijackThis and click Fix Checked.

Let's try two programs and see if those resolve the secure sites issue.

1) Download the Hoster here

Unzip Hoster to your desktop

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • Then click Restore original host files
  • Close the program
2) Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
http://www.mvps.org/.../DelDomains.inf
Save the file to the desktop. Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal. Then please restart your computer, and post a new HijackThis log. You will have to reimmunize with SpywareBlaster, IE-SPYADS, and/or Spybot after doing this if you were using the features of those programs.

Now let's try an online scan:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a new HijackThis log.

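The check behind the two lines picked out in post #2, as an added example that is not part of the original thread: it scans a HijackThis log for entries whose target is flagged "(no file)" or "(file missing)" and then confirms against a later log that they are gone. The sample lines are copied from the logs in this thread; the function names are hypothetical, and skipping "(file missing)" flags on http:// targets (a URL is not a file on disk) is this example's assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the first HijackThis log in this thread (12/7/2005).
FIRST_LOG = r"""
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O20 - Winlogon Notify: awvtr - C:\WINDOWS\system32\awvtr.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Lines copied from the log posted after "Fix Checked" (12/11/2005).
LATER_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")           # "O20 - <body>"
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$")    # trailing flag
URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")          # scheme://...


@dataclass(frozen=True)
class Orphan:
    section: str            # e.g. "O2", "O20"
    label: str              # entry text without the trailing flag
    marker: str             # "no file" or "file missing"
    target: Optional[str]   # last " - " field, None when no file is named


def parse_orphans(log_text: str) -> List[Orphan]:
    """Return every registry entry that HijackThis flagged as orphaned."""
    found = []
    for raw in log_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue  # header, running-process path or blank line
        section, body = entry.groups()
        flag = ORPHAN_RE.search(body)
        if not flag:
            continue
        label = body[:flag.start()].rstrip(" -")
        target = None
        if flag.group(1) == "file missing":
            # The file the entry points at is the last " - " separated field.
            target = label.rpartition(" - ")[2]
        found.append(Orphan(section, label, flag.group(1), target))
    return found


def review_candidates(log_text: str) -> List[Orphan]:
    """Orphans that name a missing local file, or no file at all.

    Assumption of this example: a flag on a URL target is left out,
    because a URL is never a file on the local disk.
    """
    return [o for o in parse_orphans(log_text)
            if not (o.target and URL_RE.match(o.target))]


def remaining_after_fix(before: str, after: str) -> List[Orphan]:
    """Candidates from the earlier log that still show up in the later one."""
    still_there = {(o.section, o.label) for o in parse_orphans(after)}
    return [o for o in review_candidates(before)
            if (o.section, o.label) in still_there]


if __name__ == "__main__":
    for o in review_candidates(FIRST_LOG):
        print(f"{o.section}: {o.label} ({o.marker})")
    print("left after fix:", remaining_after_fix(FIRST_LOG, LATER_LOG))
```
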

#3
tired
Thanks for the reply. I have done everything on the list. Below are the 2 logs requested. Unfortunately, I still cannot get to secure web sites.

Logfile of HijackThis v1.99.1
Scan saved at 6:13:05 AM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\HP_Administrator\My Documents\Dan\Adware\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UWCService - Business Logic Corporation - C:\Program Files\blcorp\WCCSC\WCOC\UWCSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

AND NOW THE KASPERSKY LOG:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, December 11, 2005 06:09:48
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/12/2005
Kaspersky Anti-Virus database records: 164399
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\

Scan Statistics:
Total number of scanned objects: 90235
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 2963 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

Anything else you can think of for me to try would be very much appreciated. System seems to be running OK but this lack of access to emails and banking is getting very frustrating. Thanks for your help.

#4
tired
OK, something very strange. After my previous post and a couple of clicks on news stories from Comcast home page, I ran Spybot to follow up on reimmunizing. I ran S&D first and it found Spyaxe (which is the program associated with the Smitfraud-c virus that started my whole problem to begin with). Spybot "fixed" it but here is an updated Hijack log anyway. Please let me know anything/everything that should be fixed. Additionally, regarding my secure web site access issue, about the time I lost the ability to go to secure web sites, I had run the program Spyaxefix. I found this by searching forums like this when I had the original infection. It managed to stop the pop-ups and stopped Spyaxe from installing itself. I am attaching a printout of the Spyaxefix.bat file that I ran. Can you tell if that could have done something to prevent access to secure web sites?

Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 9:22:03 AM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\HP_Administrator\My Documents\Dan\Adware\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UWCService - Business Logic Corporation - C:\Program Files\blcorp\WCCSC\WCOC\UWCSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


Here is the SpyAxeFix.bat file:


@echo off

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO 2000

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO win

echo Unsupported Version
goto end

:NT

color 1F
@echo off
echo.
echo SpyAxe removal tool by noahdfear © 2005
echo.
echo Please quit all programs since this tool will restart your computer.
echo.
echo If SpyAxe is found installed, the SpyAxe uninstaller will start.
echo.
echo Allow it to continue. Close any browser window it may cause to open.
echo.
echo.
pause
echo SpyAxeFix © by noahdfear>>spyaxe1.txt
echo.>>spyaxe1.txt
ver>>spyaxe1.txt
echo. |date |find "current" >>spyaxe1.txt
echo. |time |find "current" >>spyaxe1.txt
echo.>>spyaxe1.txt
IF EXIST C:\progra~1\spyaxe echo spyaxe directory present>>spyaxe1.txt
echo.>>spyaxe1.txt
IF EXIST C:\progra~1\spyaxe\uninst.exe echo spyaxe uninstaller present>>spyaxe1.txt
IF EXIST C:\progra~1\spyaxe\uninst.exe goto cspyaxe
IF NOT EXIST C:\progra~1\spyaxe\uninst.exe goto sys
:cspyaxe
echo.>>spyaxe1.txt
echo Starting spyaxe uninstaller>>spyaxe1.txt
process -k spyaxe.exe>>spyaxe1.txt
start C:\progra~1\spyaxe\uninst.exe
goto remove
:sys
IF EXIST %systemdrive%\progra~1\spyaxe echo spyaxe directory present>>spyaxe1.txt
echo.>>spyaxe1.txt
IF EXIST %systemdrive%\progra~1\spyaxe\uninst.exe echo spyaxe uninstaller present>>spyaxe1.txt
IF EXIST %systemdrive%\progra~1\spyaxe\uninst.exe goto sysspy
IF NOT EXIST %systemdrive%\progra~1\spyaxe\uninst.exe goto svc
:sysspy
echo.>>spyaxe1.txt
echo Starting spyaxe uninstaller>>spyaxe1.txt
process -k spyaxe.exe>>spyaxe1.txt
start %systemdrive%\progra~1\spyaxe\uninst.exe
echo.>>spyaxe1.txt
goto remove
:remove
cls
echo.
echo.
echo If the SpyAxe uninstaller has completed,
echo.
echo press any key to continue.
echo.
echo.
pause
goto svc
:svc
cls
@echo off
process -k explorer.exe>>spyaxe1.txt
echo.>>spyaxe1.txt
process -k rundll32.exe>>spyaxe1.txt
@echo off
echo REGEDIT4>>fix.reg
echo.>>fix.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]>>fix.reg
echo "{E802FFFF-8E58-4d2c-A435-8BEEFB10AB77}"=->>fix.reg
echo "{A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72}"=->>fix.reg
regedit /s fix.reg
del /q fix.reg
@echo off
echo.>>spyaxe1.txt
IF EXIST %systemroot%\system32\svchosts.dll echo svchosts.dll present>>spyaxe1.txt
IF EXIST %systemroot%\system32\1024 echo 1024 directory present>>spyaxe1.txt
IF EXIST %systemroot%\system32\svchosts.dll attrib -r -h %systemroot%\system32\svchosts.dll
IF EXIST %systemroot%\system32\svchosts.dll del /q %systemroot%\system32\svchosts.dll
IF EXIST %systemroot%\system32\1024\*.* attrib -r -h %systemroot%\system32\1024\*.*
IF EXIST %systemroot%\system32\1024\*.* del /q %systemroot%\system32\1024\*.*
IF EXIST %systemroot%\system32\1024 rmdir %systemroot%\system32\1024
IF EXIST C:\progra~1\spyaxe\*.* attrib -r -h C:\progra~1\spyaxe\*.*
IF EXIST C:\progra~1\spyaxe\*.* del /q C:\progra~1\spyaxe\*.*
IF EXIST C:\progra~1\spyaxe rmdir C:\progra~1\spyaxe
IF EXIST %systemdrive%\progra~1\spyaxe\*.* attrib -r -h %systemdrive%\progra~1\spyaxe\*.*
IF EXIST %systemdrive%\progra~1\spyaxe\*.* del /q %systemdrive%\progra~1\spyaxe\*.*
IF EXIST %systemdrive%\progra~1\spyaxe rmdir %systemdrive%\progra~1\spyaxe

cls
echo.
echo.
echo Press any key to continue and complete the fix.
echo.
echo Your computer will restart automatically.
echo.
echo.
pause
@echo off
cls
regedit /a ST.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
echo.>>spyaxe.txt
type spyaxe1.txt >>spyaxe.txt
echo.>>spyaxe.txt
type ST.reg >>spyaxe.txt
del /q spyaxe1.txt
del /q ST.reg

%systemroot%\system32\shutdown.exe -r -t 10 -c "Restarting to complete the removal"

goto done

:2000

@echo off
echo.
echo SpyAxe removal tool by noahdfear © 2005
echo.
echo Please quit all programs since this tool will restart your computer.
echo.
echo If SpyAxe is found installed, the SpyAxe uninstaller will start.
echo.
echo Allow it to continue. Close any browser window it may cause to open.
echo.
echo.
pause
echo SpyAxeFix © by noahdfear>>spyaxe1.txt
echo.>>spyaxe1.txt
ver>>spyaxe1.txt
echo. |date |find "current" >>spyaxe1.txt
echo. |time |find "current" >>spyaxe1.txt
echo.>>spyaxe1.txt
IF EXIST C:\progra~1\spyaxe echo spyaxe directory present>>spyaxe1.txt
echo.>>spyaxe1.txt
IF EXIST C:\progra~1\spyaxe\uninst.exe echo spyaxe uninstaller present>>spyaxe1.txt
IF EXIST C:\progra~1\spyaxe\uninst.exe goto cspyaxe2
IF NOT EXIST C:\progra~1\spyaxe\uninst.exe goto sys2
:cspyaxe2
echo.>>spyaxe1.txt
echo Starting spyaxe uninstaller>>spyaxe1.txt
process -k spyaxe.exe>>spyaxe1.txt
start C:\progra~1\spyaxe\uninst.exe
goto remove2
:sys2
IF EXIST %systemdrive%\progra~1\spyaxe echo spyaxe directory present>>spyaxe1.txt
echo.>>spyaxe1.txt
IF EXIST %systemdrive%\progra~1\spyaxe\uninst.exe echo spyaxe uninstaller present>>spyaxe1.txt
IF EXIST %systemdrive%\progra~1\spyaxe\uninst.exe goto sysspy2
IF NOT EXIST %systemdrive%\progra~1\spyaxe\uninst.exe goto svc2
:sysspy2
echo.>>spyaxe1.txt
echo Starting spyaxe uninstaller>>spyaxe1.txt
process -k spyaxe.exe>>spyaxe1.txt
start %systemdrive%\progra~1\spyaxe\uninst.exe
echo.>>spyaxe1.txt
goto remove2
:remove2
cls
echo.
echo.
echo If the SpyAxe uninstaller has completed,
echo.
echo press any key to continue.
echo.
echo.
pause
goto svc2
:svc2
cls
@echo off
process -k explorer.exe>>spyaxe1.txt
echo.>>spyaxe1.txt
process -k rundll32.exe>>spyaxe1.txt
@echo off
echo REGEDIT4>>fix.reg
echo.>>fix.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]>>fix.reg
echo "{E802FFFF-8E58-4d2c-A435-8BEEFB10AB77}"=->>fix.reg
echo "{A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72}"=->>fix.reg
regedit /s fix.reg
del /q fix.reg
@echo off
echo.>>spyaxe1.txt
IF EXIST %systemroot%\system32\svchosts.dll echo svchosts.dll present>>spyaxe1.txt
IF EXIST %systemroot%\system32\1024 echo 1024 directory present>>spyaxe1.txt
IF EXIST %systemroot%\system32\svchosts.dll attrib -r -h %systemroot%\system32\svchosts.dll
IF EXIST %systemroot%\system32\svchosts.dll del /q %systemroot%\system32\svchosts.dll
IF EXIST %systemroot%\system32\1024\*.* attrib -r -h %systemroot%\system32\1024\*.*
IF EXIST %systemroot%\system32\1024\*.* del /q %systemroot%\system32\1024\*.*
IF EXIST %systemroot%\system32\1024 rmdir %systemroot%\system32\1024
IF EXIST C:\progra~1\spyaxe\*.* attrib -r -h C:\progra~1\spyaxe\*.*
IF EXIST C:\progra~1\spyaxe\*.* del /q C:\progra~1\spyaxe\*.*
IF EXIST C:\progra~1\spyaxe rmdir C:\progra~1\spyaxe
IF EXIST %systemdrive%\progra~1\spyaxe\*.* attrib -r -h %systemdrive%\progra~1\spyaxe\*.*
IF EXIST %systemdrive%\progra~1\spyaxe\*.* del /q %systemdrive%\progra~1\spyaxe\*.*
IF EXIST %systemdrive%\progra~1\spyaxe rmdir %systemdrive%\progra~1\spyaxe

cls
echo.
echo.
echo Press any key to continue and complete the fix.
echo.
echo Your computer will restart automatically.
echo.
echo Your Active Desktop may need to be restored upon restart.
echo.
echo.
pause
@echo off
cls
regedit /a ST.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
echo.>>spyaxe.txt
type spyaxe1.txt >>spyaxe.txt
echo.>>spyaxe.txt
type ST.reg >>spyaxe.txt
del /q spyaxe1.txt
del /q ST.reg

shutdown -s reboot -l 10 -m "Restarting to complete the removal"
goto done

:win

@echo off
echo.
echo SpyAxe removal tool by noahdfear © 2005
echo.
echo Please quit all programs since this tool will restart your computer.
echo.
echo If SpyAxe is found installed, the SpyAxe uninstaller will start.
echo.
echo Allow it to continue. Close any browser window it may cause to open.
echo.
echo.
pause
echo SpyAxeFix © by noahdfear>>spyaxe1.txt
echo.>>spyaxe1.txt
ver>>spyaxe1.txt
echo. |date |find "current" >>spyaxe1.txt
echo. |time |find "current" >>spyaxe1.txt
echo.>>spyaxe1.txt
IF EXIST C:\progra~1\spyaxe echo spyaxe directory present>>spyaxe1.txt
echo.>>spyaxe1.txt
IF EXIST C:\progra~1\spyaxe\uninst.exe echo spyaxe uninstaller present>>spyaxe1.txt
IF EXIST C:\progra~1\spyaxe\uninst.exe goto cspyaxew
IF NOT EXIST C:\progra~1\spyaxe\uninst.exe goto sysw
:cspyaxew
echo.>>spyaxe1.txt
echo Starting spyaxe uninstaller>>spyaxe1.txt
pv -f -k spyaxe.exe
start C:\progra~1\spyaxe\uninst.exe
goto removew
:sysw
IF EXIST %systemdrive%\progra~1\spyaxe echo spyaxe directory present>>spyaxe1.txt
echo.>>spyaxe1.txt
IF EXIST %systemdrive%\progra~1\spyaxe\uninst.exe echo spyaxe uninstaller present>>spyaxe1.txt
IF EXIST %systemdrive%\progra~1\spyaxe\uninst.exe goto sysspyw
IF NOT EXIST %systemdrive%\progra~1\spyaxe\uninst.exe goto svcw
:sysspyw
echo.>>spyaxe1.txt
echo Starting spyaxe uninstaller>>spyaxe1.txt
pv -f -k spyaxe.exe
start %systemdrive%\progra~1\spyaxe\uninst.exe
echo.>>spyaxe1.txt
goto removew
:removew
cls
echo.
echo.
echo If the SpyAxe uninstaller has completed,
echo.
echo press any key to continue.
echo.
echo.
pause
goto svcw
:svcw
cls
@echo off
pv -f -k Explorer.exe
@echo off
echo REGEDIT4>>fix.reg
echo.>>fix.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]>>fix.reg
echo "{E802FFFF-8E58-4d2c-A435-8BEEFB10AB77}"=->>fix.reg
echo "{A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72}"=->>fix.reg
regedit.exe /s fix.reg
@echo off
echo.>>spyaxe1.txt
IF EXIST %systemroot%\system\svchosts.dll echo svchosts.dll present>>spyaxe1.txt
IF EXIST %systemroot%\system\1024 echo 1024 directory present>>spyaxe1.txt
IF EXIST %systemroot%\system\svchosts.dll attrib -r -h %systemroot%\system32\svchosts.dll
IF EXIST %systemroot%\system\svchosts.dll deltree /Y %systemroot%\system32\svchosts.dll
IF EXIST %systemroot%\system\1024\*.* attrib -r -h %systemroot%\system32\1024\*.*
IF EXIST %systemroot%\system\1024\*.* deltree /Y %systemroot%\system32\1024\*.*
IF EXIST %systemroot%\system\1024 deltree %systemroot%\system32\1024
IF EXIST C:\progra~1\spyaxe\*.* attrib -r -h C:\progra~1\spyaxe\*.*
IF EXIST C:\progra~1\spyaxe\*.* deltree /Y C:\progra~1\spyaxe\*.*
IF EXIST C:\progra~1\spyaxe deltree /Y C:\progra~1\spyaxe
IF EXIST %systemdrive%\progra~1\spyaxe\*.* attrib -r -h %systemdrive%\progra~1\spyaxe\*.*
IF EXIST %systemdrive%\progra~1\spyaxe\*.* deltree /Y %systemdrive%\progra~1\spyaxe\*.*
IF EXIST %systemdrive%\progra~1\spyaxe deltree /Y %systemdrive%\progra~1\spyaxe

cls
echo.
echo.
echo Press any key to continue and complete the fix.
echo Your computer will restart automatically.
echo.
echo.
pause
@echo off
cls
regedit.exe /e ST.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

echo.>>spyaxe.txt
type spyaxe1.txt >>spyaxe.txt
echo.>>spyaxe.txt
type ST.reg >>spyaxe.txt
deltree /Y spyaxe1.txt
deltree /Y ST.reg
deltree /Y fix.reg

START C:\WINDOWS\RUNDLL.EXE user.exe,exitwindowsexec
goto done

:end
cls
@echo off
echo.
echo Sorry, this tool cannot be run on your system.
echo.
echo Press any key to close this window.
echo.
pause

GOTO done

:done

cls
@echo off
REM copyright 2005 Dave "noahdfear" Fear [email protected]
REM SpyAxeFix © by noahdfear
cls
EXIT
  • 0
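An added example, not part of the original post or of the SpyAxeFix tool: a reader for the spyaxe.txt report that the batch file writes. It separates the "present" lines, which are logged before anything is deleted, from the SharedTaskScheduler export taken after fix.reg is applied. The function name review_report and the sample report are assumptions; the report layout is inferred from the script's echo and type commands.

```python
import re

# Values SpyAxeFix.bat deletes via fix.reg (copied from the batch file above).
TARGET_CLSIDS = {
    "{E802FFFF-8E58-4D2C-A435-8BEEFB10AB77}",
    "{A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72}",
}
STS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
           r"\CurrentVersion\Explorer\SharedTaskScheduler").lower()
VALUE_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"=(.*)$')


def review_report(text):
    """Split a spyaxe.txt report into pre-fix findings and post-fix state."""
    found_before, still_registered, other_values = [], [], {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # key header inside the registry export
            in_key = line.strip("[]").lower() == STS_KEY
        elif in_key:
            m = VALUE_RE.match(line)
            if m and m.group(1).upper() in TARGET_CLSIDS:
                still_registered.append(m.group(1).upper())  # fix failed
            elif m:
                other_values[m.group(1).upper()] = m.group(2).strip('"')
        elif line.endswith(" present"):
            # Logged BEFORE the deletions: what was found, not what remains.
            found_before.append(line[: -len(" present")])
    return {"found_before": found_before,
            "still_registered": still_registered,
            "other_values": other_values}


# Constructed sample report (not taken from the thread).
SAMPLE = r'''
spyaxe directory present
svchosts.dll present

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{00000000-0000-0000-0000-000000000001}"="constructed benign entry"
"{e802ffff-8e58-4d2c-a435-8beefb10ab77}"="constructed leftover"
'''

if __name__ == "__main__":
    print(review_report(SAMPLE))
```

An empty still_registered list means the two values were gone when the key was exported; anything in other_values still needs to be checked by hand.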

#5
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Your HijackThis log looks clean and Kaspersky didn't find anything..

Spyaxefix wouldn't tamper with anything other than just removing spyaxe..

Try this and see if it helps..in IE go to Tools > Reset Web Settings

If that doesn't solve the problem, please download Firefox here..

http://www.mozilla.com/firefox/

See if you can access the sites using Firefox..that will help us determine where the problem lies..
  • 0

#6
tired

tired

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I reset the web settings - still does not work. I then downloaded Firefox - it will not connect to anything. I went into Firefox/Tools/Options and enabled auto detect with no luck. Then I put it back to direct connect, again nothing. Even the sites that I can get to with IE (ex. Geekstogo) will not come up in Firefox.
  • 0

#7
tired

tired

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I have it working now. It turned out to be a conflict/problem with Norton Personal Firewall. Thanks very much for your help and all the information provided on this forum - I could not have cleared the Smitfraud virus without it. You can close this post. Thanks again.
  • 0

#8
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Now let's reset your restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Uncheck Turn off System Restore.
Click Apply, and then click OK.

Please take the following into consideration to maintain a clean computer.

I also recommend that you install monitoring software, which will monitor certain areas on your computer and alert you when they are being modified. One such program I recommend is Prevx, but it's for advanced users, as the messages it displays can be hard to decipher. A similar but more user-friendly program is Winpatrol. Both are free programs.
Winpatrol
Prevx

Visit Windows Update regularly to get the latest security updates. You can also enable automatic updates. Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download, and scan every file before clicking on it.

Additional programs to consider:

Spywareblaster: Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard: An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
IE/Spyad: Adds a list of malicious sites to your Restricted Sites Zone.


A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe
  • 0

#9
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





