Gladiator Security Forum


> Forum Rules

Greetings,

Before you post in this forum, please read and follow the instructions in this post: Guidelines for Posting in This Forum

Failure to follow these instructions will only result in delays of the cleaning and removal process.

If you ran other AntiVirus and/or AntiSpyware programs and have the logs available, please post them as well.

Our goal is to help you clean your PC and restore it to pre-infection condition wherever possible.

Thank You

 
> Spyaxe, how to remove
Blinke
post Jan 12 2006, 10:35 PM
Post #1


New Member

Group: Member
Posts: 3
Joined: 12-January 06
Member No.: 17437



I'm having problems removing SpyAxe. Can you look at the log please? Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 9:22:15 AM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
E:\WINDOWS\system32\vmnat.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\vmnetdhcp.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslstat.exe
E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslagent.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\progs\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tportal.hr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tportal.hr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = T-Com Internet Explorer
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - E:\WINDOWS\system32\hpD0F7.tmp
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] E:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DSLSTATEXE] E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P23 "EPSON Stylus C43 Series" /O6 "USB001" /M "Stylus C43"
O4 - HKLM\..\Run: [NavRegReminder] "E:\WINDOWS\temp\NavBrowser.exe" /r /i "E:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [ScanSoft PaperPort 7 Registration Reminder] "E:\Program Files\ScanSoft\PaperPort\NAVBrowser.EXE" /r /i "E:\Program Files\ScanSoft\PaperPort\NavLoad.ini"
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "E:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = D:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C424DF33-86B1-4094-A579-2BD62495C08B}: NameServer = 195.29.150.3 195.29.150.4
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - D:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - D:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O23 - Service: Autodesk Licensing Service - Unknown owner - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - E:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - E:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
Mosaic1
post Jan 12 2006, 10:50 PM
Post #2


Most Respected SuperExpert

Group: Member
Posts: 4576
Joined: 9-June 04
Member No.: 8164



Copy these instructions to notepad and save them to your desktop for easy reference.


You will be restarting into Safe mode later. Here's help if you need it.

To use the F8 key to start Windows XP in Safe mode
Restart the computer.
Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
As soon as the BIOS loads, begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
Using the arrow keys on the keyboard, select Safe mode and then press Enter.

------

Download
smitrem.zip


Save the file to your desktop.
Double click on smitRem.exe to extract the files it contains.

This will create a folder named smitrem on your desktop.
We'll use it later.
------------

Download CCleaner.

http://www.filehippo.com/download_ccleaner.html

Install CCleaner
Launch CCleaner and look in the upper right corner and click on the "Options" button.
Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
Click OK
Do not run CCleaner yet. You will run it later in safe mode.


Download the trial version of Ewido Security Suite:

http://www.ewido.net/en/download/

Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update; click the OK button and it will go to the main screen.
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.
--------------------------

Restart into Safe Mode.


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop


Start CCleaner and click Run Cleaner


Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.




Restart back into regular windows.




Go for a free online Virus scan here:

http://www.pandasoftware.com/activescan/

Allow it to clean

Panda will have the option to create a log after the scan has finished. Click the See Report button. Then click the Save Report button. It will be saved under the name activescan.txt. Do that and post that log into your next reply here.


Post a new HiJackThis log along with the results from ActiveScan and the ewido scan


Open C:\smitfiles.txt and post the contents of that file

You may have to reply more than once to fit all the logs into your response.
Blinke
post Jan 22 2006, 09:30 PM
Post #3


New Member

Group: Member
Posts: 3
Joined: 12-January 06
Member No.: 17437



Hi. Thanks for all your help. I was away for a few days and tried to do all you said; sorry it took me so long.

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 14:14:48, on 22.1.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\PROGRA~1\Ontrack\SYSTEM~1\mxserver.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\vmnetdhcp.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslstat.exe
E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslagent.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
E:\WINDOWS\system32\ctfmon.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\SecuritySuite.exe
D:\Program Files\Opera\Opera.exe
E:\Documents and Settings\ina\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NVRTCLK] E:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DSLSTATEXE] E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C424DF33-86B1-4094-A579-2BD62495C08B}: NameServer = 195.29.150.3 195.29.150.4
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Ontrack SystemSuite 2000 Task Manager (mxserver) - Ontrack Data International - D:\PROGRA~1\Ontrack\SYSTEM~1\mxserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - E:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe




---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 14:01:53, 22.1.2006
+ Report-Checksum: DD2CEDF2

+ Scan result:

HKLM\SOFTWARE\Classes\Image.Image -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Image.Image\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Image.Image.1 -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1214440339-1801674531-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F} -> Spyware.CommonName : Cleaned with backup
D:\CashBar.dll -> Spyware.CashFiesta : Cleaned with backup
D:\cfshtie.dll -> Spyware.CashFiesta : Cleaned with backup
D:\Impcfw.dll -> Spyware.CashFiesta : Cleaned with backup
D:\ProcMod.dll -> Spyware.CashFiesta : Cleaned with backup
E:\WINDOWS\system32\ldC18A.tmp -> Downloader.Zlob.bv : Cleaned without backup
E:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Cleaned without backup


::Report End




Adware:adware/securityerror E:\WINDOWS\SYSTEM32\ot.ico
Adware:adware/cws.searchmeup E:\WINDOWS\SYSTEM32\paytime.exe
Adware:adware/spyaxe E:\WINDOWS\SYSTEM32\wbeconm.dll
Adware:adware/secure32 E:\WINDOWS\secure32.html
Adware:adware/searchaid Windows Registry
Adware:Adware/Cashbar D:\CashBar.dll
Adware:Adware/Cashbar D:\cfshtie.dll
Adware:Adware/IST.ISTBar D:\Documents and Settings\domi\Shared\dungeon siege 2 cd key.zip[setup.exe]
Adware:Adware/Cashbar D:\Impcfw.dll
Adware:Adware/Cashbar D:\ProcMod.dll
Adware:Adware/Cashbar E:\Documents and Settings\ina\Desktop\down s neta\CashBar.dll
Adware:Adware/Cashbar E:\Documents and Settings\ina\Desktop\down s neta\Cashfiesta.exe
Adware:Adware/Cashbar E:\Documents and Settings\ina\Desktop\down s neta\cfshtie.dll
Adware:Adware/Cashbar E:\Documents and Settings\ina\Desktop\down s neta\Impcfw.dll
Adware:Adware/Cashbar E:\Documents and Settings\ina\Desktop\down s neta\ProcMod.dll
Hacktool:HackTool/- Read our board rules -Search.A E:\Documents and Settings\ina\Desktop\down s neta\set up-ovi\direktno skida - Read our board rules - u hard i nema virusa.zip[Buscador de - Read our board rules -s.exe]
Adware:Adware/SpyAxe E:\WINDOWS\system32\1024\ld482F.tmp
Adware:Adware/SecurityError E:\WINDOWS\system32\ldC18A.tmp
Adware:Adware/SpyAxe E:\WINDOWS\system32\wbeconm.dll
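The HijackThis logs in posts #1 and #3 are what the helpers read by hand. This added example (my code, not HijackThis's or the forum's) parses that log format, flags the entry patterns a helper looks twice at, and diffs the pre-cleanup log against the later one; the embedded excerpts are shortened copies of those two logs, and the flag rules are my own heuristics.

```python
"""Triage helpers for HijackThis v1.99.1 logs as posted in this thread.

Added example, not HijackThis or forum code. The two excerpts below are
shortened copies of the logs in posts #1 and #3; non-entry lines are skipped.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the first (pre-cleanup) log, copied from post #1.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:22:15 AM, on 1/11/2006

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tportal.hr/
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - E:\WINDOWS\system32\hpD0F7.tmp
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NavRegReminder] "E:\WINDOWS\temp\NavBrowser.exe" /r /i "E:\WINDOWS\temp\NavLoad.ini"
O17 - HKLM\System\CCS\Services\Tcpip\..\{C424DF33-86B1-4094-A579-2BD62495C08B}: NameServer = 195.29.150.3 195.29.150.4
"""

# Excerpt of the log posted after smitRem and ewido ran, copied from post #3.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 14:14:48, on 22.1.2006

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{C424DF33-86B1-4094-A579-2BD62495C08B}: NameServer = 195.29.150.3 195.29.150.4
"""

# Entry lines start with a section code (R0-R3, F0-F3, O1-O23) followed by " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O2"
    body: str     # everything after "O2 - "

    def __str__(self) -> str:
        return f"{self.section} - {self.body}"


def parse_log(text: str) -> list[Entry]:
    """Return the R/F/O entries of a log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag_entry(entry: Entry) -> list[str]:
    """Heuristic reasons (mine, not HijackThis's) to look twice at an entry."""
    reasons = []
    body = entry.body
    # A hook/toolbar CLSID whose file is gone is debris of a partly removed
    # component (the R3/O3 lines in post #1).
    if "(no file)" in body:
        reasons.append("registered CLSID has no backing file")
    # Installed software does not ship BHOs or autoruns as .tmp files; post #1's
    # HomepageBHO loads system32\hpD0F7.tmp and is absent from the later log.
    if re.search(r"\.tmp\b", body, re.I):
        reasons.append("component loaded from a .tmp file")
    # Autorun entries pointing into a temp folder rarely belong to installed software.
    if entry.section == "O4" and re.search(r"\\temp\\", body, re.I):
        reasons.append("autorun launches from a temp folder")
    return reasons


def flag_log(text: str) -> list[tuple[str, list[str]]]:
    """All flagged entries of a log, each with its reasons."""
    out = []
    for e in parse_log(text):
        reasons = flag_entry(e)
        if reasons:
            out.append((str(e), reasons))
    return out


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entries that disappeared and entries that appeared between two scans."""
    b = {str(e) for e in parse_log(before)}
    a = {str(e) for e in parse_log(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for line, reasons in flag_log(LOG_BEFORE):
        print(f"FLAG {line}\n     {'; '.join(reasons)}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

Run it on two full logs saved from HijackThis to see which entries the cleanup removed; the diff is a quicker check than re-reading a 50-line log by eye.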
Mosaic1
post Jan 22 2006, 09:54 PM
Post #4


Most Respected SuperExpert

Group: Member
Posts: 4576
Joined: 9-June 04
Member No.: 8164



To what report does all this belong? Your post is confusing.

Also, if you are visiting - Read our board rules - sites, that is a really good way to get infected. One of the entries looks like you may have visited one.

Adware:adware/securityerror E:\WINDOWS\SYSTEM32\ot.ico
Adware:adware/cws.searchmeup E:\WINDOWS\SYSTEM32\paytime.exe
Adware:adware/spyaxe E:\WINDOWS\SYSTEM32\wbeconm.dll
Adware:adware/secure32 E:\WINDOWS\secure32.html
Adware:adware/searchaid Windows Registry
Adware:Adware/Cashbar D:\CashBar.dll
Adware:Adware/Cashbar D:\cfshtie.dll
Adware:Adware/IST.ISTBar D:\Documents and Settings\domi\Shared\dungeon siege 2 cd key.zip[setup.exe]
Adware:Adware/Cashbar D:\Impcfw.dll
Adware:Adware/Cashbar D:\ProcMod.dll
Adware:Adware/Cashbar E:\Documents and Settings\ina\Desktop\down s neta\CashBar.dll
Adware:Adware/Cashbar E:\Documents and Settings\ina\Desktop\down s neta\Cashfiesta.exe
Adware:Adware/Cashbar E:\Documents and Settings\ina\Desktop\down s neta\cfshtie.dll
Adware:Adware/Cashbar E:\Documents and Settings\ina\Desktop\down s neta\Impcfw.dll
Adware:Adware/Cashbar E:\Documents and Settings\ina\Desktop\down s neta\ProcMod.dll
Hacktool:HackTool/- Read our board rules -Search.A E:\Documents and Settings\ina\Desktop\down s neta\set up-ovi\direktno skida - Read our board rules - u hard i nema virusa.zip[Buscador de - Read our board rules -s.exe]
Adware:Adware/SpyAxe E:\WINDOWS\system32\1024\ld482F.tmp
Adware:Adware/SecurityError E:\WINDOWS\system32\ldC18A.tmp
Adware:Adware/SpyAxe E:\WINDOWS\system32\wbeconm.dll


----------

May I see the smitfiles.txt contents please? It will be here:
E:\smitfiles.txt

------
There has been an issue found recently with Sun Java.

When newer versions are installed, the older versions are left behind and malware can call these older versions to exploit flaws. Some malware has been found to install this way.

First update to the very latest version of Sun Java, which is 1.5.0_06

Then go into Add Remove programs and uninstall any older versions you find listed there.
-----




How is the system running?
Blinke
post Jan 28 2006, 11:34 PM
Post #5


New Member

Group: Member
Posts: 3
Joined: 12-January 06
Member No.: 17437



I can't find the smitfiles.txt file. I tried Start -> Find and got nothing, and I don't see it on E:

New logs:

Panda's log:

Incident Status Location

Adware:adware/securityerror Reported E:\WINDOWS\SYSTEM32\ot.ico
Adware:adware/cws.searchmeup Reported E:\WINDOWS\SYSTEM32\paytime.exe
Adware:adware/secure32 Reported E:\WINDOWS\secure32.html
Adware:adware/pesttrap Reported E:\WINDOWS\soft.exe
Adware:Adware/IST.ISTBar Reported D:\Documents and Settings\domi\Shared\dungeon siege 2 cd key.zip[setup.exe]
Virus:Application/Processor Reported D:\Program Files\Opera\smitRem\Process.exe
Virus:Application/Processor Reported D:\smitRem.exe[Process.exe]


Ewido's log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 14:01:53, 22.1.2006
+ Report-Checksum: DD2CEDF2

+ Scan result:

HKLM\SOFTWARE\Classes\Image.Image -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Image.Image\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Image.Image.1 -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1214440339-1801674531-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F} -> Spyware.CommonName : Cleaned with backup
D:\CashBar.dll -> Spyware.CashFiesta : Cleaned with backup
D:\cfshtie.dll -> Spyware.CashFiesta : Cleaned with backup
D:\Impcfw.dll -> Spyware.CashFiesta : Cleaned with backup
D:\ProcMod.dll -> Spyware.CashFiesta : Cleaned with backup
E:\WINDOWS\system32\ldC18A.tmp -> Downloader.Zlob.bv : Cleaned without backup
E:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Cleaned without backup


::Report End


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:22:52, on 25.1.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslstat.exe
E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslagent.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\system32\ctfmon.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\PROGRA~1\Ontrack\SYSTEM~1\mxserver.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\vmnetdhcp.exe
D:\Program Files\Opera\Opera.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\WINDOWS\system32\NOTEPAD.EXE
E:\WINDOWS\system32\NOTEPAD.EXE
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Documents and Settings\ina\Desktop\HijackThis.exe
E:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NVRTCLK] E:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DSLSTATEXE] E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] E:\Program Files\T-Com MAXadsl CD-ROM\T-Com Siemens ADSL A-100 Modem\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C424DF33-86B1-4094-A579-2BD62495C08B}: NameServer = 195.29.150.3 195.29.150.4
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Ontrack SystemSuite 2000 Task Manager (mxserver) - Ontrack Data International - D:\PROGRA~1\Ontrack\SYSTEM~1\mxserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - E:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe


Are those the three logs you asked for?

About the Java.... I don't see older versions in Add/Remove, but I will uninstall the Java that I have and update to the very latest version.

About the - Read our board rules -s... I wouldn't know how to use - Read our board rules -, and I know they have trojans inside, so I didn't download any on purpose. And I'm not the only one using this computer, so it could be someone else, but I don't think so. Is there any way the - Read our board rules - could download itself onto my computer without me knowing it?

About the system... it runs OK, as far as I can see, but it takes a long time when shutting down... sometimes it takes 20 min. until Windows shuts down. What could be the problem?


Thank you again :)
Mosaic1
post Jan 29 2006, 05:42 AM
Post #6


Most Respected SuperExpert

Group: Member
Posts: 4576
Joined: 9-June 04
Member No.: 8164



20 minutes to shut down? Do you have something scanning in the background at shutdown? Maybe your Anti Virus program?


This made me question the - Read our board rules -:

Hacktool:HackTool/- Read our board rules -Search.A E:\Documents and Settings\ina\Desktop\down s neta\set up-ovi\direktno skida - Read our board rules - u hard i nema virusa.zip[Buscador de - Read our board rules -s.exe]



Search for smitfiles.txt on D:\ too please.


You didn't follow the directions re: Sun Java.

QUOTE
There has been an issue found recently with Sun Java. It is very important that you do this.

When newer versions are installed, the older versions are left behind and malware can call these older versions to exploit flaws. Some malware has been found to install this way.

First update to the very latest version of Sun Java, which is 1.5.0_06

Then go into Add Remove programs and uninstall any older versions you find listed there.




Please delete these files:

E:\WINDOWS\SYSTEM32\ot.ico
E:\WINDOWS\SYSTEM32\paytime.exe
E:\WINDOWS\secure32.html
E:\WINDOWS\soft.exe
D:\Documents and Settings\domi\Shared\dungeon siege 2 cd key.zip[setup.exe]


Is anyone on this system file sharing? That's also a great way to become infected.