spyaxe and smitfraud-c
Mogor's Avatar
Junior Member with 25 posts.
 
Join Date: Dec 2005
Experience: Beginner
12-Dec-2005, 10:43 PM #1
spyaxe and smitfraud-c
I have run several programs to try and remove these: Spy bot, adaware, ewido, smitrem; but I still cannot connect to the internet. When I do run ipconfig the black screen flashes then closes. Also the fake little windows update virus popup continues. I am trying to run spyaxefix but I get the message "windows can not access specified device, path, or file. May not have appropriate permission to access this item." I haven't tried it in safe mode. I have done several tutorials to remove spyaxe, and I cannot find any remaining files for it. But spybot finds smitfraud-c in my registry but cannot remove it. Currently I am on my brother's computer, which is behind mine. Hope you all can help!!! Last hijack and smitfile log.

Logfile of HijackThis v1.99.1
Scan saved at 2:19:47 PM, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Jason\Desktop\HijackThis.exe

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Jason\Local Settings\Temp\{EBAA464D-E2B5-449E-9691-B92D695936EB}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://install.charter.com/diskless/bin/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 12/11/2005
The current time is: 21:18:35.87

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~

Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp
logfiles


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 748 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN!
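As an added example (not part of the thread, and not HijackThis's or the helpers' own method): a small Python triage pass over the O-section lines of the HijackThis log in post #1. The sample lines are copied from that log; the function names and the review heuristics are assumptions made for illustration, and a hit means "look at this entry by hand", not "this is malware". O10 is the HijackThis section for Winsock LSP entries, which is the area LSPFix and WinsockFix work on.

```python
import re
from collections import defaultdict

# HijackThis 1.99 section codes seen in this thread, plus O10 (Winsock LSP).
SECTIONS = {"O3": "IE toolbar", "O4": "autostart", "O8": "IE context menu",
            "O9": "IE button/menu item", "O10": "Winsock LSP",
            "O16": "ActiveX download", "O23": "NT service"}
ENTRY = re.compile(r"^(O\d+) - (.*)$")

# Four lines copied from the log in post #1.
SAMPLE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Jason\Local Settings\Temp\{EBAA464D-E2B5-449E-9691-B92D695936EB}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

def parse(log):
    """Group 'Onn - ...' lines by section code; all other lines are ignored."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def review_list(groups):
    """Return (code, reason, entry) tuples worth a manual look.
    These heuristics are assumptions for this example, not verdicts."""
    hits = []
    for entry in groups.get("O4", []):
        if re.search(r"\\(temp|tmp)\\", entry, re.I):
            hits.append(("O4", "autostart target in a temp directory", entry))
    for entry in groups.get("O23", []):
        if " - Unknown owner - " in entry:
            hits.append(("O23", "service owner reported as unknown", entry))
    for entry in groups.get("O10", []):
        hits.append(("O10", "Winsock LSP chain entry", entry))
    return hits

if __name__ == "__main__":
    for code, reason, entry in review_list(parse(SAMPLE)):
        print(f"{code} [{SECTIONS[code]}] {reason}: {entry}")
```

The log posted in this thread contains no O10 line, so the O10 branch only fires on other logs.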
badbasser98's Avatar
Junior Member with 22 posts.
 
Join Date: Dec 2005
Experience: Intermediate
12-Dec-2005, 10:51 PM #2
You can download lspfix.exe from Here and run that... This fixed mine, and am now able to get to the net, however all the other problems remain, SpyAxe, SmitFraud, etc. However you will be able to access the internet.

As for the rest of it, I'll leave that to someone that knows.

-BB98

Last edited by badbasser98; 12-Dec-2005 at 11:05 PM..
Mogor's Avatar
Junior Member with 25 posts.
 
Join Date: Dec 2005
Experience: Beginner
12-Dec-2005, 11:30 PM #3
lspfix
I installed the lspfix, but I am hesitant to use it. Don't want to make things worse. The three keep files are mswsock.dll, description is Tcpip; winrnr.dll, description is NTDS; rsvpsp.dll, description is (protocol handler). What should I do now?
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
13-Dec-2005, 09:40 AM #4
Run the LSP Fix to get the connection back and click the "I know what I'm doing" checkbox. (Don't move any files or do anything else).

Then click Finish.

Let us know if that restores your connection please.
Mogor's Avatar
Junior Member with 25 posts.
 
Join Date: Dec 2005
Experience: Beginner
13-Dec-2005, 02:40 PM #5
Didn't work, it said repairs were complete with 0 for the four lines below it. Then I restarted my computer and still get no connection.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
13-Dec-2005, 02:58 PM #6
Try this one:

1.) Download http://www.tacktech.com/pub/winsockfix/WinsockFix.zip. (by: Option^Explicit) or http://www.spychecker.com/program/winsockxpfix.html
2.) UnZip WinsockFix.zip (Pay close attention to where the file is extracted to.)
3.) Run WinsockFix.exe.
4.) Click the Fix button.
Mogor's Avatar
Junior Member with 25 posts.
 
Join Date: Dec 2005
Experience: Beginner
13-Dec-2005, 03:26 PM #7
Still no luck
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
13-Dec-2005, 03:52 PM #8
Do you have a good system restore point that you could roll back to?
Mogor's Avatar
Junior Member with 25 posts.
 
Join Date: Dec 2005
Experience: Beginner
13-Dec-2005, 03:54 PM #9
Yes I should, but will that bring back spyaxe?
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
13-Dec-2005, 04:59 PM #10
It may but we can deal with that. We need to get your connection back. If it doesn't work to get the connection back then you can undo the restore.
Mogor's Avatar
Junior Member with 25 posts.
 
Join Date: Dec 2005
Experience: Beginner
13-Dec-2005, 05:03 PM #11
I will try it tonight after work, and let you know the results
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
13-Dec-2005, 05:13 PM #12
OK then. That's fine.
Mogor's Avatar
Junior Member with 25 posts.
 
Join Date: Dec 2005
Experience: Beginner
14-Dec-2005, 01:46 PM #13
I tried four different restore points (one from last month); none worked, it said restoration incomplete. These restore points were basic system check points. I even tried when I installed a game. I get a message before restoration that changes made to drive H: can not be reversed because drive was excluded from the system. This was my portable hd, not sure if this information would help.
Mogor's Avatar
Junior Member with 25 posts.
 
Join Date: Dec 2005
Experience: Beginner
14-Dec-2005, 09:55 PM #14
On a side note I did see where I have the file ioctrl.dll left in window\system32, and deleting this might get rid of the icon in the task bar. All other spyaxe files to my knowledge have been removed. So should I delete it? Other than that I just need my connection back.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
14-Dec-2005, 10:45 PM #15
Yes, boot to safe mode and delete that file.
All times are GMT -4. The time now is 06:04 PM.