Major problem - Spyaxe


bigboy

Thread Starter
Joined
Jul 4, 2004
Messages
28
Hello,

I have a major problem with the SpyAxe virus. It keeps popping up messages like "your computer is infected!" in the bottom right of the screen no matter what I try to do to remove it. Also, the usually light blue "Windows XP" toolbars are now dark blue or grayish.

Below is the most recent HijackThis v1.99.1 log. It's really all there is.

I'm not a programmer, so please, somebody walk me through this. Thank you very much!!!

*******

Logfile of HijackThis v1.99.1
Scan saved at 11:25:54, on 26/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\DOCUME~1\JANJAN~1\LOCALS~1\Temp\Tijdelijke map 4 voor hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.solarmonitor.org/index.php
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 
Joined
Sep 8, 2005
Messages
9,113
Welcome to TSG

First of all, HijackThis is running in the temp folder.

Please download this zip file here
  • Unzip it and double click the VBS script inside it
  • HJT will be moved from the temp folders and placed properly and opened ready to run
  • If you have a script blocker you might get a message warning about the script.
  • IT IS SAFE, so allow it to run

Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable SpySweeper:

Open it, click Options over to the left, then Program Options, and uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".


* Click here to download smitRem.exe.
  • Save the file to your desktop.
  • It is a self extracting file.
  • Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update; click the OK button and it will go to the main screen
  • On the left side of the main screen click Update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Post a fresh HijackThis, ewido, Panda, and smitRem log.
 

bigboy

Thread Starter
Joined
Jul 4, 2004
Messages
28
Hi,

Thanks for the quick reply.

Unfortunately, double-clicking the VBS script (file "Move Hijackthis") returns a message: "Hijackthis.exe not found!". I'm not getting any other automatic messages to run HJT.

Thanks for the help!
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
In that case,

reboot, and

go to here and download the 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press Run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on the desktop.
Click on the entry in start menu or on the desktop to run HijackThis
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

bigboy

Thread Starter
Joined
Jul 4, 2004
Messages
28
Hi,

Here's the HJT-log. Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 12:40:27, on 26/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.solarmonitor.org/index.php
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Well, there is something very wrong there, as almost all the entries that should be in a HJT log are missing.

Have you fixed anything yourself?
 
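The near-empty log is the tell here. As an added example (not part of the thread and not a HijackThis feature), the Python script below parses a HijackThis 1.99 log and applies the checks the helpers in this thread apply by eye: a binary running out of a temp folder, the same image loaded more than once, an O4 section with nothing in it, and the entry categories that most often carry a browser or shell hijack. The embedded sample is the first log posted above; the category descriptions follow HijackThis's own section codes, and the temp-folder markers are my assumption about what counts as a temporary path.

```python
"""Parse a HijackThis 1.99 log and pull out what an analyst checks first."""
import re
from collections import Counter

# Entry lines look like "O4 - HKLM\..\Run: [name] path": a section code, " - ", a body.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Assumed markers for "this binary is running out of a temporary folder".
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\temp")
# HijackThis section codes that most often carry a hijack; always worth a look.
REVIEW_CODES = {
    "R0": "IE start/search page (registry value changed)",
    "R1": "IE page registry value created", "R3": "URLSearchHook",
    "O1": "hosts file redirect", "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O10": "Winsock LSP", "O20": "AppInit_DLLs / Winlogon Notify",
    "O21": "ShellServiceObjectDelayLoad", "O22": "SharedTaskScheduler",
}

# Sample input: the first log posted in this thread, verbatim.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:25:54, on 26/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\DOCUME~1\JANJAN~1\LOCALS~1\Temp\Tijdelijke map 4 voor hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.solarmonitor.org/index.php
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""


def parse_hjt(text):
    """Split a log into header lines, running processes and (code, body) entries."""
    header, procs, entries = [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.startswith("Running processes:"):
            in_procs = True
        elif in_procs:
            procs.append(line)
        else:
            header.append(line)
    return {"header": header, "processes": procs, "entries": entries}


def triage(parsed):
    """One finding per thing the helpers would ask about; [] means nothing jumped out."""
    findings = []
    for proc in parsed["processes"]:
        if any(mark in proc.lower() for mark in TEMP_MARKERS):
            findings.append(f"process running from a temp folder: {proc}")
    for image, n in Counter(p.lower() for p in parsed["processes"]).items():
        if n > 1 and not image.endswith("\\svchost.exe"):   # several svchost.exe are normal
            findings.append(f"{n} instances of {image}")
    codes = Counter(code for code, _ in parsed["entries"])
    if codes["O4"] == 0:
        findings.append("no O4 entries at all: a normally used XP box always has Run-key "
                        "autostarts, so treat this log as incomplete rather than clean")
    for code, body in parsed["entries"]:
        if code in REVIEW_CODES:
            findings.append(f"{code} ({REVIEW_CODES[code]}): {body}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_hjt(SAMPLE_LOG)):
        print(line)
```

Run against the sample it reports the temp-folder HijackThis.exe, the two spyaxe.exe instances, the empty O4 section and the R0 start page; the O23 service is left alone because services are listed for context, not as a finding in themselves.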

bigboy

Thread Starter
Joined
Jul 4, 2004
Messages
28
No, I didn't. It bothers me too.

A couple of weeks ago, I posted another thread on this forum concerning a slow computer. The problem was solved after I removed the (already inactive) Norton anti-virus scanner. The only thing that was still slow was the start-up (dwelling a long time, longer than usual, on the welcome page before transferring to the opening page). But Word, Excel and PPT have opened very quickly ever since.

I don't have a clue what I'm doing wrong or what should be in the HJT log.

I have progressed in the tasks you gave me earlier. I removed SpySweeper (I was not able to change the option, and could not download the software from their webpage). It seems like I only had the .exe file.

I'm ready to start the safe mode boot now, but will await your instructions.

Thanks for your help and patience!
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Until we can see what is starting, it's going to be very difficult to fix.

Try this:

  • Download WinPFind
  • Right click the zip folder and select "Extract All"
  • Extract it somewhere you will remember, like the Desktop
  • Don't do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    • Reboot back to Normal Mode!
    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Place those results in the next post!
 
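WinPFind's value here is that it reads the autostart locations directly instead of relying on a HijackThis that was returning almost nothing. As an added example that is not part of the thread or of WinPFind, the Python script below audits the same registry locations (Winlogon Shell/UserInit/System, AppInit_DLLs, ShellServiceObjectDelayLoad, SharedTaskScheduler, the Winlogon Notify packages and Image File Execution Options) against what a clean Windows XP SP2 install holds there. It runs offline over a snapshot built from the WinPFind output posted later in this thread; on Windows the LiveReader walks the real registry through the same two-method interface. The baseline CLSIDs, Notify packages and the IFEO placeholder key are the XP SP2 defaults, so treat the baseline as an assumption for any other Windows build.

```python
"""Audit the autostart registry locations WinPFind enumerates against a clean
Windows XP SP2 baseline. Snapshot-driven so it runs anywhere; LiveReader is Windows-only."""
import re
try:
    import winreg  # Windows only; the snapshot path never touches it
except ImportError:
    winreg = None

HKLM = "HKEY_LOCAL_MACHINE"
WINLOGON = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NT_WINDOWS = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
IFEO = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SSODL = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
STS = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"

# Baseline (assumed: XP SP2 defaults, matching the clean WinPFind log in this thread).
FIXED_VALUES = {  # value names lower-cased, data compared case-insensitively
    WINLOGON: {"shell": "explorer.exe",
               "userinit": r"c:\windows\system32\userinit.exe,", "system": ""},
    NT_WINDOWS: {"appinit_dlls": ""},
}
KNOWN_CLSIDS = {
    SSODL: {"{7849596a-48ea-486e-8937-a2a3009f31a9}",   # PostBootReminder
            "{fbeb8a05-beee-4442-804e-409d6c4515e9}",   # CDBurn
            "{e6fb5e20-de35-11cf-9c87-00aa005127ed}",   # WebCheck
            "{35cec8a3-2be6-11d2-8773-92e220524153}"},  # SysTray
    STS: {"{438755c2-a8ba-11d1-b96b-00a0c90312e1}",     # browseui preloader
          "{8c7461ef-2b13-11d2-be35-3078302c2030}"},    # component categories cache daemon
}
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
IFEO_PLACEHOLDER = "your image file name here without a path"  # ships with XP, harmless
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)


class SnapshotReader:
    """Registry view over a {key_path: {value_name: data}} mapping."""
    def __init__(self, snapshot):
        self.snap = snapshot

    def values(self, key):
        return dict(self.snap.get(key, {}))

    def subkeys(self, key):
        prefix = key.lower() + "\\"
        return sorted({k[len(prefix):].split("\\")[0]
                       for k in self.snap if k.lower().startswith(prefix)})


class LiveReader:
    """Same interface over the real registry (Windows only)."""
    @staticmethod
    def _enum(key, fn):
        root, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(getattr(winreg, root), sub) as h:
                for i in range(1 << 16):  # EnumValue/EnumKey raise OSError when exhausted
                    yield fn(h, i)
        except OSError:
            return

    def values(self, key):
        return {n: d for n, d, _ in self._enum(key, winreg.EnumValue)}

    def subkeys(self, key):
        return list(self._enum(key, winreg.EnumKey))


def audit(reader):
    """One line per deviation from the baseline; [] means nothing to chase."""
    findings = []
    for key, expected in FIXED_VALUES.items():
        present = {n.lower(): str(v) for n, v in reader.values(key).items()}
        for name, want in expected.items():
            got = present.get(name, "")
            if got.lower() != want:
                findings.append(f"{key}\\{name} = {got!r} (expected {want!r})")
    for key, known in KNOWN_CLSIDS.items():  # SSODL keeps the CLSID in the data, STS in the name
        for name, data in reader.values(key).items():
            m = GUID_RE.search(name) or GUID_RE.search(str(data))
            if not m or m.group(0).lower() not in known:
                findings.append(f"unknown entry in {key}: {name} = {data}")
    for sub in reader.subkeys(WINLOGON + "\\Notify"):
        if sub.lower() not in KNOWN_NOTIFY:
            dll = reader.values(WINLOGON + "\\Notify\\" + sub).get("DllName", "")
            findings.append(f"extra Winlogon Notify package {sub} -> {dll}")
    for sub in reader.subkeys(IFEO):
        dbg = reader.values(IFEO + "\\" + sub).get("Debugger")
        if dbg and sub.lower() != IFEO_PLACEHOLDER:
            findings.append(f"IFEO Debugger set on {sub}: {dbg}")
    return findings


# Constructed snapshot: the registry sections of the WinPFind log posted in this thread.
NOTIFY_DLLS = {"crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
               "ScCertProp": "wlnotify.dll", "Schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
               "SensLogn": "WlNotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll"}
THREAD_SNAPSHOT = {
    WINLOGON: {"UserInit": r"C:\WINDOWS\SYSTEM32\Userinit.exe,", "Shell": "Explorer.exe", "System": ""},
    NT_WINDOWS: {"AppInit_DLLs": ""},
    SSODL: {"PostBootReminder": "{7849596a-48ea-486e-8937-a2a3009f31a9}",
            "CDBurn": "{fbeb8a05-beee-4442-804e-409d6c4515e9}",
            "WebCheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",
            "SysTray": "{35CEC8A3-2BE6-11D2-8773-92E220524153}"},
    STS: {"{438755C2-A8BA-11D1-B96B-00A0C90312E1}": "Preloader van browseui",
          "{8C7461EF-2B13-11d2-BE35-3078302C2030}": "Cache-daemon voor onderdeelcategorieën"},
    IFEO + "\\Your Image File Name Here without a path": {"Debugger": "ntsd -d"},
}
THREAD_SNAPSHOT.update({WINLOGON + "\\Notify\\" + k: {"DllName": v} for k, v in NOTIFY_DLLS.items()})

if __name__ == "__main__":
    reader = LiveReader() if winreg else SnapshotReader(THREAD_SNAPSHOT)
    for line in audit(reader) or ["nothing outside the XP SP2 baseline"]:
        print(line)
```

The SharedTaskScheduler check is the one that matters for this infection: smitRem's own log dumps that key because SpyAxe-era malware registered its CLSID there to be loaded by Explorer, and anything beyond the two stock XP entries is a hit. The Run keys and BHOs are deliberately not in the baseline; they vary per machine and are what the HijackThis O4/O2 lines are for.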

bigboy

Thread Starter
Joined
Jul 4, 2004
Messages
28
Hi,

I went ahead and ran through the procedure as outlined by sjpritch25 (see message #2). "smitRem" removed the SpyAxe pop-up; ewido removed 50+ (potentially high) virus threats (well... I did, by clicking remove for every possible threat/file that was mentioned, e.g. downloader, ...). There were also some SpyAxe files which were removed too. I ignored a couple of quarantine files in Hitman Pro which seemed OK to me. It was a very long procedure (over 2 hours!).

Then I got your reply and applied it this morning.

The computer is running fine now without the SpyAxe pop-up. It still takes some time when it dwells on the blue welcome page, and it also takes a few seconds (after clicking on the icon) before it opens Internet Explorer. Everything else is working (very) quickly. I did notice that there is a sound (mimicking an opening drawer) when I press buttons or while opening folders (not when clicking on files). This might have nothing to do with viruses or trojans, but be a result of switching back and forth between safe and normal boot. It would be nice to know how I can turn off the noise.

Underneath are:
1. the smitrem report (26 Dec 07)
2. the ewido report (26 Dec 07) - "Schoongemaakt met een back-up" means "cleaned with a back-up", and "genegeerd" means "ignored".
3. the WinPFind report (27 Dec 07)
4. the latest HJT-log report (27 Dec 07)

Thank you very much for your patience and time!!




***smitRem***


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [version 5.1.2600]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SpyAxeFix © by noahdfear

spyaxe directory present

spyaxe uninstaller present

Starting spyaxe uninstaller

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

ioctrl.dll
1024 dir
ld****.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 792 'explorer.exe'
Killing PID 792 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)




***ewido***

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 17:58:19, 26/12/2005
+ Report summary: 4E0A89E

+ Scan results:

C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0172569.2 -> Spyware.Hijacker.Generic : Ignored
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0172570.3 -> Spyware.Hijacker.Generic : Ignored
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0172571.4 -> Spyware.Hijacker.Generic : Ignored
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0172572.5 -> Spyware.Hijacker.Generic : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with a backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8F9FBEB8-D216-4d6c-8D21-513157E09C0D} -> Spyware.Maxspeed : Cleaned with a backup
C:\!PeperFix\AznG.Vexe -> Backdoor.VB.nb : Cleaned with a backup
C:\!PeperFix\Bin9f.Vexe -> Backdoor.VB.oq : Cleaned with a backup
C:\!PeperFix\CzuOQ.Vexe -> Backdoor.VB.nb : Cleaned with a backup
C:\!PeperFix\DkrJY.Vexe -> Backdoor.VB.oq : Cleaned with a backup
C:\!PeperFix\JqvGn.Vexe -> Backdoor.VB.nb : Cleaned with a backup
C:\!PeperFix\Khk2.Vexe -> Backdoor.VB.nb : Cleaned with a backup
C:\!PeperFix\Srohe2Nf.Vexe -> Backdoor.VB.oq : Cleaned with a backup
C:\!PeperFix\Vxy5Cu7.Vexe -> Backdoor.VB.nb : Cleaned with a backup
C:\!PeperFix\ZejdW.Vexe -> Backdoor.VB.nb : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\ieoc\msiesh.dll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\ieon\msiesh.dll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\msdi\msiesh.dll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\msjr\msiesh.dll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\msjr\msjr32.Vdll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\sysco\msiesh.dll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\syslo\msiesh.dll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\syslo\msiesh.new -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\sysnr\msiesh.dll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\sysrj\msiesh.dll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\wincd\msiesh.dll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\wincd\msiesh.new -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\winfi\msiesh.dll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Application Data\winob\msiesh.dll -> Spyware.WinShow : Cleaned with a backup
C:\Documents and Settings\Jan Janssens\Cookies\jan [email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with a backup
C:\Overpro323.Vexe -> Downloader.Agent.ac : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0172574.7 -> Trojan.Small.bm : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0173241.11 -> Downloader.Agent.ac : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0173243.13 -> Backdoor.VB.nb : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0173244.14 -> Backdoor.VB.oq : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0173245.15 -> Backdoor.VB.nb : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0173246.16 -> Backdoor.VB.oq : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0173247.17 -> Backdoor.VB.nb : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0173248.18 -> Backdoor.VB.nb : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0173249.19 -> Backdoor.VB.oq : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0173250.20 -> Backdoor.VB.nb : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0173251.21 -> Backdoor.VB.nb : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\A0173252.22 -> Spyware.WinShow : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\corelsys.24 -> Downloader.Agent.ba : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\msiesh.23 -> Spyware.WinShow : Cleaned with a backup
C:\Program Files\Hitman Pro\quarantine\2005-10-10_17-15-46\Q3567836.1 -> Downloader.Winshow.W : Cleaned with a backup
C:\SaveInstCsSm.exe -> Downloader.Small.kl : Cleaned with a backup
C:\System Volume Information\_restore{66C30699-759A-4919-916B-53E28FE9622B}\RP427\A0174376.dll -> Spyware.WinShow : Cleaned with a backup
C:\System Volume Information\_restore{66C30699-759A-4919-916B-53E28FE9622B}\RP427\A0174377.dll -> Downloader.Agent.ba : Cleaned with a backup
C:\System Volume Information\_restore{66C30699-759A-4919-916B-53E28FE9622B}\RP441\A0192531.exe -> Adware.Spyaxe : Cleaned with a backup
C:\System Volume Information\_restore{66C30699-759A-4919-916B-53E28FE9622B}\RP441\A0192532.dll -> Adware.Spyaxe : Cleaned with a backup
C:\WINDOWS\system32\HotVideo_be-uninstall.exe -> Dialer.Generic : Cleaned with a backup
C:\WINDOWS\system32\notepad.exe.bak -> Dropper.Small.hx : Cleaned with a backup
C:\WINDOWS\Value Radio-veo-10328.exe -> Dialer.Generic : Cleaned with a backup


::End of report




***WinPFind***

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 2/07/2004 15:31:42 149504 C:\CWShredder.exe
UPX! 10/07/2004 16:12:52 470473 C:\FINDnFIX.exe
UPX! 10/07/2004 22:36:04 185856 C:\HijackThis.exe
UPX! 26/12/2005 13:13:38 157750 C:\smitRem.exe
qoologic 26/12/2005 22:51:46 204131 C:\WinPFind.zip
UPX! 6/10/2005 20:21:26 64000 C:\z.Vexe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 7/09/2001 11:00:00 41122 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 9/12/2005 1:21:02 2722144 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/12/2005 1:21:02 2722144 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 4/08/2004 9:03:00 729088 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 4/08/2004 9:03:20 676864 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 7/09/2001 11:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 4/08/2004 6:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
27/12/2005 7:45:42 S 2048 C:\WINDOWS\bootstat.dat
30/11/2005 22:14:22 H 54156 C:\WINDOWS\QTFont.qfn
1/12/2005 4:46:06 S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
2/12/2005 1:12:44 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
27/12/2005 7:45:30 H 8192 C:\WINDOWS\system32\config\default.LOG
27/12/2005 7:45:58 H 1024 C:\WINDOWS\system32\config\SAM.LOG
27/12/2005 7:45:44 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
27/12/2005 7:46:00 H 61440 C:\WINDOWS\system32\config\software.LOG
27/12/2005 7:45:54 H 770048 C:\WINDOWS\system32\config\system.LOG
16/12/2005 16:46:48 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
18/12/2005 18:07:02 S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
18/12/2005 18:07:02 S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
18/12/2005 18:07:02 S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
18/12/2005 18:07:02 S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
27/12/2005 7:44:52 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 4/08/2004 9:03:36 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 4/08/2004 9:03:36 554496 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 4/08/2004 9:03:36 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 4/08/2004 9:03:36 137728 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 4/08/2004 9:03:36 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 4/08/2004 9:03:36 156672 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 4/08/2004 9:03:36 359936 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 4/08/2004 9:03:36 132608 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 4/08/2004 9:03:36 380928 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 4/08/2004 9:03:36 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 7/09/2001 11:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 4/08/2004 9:03:36 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 7/09/2001 11:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 4/08/2004 9:03:36 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 4/08/2004 9:03:36 260608 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 4/08/2004 9:03:36 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 4/08/2004 9:03:36 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 14/12/2003 9:20:50 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 4/08/2004 9:03:38 302592 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 7/09/2001 11:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 4/08/2004 9:03:38 94720 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 4/08/2004 9:03:38 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 3:16:34 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 4/08/2004 9:03:36 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 4/08/2004 9:03:36 554496 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 4/08/2004 9:03:36 156672 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 4/08/2004 9:03:36 132608 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 4/08/2004 9:03:36 69632 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 7/09/2001 11:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 4/08/2004 9:03:36 625152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 7/09/2001 11:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 4/08/2004 9:03:36 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 4/08/2004 9:03:36 159744 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 7/09/2001 11:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 4/08/2004 9:03:38 94720 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 26/05/2005 3:16:34 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
30/05/2002 16:08:30 HS 84 C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
30/05/2002 15:56:50 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
30/05/2002 16:08:30 HS 84 C:\Documents and Settings\Jan Janssens\Menu Start\Programma's\Opstarten\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
30/05/2002 15:56:50 HS 62 C:\Documents and Settings\Jan Janssens\Application Data\desktop.ini
13/03/2004 16:53:34 46936 C:\Documents and Settings\Jan Janssens\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Zeon.ShellExt
{B8E8494C-9300-48AC-BD8E-EDED185E5A04} = C:\Program Files\ScanSoft\PDF Create! 2\PDF Create! 2\Plugin\ZnShellExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip van de dag = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}
&Discuss = shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adres : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adres : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Koppelingen : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key «
Hint autoplaat
FileName0 C:\WINDOWS\System32\RSACi.rat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
Allow_Unknowns 0
PleaseMom 1
Enabled 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
l 4
n 1
s 1
v 4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
NumSys 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0
DisableTaskMgr 0
NoDispAppearancePage 0
NoColorChoice 0
NoSizeChoice 0
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 27/12/2005 7:57:26




***HijackThis***

Logfile of HijackThis v1.99.1
Scan saved at 8:17:19, on 27/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.solarmonitor.org/index.php
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 

bigboy

Thread Starter
Joined
Jul 4, 2004
Messages
28
Hi,

Any progress in evaluating the aforementioned scan reports?

Thanks!
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
As you have nothing in the HJT log to analyse and the other logs don't show any disabled start ups, I still say you are in a lot of trouble, and NO XP system should have that number of non-existing entries.

I strongly advise you to format & reinstall, and make sure that you install an antivirus etc. as soon as you have reinstalled.

It is as if the whole Run section of the registry has been removed, and the only things I know that do that are some of the very dangerous rootkits.

You have ewido & Spysweeper running from the services section but NOT their corresponding O4 start up, and nothing else from that section, & I just cannot believe that they are all missing or the computer wouldn't even run.

You can try this first, but I really think it's safer to wipe it out & start again.

Download & run http://www.sysinternals.com/Utilities/RootkitRevealer.html
Save its log and post back with the log.

DO NOT attempt to fix anything it finds as most entries will be legitimate
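The reasoning in the post above (a log with no O4 Run entries at all, and programs running with no visible autostart behind them) can be checked mechanically rather than by eye. The script below is an added example for this thread; it is not part of HijackThis, WinPFind or the original posts. It parses the "Running processes", O4 and O23 sections of a HijackThis v1.99 log and reports which non-Windows processes are referenced by neither. The first sample log is constructed from the entries shown on this page; the second "healthy" log, including the "Example AV" program and its Run entry, is invented purely to show the O4 parsing working.

```python
"""Cross-check a HijackThis v1.99 log for missing autostart entries.

Added example for this thread, not part of HijackThis or the original posts.
Two heuristics are encoded:
  1. a log with no O4 (Run-key) lines at all is suspicious on XP, since even
     the installed security tools normally register a startup entry there;
  2. a running process outside C:\WINDOWS that is referenced by neither an
     O4 nor an O23 (service) line has no visible autostart, which is how
     spyaxe.exe appeared in the first log on this page.
"""
import re

WINDOWS_DIR = "c:\\windows\\"      # treated as OS binaries and not audited
SELF = "\\hijackthis.exe"          # the scanner itself is always running

# O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args  ->  C:\path\prog.exe
O4_PATH = re.compile(r'\]\s+"?([^"]+?\.exe)"?', re.IGNORECASE)


def parse_hjt(text):
    """Return (processes, o4_paths, o23_paths) from a HijackThis log."""
    processes, o4, o23 = [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                 # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        if line.startswith("O4 - "):
            m = O4_PATH.search(line)
            if m:
                o4.append(m.group(1))
        elif line.startswith("O23 - Service:"):
            # O23 - Service: Display name - Vendor - C:\path\svc.exe
            o23.append(line.rsplit(" - ", 1)[1])
    return processes, o4, o23


def audit(text):
    """Apply both heuristics and return a dict an analyst can act on."""
    processes, o4, o23 = parse_hjt(text)
    accounted = {p.lower() for p in o4 + o23}
    unaccounted = []
    for proc in dict.fromkeys(processes):        # de-duplicate, keep order
        low = proc.lower()
        if low.startswith(WINDOWS_DIR) or low.endswith(SELF):
            continue
        if low not in accounted:
            unaccounted.append(proc)
    return {
        "o4_entries": len(o4),
        "no_o4_entries": not o4,
        "unaccounted_processes": unaccounted,
    }


# Constructed from the first log posted in this thread (abridged).
FIRST_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\DOCUME~1\JANJAN~1\LOCALS~1\Temp\Tijdelijke map 4 voor hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.solarmonitor.org/index.php
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# Constructed, hypothetical healthy log: "Example AV" and its paths are made
# up to show a tray program that IS accounted for by an O4 Run entry.
HEALTHY_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Example AV\tray.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example AV\tray.exe" /startintray
O23 - Service: Example AV Engine - Example Ltd - C:\Program Files\Example AV\engine.exe
"""

if __name__ == "__main__":
    for name, log in (("first log", FIRST_LOG), ("healthy log", HEALTHY_LOG)):
        print(name, audit(log))
```

Run against the first log, the audit reports no O4 entries and lists spyaxe.exe as a running program with no startup entry behind it; against the constructed healthy log it reports one O4 entry and nothing unaccounted for. An empty "unaccounted" list does not prove the box is clean (a rootkit hiding its own keys and processes would also produce one), which is exactly why the post above still recommends a rootkit scan or a reinstall.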
 

bigboy

Thread Starter
Joined
Jul 4, 2004
Messages
28
Hi,

Here the results of the Rootkitrevealer. Hope this helps!

Thanks for any guidelines in "format & reinstall" as well as a good, free and preferably self-updating anti-virus program.

Thank you for your time!

***Rootkitrevealer***

C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf 3/12/2005 22:17 23.19 KB Hidden from Windows API.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
nothing showing there either

I'll ask someone else to look at it in case I've missed anything
 
Joined
Jul 26, 2002
Messages
46,349
  • Open Spysweeper and click on the "Options" button on the left.
  • Click on the "Program Options" tab and check "Load at windows startup".
  • On the left click on the "Shields" button.
  • Click the "Internet Explorer" tab and then check everything there.
  • Click on the "Startup Programs" tab and check "Startup Shield"
  • Click on the "Browser Add-ons" tab and check "Browser Helper Object (BHO) Shield"
  • Exit Spysweeper.


* Restart your computer.


* Go here, download and install the free version of AVG. Enable all protection.


* Restart your computer and post a new Hijack This log.
 