1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

spyaxe removal

Discussion in 'Virus & Other Malware Removal' started by Yellowman, Dec 1, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. Yellowman

    Yellowman Thread Starter

    Joined:
    Feb 15, 2005
    Messages:
    67
    Hello, I was trying to clean up a friend's computer but don't seem to have much success. I am not sure what was downloaded but it looks like spyaxe is one of the culprits. I have run spybot and http://noahdfear.geekstogo.com/ utility but somehow it only seemed to remove just some of the program itself. Now IE always goes to the spyaxe "update" website and I can't seem to change it, any ideas? Thanks in advance

    Logfile of HijackThis v1.99.1

    Scan saved at 9:57:17 AM, on 12/01/2005

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

    C:\Program Files\Network Associates\VirusScan\Mcshield.exe

    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\WLTRYSVC.EXE

    C:\WINDOWS\System32\bcmwltry.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\mssearchnet.exe

    C:\WINDOWS\system32\nvctrl.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\WINDOWS\System32\hkcmd.exe

    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\Apoint\Apntex.exe

    C:\Program Files\Express ClickYes\ClickYes.exe

    C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe

    C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe

    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

    C:\Program Files\Digital Line Detect\DLG.exe

    C:\Program Files\WinZip\WZQKPICK.EXE

    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

    C:\Documents and Settings\mstcyr\Desktop\HijackThis.exe



    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.genuitinc.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UNIS LUMIN Inc.

    O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hpE6CC.tmp

    O3 - Toolbar: LinkedIn Toolbar - {BB670D0B-5C46-40C7-B38B-40DD26987723} - C:\Program Files\LinkedIn\IE Toolbar\2.5.0.1032\LinkedinIEToolbar.dll (file missing)

    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe

    O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe

    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a

    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    O4 - Global Startup: Digital Line Detect.lnk = ?

    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Linked&In Search - res://C:\Program Files\LinkedIn\IE Toolbar\2.5.0.1032\LinkedinIEToolbar.dll/CONTEXTMENUSEARCH.HTM

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: LinkedIn - {DDAF92BF-2008-4d7f-8BB3-915E6027C9AF} - C:\Program Files\LinkedIn\IE Toolbar\2.5.0.1032\LinkedinIEToolbar.dll (file missing)

    O9 - Extra 'Tools' menuitem: LinkedIn - {DDAF92BF-2008-4d7f-8BB3-915E6027C9AF} - C:\Program Files\LinkedIn\IE Toolbar\2.5.0.1032\LinkedinIEToolbar.dll (file missing)

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O15 - Trusted Zone: http://www.promys.com

    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab

    O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://beta.promys.com/viewer9/activeXViewer/activexviewer.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.microsoft.com/controls/vb5/comdlg32.cab

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = unislumin.com

    O17 - HKLM\Software\..\Telephony: DomainName = unislumin.com

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = unislumin.com

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  2. Sponsor

  3. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Before you proceed with the removal directions below you need to turn off MS
    Anti-Spyware's realtime protection as it will interfere with the changes we
    are trying to make.

    Open MS Anti-Spyware and click on Options > Settings. Click on "Realtime
    Protection" in the left pane.

    Remove the check by these:

    "Enable the Microsoft Security Agents on startup (recommended)"

    "Enable real-time spyware threat protection (recommended)"

    Click "Save"

    Now right click the MS Anti-spyware icon in your system tray and choose
    "Shutdown Microsoft Anti-Spyware"

    You should re-enable these when we are finished here.


    Also turn off Spybot's Teatimer!




    * Go to the C:\Program Files\SpyAxe folder and doubleclick the uninstall.exe
    file and let it run.


    * Click here to download smitRem.zip.


    for W2k & XP

    http://noahdfear.geekstogo.com/click counter/click.php?id=1




    * Save the file to your desktop.
    * Unzip smitRem.zip to extract the two files it contains.
    * Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.



    *Download Cleanup from Here


    http://www.stevengould.org/software/cleanup/download.html




    * A window will open and choose SAVE, then DESKTOP as the destination.
    * On your Desktop, click on Cleanup40.exe icon.
    * Then, click RUN and place a checkmark beside "I Agree"
    * Then click NEXT followed by START and OK.
    * A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    * Click OK
    * DO NOT RUN IT YET



    * Download the trial version of Ewido Security Suite.



    http://www.ewido.net/en/


    * Install ewido.
    * During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    * Launch ewido
    * It will prompt you to update click the OK button and it will go to the main screen
    * On the left side of the main screen click update
    * Click on Start and let it update.
    * DO NOT run a scan yet. You will do that later in safe mode.



    * Click here for info on how to boot to safe mode if you don't already know how.


    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in safe mode:



    * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.



    * Run Ewido:

    * Click on scanner
    * Click Complete System Scan and the scan will begin.
    * During the scan it will prompt you to clean files, click OK
    * When the scan is finished, look at the bottom of the screen and click the Save report button.
    * Save the report to your desktop



    * Run Cleanup:

    * Click on the "Cleanup" button and let it run.
    * Once its done, close the program.


    * Go to Control Panel > Internet Options. Click on the Programs tab then
    click the "Reset Web Settings" button. Click Apply then OK.



    * Next go to Control Panel > Display. Click on the "Desktop" tab then click
    the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you
    should see an entry checked called something like "Security info" or similar.
    If it is there, select that entry and click the "Delete" button. Click OK
    then Apply and OK.


    * Restart back into Windows normally now.


    Run an online antivirus check from

    http://www.kaspersky.com/virusscanner



    * Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm


    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!



    post another hijack this log, the ewido and active scan logs

    Make sure to not space out the next hijack this log as it's difficult to read!
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    * Click here to download smitRem.exe.
    • Save the file to your desktop.
    • It is a self extracting file.
    • Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
    • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


    * Download the trial version of Ewido Security Suite here.
    • Install ewido.
    • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido
    • It will prompt you to update click the OK button and it will go to the main screen
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode.


    * Click here for info on how to boot to safe mode if you don't already know how.


    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.


    * Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop


    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    * Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


    * Restart back into Windows normally now.


    * Run ActiveScan online virus scan here

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJack This log along with the results from ActiveScan and the Ewido scan.
     
  5. Navarrotech

    Navarrotech

    Joined:
    Dec 6, 2005
    Messages:
    1
    Hey guys,
    I just want you to know that your post was wonderful! I printed it off and handed it to an adjunct instructor here. He is not very literate with computers and he said it took him almost 6 hrs to get through all the steps. But he persevered and said it worked like a charm. I normally do not work on home computers here but sometimes it becomes very difficult to say "no". You guys saved me many hours that I simply could not spare here at the end of the semester.

    Thank you very much!

    I wish peace and comfort for you guys this holiday season...
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    ok, you're welcome , glad we helped! :)
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/421458