HELP!!! I think I have a problem caused by "SpyAxe"? (RESOLVED)

#1 (permalink) J I M (Newbie), 07-01-2006, 03:13 PM

Hi I am new on here and have found it due to getting very frustrated with my PC!!!!

I have a problem on my PC with strange things happening. Initially my homepage was getting changed to try and get me to download phoney Spyware killing software. I have managed to sort this but am still experiencing a lot of apparent minor problems. I also ended up with “Spyaxe” on my computer which I now think was the root of the problems but I have got rid of it? A few of the problems are:-

I can access the internet and my Yahoo E-mail but I cannot do anything but open E-mails.

I cannot right click on web links to open them in another window.

I cannot remotely access my work E-mail account.

My task Bar has all changed, with icons disappearing etc.

I cannot copy and paste text or drag and move icons around my desktop.

I can bring up my XP start menu but from there I cannot access “help and support” and so can’t get into system restore.

I cannot use my DVD drive or open Excel files.

I have followed instructions in this section and outlined below what I have done:-

I have been unable to download Spybot S&D 1.4, Adaware SE 1.06, AVG 7.1.371 and Avast 4.6.744.

If I right click on any of these the download starts but then I get a message saying Internet Explorer is unable to open the internet site.

I have been able to download the “HijackThis” program though.

I have used the Add/Remove programs to get rid of what I don’t use anymore.

I have also downloaded X-cleaner and run that and also “Crap Cleaner” which I also have run.

I have manually deleted Temp internet files, cookies and history.

I have tried to use the link for identifying the programs on start-up but the link doesn’t seem to work?

I have now been able to download Spybot using a different method, this I have run on my PC. I have also got AD-aware SE 1.06. I have run these two on my PC identified and deleted what was found.

However, Ad-aware keeps finding “IBIS toolbar” but cannot remove it. I also find “Huntbar” but again despite the programs saying they have removed it, it is still there when I scan again.

Below is my HijackThis log:-

Logfile of HijackThis v1.99.1
Scan saved at 20:12:02, on 06/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
O18 - Filter: text/html - {E6BD2857-A0C5-46AE-93B1-441C62A2A13A} - C:\WINDOWS\qsysmsgq.dll
O18 - Filter: text/plain - {E6BD2857-A0C5-46AE-93B1-441C62A2A13A} - C:\WINDOWS\qsysmsgq.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe

I would be most grateful for any help, as I am faced with a restore and loss of my files otherwise.
#2 (permalink) Neal (Senior Member), 07-01-2006, 07:51 PM

Welcome to DAL,

Go here below to download huntbar removal tool:

http://securityresponse.symantec.com...websearch.html


Did you at one time have wintools?


Run Adaware SE and SpyBot S&D from safe mode and see what turns up.

Safe Mode:

Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press Enter.

Come back with feedback and a new HJT log please.
__________________
Stalking and killing Spyware

ASAP: promoting a high standard and quality of security support no matter where you seek help.

#3 (permalink) J I M (Newbie), 07-01-2006, 10:42 PM

Hi, thank you ever so much for your advice and help.

I cannot access the link you gave as my browser just says the page is unavailable???

I am not sure about wintools it doesn't sound familiar to me.

I have now run Adaware SE and Spybot in safe mode and found the following:-

Adaware SE;

IBIS Toolbar (4 Objects) It said the objects were all Regkey -- Data Miner

It gave these locations?

HKEY_LOCAL_MACHINE:software\BTIEIN
HKEY_LOCAL_MACHINE:system\currentcontrolset\enum\root\legacy_tbpssvc\
HKEY_LOCAL_MACHINE:system\currentcontrolset\enum\root\legacy_wintoolssvc\
HKEY_LOCAL_MACHINE:system\controlset001\enum\root\legacy_wintoolssvc\

VIRTUEMONDE (2 Objects)

It then gave these locations?

C:\system volume information\_restore{CB2D7211-9D54-424D-9E9C-8E062E202775}\RP408\A158607.exe
HKEY_CLASSES_ROOT:.key\

SPYBOT;

HUNT BAR

Global settings
HKEY_LOCAL_MACHINE\software\BTIEIN

I hope these make more sense to you than they do to me!!! I have run another Hijack this check but will not be able to copy and paste it in until tomorrow on a different PC as I can't copy and paste on this one.

Thank you again for your help.
#4 (permalink) Neal (Senior Member), 07-01-2006, 11:27 PM

Hi,

According to the scan results your computer did at one time have wintools.


Two things please:


Open Hijackthis.

Click the "Open the Misc Tools" section Button.

Click the "Open Uninstall Manager" Button.

Click the "Save list..." Button.

Save it to your desktop. Copy and paste the contents into your reply.


Then see if you can download and install this Trojan scanner:


Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

2. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


5. NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If ewido detects a file you KNOW TO BE LEGITIMATE, select NONE as the action.
* DO NOT select "Perform action on all infections"
* If you are unsure of any entry found SELECT NONE for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop


6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
#5 (permalink) J I M (Newbie), 09-01-2006, 05:42 PM

Hello again,

I have since my other post managed to download and run the HUNTBAR removal tool.

This was the report given:-

Symantec Adware.Websearch Removal Tool 1.0.0

registry: HKEY_USERS\S-1-5-21-284587905-346832259-4021508746-1007\Software\WinTools (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html (key deleted)
registry: HKEY_USERS\S-1-5-21-284587905-346832259-4021508746-1005\Software\Microsoft\Internet Explorer\Main: Enable Browser Extensions (value set to "No")

Adware.Websearch has not been found on your computer.

I then ran the Uninstall Manager in HijackThis and got this report:-

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Acrobat Reader 3.01
Belarc Advisor 6.1
CC_ccStart
ccCommon
CCleaner (remove only)
Conexant SoftK56 Modem(M)
DivX 5.0.2 Pro Bundle
EPSON Printer Software
ewido anti-malware
Hazard Perception Training 2002-2003
HijackThis 1.99.1
IrfanView (remove only)
Java 2 Runtime Environment Standard Edition v1.3.1_01
LiveReg (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Money
Microsoft Money System Pack
Microsoft Office XP Professional with FrontPage
Microsoft Press Interactive Training
Microsoft Works 2000
MSN Add-in for Windows Messenger
MSRedist
PowerDVD
QuickTime
RealOne Player
Search Assistant
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Spybot - Search & Destroy 1.3
SymNet
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883357
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896688
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix - KB905915
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q331953
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817606
Windows XP Hotfix (SP2) Q819696
WinRAR archiver
WinZip
Wireless LAN Utility
X-Cleaner Freeware
XTNDConnect Blue Manager 3.1


Then I used the ewido Trojan scanner, followed your instructions and then saved this report:-

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 18:01:33, 08/01/2006
+ Report-Checksum: 5AF91AB9

+ Scan result:

HKLM\SOFTWARE\BTIEIN -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\BTIEIN\BTIEIN -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\WToolsB.ResProtocol -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-284587905-346832259-4021508746-1005\Software\Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F} -> Downloader.SpyAxe : Cleaned with backup
HKU\S-1-5-21-284587905-346832259-4021508746-1005_Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F} -> Downloader.SpyAxe : Cleaned with backup
C:\Documents and Settings\James Wright\Cookies\james wright@adtech[1].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20060106-172239-661.dll -> Downloader.Zlob.dx : Cleaned with backup
C:\RECYCLER\NPROTECT\00005273.exe -> Dialer.Generic : Cleaned with backup
C:\RECYCLER\NPROTECT\00005299.exe -> Dialer.Generic : Cleaned with backup
C:\RECYCLER\NPROTECT\00006840 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\RECYCLER\NPROTECT\00006867 -> Adware.Spyaxe : Cleaned with backup
C:\WINDOWS\assembly\oledos.exe -> Downloader.Virtumonde.g : Cleaned with backup
C:\WINDOWS\system32\hp100D.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp17DA.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp203E.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp2D6B.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp3811.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp4712.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp4E1E.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp586.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp6555.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp6B19.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp778A.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp82EB.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp8D1A.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hp96D6.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hpA347.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hpAC47.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hpBCFD.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hpC571.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hpC718.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hpD405.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hpD69D.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hpD91A.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\system32\hpED46.tmp -> Downloader.Zlob.dx : Cleaned with backup
C:\WINDOWS\temp\~427324.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\temp\~430777.tmp -> Spyware.Wintools : Error during cleaning


::Report End


Finally I have run an analysis by HijackThis and now this is how the log looks:-

Logfile of HijackThis v1.99.1
Scan saved at 18:08:11, on 08/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB002" /M "Stylus C42"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
O18 - Filter: text/plain - {E6BD2857-A0C5-46AE-93B1-441C62A2A13A} - C:\WINDOWS\qsysmsgq.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe

Thank you for your previous help and I hope you are able to shed some light on what is going on with my PC?

Thank you again, James.
#6 (permalink) Neal (Senior Member), 09-01-2006, 11:41 PM

Hi,

Microsoft anti-spy is a good program but could interfere with this fix so...

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
After all of the fixes are complete it is very important that you enable Real-time Protection again.




You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.



If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

Scan with HijackThis again and place a check next to these items:


R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h

O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe

O18 - Filter: text/plain - {E6BD2857-A0C5-46AE-93B1-441C62A2A13A} - C:\WINDOWS\qsysmsgq.dll



Close all other windows except HijackThis, and hit Fix Checked

Still in safe mode, hunt for and delete if present:

C:\Program Files\SpyAxe < folder
C:\WINDOWS\qsysmsgq.dll < file



Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan from safe mode. Remove everything found.


From safe mode
Now open Ewido Security Suite
  • Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Save that file for us later.
  • Close Ewido
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.


Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.
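The post above asks for four HijackThis entries to be fixed and then for the files behind them to be hunted down by hand. As an added example (not part of the original post and not code from HijackThis), this Python sketch pulls the file paths, URLs and CLSIDs out of those four lines and reports which on-disk targets are still present after "Fix Checked". The function names and the rule that a program under `Program Files` is checked as a whole folder are assumptions made for this illustration.

```python
import os
import re
from pathlib import PureWindowsPath

# The four HijackThis lines from the instructions above, copied from the page.
HJT_LINES = [
    r"R3 - Default URLSearchHook is missing",
    r"O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h",
    r"O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe",
    r"O18 - Filter: text/plain - {E6BD2857-A0C5-46AE-93B1-441C62A2A13A} - C:\WINDOWS\qsysmsgq.dll",
]

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL = re.compile(r"https?://\S+")
# Drive-letter path up to the first .exe/.dll: keeps the space in "Program Files"
# and drops trailing arguments such as "/h".
FILE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)

def parse_entry(line):
    """Split one HijackThis line into its section code and the artifacts it names."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    body = m["body"]
    return {"code": m["code"],
            "clsids": CLSID.findall(body),
            "urls": URL.findall(body),
            "files": FILE.findall(body)}

def removal_target(file_path):
    """Assumption: a program under Program Files is checked as its whole folder."""
    parts = PureWindowsPath(file_path).parts
    if len(parts) >= 4 and parts[1].lower() == "program files":
        return str(PureWindowsPath(*parts[:3]))
    return file_path

def leftover_check(lines, exists=os.path.exists):
    """Return {target: still_present} for every file the entries point at."""
    report = {}
    for entry in filter(None, map(parse_entry, lines)):
        for f in entry["files"]:
            target = removal_target(f)
            report[target] = bool(exists(target))
    return report

if __name__ == "__main__":
    for target, present in leftover_check(HJT_LINES).items():
        print(("STILL PRESENT" if present else "not found") + ": " + target)
```

Feeding it lines pasted straight from the saved log, rather than retyped, keeps the paths and CLSIDs exact.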

  #7 (permalink)  
Old 11-01-2006, 09:22 PM
Newbie
D-A-L Newbie
 
Join Date: Jan 2006
Posts: 18
J I M Is a beginner here at D-A-L
Re: HELP!!! I think I have a probelm caused by "SpyAxe"???

Hi, thank you for your help and suggestions, but I am having a few problems.

I have gone into safe mode and scanned with HijackThis. On the results I checked and fixed the entries under:-

R3 - Default URL search hook is missing
O4 - HKLM\..\run: [spyaxe]C:\program files\spyaxe\spyaxe.exe/h
O16 - dpf:{ff3f0f03-0f01-131a-a3fu-08f02b23edcc}-http://66.117.37.13/gba2218.exe
O18 - filter:text/plain-{e6bd2857-aoc5-46ae-93b1-441c62a2a13a}-C:\windows\qsysmsgq.dii

as instructed.

I then hunted for:-

C:\program files\spyaxe<folder
C:\windows\qsysmsgq.dii<file

but didn't find anything?

I then opened and ran the smitRem device, but when it went to the disk clean up it just sat there and did nothing? I left it running all day when at work, hoping it would carry it out then, as it had said it could take a few hours. Nothing happened.

I tried to run Ad-aware as well (all in safe mode) but this too stopped responding???

Can you suggest anything else?
  #8 (permalink)  
Old 11-01-2006, 10:35 PM
Neal's Avatar
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: HELP!!! I think I have a probelm caused by "SpyAxe"???

Hi,

Evidently, and it does happen, when something is fixed with HijackThis it gets everything, file and folder, but not always, so that is why we have to check to see if those are there after fixing with HJT.


Post a new hijackthis log and we will go from there.


Also, please let the tool remove everything it finds.

Download and install CounterSpy; it has a 15-day free trial and can be removed easily after we are done getting your computer fixed. If you can, post the log/results of the scan CounterSpy makes. Just be sure and allow the tool to remove everything it finds. Thanks.

http://www.sunbelt-software.com/CounterSpy-Download.cfm

I need a HijackThis log after the CounterSpy scan, and the results from the CounterSpy scan.
  #9 (permalink)  
Old 11-01-2006, 10:54 PM
Newbie
D-A-L Newbie
 
Join Date: Jan 2006
Posts: 18
J I M Is a beginner here at D-A-L
Re: HELP!!! I think I have a probelm caused by "SpyAxe"???

Hi, thank you for your reply.

I have downloaded the Counterspy program but when I try to install it I just get a pop-up message saying:-

"Windows installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

I am not running it in safe mode???
  #10 (permalink)  
Old 12-01-2006, 12:38 AM
Neal's Avatar
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: HELP!!! I think I have a probelm caused by "SpyAxe"???

Try this:

Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start

All times are GMT +1.