Please Help me! Spyaxe virus. Hijack log here!!!
-
Please Help me! Spyaxe virus. Hijack log here!!!
I have a problem.
I've got i virus. I think it's Spy axe at www.updateyoursystem.com (Dont click, Maybe you get the virus)
Here is my hijackthis log file. Please help me, what should I do???
Logfile of HijackThis v1.99.1
Scan saved at 16:01:07, on 04.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Norman\bin\ZANDA.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\wdfmgr.exe
C:\Norman\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\nvctrl.exe
C:\WINNT\system32\mssearchnet.exe
C:\WINNT\Mixer.exe
C:\WINNT\system32\Linksts.exe
C:\Norman\bin\ZLH.EXE
C:\WINNT\system32\ezSP_Px.exe
C:\Documents and Settings\MARIA AASHEIM\Mine dokumenter\Min musikk\iTunesHelper.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Documents and Settings\MARIA AASHEIM\Mine dokumenter\Min musikk\bin\iPodService.exe
C:\Programfiler\Databibl\Dbview32.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Documents and Settings\ODD MAGNE AASHEIM\Skrivebord\Install.exe
C:\Documents and Settings\ODD MAGNE AASHEIM\Lokale innstillinger\Temporary Internet Files\Content.IE5\7UWJ79WP\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.c2i.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINNT\system32\hp73C8.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Documents and Settings\MARIA AASHEIM\Mine dokumenter\Min musikk\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyAxe] C:\Programfiler\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - Startup: Mannakorn.lnk = C:\Programfiler\Databibl\Dbview32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.c2i.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133702958921
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48C6F62A-C58C-4FFB-9C4A-14771B12D948}: NameServer = 193.216.1.10 193.216.69.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Documents and Settings\MARIA AASHEIM\Mine dokumenter\Min musikk\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programfiler\Fellesfiler\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programfiler\Fellesfiler\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups.exe (file missing)
Please help me!
Last edited by Zapci; 04-12-2005 at 04:19 PM.
-
Welcome to DAL, long instructions following:
You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.
Please download, install, and update the free version of Ewido Security Suite:- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main Ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes, the status bar at the bottom will display "Update successful"
- Exit Ewido. DO NOT run a scan yet.
If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following:- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
Scan with HijackThis again and place a check next to these items:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINNT\system32\hp73C8.tmp
O4 - HKLM\..\Run: [SpyAxe] C:\Programfiler\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
Close all other windows except HijackThis, and hit Fix Checked
while in safe mode look for and delete if found now
C:\Programfiler\SpyAxe < folder
wuamgrd.exe < file
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.
Next, run Ad-aware and perform a full scan. Remove everything found.
Now open Ewido Security Suite- Open up Ewido Scanner
- Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
- If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
- When the scan finishes, click on "Save Report". This will create a text file. Save that log because we will want to see it in your next post.
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.
Restart your computer in normal mode.
Download SpyAxeFix.exe © noahdfear, and save it to your desktop.- Close all other programs and windows.
- Double click SpyAxeFix.exe, then click Start to extract the tool to it's own folder.
- Open the SpyAxeFix folder and double click the SpyAxeFix.bat to start the tool.
- At one point when the tool runs, your taskbar will dissappear, and your computer will restart when the tool completes.
- A text file named spyaxe.txt will be created in the SpyAxeFix folder.
- Post the contents of that log please in your next response.
Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the SpyAxe log, Ewido log, and the Panda log...spyaxe.txt will be created in the SpyAxeFix folder.
Let us know if any problems persist.
