Anti Virus Gold and Spy Axe....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Larium, Dec 2, 2005.

  1. Larium

    Larium Private E-2

    I have read the new and updated "read me first" sticky threads on removal and gone through the steps, but Spy Sweeper is still detecting "Anti Virus Gold", and every time I reboot I have visible signs of malicious junk: in the lower right-hand corner of my computer screen there is a flashing red circle with an X in it, flashing over the Windows Update icon, and when I click on this the "Spy.Axe" fake spyware screen comes up.

    I have run tests in both normal and safe mode but upon reboot, the problem persists.

    I have run Norton Anti-Virus (which identified 4 threats as "dial" threats, whatever that means), Spy Sweeper (which initially identified 2 trojan horse programs and 2 popup programs but now just identifies "Anti-Virus Gold"), Ad-Aware, CCleaner, and CWShredder.

    This isn't the first time I've visited this site (you guys are great), so I'm a little bit familiar with what the problem may be, although I know nothing compared to you all.

    I'm assuming the problem lies in my registry, and a couple of lines look suspicious to me, but I don't know enough to start deleting.

    I've included a HJT log and followed the directions on that particular process.

    My comp specs:

    Sony Vaio
    Windows XP
    1 gig Ram
    2.8 mghz
    Nvidia 6800 gt

    Please help.

    Thanks ahead of time for any replies.
     

  2. Larium

    Larium Private E-2

    No love for Larium?

    I'm going to download the SpyAxe removal tool as mentioned in someone else's thread and include it as an attachment.
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  4. Larium

    Larium Private E-2

    Ok, thanks for the reply.

    Here's a copy of the text from the removal tool you have listed...

    The removal went fine, and as of right now at least the flashing "x" in the lower right-hand corner of my toolbar is gone, but I haven't run any more scanners/Norton Anti-Virus yet, nor have I fixed/deleted anything in my registry.
     

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Spy Sweeper
    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT log.
     
  6. Larium

    Larium Private E-2

    Ok, I'll do so.

    I just ran Spy Sweeper (normal mode), though, and it detected nothing, but I shall follow your specifics and do so again.

    I've also searched the other threads in the first 10 pages of this site regarding my issue and read/identified similar issue characteristics, which was also a big help.

    Thanks for the replies.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Be sure you get the latest definitions before you run a sweep.
     
  8. Larium

    Larium Private E-2

    Ok, here's a copy of my latest Spy Sweeper log.

    Doesn't appear to be anything in it, so hopefully I'm good. I'll reboot again and run other scans and Norton also, and change all my passwords, since Webroot advised doing so with the "anti virus gold" trojan, although I'm not really sure what the odds are of having my passwords stolen given that there are hundreds of thousands of other infected computers out there (if not millions).

    Thanks for the help and education.
     

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this trial version of Ewido Security Suite

    • First, please download and run CCleaner to clean temp files, cookies, etc; to make the log shorter.
    • Install ewido security suite
    • When installing the program, under "Additional Options" uncheck..
      • Install background guard
      • Install scan via context menu
    • Launch ewido, there should now be an icon on your desktop, double-click it.
    • You will need to update ewido to the latest definition files:
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    If you are having problems with the updater, you can use this link to manually update ewido. Ewido Manual Updates

    • Once the updates are installed, exit Ewido.
    • Now print the below instructions or save them locally because I want you to have all browsers closed and also have no connection to the internet (unplug your cable) while doing the below:
    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    • Reboot into normal mode and reconnect to the internet.
    Once your machine reboots please attach the report from Ewido along with a fresh HJT log from normal mode.
     
  10. Larium

    Larium Private E-2

    Ummm... thought I was done. Not!

    Ok, I forgot to UNPLUG my internet connection while running both Ewido and a new HJT log (in normal mode)... but perhaps it won't be necessary, I hope???

    Here are the attachments...
     

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click on the link below and run the online scan...

    Kaspersky Anti-Virus Online Scan

    • Click on "Kaspersky Online Scanner"
    • Click Accept to proceed...
    • If this popup displays, Install Kaspersky's ActiveX Control
    • If this popup displays, Install the "kavwebscan_unicode.cab"
    • After all updates are downloaded, click NEXT to continue...
    • Click Scan Settings and select extended and make sure both boxes are checked at the bottom, Click OK to continue.
    • Now click on My Computer and let it run!
    • This scan may take a while but it is very thorough. After the scan is complete save the log as a txt file and attach it to your next post along with a fresh HJT log.
     
  12. Larium

    Larium Private E-2

    Ok, here's my Kaspersky text log and a new HijackThis log.
     

  13. Larium

    Larium Private E-2

    Ok, I'm still picking up some "trojan downloader" type junk when I do the Ewido scan, so I'm not sure I'm totally free.

    Any suggestions?

    Again, thank you very much for the help. :)
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we proceed with the cleaning, I need you to clean out the Norton Quarantine folder and also disable System Restore.

    After you complete the above, run the below...

    Please Download TrojanHunter 4.2

    • Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Click YES to update TH!
    • Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.
    • After you have completed the scan and removed all found infections reboot and attach a fresh HJT log.
     
  15. Larium

    Larium Private E-2

    I retract my statement... I just did another safe mode Ewido scan and it detected nothing.

    Thanks!!!

    Edit:

    Ok, I'll still run the Trojan scanner you speak of, as I've never run it.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Will be awaiting new logs.
     
  17. Larium

    Larium Private E-2

    Ok, here they are.

    Well, for some reason I can't upload the TrojanHunter log, but this is what it said:

    Everything was fine (no detections) except the part about an open port which stated:

    "Matches Peeper.120. Port being used by process Netscp.exe/PID 1528"

    And I did read the section in that scan about what exactly the Port info meant.
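    The "open port" line above is the kind of scanner finding worth confirming yourself: which local port is open, and which process actually owns it. The following is an added example, not part of this thread and not TrojanHunter's own output or code. It parses the LISTENING lines of `netstat -ano` (present on Windows XP and later) and looks up each PID with Get-Process; the sample lines embedded in it are constructed for illustration, so the PID 1528 in them will not exist on your own machine, and PowerShell is assumed to be installed.

```powershell
# Added example: map listening TCP ports to the processes that own them, so a scanner's
# "port being used by process X/PID N" finding can be double-checked by hand.
# Assumes netstat.exe is on the PATH (true on Windows XP and later).

function Get-ListeningPortOwners {
    param([string[]]$NetstatLines = (netstat -ano))

    foreach ($line in $NetstatLines) {
        # Typical line:  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    1040
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port   = [int]$matches[2]
            $procId = [int]$matches[3]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue

            # A PID with no matching process has exited since netstat ran, or is
            # a process this account is not allowed to inspect; say so rather than hide it.
            $name = '<exited or access denied>'
            $path = $null
            if ($proc) { $name = $proc.ProcessName; $path = $proc.Path }

            New-Object PSObject -Property @{
                LocalAddress = $matches[1]
                Port         = $port
                PID          = $procId
                Process      = $name
                Path         = $path
            }
        }
    }
}

# Constructed sample lines (not real output from the poster's machine) so the parser
# can be exercised without touching the live network stack.
$sample = @(
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040',
    '  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1528',
    '  UDP    0.0.0.0:445            *:*                                    4'
)
Get-ListeningPortOwners -NetstatLines $sample | Format-Table Port, PID, Process, Path -AutoSize

# Live check against the current machine: run with no arguments.
# Get-ListeningPortOwners | Sort-Object Port | Format-Table Port, PID, Process, Path -AutoSize
```

    The UDP line in the sample is deliberately ignored by the pattern, which only keeps TCP sockets in the LISTENING state; a port that belongs to a browser you are running is expected, while a listener owned by a process whose path you do not recognise is the case to follow up on.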
     

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, REBOOT INTO SAFE MODE!

    Once in Safe Mode double click the file sysclean.com. When the system cleaner loads, click SCAN to start the scanner. After you complete the scan reboot and attach a fresh HJT log.
     
  19. Larium

    Larium Private E-2

    I had some apparent problems running the Trend Micro package you linked.

    When I tried to scan in safe mode a window popped up saying:

    Pattern file "LPT$VPN." is missing, please download a copy.

    There was no link to download a copy (even in normal, online mode).

    Anyway, I was still able to run the scan behind that window, but I aborted the scan close to the end.

    I've included a new HJT log.

    Thanks for the replies.
     

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please see step 3 of the READ & RUN ME. You have both McAfee and Symantec AVs installed. You must uninstall one of them.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download both files from my previous post. The file lpt981 is a compressed file which contains the file it said is missing. You have to extract the contents from this zip file in order to run the scan.

    Also, as Chaslang mentioned you must uninstall one of your antivirus programs.
     
  22. Larium

    Larium Private E-2

    I was hoping you weren't going to say that.

    I have some remnants left of a failed McCrapee uninstallation, but I don't have the whole McCrapee package.

    I tried to uninstall McCrappe a couple of years ago, as it was pre-installed on this model of computer when I bought it.

    During my own uninstallation attempts I couldn't uninstall everything, so I phoned McCrappe for assistance, and the individual on the phone said something to the extent of:

    "It is going to take you 45 mins to manually uninstall our product and you're going to need either a 65 page manual that I can email you (he never did) to help, or you can call back for $100 (something in that range) and I will walk you through it"

    Obviously I never called him back, nor did he mail any assistance... which is why there is still a little garbage left over... but I'm not sure if it's really negatively affecting my computer's performance.

    Thanks for the replies,

    Is it possible to continue without having to deal with the McAfee leftovers?
     
  23. Larium

    Larium Private E-2


    Ok, I extracted the compressed file you mentioned, but I am still getting the same box popping up on top of the scan window saying that file is missing and I need to download it... at least in non-safe mode; I haven't tried it in safe mode yet.

    Not sure if this is even relevant, but... I extracted the file into C:\Documents and Settings, and then when I tried to open it (online) a window popped up saying I need to use the web to find the appropriate program and referred me to something about "Cknow" or something.

    But like I mentioned, I just tried to run the scan without opening that file and still got the same response about the missing file.

    Thanks
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ can help you remove the McAfee items too while addressing other malware items.
     
  25. Larium

    Larium Private E-2

    Ok Thanks
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Larium,

    All the files for the Trend Sysclean need to be in the same folder for it to run properly. We will address the McAfee issue once we get your system cleaned.
     
  27. Larium

    Larium Private E-2

    Ok, everything worked fine this time, as I extracted the files into the same folder. The scan took at least 3 hours.

    Here's my latest HJT log.
     

    Attached Files:

  28. Larium

    Larium Private E-2

    bump.

    Thanks again for the education.

    So I'm curious: am I pretty much done as far as successful cleaning goes, with only McCrappee leftover drivel to remove?
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean; let's take care of the McAfee now :D

    Download Your Uninstaller! 2006 5.0.0.215 and save it to your desktop. Once downloaded, install and run the program.

    See if you can locate McAfee in the list of programs and uninstall it. If you get an error, the program will remove it anyway. If you can't remove it with this program, let me know.
     
  30. Larium

    Larium Private E-2

    There is no McAfee icon, or anything related to McAfee, on the list of programs in the uninstaller program you mention.

    I tried to use the search button in the program also, but to no avail.

    I have also tried to locate anything McAfee in the "Change/Remove Programs" screen via "My Computer", but there is nothing.

    To give you more background info on my McAfee issues...

    Like I stated earlier, I tried to remove it a while back. After I removed "some" of it, every time I reboot Windows (XP) one of the first things that appears on my fresh screen is the following:

    2 overlapping boxes, with the bigger background box/screen black and blank inside (the same type of box/screen that one runs a "command prompt" in or uses to trace a router; sorry, I'm not that versed in specific computer lingo), which has at the top of it:

    C:\program files\mcafee.com\agent\mcagent.ex

    The smaller gray overlapping box has as its header "16 bit MS-DOS Subsystem" and then inside it states:

    C:\program files\mcafee.com\agent\mcagent.
    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT.
    The system file is not suitable for running MS-DOS and Microsoft Windows applications.

    I can close these boxes out, and I don't "think" they are running in Task Manager (although I haven't checked lately or don't remember), and besides being an annoyance I don't think they are lagging my system, which is why I haven't bothered to get them out.

    Hopefully my attempt to provide as much detailed info as possible isn't just creating more confusion...
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What McAfee products do you have installed; exactly what's installed?
     
  32. Larium

    Larium Private E-2

    I have no idea... Chaslang said he/she identified McAfee in my HJT log and recommended I remove "it".

    Honestly, though, I don't care if it's still in my system as long as it poses no threat and doesn't cause lag.

    Does it?

    Thanks ahead of time for any replies
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It really needs to be removed; each application has its own files and registry entries, so if you could tell me what product and version you have I could get a manual removal.

    Just reboot into Safe Mode and delete the folder below...

    C:\Program Files\McAfee.com

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate McAfee SecurityCenter Update Manager (mcupdmgr.exe) and right-click on it to bring up the Service Properties window.
    First: Stop the service by clicking the Stop button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply.

    Locate McAfee Personal Firewall Service (MpfService) and right-click on it to bring up the Service Properties window.
    First: Stop the service by clicking the Stop button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply.

    Now reboot and let me know how things are running!
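    The same stop-and-disable sequence, scripted so there is a before/after record of what was changed and a check that the folder really is gone after the Safe Mode reboot. This is an added example, not part of the thread and not bjgarrick's instructions. It assumes PowerShell is installed on the machine; MpfService is the short service name given in the post, while the Update Manager is matched by its display name because the post only gives that and the executable name, and the folder path is the one from the post.

```powershell
# Added example: stop and disable the two leftover McAfee services named in the post,
# record their state before and after, then confirm the leftover folder was removed.
# Assumes PowerShell is available; identifiers come from the post above.
$leftoverFolder = 'C:\Program Files\McAfee.com'

# MpfService is the short name given in the post. The Update Manager is only given by
# display name and executable, so it is looked up by a display-name wildcard (assumption).
$targets = @(
    @{ Name = 'MpfService'; DisplayName = $null },
    @{ Name = $null;        DisplayName = 'McAfee SecurityCenter Update Manager*' }
)

function Get-StartMode([string]$ServiceName) {
    # ServiceController only exposes StartType on newer .NET builds; WMI works everywhere.
    (Get-WmiObject Win32_Service -Filter "Name='$ServiceName'").StartMode
}

foreach ($t in $targets) {
    if ($t.Name) {
        $svc = Get-Service -Name $t.Name -ErrorAction SilentlyContinue
    } else {
        $svc = Get-Service -DisplayName $t.DisplayName -ErrorAction SilentlyContinue
    }
    if (-not $svc) {
        Write-Output ("Not present (already removed?): {0}{1}" -f $t.Name, $t.DisplayName)
        continue
    }

    # Record the state before touching it so the change is auditable.
    Write-Output ("Before: {0} [{1}] Status={2} StartMode={3}" -f `
        $svc.DisplayName, $svc.Name, $svc.Status, (Get-StartMode $svc.Name))

    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force -ErrorAction Continue
    }
    Set-Service -Name $svc.Name -StartupType Disabled

    $after = Get-Service -Name $svc.Name
    Write-Output ("After:  {0} [{1}] Status={2} StartMode={3}" -f `
        $after.DisplayName, $after.Name, $after.Status, (Get-StartMode $after.Name))
}

# The post has you delete the folder in Safe Mode. Confirm it is gone; if it is still
# there, list any running process whose image lives under it, since that blocks deletion.
if (Test-Path $leftoverFolder) {
    Write-Output "Folder still present: $leftoverFolder"
    Get-Process | Where-Object { $_.Path -and $_.Path -like "$leftoverFolder\*" } |
        Select-Object Name, Id, Path
} else {
    Write-Output "Folder removed: $leftoverFolder"
}
```

    Run it from an administrator account; stopping and reconfiguring services fails silently for a limited user. Keeping the "Before" lines in the output means the original startup type is on record if the service later turns out to belong to something you still want.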
     
  34. Larium

    Larium Private E-2


    Ok, thanks, but before I do that I need to mention that the Kaspersky scanner program you mention in this thread is STILL picking up trojans and malware even after I've gone through all these steps.

    But if my HJT log is clean, does it even matter?

    Here's a fresh HJT log...
     

  35. Larium

    Larium Private E-2

    I should have uploaded this in my last reply...

    Most recent Kaspersky log...
     

  36. Larium

    Larium Private E-2

    Alrighty... your specific McAfee removal suggestions seem to be working :) and upon my first normal reboot I'm not getting any of the McAfee filler I had previously alluded to.

    Nor did I see anything resembling (at least to my eye) McAfee in my latest HJT log, which I'll attach.

    But like I mentioned earlier, I'm still getting trojans and malware detected in the Kaspersky online scanner (but after running TrojanHunter immediately after, as advised earlier in this thread, I'm not picking anything up besides an open port used by Netscape).

    Does my system appear to be clean regardless of what Kaspersky is claiming?

    Thanks ahead of time for any replies
     

  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, I need you to open Norton and empty the Quarantined items. After you complete this, proceed with the below...

    Run the Panda Online Scan. After the scan attach the log to your next post with a fresh HJT log.
     
  38. Larium

    Larium Private E-2

    By "empty the quarantined items" do you mean the junk in my Norton Protected Recycle Bin? I empty that every time I run CCleaner, which is every time right before I log off.

    I can't find any "quarantined items" by opening up my full-service Norton AV icon.

    Thanks a bunch for all the help
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, I meant the quarantined items: the disinfection of viruses when Norton detects them.

    Please see the site below to clean these...

    Removing files from Norton AntiVirus Quarantine
     
  40. Larium

    Larium Private E-2

    Ok, here are both my latest HJT log and Panda scan results.
     

  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we clean anything, run one more Kaspersky scan and attach that log.
     
  42. Larium

    Larium Private E-2

    For some reason I cannot upload the Kaspersky results, which I saved to my desktop as text in WordPad.

    Do you want me to save the log as HTML? Or a website address? And then upload it as an attachment? Or is that a no-no on this site?

    Thanks ahead of time for any replies.
     
  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just paste the log inline and I will convert it for you.
     
  44. Larium

    Larium Private E-2

  45. Larium

    Larium Private E-2

    Kaspersky
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Probably because it is too large. Put it into a ZIP file.
     
  47. Larium

    Larium Private E-2

    Can't even do that :mad:

    I've also tried to delete 90% of the text to get it to an "uploadable" size, or a pasteable one, but it's not happening after repeated attempts.

    But

    I think I may know how to radically reduce the size of the log...

    Many of the issues in the Kaspersky log seem to be rooted in my Norton AV Quarantined section, even though there are no issues in the "quarantine" section that you all directed me to delete a few posts ago.

    However, there are about 380 virus/adware-looking issues in the "backup" section of Norton AV, so I'm assuming... I need to delete all these?

    Thanks ahead of time for any responses!
     
  48. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    How come you can't paste it inline?
     
  49. Larium

    Larium Private E-2

    I thought you guys had all the answers? :eek:

    I'm just your average, doesn't-know-all-that-much-about-computer-issues person.

    When I try to paste either 50 lines or 300 lines and hit the Submit Reply button in my response... it takes too long (like more than a couple of minutes, which obviously doesn't seem right).

    I'm going to delete some items from my Norton AV "backup" section and try to reduce the amount of garbage showing up in my Kaspersky log...
     
  50. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's what I requested you do a few posts back to reduce that log.
     
