Spyaxe Installed and Popups ???

Discussion in 'Malware Help (A Specialist Will Reply)' started by cjsjeep, Dec 3, 2005.

  1. cjsjeep

    cjsjeep Private E-2

    Came home to Spyaxe auto installed w/o my consent. Also getting popup ads from the desktop and fake windows taskbar warnings. Ran:

    Run HiJackThis, my “infection” was HomepageBHO, delete it;
    Run regedit and find this key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
    mssearchnet and nvctrl entries - delete them outright (right click, delete).

    I also ran the Spyaxe removal tool; this tool seemed to get rid of the spyaxe.exe file but did nothing about the popups and fake Windows taskbar warnings. Removal tool found at:
    http://malwareremoval.com/plog/index.php?op=ViewArticle&articleId=48&blogId=3

    I ran a virus scan and it came back with a few dialers. Deleted them:
    gdnUS2218[1].exe
    kjaaceic.exe

    Ad-Aware found a ton of malware related to Spyaxe and deleted it.

    Spybot finds something called Smitfraud-C but it cannot delete it, even in safe mode; I tried to delete it manually through the registry but I can't seem to find a folder named Domains under "ZoneMap":
    Smitfraud-C.: User settings (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-220523388-1647877149-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net\*!=W=4

    I've attached the latest HijackThis log.

    Someone recommended this community to me and said you guys are great. Any help is appreciated.
     

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  3. cjsjeep

    cjsjeep Private E-2

    Installed and ran Spyaxe.exe in safe mode

    Inline log attached!

    Still having pop-up issues?? Sent the most recent HijackThis log.
     

    Last edited by a moderator: Dec 5, 2005
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Spy Sweeper
    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT log.
     
  5. cjsjeep

    cjsjeep Private E-2

    Ran Spy Sweeper, attached log.
    Also attached HijackThis log.

    Still having Windows taskbar popup issues.
     

  6. cjsjeep

    cjsjeep Private E-2

    Update:

    Seems like the pop-ups have stopped but I still have a few viruses that can't seem to get cleaned up.

    PandaScan:
    Adware:adware/spyaxe Not disinfected C:\WINDOWS\system32\hpA681.tmp
    Adware:adware/securityerror Not disinfected C:\WINDOWS\system32\mscornet.exe

    Spybot still finding:
    Smitfraud-C

    BitDefender:
    mscornet.exe (Behaveslike:Win32.Exploit)
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this trial version of Ewido Security Suite

    • First, please download and run CCleaner to clean temp files, cookies, etc; to make the log shorter.
    • Install ewido security suite
    • When installing the program, under "Additional Options" uncheck..
      • Install background guard
      • Install scan via context menu
    • Launch ewido, there should now be an icon on your desktop, double-click it.
    • You will need to update ewido to the latest definition files:
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    If you are having problems with the updater, you can use this link to manually update ewido. Ewido Manual Updates

    • Once the updates are installed, exit Ewido.
    • Now print the below instructions or save them locally because I want you to have all browsers closed and also have no connection to the internet (unplug your cable) while doing the below:
    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    • Reboot into normal mode and reconnect to the internet.
    Once your machine reboots please attach the report from Ewido along with a fresh HJT log from normal mode.
     
  8. cjsjeep

    cjsjeep Private E-2

    Logs attached.
     

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Spy Sweeper

    Viewpoint


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Viewpoint ←–– Delete this whole folder if it exists!

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
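    Added example (not from this thread, and not part of HijackThis or any tool named above): a small Python script that applies the reasoning behind the fix list above, and the policies\Explorer\run check from the first post, to HijackThis log lines so the "tick these and Fix" decision is explicit rather than hand-picked. The sample log is constructed for the example: the R1/O3/O4/O9/O18 lines are the ones quoted in this post, the Policies\Explorer\Run line stands in for the mssearchnet entry from the first post (its .exe path is an assumption), and the ccApp line is a constructed benign Symantec autorun entry that the triage should leave alone. The function and variable names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log for this example (see lead-in). The mssearchnet path is assumed;
# the ccApp line is a benign entry that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Policies\Explorer\Run: [mssearchnet] C:\WINDOWS\system32\mssearchnet.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Programs this thread treats as unwanted (Viewpoint was uninstalled and its folder deleted).
UNWANTED_PROGRAMS = ("viewpoint",)

LINE_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
POLICY_RUN_RE = re.compile(r"\\Policies\\Explorer\\Run", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str  # HijackThis section code, e.g. "R1", "O4", "O9"
    body: str     # everything after the "Oxx - " prefix
    reasons: List[str] = field(default_factory=list)  # why triage flagged it; empty = leave alone


def parse_line(line: str) -> Optional[HjtEntry]:
    """Split one HijackThis log line into section code and body; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return HjtEntry(section=m.group(1), body=m.group(2))


def triage(entry: HjtEntry) -> List[str]:
    """Apply the fix-list reasoning to a single entry; return the reasons it was flagged."""
    reasons = []
    body = entry.body
    # Orphaned entries: the registry still points at a file that is gone (dead toolbar,
    # button or protocol handler). Leftover clutter from removed software; safe to fix.
    if "(file missing)" in body:
        reasons.append("references a file that no longer exists")
    # An empty or ':0' ProxyServer value is a stub, not a real proxy; the fix list removes it.
    if entry.section == "R1" and "ProxyServer" in body:
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value in ("", ":0"):
            reasons.append("bogus ProxyServer value %r" % value)
    if entry.section == "O4":
        # Autorun placed under policies\Explorer\run: the key the first post cleaned by hand.
        # Ordinary software rarely uses it, so anything here deserves a look.
        if POLICY_RUN_RE.search(body):
            reasons.append("autorun via Policies\\Explorer\\Run")
        # Autorun belonging to a program the thread classed as unwanted.
        lowered = body.lower()
        for name in UNWANTED_PROGRAMS:
            if name in lowered:
                reasons.append("autorun for unwanted program '%s'" % name)
    return reasons


def triage_log(text: str) -> List[HjtEntry]:
    """Parse a whole log and attach triage reasons to every entry."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entry.reasons = triage(entry)
            entries.append(entry)
    return entries


def flagged(text: str) -> List[HjtEntry]:
    """Only the entries a human should review (and, in HijackThis, tick and Fix)."""
    return [e for e in triage_log(text) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print("%-4s %s\n     -> %s" % (e.section, e.body, "; ".join(e.reasons)))
```

    Run it and six of the seven sample entries come back with a reason attached; the ccApp line is the one that does not. The rules are deliberately narrow (missing file, stub proxy, the Policies\Explorer\Run key, a short list of unwanted programs), which is the point: every entry still gets a human decision, the script only makes the reasoning reproducible.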
     
  10. cjsjeep

    cjsjeep Private E-2

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    Was not available to fix on Hijack Log. Could have been because I deleted the program before running the report.

    Ad-Aware found 1 MRU but did not identify it. It did fix it though.
    Spybot S&D still finding the Smitfraud-C (attached log of that report).

    Thanks
     

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean! Follow the below to remove the Spybot detection, after you run the below you will need to immunize in Spybot again.

    After you complete this post reboot and let me know how things are running.

    Please download DelDomains and unzip it to your desktop. Do not run it yet.

    • Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.
     
  12. cjsjeep

    cjsjeep Private E-2

    Spybot does not detect Smitfraud after doing the below steps. (attached log)
    Also attached HiJack Log.

    After rebooting Norton AV goes to some sort of windows installer upon startup then gives me a message
    "Norton AntiVirus 2005 does not support the repair feature . . . " My only option is to click OK

    Norton Auto Protect also detected some kind of Hacktool.Rootkit
    C:\windows\system32\msvol.tlb
    I quarantined it in safe mode.

    This seems to be related to the Spyaxe thing from what I'm reading. Any suggestions?
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run what BJ gave you in message #2 again (the SpyAxe Removal). I just updated the procedure in the last day or so. It picks up more stuff now.
     
  14. cjsjeep

    cjsjeep Private E-2

    Ran the new Spyaxe instructions. Still having the same issues. Attached log.

    After rebooting Norton AV goes to some sort of windows installer upon startup then gives me a message
    "Norton AntiVirus 2005 does not support the repair feature . . . " My only option is to click OK
    Also some icon flashes quickly then goes away in the Windows taskbar. It says something about NAV, but it goes away too quickly to read what exactly it says. The icon looks like the Windows Firewall Off warning??

    This has been happening since the Spyaxe thing happened so I think it's related somehow.

    Any help is appreciated.

    Thanks
     

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Has the start menu folder for Norton been renamed or moved? This could be the cause, if not then I would try to contact Symantec or post in the Software Forum.

    Are you having any current malware problems?
     
  16. cjsjeep

    cjsjeep Private E-2

    RE: NAV Issue
    I'm not sure how to check to see if the start menu folder has been moved or renamed? I will post this issue in the Software forum.


    RE: Malware Issue
    The Windows taskbar firewall icon is the last issue I have. After doing several logins and logouts to see what this says, it appears to be some sort of "click here to protect" advertisement using the Windows firewall icon. Once again it comes across so quickly then goes away that it's hard to read. I'm guessing it's embedded in the startup registry somewhere? Could I manually delete this, because the latest Spyaxe removal procedure doesn't seem to correct this issue?

    Thanks for all your help.

    Is there any good free spyware program to prevent this from happening in the future? Also what would you recommend for good IE browser settings?
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
