SpyAxe

Discussion in 'Malware Help (A Specialist Will Reply)' started by rockness, Nov 21, 2005.

  1. rockness

    rockness Private E-2

    Anyone know how to remove SpyAxe and related spyware?

    It comes up with fake security alerts to link to their website, as well as popups.

    Spybot, Ad-aware, MS anti-spyware etc don't seem to get rid of it completely either.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    Please follow the steps below:

    - Run the steps in this Smitfraud and PSGuard Removal. Make sure you save the smitfiles.txt file and post it later.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above, if you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

    After completing the READ & RUN ME and posting your HJT log, we should be able to complete the fix for SpyAxe.
     
  3. rockness

    rockness Private E-2

    I tried everything in the run this first section and the first few scans said they had removed problems, but the SpyAxe was still there.

    CLEAN! :)
     

    Attached Files:

    Last edited by a moderator: Nov 21, 2005
  4. rockness

    rockness Private E-2

    This is the HJT log file:
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp43EE.tmp (file missing)
    O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SpyAxe <--- the whole folder

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now!
     
  6. rockness

    rockness Private E-2

    Here's the new logfile but the "virus alert!" icons in the taskbar still seem to be there.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! I figured they would be because there is more to do.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Make sure no browsers (even this one) are open while doing the below. So print or save these steps locally.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\mssearchnet.exe

    Now exit HJT.

    Immediately run Windows Explorer to delete (if found):
    C:\WINDOWS\system32\1024 <--- the whole folder if found
    C:\WINDOWS\system32\mssearchnet.exe
    C:\WINDOWS\system32\msvol.tlb
    C:\WINDOWS\system32\ncompat.tlb
    C:\WINDOWS\system32\ts.ico
    C:\WINDOWS\system32\ot.ico
    C:\WINDOWS\system32\svchosts.dll <--- it is possible that deleting this will give you trouble! If so, let me know when you come back. Do not try to delete any other similarly named files on your own. Some are valid files (like svchost.exe). If you see any other files beginning with the letters svc, just let me know what you see.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    If you have trouble deleting any of the above files reboot into safe mode and repeat the above file deletions. Then continue with the below in either case.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  8. rockness

    rockness Private E-2

    svchosts.dll wouldn't delete. There was also svchosts.exe and svclog.dll.

    The icons are still there too.

    Here's the new logfile.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it was svchosts.exe and not svchost.exe?

    Did you run the steps in safe mode?

    Do it again, but this time instead of trying to delete svchosts.dll, I want you to right click it and drag it (that is, move it) to your Desktop. Do the same for svchosts.exe and svclog.dll.
    Then once they are moved to your Desktop, rename them (right click on them and select Rename) as below:
    svchosts.dll to svchosts.ddd
    svchosts.exe to svchosts.xxx
    svclog.dll to svclog.ddd

    Then reboot in normal mode and tell me how things are working. If you cannot move them to your Desktop continue with the below.

    - now close down ALL applications including this browser Window (print or save these steps locally for reference while offline)
    - disconnect your cable to the internet (physically unplug it)
    - click Start, Run, and enter cmd and click OK. This will open a command prompt window.
    - in the command prompt window enter cd c:\windows\system32 and hit enter. This will change to the system32 folder where the files are located. Leave this Command prompt window opened.
    - hold down CTRL-SHIFT-ESC to bring up Task Manager and then click the Processes tab
    - locate explorer.exe in Task Manager. The next step will cause your Desktop (icons, taskbar etc) to disappear. Do not be alarmed. This is normal.
    - Right click on explorer.exe and select End Process Tree
    - go back to the Command prompt window and enter the below sequence of commands written in bold print.

    attrib -s -h -r svchosts.dll
    attrib -s -h -r svchosts.exe <--- be careful to only enter exactly this filename
    attrib -s -h -r svclog.dll
    del svchosts.dll
    if the delete (del is delete) does not work, try renaming, use: ren svchosts.dll svchosts.ddd

    del svchosts.exe
    if the delete (del is delete) does not work, try renaming, use: ren svchosts.exe svchosts.xxx

    del svclog.dll
    if the delete (del is delete) does not work, try renaming, use: ren svclog.dll svclog.ddd

    c:\windows\explorer <--- this should bring back your Desktop.
    exit <--- will close the command prompt

    Okay now reboot in normal mode and let me know the results.
     
  10. rockness

    rockness Private E-2

    Sorry, it was svchost.exe.

    I think everything is fixed now.

    But svclog.dll doesn't seem to be there anymore and svcpack.dll is.

    Will this cause me problems or is it OK?

    Like I said, I think it's fine now, thanks.

    This is what HJT says now:
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which procedure wound up working?
    1) The move to Desktop
    2) Ending Explorer.exe and deleting from the command prompt.

    You still have SpyAxe in your HJT log:
    O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
    Have HJT fix this line and delete the C:\Program Files\SpyAxe (in safe mode if necessary)

    Some items for your Epson Printer seem to be missing. Do you need these?
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
     
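A small parser for the HijackThis O2/O3/O4 line formats quoted in this thread, added here as an illustration and not part of any post or of HijackThis itself. It flags entries whose path matches the SpyAxe files and folders named in the thread, and separately marks entries HJT reports as "(file missing)", which can be fixed in HJT but point at nothing that runs. The benign ctfmon.exe line in the sample is constructed for contrast.

```python
import re

# Constructed sample: the three HijackThis lines quoted in this thread plus one
# ordinary Windows startup entry (ctfmon.exe) added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp43EE.tmp (file missing)
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Files and folders this thread names as SpyAxe components (lower-case substrings).
SPYAXE_INDICATORS = ("\\spyaxe\\", "mssearchnet.exe", "svchosts.dll", "svclog.dll",
                     "msvol.tlb", "ncompat.tlb", "\\system32\\1024")

# O2 (BHO) / O3 (Toolbar): "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
CLSID_LINE = re.compile(
    r"^(O[23]) - (?:BHO|Toolbar): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+?)( \(file missing\))?$")
# O4 (autostart): "O4 - <registry key>: [<name>] <command line>"
RUN_LINE = re.compile(r"^(O4) - (.+?): \[(.+?)\] (.+)$")

def parse_hjt(text):
    """Turn O2/O3/O4 lines into dicts; any other line type is skipped."""
    entries = []
    for line in text.splitlines():
        m = CLSID_LINE.match(line.strip())
        if m:
            kind, name, clsid, path, missing = m.groups()
            entries.append({"type": kind, "name": name, "clsid": clsid,
                            "path": path, "missing": missing is not None})
            continue
        m = RUN_LINE.match(line.strip())
        if m:
            kind, key, name, cmd = m.groups()
            entries.append({"type": kind, "name": name, "key": key,
                            "path": cmd, "missing": False})
    return entries

def assess(entry):
    """'spyaxe' if the path matches a thread indicator, 'orphan' if the file is
    gone (entry can be fixed in HJT but nothing runs), otherwise 'ok'."""
    path = entry["path"].lower()
    if any(ind in path for ind in SPYAXE_INDICATORS):
        return "spyaxe"
    return "orphan" if entry["missing"] else "ok"

def triage(text):
    """Map each entry name to its verdict, e.g. {'SpyAxe': 'spyaxe', ...}."""
    return {e["name"]: assess(e) for e in parse_hjt(text)}
```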
  12. rockness

    rockness Private E-2

    Moving to the desktop worked.

    The Program Files\SpyAxe folder isn't there anymore.

    I think my printer is OK... I can reinstall it if not.

    Here's the latest HJT log:
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, you're clean now. Time to check this out: How to Protect yourself from malware!

    Those Epson lines have something to do with Web Printing. So it may be only if you use that feature, you will have a problem.
     
