updateyoursystem.com problem resolved?

kkiesel Fairlawn, OH
edited December 2005 in Spyware & Virus Removal
I stumbled onto this forum while I was trying to figure out how to get rid of the updateyoursystem.com and SpyAxe malware that suddenly besieged our office computer two days ago. Until this happened, we had no anti-virus or anti-spyware software installed. I downloaded the AVG trial from Grisoft, and it, combined with a Microsoft AntiSpyware deep scan, got rid of the annoying security messages and virus warnings popping up out of the taskbar every 3-5 seconds. However, it did not resolve my problems with the homepage in Internet Explorer. I downloaded Firefox so that we would at least have something to work with. This morning my taskbar started shouting urgent messages at me again, so I spent the afternoon scanning and rebooting and going through every bit of the instructions from the 11-26 thread regarding what to do about this problem. I have never had a virus or spyware infestation before, so these are the results of a very uninformed attempt to get rid of these things. Take a look, and if anything seems funny, please let me know. I'm concerned because something malicious has turned up in absolutely every scan I've done over the past three days, including two spyware threats in the Panda ActiveScan I just finished.

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:57:03 PM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hp7242.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133281193406
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe




smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 12/01/2005
The current time is: 18:03:23.76

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

SpyTrooper
Security Toolbar


~~~ Shortcuts ~~~

Online Security Center.url


~~~ Favorites ~~~

Free XXX Sites List.url
Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)


ewido security suite - Scan report

+ Created on: 4:19:22 PM, 12/1/2005
+ Report-Checksum: C68AE02D

+ Scan result:

:mozilla.10:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Tiff\Application Data\Mozilla\Firefox\Profiles\3sw34omr.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Tiff\Cookies\tiff@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tiff\Cookies\tiff@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Tiff\Cookies\tiff@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Tiff\Cookies\tiff@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\Documents and Settings\Tiff\Local Settings\Temp\asmfiles.cab/asm.exe -> Spyware.Altnet : Error during cleaning
C:\Documents and Settings\Tiff\Local Settings\Temp\asmfiles.cab/asmps.dll -> Spyware.Altnet : Error during cleaning
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@a.as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@ads.specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@counter.hitslink[1].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@ehg-aol.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@ehg-dig.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@gator[2].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@pro-market[2].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Tiff\Local Settings\Temp\Cookies\tiff@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End

Panda Activescan:

Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\Tiff\Favorites\Take It Here - Daily Updated Porn Links.url
Adware:adware/antivirus-gold Not disinfected Windows Registry


Many thanks!

--Kristie

Comments

  • SpywareShooter 127.0.0.1
    edited December 2005
    O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hp7242.tmp
    O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    Fix those entries then find and delete the following file:
    C:\WINDOWS\system32\hp7242.tmp

    And the bold folder:
    C:\Program Files\Security Toolbar\

    Then reboot your computer and post a new log.
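The same triage SpywareShooter did by eye can be done mechanically over the O2/O3/O9 lines of a HijackThis log. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the two logs Kristie posted, and the flagging heuristics (a .tmp loaded as a BHO, anything dropped straight into system32, a "(file missing)" entry, the rogue Security Toolbar) are this example's own assumptions.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not part of
the thread or of HijackThis). Applies the reasoning SpywareShooter used above:
a BHO loaded from a .tmp in system32, the rogue "Security Toolbar", and O9
entries whose file is missing get flagged; known-good entries do not."""
import re

# O2/O3/O9 lines: "<section> - <kind>: <name> - {CLSID} - <path>[ (file missing)]"
HJT_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

def parse_entry(line):
    """Dict of fields for an O2/O3/O9-style line, or None for other lines."""
    m = HJT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["file_missing"] = d.pop("missing") is not None
    d["raw"] = line.strip()
    return d

def reasons(e):
    """Heuristics (this example's own assumptions) for why an entry is suspect."""
    out, low = [], e["path"].lower()
    if low.endswith(".tmp"):                       # real BHOs/toolbars are .dll files
        out.append("loads from a .tmp file")
    if e["section"] in ("O2", "O3") and "\\system32\\" in low:
        out.append("BHO/toolbar dropped directly into system32")
    if e["file_missing"]:                          # dead entry: safe to fix
        out.append("registered but file missing")
    if e["section"] == "O3" and "security toolbar" in low:
        out.append("matches the rogue 'Security Toolbar' smitRem listed")
    return out

def triage(log_text):
    """Map suspect raw line -> reasons; clean lines are left out."""
    flagged = {}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and (why := reasons(e)):
            flagged[e["raw"]] = why
    return flagged

def removed_between(before, after):
    """Entries present in the first log but gone from the second (post-fix check)."""
    old = {e["raw"] for e in map(parse_entry, before.splitlines()) if e}
    new = {e["raw"] for e in map(parse_entry, after.splitlines()) if e}
    return sorted(old - new)

# Sample lines copied from the two HijackThis logs posted in this thread.
BEFORE = r"""
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hp7242.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""
```

`triage(BEFORE)` returns exactly the four entries SpywareShooter told Kristie to fix, `triage(AFTER)` is empty, and `removed_between(BEFORE, AFTER)` confirms those four are the ones that vanished from the second log.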
  • kkiesel Fairlawn, OH
    edited December 2005
    Pardon my ignorance, but how do I fix the files you mentioned above?

    Thanks for the help!

    --Kristie
  • SpywareShooter 127.0.0.1
    edited December 2005
    Place checkmarks in the boxes next to those entries and click "Fix Checked".
  • kkiesel Fairlawn, OH
    edited December 2005
    I got the files fixed through HJT, but I was not able to locate the other two files that you advised me to remove. I scanned the system again and deleted two files just after posting those logs, so I wonder if those might have been the files that were deleted. The ones I deleted appeared to be highly undesirable internet links (of the yucky nasty sort), so I can't say for sure if those were the ones. I did a search for the file names and nothing turned up.

    Not sure if you wanted all those logs again, but here is the new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:20:39 PM, on 12/7/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133281193406
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

    How does that look?

    --Kristie
  • SpywareShooter 127.0.0.1
    edited December 2005
    Your HijackThis log is clean! Now we'll just get rid of a few non-executable files that were dropped by this trojan. Run a free virus scan here and post the log that it gives.

    http://pandasoftware.com/activescan/
  • kkiesel Fairlawn, OH
    edited December 2005
    Sorry to take so long. Here's the Panda ActiveScan log:

    Incident Status Location

    Adware:adware/securityerror Not disinfected C:\Documents and Settings\Tiff\Favorites\Take It Here - Daily Updated Porn Links.url
    Adware:adware/antivirus-gold Not disinfected Windows Registry


    SpyAxe mysteriously reappeared on our computer a few days ago and was immediately removed by one of my new anti-spyware programs. Not sure why this computer is predisposed to getting it. Any advice?

    Thanks!

    --Kristie
  • kkiesel Fairlawn, OH
    edited December 2005
    SpyAxe has come up again twice in scans I've done this week. It's not bothering me with all the popups like usual, but I'm wondering how it keeps finding its way onto the computer.

    Thanks for your help!

    --Kristie
  • Trogan London, UK
    edited December 2005
    Once SpyAxe is gone, a Windows Update should prevent it from coming back :)