another poor soul spyaxe has got

Hi Toad53, welcome to DaniWeb :)

Spyaxe is one of those infections that demands special removal steps; Norton, SpyBot, etc. alone can't kill it.

Let's start with the first step; please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

Hi Toad53, welcome to DaniWeb :)

Spyaxe is one of those infections that demands special removal steps; Norton, SpyBot, etc. alone can't kill it.

Let's start with the first step; please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

Thanks D M R
However, i have solved my spyaxe problem but now i have another unknown problem. I downloaded hijack this 3 times from 2 different downloads, but i cannot get it to run a "scan and save log" command without the microsoft window appearing "we have encountered error etc it will scan but i can't save,copy or move the log. I solved my spyaxe problem by doing a complete system restore with pioneer sonic simple back up (i did a complete back up 2 weeks ago when everything was ok) Any ideas on what chaos i have caused to the inner workings? Once again thanks.

Sounds like some odd permissions problem; where did you save the HijackThis program and the log file? Please give the full and exact path of that folder.

Sounds like some odd permissions problem; where did you save the HijackThis program and the log file? Please give the full and exact path of that folder.

Hi again
Hijack this was the self extracting version saved to c:/my documents/downloads/hijack (this is a new folder i created and the program hijack this. exe is here with a blank hijack this log file created by notepad).What have i done wrong? Thanks again.

Weird; that folder location should be fine. Obvious question, but did you try downloading the file from the link I posted? That's the plain (unzipped) hijackthis.exe program on one of my own FTP servers; I know it works.

Hi DMR
I am in australia so one of the downloads was from internode site.Ihave just downloaded again from U.S.A T.X and the same result.Additional information when i closed nero 6.0 program yesterday an error message came up The instruction at "0x04221643" referenced memory at "0x04500ba0". The memory could not be read. This is the first time that i have used nero since spyaxe hit. Can i reload windows without having to do a complete rebuild or losing any data? Thanks again.

Hi DMR
This is an information update i downloaded microsoft antispy ware and ran it. Found 6 items in the registry and deleted them. Hijack this still won't save log.

Hi DMR
As you can proberbly tell i have the day off. Information update i have downloaded every programe you have listed and ewido is the only one to find the spyaxe downloader.Report reads-C:\WINDOWS\system32\wbeconm.dll (date 1/2/2006 (risk)high) (infected with) Downloader.Spyaxe
C:\WINDOWS\system32\nvctrl.exe (date risk etc) Trojan.Agent.il
Plus 7 medium risk cookies. Any help to you there? Ihave checked the address and both spyaxe and trojan have been removed.

I'll ask this again, since you didn't specifically answer my question:

Obvious question, but did you try downloading the file from the link I posted? That's the plain (unzipped) hijackthis.exe program on one of my own FTP servers; I know it works.

I need to log off and get some sleep right now, but I'll come back to this tomorrow.

Hi DMR
Answer to your question is yes. Three separate downloads from major geeks authors site,internode australia, and major geeks TX U.S.A.All scan but cannot save log.

Sorry, I think I see where the confusion may lie- I was asking if you downloaded HijackThis from the link I gave in the body of my post, not the HijackThis link in my sig.
The reason I'm asking you to download HJT from that location is that the file there is not zipped/compressed; it is the "ready-to-run" hijackthis.exe program itself. I've never seen anyone have the particular problem you're having with HJT, so I'm just trying to eliminate the possibility that it has something to do with trying to run the program from within the downloaded compressed/zip archive or something like that.

Sorry, I think I see where the confusion may lie- I was asking if you downloaded HijackThis from the link I gave in the body of my post, not the HijackThis link in my sig.
The reason I'm asking you to download HJT from that location is that the file there is not zipped/compressed; it is the "ready-to-run" hijackthis.exe program itself. I've never seen anyone have the particular problem you're having with HJT, so I'm just trying to eliminate the possibility that it has something to do with trying to run the program from within the downloaded compressed/zip archive or something like that.

Hi DMR
Sorry about the time wasting confusion i have now downloaded hijackthis from stevewolfonline but the result is exactly the same. The programe will scan but will not save any logs.when i first did the hijackthis scan the only antivirus program running was norton antivirus 2006 with all available updates. Would this make any difference? Do you think the complete system back up i did has lost some memory as i now have that error message when closing nero? All other programs that i have run ( dvd decrypter, belight/besweet,word or any of the new anti virus programs) are ok. Weird eh? Thanks for persisting with my problem.

I've never seen Norton interfere with HijackThis before, but that doesn't mean it isn't a possibility. Try running HJT with Norton totally disabled.

Do you think the complete system back up i did has lost some memory as i now have that error message when closing nero?

No, doing a backup has nothing to do with memory at all. The error message could be the result of a few things, but I don't have enough information about your system or its problems to start chasing that particular problem yet. As far as reinstalling Windows goes, there's no guarantee that doing so would fix the Nero error, and it really isn't recommended that you reinstall Windows over a currently unstable or infected install.

Is it really only Nero that has problems as far as you've seen?

I've never seen Norton interfere with HijackThis before, but that doesn't mean it isn't a possibility. Try running HJT with Norton totally disabled.

No, doing a backup has nothing to do with memory at all. The error message could be the result of a few things, but I don't have enough information about your system or its problems to start chasing that particular problem yet. As far as reinstalling Windows goes, there's no guarantee that doing so would fix the Nero error, and it really isn't recommended that you reinstall Windows over a currently unstable or infected install.

Is it really only Nero that has problems as far as you've seen?

Hi DMR
Only nero has the closing error i have ran all other programes no errors. Ran hijack this with all anti virus programes off same result can't save log.

1. Unfortunately, I have no idea what's going on with HijackThis; I've never seen that problem before.

2. You can try the recommended SpyAxe fix without using HijackThis. Give it a try and then post the contents of the smitfiles.txt log file genreated by the fix.

3. The Nero corruption may or may not be related to the infection; the error you're getting has been reported by others in cases where spyware was not involved. The first thing I would suggest is to uninstall Nero entirely and reinstall it.

1. Unfortunately, I have no idea what's going on with HijackThis; I've never seen that problem before.

2. You can try the recommended SpyAxe fix without using HijackThis. Give it a try and then post the contents of the smitfiles.txt log file genreated by the fix.

3. The Nero corruption may or may not be related to the infection; the error you're getting has been reported by others in cases where spyware was not involved. The first thing I would suggest is to uninstall Nero entirely and reinstall it.

Hi DMR
I have uinstalled/reinstalled nero but same result ( no great problem as clicking ok closes it down) Ran smitfiles here are the results as you can see no nasties.Thank you for all your help.
smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 01/05/2006
The current time is: 6:44:41.93

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

1024 dir
msvol.tlb
mscornet.exe

~~~ Icons in System32 ~~~

ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1048 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

Smitrem seems to think it's doing its job, but I take it you still have the tray icon and the bogus warning bubble, yes?

Smitrem seems to think it's doing its job, but I take it you still have the tray icon and the bogus warning bubble, yes?

Hi DMR
Not any more the only problem is the error message when closing nero (but this is no real hassle as one click on ok and it is closed) and the problem in saving a hijackthis log. Apart from those 2 my computer is running ok now. All antispyware/malware programes you advised me to get are installed and working so i think you have solved my initial spyaxe problem and i am very grateful to you for that. Thanks. I will keep checking the forum in case anyone else gets the " can't save hijackthis log problem" and someone finds out what the cause is. Thanks again.