Technology Spy Axe

Jibster

Jibster

Active Member
#1
#1
Ok, i got a little bubble similar to a Windows update sayin my computer is infected with Spy-ware, click here to remove etc so i got taken to the Spy Axe home page. Realising it was spy-ware i shut the window and ignored it. However it kept popping up so i updated ad-aware and AVG and ran it but nothin was detected. This carried on and every now and then i got re-directed to the Spy-Axe site.

Then i went to Add/Remove programs and uninstalled it, as soon as it uninstalled my browser re-directed me to Spy-Axe homepage again then minutes later the Spy Axe icon is in my quicklaunch again. After several un-installations i figured it wasn't going to sort it so i ran AVG, Ewido Security Suite and Ad-Aware in safe mode. Ewido picked up loads of infected files from my system32 and cookies folder so i deleted them, cleared my cookies etc and re-booted as normal. As soon as i opened my browser it's back on molesting my computer.

It may have come in with someting called mssearch.exe which kept re-appearing when closed in task manager, that went after the safe mode clearout though. Any ideas for getting rid of this bastard? Really pissing me off.
 
Jibster

Jibster

Active Member
#3
#3
There's another logfile below too, one is straight after removing it using Add/Remove, second is once it's re-appeared.




Logfile of HijackThis v1.99.1
Scan saved at 10:16:35, on 23/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINNT\system32\hp376A.tmp (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{05DBE410-1142-4E57-9396-5ABDC53E9C20}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{05DBE410-1142-4E57-9396-5ABDC53E9C20}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{05DBE410-1142-4E57-9396-5ABDC53E9C20}: NameServer = 192.168.0.1
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)



Thanks for this Illu. :thumb: Repped.
 
Jibster

Jibster

Active Member
#4
#4
Logfile of HijackThis v1.99.1
Scan saved at 10:42:40, on 23/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\James' ChemFindIt Folder\Software\Anti-Virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINNT\system32\hp376A.tmp (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{05DBE410-1142-4E57-9396-5ABDC53E9C20}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{05DBE410-1142-4E57-9396-5ABDC53E9C20}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{05DBE410-1142-4E57-9396-5ABDC53E9C20}: NameServer = 192.168.0.1
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)



Forgot to mention, the first one is a scan done straight after i removed it using Add/Remove. The second is once it's re-appeared in my Quicklaunch etc.
 
Illuminattile

Illuminattile

New Member
#5
#5
Move HijackThis! to its own folder on the C:\ drive, then scan again and remove the following:


O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINNT\system32\hp376A.tmp (file missing)

O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h

O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)

Also, can you go into:

Control Panel > Display > Desktop > Customize Desktop > Web and make sure nothing's checked there. If Windows 2000 has that option, I'm not sure it does.

Also, if you don't already have it, download KillBox. Run it, and paste the following into the box:

C:\WINNT\System32\svchosts

Make sure you copy and paste it correctly; svchosts is malicious, svchost is not.
 
Jibster

Jibster

Active Member
#6
#6
What can i say Illu, you're a legend. The killbox thing sorted it, the icon next to my clock was the problem, even startig in safe mode and it was the one thing that would not go. Did the Killbox on the svchost.dll and problem solved. Much appreciation!
 
You must log in or register to reply here.

Latest posts

Donate

Any donations will be used to help pay for the site costs, and anything donated above will be donated to C-Dub's son on behalf of this community.

Members online

No members online now.
Total: 76 (members: 0, guests: 76)
Top