December 31st, 2005 22:00

Trojan Virus & SPYAXE v3.0

Would like some help removing the SpyAxe s/w from my desktop.
 
Attached is my system logfile:
 
Logfile of HijackThis v1.99.1
Scan saved at 6:04:33 PM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Billy Hawkins\Local Settings\Temporary Internet Files\Content.IE5\Z3FDOK5S\hijackthis[1]\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

December 31st, 2005 22:00

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137512

Once it's gone, make sure you've updated Windows with all critical patches, and install and keep current an antivirus and firewall application.

December 31st, 2005 22:00

For a quicker and more informed response, you should consider re-posting your Hijack This log at the Hijack This board, http://forums.us.dell.com/supportforums/board?board.id=si_hijack&page_of_message_id=26107, not here at the Dimension - General Hardware board.

January 1st, 2006 02:00

Support options based on the model of your machine (desktop, laptop, OptiPlex, Dimension, Latitude, etc) in order for your call to be routed to the appropriate technician.

What are the Dell™ Express Service Code and Service Tag, and where can I find them?

http://support.dell.com/support/topics/global.aspx/support/kb/en/document?dn=FA1027149

You will need:

1. To be in front of the computer while you are online.

2. The make and model of the computer

3. The Service Tag and/or the Express Service Code for your computer:

* The Service Tag can be found on the back or bottom of your computer as a bar code label

* The Service Tag and/or Express Service code may also be found by running Express.exe in the Dell directory of your C:\ Drive

* The Service Tag and/or Express Service Code may also be found from the Start Menu ---> Programs ---> Dell Accessories ---> Express Service Code

4. The Dell Support CDs that came with the computer if they are available.

The web site is
http://support.dell.com/us/en/kb/


 

January 1st, 2006 04:00

It doesn't really show where it is loading from.

Obviously, you want to end task on C:\Program Files\SpyAxe\spyaxe.exe

I don't see where it is loading from though, and you are using the newest HijackThis.


You should definitely try Ad-Aware and Spybot Search & Destroy and steer clear of IE.

Anyway, I researched it and spyaxe.exe registers a DLL with the system.

Here are the removal instructions taken from http://www.spyany.com/program/article_adw_rm_SpyAxe.html

1. Reboot the computer into safe mode (press F8 when Windows starts).
2. Open a DOS command prompt window (Start > Run, type 'cmd' (on Windows NT/2000/XP) or 'command' (on Windows 95/98/Me)) and enter the following commands:

cd %systemroot%\system32\
rem unregister the DLL that spyaxe.exe registered, then clear its read-only/hidden attributes so it can be deleted
regsvr32 /u svchosts.dll
attrib -r -h svchosts.dll
attrib -r -h hp*.tmp
del /q svchosts.dll
del /q hp*.tmp
3. Open Windows Explorer, open directory "%WinDir%\System32". Find and delete the folder "1024".
4. Delete the folder "C:\Program Files\SpyAxe" and all the content in it.
5. Reboot the computer.



The instructions make sense. Essentially, you boot into safe mode so it won't be resident in memory. Then you unregister the DLL, delete it and all its other files and folders, reboot, and be happy it is gone.

Justin
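As an added example (not part of Justin's post or of HijackThis itself), a small Python parser that does the cross-check he describes by hand: it lists the running processes that no O4 Run key, O20 Winlogon Notify or O23 service entry in the log accounts for, which is exactly how spyaxe.exe stands out even though the log shows no autostart entry for it. The sample log is a constructed excerpt in the same layout as the one posted above.

```python
import re

# Constructed excerpt in the HijackThis 1.99.1 layout of the log above (just enough of each section).
SAMPLE_LOG = """Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\system32\\services.exe
C:\\Program Files\\iTunes\\iTunesHelper.exe
C:\\Program Files\\SpyAxe\\spyaxe.exe
C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\\..\\Run: [iTunesHelper] C:\\Program Files\\iTunes\\iTunesHelper.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\system32\\NavLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")
# A drive-letter path ending in .exe or .dll; stops at a quote or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll)\b', re.IGNORECASE)

def parse_hjt(text):
    """Split a HijackThis log into running-process paths and Rxx/Oxx entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False
            entries.append(line)
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def autostart_paths(entries):
    """Executables referenced by autostart entries (O4 Run keys, O20 Winlogon, O23 services)."""
    paths = set()
    for entry in entries:
        if entry.split(" - ", 1)[0] in ("O4", "O20", "O23"):
            paths.update(p.lower() for p in PATH_RE.findall(entry))
    return paths

def processes_without_autostart(text):
    """Running processes outside %WinDir% that no listed autostart entry accounts for.
    Core OS processes start without Run entries, so %WinDir% paths are skipped; programs
    the user launched by hand also land here, so hits are leads to check, not verdicts."""
    processes, entries = parse_hjt(text)
    known = autostart_paths(entries)
    return [p for p in processes if not p.lower().startswith("c:\\windows\\") and p.lower() not in known]
```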

January 1st, 2006 09:00

I'd definitely also recommend Microsoft's own beta antispyware; I have found that particularly stubborn malware which other products claim to remove, but don't, is effectively dealt with. Also be aware that malware writers are ahead of published work-arounds using safe mode; these often work on early versions, but the malware is re-written so the instructions don't work!

January 1st, 2006 12:00

 

I removed this same program over the phone with an acquaintance just last weekend using a combination of: AdAware SE Personal, MS anti-spyware, and Symantec's online scanner. Scanned with System Restore *disabled* in order to access all of the infected files.

AdAware fully recognizes SpyAxe as Malware and removes it - or at least it did in this case.

January 1st, 2006 13:00

Can anyone help me with this?
 
ugglapqb - blocked program by firewall
 
C:\Documents and Settings\Owner\Local Settings\Temp\atcwdqbw.exe => atcwdqbw.exe
 
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BARJ9EV0\ise5[1].php BackDoor-AZV
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BARJ9EV0\ise5[1].php BackDoor-AZV
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TCHPVJ6R\runfile[1] Generic AdClicker.d
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temp\atcwdqbw.exe Generic AdClicker.d
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TCHPVJ6R\runfile[1] Generic AdClicker.d
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temp\atcwdqbw.exe Generic AdClicker.d
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TCHPVJ6R\runfile[1] Generic AdClicker.d
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BARJ9EV0\get2[1] Proxy-Agent.a.dr
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temp\kqbuzsxc.exe Proxy-Agent.a.dr
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BARJ9EV0\get2[1] Proxy-Agent.a.dr
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temp\kqbuzsxc.exe Proxy-Agent.a.dr
12/29/2005 8:03 PM Infected SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BARJ9EV0\get2[1] Proxy-Agent.a.dr
12/29/2005 8:03 PM Clean Error SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BARJ9EV0\ise5[1].php BackDoor-AZV
12/29/2005 8:04 PM Deleted SYSTEM C:\Documents and Settings\Owner\Local Settings\Temp\atcwdqbw.exe Generic AdClicker.d
12/29/2005 8:05 PM Move Error SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TCHPVJ6R\runfile[1] Generic AdClicker.d
12/29/2005 8:05 PM Moved SYSTEM C:\Documents and Settings\Owner\Local Settings\Temp\atcwdqbw.exe Generic AdClicker.d
12/29/2005 8:06 PM Delete Error SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TCHPVJ6R\runfile[1] Generic AdClicker.d
12/29/2005 8:06 PM Delete Error SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TCHPVJ6R\runfile[1] Generic AdClicker.d
12/29/2005 8:08 PM Deleted SYSTEM C:\Documents and Settings\Owner\Local Settings\Temp\kqbuzsxc.exe Proxy-Agent.a.dr
12/29/2005 8:10 PM Delete Error SYSTEM C:\Documents and Settings\Owner\Local Settings\Temp\kqbuzsxc.exe Proxy-Agent.a.dr
12/29/2005 8:16 PM Delete Error SYSTEM C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BARJ9EV0\get2[1] Proxy-Agent.a.dr
Not sure if it is all gone. Did not see any more pop-ups. No performance change or anything.....
I went to the Maximum PC site and looked at their software reviews, went to the DVD ripper site and got the virus. Any help and suggestions would be helpful. McAfee VirusScan, Ad-Aware SE Pro, and Microsoft AntiSpyware beta.
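As an added example (not from the poster or from McAfee), a Python script that reduces a scan log like the one above to a per-file verdict: it keeps the last action the scanner logged for each path, so the files that ended in a Delete Error or Move Error, the ones still to be dealt with, are listed directly. The sample lines are constructed in the same layout (date, time, action, account, path, detection name).

```python
import re

# Constructed lines in the layout of the McAfee VirusScan log quoted above.
# Real logs repeat the same path many times; only the last action per path matters here.
SAMPLE_LOG = """\
12/29/2005 8:03 PM Infected SYSTEM C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\atcwdqbw.exe Generic AdClicker.d
12/29/2005 8:03 PM Infected SYSTEM C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\TCHPVJ6R\\runfile[1] Generic AdClicker.d
12/29/2005 8:03 PM Infected SYSTEM C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\kqbuzsxc.exe Proxy-Agent.a.dr
12/29/2005 8:04 PM Deleted SYSTEM C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\atcwdqbw.exe Generic AdClicker.d
12/29/2005 8:05 PM Move Error SYSTEM C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\TCHPVJ6R\\runfile[1] Generic AdClicker.d
12/29/2005 8:08 PM Deleted SYSTEM C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\kqbuzsxc.exe Proxy-Agent.a.dr
12/29/2005 8:10 PM Delete Error SYSTEM C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\kqbuzsxc.exe Proxy-Agent.a.dr
"""

LINE_RE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+ [AP]M) (.+?) (\S+) ([A-Za-z]:\\.+)$")

def parse_line(line):
    """Return (timestamp, action, path, detection) or None for an unparseable line.
    Directory names contain spaces but the file names in this log do not, so the
    path ends at the last space-separated token that still contains a backslash."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, action, _account, rest = m.groups()
    tokens = rest.split(" ")
    last = max(i for i, t in enumerate(tokens) if "\\" in t)
    return stamp, action, " ".join(tokens[:last + 1]), " ".join(tokens[last + 1:])

def final_actions(text):
    """Map each reported path to the last action logged for it, in order of first
    appearance. A bare 'Infected' means the scanner never attempted a fix."""
    result = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            _stamp, action, path, _detection = parsed
            result[path] = action
    return result

def unresolved(text):
    """Paths whose last logged action was a failure or only a detection."""
    return [p for p, a in final_actions(text).items()
            if a == "Infected" or a.endswith("Error")]
```

A path that was Deleted and then hit again with an error later in the log (kqbuzsxc.exe above) is reported as unresolved, which is the right call: something re-created it after the first deletion.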

 

January 1st, 2006 19:00

Man, you are in somebody else's topic starting a totally new topic. In addition, you are on the wrong forum and your post doesn't make much sense.