Spyaxe Infection



#1 bleed

  • Members
  • 2 posts

Posted 27 December 2005 - 09:25 PM

Hello,

My husband's computer was infected with SpyAxe last night. I am not 100% sure of what actions he took before he told me about it.

I have tried the fix from smitRem, but even after it runs the uninstall program, the "Your computer is infected!" balloon continues to pop up.

I ran spybot at one point & it found 9 infected files, from 3 programs including spyaxe. It "fixed" them, but the popup balloon continued.

I've run smitRem in & out of safe mode. When running normally, Ewido popped up and found SpyAxe when the uninstaller came up; I told it to take no action & let smitRem run. But when it finished, the popup balloon started again & Ewido caught it. This time I let it quarantine, but it did not help.

Also, it seems the computer has changed themes from XP to "Classic Win2k" - I'm thinking the blue bg screen is from smitRem as it says it will, but I'm not sure about the classic view change.

I have installed hijackthis, so here is the log :

Logfile of HijackThis v1.99.1
Scan saved at 7:57:33 PM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\WINDOWS\Mixer.exe
G:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
G:\PROGRA~1\MICROS~3\GAMECO~1\common\swtrayv4.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
G:\Program Files\ewido anti-malware\ewidoctrl.exe
G:\Program Files\ewido anti-malware\ewidoguard.exe
G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\explorer.exe
G:\Program Files\ewido anti-malware\securitysuite.exe
G:\Documents and Settings\Cartman\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [EM_EXEC] G:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] G:\PROGRA~1\MICROS~3\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] G:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyAxe] G:\Program Files\SpyAxe\spyaxe.exe /h
O4 - Global Startup: Logitech Desktop Messenger.lnk = G:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/220b5e354957ad2f3e15/...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120433903953
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_398/w...OCX/FlashAX.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - G:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - G:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


I'm really at a loss here, I've tried everything I could find about this, but the balloon will not stop making that noise & coming up - even if I do not close it.

Thanks in advance for any help you may be able to give.
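The posted HijackThis log can be triaged mechanically rather than read line by line. The script below is an added example for this thread; it is not a BleepingComputer, smitRem or HijackThis tool, and the original poster did not run it. It assumes a constructed eight-line sample modelled on the log above, a hypothetical rogue-name list containing only "spyaxe", and four illustrative heuristics: an O4 autostart entry naming a known rogue, an O16 ActiveX (DPF) download from a bare IP address, an O23 service whose owner HijackThis reports as unknown, and an R1 ProxyServer value that names no host. None of these is a signature; a hit is a prompt to look, not a verdict.

```python
"""Triage a HijackThis v1.99-style log for entries worth a second look.

Added example for this thread: it is not a BleepingComputer, smitRem or
HijackThis tool. The rogue-name list and the heuristics are assumptions
chosen to illustrate the log posted above, not an authoritative signature set.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample modelled on a few lines of the posted log (not the whole log).
SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyAxe] G:\Program Files\SpyAxe\spyaxe.exe /h
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/220b5e354957ad2f3e15/...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120433903953
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption: lower-case names of rogue "antispyware" products to flag in
# autostart entries. SpyAxe is the one this thread is about.
ROGUE_NAMES = ("spyaxe",)

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")
O16_RE = re.compile(r"\{(?P<clsid>[^}]+)\}\s*(?:\((?P<desc>[^)]*)\)\s*)?-\s*(?P<url>\S+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    line_no: int
    code: str
    severity: str  # "high": known rogue name; "review": heuristic, needs a human look
    reason: str
    entry: str


def _check_r1(rest):
    """R1: per-user IE settings. Flag a ProxyServer value that names no host."""
    key, _, value = rest.partition(" = ")
    if not key.endswith("ProxyServer"):
        return None
    host = value.rpartition(":")[0] if ":" in value else value
    if not host.strip():
        return "review", f"ProxyServer is set but names no host (value {value!r})"
    return None


def _check_o4(rest):
    """O4: autostart entries. Flag names or commands that mention a known rogue."""
    m = O4_RE.search(rest)
    if not m:
        return None
    text = f"{m.group('name')} {m.group('cmd')}".lower()
    for name in ROGUE_NAMES:
        if name in text:
            return "high", f"autostart entry references rogue antispyware '{name}'"
    return None


def _check_o16(rest):
    """O16: ActiveX controls (DPF). Flag downloads from a bare IPv4 address."""
    m = O16_RE.search(rest)
    if not m:
        return None
    host = urlsplit(m.group("url")).hostname or ""
    if IPV4_RE.match(host):
        return "review", f"ActiveX control fetched from a bare IP address ({host})"
    return None


def _check_o23(rest):
    """O23: services. Flag a service whose owner HijackThis could not identify."""
    parts = rest.rsplit(" - ", 2)  # "Service: <name> - <owner> - <path>"
    if len(parts) != 3:
        return None
    if parts[1].strip().lower() == "unknown owner":
        return "review", f"service with unknown owner at {parts[2].strip()}"
    return None


CHECKS = {"R1": _check_r1, "O4": _check_o4, "O16": _check_o16, "O23": _check_o23}


def triage(log_text):
    """Return a Finding for each log entry that trips one of the checks."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, "Running processes" list or blank line
        check = CHECKS.get(m.group("code"))
        result = check(m.group("rest")) if check else None
        if result:
            severity, reason = result
            findings.append(Finding(line_no, m.group("code"), severity, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} {f.code} [{f.severity}] {f.reason}")
        print(f"    {f.entry}")
```

Run against the sample, only the O4 SpyAxe line rates "high"; that is the autostart entry a removal tool has to clear, and it is the one that brings the balloon back on every boot if it survives. The other three hits are "review" only: the page gives no basis for calling the raw-IP CAB, the unknown-owner service or the empty proxy setting malicious, so the script reports them and leaves the decision to the reader.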


#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 01 January 2006 - 08:04 PM

You need to delete the smitrem folder that you previously made when you downloaded it. Then redownload it via the instructions here:

http://www.bleepingcomputer.com/forums/t/36868/how-to-remove-spyaxe-and-svchostsdllwbeconmdll/

The program has been updated since you posted this log.
