Spy Axe

Thanks.

Do you know if this process "cures" the non-availability of Safe Mode?
Apart from VX2 this is the 2nd time I have heard of trojans affecting the
availability of Safe Mode.

Still studying the effects of these. There seem to be many variants of
SpyTrooper, SpyAxe & Winfixer.

Thanks

Stephen Howe
 
From: "Stephen Howe" <stephenPOINThoweATtns-globalPOINTcom>

| Thanks.
|
| Do you know if this process "cures" the non-availability of Safe Mode?
| Apart from VX2 this is the 2nd time I have heard of trojans affecting the
| availability of Safe Mode.
|
| Still studying the effects of these. There seem to be many variants of
| SpyTrooper, SpyAxe & Winfixer.
|
| Thanks
|
| Stephen Howe
|

Yes there are *many* variants and I am trying my best to keep up with them. It isn't easy.

I don't know much about the Vx2. However, there are many forms of malware that may insert
themselves into Safe Mode by adding entries in the following Registry locations...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network



Example REG file ...

----------------------

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avpx32.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avpx64.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\avpx32.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\avpx64.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MEMLOW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WINLOW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MEMLOW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WINLOW]
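As an added example, not code from Dave's post or from any tool named in this thread: a PowerShell audit of the two SafeBoot keys above. It lists every entry under Minimal and Network, shows what each one points at (a driver file, a Services key, a device setup class or a driver load-order group), and marks entries that are absent from a baseline export taken from a clean machine. The baseline path is a placeholder you supply. The script only reports and deletes nothing, because removing a legitimate SafeBoot entry can leave Safe Mode unable to boot.

```powershell
# Added example (not from this thread or its tools): audit SafeBoot\Minimal and
# SafeBoot\Network, the keys named in the post above, and report entries that look
# out of place. Assumption: $BaselineRegFile is a placeholder path to a "reg export"
# of the SafeBoot key taken from a clean PC of the same Windows version (optional).
param(
    [string]$BaselineRegFile = ''   # e.g. C:\baseline\safeboot.reg (placeholder path)
)

$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$drivers  = Join-Path $env:SystemRoot 'System32\drivers'

# Allowlist from the baseline: each "[HKEY_LOCAL_MACHINE\...\SafeBoot\<root>\<name>]"
# header in the exported .reg file becomes one "<root>\<name>" entry.
$allowed = @{}
if ($BaselineRegFile -and (Test-Path -LiteralPath $BaselineRegFile)) {
    $pattern = '^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\([^\]]+)\]$'
    foreach ($line in Get-Content -LiteralPath $BaselineRegFile) {
        if ($line -match $pattern) { $allowed["$($matches[1])\$($matches[2])"] = $true }
    }
}

$report = foreach ($root in 'Minimal', 'Network') {
    foreach ($key in Get-ChildItem -Path (Join-Path $safeBoot $root)) {
        $name = $key.PSChildName
        # The key's default value says what the entry is: "Driver", "Service",
        # "Driver Group", or a device class name for the {GUID} entries.
        $kind = (Get-ItemProperty -LiteralPath $key.PSPath).'(default)'

        # Work out what backs the entry, so a dangling one stands out.
        if ($name -match '^\{[0-9A-Fa-f\-]{36}\}$') {
            $backing = 'device setup class'; $exists = $true
        } elseif ($kind -eq 'Driver Group') {
            $backing = 'driver load-order group'; $exists = $true
        } elseif ($name -match '\.sys$') {
            $backing = Join-Path $drivers $name
            $exists  = Test-Path -LiteralPath $backing
        } else {
            $svcKey  = Join-Path $services $name
            $exists  = Test-Path -LiteralPath $svcKey
            $backing = if ($exists) { (Get-ItemProperty -LiteralPath $svcKey).ImagePath } else { "$svcKey (missing)" }
        }

        [pscustomobject]@{
            Root       = $root
            Entry      = $name
            Kind       = $kind
            Exists     = $exists
            Backing    = $backing
            # $null when no baseline was supplied, so it never counts as a miss.
            InBaseline = if ($allowed.Count) { $allowed.ContainsKey("$root\$name") } else { $null }
        }
    }
}

$report | Sort-Object Root, Entry | Format-Table -AutoSize

# Worth a closer look: absent from the baseline, or a Driver/Service entry whose
# file or Services key is gone (the half-removed leftover the REG file above clears).
$suspect = $report | Where-Object { ($_.InBaseline -eq $false) -or (-not $_.Exists) }
if ($suspect) {
    "Entries to review before changing anything:"
    foreach ($s in $suspect) { "  [{0}] {1}  kind={2}  backing={3}" -f $s.Root, $s.Entry, $s.Kind, $s.Backing }
}
```

Run it from an elevated prompt. Produce the baseline on a clean install of the same Windows version with `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg` and pass that path as `-BaselineRegFile`. An entry of kind Driver or Service whose backing file or Services key no longer exists is the leftover pattern the REG file above removes; check the file behind any flagged name before deciding what to delete.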
 
(From Alan, the original query)
Hi Dave,
In my case I could still bootup in safe mode, but Spy Axe was still running
if that's of any help,
Regards,
Alan.
 
From: "Alan" <[email protected]>

| (From Alan, the original query)
| Hi Dave,
| In my case I could still bootup in safe mode, but Spy Axe was still running
| if that's of any help,
| Regards,
| Alan.

Let me see if I understand this....

You downloaded both utilities.
You ran both utilities in Normal Mode.
You ran both utilities in Safe Mode.

And you still have it ?

Download HiJack This! (HJT)
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log File

Post the log file in one of the below expert forums.

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5

{ borrowed from the alt.privacy.spyware News Group }
 
From: "Alan" <[email protected]>

| No Dave,
| I got rid of it, I was describing what happened when I did have it,
| Sorry!
| Alan.


Phew...
I thought you might have had a new variant that needed utility tweaking !

I am glad you have resolution.
 
Hello Allan,
I'm having the same problems and thoughts. Spy Sweeper provided some help and
temporary relief. XsoftSpy looked good and helped some it seemed just by
doing a scan. Check out
http://weblogs.asp.net/cfranklin/category/2131.aspx/rs. Stopped short of
paying for XsoftSpy until I decide if and when I reformat hard drive. Norton
did not help, Microsoft Antispy did not help, Yahoo Antispy did not even see
anything wrong. Even though Spybot Search and Destroy sees and removes
problems, they are still there. Spy Sweeper finds bad things and removes them
but finds them again right after reboot. Hope someone can help us. It
doesn't seem right that crooks should be smarter than the talent at the large
corporations, but seems like they are.
Good Luck,
Estateprotector
 
From: "estateprotector" <[email protected]>

| Hello Allan,
| I'm having the same problems and thoughts. Spy Sweeper provided some help and
| temporary relief. XsoftSpy looked good and helped some it seemed just by
| doing a scan. Check out
| http://weblogs.asp.net/cfranklin/category/2131.aspx/rs. Stopped short of
| paying for XsoftSpy until I decide if and when I reformat hard drive. Norton
| did not help, Microsoft Antispy did not help, Yahoo Antispy did not even see
| anything wrong. Even though Spybot Search and Destroy sees and removes
| problems, they are still there. Spy Sweeper finds bad things and removes them
| but finds them again right after reboot. Hope someone can help us. It
| doesn't seem right that crooks should be smarter than the talent at the large
| corporations, but seems like they are.
| Good Luck,
| Estateprotector
|


Two part reply..

Perform Part 1 and then perform Part 2.

Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072
 
From: "Willie Turner" <nospam@invalid>

| Hello Allen ,
| My boss at work had the same issue in his laptop. He had to download
| the virus suite from AOL. After that everything was ok. I hope that
| helps you out
|

AOL would be adding to the problem. AOL doesn't write anti malware software. They
integrate third party applications into their software.

You want to go to the source of the software, not to one who repackages it !
 
Hello Allen ,
My boss at work had the same issue in his laptop. He had to download
the virus suite from AOL. After that everything was ok. I hope that
helps you out

estateprotector:
 
get super adblocker, that'll remove it.

estateprotector said:
Hello Allan,
I'm having the same problems and thoughts. Spy Sweeper provided some help and
temporary relief. XsoftSpy looked good and helped some it seemed just by
doing a scan. Check out
http://weblogs.asp.net/cfranklin/category/2131.aspx/rs. Stopped short of
paying for XsoftSpy until I decide if and when I reformat hard drive. Norton
did not help, Microsoft Antispy did not help, Yahoo Antispy did not even see
anything wrong. Even though Spybot Search and Destroy sees and removes
problems, they are still there. Spy Sweeper finds bad things and removes them
but finds them again right after reboot. Hope someone can help us. It
doesn't seem right that crooks should be smarter than the talent at the large
corporations, but seems like they are.
Good Luck,
Estateprotector
 
My name is Jason and I too have the same Spy Axe issue and it even prevents me
from checking email. I need help!!!!!!!!!!!!!
 
From: "Jason" <[email protected]>

| My name is Jason and I too have the same Spy Axe issue and it even prevents me
| from checking email. I need help!!!!!!!!!!!!!
|


Two part reply..

Perform Part 1 and then perform Part 2.

Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072




Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 
Thanks for the 2 step program ! it worked very well ..... but now I have a
question: how can I prevent this from happening again? Does PC-cillin
Internet Security work? What program do you recommend ?

By the way, heres my report

Thanks again and happy new year!

--------------------
smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 12.28.2005
The current time is: 2:07:36.28

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 (e-mail address removed)
Killing PID 1620 'explorer.exe'
Killing PID 1620 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

--------------------------------------

Virus Scan Report File

--------------------------------------------------------------------------------
Virus Scan Information
--------------------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4660 created Dec 27 2005
Scanning for 167896 viruses, trojans and variants.


--------------------------------------------------------------------------------
Virus Scan Results
--------------------------------------------------------------------------------




12/28/2005 02:15:48


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /MIME /HTML
"C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\Program Files\Viewpoint\Viewpoint Manager\VETScriptInterpreter.dll ...
Found potentially unwanted program Viewpoint.
The file or process has been deleted.
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCP.cpl ... Found
potentially unwanted program Viewpoint.
The file or process has been deleted.
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe ... Found
potentially unwanted program Viewpoint.dr.
The file or process has been deleted.
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrCore.dll ... Found
potentially unwanted program Viewpoint.
The file or process has been deleted.
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe ... Found
potentially unwanted program Viewpoint.dr.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 146540
Clean: ................. 146458
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 5
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:50.55
 
From: "Reginaldo Hernandez" <Reginaldo (e-mail address removed)>

| Thanks for the 2 step program ! it worked very well ..... but now I have a
| question: how can I prevent this from happening again? Does PC-cillin
| Internet Security work? What program do you recommend ?
|
| By the way, heres my report
|
| Thanks again and happy new year!
|


YW -- Glad to help.

To prevent this and future problems, you must practice Safe Hex...
http://www.claymania.com/safe-hex.html

You must also make sure that you are up-to-date in installing all security related patches,
upgrades or HotFixes.

That means installing the latest OS Service Pack and Critical Updates.

If you have Sun Java prior to JRE version 5, it is strongly suggested that you remove
any/all Java installations on the PC and install the latest version of Sun Java JRE
version 5 update 6 as there is a belief that a vulnerability in older versions is making
such malware easier to auto-install.
http://www.java.com/en/download/manual.jsp

Trend Micro PC-cillin is good anti virus software. It is not a non-viral anti malware
application.

The following are good tools to have installed...

Spybot Search & Destroy 1.4
http://www.safer-networking.org/en/download/

Ad-Aware SE v1.06 (Note: this is soon to be replaced by Ad-aware 2006)
http://www.lavasoftusa.com/software/adaware/
http://www.download.com/Ad-Aware-SE...153545.html?part=dl-ad-aware&subj=dl&tag=top5
 
Dave:

I've seen your two-part solution to Spyaxe posted in several threads
and replies for satisfied users, so I thought (hoped) it might be the
solution to this very persistent trojan that leaves a constant malware
warning in my system tray. However, I am fearing that a new variant
must have appeared, at least as of 12/27, because absolutely no
solution posted in this newsgroup has worked for me.

To recapitulate:

The problem was picked up, probably from a web site, on 12/27 and
slipped by a running Norton and MS Antispyware. One thing that was
immediately notable about this virus, to me, was that the system-tray
warning appears, whether booted to normal mode or to safe mode in
Windows XP Pro. I have never had any other item that has managed to
invade safe mode.

To attempt to remove, I have:

-- run regedit and removed all references to the files herein
mentioned: mssearchnet.exe, nvctrl.exe, spyaxe.xxx, etc., plus deleted
any and all of these files in any directories, where found

-- run latest Ewido scan
-- run full MS Antispyware scan
-- run Norton scan
-- run Antipuper utility
-- downloaded and run your two-part solutions

All the above have been run more than once. Initially, Ewido and your
two-part scan found a couple issues and "fixed" them. But, the tray
warning still appears, both in safe and normal modes. Then, I re-ran
the solutions and found no hits; I also manually reviewed the registry
and files for named issues and found none. Therefore, I am wondering
whether a "new" version has appeared.

One thing that would be helpful, I think, is to use Task Manager, or
something, to try to identify what process and thread represents the
tray icon warning. I haven't had success in making this ID. Perhaps,
you can specify a procedure for that. Maybe, a new file name is in use
by this monster.

In any case, any suggestions appreciated. Not looking forward to a
disk wipe.

Thanks.
 
tacker said:
I've seen your two-part solution to Spyaxe posted in several threads
and replies for satisfied users, so I thought (hoped) it might be
the solution to this very persistent trojan that leaves a constant
malware warning in my system tray. However, I am fearing that a
new variant must have appeared, at least as of 12/27, because
absolutely no solution posted in this newsgroup has worked for me.

To recapitulate:

The problem was picked up, probably from a web site, on 12/27 and
slipped by a running Norton and MS Antispyware. One thing that was
immediately notable about this virus, to me, was that the
system-tray warning appears, whether booted to normal mode or to
safe mode in Windows XP Pro. I have never had any other item that
has managed to invade safe mode.

To attempt to remove, I have:

-- run regedit and removed all references to the files herein
mentioned: mssearchnet.exe, nvctrl.exe, spyaxe.xxx, etc., plus
deleted any and all of these files in any directories, where found

-- run latest Ewido scan
-- run full MS Antispyware scan
-- run Norton scan
-- run Antipuper utility
-- downloaded and run your two-part solutions

All the above have been run more than once. Initially, Ewido and
your two-part scan found a couple issues and "fixed" them. But,
the tray warning still appears, both in safe and normal modes.
Then, I re-ran the solutions and found no hits; I also manually
reviewed the registry and files for named issues and found none.
Therefore, I am wondering whether a "new" version has appeared.

One thing that would be helpful, I think, is to use Task Manager, or
something, to try to identify what process and thread represents the
tray icon warning. I haven't had success in making this ID.
Perhaps, you can specify a procedure for that. Maybe, a new file
name is in use by this monster.

In any case, any suggestions appreciated. Not looking forward to a
disk wipe.

What about infections of other types?
Have you ran AdAware? Spybot S&D? CWShredder? HijackThis?
SpywareBlaster? IE-SpyAd?

May want to download/install/run/update/scan with and immunize with those as
well.
 
From: "tacker" <[email protected]>

| Dave:
|
| I've seen your two-part solution to Spyaxe posted in several threads
| and replies for satisfied users, so I thought (hoped) it might be the
| solution to this very persistent trojan that leaves a constant malware
| warning in my system tray. However, I am fearing that a new variant
| must have appeared, at least as of 12/27, because absolutely no
| solution posted in this newsgroup has worked for me.
|
| To recapitulate:
|
| The problem was picked up, probably from a web site, on 12/27 and
| slipped by a running Norton and MS Antispyware. One thing that was
| immediately notable about this virus, to me, was that the system-tray
| warning appears, whether booted to normal mode or to safe mode in
| Windows XP Pro. I have never had any other item that has managed to
| invade safe mode.
|
| To attempt to remove, I have:
|
| -- run regedit and removed all references to the files herein
| mentioned: mssearchnet.exe, nvctrl.exe, spyaxe.xxx, etc., plus deleted
| any and all of these files in any directories, where found
|
| -- run latest Ewido scan
| -- run full MS Antispyware scan
| -- run Norton scan
| -- run Antipuper utility
| -- downloaded and run your two-part solutions
|
| All the above have been run more than once. Initially, Ewido and your
| two-part scan found a couple issues and "fixed" them. But, the tray
| warning still appears, both in safe and normal modes. Then, I re-ran
| the solutions and found no hits; I also manually reviewed the registry
| and files for named issues and found none. Therefore, I am wondering
| whether a "new" version has appeared.
|
| One thing that would be helpful, I think, is to use Task Manager, or
| something, to try to identify what process and thread represents the
| tray icon warning. I haven't had success in making this ID. Perhaps,
| you can specify a procedure for that. Maybe, a new file name is in use
| by this monster.
|
| In any case, any suggestions appreciated. Not looking forward to a
| disk wipe.
|
| Thanks.

If you are using any version of Sun Java that is prior to JRE Version 5.0, then
you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in it and they are actively being exploited.
It is possible that is how you got infected with malware.

After you remove the Sun Java you have, install JRE Version 5.0 Update 6
http://www.java.com/en/download/manual.jsp

Please download and execute HiJack This!
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a log file.
Email me a copy of the log file as well as post the log file in one of the below forums.

To email me, just remove ~nospam~ from; [email protected]

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5

{ borrowed from the alt.privacy.spyware News Group }
 
Have run spybot, lavasoft. Spybot did find a spyaxe directory that had
had its files deleted by some other program I ran or manual deletion,
which I can't recall.

In any case, something VERY well hidden is reinstalling spyaxe and its
customary warning.

Will run hijackthis, as per Dave's suggestion.
 
Same problem here. I do believe it's a new variant. This leech will not let
go. Any help will be greatly appreciated.

Thanks
Jason
 
