SpyAxed!

Guest

I have recently had a problem with SpyAxe, which I thought I cleared up
by using Spybot SD. Spybot removed Spyaxe, and it did not reinstall itself
like it did after using MS Antispyware. BUT, the windows update icon
continues to flash from the update icon to a red circle with a white circle
in it. I have read on other posts that this is related to SpyAxe. Since
being infected by this malware I have experienced a whole host of problems.
A windows explorer box has been popping up since I attempted to uninstall
spyaxe. It reads "C:\DOCUME~1\Bob\LOCALS~1\Temp\Sa7c.exe is not a valid Win32
application." If I switch user at 7:00PM, by the next morning, around
8:00AM, when I sign back on, around 25 of those windows explorer boxes will
have popped up.
Clicking on things has become a chore, and often requires me to click
on something many, many, times in order to get a response. This problem
comes and goes. Sometimes I have to wait for a little while after signing on
in order to be able to click on anything. I can move the mouse around fine,
but clicking (left or right) proves futile. It is not a hardware issue, as
under any other account clicking works fine. Also, all problems, including
Spyaxe, only occur under my account.
Every 10 seconds or so a noise plays like a pop-up window is being
blocked. This occurs even when I have no IE windows open. I suspect evil
ghosts, but what do I know.
After I got infected with the malware Spyaxe, I tried to do a basic
Windows search for Spyaxe, which resulted in a "Not Responding" end now.
Every time I try to search for something, the search app locks up. I am not
sure if this is related, but I thought that it is weird that before spyaxe I
could search, and now, nothing.
Sorry about the length, but I like to include everything in order to give
the best picture of what is happening. Well, hopefully I will be able to
click on post.
 
David H. Lipman

From: "king_bob" <[email protected]>

| I have recently had a problem with SpyAxe, which I thought I cleared up
| by using Spybot SD. Spybot removed Spyaxe, and it did not reinstall itself
| like it did after using MS Antispyware. BUT, the windows update icon
| continues to flash from the update icon to a red circle with a white circle
| in it. I have read on other posts that this is related to SpyAxe. Since
| being infected by this malware I have experienced a whole host of problems.
| A windows explorer box has been popping up since I attempted to uninstall
| spyaxe. It reads "C:\DOCUME~1\Bob\LOCALS~1\Temp\Sa7c.exe is not a valid Win32
| application." If I switch user at 7:00PM, by the next morning, around
| 8:00AM, when I sign back on, around 25 of those windows explorer boxes will
| have popped up.
| Clicking on things has become a chore, and often requires me to click
| on something many, many, times in order to get a response. This problem
| comes and goes. Sometimes I have to wait for a little while after signing on
| in order to be able to click on anything. I can move the mouse around fine,
| but clicking (left or right) proves futile. It is not a hardware issue, as
| under any other account clicking works fine. Also, all problems, including
| Spyaxe, only occur under my account.
| Every 10 seconds or so a noise plays like a pop-up window is being
| blocked. This occurs even when I have no IE windows open. I suspect evil
| ghosts, but what do I know.
| After I got infected with the malware Spyaxe, I tried to do a basic
| Windows search for Spyaxe, which resulted in a "Not Responding" end now.
| Every time I try to search for something, the search app locks up. I am not
| sure if this is related, but I thought that it is weird that before spyaxe I
| could search, and now, nothing.
| Sorry about the length, but I like to include everything in order to give
| the best picture of what is happening. Well, hopefully I will be able to
| click on post.
|



Two-part reply.

Perform Part 1 then perform Part 2.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0, then
you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that this is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp




Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072



Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 
Malke

king_bob said:
I have recently had a problem with SpyAxe, which I thought I cleared up
by using Spybot SD. Spybot removed Spyaxe, and it did not reinstall itself
like it did after using MS Antispyware. BUT, the windows update icon
continues to flash from the update icon to a red circle with a white circle
in it. I have read on other posts that this is related to SpyAxe.
Since being infected by this malware I have experienced a whole host of
problems.
A windows explorer box has been popping up since I attempted to uninstall
spyaxe. It reads "C:\DOCUME~1\Bob\LOCALS~1\Temp\Sa7c.exe is not a valid Win32
application."
(snippage)

Your computer is still not clean. Here are various links about cleaning
up Spyaxe:

noahdfear's SmitFraud and SpyAxe removal tool -
http://noahdfear.geekstogo.com/click counter/click.php?id=8
References - http://www.bleepingcomputer.com/forums/topic36868.html
http://malwareremoval.com/plog/index.php?op=ViewArticle&articleId=48&blogId=3

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool
http://secured2k.home.comcast.net/tools/AntiPuper.exe
http://forums.mcafeehelp.com/viewtopic.php?t=65072

General malware removal steps:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, use HijackThis (links to program/forums at site
above).

Malke
 
Rob graham

I found that mscornet.exe in the System32 folder was the problem and I
deleted it in safe mode.

Rob Graham
 
David H. Lipman

From: "Rob graham" <[email protected]>

| I found that mscornet.exe in the System32 folder was the problem and I
| deleted it in safe mode.
|
| Rob Graham
|

That's a KLob Trojan and is only a small part of the problem.

Please read my post and follow its instructions to remove all aspects.
 
Guest

First off, thanks all for your posts.
David, I tried your advice about smitrem and smitfraud. First, I downloaded
and used smit rem, norm mode and safe, no problems. Next, I downloaded
smitfraud, and ran it. I don't think it worked properly. The program kept
saying XXXX...is password protected. Does that mean it couldn't access
something? The reason I thought it didn't work right, is that it would get
to a certain line, and then just stop. I let it stay like that for about
five minutes and it became unresponsive. It did that all 4 times I tried to
run it (2x in norm mode, 2x in safe mode).
The good thing is that it appears to have gotten rid of the malware
spyaxe, the fake windows update is gone. Although I still can't search.
Performing a windows search just results in an unresponsive program. And I
still get a pop-up blocking sound, even when nothing is happening.
Some additional info: my OS is WinXP SP2, IE 6. I also checked my
Java version, it is 1.5, I do not know how I would even go about uninstalling it
though.
 
Guest

Oh, I followed Malke's advice and downloaded and ran hijackthis. After I
ran a scan it wanted to know what to fix. I have no clue what to fix, there
are a bunch of things in the list, it saved a log of the scan. Let me know if
the log will help, and I will post it. Also, what should I "fix" as
hijackthis wants to know? It cautions that removing files that you need
could be harmful.
 
David H. Lipman

From: "king_bob" <[email protected]>

| First off, thanks all for your posts.
| David, I tried your advice about smitrem and smitfraud. First, I downloaded
| and used smit rem, norm mode and safe, no problems. Next, I downloaded
| smitfraud, and ran it. I don't think it worked properly. The program kept
| saying XXXX...is password protected. Does that mean it couldn't access
| something? The reason I thought it didn't work right, is that it would get
| to a certain line, and then just stop. I let it stay like that for about
| five minutes and it became unresponsive. It did that all 4 times I tried to
| run it (2x in norm mode, 2x in safe mode).
| The good thing is that it appears to have gotten rid of the malware
| spyaxe, the fake windows update is gone. Although I still can't search.
| Performing a windows search just results in an unresponsive program. And I
| still get a pop-up blocking sound, even when nothing is happening.
| Some additional info: my OS is WinXP SP2, IE 6. I also checked my
| Java version, it is 1.5, I do not know how I would even go about uninstalling it
| though.

Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

Some anti-malware utilities quarantine malware found. They will password protect those
files to keep them safe. That's what a good quarantine should do. There are other types of
files that may be password protected as well, such as a ZIP file.

I would have to see the EXACT message for the file scanned. It really isn't too important
what the screen shows about files; what's more important is what gets put into the created
HTML log file.

As for the search capabilities...

There is still the alternate utility.

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


When it comes to a HiJack This! Log...
The following is where you post these logs and you'll get expert analysis...

Choose one.

NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5

{ borrowed from the alt.privacy.spyware News Group }
 
Malke

king_bob said:
Oh, I followed Malke's advice and downloaded and ran hijackthis. After I
ran a scan it wanted to know what to fix. I have no clue what to fix, there
are a bunch of things in the list, it saved a log of the scan. Let me know if
the log will help, and I will post it. Also, what should I "fix" as
hijackthis wants to know? It cautions that removing files that you need
could be harmful.

You should do what I suggested in that post and what Dave Lipman
suggested in a later post: go to one of the specialty HijackThis
forums, register, read their posting FAQ, and post your HJT log there
(not here). Dave gave you a long list of HJT forums and for your
convenience, here is my list:

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

Malke
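The reason both Dave and Malke send the HijackThis log to a specialist forum is that an O4 (autostart) line is only meaningful once you know what its target is and whether the file behind it is still real. The script below is an added example written for this thread; it is not HijackThis, SmitRem or any of the posters' tools. It parses a `reg export` of a Run key (the `.reg` text and the "files on disk" table are constructed here so it runs offline; the thread never says which autostart location pointed at Sa7c.exe, so that entry is an assumption) and flags the three things a reviewer would look at first: a loader that runs out of a Temp folder, an entry whose target file no longer exists (a half-finished removal leaves these behind), and a target that exists but does not start with the `MZ` header of a PE image, which is exactly what produces the repeating "is not a valid Win32 application" dialog described above.

```python
"""Triage autostart entries from an exported Windows Run key (.reg text).

Added example for this thread; not code from HijackThis, SmitRem or McAfee.
The sample .reg export and the fake on-disk file table below are constructed
to mirror the symptoms in the posts (a Temp-folder loader, a deleted rogue).
"""
import os
import re

# Substrings (lower-cased) that mark a launch path inside a temp directory.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "%temp%", "%tmp%")

# One REG_SZ line of a .reg export:  "Name"="Data"   (quotes/backslashes escaped)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_key(reg_text: str) -> dict:
    """Return {key_path: {value_name: command_line}} for string values."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def image_path(command_line: str) -> str:
    """Extract the executable path from an autostart command line."""
    cl = command_line.strip()
    if cl.startswith('"'):                      # "C:\Program Files\x.exe" /arg
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    m = re.search(r"\.exe\b", cl, re.IGNORECASE)  # unquoted path with spaces
    if m:
        return cl[: m.end()]
    return cl.split()[0] if cl else ""


def _read_head(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(2)


def triage(reg_text: str, exists=os.path.exists, read_head=_read_head) -> list:
    """Return (key, value_name, image_path, [reasons]) for suspicious entries."""
    findings = []
    for key, values in parse_run_key(reg_text).items():
        for name, cmd in values.items():
            path = image_path(cmd)
            low = path.lower()
            reasons = []
            if any(t in low for t in TEMP_MARKERS):
                reasons.append("launches from a Temp directory")
            if not exists(path):
                reasons.append("target file is missing (orphaned entry)")
            elif read_head(path)[:2] != b"MZ":
                reasons.append("target is not a PE image ('not a valid Win32 application')")
            if reasons:
                findings.append((key, name, path, reasons))
    return findings


# Constructed sample export; the Sa7c entry is an assumption, not from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Sa7c"="C:\\DOCUME~1\\Bob\\LOCALS~1\\Temp\\Sa7c.exe"
"SpyAxe"="C:\\Program Files\\SpyAxe\\spyaxe.exe /h"
'''

# Constructed "disk": first bytes of each file that still exists. spyaxe.exe
# was removed by the cleaner, so its Run entry is orphaned; Sa7c.exe is a
# zero-filled stub, which is why launching it fails as "not a valid Win32 application".
FAKE_FILES = {
    r"c:\windows\system32\ctfmon.exe": b"MZ\x90\x00",
    r"c:\program files\messenger\msmsgs.exe": b"MZ\x90\x00",
    r"c:\docume~1\bob\locals~1\temp\sa7c.exe": b"\x00\x00\x00\x00",
}


def fake_exists(path: str) -> bool:
    return path.lower() in FAKE_FILES


def fake_head(path: str) -> bytes:
    return FAKE_FILES[path.lower()][:2]


def demo() -> list:
    """Run the triage over the constructed sample."""
    return triage(SAMPLE_REG, fake_exists, fake_head)


if __name__ == "__main__":
    for key, name, path, reasons in demo():
        print(f"{key}\n  {name} -> {path}\n    " + "; ".join(reasons))
```

On a real machine you would feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM key, plus the RunOnce keys) and leave the default `exists`/`read_head` arguments so it checks the actual files. A flagged line is a lead, not a verdict: that is still what the HijackThis forums are for.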
 
Guest

Ok, here is the html file you wanted david.

Virus Scan Report File
Virus Scan Information
McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4663 created Dec 30 2005
Scanning for 168331 viruses, trojans and variants.

12/30/2005 22:35:31

Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /MIME /HTML
"C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
C:\install.cab\ISEARCH.CAT ... Found potentially unwanted program
Adware-Isearch.
Scanning C:\*.*

Thanks for all the links. After new years I will get a chance to check
them out and if you want info about what I find out, let me know and I'll
post back.
Again, I looked at the sun java thing, IE, Tools, Sun Java Console. It
says that it is version 1.5. I know you said it should be 5.0, but I don't
know how to remove it. I went to IE, Tools, Options, Programs, Manage
Add-ons and found listings for sun java console, JScript language, two java
plug-in 1.50_05's, and a Java plug-in 1.50_03. It gives filenames for each,
but I am unsure of how to delete them, and which ones to delete in the first
place.
Thanks for your responses and happy new year!
 
Guest

I went to the elephant computer site that you gave a link to, and I have
been using S&D for a while. I think that I just realized what david said
about certain things being password protected from an immunization when I ran
smitfraud. I had just run S&D: immunize, after I got infected by spyaxe, in
the hopes it would quarantine it. You and David have both given me a lot of
links/info that I will thoroughly investigate.
I will never understand how a business could hope to get customers by
first infecting them with their own product, as is the case with SpyAxe. If
anything, the last thing I would do is give money to the "business" that
caused the problem in the first place. Thankfully people like you guys in
these forums exist to help laypersons like myself. Thanks for taking the
time to point me in the right direction concerning malware. Well, have a
good new year!
 
David H. Lipman

From: "king_bob" <[email protected]>


Replies are inline...

| Ok, here is the html file you wanted david.
|
| Virus Scan Report File
| Virus Scan Information
| McAfee VirusScan for Win32 v4.40.0
| Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
| reserved.
| (408) 988-3832 LICENSED COPY - Sep 23 2004
|
| Scan engine v4.4.00 for Win32.
| Virus data file v4663 created Dec 30 2005
| Scanning for 168331 viruses, trojans and variants.
|
| 12/30/2005 22:35:31
|
| Options:
| /ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
| /PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /MIME /HTML
| "C:\MCAFEE\SCANREPORT.HTML"
|
| Scanning C: []
| C:\install.cab\ISEARCH.CAT ... Found potentially unwanted program
| Adware-Isearch.
| Scanning C:\*.*


That's it ? It stopped right there ?

At least I can say delete; C:\install.cab

I would *REALLY* like to see the McAfee Scan go through completion.

I have an updated version of my tool; SmitFraud.exe

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe



|
| Thanks for all the links. After new years I will get a chance to check
| them out and if you want info about what I find out, let me know and I'll
| post back.
| Again, I looked at the sun java thing, IE, Tools, Sun Java Console. It
| says that it is version 1.5. I know you said it should be 5.0, but I don't
| know how to remove it. I went to IE, Tools, Options, Programs, Manage
| Add-ons and found listings for sun java console, JScript language, two java
| plug-in 1.50_05's, and a Java plug-in 1.50_03. It gives filenames for each,
| but I am unsure of how to delete them, and which ones to delete in the first
| place.
| Thanks for your responses and happy new year!
|

Sun Java's version numbering system is confusing. It sounds like you have a non-vulnerable
version of Sun Java.
 