
My Spyaxe experience

Post by Jeff in Ohio » December 30th, 2005, 4:19 pm

Just finished de-infecting my father-in-law's computer after it picked up Spyaxe the day after Christmas. Followed the instructions found elsewhere (use smitRem, Ewido and Ad-Aware) and the pop-up kept coming back and then eventually loading Spyaxe. Eventually found another thread about the Kaspersky Labs virus scan. My father-in-law runs AVG anti-virus, the ZoneAlarm firewall and Microsoft AntiSpyware. Microsoft AntiSpyware kept trying to get rid of it. AVG found NO virus. Kaspersky found the virus and spyware hidden in some System Restore files (dated several months ago). I eventually unhooked his cable modem and deleted all the infected stuff in the System Restore files. As soon as I started deleting items from the System Restore files, the pop-up balloon disappeared. Yee-hah! After deleting what Kaspersky found, I finally just turned off System Restore logging, left the modem unplugged, restarted (again, for like the 100th time) in Safe Mode, ran the Ad-Aware and Ewido scans, restarted in regular mode, hooked up the internet after the firewall and everything else loaded, then turned System Restore logging back on. Damn thing is G-O-N-E.

The System Restore files had the Zlob virus, and that was what was loading up Spyaxe. The infected files System Restore pointed to were leftovers from a 3D Butterfly screensaver he thought he had erased months ago. His ZoneAlarm does not kick in until AFTER his cable modem makes contact and loads up. I think the virus went out and got Spyaxe after he did a system restart a few days ago and the internet fired up on the cable before the firewall and anti-virus fired up. So it snuck out, grabbed Spyaxe and started the infection before the firewall kicked in. That's the only way I can figure it happened.

My advice would be to disable System Restore while you are doing the whole Safe Mode/smitRem/Ewido/Ad-Aware thing. Then start System Restore back up when you are sure that thing is gone.

Post by jwbirdsong » December 30th, 2005, 4:53 pm

The problem with disabling System Restore before you are clean is that if some unrecoverable error happens (not common, but it does happen), an infected recovery is better than none at all.
Ewido, online and anti-virus scans WILL pick up the infection in _restore and sometimes deal with it as best they can; it can be a nuisance, but no worse than that.

You can NOT become reinfected from the files in _restore UNLESS a System Restore is run.
So in my opinion (and I think the general consensus of the anti-malware community) it is better to leave them in place until the computer is healthy again and THEN clear the restore cache.

Post by Jeff in Ohio » December 30th, 2005, 5:29 pm

I uninstalled EVERYTHING on the machine except Windows XP and the antivirus stuff before I started the whole process. I ran Ewido, Ad-Aware and AVG more times than I can remember, always in Safe Mode and always after running smitRem. HijackThis never showed anything unusual. Here was a typical HijackThis log WHILE the machine was infected:

Logfile of HijackThis v1.99.1
Scan saved at 11:10:26 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armstrongmywire.com/index.php
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {712D42CD-3513-473E-96E8-019C9AD78F1A} (MSN Money QuickList) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37490.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B65476B8-EAE6-4329-9EC1-B4A15467A181}: NameServer = 67.36.244.32,67.36.240.32
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Here was a typical smitRem log:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 12/28/2005
The current time is: 22:05:01.87

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1628 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)



I ran these programs and went through the whole restart/Safe Mode process, running scans with Ewido, Ad-Aware and AVG anti-virus at least a dozen times, and it always came back. Kaspersky was finally run and it found this:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 28, 2005 20:53:19
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/12/2005
Kaspersky Anti-Virus database records: 168084
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 45209
Number of viruses found: 5
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 4227 sec

Infected Object Name - Virus Name
C:\buchxx.chm/on-line.exe Infected: Trojan.Win32.Dialer.ce
C:\buchxx.chm Infected: Trojan.Win32.Dialer.ce
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067235.exe Infected: not-a-virus:AdWare.Win32.Gator.d
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067236.exe Infected: not-a-virus:AdWare.Win32.Gator.d
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067291.exe Infected: not-a-virus:AdWare.Win32.Gator.a
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067292.exe Infected: not-a-virus:AdWare.Win32.Gator.a
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP657\A0084631.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP658\A0085635.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP658\A0085669.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0085744.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0085778.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0086800.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0086804.exe Infected: Trojan-Downloader.Win32.Zlob.bv


System Restore was NEVER run at all during my many hours of scanning. Not until I removed the above items from System Restore did the Spyaxe pop-up finally go away. I was pretty damn close to fdisking the whole thing before I ran Kaspersky. AVG ran so many times I can't remember and never found anything. Ad-Aware and Ewido would always find the same items and remove them (but they NEVER found anything in System Restore). Kaspersky was the only program to find something that, when that something was removed, the infection was gone.

Really doesn't make sense, since a System Restore was NEVER run, but clearing out System Restore finally kicked Spyaxe and its damn pop-up off the machine for good.

Considering adding a second hard drive and migrating everything except Microsoft products to it. That way, when some jackass kid in some part of the world invents something new to corrupt Windows/Explorer/Outlook, etc., only one drive will be messed up and all other files (pics, music, spreadsheets, Word files, etc.) will be safe elsewhere. Then the simple way is just to kill Windows on the "Microsoft drive" and start over. Spent over 14 hours getting rid of that thing. fdisk and re-install would have been much faster.
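The two posts above disagree on what to do with infected restore points, and both hinge on the same question: which detections are sitting only inside System Restore snapshots (harmless until a restore is run, per jwbirdsong) and which are on the live filesystem (the C:\buchxx.chm hits). The script below is an added example, not part of the original thread or any tool mentioned in it. It parses a Kaspersky On-line Scanner report of the format shown above, splits the hits into live-filesystem versus per-restore-point groups, and cross-checks the detection list against the report's own "Scan Statistics" block so a truncated log is noticed. The embedded report is a trimmed copy of the one in the post, kept inline only so the script runs offline; the function and variable names are this example's own.

```python
"""Triage a Kaspersky On-line Scanner report: live-filesystem hits vs. hits
that exist only inside System Restore snapshots (\_restore{GUID}\RPnnn\).
Added example; the report text is a trimmed copy of the one in the thread."""
import re
from collections import defaultdict

# One detection line: "<path> Infected: <name>". Paths may contain spaces
# ("System Volume Information"), so the path group is non-greedy and the
# match is anchored on the literal "Infected:" token.
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s*$")

# A path inside an XP System Restore snapshot: <drive>:\System Volume
# Information\_restore{GUID}\RPnnn\... ; the restore point id is captured.
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)

# Counters from the "Scan Statistics" block, used to sanity-check the log.
STATS_RE = re.compile(r"^Number of (?P<key>viruses found|infected objects):\s+(?P<n>\d+)$")

# Trimmed copy of the report posted in the thread (example input only).
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 45209
Number of viruses found: 5
Number of infected objects: 13
Number of suspicious objects: 0

Infected Object Name - Virus Name
C:\buchxx.chm/on-line.exe Infected: Trojan.Win32.Dialer.ce
C:\buchxx.chm Infected: Trojan.Win32.Dialer.ce
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067235.exe Infected: not-a-virus:AdWare.Win32.Gator.d
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067236.exe Infected: not-a-virus:AdWare.Win32.Gator.d
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067291.exe Infected: not-a-virus:AdWare.Win32.Gator.a
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067292.exe Infected: not-a-virus:AdWare.Win32.Gator.a
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP657\A0084631.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP658\A0085635.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP658\A0085669.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0085744.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0085778.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0086800.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0086804.exe Infected: Trojan-Downloader.Win32.Zlob.bv
"""


def parse_detections(report):
    """Return [(path, detection_name), ...] for every 'Infected:' line."""
    hits = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def parse_stats(report):
    """Return the 'viruses found' / 'infected objects' counters as a dict."""
    stats = {}
    for line in report.splitlines():
        m = STATS_RE.match(line.strip())
        if m:
            stats[m.group("key")] = int(m.group("n"))
    return stats


def triage(hits):
    """Split hits into live-filesystem entries and a dict keyed by restore point."""
    live, by_rp = [], defaultdict(list)
    for path, name in hits:
        m = RESTORE_RE.match(path)
        if m:
            by_rp[m.group("rp")].append((path, name))
        else:
            live.append((path, name))
    return live, dict(by_rp)


def stats_consistent(hits, stats):
    """True when the parsed lines agree with the report's own counters
    (distinct detection names == 'viruses found', lines == 'infected objects')."""
    return (
        stats.get("infected objects") == len(hits)
        and stats.get("viruses found") == len({name for _, name in hits})
    )


def summarize(report):
    """Everything a helper would want to see at a glance, as plain data."""
    hits = parse_detections(report)
    live, by_rp = triage(hits)
    return {
        "live_paths": [p for p, _ in live],
        "restore_points": {rp: len(v) for rp, v in sorted(by_rp.items())},
        "families": sorted({n for _, n in hits}),
        "consistent": stats_consistent(hits, parse_stats(report)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

In this report the only live hits are the two C:\buchxx.chm entries; everything else is snapshot content, which is the part jwbirdsong says cannot reinfect the machine unless a restore is run. The consistency check fails on a copy-pasted log that lost lines, which is common in forum posts.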

Post by NonSuch » January 5th, 2006, 3:20 am

As it appears you have resolved this issue yourself, and the system is experiencing no further difficulties, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.