Spy Axe / Spy Trooper

BertV
2005-12-18, 19:05
Hi, I could use some help.

My computer is infected with malware. I'm not the only one who uses this computer, so I don't really know how or when this was installed.
The following things have been happening, these last days:
- A spyware program, "Spy Axe", is installed which shows a long list of spyware. I managed to uninstall it, but when I restart my PC, the program is installed again.
- When I start my internet browser, it starts on the following address: www.needupdate.com, a page that looks like an official Windows page. It says my private info is collected by W32.Sinnaka.A@mm and that I should download Spy Axe or Spy Trooper.
- My Norton Anti-virus doesn't detect any problems.
- Spybot finds some spyware and removes it, but that doesn't fix the problem.
- A lot of pop-ups appear (mostly ads for porn channels).

I'll post you a HijackThis-logfile.

I really need some help. I need my computer for work and studies.
Many thanks.
Bert

BertV
2005-12-18, 19:06
Logfile of HijackThis v1.99.1
Scan saved at 16:09:19, on 18/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\hjt\HijackThis.exe
C:\hjt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pandora.be/zoeken
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pandora.be
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pac.pandora.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpBD09.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pandora.be
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

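The log above is the kind of thing a helper triages by eye: the `O2` BHO loading from a `.tmp` file in `system32`, the `mssearchnet.exe` process, and the `(file missing)` leftovers are the lines that stand out. As an added example (not part of this thread and not HijackThis's own logic), here is a small Python parser that groups a HijackThis log into running processes and `Rn`/`On` entries and flags those same patterns. The watchlists and the flagging rules are assumptions written for illustration; the sample log is a constructed excerpt modelled on the one posted, with the start-page line changed to the hijacked address the poster describes.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the posted log (not the complete log).
# The Start Page line is altered to the hijacked address the poster reports.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.needupdate.com/
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpBD09.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""

# Entry lines look like "O2 - <body>", "R0 - <body>", etc.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

# Assumed watchlists for illustration, built only from names this thread mentions.
PROCESS_WATCHLIST = {"mssearchnet.exe"}
DOMAIN_WATCHLIST = {"www.needupdate.com"}


def parse_log(text):
    """Split a HijackThis log into running processes and (section, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return {"processes": processes, "entries": entries}


def _last_path(body):
    """HijackThis separates fields with ' - '; the loaded file is the last field."""
    field = body.rsplit(" - ", 1)[-1]
    return field.replace("(file missing)", "").strip()


def triage(text):
    """Return (section, line, reason) tuples for entries worth a closer look."""
    parsed = parse_log(text)
    findings = []
    for proc in parsed["processes"]:
        name = proc.rsplit("\\", 1)[-1].lower()
        if name in PROCESS_WATCHLIST:
            findings.append(("process", proc, "running process is on the watchlist"))
    for section, body in parsed["entries"]:
        if section in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if host.lower() in DOMAIN_WATCHLIST:
                findings.append((section, body, "browser setting points at a watchlisted domain"))
        if section == "O2" and not _last_path(body).lower().endswith(".dll"):
            # A Browser Helper Object should be a DLL; a .tmp in system32 is not normal.
            findings.append((section, body, "BHO loaded from a non-DLL file"))
        if "(file missing)" in body:
            findings.append((section, body, "entry references a file that no longer exists"))
    return findings


if __name__ == "__main__":
    for section, line, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The `(file missing)` rule is deliberately low-severity: in the posted log it hits a Norton toolbar entry that is simply stale, so a helper treats it as cleanup material, not as evidence of infection.
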
LonnyRJones
2005-12-21, 02:08
Hi Bert, Welcome.

Download smitRem.exe (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1) and save the file to your desktop. (By noahdfear.)
Double click on the file to extract it to its own folder on the desktop.

Please download the trial version of Ewido Security Suite here:
Install it, then from within the program check for updates, BUT don't scan yet.
ewido security suite: http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), close the program.
Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates: Ad-Aware SE Setup (http://rstones12.geekstogo.com/adawareSE_setup.htm)
Don't run it yet!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, please reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items if there, then click FIX CHECKED:
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpBD09.tmp
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Spybot check for and fix any problems found.
Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Restart back to a normal windows session
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Get this free online scan and post the results
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to "[x] extended database", etc. Click OK.
Then choose: My Computer: scan all your hard drives and mapped disks.
When finished, click Save as text and post that in your reply.

Post a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist

BertV
2005-12-21, 02:13
Hi, excuse me for rushing into things.

After reading the topic "before you post", I ran the 3 online virus scans and the Spybot scan. I found and deleted some viruses (which my Norton anti-virus didn't find) and a lot of spyware.

My starting page is still "www.needupdate.com". I still get security alerts and pop-ups.
2 files which were identified by the online scanners as viruses cannot be deleted ("mscornet" and "mssearchnet.exe").
Every time I run a Spybot scan, it detects Smitfraud (some kind of spyware). It fixes the problem, but it returns every time I run a new scan.
And just as I'm typing this message I get a security alert that a backdoor trojan virus is installed (Trojan.Zlob), and it can't be removed with my virus scanner.

I'll post a new log-file

please, help

Bert

LonnyRJones
2005-12-21, 02:21
Hi

Still, follow the advice in my last post.

BertV
2005-12-22, 03:14
Hi,
thank you for your advice.
I followed your guidelines and things seem to work much better so far. There have been no more pop-up screens. My starting page is back to normal. No more SpyAxe alerts.
The kaspersky scan still showed some problems as you can see.

Thank you for your help so far. I would be lost without it.
Bert

BertV
2005-12-22, 03:18
And here is the attachment for the hijack log.

LonnyRJones
2005-12-22, 11:39
Hi

Those logs look fine even kaspersky's, good work.

If there are no problems now is a good time to flush the old system restore points.
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then reboot. < Don't skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

BertV
2005-12-23, 02:30
Amazing!
My computer was a real wreck before I came here for advice. Now it's working as new. I haven't had any more problems so far.
Spybot doesn't find any problems anymore. Neither does ad-aware or ewido.
No more spy-axe or virus warnings, no more pop-ups, no more Smitfraud. Clean as can be.
I also followed your advice about the system restore.

You guys make the world wide web a better and cleaner place. Keep up the good work! Thanks a lot!

Bert :bow:

LonnyRJones
2005-12-23, 03:46
That's great :bigthumb:


Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly
How did that go?

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

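A hosts file like the MVPS one works by mapping known ad and malware hostnames to a sink address so the browser never reaches them. As an added example (not part of this thread and not the MVPS project's own tooling), here is a small Python parser for that format that lists which hostnames are sinkholed, tolerates the quirks of a hand-edited Windows hosts file (tabs, CRLF line endings, trailing comments, several names on one line), and checks the "replace it about once monthly" advice by comparing the file's modification time against a 30-day limit. The sample file content is constructed; the example hostnames under `.test` are invented, and `www.needupdate.com` is included only because it is the hijacked start page named earlier in the thread.

```python
import ipaddress
import os
import time

# Constructed excerpt in the one-address-per-line format the MVPS file uses.
# The real file has many thousands of entries; these are made up for illustration.
SAMPLE_HOSTS = (
    "# constructed sample, not the MVPS file\r\n"
    "127.0.0.1\tlocalhost\r\n"
    "0.0.0.0 ads.example.test   # trailing comment is ignored\r\n"
    "0.0.0.0\ttracker.example.test beacon.example.test\r\n"
    "0.0.0.0 www.needupdate.com\r\n"
    "not-an-ip some.example.test\r\n"
)

# Addresses that make a name unreachable rather than pointing it somewhere.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback and are not blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return ({hostname: ip}, [bad lines]) from hosts-file text."""
    mapping, bad = {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, split on any whitespace
        if not fields:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            bad.append(raw.strip())               # keep going; report the line instead
            continue
        for name in names:
            mapping[name.lower()] = ip            # later lines win, as in the OS resolver
    return mapping, bad


def blocked_hosts(text):
    """Hostnames the file sinkholes (mapped to a sink address, not a local name)."""
    mapping, _ = parse_hosts(text)
    return {n for n, ip in mapping.items() if ip in SINK_ADDRESSES and n not in LOCAL_NAMES}


def is_blocked(text, hostname):
    """True if resolving hostname through this file would go nowhere."""
    return hostname.lower() in blocked_hosts(text)


def is_stale(mtime, now=None, max_age_days=30):
    """True if the file is older than the monthly replacement interval."""
    now = time.time() if now is None else now
    return (now - mtime) > max_age_days * 86400


def hosts_file_is_stale(path, max_age_days=30):
    """Same check against a real file on disk."""
    return is_stale(os.stat(path).st_mtime, max_age_days=max_age_days)


if __name__ == "__main__":
    mapping, bad = parse_hosts(SAMPLE_HOSTS)
    print("sinkholed:", sorted(blocked_hosts(SAMPLE_HOSTS)))
    print("unparseable lines:", bad)
    # Path assumed for a default Windows install; adjust if needed.
    win_hosts = r"C:\WINDOWS\system32\drivers\etc\hosts"
    if os.path.exists(win_hosts):
        print("needs replacing:", hosts_file_is_stale(win_hosts))
```

On Windows the file sits at `%SystemRoot%\system32\drivers\etc\hosts`; the MVPS pages linked above describe the download and replacement steps, and the staleness check here only answers whether that replacement is overdue.
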
BertV
2005-12-25, 03:24
Hi, everything is working fine so far. I did some more spybot and ad-aware scans and it didn't find any spyware anymore.

I adjusted my internet settings as advised on Setting the internet zone (http://www.mvps.org/winhelp2002/restricted.htm#Setting)
I adjusted my Privacy settings as advised on Protecting your privacy. (http://www.mvps.org/winhelp2002/cookies.htm)
Then I replaced the host file. Everything went well. I didn't encounter any big problems so far.

Thanks, I learned a lot these last days. Now I 'm going through the rest of "So how did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279) and the other help-pages.

BertV
2005-12-25, 05:28
Hi, I followed the instructions of http://forums.spybot.info/showthread.php?t=279
I installed Windows Anti-Spyware. But it causes errors while working as a different user than the one active during installation. So I uninstalled it again. Maybe that problem will be fixed soon.

I went to Jason Levine's Browser Security Tests (http://www.jasons-toolbox.com/BrowserSecurity/) and tested my computer, but the results were very poor. I changed my internet and privacy settings as advised in Setting the internet zone (http://www.mvps.org/winhelp2002/restricted.htm#Setting) and Protecting your privacy (http://www.mvps.org/winhelp2002/cookies.htm) but it didn't stop the javascripts or cookies.

Thanks so far, any more tips are always welcome.
Merry Christmas

LonnyRJones
2005-12-25, 08:10
Sounds like you have a handle on the PC :)


Merry Christmas

BertV
2005-12-25, 08:16
I installed CWShredder, and it didn't find any CoolWebSearch.
Installed WinPatrol.
Installed SpywareBlaster.
Installed SpywareGuard.
I tested my firewall on ShieldsUP (https://grc.com/x/ne.dll?bh0bkyd2). That gave excellent results. The results said this was exceptional for a Windows XP SP2 user.
I also went back to Jason Levine's Browser Security Tests (http://www.jasons-toolbox.com/BrowserSecurity/) but added his page to Restricted Zones in my internet settings. My browser didn't load any cookies or javascripts now.

It looks like my computer has turned into a real fortress. And all the programs I installed and are running don't slow my computer down. I even get the impression everything works faster now.

LonnyRJones
2005-12-26, 00:00
I'm glad we could help.
Since the problems are solved, I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.
If you should need to post another log for the same PC, let me know.