Results 1 to 4 of 4

Thread: vcodec directing to spyaxe

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Posts
    1

    Default vcodec directing to spyaxe

    Gents, I need some help. I have a problem with a strange thing. It is identified by spybot with vcodec and sg else. I tried to run Win XP in save mode , tried spybot and ad-aware zo remove the lousy thing. It still is here and starts: directing me to spyaxe, downloading it, ..displaying message infected .. spybot shows some changes in registry ... and so on.

    Here is a log from hijackthis. Please advise:
    Logfile of HijackThis v1.99.1
    Scan saved at 13:55:48, on 28.12.2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    C:\Programme\Nokia\Nokia D211\D211CTL.exe
    C:\Programme\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\mssearchnet.exe
    C:\Programme\Synaptics\SynTP\SynTPLpr.exe
    C:\Programme\Synaptics\SynTP\SynTPEnh.exe
    C:\Programme\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Programme\VERITAS Software\Update Manager\sgtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
    C:\Programme\Nokia\Nokia D211\D211STRT.EXE
    C:\Programme\FreePDF_XP\fpassist.exe
    C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\Programme\Copernic Desktop Search\CopernicDesktopSearch.exe
    C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Programme\A-Trust GmbH\a-sign Client\a-sign client.exe
    C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Programme\Textual\anagram\anagram.exe
    C:\WINDOWS\DvzCommon\DvzMsgr.exe
    C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Programme\Palm\HOTSYNC.EXE
    C:\Programme\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Programme\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
    C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Programme\Internet Explorer\iexplore.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Programme\Internet Explorer\iexplore.exe
    C:\Dokumente und Einstellungen\Hans Paepke\Eigene Dateien\Programinstallations\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp77D.tmp
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Programme\Copernic Desktop Search\CopernicDesktopSearchIntegration789.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [QCWLICON] C:\Programme\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [StorageGuard] "c:\Programme\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [D211STRT.EXE] "C:\Programme\Nokia\Nokia D211\D211STRT.EXE"
    O4 - HKLM\..\Run: [MySetup] D:\setup.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
    O4 - HKCU\..\Run: [Copernic Desktop Search] "C:\Programme\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: HotSync Manager.lnk = C:\Programme\Palm\HOTSYNC.EXE
    O4 - Global Startup: A-Trust a-sign Client.lnk = C:\Programme\A-Trust GmbH\a-sign Client\a-sign client.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: anagram.lnk = C:\Programme\Textual\anagram\anagram.exe
    O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O12 - Plugin for .esd: C:\Programme\w-form\w-netuser\w-plugin.dll
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfvi...iewerSetup.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Nokia D211 (D211CTL) - Nokia Corporation - C:\Programme\Nokia\Nokia D211\D211CTL.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

  2. #2
    Junior Member
    Join Date
    Dec 2005
    Posts
    1

    Thumbs up See: SpyAxe keeps coming back ...

    Hello all, thanks for help. I have tried the procedure proposed in the threat Spay Axe keeps coming back and I cant run SDHELper. The steps suggested by LonnyRJones worked fine with me. It seems that this solved after a lot of hours my problem. If I experience sg like this again.. I will let you know.
    Thanks to Lonny :dancing-c

  3. #3
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,694

    Default

    Hi there.
    Please post a fresh log so someone can make sure the system is clean.

    Also please read here:
    Before you post a log

    Respond in this, your own topic. Thanks.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,694

    Default

    This topic will be archived.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •