
Thread: SpyAxe - Is it ever really gone?

  1. #11
    Member
    Join Date
    Dec 2005
    Posts
    42

    Default

    Hello steam

    I have screen captures of the issues I described but I'm not certain if it is okay to post them? One of the images includes information on a Norton error message that was occurring while the program was sabotaged.

    Here is the copy of the ewido log with the Hijacker.SpyAxe entries. I also noticed (unrelated?) cookies but I don't recognize the location?

    I will be back in an hour or so with a more detailed reply.

    Oh and "Happy 2006!"

    Regards,
    O

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 12:16:16 PM, 28/12/2005
    + Report-Checksum: 21618B86

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724510c3-f3c8-4fb7-879a-d99f29008a2f} -> Hijacker.SpyAxe : Cleaned with backup
    HKU\S-1-5-21-3631192919-4047014472-3028651874-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{724510C3-F3C8-4FB7-879A-D99F29008A2F} -> Hijacker.SpyAxe : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wfl4kpd5gbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wgkysnc5eco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wjkoamdzgdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wjliajazccp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wjliond5gdq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wjny-1lcpcg.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wjny-1scpek.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup


    ::Report End

  2. #12
    Member
    Join Date
    Dec 2005
    Posts
    42

    Default

    Hello steam,

    Thank you for your continued help with my issue

    From your first post...

    ===
    Quote:
    something resembling the SpyAxe Shield had attached itself to the "Turn Off" Option.
    ===

    It looks like that was the windows update shield ... which is now resolved ?
    This is most likely correct. The Shield in question was the same as the one that I later found displayed in the Control Panel as the icon for the "Security Center". I was concerned because I had never encountered that message before and I had it set in my mind that installing updates requires a Restart not a Shut Down :o

    ===
    Quote:
    b) I have Spybot-S&D Version 1.4 installed already but I think that it is not running properly. (I cannot make the Resident "SDHelper" active.) If advisable, I would like to uninstall and reinstall this version. If this is okay, I need to know if there are any special instructions?
    ===

    How are you trying to enable it ? is the account you are using an admin account ?
    I am unclear about use of an admin account? I remember that when I would start the computer in Safe Mode I would be prompted about which user and would answer Admin but I never had to enter a password or anything. Generally speaking how would I know which account I was using?

    Load spybot > click "tools" > make sure "resident" is ticked > then click the resident shield on the left hand side...

    Under "resident protection status" make sure both boxes are ticked. If they aren't... tick them.
    I checked the settings in my Spybot and I am able to make changes by ticking and ticking various boxes including the Resident "Tea Timer". The Resident "SD Helper" highlights but I am unable to place a tick in the box. I believe I may have inadvertently deleted the entry for this function because I did not fully understand how to use the Resident "Tea Timer" window?

    If you want to uninstall & reinstall, that's OK...remember you will lose any backups spybot has made, so if you want to replace anything which has been removed by spybot, you should do that first (I doubt you have anything which is needed).... so go to add\remove programs in the Control panel and uninstall it.... then download and install a fresh copy.
    No worry about my wanting to Recover anything

    ===
    Quote:
    c) The current version of smitRem that is on my desktop is 2.8 (according to the log from the last fix.) I am not sure how to remove it, do I just delete the entries on my desktop and then empty my Recycle Bin or are there specific instructions?
    ===

    The Smitrem exe file is a self extracting file, which creates a folder in the same location as the smitrem.exe file, this folder contains all the necessary files to run the tool ... to remove it simply delete the smitrem.exe file and the folder which it created.
    Thanks I will proceed with the removal.

    ===
    Quote:
    A side note is that the Malicious Software removal tool for November was displaying on my Add/Remove programs list before I went to bed that night. When I awoke the next morning it was gone and 2 of the 3 critical updates were installed. The missing one was the Malicious Software removal tool for December.
    ===

    I wouldn't read too much into this ...The "Malicious Software removal tool for December." was successfully downloaded to my computer (KB890830) but does not show in my add\remove either (in any form)

    The file downloads and runs once each month, if you want to run it more often, you need to go here :-

    http://www.microsoft.com/security/ma...e/default.mspx

    When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed. The tool creates a log file named mrt.log in the %WINDIR%\debug folder.

    -snip-

    To see if it ran OK ... see what your log says...
    Thanks for letting me know that there is a log and how to find it. I will check after I finish this reply.

    ===
    Quote:
    The Security Center in my control panel is unavailable
    ===

    I don't know what you mean by this ... are you saying that when you click the "security center" icon in Control Panel... nothing happens ?
    When I access the "Security Center" in the Control panel I see the following message:

    Security Essentials

    The Security Center is currently unavailable because the "Security Center" service has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again.

    Manage security settings for:

    *icon* Internet Options *icon* Automatic Updates *icon* Windows Firewall
    Hopefully I haven't missed responding to something important?

    4 1/2 hours to 2006 for me ... see you next year

  3. #13
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    554

    Default

    steamwiz and Oppressed: Excuse me for butting in, but thought a couple pieces of info could help.
    Quote Originally Posted by Oppressed
    I am unclear about use of an admin account? I remember that when I would start the computer in Safe Mode I would be prompted about which user and would answer Admin but I never had to enter a password or anything. Generally speaking how would I know which account I was using?

    I checked the settings in my Spybot and I am able to make changes by ticking and ticking various boxes including the Resident "Tea Timer". The Resident "SD Helper" highlights but I am unable to place a tick in the box. I believe I may have inadvertently deleted the entry for this function because I did not fully understand how to use the Resident "Tea Timer" window?
    Spybot's SDHelper.dll which is also known as Bad Download Blocker will not allow itself to be enabled (ticked box) if the dll file doesn't exist in the main Spybot S&D folder under the Program Files folder. This might have been deleted by malware, though there could be other causes. A non-administrator can generally enable/disable this since it's actually a BHO (Browser Helper Object).

    A reinstall of the program is one way to recover the SDHelper.dll file, but I believe they've also got a copy posted somewhere for download since a couple malware target this file for deletion. Ask Lonny, I can't find the reference.

    Quote Originally Posted by Oppressed
    No worry about my wanting to Recover anything
    A normal uninstall of Spybot S&D deletes most configuration items, including logs, but not the Recovery files. This is so you won't lose these backups during a panic uninstall where someone suspects that Spybot is causing a problem.

  4. #14
    Security Expert-Emeritus steamwiz's Avatar
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    Hi

    I won't quote anything, we're going to get confused with quotes of quotes of quotes...

    --
    The 2 spyaxe "files" referenced in the ewido report, are not files, they are registry keys which got missed in the cleanup, I don't believe you still have a spyaxe problem...

    --
    You say you don't recognise the location?

    C:\Documents and Settings\Derek\Cookies

    The cookies which were found, I believe come from ebay ... they are believed to be tracking cookies so should be removed.

    As for windows updates requiring a Restart or a Shut Down ... it's the same thing really isn't it.

    --
    re: admin accounts...

    "Generally speaking how would I know which account I was using?"

    Go to the Control Panel and click "user accounts" ... if it says "computer administrator" next to the account, it has admin rights

    See bitman's post about the "SD Helper"

    --
    RE: security Center

    Let's start the service and see if that helps



    Start > Run > Type: services.msc > Click OK

    Scroll down to and double click Security Center service

    Set the "startup type" to Automatic

    Click the Start button > When Security Center service has started, close Services...

    --
    bitman ... please feel free to "Butt in" anytime...

    By the way, I took the comment about the admin account directly from the relevant page in spybot itself..."With an administration account, you can also install or uninstall the blocker here"

    Thanks for the tip about spybot not deleting the recovery files ... I didn't know that.

    --
    Well I think that's everything, if I've missed anything... let me know.

    steam
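
steamwiz's point in post #14, that the two Hijacker.SpyAxe entries are registry keys rather than files, can be read straight off the report. The following is an added example (not part of any post and not ewido's own tooling): a Python parser for the report lines posted in #11 that classifies each reported object and shows that both registry entries carry the same CLSID. The line format is assumed from the posted report only.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "kind location detection action clsid")

# Sample input: lines copied from the ewido report in post #11 (cookie entries cut to two).
SAMPLE_REPORT = r"""
+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724510c3-f3c8-4fb7-879a-d99f29008a2f} -> Hijacker.SpyAxe : Cleaned with backup
HKU\S-1-5-21-3631192919-4047014472-3028651874-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{724510C3-F3C8-4FB7-879A-D99F29008A2F} -> Hijacker.SpyAxe : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wfl4kpd5gbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wgkysnc5eco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
::Report End
"""

# "<object> -> <detection name> : <action>", the line shape used in the report above.
LINE_RE = re.compile(r"^(?P<loc>.+?) -> (?P<det>\S+) : (?P<act>.+)$")
HIVE_RE = re.compile(r"^(HKLM|HKU|HKCU|HKCR|HKCC)\\", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def classify(location):
    """Return 'registry', 'cookie', 'file' or 'other' for a reported object."""
    if HIVE_RE.match(location):
        return "registry"
    if DRIVE_RE.match(location):
        return "cookie" if "\\cookies\\" in location.lower() else "file"
    return "other"


def parse_report(text):
    """Parse finding lines; header lines ('+ ...', '::Report End') never match."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        loc = m.group("loc")
        clsid = CLSID_RE.search(loc)
        findings.append(Finding(classify(loc), loc, m.group("det"), m.group("act"),
                                clsid.group(0).upper() if clsid else None))
    return findings


def summarize(findings):
    """Count findings per (detection, kind) and collect distinct CLSIDs per detection."""
    counts = Counter((f.detection, f.kind) for f in findings)
    clsids = {}
    for f in findings:
        if f.clsid:
            clsids.setdefault(f.detection, set()).add(f.clsid)
    return counts, clsids


if __name__ == "__main__":
    counts, clsids = summarize(parse_report(SAMPLE_REPORT))
    print(dict(counts), clsids, sep="\n")
```

Both Hijacker.SpyAxe findings come back as `registry` with one shared CLSID: the Browser Helper Object registration under HKLM and the per-user `Ext\Stats` entry for the same object.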

  5. #15
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    554

    Default

    Oppressed: See steamwiz' comments above.

    steamwiz:
    Quote Originally Posted by steamwiz
    By the way, I took the comment about the admin account directly from the relevant page in spybot itself..."With an administration account, you can also install or uninstall the blocker here"
    I hadn't realized you were referring to installation, I was focused on the enable via the check (tick) box.

    For more clarity; the 'Show more information' entry you referenced above is slightly inaccurate. It's correct to state that only an Administrator account can install the SDHelper.dll file, or TeaTimer.exe for that matter, in the main Spybot S&D Program Files folder when using the NTFS file system with a Win 2000/XP OS.

    However, the check box to enable both the SDHelper and TeaTimer resident programs is created in the HKey_Current_User portion of the registry since the Spybot S&D 1.3 version. So each user can individually enable or disable either of these once they are installed using an Administrator account, which is always done during the main installation process.

  6. #16
    Member
    Join Date
    Dec 2005
    Posts
    42

    Default

    bitman,

    Thank you for the assistance provided.

    steamwiz,

    I have very little understanding of the workings of Windows XP. I have only owned and used one other personal computer which was running with Windows 98SE.

    Also, my understanding of the workings of computers comes from information and advice given by others. One piece of information was that a Shut Down and a Restart might not always provide the same end result. I believe this information came after a software install or upgrade repeatedly failed because I had used a Shut Down rather than a Restart. Being quite gullible I am sure I have been easily misled on many occasions and it now appears that instance was one of those times.

    The reason I do not recognize the location is because Internet Explorer is not mentioned. As well the use of the word Documents and Settings is new. Maybe a Windows XP term?

    I apologize for any inconvenience I have caused you due to my lack of understanding of and appropriate use of technical terminology.

    LonnyRJones,

    If you are reading this Thread I would like to request instructions for replacing the SDHelper.dll

    If I am required to complete the process suggested by Corrine before this will be allowed please let me know so I can proceed.

    Regards and Happy New Year to All,
    O

  7. #17
    Member
    Join Date
    Dec 2005
    Posts
    42

    Default

    p.s. steamwiz, Thank you for the information on recognizing Admin Accounts and on starting the Security Center.

  8. #18
    Security Expert-Emeritus steamwiz's Avatar
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    Hi bitman

    I think we are saying the same thing here...

    If the sdhelper was not installed when spybot was installed, then ticking the box will install and enable it ...on an admin account

    If you try to tick it on a non-admin account you will not be able to.

    Oppressed ... If your husband installed spybot on his admin account, but did not install the sdhelper, and your account is a non-admin account, you won't be able to install or enable it.

    If both of your accounts are admin, then you can forget all of this as it does not apply to you.

    Go here :- start > MY Computer > C: > Program Files > Spybot - Search & Destroy ... that's...

    C:\Program Files\Spybot - Search & Destroy

    Look in this folder and see if you have an SDHelper.dll file ....

    let us know...

    ====
    This I would like confirmed by bitman or someone else first

    If you don't see one... Go here :-

    http://www.spywareinfo.com/~merijn/w....html#sdhelper

    and download SDHelper.dll

    Copy the file to the C:\Program Files\Spybot - Search & Destroy

    The SDHelper.dll file at Merijn's site says (version 1.3) and is 728 KB in size

    The current SDHelper file on my computer is 834 KB (version 1.4)

    Is it OK to use the one on Merijn's site ? or do we need to get the one from this site (if we can find it)


    --
    The C:\Documents and Settings folder is a standard folder on all XP systems and contains all the user accounts...

    Win2000 & WinME also have a Documents and Settings folder

    steam

  9. #19
    Member
    Join Date
    Dec 2005
    Posts
    42

    Default

    Quote Originally Posted by steamwiz
    Oppressed ... If your husband installed spybot on his admin account, but did not install the sdhelper, and your account is a non-admin account, you won't be able to install or enable it.

    If both of your accounts are admin, then you can forget all of this as it does not apply to you.
    Thank you again for your assistance.

    I was the one who installed Spybot. The "SDHelper" was working up till the 2nd time (3 weeks ago) when SpyAxe messed with the computer. I was visiting this Site and the "TeaTimer" warning came up stating that the Browser Helper was deleted and I responded with a "Deny change" that didn't seem to take as I was asked the question over and over and over again until I replied something like "Deny all". I thought this was the prudent answer? After this all the "Deny" buttons disappeared and the pop-up kept returning insistently every time I closed it. Right now I don't remember how I made it stop /go away? Maybe I unticked the "TeaTimer" box in SpybotSD Resident Window? Or finally just said "Allow"? Either would probably have had the same result?

    Also, yesterday when I looked in the Control Panel under User Accounts there were only my husband's Account which is Admin and a Guest Account with the message "Guest Account is Off". I'm not certain if this is normal or if the person who built the computer created this Account for themself?


    Quote Originally Posted by steamwiz
    Go here :- start > MY Computer > C: > Program Files > Spybot - Search & Destroy ... that's...

    C:\Program Files\Spybot - Search & Destroy

    Look in this folder and see if you have an SDHelper.dll file ....

    let us know...
    I followed the instructions and did not find the SDHelper.dll file listed.

    Quote Originally Posted by steamwiz
    --
    The C:\Documents and Settings folder is a standard folder on all XP systems and contains all the user accounts...

    Win2000 & WinME also have a Documents and Settings folder

    steam
    Thanks for the information.

    I look forward to reinstating the "SD Helper" when the DL information is verified.

    Regards,
    O

  10. #20
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    554

    Default

    steamwiz is correct, you must be an administrator to enable/disable as well as install the SDHelper.dll file, though the file is always installed with the program. I confused this with TeaTimer.exe which can be enabled/disabled by each user individually, though it must be installed by an Administrator initially. The actual specifics for this on each version of OS and XP Home vs. Pro are slightly different, but don't really matter in this case.

    Don't install that older 1.3 version of SDHelper.dll, since it isn't current and might create problems. Since from your description it appears that Spyaxe deleted the file and you may have created other issues with TeaTimer with your answers, I'm going to recommend a complete re-install of the Spybot S&D program.

    First, make sure you either have the original installation file named spybotsd14.exe or download a copy from one of the mirrors found here:
    http://www.spybot.info/en/mirrors/index.html

    Go into Control Panel, Add/Remove Programs, click Spybot - Search & Destroy 1.4 and click Remove
    Answer any prompts to uninstall the program

    Now, re-install the program by double-clicking the spybotsd14.exe file and follow the prompts.

    Once it's installed, check whether Spybot Scans OK and TeaTimer shows up in the System Tray. If TeaTimer starts making lots of pop-ups, let us know, but just disable it until we can help. There is a known problem with the TeaTimer buttons display which may be why you had issues with it, so leave it off if you'd rather.
