
Thread: SpyAxe - Is it ever really gone?

  1. #1
    Member
    Join Date
    Dec 2005
    Posts
    42

    SpyAxe - Is it ever really gone?

    Hello

    I am posting on these Forums because the one where I received assistance is closed for the Holidays and I would like some input on new issues with my XP SpyAxe infected computer.

    I had believed that this scourge had been removed from my system but apparently this is not so.

    After receiving a "Clean Bill of Health" I shut that computer down. Today when I turned it on my first action was to download updates for my various Security programs.

    I started with Norton AntiVirus only to find on restart that my Norton had been sabotaged! I needed to Fix 5 issues but could not. Live Update seemed to work but Norton indicated this Fix had not been successful. None of my Auto Protect features could be turned on. I was also unable to complete a Full System Scan.

    I next went to my start>Turn Off Computer and noticed that something resembling the SpyAxe Shield had attached itself to the "Turn Off" Option. The note reads, "Click Turn Off to install important updates and turn off your computer. Click here to turn off without installing updates."

    Needless to say I have renewed concerns especially with regards to Shutting Down my Computer.

    Also, I checked for Windows Updates and what I found was also alarming. Apparently there are 3 High-priority updates for my computer (KB910437, KB905915 and KB890830) but they all show 0KB to download with the message (Downloaded; ready to install) and all have a publish date of 12/13/2005. Call me paranoid but this all seems very odd! Can I even trust that I am at a legitimate site? Or is this, another SpyAxe trick? To be on the safe side I didn't do anything. I don't know for sure but I believe that at the time I had turned the computer off these updates would not have even been available. So how could I have even downloaded them? And not installed them? I know I only found them today and took NO action at all. I also know with my Windows 98 computer I have to authorize a download but I don't know about Windows XP. Would it automatically download but not install? And it is my belief that installs require a restart NOT a Shut Down?

    Anyway, next I used ewido security suite; found and installed updates; did a scan which found "2" NEW Hijacker.SpyAxe files which had previously not been found. After cleaning these I did a restart and my Norton Status was once again green (Good).

    I’m still afraid my computer is a lost cause. I’m afraid to do a Shut Down and it is now going to be scheduled for a reformat thanks to the malicious &*%$&# that thinks it is fun to cost innocents their hard earned money.

    I just thought I would bring this further SpyAxe infection issue to everyone's attention as well, if anyone can enlighten me regarding how exactly I should expect the Windows Update to work and if these patches/fixes are legit?

    Thanks in advance for any help

  2. #2
    Security Expert Corrine's Avatar
    Join Date
    Oct 2005
    Location
    Upstate, NY
    Posts
    62


    Hi, Oppressed. Welcome to Safer Networking Forums. More than likely you had a newer variant of this infection on your computer. If you have the smitRem© fix tool on your computer, please remove it and download a new copy as shown in the thread below. The tool was updated the other night.

    Please see the thread linked below for complete instructions.

    As you have already posted a first HijackThis log, just proceed with the remaining steps and post the other logs as a reply to this topic for a final check.

    Thank you.

    http://forums.spybot.info/showthread.php?t=1316
    Windows Insider MVP * * * Microsoft MVP, 2006-20016

    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

  3. #3
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859


    Quote Originally Posted by Oppressed
    … Also, I checked for Windows Updates and what I found was also alarming. Apparently there are 3 High-priority updates for my computer (KB910437, KB905915 and KB890830) but they all show 0KB to download with the message (Downloaded; ready to install) and all have a publish date of 12/13/2005. Call me paranoid but this all seems very odd! Can I even trust that I am at a legitimate site? Or is this, another SpyAxe trick? To be on the safe side I didn't do anything. I don't know for sure but I believe that at the time I had turned the computer off these updates would not have even been available. So how could I have even downloaded them? And not installed them? I know I only found them today and took NO action at all. I also know with my Windows 98 computer I have to authorize a download but I don't know about Windows XP. Would it automatically download but not install? And it is my belief that installs require a restart NOT a Shut Down? …

    This may be a normal situation depending on your settings for Automatic Updates. Check your settings for Automatic Updates. In Windows XP if you have Automatic Updates set to "Download updates for me, but let me choose when to install them", then the updates will automatically download any time you are online after they are made available by Microsoft. Windows XP will normally notify you when the updates have been downloaded and are ready to be installed.

    As far as the rest of your questions, possibly someone can help you if you follow the scanning and posting instructions here:

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #4
    Member
    Join Date
    Dec 2005
    Posts
    42


    Hello Corrine & md usa spybot fan,

    Thanks for the prompt replies.

    I will be away from my computer for the better part of today but will proceed with the instructions at my earliest opportunity.

    md usa spybot fan,

    Thanks for the information re: Windows Updates. That is most likely how the issue occurred. I received the update but not the advisory notice, probably due to SpyAxe.

    Regards,
    O

    p.s. I sure would like to have ewido available retail in my area, it wins over Norton any day! I'll have to check into this further.

  5. #5
    Security Expert Corrine's Avatar
    Join Date
    Oct 2005
    Location
    Upstate, NY
    Posts
    62


    I don't believe Ewido is available on the retail market, just through the website.
    Windows Insider MVP * * * Microsoft MVP, 2006-20016

    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

  6. #6
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956


    Hi Oppressed.

    You might want to let steamwiz know if you believe the infection has returned.

    The site does not appear to be down:
    http://www.help2go.com/component/opt...rum/Itemid,32/
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  7. #7
    Member
    Join Date
    Dec 2005
    Posts
    42


    Hi Corrine

    Thanks for the information on ewido.

    tashi,

    I didn't realize that it was only part of the help2go Forums. I used my Favorite and went straight to the Spyware Help Boards and everything was Locked Down so I didn't think to look further.

    http://www.help2go.com/component/opt...topic/t,17277/

    I'll post or send a PM to steamwiz to let them know :o

  8. #8
    Member
    Join Date
    Dec 2005
    Posts
    42

    Before I Proceed ...

    Hi Corrine,

    Thank you in advance for your patience as I work to re-learn how to use some of the steps.

    I have reviewed the instructions given on the Link provided and reacquainted myself with the procedures.

    Before I continue I require some additional information.

    What I need to know is:

    a) I have version 1.99.01 of HijackThis.exe already installed in a Folder on my C Drive. Is this the correct version or do I need to upgrade? Also, I don't have an entry in my start menu or a Desktop shortcut; previously I just ran the program by double-clicking on the icon in the Folder. Is it okay to run the program from the Folder as I did it previously?

    b) I have Spybot-S&D Version 1.4 installed already but I think that it is not running properly. (I cannot make the Resident "SDHelper" active.) If advisable, I would like to uninstall and reinstall this version. If this is okay, I need to know if there are any special instructions?

    c) The current version of smitRem that is on my desktop is 2.8 (according to the log from the last fix.) I am not sure how to remove it, do I just delete the entries on my desktop and then empty my Recycle Bin or are there specific instructions?

    Thanks again for helping me out with this issue.

    O

  9. #9
    Member
    Join Date
    Dec 2005
    Posts
    42


    Quote Originally Posted by tashi
    Hi Oppressed.

    You might want to let steamwiz know if you believe the infection has returned.

    The site does not appear to be down:
    http://www.help2go.com/component/opt...rum/Itemid,32/

    Hi tashi,

    I'm posting to let you know that I have posted to let steamwiz know.

    Quote Originally Posted by md usa spybot fan
    This may be a normal situation depending on your settings for Automatic Updates. Check your settings for Automatic Updates. In Windows XP if you have Automatic Updates set to "Download updates for me, but let me choose when to install them", then the updates will automatically download any time you are online after they are made available by Microsoft. Windows XP will normally notify you when the updates have been downloaded and are ready to be installed.

    Hi md usa spybot fan,

    I thought I had posted an update re this information. My computer was set up to Automatically download and install Every day at 3:00am. (Just a minute while I double-check.) I know my computer was turned on after that time and when I went manually to the Windows Update Web Site to do a manual Update using the Install Button nothing was installed. A side note is that the Malicious Software removal tool for November was displaying on my Add/Remove programs list before I went to bed that night. When I awoke the next morning it was gone and 2 of the 3 critical updates were installed. The missing one was the Malicious Software removal tool for December. Also, on inspection the Mystery "Shield" is no longer attached to my "Shut Down" Option. The Security Center in my control panel is unavailable. My Windows Firewall shows it is turned on though. And last point of interest is that when I checked my System Restore today there was made @ 3:00:14 am the night following my original posting here a "Software Distribution Service 2.0" restore point. This was even though the computer with the issue was disconnected from the Internet at the time and still is. To me it looks like the Automatic Update took priority over an attempt to manually install the Critical Updates. This seems strange to me that I wouldn't be able to manually check for Critical Updates?

    Regards,
    O

  10. #10
    Security Expert-Emeritus steamwiz's Avatar
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313


    Hi Oppressed

    From your first post...

    Quote
    something resembling the SpyAxe Shield had attached itself to the "Turn Off" Option.

    It looks like that was the windows update shield ... which is now resolved ?

    Quote
    Anyway, next I used ewido security suite; found and installed updates; did a scan which found "2" NEW Hijacker.SpyAxe files which had previously not been found. After cleaning these I did a restart and my Norton Status was once again green (Good).

    I would like to see the ewido log showing the location of these 2 new spyaxe files ?

    from post #8

    Quote
    a) I have version 1.99.01 of HijackThis.exe already installed in a Folder on my C Drive. Is this the correct version or do I need to upgrade? Also, I don't have an entry in my start menu or a Desktop shortcut; previously I just ran the program by double-clicking on the icon in the Folder. Is it okay to run the program from the Folder as I did it previously?

    Yes to everything ... if you want a shortcut on your desktop, right click the exe file > create shortcut > drag & drop it onto your desktop, or cut & paste.

    Quote
    b) I have Spybot-S&D Version 1.4 installed already but I think that it is not running properly. (I cannot make the Resident "SDHelper" active.) If advisable, I would like to uninstall and reinstall this version. If this is okay, I need to know if there are any special instructions?

    How are you trying to enable it ? is the account you are using an admin account ?

    Load spybot > click "tools" > make sure "resident" is ticked > then click the resident shield on the left hand side...

    Under "resident protection status" make sure both boxes are ticked. If they aren't... tick them.

    If you want to uninstall & reinstall, that's OK...remember you will lose any backups spybot has made, so if you want to replace anything which has been removed by spybot, you should do that first (I doubt you have anything which is needed).... so go to add\remove programs in the Control panel and uninstall it.... then download and install a fresh copy.

    Quote
    c) The current version of smitRem that is on my desktop is 2.8 (according to the log from the last fix.) I am not sure how to remove it, do I just delete the entries on my desktop and then empty my Recycle Bin or are there specific instructions?

    The Smitrem exe file is a self extracting file, which creates a folder in the same location as the smitrem.exe file, this folder contains all the necessary files to run the tool ... to remove it simply delete the smitrem.exe file and the folder which it created.

    Quote
    A side note is that the Malicious Software removal tool for November was displaying on my Add/Remove programs list before I went to bed that night. When I awoke the next morning it was gone and 2 of the 3 critical updates were installed. The missing one was the Malicious Software removal tool for December.

    I wouldn't read too much into this ...The "Malicious Software removal tool for December." was successfully downloaded to my computer (KB890830) but does not show in my add\remove either (in any form)

    The file downloads and runs once each month, if you want to run it more often, you need to go here :-

    http://www.microsoft.com/security/ma...e/default.mspx

    When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed. The tool creates a log file named mrt.log in the %WINDIR%\debug folder.

    This is my mrt.log

    ***
    Microsoft Windows Malicious Software Removal Tool v1.11, December 2005
    Started On Sat Dec 31 14:52:06 2005

    Results Summary:
    ----------------
    No infection found.

    Return code: 0
    Microsoft Windows Malicious Software Removal Tool Finished On Sat Dec 31 14:52:30 2005
    ***

    To see if it ran OK ... see what your log says...

    Quote
    The Security Center in my control panel is unavailable

    I don't know what you mean by this ... are you saying that when you click the "security center" icon in Control Panel... nothing happens ?

    steam
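
As an added example (not part of steamwiz's post and not Microsoft's own tooling): a small Python parser for the mrt.log format quoted in post #10, flagging any run that never finished, returned a non-zero code, or reported something other than "No infection found." The second run in the sample and the names `parse_mrt_log` and `needs_review` are constructed here for illustration.

```python
import re

# Sample input: the first run is the log quoted in post #10; the second run
# is constructed here to show a run that started but never wrote its footer.
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool v1.11, December 2005
Started On Sat Dec 31 14:52:06 2005

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sat Dec 31 14:52:30 2005
Microsoft Windows Malicious Software Removal Tool v1.11, December 2005
Started On Sun Jan 01 03:00:14 2006
"""

HEADER = re.compile(r"^Microsoft Windows Malicious Software Removal Tool (v[\d.]+), (.+)$")
FINISHED = re.compile(r"^Microsoft Windows Malicious Software Removal Tool Finished On (.+)$")

def parse_mrt_log(text):
    """Split mrt.log text into one dict per run, keyed on the header line."""
    runs, run, in_summary = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER.match(line):
            run = {"version": m.group(1), "release": m.group(2), "started": None,
                   "finished": None, "summary": [], "return_code": None}
            runs.append(run)
            in_summary = False
        elif run is None or not line or set(line) <= {"-", "*"}:
            continue  # blank lines, dashed rules and the *** delimiters
        elif m := FINISHED.match(line):
            run["finished"] = m.group(1)
        elif line.startswith("Started On "):
            run["started"] = line[len("Started On "):]
        elif line.startswith("Results Summary"):
            in_summary = True
        elif line.startswith("Return code:"):
            run["return_code"] = int(line.split(":", 1)[1].split()[0])
            in_summary = False
        elif in_summary:
            run["summary"].append(line)
    return runs

def needs_review(run):
    """A run is clean only if it finished, returned 0 and reported no infection."""
    return not (run["finished"] and run["return_code"] == 0
                and run["summary"] == ["No infection found."])
```

To run it against a real log, read the file from the %WINDIR%\debug folder mentioned in the post and pass its text to `parse_mrt_log`; check the file's encoding first, since it is an assumption here that it decodes as plain text.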
