SpyAxe, ooh, coming to get me


Kinslayer777

Hello, I'm currently running Microsoft XP

On a Vaio Sony Desktop computer (not mine, my colleague's. I don't know which year he bought it)

I've used McAfee, Spybot, Ad-aware, Trend Micro, Microsoft Anti-Spyware.

Some of these can find variants of SpyAxe, and even remove a few. A few variants though, and the main still stays. If you want my Hijack log, I'll post it at the end.

To any mods: I'm having a little difficulty serving on this cruddy computer (I need to post with it to post the log) and so I am sincerely sorry if I'm going against a sticky.

PS, I also use ZoneAlarm Pro (trial) on this computer. It won't pick up anything but Giga Pocket (known), Sony IPT Framework, and Sony Vaio (acting as server).

I've tried smitRem (runthis.bat) removal for SpyAxe. Perhaps, though, I'm not using it properly. I did remove all visible traces of it. But, I know it's still there...

(Some other random info. I have CCleaner.)

Oh, and before I came to help fix the comp, only McAfee virus paid security was on.

Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:54:45 PM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.exe
C:\Documents and Settings\Andrzerj Brzezinski\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [McAgentexe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McUpdateexe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - Global Startup: OptiCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\OptiCAL\OptiCAL.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PIOTR'~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mci ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\giga pocket\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (Application) (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I don't see any nasties in your HijackThis log. But I noticed you do have way too many things running on startup. It would be best to keep the amount of applications that run on startup down or your computer will not perform as best as it could.

Open up Start Menu > Run. Type msconfig and press Enter. Go to the Startup tab and it lists your startup items. You have some HP and McAfee items set to start up, as well as I can see Nero, iTunes, MS Anti-spyware, Java updater and QuickTime files. Are they all necessary? From my understanding McAfee already starts up the Antivirus protection services on startup and the ones you have listed are part of their online scanning (Not sure how they work this, I don't have McAfee).

I normally have absolutely nothing running on startup for my computer at work and at home. I'm pretty sure those applications that start up for McAfee etc. aren't part of the actual virus protection. There are services running for that. They are probably just for the console and updaters.

I'm seeing no indication of this SpyAxe in your log; it doesn't look too bad.

SpyAxe ain't active anymore (usually an O4 entry).

Have you run smitRem already?

SmitRem usually takes care of it. After running smitRem (which I think you have already), run an online scan to take care of the rest.

From my understanding McAfee already starts up the Antivirus protection services on startup and the ones you have listed are part of their online scanning (Not sure how they work this, I don't have McAfee).

Yes it does (the McAgent.exe (something like that)). The other one should be the real time protection and the auto-updater.
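
The replies above read the log's O4 (autostart) lines to judge how much launches at startup and whether SpyAxe still has an entry there. As an added example (not part of the original thread and not HijackThis's own code), this Python code parses O4 lines and searches them by keyword; the function names are hypothetical and the sample lines are a constructed excerpt adapted from the log in the first post.

```python
import re

# Constructed sample: lines adapted from the HijackThis log in the first post.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - Global Startup: OptiCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\OptiCAL\OptiCAL.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Registry autostart: O4 - HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(
    r"^O4 - (?P<source>HK(?:LM|CU)\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
# Startup-folder shortcut: O4 - Global Startup: name.lnk = target
LNK_RE = re.compile(
    r"^O4 - (?P<source>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.+)$")


def exe_path(command):
    """Return the program path from a command line, dropping quotes and arguments."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    # Unquoted paths may contain spaces, so cut at the first executable extension.
    bare = re.match(r"(.*?\.(?:exe|dll|bat|cmd))(?=\s|$)", command, re.IGNORECASE)
    return bare.group(1) if bare else command


def parse_o4(log_text):
    """Collect every O4 (autostart) entry as a dict: source, name, command, path."""
    entries = []
    for line in log_text.splitlines():
        match = RUN_RE.match(line.strip()) or LNK_RE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["path"] = exe_path(entry["command"])
            entries.append(entry)
    return entries


def find_by_keyword(entries, keywords):
    """Return entries whose value name or command contains any keyword (case-insensitive)."""
    wanted = [k.lower() for k in keywords]
    return [e for e in entries
            if any(k in (e["name"] + " " + e["command"]).lower() for k in wanted)]


if __name__ == "__main__":
    startup = parse_o4(SAMPLE_LOG)
    print(len(startup), "autostart entries;", "SpyAxe hits:", find_by_keyword(startup, ["spyaxe"]))
```

An empty keyword result only means no autostart entry carries that name in its value name or command line; it says nothing about entries under a different name or in other log sections.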
