Fun with SpyAxe

Normally I don’t get hit by viruses. I’m very good with Windows Update and keeping the anti-virus signatures up to date on my machine. Thus, I was very surprised yesterday afternoon when I saw a blinking tray icon and a badly worded balloon message indicating that I had an “infection”.


A quick check showed that a program called “SpyAxe” had shown up installed on my system. What’s worse, I found two suspicious processes named MSSEARCHNET.EXE and NVCTRL.EXE running. Attempts to kill them using TaskMgr and Process Explorer (ProcExp) weren’t successful, as they kept re-spawning. Definitely virus behavior.


With this info in hand, I hit MSN Search and found that there was a recent upswing in activity related to the SpyAxe “tool” (as well as the similar SpySheriff), starting around 12/28/05. Warning: I don’t claim to be a virus expert, nor claim to offer useful advice on helping others who get hit by this. What follows is just some of my observations. Your mileage may vary.


My first attempt to rid my system of this was to download the latest AV signatures from the corporate network. A full scan of my system later, no viruses detected, but I still definitely had badness on my system.


At this point I was starting to take off the gloves. Long-time readers of my MSDN column know that I know a thing or two about mucking around with processes.


Early on I had noticed several files with current creation times in my \windows\system32 directory, including MSSEARCHNET.EXE and NVCTRL.EXE. I couldn’t delete any of them, as they were all “locked” by another process. Using one of my favorite tricks, Image File Execution Options, I was able to stop them from continuously re-spawning. After deleting the files, I thought I was done. A second check of \windows\system32 showed there was still a file: LDxxxx.TMP that was locked. (Where xxxx is four random numbers.)


Using ProcExp, I determined that this file was loaded by WinLogon.exe. A quick check of my wife’s machine showed that her WinLogon.exe had nothing similar going on. Hmm… badness. What’s worse, I ran my PEDUMP utility on the LDxxxx.TMP file, and found it calling functions like Process32First/Next, RegSetValue, and WININET.DLL functions. They were exactly the combination of functions you’d use to download files and inject bad code into unsuspecting processes.
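An added example, not the author’s PEDUMP and not code from the original post: a small Python walker over a PE file’s import directory that does the same kind of triage, listing what a module imports and flagging the combination called out above (process enumeration, registry writes, WinInet downloads). The indicator table, the `build_sample_pe` helper and the sample module’s import list are constructed here for illustration; the parser itself follows the documented PE import-descriptor layout.

```python
import struct
INDICATORS = {"process enumeration": {"createtoolhelp32snapshot", "process32first", "process32next"},
              "registry write": {"regsetvaluea", "regsetvaluew", "regsetvalueexa", "regsetvalueexw"},
              "internet download": {"internetopenurla", "internetopenurlw", "internetreadfile"}}

def list_imports(data):
    """Walk a PE32/PE32+ image's import directory; return {dll: [imported name, ...]}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                                   # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    width = 8 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 4          # PE32+ thunks are 8 bytes
    imp_rva = struct.unpack_from("<I", data, opt + (112 if width == 8 else 96) + 8)[0]  # data directory[1]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsect)]
    def rva2off(rva):  # map an RVA to a file offset via the section table (StopIteration if unmapped)
        return next(rva - va + raw for _, vs, va, rs, raw in sections if va <= rva < va + max(vs, rs))
    cstr = lambda off: data[off:data.index(b"\0", off)].decode("ascii", "replace")
    result, d = {}, rva2off(imp_rva)
    while (desc := struct.unpack_from("<IIIII", data, d))[3]:                      # all-zero descriptor ends list
        funcs, t = [], rva2off(desc[0] or desc[4])                                 # OriginalFirstThunk, else FirstThunk
        while entry := int.from_bytes(data[t:t + width], "little"):
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry >> (width * 8 - 1)  # high bit: import by ordinal
                         else cstr(rva2off(entry) + 2))                            # else skip the 2-byte hint
            t += width
        result[cstr(rva2off(desc[3])).lower()] = funcs
        d += 20
    return result

def triage(imports):  # which indicator categories does this module's import list hit?
    names = {f.lower() for funcs in imports.values() for f in funcs}
    return sorted(cat for cat, fns in INDICATORS.items() if names & fns)

def build_sample_pe(imports):  # constructed sample: minimal PE32 whose one section holds only an import table
    sec_va, sec_raw, body = 0x1000, 0x200, bytearray(20 * (len(imports) + 1))
    for i, (dll, funcs) in enumerate(imports.items()):
        ilt = len(body); body += bytes(4 * (len(funcs) + 1))                       # thunk array + terminator
        name = len(body); body += dll.encode() + b"\0"
        for j, fn in enumerate(funcs):
            struct.pack_into("<I", body, ilt + 4 * j, sec_va + len(body))
            body += b"\0\0" + fn.encode() + b"\0"                                  # hint + name
        struct.pack_into("<IIIII", body, 20 * i, sec_va + ilt, 0, 0, sec_va + name, sec_va + ilt)
    hdr = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0")          # DOS header, e_lfanew=64
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)                   # COFF header, one section
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 optional header
    struct.pack_into("<II", opt, 96 + 8, sec_va, 20 * (len(imports) + 1))           # import directory entry
    hdr += opt + struct.pack("<8sIIII", b".idata", len(body), sec_va, len(body), sec_raw) + bytes(16)
    return bytes(hdr.ljust(sec_raw, b"\0")) + bytes(body)

SAMPLE = build_sample_pe({"KERNEL32.dll": ["Process32First", "Process32Next"],
                          "ADVAPI32.dll": ["RegSetValueExA"], "WININET.dll": ["InternetOpenUrlA"]})
```

Run `triage(list_imports(open(path, "rb").read()))` against a real module to get the same three-way verdict; a hit is only a lead for closer inspection, since legitimate tools import the same APIs.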


Entering the phrase “WinLogon .TMP DLL” into MSN Search, I found that this is a well-known exploit, and that the .TMP DLL actually adds registry values to this key:




The added registry values redirect various DLLs loaded by Internet Explorer. Even worse, when I deleted those registry entries, at least one of them reappeared. Definitely evil behavior.


At this point I cranked up RegMon, deleted the offending registry values, then checked to see who was re-writing them. Turns out it was WinLogon.exe. Whoever’s responsible for this isn’t your garden variety kiddie hacker.


Question of the day: How would you stop this evil DLL from continuously resetting the key value back? Being brave (or foolhardy) I attached a debugger to WinLogon.exe. For the debugger, I chose PEBrowseInteractive because of its great breakpoint-setting abilities. My intent was to trap when the DLL called RegSetValue, and NOP out the code.


However, the breakpoint never appeared to get hit. At the same time, Explorer started acting very sick. I reset the machine to try the trick again, but when I rebooted, I saw no trace of the WinLogon LDxxxx.TMP DLL anymore. Not completely sure that I’d eliminated the malware, I did a bunch more searching, verified a ton of registry keys, carefully examined each process, and at the moment it appears that I’m clean.


Just to be safe, I ran RootkitRevealer, and it came up clean as well.


Since then, I’ve been running IE at the “High” security level, and only adding well known sites to the trusted sites list.


Sorry if this post sounds like an ad for SysInternals and SmidgeonSoft, but their stuff is just good. Incidentally, be sure to read Mark R’s post on this same topic.

Comments (13)

  1. matt says:

    Just curious… are you running as a limited user or an administrator on your machine?

  2. Gabe says:

    An easy way to get rid of processes that keep respawning themselves is to simply debug all of them simultaneously. That will cause them to all be suspended and can then just be terminated at will. In the case where one of them is something important, like WINLOGON, you would have to set a breakpoint at CreateProcess and remove the offending portion of code.

  3. Jeff Parker says:

    Actually I am more curious if you figured out where you got it yet? Or how?

  4. Mithun says:

    Isn’t Data Execution Prevention (DEP) supposed to prevent code injection? DEP is turned on by default on XP-SP2 and it should (at least theoretically) throw exceptions each time injected code is executed from heap / stack etc. (non-code segments).

    Can you throw some light on this?



  5. Matt Pietrek says:

    Sadly, no idea where I picked it up.

    DEP apparently is only set for essential programs and services in XP SP2. I’ve toggled it to the more aggressive setting and will monitor how it works for me.

  6. You could well have been hit by the WMF exploit, which as a Win31 developer you may find amusing; they use the SetAbortCallback() operation to set a callback on escaped printing; insert this into a metafile and then on playback time as soon as you Escape() in the doc it gets invoked.

    Any malicious image sent by spam or IM could have triggered it. Just be grateful that the payload was spyware+advertising, not something subtle like a keystroke logger.

    There is an "unofficial" fix at, but as you have access to GDI32 source, you could patch it at origin. The fix comes with source for you to review and compile yourself incidentally.

    As an aside, I don’t ever trust a machine that has had spyware on it. Clean build the bunny. You know it makes sense; your registry will love you for it. Then move to vmware hosted windows sessions which can be rolled back/destroyed more easily.


  7. Rosyna says:

    Matt, I imagine you got hit by the recent WMF vulnerability. Heck, what you describe (the Spyware antispyware thing) is exactly how people figured out the cause of the exploit. You can be exploited by just browsing the internets using IE, even if you go to trusted sites. Many exploits are done by buying adspace on frequently visited websites then serving up an image that runs the exploit. I imagine this is how you got it.

    In order for DEP/NX to prevent this you really need the hardware support.

  8. Matt Pietrek says:

    I agree. I’m not terribly inclined to trust an infected machine.

    Luckily I’m really close to purchasing a new X64 X2 box as my main home machine, and repaving my current box to act as a Windows Media Center server.

  9. Norman Diamond says:

    > I’m not terribly inclined to trust an infected machine.

    Beware, there’s more you can’t trust. To wit:

    > I’m really close to purchasing a new X64 X2 box as my main home machine

    Oh good. Would you like to start a list of motherboard makers, graphics board makers, etc., who lie in their published specifications regarding their compatibility with Windows XP x64, 4GB of RAM, etc.?

    When a board maker doesn’t mention compatibility with an X2 or doesn’t have XP x64 drivers or whatever, no problem, I just don’t consider buying one. But when makers say they support 4GB of RAM and have x64 drivers etc., and the fact is they don’t and they never even tested their own stuff, that is fraud. Last fall, falsified specs persuaded me to spend money on garbage. During the holidays I replaced it by spending money on other makers’ garbage. Some internet surfing revealed that these kinds of lies by makers are rampant.

  10. hskoglund says:

    I had more or less the same experience with an early cousin to that notorious WinLogon LDxxxx.TMP DLL at some customer’s PC last year. (It was some kind of malware/adware virus built on top of it.) And yes, when it dawns on you that it isn’t the normal vanilla hacker pattern, it gets interesting!

    Of course a normal antivirus program is useless in removing that LDxxxx.TMP DLL, since it is locked so good. I thought of writing a custom service etc. to remove it, but WinLogon is launched before services.exe! After some coffee I remembered the MoveFile program available from System Internals, and I tried to queue up the destruction of that nasty WinLogon hooking Dll upon the next reboot. But alas, it polled that part of the registry too!

    And a safe boot was pointless as well, since WinLogon is equally well up and running in that environment (with the notify hooks and all). So I ended up using the XP bootCD and the recovery console to successfully purge the DLL from the system. And that would be my answer to your Question of the day: use the recovery console to remove the DLL.

    I remember, I thought that that malware platform design smelled Russian somehow. Someone good at chess has written a "malware" SDK for sale perhaps…

    Best regards, Henry

  11. Robert says:

    I also did battle with SpyAxe on my lad’s PC, infernal thing. In the end these instructions did it for me:

    Not sure it’s the WMF exploit — I thought it was a December one: