New threat: Spyaxe

Hi there,

I recently had an infection on a friend's PC which I could not detect or repair with Spybot S&D, Ad-Aware, MS's Anti-Spyware beta, SpyBouncer, or AVG. It is from Spyaxe, a bogus anti-spyware product that hijacks your taskbar, pops-up an annoying message ("Windows has detected spyware", etc.), spawns and redirects IE to the Spyaxe homepage (I won't link to it for fear of spyware), and disables the Taskbar and Start Menu control panel. It infects the System32 folder. Looks like the guys at spywareinfoforum.com have discovered the details:

http://www.spywareinfoforum.com/index.php?showtopic=61139&hl=spyaxe

My friend dug around his System32 folder and manually pulled out the offending files; since he knew when the infection occured, he could pull all files modifeid at a certain time. Most people are obviously not so lucky as to know when such infections occured.

This is a very recent problem - two weeks ago there were no posts on the Net about this via Google. Now there seem to be several.

I hope SpywareBlaster gets a blocker for this, and that someone sues or arrests the turds at Spyaxe!

 

Spxaxe.com themselves are offering a solution and acknowledging the problem. Follow these directions and you'll be done with it. They are easy and they worked for me.

In order to clean your PC from infections related to Spyware Axe product, please follow the instructions below:

1) Save Uninstallers.zip from http://www.spyaxe.com/uninstall/uninstallers.zip to your desktop or HDD.

2) Extract 2 files "illegal_adv_uninstall1.exe" and "illegal_adv_uninstall2.exe" to your desktop or your HDD using WinZip.

3) Execute both of them one by one by double-clicking with your mouse.
*note: they will run instantly in the background. So don't be concerned when you don't visually see anything happening.

4) Reboot your PC

5) Your PC is now clean from the infections.

If you haven't done so already, delete the entire spyaxe directory from your drive under program files. Good luck

 

As well as the above
I also deleted the file C:\Windows\System32\svchosts.dll
this seems to have done the trick

 

Never delete svchosts.dll this is a dll who is usedby several legal programs. When deleted your system may beinstable...

Steven

 

yep
they claim one of their affiliates has done these drive by installs
thus the uninstaller ( which seems to remove other associated malware too )

they also claim that the affiliate who did this is no longer an affiliate

 

thanks. it looks like it has worked so far. But now I can't delete the spyaxe folder from my program files. it says 'cannot delete dbghelp.dll. access denied.the souce file may be in use. When I try to unistall it takes me to the spyaxe website to send feedback. what should I do?thanks

 

you might try to delete the file in safe mode.

 

This program can tell you who/what has the files locked, and can unlock them: http://ccollomb.free.fr/unlocker/

You may want to take note of programs that are accessing the folder
and research them before unlocking/deleting anything.

Also, svchost is just that--a host for services. In this case it just happened
to be hosting something suspicious, but unless the file has been altered,
svchost in itself should not be dangerous.

And don't get carried away with 'unlocker.' <g> You only want to unlock
known offenders.

 

I was infected with the Spyaxe mess this morning and as with the others I couldn't seem to do much about it. I had to constantly X out of the spyaxe box just to do anything with Control panel or anything else. Finally I did a system restore to yesterday, I emptied my recycle bin, deleted the Norton protected recycle files and did a search for Spyaxe and it comes up with nothing. Could I really gotton rid it it so easy?

 

If you use the MVPS hostfile you won't get this, it's on the list.

 

I found that in order to delete the malware that was redirecting my homepage I had to go in safe mode in order to effect delete. The other phoney alert kept running even in safe mode but it was easy to find and kill.

 

Like I said yesterday, all I had to do was do was a system restore to the previous day (I've got Windows XP Pro OS) and delete what was left in recycle bin. I didn't do any other deleting of files. It's been 36 hours and no sign of it left.

 

how do you go into safemode? im not really a computer elite and ive been infected by the virus

 

To do this with Windows XP, you can follow these steps from Microsoft:

1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you the Boot Menu appears.
2. Select an option when the Windows Advanced Options menu appears, and then press ENTER.
3. When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

 

Well in the ongoing battle with spyaxe, the uninstallers http://www.spyaxe.com/uninstall/uninstallers.zip are now no longer available at the spyaxe website, and I just got the virus. Can anyone post the zip file so that those who get this in the future may remove the problem?

 

Hi all.

It appears Spyaxe has removed their web site from the internet. This makes downloading their 2 unistall files impossible. For those infected running Windoxs XP, a system restore to a previous date fixed my friend's problem.

 

I got it today. I tried several solutions found in various blogs and none of them worked. I tried every anti-spyware and anti-virus I could find. I have norton internet security pro which didn't get it. I did the system restore to yesterday and it worked. The svchost.dll is gone as well.

 

System Restore Worked!!

 

Can u tell me how you got rid of the alert please? I can't find it...
thanx

 

Is it still gone? No need to do anything else to get rid of it permanently?

 

i used this and it worked for me. BTW it creates a file called svhosts.dll notice the s on the end. Also be aware i have heard reports of the uninstaller from spyaxe simply installing more crap on your computer....

http://www.sysinternals.com/Forum/forum_posts.asp?TID=2200&PN=1&TPN=5

 

The windows file that you and others have referred to is svchost.dll but the file associated with spyaxe is svchosts.dll

 

to all spyaxe victims:

Spyware Expert Noahdfear has made a tool to remove this infection:
download smitRem.exe from
http://noahdfear.geekstogo.com/click counter/click.php?id=1


after downloading doubleclick the self extractor to install it to a folder on your desktop
then reboot into safe mode ( important )

when in safe mode:

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish., then run scans with your spyware scanner , your virus-scanner and your antitrojan, allowing them to fix what they find.

it should be gone after a reboot

note that there may be other associated registry entries still remaining, you must manually remove them ( extra caution should be taken when editing the registry, errors can result in a disaster! always back up the registry before editing it )

if you experience any troubles with it ( run it on your own risk ! )
please ask for cleaning help on one of the spyware cleaning forums listed here

http://asap.maddoktor2.com/

 

Unfortunately there is a NEW version of SpyAxe out there that only sits there and laughs at all previous solutions. It is MUCH worse and instead of dropping extra files into your system which you can find and delete, it attacks certain critical system files and changes their function so they support the evil purposes of the creators.

Really, these guys take the cake. I am thinking evil thoughts about them, even as the little nag message sits in the lower right of my screen even now reminding me that I have not yet been able to kill this bug.

On my system, the following files are modified:

wuauclt.exe
wuauclt1.exe
ctfmon.exe

The first two you can get back from your windows install disk or from the latest service pack archive. The third one you only have if you have Microsoft Office installed (I do) so presumedly they attack a different file if you do not.

There is also at least ONE other critical file affected, and if I knew which one that is, I might be able to get ahead, but unfortunately I do NOT.

WARNING! The latest version of Adaware claims to be able to kill SpyAxe but it only works on the earlier kinds. If you have this latest one, it TELLS you that its deleting it, but as soon as you reboot it comes BACK and worse than ever.

 

spyaxe has no relation to Winfixer 2005 or WinAntiSpyware 2005 does it