New threat: Spyaxe

Discussion in 'other security issues & news' started by uclajd, Nov 9, 2005.

Thread Status:
Not open for further replies.
  1. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    can you check winlogon.exe properties, post them here, thank you
    also i'd like you to scan that file with Jotti's malware scan, http://virusscan.jotti.org

    see above, if there is something odd at your winlogon.exe, could you upload it to http://www.thespykiller.co.uk/forum/index.php?board=1.0

    see instructions for uploading here:
    http://www.thespykiller.co.uk/forum/index.php?topic=5.0

    thank you in advance

    edit: Jim, i would like to see your hijackthis log, see this page for info:
    http://www.tomcoyote.org/hjt/

    other victims see here:
    https://www.wilderssecurity.com/showthread.php?t=42148
     
  2. garney

    garney Guest

    spyaxe removal explanation and instructions here:
    spyaxe
     
  3. How I dealt with Spyaxe

    I dealt with spyaxe simply by downloading a free trial of Spy Sweeper. I ran a sweep, it caught SpyAxe, then told me to reboot. I rebooted a minute ago, and lo and behold, I have no annoying little popup at the corner of my screen, and my homepage is back to normal.

    Why waste time with dangerous file deletion when Spy Sweeper can do it for you?
     
  4. ugnius

    ugnius Registered Member

    Joined:
    Aug 20, 2004
    Posts:
    2
  5. Iluvporn

    Iluvporn Guest

    Huzzah SPYAXE axed!
     
  6. NewbyName

    NewbyName Guest

    Re: New threat: Spyaxe (.bat->.cmd)

    This advice worked for me ...

    >Spyware Expert Noahdfear has made a tool to remove this infection:
    >download smitRem.exe from
    >http://noahdfear.geekstogo.com/click...click.php?id=1

    ... BUT the RunThis.bat file wouldn't run on my XP Pro system, until
    I renamed it to RunThis.cmd (inspired by a French version of this file
    I found elsewhere).

    Hope this helps anyone else out there with the same problem.

    Cheers
     
  7. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
  8. 71euy

    71euy Guest

    SPYAXE SUCKS!

    Don't go anywhere near this product that purports to be a free malware scanner. I did and even taking advised steps to clear it, it kept respawning, coming up with multiple pop ups and incessant warnings that my PC was infected. Yes it was Spyaxe! Going to their site for the removal tool did not allow me to download it - a pure scam. This is a gotU product in an effort to make you buy their product. After 2 or 3 hours trying to remove it from various program files and many registry entries I was still getting problems.

    I tried Norton, Spybot and Adaware all to no avail although they did remove some files. Finally I downloaded PC Tools Spyware Doctor - a first class product that finally deleted all the malware etc that had been installed from SpyAxe.

    This was money well spent on Spyware Doctor as it cleared up some other issues but most importantly includes "On Guard" to protect from other companies and downloads similar to SpyAXE.

    Will SpyAxe refund the cost of Spyware Doctor? I think not as they are a bunch of crooks.
     
  9. sienaworld

    sienaworld Guest

    Hi,

    Tried all the various solutions to the SpyAxe problem, nothing worked, including all the older downloadable fixes and uninstallers -- this must be one of the new ones -- managed to find my way through MSInfo to a solution which seems to have worked for me.

    I found that the file "wbeconm.dll" located in the folder c:\windows\system32 was creating the annoying pop-up taskbar message. This can actually be located and renamed without any recourse on your computer and seems to solve the problem. However, we found that the SpyAxe initial installation, even if not completed, leaves a trojan called Trojan.Zlob.D which creates fake entries in the registry at:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    Delete the file located in the string 'Kernel32.dll - [file name]' then delete the entry in the registry, check any others here as well (I found the others were problems too).

    Cheers.
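
The two artifacts sienaworld names above (wbeconm.dll in system32 and the values under the Policies\Explorer\Run key) can be inventoried before anything is deleted or renamed. The PowerShell below is an added example, not part of the original post; the function names Resolve-CommandTarget and Get-FileTriage, and the System32 fallback for bare file names, are assumptions made for illustration.

```powershell
# Added example: read-only triage; nothing is deleted, renamed or modified.
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$dllPath = Join-Path $env:SystemRoot 'System32\wbeconm.dll'

function Resolve-CommandTarget {
    param([string]$Command)
    # Pull the file path out of a Run value (may be quoted or carry arguments).
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { $c = $Matches[1] }
    elseif ($c -match '^(.+?\.(exe|dll|com|bat|cmd|scr))(\s|$)') { $c = $Matches[1] }
    # Assumption: a bare file name is looked up in System32.
    if (-not [IO.Path]::IsPathRooted($c)) { $c = Join-Path $env:SystemRoot "System32\$c" }
    return $c
}

function Get-FileTriage {
    param([string]$Source, [string]$Path)
    # Record existence, timestamp, vendor string, hash and signature status.
    $exists = Test-Path -LiteralPath $Path -PathType Leaf
    $item   = if ($exists) { Get-Item -LiteralPath $Path -Force }
    [pscustomobject]@{
        Source    = $Source
        Path      = $Path
        Exists    = $exists
        Modified  = if ($exists) { $item.LastWriteTime }
        Company   = if ($exists) { $item.VersionInfo.CompanyName }
        SHA256    = if ($exists) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash }
        Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $Path).Status }
    }
}

# Start with the DLL named in the post, then add every value under the Run key.
$report = @(Get-FileTriage -Source 'file named in post' -Path $dllPath)
if (Test-Path -LiteralPath $runKey) {
    $key = Get-Item -LiteralPath $runKey
    foreach ($name in $key.GetValueNames()) {
        $target = Resolve-CommandTarget ([string]$key.GetValue($name))
        $report += Get-FileTriage -Source "Run value '$name'" -Path $target
    }
} else {
    Write-Output "Key not present: $runKey"
}
$report | Format-List
```

Entries whose Signature is not Valid, or whose Company field is empty, are the ones to examine first; the SHA256 column lets the file be looked up or submitted to a scanner before it is touched.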
     
  10. peeved

    peeved Guest

    Has anybody come up with a solution to this latest version of Spyaxe? Because it is really messing up my week.
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you tried the link in this post?
    It takes you through to this link of which I have used the enclosed tool successfully to remove spyaxe/smitfraud.

    Let us know how you go...

    Cheers :D
     
  12. Stoffel

    Stoffel Guest

    Hello,

    I've been attacked with this stupid thingy as well since yesterday afternoon.

    I've literally tried everything proposed here, but nothing worked... it keeps coming back!
    I assume it must be a new version which smitRem doesn't remove?
    (BTW, the links to smitRem are dead this morning...?)

    Here's my HT-log, I hope someone can help me!
    THX

    ~snip~ removed HJT Log
     
    Last edited by a moderator: Dec 28, 2005
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Stoffel, have you followed the instructions in my post above yours?

    Cheers :D
     
  14. Stoffel

    Stoffel Guest

    That's what I tried, yes... didn't work though.

    When I try to run the smitRem-tool, I see lots of "not found"-thingies appearing and stuff... but it doesn't remove SpyAxe :(
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    And this was done in Safe Mode? The instructions have to be followed precisely or they will not work.

    Cheers :D
     
  16. Stoffel

    Stoffel Guest

    Hi :)

    Yes, I did it in Safe Mode ;)


    But I've found another solution now!
    sienaworld wrote about it a bit earlier as well... I had to remove the wbeconm.dll first!

    When I did that, the smitRem-tool and Ewido solved the problem.
    (It wouldn't work without removing that dll though)

    Afterwards, I also removed all values containing the name "SpyAxe" in the register.
    And I removed all folders and files on my computer also containing that name.

    And now it doesn't seem to come back... so: yippee :D


    THX! :)
     
  17. neophyte

    neophyte Guest

    Thanks to all for your postings and help - I just got stung by this piece of turd software. I did the system restore and that seems to have worked. For those like me who are relative novices at pcs here is what to do in Windows XP:
    - click on the start menu
    - select "help and support"
    - at the top left of this screen, there is a "search" box. In it type "system restore wizard"
    - you will get two options - pick the one that says "Run the System Restore Wizard"
    - choose "restore my computer to an earlier time" and click next
    - you will see a calendar with some dates that are in bold type face. These are the days that you can restore your system to. Pick a date that is before the infection by spyaxe and hit "next" and then follow instructions.
     
  18. i was trying to get rid of the alert for 3 days, after i downloaded the spy sweeper, then it is gone. and funny thing is that spy sweeper is free for 14 days. you can download it from their official website. but still my homepage is covered by their page (securitywarning.net). do you know how i can remove this page from my cover. one more thing i have scanned my computer with spyware doctor, it says i have still registry files left from the spyaxe, but spy sweeper doesn't, how come?
     
  19. In case any of you haven't mentioned it yet, there is a SpyAxe removal tool that can be found at this link:

    http://bleepingcomputer.com/forums/topic/36868.html

    Look for a program called smitRem (Do a search on the web site if needed), and download the file. It removed SpyAxe AND the Trojan that downloaded it.

    Killerbfb12345
     
  20. JonPaulOnLine

    JonPaulOnLine Registered Member

    Joined:
    Aug 10, 2005
    Posts:
    96
    Location:
    Philadelphia PA USA
    Or
    Start
    Programs
    Accessories
    System Restore
    "- choose "restore my computer to an earlier time" and click next"
     
  21. db1234

    db1234 Guest

    system restore worked fine for me, piece o' cake. I run XP Pro...
     
  22. Michigan

    Michigan Guest

    Hi

    It seems that I have got the same kind of new Spy Axe since yesterday morning, struggling to get rid of the sucking spyware. Now that merely using smitRem and ewido under safe mode did not improve the situation, I am trying the way posted above.
    I do find the wbeconm.dll, but unable to remove it. Please help me to show the way to remove it!!
     
  23. LadyDev

    LadyDev Guest

    STOPzilla (www.stopzillia.com) or Spyware Doctor really work. Tried Xoftsoft, spybot, (the trio of Smitfraud, Ewido and Adware SE), McAfee virus plus spyware, Etrust Pest Control, the Microsoft spyware to no avail. I am not a spokesperson for Stopzilla, but it worked. Will have to pay a few dollars though when the trial period expires, $19.95.
     
  24. Andrew!

    Andrew! Guest

    "I do find the wbeconm.dll, but unable to remove it. Please help me to show the way to remove it!!"

    I'm having the same problem, I had it before... had to format my comp... I'm thinking I'm going to have to do this again!

    Yes I'm in safe mode... Spyware Doctor removed everything but the taskbar window.... then it redownloaded itself later
     
  25. sullive

    sullive Guest

    Hi, there!

    You have an enterprising friend, or an anti-enterprising friend. I just need help! This annoying fake has prevented me from getting my usual educational homepage, I have to set up my web page for the spring semester, and I want out!

    I can't get in touch with my smart people at my job until after New Year -- you're right -- there should be a lawsuit!!!

    xxx,

    Prof. Sullivan

     