New threat: Spyaxe

Discussion in 'other security issues & news' started by uclajd, Nov 9, 2005.

Thread Status:
Not open for further replies.
  1. uclajd

    uclajd Registered Member

    Joined:
    Jan 13, 2005
    Posts:
    5
    Hi there,

    I recently had an infection on a friend's PC which I could not detect or repair with Spybot S&D, Ad-Aware, MS's Anti-Spyware beta, SpyBouncer, or AVG. It is from Spyaxe, a bogus anti-spyware product that hijacks your taskbar, pops up an annoying message ("Windows has detected spyware", etc.), spawns and redirects IE to the Spyaxe homepage (I won't link to it for fear of spyware), and disables the Taskbar and Start Menu control panel. It infects the System32 folder. Looks like the guys at spywareinfoforum.com have discovered the details:

    http://www.spywareinfoforum.com/index.php?showtopic=61139&hl=spyaxe

    My friend dug around his System32 folder and manually pulled out the offending files; since he knew when the infection occurred, he could pull all files modified at a certain time. Most people are obviously not so lucky as to know when such infections occurred.

    This is a very recent problem - two weeks ago there were no posts on the Net about this via Google. Now there seem to be several.

    I hope SpywareBlaster gets a blocker for this, and that someone sues or arrests the turds at Spyaxe!
     
  2. Detres

    Detres Guest

    Spyaxe.com themselves are offering a solution and acknowledging the problem. Follow these directions and you'll be done with it. They are easy and they worked for me.

    In order to clean your PC from infections related to Spyware Axe product, please follow the instructions below:

    1) Save Uninstallers.zip from http://www.spyaxe.com/uninstall/uninstallers.zip to your desktop or HDD.

    2) Extract 2 files "illegal_adv_uninstall1.exe" and "illegal_adv_uninstall2.exe" to your desktop or your HDD using WinZip.

    3) Execute both of them one by one by double-clicking with your mouse.
    *note: they will run instantly in the background. So don't be concerned when you don't visually see anything happening.

    4) Reboot your PC

    5) Your PC is now clean from the infections.

    If you haven't done so already, delete the entire spyaxe directory from your drive under program files. Good luck
     
  3. Mell

    Mell Guest

    As well as the above
    I also deleted the file C:\Windows\System32\svchosts.dll
    this seems to have done the trick
     
  4. StevenMe

    StevenMe Guest

    Never delete svchosts.dll. This is a DLL that is used by several legal programs. When deleted, your system may be unstable...

    Steven
     
  5. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    yep
    they claim one of their affiliates has done these drive by installs
    thus the uninstaller ( which seems to remove other associated malware too )

    they also claim that the affiliate who did this is no longer an affiliate
     
  6. bighorn

    bighorn Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    2
    thanks. it looks like it has worked so far. But now I can't delete the spyaxe folder from my program files. it says 'cannot delete dbghelp.dll. access denied. the source file may be in use.' When I try to uninstall it takes me to the spyaxe website to send feedback. what should I do? thanks
     
  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    you might try to delete the file in safe mode.;)
     
  8. TalWolfe

    TalWolfe Registered Member

    Joined:
    Jul 11, 2005
    Posts:
    14
    This program can tell you who/what has the files locked, and can unlock them: http://ccollomb.free.fr/unlocker/

    You may want to take note of programs that are accessing the folder
    and research them before unlocking/deleting anything.

    Also, svchost is just that--a host for services. In this case it just happened
    to be hosting something suspicious, but unless the file has been altered,
    svchost in itself should not be dangerous.

    And don't get carried away with 'unlocker.' <g> You only want to unlock
    known offenders.
     
  9. gov2mod

    gov2mod Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    2
    I was infected with the Spyaxe mess this morning and as with the others I couldn't seem to do much about it. I had to constantly X out of the spyaxe box just to do anything with Control Panel or anything else. Finally I did a system restore to yesterday, I emptied my recycle bin, deleted the Norton protected recycle files and did a search for Spyaxe and it comes up with nothing. Could I really have gotten rid of it so easily?
     
  10. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    If you use the MVPS hostfile you won't get this, it's on the list.:)
     
  11. termy57

    termy57 Guest

    I found that in order to delete the malware that was redirecting my homepage I had to go into safe mode in order to effect the deletion. The other phoney alert kept running even in safe mode but it was easy to find and kill.
     
  12. gov2mod

    gov2mod Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    2
    Like I said yesterday, all I had to do was a system restore to the previous day (I've got Windows XP Pro OS) and delete what was left in the recycle bin. I didn't do any other deleting of files. It's been 36 hours and no sign of it left.
     
  13. sochookedcer

    sochookedcer Registered Member

    Joined:
    Nov 22, 2005
    Posts:
    1
    how do you go into safe mode? I'm not really a computer elite and I've been infected by the virus
     
  14. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    To do this with Windows XP, you can follow these steps from Microsoft:
    1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you see the Boot Menu appear.
    2. Select an option when the Windows Advanced Options menu appears, and then press ENTER.
    3. When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
     
  15. AaronW

    AaronW Guest

    Well in the ongoing battle with spyaxe, the uninstallers http://www.spyaxe.com/uninstall/uninstallers.zip are now no longer available at the spyaxe website, and I just got the virus. Can anyone post the zip file so that those who get this in the future may remove the problem?
     
  16. RussHahn

    RussHahn Guest

    Hi all.

    It appears Spyaxe has removed their web site from the internet. This makes downloading their 2 uninstall files impossible. For those infected running Windows XP, a system restore to a previous date fixed my friend's problem.
     
  17. montanero

    montanero Guest

    I got it today. I tried several solutions found in various blogs and none of them worked. I tried every anti-spyware and anti-virus I could find. I have norton internet security pro which didn't get it. I did the system restore to yesterday and it worked. The svchost.dll is gone as well.
     
  18. muttlyone

    muttlyone Guest

    System Restore Worked!! :cool:
     
  19. Abe Twist

    Abe Twist Guest

    Can you tell me how you got rid of the alert please? I can't find it...
    thanx
     
  20. Anh

    Anh Guest

    Is it still gone? No need to do anything else to get rid of it permanently?
     
  21. mebored81

    mebored81 Guest

  22. Roffy

    Roffy Guest

    The windows file that you and others have referred to is svchost.dll but the file associated with spyaxe is svchosts.dll
     
  23. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    to all spyaxe victims:

    Spyware Expert Noahdfear has made a tool to remove this infection:
    download smitRem.exe from
    http://noahdfear.geekstogo.com/click counter/click.php?id=1

    after downloading doubleclick the self extractor to install it to a folder on your desktop
    then reboot into safe mode ( important )

    when in safe mode:

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish, then run scans with your spyware scanner, your virus scanner and your antitrojan, allowing them to fix what they find.

    it should be gone after a reboot

    note that there may be other associated registry entries still remaining, you must manually remove them ( extra caution should be taken when editing the registry, errors can result in a disaster! always back up the registry before editing it )

    if you experience any troubles with it ( run it at your own risk ! )
    please ask for cleaning help on one of the spyware cleaning forums listed here

    http://asap.maddoktor2.com/
     
  24. Jim Selleck

    Jim Selleck Guest

    Unfortunately there is a NEW version of SpyAxe out there that only sits there and laughs at all previous solutions. It is MUCH worse and instead of dropping extra files into your system which you can find and delete, it attacks certain critical system files and changes their function so they support the evil purposes of the creators.

    Really, these guys take the cake. I am thinking evil thoughts about them, even as the little nag message sits in the lower right of my screen even now reminding me that I have not yet been able to kill this bug.

    On my system, the following files are modified:

    wuauclt.exe
    wuauclt1.exe
    ctfmon.exe

    The first two you can get back from your Windows install disk or from the latest service pack archive. The third one you only have if you have Microsoft Office installed (I do) so presumably they attack a different file if you do not.

    There is also at least ONE other critical file affected, and if I knew which one that is, I might be able to get ahead, but unfortunately I do NOT.

    WARNING! The latest version of Adaware claims to be able to kill SpyAxe but it only works on the earlier kinds. If you have this latest one, it TELLS you that it's deleting it, but as soon as you reboot it comes BACK and worse than ever.
     
  25. arrowsmithmidwest

    arrowsmithmidwest Registered Member

    Joined:
    May 12, 2004
    Posts:
    165
    Location:
    Midwest
    spyaxe has no relation to Winfixer 2005 or WinAntiSpyware 2005, does it? o_O
     