Spy Axe

Alan

Hi,
I've been infected by a program called Spy Axe which is telling me that I
have dangerous malware on my system. It's a New Zealand-based company whose
Web Page looks quite legitimate.
I have both Webroot Spy Sweeper and Microsoft Anti Spyware running and they
are finding nothing. There is an icon on my bottom toolbar which flashes and
gives the message in a balloon. If I close this balloon down, it pops up
again within five seconds.
I've tried everything I know to get rid of it without success. This scum
company is effectively blackmailing me into buying their product which I
will not do, I'll reinstall Windows or buy a new computer before I give this
scum one penny. I can't be the only one with this, anyone have any ideas how
to get rid of it?
Regards,
Alan.
 
Will Denny

Hi

Try running the following programs to check for any spyware that may be on
your system:

Spybot - http://www.safer-networking.org/
CWShredder - http://forum.aumha.org/downloads/cwshredder.zip
Ad-Aware - www.lavasoftusa.com
Spy Sweeper - www.webroot.com

Try SpyWareBlaster to stop intrusions:

http://www.javacoolsoftware.com/spywareblaster.html

Also see the following links:

http://aumha.org/a/parasite.htm
http://mvps.org/winhelp2002/unwanted.htm

--


Will Denny
MS MVP Windows Shell/User
Please reply to the News Groups
 
Yves Leclerc

Hi,
I've been infected by a program called Spy Axe which is telling me that I
have dangerous malware on my system. It's a New Zealand-based company whose
Web Page looks quite legitimate.
I have both Webroot Spy Sweeper and Microsoft Anti Spyware running and they
are finding nothing. There is an icon on my bottom toolbar which flashes and
gives the message in a balloon. If I close this balloon down, it pops up
again within five seconds.
I've tried everything I know to get rid of it without success. This scum
company is effectively blackmailing me into buying their product which I
will not do, I'll reinstall Windows or buy a new computer before I give this
scum one penny. I can't be the only one with this, anyone have any ideas how
to get rid of it?
Regards,
Alan.

Of course you have malware on your system. Spy Axe is the Malware. Look
thru this newsgroup and you will find several other postings about this and
several possible solutions.
 
Nepatsfan

Alan said:
Hi,
I've been infected by a program called Spy Axe which is telling me that I
have dangerous malware on my system. It's a New Zealand-based company whose
Web Page looks quite legitimate.
I have both Webroot Spy Sweeper and Microsoft Anti Spyware running and they
are finding nothing. There is an icon on my bottom toolbar which flashes and
gives the message in a balloon. If I close this balloon down, it pops up
again within five seconds.
I've tried everything I know to get rid of it without success. This scum
company is effectively blackmailing me into buying their product which I
will not do, I'll reinstall Windows or buy a new computer before I give this
scum one penny. I can't be the only one with this, anyone have any ideas how
to get rid of it?
Regards,
Alan.

Download, install and run the free 14 day evaluation version of
Ewido Security Suite:
http://www.ewido.net/en/download/

Download and run Smitrem.exe from this web site:
http://noahdfear.geekstogo.com/

Note: Both of these programs should be run in Safe Mode.

Safe Mode
http://kgiii.info/windows/all/general/safemode.html

If you aren't able to boot your computer into Safe Mode you
should download and run this free utility:

BootSafe

http://www.superadblocker.com/bootsafe.html

If these programs don't remove Spyaxe, try the following:
Hit Ctrl + Alt + Del to launch Task Manager.
On the Processes tab, look for the following two entries:
mssearchnet.exe and nvctrl.exe.
If you find them, run Windows Explorer and navigate to the
C:\Windows\System32 folder.
Look for the following files: mssearchnet.exe and nvctrl.exe.
Right click on these files and select Rename from the menu.
You can change them to mssearchnet.old and nvctrl.old.
Reboot your computer and see if you're still getting the warnings that
Spyaxe generates.
Go back and delete the files you renamed.

FYI: This thing is a royal PITA. My last suggestion, renaming
files, was the only way I could stop it on a remote computer.

Good luck

Nepatsfan
 
David H. Lipman

From: "Alan" <[email protected]>

| Hi,
| I've been infected by a program called Spy Axe which is telling me that I
| have dangerous malware on my system. It's a New Zealand-based company whose
| Web Page looks quite legitimate.
| I have both Webroot Spy Sweeper and Microsoft Anti Spyware running and they
| are finding nothing. There is an icon on my bottom toolbar which flashes and
| gives the message in a balloon. If I close this balloon down, it pops up
| again within five seconds.
| I've tried everything I know to get rid of it without success. This scum
| company is effectively blackmailing me into buying their product which I
| will not do, I'll reinstall Windows or buy a new computer before I give this
| scum one penny. I can't be the only one with this, anyone have any ideas how
| to get rid of it?
| Regards,
| Alan.
|

Two part reply...

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.


* * * Please report back your results * * *
 
Alan

Thanks to you all, I'm trying all what you suggest,
BTW
'FYI: This thing is a royal PITA.'
Nepatsfan, You are certainly right about that! I'd like to pay this crowd a
visit with a baseball bat in my hands,
Regards,
Alan.
 
Plato

Alan said:
Nepatsfan, You are certainly right about that! I'd like to pay this crowd a
visit with a baseball bat in my hands,

Get with the program. Use an RPG.
 
Alan

Hi,
I finally got rid of the b*****d thing. What a mission that was!
I ran all the programs suggested by all of you, but the one that finally
killed it was smitRem. Ewido Security Suite found 4350 (Really!) infections
in C:\Documents and Settings\Owner\Complete and C:\Windows\Uploads which I
have deleted but it wouldn't kill Spy Axe. Incidentally I can't find the file
'Complete' in Documents and Settings.
Strange that neither Microsoft AntiSpyware or Webroot Spy Sweeper found any
of these.
Once again, my thanks to you all, these are the details of my system and the
contents of a text file that smitRem put in my C drive in case this is of
any use to any of you for reference.

HP machine about 4 years old,
Windows XP Pro,
Pentium 4 CPU 2.2Ghz
768Meg Ram
Cable 3 Meg Broadband,

____________________________________________________

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 13 Dec 05
The current time is: 13:51:35.32

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

SpyAxe


~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 (e-mail address removed)
Killing PID 788 'explorer.exe'
Killing PID 788 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)
 
David H. Lipman

From: "Alan" <[email protected]>

| Hi,
| I finally got rid of the b*****d thing. What a mission that was!
| I ran all the programs suggested by all of you, but the one that finally
| killed it was smitRem. Ewido Security Suite found 4350 (Really!) infections
| in C:\Documents and Settings\Owner\Complete and C:\Windows\Uploads which I
| have deleted but it wouldn't kill Spy Axe. Incidentally I can't find the file
| 'Complete' in Documents and Settings.
| Strange that neither Microsoft AntiSpyware or Webroot Spy Sweeper found any
| of these.
| Once again, my thanks to you all, these are the details of my system and the
| contents of a text file that smitRem put in my C drive in case this is of
| any use to any of you for reference.

< snip >

I'm glad that you have resolution.

Since you posted noahdfear's SmitRem Log.

Could you please post the contents of the following log...
C:\mcafee\ScanReport.HTML

Thanx...
 
Alan

Hi Dave,
I'm sorry, but after I got rid of Spy Axe I deleted the whole McAfee
folder, the reason being that as you've probably gathered I know a little
bit about this sort of thing but I'm no expert. As I use Norton as opposed
to McAfee I was afraid of some kind of conflict developing between the two.
I disabled everything in Safe Mode before I ran any of the programs I
downloaded on advice from you and the others in the group.

Although this episode for me has been a pain in the butt, there are two
positives that have emerged,
1. After running Ewido (which I had never heard of before) and it enabling
me to delete 4350 potentially malicious files, my computer is noticeably
faster than it was before. I had noticed these files before when running Spy
Sweeper and AdAware, but as I said before, I could never locate the file
'Complete' in C:\Documents And Settings.

2. It has made me aware that legitimate Spyware programs like Spy Sweeper,
Ewido etc. will not all find all spyware, one will find some and another will
find others, how to know the best one to use? There are so many that one
would need to be a rich man to use them all.

I can't tell you how much I am grateful for the advice from you and the
others for assisting me to get rid of that parasite, as to the staff and
owners of Spy Axe, 'May all their rabbits go blind and bump into one
another',
Regards,
Alan.
 
David H. Lipman

From: "Alan" <[email protected]>

| Hi Dave,
| I'm sorry, but after I got rid of Spy Axe I deleted the whole McAfee
| folder, the reason being that as you've probably gathered I know a little
| bit about this sort of thing but I'm no expert. As I use Norton as opposed
| to McAfee I was afraid of some kind of conflict developing between the two.
| I disabled everything in Safe Mode before I ran any of the programs I
| downloaded on advice from you and the others in the group.
|
| Although this episode for me has been a pain in the butt, there are two
| positives that have emerged,
| 1. After running Ewido (which I had never heard of before) and it enabling
| me to delete 4350 potentially malicious files, my computer is noticeably
| faster than it was before. I had noticed these files before when running Spy
| Sweeper and AdAware, but as I said before, I could never locate the file
| 'Complete' in C:\Documents And Settings.
|
| 2. It has made me aware that legitimate Spyware programs like Spy Sweeper,
| Ewido etc. will not all find all spyware, one will find some and another will
| find others, how to know the best one to use? There are so many that one
| would need to be a rich man to use them all.
|
| I can't tell you how much I am grateful for the advice from you and the
| others for assisting me to get rid of that parasite, as to the staff and
| owners of Spy Axe, 'May all their rabbits go blind and bump into one
| another',
| Regards,
| Alan.

I understand Alan. However the McAfee Command Line Scanner is just a utility, it is NOT an
installed package and will not conflict with *any* installed AV package. I am the author of
the second tool, SmitFraud.exe, and I included the McAfee Command Line scanner in this tool
because of its library of ~164,000 infectors. It is not uncommon for McAfee to find
something that Ewido does not. I know because I constantly submit samples to them.

Happy Holidays !
 
Guest

Dave can this work

I have been smitten . . . Although MS Antispyware Beta1 has detected this
PITA malware it has not been able to remove it.

Thanks to MS Anti Spyware Beta 1 tools, I have been able to identify all of
the Registry keys where it exists in my Registry. Can I just go to
REGEDIT in Safe Mode and delete them without doing any harm?

I have read and printed all of the other suggestions but they seem so
involved.

Here is the list;

Spyware Scan Details
Start Date: 12/13/2005 2:00:19 AM
End Date: 12/13/2005 2:07:53 AM
Total Time: 7 mins 34 secs

Detected Threats

SpyAxe Potentially Unwanted Software more information...
Details: SpyAxe is an antivirus/antispyware program confirmed to be
installed via Trojan Exploit on some websites. In addition to the application
itself, a toolbar may be installed as well.
Status: Quarantined
High threat - High-risk items have a large potential for harm, such as loss
of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F}
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F}\rNrbzZvPyd
FRROq_bvYOS@ekPzrGs@qsZ~[]w
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F}\yhqvezzchizG
UEYsCvGtSyW]yxVMfB
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F} PSFactoryBuffer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SpyAxe
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\SpyAxe
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\SpyAxe DisplayName SpyAxe 3.0
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\SpyAxe UninstallString C:\Program Files\SpyAxe\uninst.exe
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\SpyAxe DisplayIcon C:\Program Files\SpyAxe\spyaxe.exe
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\SpyAxe DisplayVersion 3.0
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\SpyAxe NSIS:StartMenuDir SpyAxe
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F}\fuqiG
aqeKCG]eDgd{~DiF
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\SpyAxe URLInfoAbout http://www.spyaxe.com
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\SpyAxe Publisher SpyAxe
HKEY_LOCAL_MACHINE\Software\SpyAxe
HKEY_LOCAL_MACHINE\Software\SpyAxe ref 100064
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F}\gcwvhfkxjkZ
xtfk_yqplgtCb\[eNNkP@z
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F}\InprocServer32 C:\WINDOWS\system32\els.dll
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F}\iqhXv
hbAUre~AVZ{R}mIW
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F}\lOPmamTtw
^x[PsLYxMQtc{v|Zj`t
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F}\PdwUXijhKmsku
``IwUYyRmOpxWBsxWKJf}
HKEY_CLASSES_ROOT\clsid\{957BAB51-81FF-8195-F273-D7E286EA702F}\qsJdZTmtD
AHE\^cC[TuGKlrTqqLxINl


Detected Spyware Cookies
No spyware cookies were found during this scan.

--
Long ago when men cursed and beat the ground
with sticks, it was called witchcraft..
Today, it's called golf

 
David H. Lipman

From: "DennyG" <[email protected]>

|
| Dave can this work
|
| I have been smitten . . . Although MS Antispyware Beta1 has detected this
| PITA malware it has not been able to remove it.
|
| Thanks to MS Anti Spyware Beta 1 tools, I have been able to identify all of
| the Registry keys where it exists in my Registry. Can I just go to
| REGEDIT in Safe Mode and delete them without doing any harm?
|
| I have read and printed all of the other suggestions but they seem so
| involved.
|
| Here is the list;
|

< snip >

The Registry info is correct. But it will NOT remove the DLL and EXE files and the
infection will just change the Registry back after you change it or the malware will protect
the keys and the changes won't be made.

The following instructions are involved but, it will kill the running processes, delete the
malware files and remove pertinent Registry information.

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.


* * * Please report back your results * * *
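Putting Nepatsfan's manual steps (kill mssearchnet.exe and nvctrl.exe, rename the files in System32, delete them after the reboot) together with the point made just above, that deleting registry keys alone does not hold because the running malware writes them back, here is an added PowerShell example of the removal in the order that works: processes first, then files, then registry, then a re-check. It is not SmitRem, SmitFraud.exe or any other tool from this thread. The indicators are the ones quoted in the posts: the two System32 executables, C:\Program Files\SpyAxe, the HKLM Run value, the Uninstall key, HKLM\Software\SpyAxe, and the CLSID whose InprocServer32 is C:\WINDOWS\system32\els.dll. A process named spyaxe.exe is an assumption inferred from the DisplayIcon path in DennyG's report. Check every name against your own scan report before running it, since a rogue can use different names on each victim, run it elevated and preferably from Safe Mode, and try it with -WhatIf first.

```powershell
#Requires -RunAsAdministrator
# Added example, not a tool from this thread. Removes the SpyAxe indicators
# quoted in the posts in the order that survives a self-restoring infection:
# running processes -> files -> registry -> verify.
# ASSUMPTION: a process named spyaxe (from the DisplayIcon path in the report).

$Processes = @('mssearchnet', 'nvctrl', 'spyaxe')      # Get-Process names, no .exe
$Files = @(
    (Join-Path $env:SystemRoot 'System32\mssearchnet.exe'),
    (Join-Path $env:SystemRoot 'System32\nvctrl.exe'),
    (Join-Path $env:SystemRoot 'System32\els.dll'),   # listed only because the report's CLSID points here
    (Join-Path $env:ProgramFiles 'SpyAxe')            # whole folder: spyaxe.exe, uninst.exe
)
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'SpyAxe'
$RegistryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe',
    'HKLM:\SOFTWARE\SpyAxe',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{957BAB51-81FF-8195-F273-D7E286EA702F}'
)

function Get-SpyAxeIndicators {
    # Returns one object per indicator that is currently present on this machine.
    $found = @()
    foreach ($proc in (Get-Process -Name $Processes -ErrorAction SilentlyContinue)) {
        $found += [pscustomobject]@{ Type = 'Process'; Item = "$($proc.ProcessName) (PID $($proc.Id))" }
    }
    foreach ($f in $Files) {
        if (Test-Path -LiteralPath $f) { $found += [pscustomobject]@{ Type = 'File'; Item = $f } }
    }
    if (Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue) {
        $found += [pscustomobject]@{ Type = 'RunValue'; Item = "$RunKey\$RunValue" }
    }
    foreach ($k in $RegistryKeys) {
        if (Test-Path -LiteralPath $k) { $found += [pscustomobject]@{ Type = 'RegistryKey'; Item = $k } }
    }
    return $found
}

function Remove-SpyAxe {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. Processes first. While the malware runs it re-creates files and
    #    registry values as fast as they are removed.
    foreach ($proc in (Get-Process -Name $Processes -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess("$($proc.ProcessName) PID $($proc.Id)", 'Stop-Process')) {
            Stop-Process -Id $proc.Id -Force -ErrorAction Stop
        }
    }

    # 2. Files. Windows allows renaming a locked executable but not deleting
    #    it, so a locked file is renamed to .old (Nepatsfan's trick) and
    #    deleted after the reboot.
    $rebootNeeded = $false
    foreach ($f in $Files) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        if (-not $PSCmdlet.ShouldProcess($f, 'Remove-Item')) { continue }
        try {
            Remove-Item -LiteralPath $f -Recurse -Force -ErrorAction Stop
        } catch {
            try {
                Rename-Item -LiteralPath $f -NewName ((Split-Path -Leaf $f) + '.old') -Force -ErrorAction Stop
                Write-Warning "$f is locked; renamed to $f.old. Delete it after the reboot."
                $rebootNeeded = $true
            } catch {
                Write-Warning "Could not delete or rename $f ($($_.Exception.Message)); use Safe Mode."
            }
        }
    }

    # 3. Registry last: the autostart value, then the keys the scanner listed.
    if ($PSCmdlet.ShouldProcess("$RunKey\$RunValue", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    }
    foreach ($k in $RegistryKeys) {
        if ((Test-Path -LiteralPath $k) -and $PSCmdlet.ShouldProcess($k, 'Remove-Item -Recurse')) {
            Remove-Item -LiteralPath $k -Recurse -Force -ErrorAction SilentlyContinue
        }
    }

    # 4. Verify. Anything still present means a process survived step 1:
    #    reboot into Safe Mode and run again.
    $left = Get-SpyAxeIndicators
    if ($left) {
        $left | Format-Table -AutoSize
        Write-Warning 'Indicators remain; reboot into Safe Mode and re-run.'
    } elseif ($rebootNeeded) {
        Write-Warning 'Only renamed .old files remain; reboot, delete them, then re-run Get-SpyAxeIndicators.'
    } else {
        Write-Host 'No SpyAxe indicators found.'
    }
}

# Usage: dot-source the file, then
#   Get-SpyAxeIndicators        # triage only
#   Remove-SpyAxe -WhatIf       # dry run
#   Remove-SpyAxe               # remove, then reboot and run Get-SpyAxeIndicators again
```

The order matters more than the tooling: step 1 is what the Task Manager and Safe Mode advice in this thread achieves, and steps 2 and 3 only stick once nothing is left running to undo them. The re-check in step 4 is the cheap substitute for the "please report back your results" request above; a clean second run after a reboot is the actual evidence of removal.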
 
Stephen Howe

Two part reply...

Pardon me for being dense David but I don't get this.

(i) Do you mean that we choose Part 1 or Part 2 for removal, that they are
alternative removal strategies?
(ii) ...or do you mean that we run Part 1 and follow with Part2?

I think you mean (ii) but I am not sure what each step is for.

At the moment I am trying remotely to remove SpyTrooper from my brother's PC
which is some distance away. He can follow simple instructions but is not a
programmer, just a simple user, non-technical. I found

C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe

on his Windows XP PC but the strange thing is he cannot get into Safe Mode.
One wonders if this trojan has installed part of itself as a critical
component. Fortunately I will be staying with him over the Christmas period
and I will give it my full attention. HiJackThis 1.99.1 reveals that it
seems to be full of crap.

Thanks

Stephen Howe
 
David H. Lipman

From: "Stephen Howe" <stephenPOINThoweATtns-globalPOINTcom>


Replies are inline....
|
| Pardon me for being dense David but I don't get this.


Dense -- No way. I am sorry if the instructions are too short and/or unclear !


|
| (i) Do you mean that we choose Part 1 or Part 2 for removal, that they are
| alternative removal strategies?
| (ii) ...or do you mean that we run Part 1 and follow with Part2?


Part 2 subsequent to using Part 1


| I think you mean (ii) but I am not sure what each step is for.
|
| At the moment I am trying remotely to remove SpyTrooper from my brother's PC
| which is some distance away. He can follow simple instructions but is not a
| programmer, just a simple user, non-technical. I found
|
| C:\WINDOWS\system32\nvctrl.exe
| C:\WINDOWS\system32\mssearchnet.exe
|
| on his Windows XP PC but the strange thing is he cannot get into Safe Mode.
| One wonders if this trojan has installed part of itself as a critical
| component. Fortunately I will be staying with him over the Christmas period
| and I will give it my full attention. HiJackThis 1.99.1 reveals that it
| seems to be full of crap.
|
| Thanks
|
| Stephen Howe
|

I know my script in Part 2 covers those files and I believe that noahdfear's script in Part
1 does as well.

Some parts in both sets of scripts may be redundant. However, the script in Part 2 adds the
McAfee Command Line Scanner and will detect other Trojans, viruses and malware through
signature identification so it can actually do more.
 
