SpyAxe

Guest

My system is infected with a "program" called Spyaxe and I cannot remove it.
I keep seeing a little balloon in my taskbar that says I am infected. This
stays around, even after I remove the program and its shortcut. When I
restart the system, it re-installs itself. It also appears to bring in other
trouble, such as something called "antivirus gold". Is there some
step-by-step removal procedure "for dummies"? Somebody mentioned a
noahdfear--any comments?

Many thanks in advance, and best wishes for the New Year,
 
Carey Frisch [MVP]

Microsoft Live Safety Center
http://safety.live.com/site/en-US/default.htm

Microsoft Windows AntiSpyware
http://www.microsoft.com/downloads/...a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

Here's what you can do to enhance the security on your PC
http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

-------------------------------------------------------------------------------------------

:

| My system is infected with a "program" called Spyaxe and I cannot remove it.
| I keep seeing a little balloon in my taskbar that says I am infected. This
| stays around, even after I remove the program and its shortcut. When I
| restart the system, it re-installs itself. It also appears to bring in other
| trouble, such as something called "antivirus gold". Is there some
| step-by-step removal procedure "for dummies"? Somebody mentioned a
| noahdfear--any comments?
|
| Many thanks in advance, and best wishes for the New Year,
| --
| Harry Keijzer
 
David H. Lipman

From: "Harry Keijzer" <[email protected]>

| My system is infected with a "program" called Spyaxe and I cannot remove it.
| I keep seeing a little balloon in my taskbar that says I am infected. This
| stays around, even after I remove the program and its shortcut. When I
| restart the system, it re-installs itself. It also appears to bring in other
| trouble, such as something called "antivirus gold". Is there some
| step-by-step removal procedure "for dummies"? Somebody mentioned a
| noahdfear--any comments?
|
| Many thanks in advance, and best wishes for the New Year,
|



Two part reply..

Perform Part 1 then perform Part 2.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp




Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 
Alan

Search on here for Spy Axe, (go 'Find' Spy Axe). I had it recently and got
rid of it with the help of the good people on here, the information you need
is all there,
Regards,
Alan.
 
David H. Lipman

From: "Carey Frisch [MVP]" <[email protected]>

| Microsoft Live Safety Center
| http://safety.live.com/site/en-US/default.htm
|
| Microsoft Windows AntiSpyware
| http://www.microsoft.com/downloads/...a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
|
| Here's what you can do to enhance the security on your PC
| http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
|

Carey:

Please don't post the following...

Microsoft Live Safety Center
http://safety.live.com/site/en-US/default.htm

It is a Beta and on a scale from 1 to 10 it is a 2

If you are going to post an online scanner, post one that actually has a high catch rate.

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

I have been in communication with Randy Treir and I have been testing the site. Straight
talk -- it sucks !

I gave it a zoo and it had a 22% catch rate.

When I tested an "Exploit-WMF" sample Yesterday, these were the results...

AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
Avast 4.6.695.0 12.29.2005 Win32:Exdown
AVG 718 12.29.2005 Downloader.Agent.13.AI
Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
DrWeb 4.33 12.29.2005 Exploit.MS05-053
eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
Ewido 3.5 12.29.2005 Downloader.Agent.acd
Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4662 12.29.2005 Exploit-WMF
Microsoft ?? 12.29.2005 no virus found
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Panda 9.0.0.4 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
Symantec 8.0 12.29.2005 Download.Trojan
TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
UNA 1.83 12.29.2005 no virus found
VBA32 3.10.5 12.28.2005 no virus found


Today however it is caught...

Microsoft ?? 12.30.2005 Exploit:Win32/Wmfap

Just because you are a Microsoft MVP, please don't suggest a low quality product when there
are high quality alternatives.
Especially when it is a security related issue !
 
Spikey

Harry Keijzer said:
My system is infected with a "program" called Spyaxe and I cannot remove
it.

Searching google Spyaxe is apparently an anti spy ware program. Follow this
link to their home page.
http://www.spyaxe.com/index.php

If this is what you have did you install it at some time??

It is reported as being oversensitive and produces false positives maybe
accounting for the frequent balloons you are seeing????

Go to start/settings/control panel/ then add/remove programs. If it shows
up in the list uninstall it and reboot.
 
Alan

That doesn't work with this one, it's the most insidious bugger I've ever
come across.
It's not so much a spyware program as a spy infection that demands that you
pay them to stop it driving you mad. Also the 'Malware' that it displays is
crap, just made up file names that aren't really on your system at all. Note
that as far as I am aware, most anti spyware programs like SpySweeper and
Microsoft Antivirus won't stop it, even if they find it. I speak from
experience.
It even uses the internal speaker to bleep the warning every time the
balloon pops up so you can't switch it off, and apparently it's capable of
preventing your machine from booting up in Safe Mode to hamper attempts to
delete it although I didn't encounter this myself.
If you tried the marketing techniques of this scum anywhere else but on the
internet you'd wind up doing five years.
Follow the advice of David H. Lipman, he knows what he's talking about on
this, he got rid of it for me,
Regards,
Alan.
 
Leythos

If you have SpyAxe, PSGuard, Smitfraud, Sinnaka Advertisements or detections
for Puper or Alemod that can not seem to be removed automatically, please
try this automated removal tool.

AntiPuper v1.1 by secured2k
http://secured2k.home.comcast.net/tools/AntiPuper.exe

What does this tool do?
This tool will attempt to delete several known Trojan files. These files are
modified by the malware authors and encrypted to avoid detection.
Fortunately, many of these tend to use the exact same file names. If the
files are in use, locked, protected, etc, this program will schedule Windows
to remove the files upon restarting.

This program will also remove some common security policies that are changed
by viruses and worms. Policies that lock out your desktop changes, windows
update, Windows Firewall, Explorer Run policies, Registry editing, and more
are all reset.

Finally, if you have an infected Alemod WININET.DLL file, this program will
try to copy a clean version from your Windows File Protection folder and
replace the bad copy on restart. If a backup copy can not be found, the tool
will quickly look for McAfee Antivirus files and attempt to clean a copy of
the file to replace the bad one on reboot. If all of this fails, you will
need to manually replace/clean your WININET.DLL file.
 
Leythos

ilovepcbutts1 said:
NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net 69.237.53.123

I see that you still have no means to prove you didn't pilfer the apps
and that you still can't post with your real name to MS Usenet services.

Impersonating me does not help your case, but it's funny that you feel
the need to do it - I've not seen anyone that wanted to impersonate you.
 
Spikey

Alan said:
Follow the advice of David H. Lipman, he knows what he's talking about on
this, he got rid of it for me,

Have filed for future reference. Let's hope I never need it.
 
Guest

Hi,

My Spyaxe problem appears to have been corrected. SpySweeper showed that I
had several adware items again last night: SpyAxe, SpyAxe Fakealert and
Trojan-downloader-zlob. So I ran SpySweeper after upgrading to the latest
definitions file and deleted the adware items. No more pop-up balloon or
icon in the task tray. Re-booted several times, with no problems. I did
this with my Internet connection disabled. Next, I ran SpySweeper several
more times, with no adware being found. Then, I (hesitantly) enabled my
Internet connection again--no problems.

Ran Ad-Aware SE which showed a bunch of malware-items in my registry;
quarantined those. Everything still works. Fingers crossed, of course...

Many thanks to everyone for your input!
 
David H. Lipman

From: "Harry Keijzer" <[email protected]>

| Hi,
|
| My Spyaxe problem appears to have been corrected. SpySweeper showed that I
| had several adware items again last night: SpyAxe, SpyAxe Fakealert and
| Trojan-downloader-zlob. So I ran SpySweeper after upgrading to the latest
| definitions file and deleted the adware items. No more pop-up balloon or
| icon in the task tray. Re-booted several times, with no problems. I did
| this with my Internet connection disabled. Next, I ran SpySweeper several
| more times, with no adware being found. Then, I (hesitantly) enabled my
| Internet connection again--no problems.
|
| Ran Ad-Aware SE which showed a bunch of malware-items in my registry;
| quarantined those. Everything still works. Fingers crossed, of course...
|
| Many thanks to everyone for your input!

And your version of Sun Java is the latest ?

Since you had one Downloader Trojan, you may have other Trojans or viruses that SpySweeper
won't find.

If you had applied my SmitFraud.exe tool, you would have performed a McAfee anti virus command
line scan of your computer.

Please use the following tool and use the McAfee module.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Rock

Leythos said:
If you have SpyAxe, PSGuard, Smitfraud, Sinnaka Advertisements or detections
for Puper or Alemod that can not seem to be removed automatically, please
try this automated removal tool.

PCbutts troll alert posting as Leythos.
 
Leythos

PCbutts troll alert posting as Leythos.

Thanks Rock, I'm not sure why he likes posting as my Nickname so much,
while I think it's funny, he's not fooling anyone. It's just another
nail in his ethics coffin.
 
Rock

Leythos said:
Thanks Rock, I'm not sure why he likes posting as my Nickname so much,
while I think it's funny, he's not fooling anyone. It's just another
nail in his ethics coffin.

No problem. That coffin was buried a long time ago.
 
Guest

Sorry, but your question "And your version of Sun Java is the latest ?" is
way over my head--how do you even check this?

Harry Keijzer

--
Harry Keijzer


 
David H. Lipman

From: "Harry Keijzer" <[email protected]>

| Sorry, but your question "And your version of Sun Java is the latest ?" is
| way over my head--how do you even check this?
|
| Harry Keijzer
|
Easiest way is to look in...

C:\Program Files\Java\

You'll see a folder such as;

C:\Program Files\Java\jre1.5.0_06
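
A scripted version of the folder check described in the post above, combined with the earlier advice in this thread to remove anything older than JRE 5.0 Update 6. This is an added example, not part of the original post; the folder-name patterns, parameter names and function name are assumptions.

```powershell
# Added example, not from the thread: flag Sun JRE folders older than a minimum version.
param(
    [string]$JavaRoot = (Join-Path $env:ProgramFiles 'Java'),  # folder named in the post
    [string]$Minimum  = '1.5.0_06'                             # JRE 5.0 Update 6
)

function ConvertTo-JreVersion {
    param([string]$Name)
    # Assumed folder naming: jre1.5.0, jre1.5.0_06, j2re1.4.2_08 (or a bare 1.5.0_06).
    if ($Name -match '^(?:j2?re)?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$') {
        $update = 0
        if ($Matches[4]) { $update = [int]$Matches[4] }   # no "_NN" suffix means update 0
        return New-Object System.Version -ArgumentList @(
            [int]$Matches[1], [int]$Matches[2], [int]$Matches[3], $update)
    }
    return $null
}

$min = ConvertTo-JreVersion $Minimum
if (-not $min) { throw "Minimum version '$Minimum' is not in the form 1.5.0_06" }

# No Java folder at all is a valid outcome: no Sun JRE is installed in the default location.
if (-not (Test-Path -LiteralPath $JavaRoot)) {
    Write-Output "No Java folder found at $JavaRoot"
    return
}

Get-ChildItem -LiteralPath $JavaRoot -Directory | ForEach-Object {
    $version = ConvertTo-JreVersion $_.Name
    if (-not $version) {
        $status = 'unrecognised folder name'
    }
    elseif ($version -lt $min) {
        $status = "older than $Minimum, remove"
    }
    else {
        $status = 'ok'
    }
    [pscustomobject]@{
        Folder  = $_.FullName
        Version = $version
        Status  = $status
    }
} | Sort-Object Version
```

On 64-bit Windows a 32-bit JRE installs under the x86 Program Files folder, so run the script a second time with -JavaRoot pointing there.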
 
Guest

I can't find any folder named Java under Program Files. I do have a folder
named Java under Windows; it contains two empty folders named "classes" and
"trustlib".

I think I will just keep an eye on things for the next few days; SpySweeper,
Ad-Aware and NoAdware all tell me I'm OK. Maybe one of these days I'll have
my PC looked at by somebody who does know his stuff (as opposed to myself...
;-()

Many thanks for your help, though, and best wishes for 2006!
 
David H. Lipman

From: "Harry Keijzer" <[email protected]>

| I can't find any folder named Java under Program Files. I do have a folder
| named Java under Windows; it contains two empty folders named "classes" and
| "trustlib".
|
| I think I will just keep an eye on things for the next few days; SpySweeper,
| Ad-Aware and NoAdware all tell me I'm OK. Maybe one of these days I'll have
| my PC looked at by somebody who does know his stuff (as opposed to myself...
| ;-()
|
| Many thanks for your help, though, and best wishes for 2006!

That means you are still using Microsoft's version of Sun Java that was licensed to
Microsoft..
 
maitre

Hi,
You could find information about spyaxe in:
www40. brinkster. com/ spyaxe/ spyaxe-info. asp

thanks Maitre
 
