A friend of mine’s PC has gotten infected with “SpyAxe” – one of those spyware trojan-horse programs that masquerades as a spyware cleaner/blocker. He keeps getting a popup that seems to come right from the toolbar (is that the word?) at the bottom of his desktop – “Your computer is infected! Click here to remove the threat!” And whenever you open Internet Explorer, you’re directed straight to a website that purports to sell spyware-protection software (I hesitate even to put a single mouseclick anywhere on that page). I’ve run several spyware-removal programs (that I trust) for him (he’s not too computer-savvy – nor am I, but more than he), and I even helped him buy and download two new ones (Xblock and Regblocker), but nothing works. I’ve tried removing it via the “Add-Remove Programs” function in the control panel and searching/deleting all “SpyAxe” files; nothing works. Periodically a box (purporting to be) from Microsoft Antivirus pops up in the lower right-hand corner, with a big red X, advising us that SpyAxe is trying to install and would you like to remove it? I’ve done that several times (and it always closes all open Internet windows in the process and tells you to reboot the PC afterwards), and when it’s done it tells you “SpyAxe has been removed”; but it doesn’t stop that dangerous balloon from popping up, nor does it change the browser’s default setting to that “spyware protection” page; and besides, you can’t just ignore this warning box because there’s no way to x it closed and it appears on top of whatever else is being displayed. And this program seems to be so cunningly crafted that, for all I know, that warning box is actually part of the SpyAxe program itself and using it just embeds the program even deeper in your system.
Weird, I’ve just returned from my friend’s house after removing this.
Download this utility and extract it to a folder on your hard drive. Restart the PC and press F8 before the XP logo comes up. Choose to restart in Safe Mode (the first option). Navigate to the folder and run “RunThis.bat”. The tool should remove all instances of the SpyAxe malware. Restart as normal and it should go.
I tried other tools I found online as well as MS Antispyware, but this was the only one that worked.
I spent most of Sunday afternoon removing this from my PC. And like Dominic Mulligan I used the smitRem tool from nofear, but it did reload itself. I finally found this in my registry.
According to the McAfee site it’s part of the SpyAxe crap, so I deleted it and reran SmitRem and it seems to be gone. I’m going to back up all my important stuff and format and reinstall Windows anyway, because it’s been a year and spring cleaning is always good!
Say, I don’t suppose the problem might have anything to do with this? http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability
And I’ve always wondered if some or maybe all spyware programs were actually made by the manufacturers of the anti-spyware programs . . . for marketing purposes . . . Is that thinking just too cynical even for this decade?
I’ve also been hit with some really tenacious adware/spyware/password stealer malware lately. The latest stuff seems super tenacious and anti-spyware programs (I tried several) can flag them but can’t remove them.
My final solution was to use the "HijackThis" tool in XP safe mode, which reads out what is loading via the registry when your system starts and offers the option to delete that loading line. It’s a brute-force solution, but it was the only thing that stopped the malware from interactively re-loading itself.
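The post above describes reading the registry "Run" entries that load at startup and deleting the offending line. The script below is an added example, not the poster's code or HijackThis itself: it parses the text of a `reg export` of the per-machine and per-user `...\Microsoft\Windows\CurrentVersion\Run` keys (a constructed sample is embedded, including a made-up "SpyAxe" line and a made-up "updater" line) and flags entries a responder would look at first: names not on an allowlist, binaries launched from user-writable locations such as Temp, and binaries named like core Windows processes (e.g. svchost.exe) that live outside the Windows directory. The allowlist and the marker strings are assumptions for the example, not a definitive list.

```python
import re

# Constructed sample of what "reg export" of the two classic Run keys can look
# like. The "ExampleAV", "SpyAxe" and "updater" entries are made up for this
# example; ctfmon.exe is a real Windows component used as a benign entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="C:\\Program Files\\ExampleAV\\avtray.exe"
"SpyAxe"="C:\\Program Files\\SpyAxe\\spyaxe.exe /h"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\Documents and Settings\\bob\\Local Settings\\Temp\\svchost.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"=data  or  @=data  (the default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Suffixes of registry keys whose values are executed at logon.
AUTORUN_SUFFIXES = (
    r'\Microsoft\Windows\CurrentVersion\Run',
    r'\Microsoft\Windows\CurrentVersion\RunOnce',
)
# Path fragments that indicate a user-writable location (assumption for the example).
USER_WRITABLE_MARKERS = ('\\temp\\', '\\local settings\\', '\\appdata\\',
                         '\\documents and settings\\', '\\users\\')
# Process names malware commonly borrows; legitimate copies live under C:\WINDOWS.
SYSTEM_PROCESS_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'explorer.exe', 'winlogon.exe'}


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \" ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else '(Default)'
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
            else:
                keys[current][name] = data  # dword:/hex: values kept raw
    return keys


def autorun_entries(keys):
    """List (key, name, command) for every value under a Run/RunOnce key."""
    suffixes = tuple(s.upper() for s in AUTORUN_SUFFIXES)
    return [(key, name, cmd)
            for key, values in keys.items() if key.upper().endswith(suffixes)
            for name, cmd in values.items()]


def exe_path(command):
    """Extract the executable path from a command line (quoted or up to '.exe')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.split(' ')[0]


def triage(entries, known_good=frozenset()):
    """Return the entries worth a closer look, each with the reasons it was flagged."""
    findings = []
    for key, name, cmd in entries:
        path = exe_path(cmd).lower()
        base = path.rsplit('\\', 1)[-1]
        reasons = []
        if name not in known_good:
            reasons.append('name not on allowlist')
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append('runs from user-writable location')
        if base in SYSTEM_PROCESS_NAMES and not path.startswith('c:\\windows\\'):
            reasons.append('system process name outside C:\\WINDOWS')
        if reasons:
            findings.append({'key': key, 'name': name, 'command': cmd, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    entries = autorun_entries(parse_reg_export(SAMPLE_REG_EXPORT))
    for f in triage(entries, known_good={'ExampleAV', 'ctfmon.exe'}):
        print(f"{f['name']:<12} {f['command']}\n    -> {', '.join(f['reasons'])}")
```

On a real machine the input would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU equivalent) run from Safe Mode, and the allowlist would be built from a known-clean machine of the same build; the point of the script is to shrink the list a person has to read, not to delete anything automatically.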
I just got hit with something similar as well, called SpySheriff and SpyHound. While cleaning them off, I found a plaintext file culled from my Autocomplete feature in IE. The file consisted of websites, my logins, and my passwords.* Further research tells me that this malware contains its own SMTP engine, so I presume that after culling my passwords, it promptly sent them out to the bad guys.
If you’ve been hit by this, change all your passwords as soon as you get the crap cleaned off.
My method of cleaning was to note the exact time of infection, reboot into safe mode, and search for files created at that time. After deleting all those, and fixing some registry settings, I was clean again.
*I don’t use autocomplete for anything critical like banking, just forum passwords and the like. But, still.
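The cleanup method in the post above (note the time of infection, boot to Safe Mode, find every file created around then) is a simple timeline search. The script below is an added example, not the poster's code: it walks a directory tree and returns the files whose timestamp falls in a window around a supplied infection time, then builds a small constructed tree of backdated files to show the result. The file names, the infection time and the default window (two minutes before to thirty minutes after) are assumptions for the example.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Constructed infection time for the demo tree below.
INFECTION_TIME = datetime(2006, 1, 8, 14, 0, 0)


def _stamp(st, which):
    """Pick one timestamp from an os.stat result.

    'mtime'     - last content modification (portable).
    'birthtime' - creation time where the platform exposes it (Windows on
                  Python 3.12+, macOS/BSD); falls back to st_ctime, which on
                  older Windows Pythons is the creation time and on POSIX is the
                  inode change time.
    """
    if which == 'birthtime':
        return getattr(st, 'st_birthtime', st.st_ctime)
    if which == 'ctime':
        return st.st_ctime
    return st.st_mtime


def files_touched_in_window(root, infection_time, before=timedelta(minutes=2),
                            after=timedelta(minutes=30), which='mtime'):
    """Return [(path, timestamp)] sorted by time for files whose chosen
    timestamp lies in [infection_time - before, infection_time + after]."""
    start = (infection_time - before).timestamp()
    end = (infection_time + after).timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                t = _stamp(os.stat(p), which)
            except OSError:
                continue  # unreadable or vanished file: skip, don't abort the sweep
            if start <= t <= end:
                hits.append((p, t))
    return sorted(hits, key=lambda h: h[1])


def build_demo_tree(root, infection_time=INFECTION_TIME):
    """Create constructed files and backdate their mtimes around infection_time.
    The names are made up for the example (the 'spyaxe.exe' here is an empty
    text file, not the real malware)."""
    plan = {
        'readme.txt': infection_time - timedelta(hours=3),
        'spyaxe.exe': infection_time + timedelta(minutes=1),
        'helper.dll': infection_time + timedelta(minutes=4),
        'report.doc': infection_time + timedelta(hours=5),
    }
    for name, when in plan.items():
        p = os.path.join(root, name)
        with open(p, 'w') as fh:
            fh.write('constructed sample\n')
        ts = when.timestamp()
        os.utime(p, (ts, ts))  # sets atime and mtime
    return plan


def run_demo():
    """Build the demo tree in a temp dir and return the base names found in the window."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        hits = files_touched_in_window(root, INFECTION_TIME)
        return [os.path.basename(p) for p, _ in hits]


if __name__ == '__main__':
    for name in run_demo():
        print(name)
```

On an infected Windows box you would run this from Safe Mode against `C:\` with `which='birthtime'`, since a dropper creates new files but rarely touches modification times of existing ones; on any platform, remember that timestamps can be altered by the malware itself, so treat the output as a starting list to inspect, not as proof of cleanliness.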