Re: Lavasoft Rapid Response to SpyAxe in Security

Re: Lavasoft Rapid Response to SpyAxe in Security http://www.dslreports.com/forum/r14985639 en Sun, 29 Nov 2009 03:37:14 EDT Sun, 29 Nov 2009 03:37:14 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15252992 Anonymous : It seems to me you need to get some protection. Re-imaging is no fun if you have to do it on a daily basis.]]> http://www.dslreports.com/forum/remark,15252992 Sun, 15 Jan 2006 19:48:33 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15115697 anon : wbeconm.dll was the file causing the pop-up. I had the same file so probably not randomly generated. Removing it caused the icon to disappear. freakin, lets form a mob and go slaughter those bastards who are responsible for this garbage.]]> http://www.dslreports.com/forum/remark,15115697 Wed, 28 Dec 2005 04:12:08 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15114937 anon : wow, some crappy day of my vacation dealing with this pos. Tried everything on the net to get rid of it, spybot, adaware, avg, spyware blaster, smitrem, housecall, ewido, hijackthis(i think that's about it) following directions that have supposedly worked for others.

Even in safemode I couldn't get rid of the popup!!!!!!!!!

Since it had to be something registered in explorer.exe, I used the itty bitty process manager in hijack to check EACH of the dll's in explorer. Finally I came to one with no info, searching google and microsoft for the filename - i came up with NO INFO FOUND ON THE FILE. This must be it.

I used killbox with options: end explorer shell, unreg dll.

File name for me was: wbeconm.dll

When explorer.exe was restarted, no more popup box.

No homicidal thoughts towards spyaxe publicly posted, or they'll know who did it.... god just let me bill them for the entire day of fixing my machine. This is so illegal but no one will ever pay for it.

I must have gotten a new version of this pos, as little of the removal documentation referred to me. Make sure you gather your tools, get into safemode, note the file creation date on the bad files in system32, procede to run spyware programs and virus programs, then start tactical manual strike scouring for remnants, especially those in the system32 folder.

Edit: I opened the dll in txt and it contains the popup message. This file isn't mentioned anywhere on the net yet, so it must be quite new or partially/wholly randomly generated.]]> http://www.dslreports.com/forum/remark,15114937 Wed, 28 Dec 2005 00:19:34 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15104103 siljaline : Works for me ;) Calamity hard at work, as usual...]]> http://www.dslreports.com/forum/remark,15104103 Mon, 26 Dec 2005 11:40:47 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15104060 CajunTek : Or.. from closer to home ;) »Security »Zlob/Smitfraud Removal
--
Lost in Texas]]> http://www.dslreports.com/forum/remark,15104060 Mon, 26 Dec 2005 11:33:35 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15104024 siljaline : How To Remove Spyaxe
»www.bleepingcomputer.com/forums/···868.html
--
siljaline MS - MVP Windows (IE/OE) & Security, AH-VSOP]]> http://www.dslreports.com/forum/remark,15104024 Mon, 26 Dec 2005 11:23:23 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15103263 Fat City : Ad-Aware still not working for me in removing this pest. Got hit again this morning and NAV 2005 found and removed ioctrl.dll. Immediately ran Ad-Aware with the 12/19 defs but it failed to find anything save a few questionable tracking cookies. Searched C:\Windows\system32 and found the following: mssearchnet.exe, mscornet.exe, and nvctrl.exe. Once again, I imaged my way back to spyaxe-free.
--
Another flaw in the human character is that everybody wants to build and nobody wants to do maintenance. - Kurt Vonnegut, Jr.]]> http://www.dslreports.com/forum/remark,15103263 Mon, 26 Dec 2005 05:46:10 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15061577 anon : McAfee AntiSpyware latest update cleans it fully (and is free!). I was ready with SmitREM, but gave McAfee a go first on customer's PC. It's gone - reg entries and exe files (5 variants). Nothing in System32, Temp or registry. HJT log is clean. It hasn't spawned itself again since restart.
Now to sort out or get rid of the AOL spyzapper rubbish he's got on here...]]> http://www.dslreports.com/forum/remark,15061577 Tue, 20 Dec 2005 01:49:55 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15040697 Doctor Four : From F-Secure's News From The Lab:

»www.f-secure.com/weblog/#00000739

According to the above blog entry, SpyAxe is responsible
for 2500 infections per hour on US owned machines. No wonder
this site and others that offer help for spyware infections
are getting swamped.
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. Taking the 'L' out of Play: the Big Music/Hollywood Mantra]]> http://www.dslreports.com/forum/remark,15040697 Fri, 16 Dec 2005 22:22:41 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15035130 Profixer : thats what we're here for ;)]]> http://www.dslreports.com/forum/remark,15035130 Fri, 16 Dec 2005 08:22:15 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15035119 anon : just wanted to say that the most recent adaware finally remove spyaxe for me. i have been battling that s.o.b. for a week now and nothing would remove it. thanks adaware]]> http://www.dslreports.com/forum/remark,15035119 Fri, 16 Dec 2005 08:19:44 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15024122 ylen131 : so far haven't hit me but keeping an eye open for it.]]> http://www.dslreports.com/forum/remark,15024122 Wed, 14 Dec 2005 20:44:02 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15023108 anon : It seems that this is comming from porn sites. My friends wife went to a porn site one that she usually goes to and she clicked on something that acted wierd and then the spyaxe kept popping up after that. ]]> http://www.dslreports.com/forum/remark,15023108 Wed, 14 Dec 2005 18:45:28 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15023022 anon : My friend got hit with spyaxe a few days ago. His wife was watching porn on the computer and it either got in because of her or some of his crap websites. I guess spyaxe will ruin porn sites for everyone now. I had to get rid of spyaxe u can google it and get this program smitrem and run the run this bat file. You will have to do this in safe mode. I had good luck with smitrem. It does not get rid of all of it however. I am going to try the latest definiton files from lavasoft to get rid of the rest of it. ]]> http://www.dslreports.com/forum/remark,15023022 Wed, 14 Dec 2005 18:35:39 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15022740 justin : Large number of inbounds to this topic.
»/trackback/18564968
obviously annoying a lot of people as Lavasoft says.]]> http://www.dslreports.com/forum/remark,15022740 Wed, 14 Dec 2005 18:08:34 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15022083 CalamityJane : Thanks again, Steve. Keep us posted on any developments!]]> http://www.dslreports.com/forum/remark,15022083 Wed, 14 Dec 2005 16:50:33 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15021868 Profixer : There are alot being installed by variants of Trojan.Downloader.Zlob.. people should keep there eye out for svchosts.dll / svchost.dll especially... the method of choice for SpyAxe install is a fraudlent Windows Update icon in the tray, popping a bubble saying "Your computer is infected with spyware, click here to install the latest anti-spyware"... or something of that nature....]]> http://www.dslreports.com/forum/remark,15021868 Wed, 14 Dec 2005 16:26:40 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15018880 richtig : BOclean has it covered. That means it does remove it.

I have not encountered SpyAxe, and I hopefully wont.
--
We are the music makers, We are the dreamers of dreams. Arthur William Edgar O'Shaugnessy ]]> http://www.dslreports.com/forum/remark,15018880 Wed, 14 Dec 2005 09:39:57 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15018809 CalamityJane :

said by Profixer

:

I will keep you posted

Thank you for your efforts! Appreciate it :)

Was wondering why we're seeing so many new victims of this. Any idea what exploit they are using (or other method of install) so we can warn folks how to prevent it?
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,15018809 Wed, 14 Dec 2005 09:27:40 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15018784 Profixer : No problem Calamity!... Its peeing us off just as much as our users, and the community, I promise you....

there is a ton of downloaders out there, installing new variants on a daily basis... and we are trying our best to get both the downloaders, and the variants they are spitting out....

I will keep you posted]]> http://www.dslreports.com/forum/remark,15018784 Wed, 14 Dec 2005 09:22:48 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15018442 CalamityJane : Thanks for the feedback LS SteveJ. I'm glad to hear Adaware continues to work on detection and removal for the new variants. We have certainly noticed an increase in cries for help here.

Meanwhile, the SmitRem tool by Noadfear can help and has been updated to include SpyAxe. New FAQ added last night to give some steps on removing SpyAxe and other Smitfraud variants:
»Security »Zlob/Smitfraud Removal
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,15018442 Wed, 14 Dec 2005 08:10:14 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15018377 Profixer : From what we can see... it is a possibility that a huge number of SpyAxe variants were pre-built before the whole mess started, and this has resulted in an huge amount of them out in the wild from day one.... we have received 9 more variants in the past 2 days and are adding these to detection.... it seems there may be on average 5 new variants a week... this IS a serious issue, which we are working hard to get it resolved.]]> http://www.dslreports.com/forum/remark,15018377 Wed, 14 Dec 2005 07:53:55 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15017520 siggyx : I agree with Corrine, If it wasn't for noahdfear's smitRem© fix we would be heavily bogged down at TC with unresolved logs. As it is we are seeing more and more everyday.
--
90% of sports is mental, the other half is physical]]> http://www.dslreports.com/forum/remark,15017520 Wed, 14 Dec 2005 01:22:29 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15017320 Fat City : Got hit with SpyAxe again this evening so I tried Spybot - S&D (with latest updates) for removal. Nothing doing---pieces of SpyAxe remained, including the annoying little icon in systray with its constant click, click, click. :(

So I tried Ad-Aware (again, latest updates) and that didn't remove it either. Pieces of SpyAxe were all over the place including the icon from hell. :(

Popped in the Terabyte Image for Windows Boot CD and restored to a known good configuration. SpyAxe is gone. :)

Why aren't Spybot and Ad-Aware successful in removing SpyAxe?
--
Men willingly believe what they wish. - Gaius Julius Caesar]]> http://www.dslreports.com/forum/remark,15017320 Wed, 14 Dec 2005 00:40:57 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,15010706 Corrine : We've been buried at Freedomlist with this infection for some time. If it wasn't for noahdfear's smitRem© fix, there would be a lot of unsolved logs there & elsewhere.
--
Corrine, Administrator Freedomlist; Proud Charter Member ASAP Since 2004 (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,15010706 Tue, 13 Dec 2005 09:53:19 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,14993582 TheJoker :

said by trparky

:

Nice to see someone else seeing this, Google searching didn't result in much when I had to remove this.

I'm surprised you didn't find much on Google. You should go to »www.forums.spywareinfo.com and do a search for spyaxe. You'd be surprised at the number of people there are that have been infected by this hijack. It was supposedly released by one of SpyAxe's affiliates that was supposedly dropped after releasing the hijack that said you were infected and prompted people to download and install SpyAxe. SpyAxe released a supposed fix to remove the hijack, and even the fix is detected by Ewido as malware.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,14993582 Sat, 10 Dec 2005 20:59:57 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,14992050 anon : The speread of SpyAxe was exceeding I so a RR would be appropriate don't you think?]]> http://www.dslreports.com/forum/remark,14992050 Sat, 10 Dec 2005 17:07:37 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,14989218 trparky :

said by Fat City

said by trparky

:

...Nothing in the Add/Remove Programs like a normal program should have an entry in, so I got to the point where I just told AdAware to remove all junk, it was gone when the removal was complete.

I don't know, like I said, when I was removing it, there wasn't much information out there on it. And the little there was was buried.
--
WedgeAntilles250

Tom's Rant]]> http://www.dslreports.com/forum/remark,14989218 Sat, 10 Dec 2005 09:02:22 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,14988723 Fat City :

said by trparky

:

...Nothing in the Add/Remove Programs like a normal program should have an entry in, so I got to the point where I just told AdAware to remove all junk, it was gone when the removal was complete.

Are you sure it's all gone? Do the following files still remain:
mssearchnet.exe
nvctrl.exe

Reason I ask is because I've been hit with SpyAxe several times and I just can't ever seem to get rid of it all. I end up having to restore a known good partition image with Image for Windows.

If SpyAxe installs itself again on my machine I'll try Ad-Aware for removal, and I'll check to see that those two files disappear. If they don't, then I'll restore C:\ once again.
--
Men willingly believe what they wish. - Gaius Julius Caesar]]> http://www.dslreports.com/forum/remark,14988723 Sat, 10 Dec 2005 03:54:00 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,14985639 trparky : Interesting, I had to remove this from someone's machine before. Nice to see someone else seeing this, Google searching didn't result in much when I had to remove this.

Nothing in the Add/Remove Programs like a normal program should have an entry in, so I got to the point where I just told AdAware to remove all junk, it was gone when the removal was complete.
--
WedgeAntilles250

Tom's Rant]]> http://www.dslreports.com/forum/remark,14985639 Fri, 09 Dec 2005 18:07:19 EDT Re: Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,14985608 MrBradTX : One anti-spyware program targeting another as hostile. This should be entertaining to watch.

FWIW I agree with the stand Lavasoft has taken. Software that installs itself by stealth is hostile by definition, regardless of its intent.]]> http://www.dslreports.com/forum/remark,14985608 Fri, 09 Dec 2005 18:03:35 EDT Lavasoft Rapid Response to SpyAxe http://www.dslreports.com/forum/remark,14985540 NICK ADSL UK : quote
We have received numerous reports from customers and users about the ever increasing problem
of SpyAxe.

SpyAxe is an Anti-Spyware application which is currently known to be installed without user consent.

Users can be misled by a fake 'Windows Update' message generated by a trojan, claiming that "Your computer is infected" and advising you to click a link to install SpyAxe.

Du to the increase in complaints and variants in the last few days we are releasing a rapid response update to address this problem.
»www.lavasoft.com/support/download/
--
Wilders Security Forum Admin ]]> http://www.dslreports.com/forum/remark,14985540 Fri, 09 Dec 2005 17:54:52 EDT