

NICK ADSL UK
Premium,MVM
join:2004-02-22

Lavasoft Rapid Response to SpyAxe

Quote:
We have received numerous reports from customers and users about the ever increasing problem of SpyAxe.

SpyAxe is an Anti-Spyware application which is currently known to be installed without user consent.

Users can be misled by a fake 'Windows Update' message generated by a trojan, claiming that "Your computer is infected" and advising you to click a link to install SpyAxe.

Due to the increase in complaints and variants in the last few days we are releasing a rapid response update to address this problem.
»www.lavasoft.com/support/download/
--
Wilders Security Forum Admin


MrBradTX

join:2001-05-23
Carrollton, TX
One anti-spyware program targeting another as hostile. This should be entertaining to watch.

FWIW I agree with the stand Lavasoft has taken. Software that installs itself by stealth is hostile by definition, regardless of its intent.


trparky
Bite My Shiny Metal Ass
Premium,MVM
join:2000-05-24
Cleveland, OH
clubs:
·AT&T U-Verse

Interesting, I had to remove this from someone's machine before. Nice to see someone else seeing this, Google searching didn't result in much when I had to remove this.

Nothing in the Add/Remove Programs like a normal program should have an entry in, so I got to the point where I just told AdAware to remove all junk, it was gone when the removal was complete.
--
WedgeAntilles250

Tom's Rant

Fat City
Premium
join:2003-03-10
Freedonia

said by trparky:

...Nothing in the Add/Remove Programs like a normal program should have an entry in, so I got to the point where I just told AdAware to remove all junk, it was gone when the removal was complete.

Are you sure it's all gone? Do the following files still remain:
mssearchnet.exe
nvctrl.exe

Reason I ask is because I've been hit with SpyAxe several times and I just can't ever seem to get rid of it all. I end up having to restore a known good partition image with Image for Windows.

If SpyAxe installs itself again on my machine I'll try Ad-Aware for removal, and I'll check to see that those two files disappear. If they don't, then I'll restore C:\ once again.
--
Men willingly believe what they wish. - Gaius Julius Caesar


trparky
Bite My Shiny Metal Ass
Premium,MVM
join:2000-05-24
Cleveland, OH
clubs:
·AT&T U-Verse

reply to Fat City

said by Fat City:

said by trparky:

...Nothing in the Add/Remove Programs like a normal program should have an entry in, so I got to the point where I just told AdAware to remove all junk, it was gone when the removal was complete.

Are you sure it's all gone? Do the following files still remain:
mssearchnet.exe
nvctrl.exe

Reason I ask is because I've been hit with SpyAxe several times and I just can't ever seem to get rid of it all. I end up having to restore a known good partition image with Image for Windows.

If SpyAxe installs itself again on my machine I'll try Ad-Aware for removal, and I'll check to see that those two files disappear. If they don't, then I'll restore C:\ once again.

I don't know, like I said, when I was removing it, there wasn't much information out there on it. And the little there was was buried.
--
WedgeAntilles250

Tom's Rant


SoloN00b013176

@cust.bredbandsbolage
reply to Anon
The spread of SpyAxe was exceeding I so a RR would be appropriate don't you think?


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

reply to trparky
said by trparky:

Nice to see someone else seeing this, Google searching didn't result in much when I had to remove this.

I'm surprised you didn't find much on Google. You should go to »www.forums.spywareinfo.com and do a search for spyaxe. You'd be surprised at the number of people there are that have been infected by this hijack. It was supposedly released by one of SpyAxe's affiliates that was supposedly dropped after releasing the hijack that said you were infected and prompted people to download and install SpyAxe. SpyAxe released a supposed fix to remove the hijack, and even the fix is detected by Ewido as malware.
--
Proud ASAP member since 2005


Corrine
Premium
join:2004-08-27

reply to TheJoker

We've been buried at Freedomlist with this infection for some time. If it wasn't for noahdfear's smitRem© fix, there would be a lot of unsolved logs there & elsewhere.
--
Corrine, Administrator Freedomlist; Proud Charter Member ASAP Since 2004 (Alliance of Security Analysis Professionals)

Fat City
Premium
join:2003-03-10
Freedonia

reply to Fat City
Got hit with SpyAxe again this evening so I tried Spybot - S&D (with latest updates) for removal. Nothing doing---pieces of SpyAxe remained, including the annoying little icon in systray with its constant click, click, click.

So I tried Ad-Aware (again, latest updates) and that didn't remove it either. Pieces of SpyAxe were all over the place including the icon from hell.

Popped in the Terabyte Image for Windows Boot CD and restored to a known good configuration. SpyAxe is gone.

Why aren't Spybot and Ad-Aware successful in removing SpyAxe?
--
Men willingly believe what they wish. - Gaius Julius Caesar


siggyx
Siggy
Premium
join:2003-12-10
Cambridge

reply to NICK ADSL UK
I agree with Corrine. If it wasn't for noahdfear's smitRem© fix we would be heavily bogged down at TC with unresolved logs. As it is we are seeing more and more every day.
--
90% of sports is mental, the other half is physical


Profixer

join:2005-07-01

From what we can see... it is a possibility that a huge number of SpyAxe variants were pre-built before the whole mess started, and this has resulted in a huge amount of them out in the wild from day one.... we have received 9 more variants in the past 2 days and are adding these to detection.... it seems there may be on average 5 new variants a week... this IS a serious issue, which we are working hard to get resolved.


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Thanks for the feedback LS SteveJ. I'm glad to hear Adaware continues to work on detection and removal for the new variants. We have certainly noticed an increase in cries for help here.

Meanwhile, the SmitRem tool by noahdfear can help and has been updated to include SpyAxe. New FAQ added last night to give some steps on removing SpyAxe and other Smitfraud variants:
»Security »Zlob/Smitfraud Removal
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)


Profixer

join:2005-07-01

No problem Calamity!... It's peeing us off just as much as our users, and the community, I promise you....

There is a ton of downloaders out there, installing new variants on a daily basis... and we are trying our best to get both the downloaders, and the variants they are spitting out....

I will keep you posted


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

said by Profixer:

I will keep you posted

Thank you for your efforts! Appreciate it

Was wondering why we're seeing so many new victims of this. Any idea what exploit they are using (or other method of install) so we can warn folks how to prevent it?
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)


richtig
Music Is Emotion
Premium
join:2003-02-19
Australia
reply to NICK ADSL UK
BOclean has it covered. That means it does remove it.

I have not encountered SpyAxe, and I hopefully won't.
--
We are the music makers, We are the dreamers of dreams. Arthur William Edgar O'Shaughnessy


Profixer

join:2005-07-01

reply to CalamityJane
There are a lot being installed by variants of Trojan.Downloader.Zlob.. people should keep their eye out for svchosts.dll / svchost.dll especially... the method of choice for SpyAxe install is a fraudulent Windows Update icon in the tray, popping a bubble saying "Your computer is infected with spyware, click here to install the latest anti-spyware"... or something of that nature....


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
Thanks again, Steve. Keep us posted on any developments!


justin
Australian
join:1999-05-28
Brooklyn, NY
reply to NICK ADSL UK
Large number of inbounds to this topic.
»/trackback/18564968
obviously annoying a lot of people as Lavasoft says.