SpyAxe
SpyAxe is a new (as of December 2005) piece of malware that infects unsuspecting computers by pretending to be an antispyware application. It is typified by an icon in the system tray with a constant popup saying the computer has been infected. If the user clicks on the popup, the web browser is ultimately directed to the SpyAxe homepage, with an invitation to sign up for their service. Credit card payments go through something called "psbill", which appears to be based in Russia. There are several variants of this spyware. It is hard to remove because it often includes a rootkit. In early 2006 SpyAxe was rebranded or cloned as SpywareStrike. It also goes under the guise of "SpySheriff". It may attempt to change the computer's wallpaper/desktop and permanently change Internet Explorer's homepage, overriding whatever has been selected in "Tools - Internet Options - Home Page"; this is done via group policy.
Among other things, SpyAxe installs the following:
Processes
- mscornet.exe
- mssearchnet.exe
- nvctrl.exe
- spyaxe.exe (multiple instances)
DLLs
- ioctrl.dll
- svchosts.dll
- webconm.dll
- wbeconm.dll
Directories
- C:\Program Files\SpyAxe
- C:\Windows\System\1024
- C:\Windows\System32\1024
- C:\Winnt\System32\1024
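Because the page notes that SpyAxe often ships with a rootkit, a listing taken on the running system may not show these items; the sketch below, an added example that is not part of the original article, checks a mounted copy of the system volume and an exported process list against the names listed above. The function names and the sample tree are assumptions made for illustration, and a name match is a lead for further inspection, not proof of infection.

```python
import os
from collections import Counter

# Indicator names copied from the lists on this page, lower-cased for matching.
IOC_PROCESSES = {"mscornet.exe", "mssearchnet.exe", "nvctrl.exe", "spyaxe.exe"}
IOC_DLLS = {"ioctrl.dll", "svchosts.dll", "webconm.dll", "wbeconm.dll"}
IOC_DIRS = {
    "program files/spyaxe", "windows/system/1024",
    "windows/system32/1024", "winnt/system32/1024",
}

def scan_offline_volume(root):
    """Walk a mounted copy of the system volume; return sorted
    (kind, relative_path) findings. File names must match exactly
    (case-insensitive), so svchost.exe does not match svchosts.dll."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        base = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "" if base == "." else base + "/"
        for d in dirnames:
            if (prefix + d).lower() in IOC_DIRS:
                findings.append(("directory", prefix + d))
        for f in filenames:
            if f.lower() in IOC_PROCESSES | IOC_DLLS:
                findings.append(("file", prefix + f))
    return sorted(findings)

def count_ioc_processes(image_names):
    """Count listed process names in an exported process list
    (one image name per entry); spyaxe.exe may appear several times."""
    hits = Counter(n.strip().lower() for n in image_names)
    return {name: hits[name] for name in sorted(IOC_PROCESSES) if hits[name]}

if __name__ == "__main__":
    import tempfile
    # Constructed sample tree standing in for a mounted volume.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS", "system32", "1024"))
        for name in ("SVCHOSTS.DLL", "svchost.exe"):
            open(os.path.join(root, "WINDOWS", "system32", name), "w").close()
        for kind, path in scan_offline_volume(root):
            print(kind, path)
    print(count_ioc_processes(["spyaxe.exe", "SpyAxe.exe", "explorer.exe"]))
```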