SpyAxe

SpyAxe is a malicious software program (more commonly known as malware) that infects computers by pretending to be an antispyware application, and is a member of the AntiVirus Gold family.

Infection

A trojan already on the computer (usually the Zlob trojan) may display a system tray icon with a persistent popup saying the computer has been infected; clicking it downloads and then installs SpyAxe. Once installed, SpyAxe will not remove any malware it detects (including the trojan that installed it) until the user goes to SpyAxe's website and purchases the software. Credit card payments go through an online credit card processing centre called PSBill (based in Gibraltar).

Symptoms

It may attempt to change the computer's wallpaper/desktop and permanently change Internet Explorer's homepage, even though a different one has been selected in "Tools - Internet Options - Home Page." This is done via group policy, causing it to appear as if the network's administrator changed the home page.

Amongst others, SpyAxe installs the following:

Processes

  • mscornet.exe
  • mssearchnet.exe
  • nvctrl.exe
  • spyaxe.exe (multiple instances)

DLLs

  • ioctrl.dll
  • svchosts.dll
  • webconm.dll
  • wbeconm.dll

Directories

  • C:\Program Files\SpyAxe
  • C:\Windows\System\1024
  • C:\Windows\System32\1024
  • C:\Winnt\System32\1024
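
The lists above can be turned into a simple host triage check. The following is an added example, not part of the original article: the function names and the inventory format (lists of full image and module paths) are assumptions, and the sample inventory is constructed. It matches names case-insensitively, as Windows does, and requires an exact file name so that the legitimate svchost.exe is not confused with svchosts.dll.

```python
import ntpath
from collections import Counter

# Indicators copied from the Processes, DLLs and Directories lists above.
PROCESSES = {"mscornet.exe", "mssearchnet.exe", "nvctrl.exe", "spyaxe.exe"}
DLLS = {"ioctrl.dll", "svchosts.dll", "webconm.dll", "wbeconm.dll"}
DIRECTORIES = [
    r"C:\Program Files\SpyAxe",
    r"C:\Windows\System\1024",
    r"C:\Windows\System32\1024",
    r"C:\Winnt\System32\1024",
]

def norm(path):
    """Windows paths are case-insensitive and accept '/' as a separator."""
    return ntpath.normcase(ntpath.normpath(path))

def triage(image_paths, module_paths):
    """Hypothetical helper: return sorted (kind, indicator, evidence) findings."""
    findings = set()
    dirs = {norm(d): d for d in DIRECTORIES}
    counts = Counter(ntpath.basename(norm(p)) for p in image_paths)
    for kind, names, paths in (("process", PROCESSES, image_paths),
                               ("dll", DLLS, module_paths)):
        for p in paths:
            full = norm(p)
            if ntpath.basename(full) in names:
                findings.add((kind, ntpath.basename(full), p))
            # A file anywhere beneath a listed directory is also a hit.
            for d, original in dirs.items():
                if full.startswith(d + "\\"):
                    findings.add(("directory", original, p))
    # The article notes that spyaxe.exe runs as multiple instances.
    if counts["spyaxe.exe"] > 1:
        findings.add(("process", "spyaxe.exe", f"{counts['spyaxe.exe']} instances"))
    return sorted(findings)

# Constructed sample inventory (not real telemetry).
SAMPLE_IMAGES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"c:\program files\spyaxe\SpyAxe.exe",
    r"C:\Program Files\SpyAxe\spyaxe.exe",
    r"C:/Windows/System32/1024/helper.exe",
]
SAMPLE_MODULES = [r"C:\Windows\System32\svchosts.dll", r"C:\Windows\System32\kernel32.dll"]

if __name__ == "__main__":
    print(*triage(SAMPLE_IMAGES, SAMPLE_MODULES), sep="\n")
```
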

Known Variants

There are several variants of this adware. In early 2006 SpyAxe was distributed under a variety of names, including SpywareStrike (identical to SpyAxe), SpySheriff, SpyFalcon, SpywareQuake, MalwareWipe, AntiVirGear and many other pseudonyms.

Removal

SpyAxeFix, later renamed to smitRem, was the first tool designed specifically for the removal of SmitFraud variants. Development of this tool has halted, and SmitFraudFix is currently the most popular tool used to remove this infection.

See also

  • Malware
  • Spyware
  • Adware
  • Rogue software
  • Wikipedia's Spyware removal category