Malware Removal: SpyAxe Removal
From CastleCopsWiki
PRIVACY PROTECTOR / SPYLOCKED / SPYCRUSH / SPYFALCON / SPYAXE / SMITFRAUD:
REMOVAL INSTRUCTIONS
(for Windows 2000, XP and Vista victims Only)
Description
Spyaxe is a member of the Smitfraud family of trojans and their associated rogue (fake) antispyware products. There are actually two forms of the Smitfraud trojan: One is responsible for the phony antispyware program alerts and the other installs an infected "media codec". The media codec infection is usually acquired when one downloads a codec or plug-in that enables them to "view media content". The media intended to be viewed is often of a pornographic nature, and the media codec is not really a helpful plugin but a disguised Zlob trojan. We will discuss both types of these infections.
The Zlob trojan is dangerous because it can act as a trojan downloader - a program that installs other malicious threats onto the victim's computer. The symptoms vary depending on what malicious programs the Zlob trojan has installed: they run the gamut from rogue antispyware, to pop-up adware, and even full system compromise (remote human control). Zlob is an extremely prevalent threat that should be taken very seriously because of its potential for abuse.
Most users become aware their computer is infected with the rogue antispyware variety, when they see a system tray Security Center type warning that claims "Your computer is infected" and that purchasing SpyAxe or one of the programs listed below is required to remove the infection.
Antimalware scanners may detect Trojan-Downloader.Win32.Zlob or Trojan.Spaxe, which is the trojan responsible for downloading SpyAxe. Sometimes there is a Security Toolbar installed, as well.
Rogue Antispyware Variants
SpyAxe belongs to the Smitfraud group of rogue antispyware programs. The following programs are also members of this group, and this same removal procedure will eliminate any of these Smitfraud infections:
- Fake MP3 Download Websites (June 2008)
- Routers DNS.Changer (May 2008)
- VideoAccessCodec (VAC), Virus Alert! (May 2008)
- Antispycheck 2.1.0 (May 2008)
- Files Secure (May 2008)
- IE AntiVirus (April 2008)
- Malware Bell (April 2008)
- Awola6 (March 2008)
- Microsoft Windows Adapter 5.1.3214 (March 2008) A fake one, of course!
- Internet Explorer Toolbar (March 2008)
- Pest-Capture (March 2008)
- VirusHeat (February 8, 2008)
- AntiSpyGuard (November 2007)
- VirusRay (October 2007)
- AntiVirGear (September 2007) May require extra removal instructions
- VirusProtectPro 3.6 and 3.7 (August 2007)
- VirusProtectPro (July 2007)
- Privacy Protector (June 2007) in addition to hijacking the desktop with an ominous red and black background, this rogue can produce a fake and persistent [Malware Alert]. It may also produce a bogus [Security Center Warning] when it connects to livewinupdates.com - a very infective Cool Web Search (CWS) domain - to download additional components.
- ContraVirus (June 2007)
- SpyCrush (Feb 2007 with re-emergence June 8, 2007)
- SpyLocked (April 2007)
- Malware Stopper - a SpySheriff clone (April 18, 2007)
- Adware Remover, AntiVirus Protector (April-March 2007)
- Antivirus Solution, Spyware IT (April-March 2007)
- AntiSpyZone, StartGuard (April-March 2007)
- MalwaresWipeds, SpyHeals (April-March 2007)
- Video Access ActiveX Object, Internet Security (Added February 2007)
- SpyDawn, SpyCrush, AntiVermeans (Added February 2007)
- System Registry Cleaner- beware of this fake alert - it claims to be by "Microsoft Certified Partner" (Added January 2007)
- PestCapture, SpySoldier (Added January 2007)
- SpywareKnight, WinAntiSpyPro (Added January 2007)
- AntiVerminser (added January 2007)
- AntiVermins (added December 2006)
- VirusBursters 6.3 (added November 2006)
- VirusBurster and VirusBursters (added October 2006)
- VirusBurst (added August 2006)
- Titan Shield (added June 2006)
- SpywareQuake (added 25-March-2006)
- SpyFalcon (added 8-Feb-2006)
- SpywareStrike (added 7-Jan-2006)
- SpyAxe
- Smitfraud
- Security IGuard
- Virtual Maid
- Search Maid
- AntiVirusGold or AV Gold
- PSGuard
- SpySheriff
- Spy Trooper
- Security Toolbar
- WinHound
- AlphaCleaner
Additional rogue antispyware products removed by SmitfraudFix:
VirusBlast, VirusBurst family*, Malwarewipe family*, Spy-Heal, AntivirusGolden, PestTrap, Spyware Soft Stop, BraveSentry, Security Toolbar, AlfaCleaner, SpyKiller, Daily Weather Forecast, AdwareDelete, Safety Bar, Trustin Bar, TrustIn Contextual
Note: Family includes all variations of the same rogue product name. For example, the Malwarewipe family includes Malwarewipe, MalwareWiped, MalwareWiper.
Infected Zlob Codecs
The Zlob trojan installs the following infected codec programs, which are also removable with the SmitfraudFix:
IECodec, Video iCodec, VideoAccessCodec, Video ActiveX Access, Video AX Object, Video ActiveX Object, MovieCommander, Private Video, MovieBox, SiteEntry, Generic Renos, Image ActiveX, Key Generator, SiteTicket, DirectVideo, VideoKeyCodec, Brain Codec, iVideoCodec, VidCodecs, TrueCodec, VideoCompressionCodec, My Pass Generator, Gold Codec, Silver Coded, Perfect Codec, Super Codec, QualityCodec, EliteCodec, PowerCodec, HQVideoCodec, MMediaCodec, MediaCodec, iMediaCodec, SoftCodec, VideosCodec, WinMediaCodec, Mpvideocodec, strCodec, PCODEC, IntCodec, Media-Codec, PornPass Manager, FreeVideo, JPEG Encoder, X Password Generator
Trojan-Downloader.Zlob.Media-Codec is the number one threat reported by the CounterSpy Research Center. The codec threats are particularly malicious in that they download and install a multitude of new threats onto your computer. They can also be accompanied by rootkits - programs that specialize in hiding active threats so that they remain undetected. Some stealth Zlob variants have incorporated hiding technology into their own design. Finally, the rootkit driver core.sys has recently been associated with some of the more tenacious and bothersome Smitfraud infections.
Note: To rid your computer of all malicious and dangerous Zlob components be sure to scan your system with the Malwarebytes' Anti-Malware scan as directed in the Follow Up Removal Instructions.
Symptoms of Specific Variants
Note: AntiVirGear Victims!
A recent AntiVirGear variant has taken a new strategy by installing an infected DLL into the Winsock chain. It will produce one or more entries in a HijackThis (HJT) log similar to the following:
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf2.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf1.dll
This variant requires extra removal instructions besides using S!ri's SmitfraudFix. They are outlined in our Removal Instructions below.
Note: Titan Shield / Antispywarebox victims!
June 2006: A new and very tenacious SpySheriff variant has surfaced. The SmitfraudFix discussed below can remove this variant. There is also a Titan Shield Removal Guide available at Bleeping Computer.
Note: SpySheriff and Antispylab Victims!
May 12, 2006: A new and very difficult to remove SpySheriff variant has surfaced.
Please use the Bleeping Computer SpySheriff And Antispylab Removal Tutorial to remove SpySheriff and the redirects to Antispylab.com. Then finish up by returning to complete the remainder of the Malware Removal and Prevention Overview.
Note: SpyFalcon Victims
All added May 2006 variants with infective DLLs:
C:\WINDOWS\system32\sbnudh.dll
C:\WINDOWS\system32\fyhhxw.dll
C:\WINDOWS\System32\iqzv.dll
C:\WINDOWS\system32\oqipt.dll
C:\WINDOWS\system32\htey.dll
C:\WINDOWS\system32\appmagr.dll
C:\Windows\System32\reglogs.dll
April 25 2006 variant with infective DLL: C:\windows\system32\twain32.dll
Please use the Bleeping Computer SpyFalcon Removal instructions to remove SpyFalcon. Then finish up by returning to complete the remainder of the Malware Removal and Prevention Overview.
Note: SpywareQuake Victims:
May 2, 2006: A new DLL located in the Windows system directory emerged, called dvdcap.dll.
In April 2006, three new infective DLLs emerged, all located in the Windows system directory:
suprox.dll
xenadot.dll
sivudro.dll
Please use the manual removal instructions at Bleeping Computer to remove SpywareQuake.
Then finish up by returning to complete the remainder of the Malware Removal and Prevention Overview.
Your HJT log may indicate these SpyAxe/SpywareStrike/SpyFalcon/SpywareQuake associated processes are running:
- C:\WINDOWS\system32\mssearchnet.exe
- C:\WINDOWS\system32\nvctrl.exe
Signature SpyAxe/SpywareStrike/SpyFalcon/SpywareQuake/Titan Shield HJT entries (an O2 BHO entry with a random file name of the form hp***.tmp is almost always found):
- O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp77C0.tmp
- O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
- O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
- O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
- O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
- O4 - Startup: titanshield.lnk = C:\Program Files\TitanShield Antispyware\titanshield.exe
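As an added example (not from the original guide, and not part of HijackThis itself), the following Python script triages a HijackThis log for the signature entries listed above: an O10 "Unknown file in Winsock LSP" entry, an O2 BHO loaded from a random hp*.tmp file, O4 Run entries named after the rogue products, and the TitanShield startup shortcut. The sample log is constructed from the lines quoted in this guide plus two benign filler lines; the placeholder CLSID on the benign BHO line and the short rogue-name lists are assumptions made for the example.

```python
import re

# Constructed sample HijackThis (HJT) log excerpt. The O2/O4/O10 lines are the
# signature entries quoted in the guide; the "Example Helper" BHO and the ctfmon
# Run entry are benign filler added so the triage has something to ignore.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp77C0.tmp
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: titanshield.lnk = C:\Program Files\TitanShield Antispyware\titanshield.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf2.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf1.dll
"""

# Run-entry names and startup-shortcut names quoted in the guide (assumed list).
ROGUE_RUN_NAMES = {"spyaxe", "spywarequake", "spywarestrike", "spyfalcon"}
ROGUE_STARTUP_NAMES = {"titanshield"}

# A BHO whose file is "hp<hex>.tmp" in system32 is the guide's tell-tale O2 entry.
TMP_BHO = re.compile(r"\\hp[0-9a-f]+\.tmp$", re.IGNORECASE)

# Line shapes of the HJT sections we care about.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]*\}) - (?P<path>.+)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<lnk>.+?) = (?P<path>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")


def triage_hjt(log_text):
    """Return (section, reason, path) findings for the Smitfraud signature entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if TMP_BHO.search(m.group("path")):
                findings.append(("O2", "BHO loaded from a random hp*.tmp file", m.group("path")))
            continue
        m = O4_RUN_RE.match(line)
        if m:
            if m.group("name").lower() in ROGUE_RUN_NAMES:
                findings.append(("O4", "Run entry for rogue antispyware " + m.group("name"), m.group("cmd")))
            continue
        m = O4_STARTUP_RE.match(line)
        if m:
            stem = m.group("lnk").lower().rsplit(".", 1)[0]
            if stem in ROGUE_STARTUP_NAMES:
                findings.append(("O4", "Startup shortcut for rogue antispyware", m.group("path")))
            continue
        m = O10_RE.match(line)
        if m:
            # Every unknown LSP file is reported: if SmitfraudFix cannot remove it,
            # the LSPFix guide must be followed before any automatic scanner runs.
            findings.append(("O10", "unknown Winsock LSP DLL", m.group("path")))
    return findings


def needs_lsp_guide(findings):
    """True when an O10 Winsock LSP finding is present (extra removal steps apply)."""
    return any(section == "O10" for section, _, _ in findings)


if __name__ == "__main__":
    hits = triage_hjt(SAMPLE_HJT_LOG)
    for section, reason, path in hits:
        print(section, "-", reason, "-", path)
    print("LSP guide needed:", needs_lsp_guide(hits))
```

The script only reads the log and reports; it deliberately does not delete anything, since the guide's point is that an incompletely removed LSP can break networking and that SmitfraudFix (or, for an LSP it cannot handle, the LSPFix guide) should do the removal.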
Panda online Antivirus scanner or other antimalware scanners may detect these files but may not be able to disinfect them:
- C:\WINDOWS\system32\xxfgmy.dll, dbqlrij.dll, tpedvf.dll --> added to VirusBursters 6.3 on 27-November-2006
- C:\WINDOWS\system32\suprox.dll, xenadot.dll, sivudro.dll --> added to SpywareQuake April 2006
- C:\WINDOWS\system32\stickrep.dll --> added to SpywareQuake 25-March-2006
- C:\Windows\System32\ginuerep.dll --> added to SpyFalcon 02-March-2006
- C:\WINDOWS\system32\interf.tlb --> added to SpyAxe clones 20-March-2006
- C:\WINDOWS\SYSTEM32\dfrgsrv.exe --> if installed via a media codec
- C:\WINDOWS\system32\dxmpp.dll --> new to SpyFalcon
- C:\WINDOWS\system32\svchosts.dll --> notice the spelling, which is plural
- Note: Do NOT delete C:\WINDOWS\system32\svchost.exe, which is a required system file
- C:\WINDOWS\system32\ioctrl.dll --> this seems to have replaced svchosts.dll as the latest incarnation of the infective DLL
- C:\WINDOWS\system32\ncompat.tlb
- C:\WINDOWS\system32\msvol.tlb
- C:\WINDOWS\system32\NetWrap.dll --> new to SpywareStrike
- C:\WINDOWS\system32\replmap.dll --> new to SpywareStrike as of 1/24/06
- C:\Program Files\SpyAxe\uninst.exe
- C:\Program Files\Security Toolbar\Security Toolbar.dll
- C:\WINDOWS\system32\drivers\core.sys --> rootkit driver that began appearing around April 2007; detectable using the Kaspersky Online Scanner, AVG Anti-Spyware and System Repair Engineer
Note: The fix will automatically remove all these files/folders and many more known to be associated with a Smitfraud infection.
REMOVAL INSTRUCTIONS
For all variants
Windows 2K/XP/Vista Users
Note: SmitfraudFix is now Vista compatible, so Vista users can safely use it. However, the Vista removal instructions can be used by Windows 2K, XP and Vista users for a more thorough removal of all "rogue" antispyware program components.
S!Ri has written an excellent SmitFraud Removal Tutorial which uses the SmitfraudFix Utility which S!Ri also developed.
- The SmitfraudFix is updated as soon as a new SmitFraud variant is discovered, and it will remove ALL known Smitfraud variants listed above including SpyCrush, SpyLocked, SpyFalcon, SpywareQuake, and SpySheriff, to name a few.
Does Smitfraud give you a warning message about using LSPFix?
Very Important Note: Recently a new Smitfraud variant called AntiVirGear began using a different method of infection by installing an LSP (layered service provider) into the Windows Winsock chain. So far the DLL files that it inserts into the Winsock chain ARE removed by the SmitfraudFix (specifically laf1.dll through laf5.dll). However, because Smitfraud changes frequently to avoid removal, it is possible that a new infective DLL may dodge the SmitfraudFix temporarily. If that happens, SmitfraudFix will give you a warning similar to the following:
C:\WINDOWS\system32\laf1.dll Detected, use LSPFix.exe to delete !
Your DLL file name may differ slightly from the one in the above example.
If SmitfraudFix does inform you that you have a malware LSP that requires LSPFix.exe to delete it, then it is critical that you follow the Bleeping Computer Guide on How to remove an LSP found when running SmitFraudFix.
If you do not remove the malware LSP and an automatic scanner removes it incompletely, you may lose internet access.
You do NOT want this to happen, so either use the Guide or seek our assistance by Getting Expert Help With Your HijackThis Log.
** Keep in mind that only those users who receive a malware LSP warning from SmitfraudFix need to do this. **
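As an added example (not from the original guide, and not SmitfraudFix's own code), this Python snippet reads a SmitfraudFix rapport.txt and pulls out any "Detected, use LSPFix.exe to delete !" lines, so a helper can tell at a glance whether the LSP guide applies before any automatic scanner is run. Only the warning line format is taken from the guide; the rest of the sample report is constructed filler, and laf6.dll is a constructed name that illustrates a DLL outside the laf1-laf5 range SmitfraudFix is stated to handle.

```python
import re

# Constructed excerpt of a rapport.txt. The two "Detected, use LSPFix.exe" lines
# follow the format quoted in the guide; the other lines are filler for this example.
SAMPLE_RAPPORT = r"""
(constructed filler line: scan header)
C:\WINDOWS\system32\laf1.dll Detected, use LSPFix.exe to delete !
(constructed filler line: registry section)
C:\WINDOWS\system32\laf6.dll Detected, use LSPFix.exe to delete !
(constructed filler line: end of report)
"""

# Match any DLL path, not just laf*.dll, because the guide notes the file name may differ.
LSP_WARNING = re.compile(
    r"^(?P<path>\S.*?\.dll)\s+Detected, use LSPFix\.exe to delete !\s*$",
    re.IGNORECASE,
)


def lsp_dlls_flagged(rapport_text):
    """Return the DLL paths SmitfraudFix says it could not remove from the Winsock chain."""
    flagged = []
    for raw in rapport_text.splitlines():
        m = LSP_WARNING.match(raw.strip())
        if m:
            flagged.append(m.group("path"))
    return flagged


def lsp_next_step(rapport_text):
    """Map the report to the guide's decision: LSP guide first, or normal follow-up."""
    dlls = lsp_dlls_flagged(rapport_text)
    if dlls:
        return "LSP warning present: follow the LSP removal guide before running any automatic scanner: " + ", ".join(dlls)
    return "no LSP warning: continue with the normal follow-up removal steps"


if __name__ == "__main__":
    print(lsp_next_step(SAMPLE_RAPPORT))
```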
Windows Vista Users
Please follow Smitfraud/Rogue Antispyware Removal for Vista users using RogueRemover.
Note: Windows XP/2K users may also follow these directions for extra measure, in addition to running the SmitfraudFix.
Follow Up Removal Instructions
After completion of the Rogue Antispyware Removal procedure:
- Very Important - Perform a Malwarebytes' Anti-Malware scan. This will remove all malicious components associated with the Zlob trojan, including hidden rootkit drivers such as core.sys, as well as any remaining rogue antispyware remnants in both the Registry and the file system.
- Perform an online Panda AV scan.
- Give your PC a thorough workout, and see if it is now problem free. If so, it is important to undertake some follow-up Malware Prevention measures to prevent a SpyAxe reinfection of your computer.
- If you find that your PC remains infected with SpyAxe or some other malware, please continue with step 9 of our Malware Removal Procedure - AntiTrojan Scans
- If you are still infected, be sure to provide all requested materials when posting your HJT log:
- Reference HJT log (taken before removal of your Smitfraud variant)
- AVG Anti-Spyware (formerly ewido) or TrojanHunter scan report
- Panda scan report
- HJT log taken after completing Smitfraud removal instructions
- rapport.txt - the SmitfraudFix log file, located in the root of the system drive (usually Local Disk C:\)
- You may inspect the rapport.txt file with Notepad to verify that the SmitfraudFix completed properly.
The series was developed as the key deliverable of the Cleaning Malware Project.