spyaxe - can't get rid of it

MadJuggla9

i know all of you think "google it you tard", but trust me, i have. i usually run adaware/spybot/AVG/zonealarm/hijackthis as my spyware/antivirus stuff. I found out that none of these did any good for this situation. i downloaded the spyaxe removal tool, foxie, and ewido.

first i went into safe mode and deleted ALL temporary files, then for each and every account, i scanned with all 7 programs. everything was gone. i got my homepage back, i didn't get those annoying fake security popups, and everything seemed to be ok.

today my homepage has already been hijacked, that damn security center triangle keeps blinking at me every 5 seconds (luckily the red circle with a white X hasn't come back YET), and my spybot blocks registry change attempts so much that i have a full column of blocks stacked on top of one another.

every time i scan i seem to be getting this crap back for no reason. hijack consistently finds a file in c:\windows\system32 named 'hp%' where % can be anything. i can totally clear it all off .... but it keeps coming back. anyone else removed this successfully? i work on computer spyware literally every day and i have not seen anything like this in quite some time now, so i decided to post.
 
Had client's system that had the same problem as you do. The cleaner is useless since the authors of the particular kit changed the code and filenames around to nullify the cleaner. Trojan.SPYAXE is a pain in the neck since it masks itself from current spy/ad/malware cleaners, including the legendary Spybot Search and Destroy, the unbeatable Ad-aware, and the (formerly Giant) MS Antispyware Cleaner.
The other thing that it also does is download other ad/spy/malware packages and install them. Very typical of a kit of this caliber.

I had to do some serious digging using Google and the forums to come up with this manual solution that actually did the job.
It's nasty, dirty and you have to dig thru the system files and system registry so all disclaimers are in effect.

Shut down and restart in safe mode, administrator account.

Search and destroy the following files:
svchosts.dll
mscornet
spyaxe
mssearchnet.exe
nvctrl.exe

Launch MSCONFIG and uncheck the boxes corresponding to the filenames. Some files may not show up, but will show up in the system registry.

Restart in the normal fashion and see if this clears out the garbage.

Now for the geeks out there, there is a SVCHOSTS.EXE file, which is a TRUE system file. Don't get it confused with the virulent svchosts.dll and kill the wrong bloody file now.
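
The search step from the reply above, written as a report-only scan (nothing is deleted); this is an added example and not part of either post. The sample file names, startup labels and command lines are constructed, and treating the first post's 'hp%' pattern as a low-confidence "review" hit is an assumption.

```python
import os
import re
import tempfile

# File names listed in the reply. Names given with an extension are matched
# whole; names given without one are matched against the stem.
EXACT_NAMES = {"svchosts.dll", "mssearchnet.exe", "nvctrl.exe"}
STEM_NAMES = {"mscornet", "spyaxe"}
# 'hp%' from the first post. Assumption: "hp" plus anything. This is broad and
# will also hit unrelated files, so it is only ever reported as "review".
HP_PATTERN = re.compile(r"^hp.+")

def classify(name):
    """Return 'match', 'review' or None for one file or path component."""
    name = name.lower()
    if name in EXACT_NAMES or os.path.splitext(name)[0] in STEM_NAMES:
        return "match"
    return "review" if HP_PATTERN.match(name) else None

def scan_tree(root):
    """Walk root and return sorted (verdict, path) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [(classify(f), os.path.join(dirpath, f)) for f in files if classify(f)]
    return sorted(hits)

def scan_startup(entries):
    """entries maps a startup label to its command line (as listed in MSCONFIG).
    Splitting on quotes, commas and separators also catches a DLL that is
    passed as an argument to another program."""
    flagged = {}
    for label, command in entries.items():
        verdicts = {classify(p) for p in re.findall(r'[^\\/"\s,]+', command)}
        if "match" in verdicts:
            flagged[label] = "match"
        elif "review" in verdicts:
            flagged[label] = "review"
    return flagged

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed stand-in for system32
        for name in ("svchosts.dll", "SVCHOSTS.EXE", "hpabc.dll", "notepad.exe"):
            open(os.path.join(root, name), "w").close()
        for verdict, path in scan_tree(root):
            print(verdict, path)
    startup = {  # constructed entries
        "loader": r'rundll32.exe "C:\WINDOWS\system32\svchosts.dll",Run',
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    }
    print(scan_startup(startup))
```

Because listed names are compared whole, the SVCHOSTS.EXE the reply says to leave alone is not flagged alongside svchosts.dll.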
 