Help for those infected by SpyAxe

Discussion in 'Malware Help (A Specialist Will Reply)' started by FrostyTSnowman, Dec 21, 2005.

  1. FrostyTSnowman

    FrostyTSnowman Private E-2

    I apologize in advance for this being so long but it is very helpful.

    SpyAxe Virus Removal

    Well Techies and Computer Users from all over the world, here is some very helpful information on what to look for and just exactly how to remove the SpyAxe Virus/Worm from your PC.

    What is SpyAxe you ask? Very good question.

    Answer: SpyAxe is a piece of software that has gotten loaded into your PC via one of two ways: 1 being e-mail, 2 being a webpage.
    It is a little pop-up that looks like the Microsoft shield from Service Pack 2, and it pops up stating your PC is infected, click here to remove.
    It is also a pain in the Ass.

    Here is what it looks like:

    Of course you click on it and bam, your PC is worse off now than it ever was.
    There is a legitimate website for SpyAxe and they claim to be an adware/spyware removal program.
    I however know this is not true, I have spent several hours trying to get this little bugger cleaned up with their un-installer and other garbage from their site and it only made things worse not better.

    I have looked up the information on the website just like many of you are going to do, or have already done, I have used the various removers and un-installers, and I know that 3 of the 10 files I used to try and clean this problem up with were infected.
    And DO NOT use the smit-remove tool, doesn’t work and is a big joke.

    After exhaustive research on this parasite, I have found the following information.
    This little program buries itself deep into your computer and the registry file.
    For the home user I do not recommend that you try this on your own PC, PLEASE call a professional to help you with this. If you mess up your registry file you may as well just reformat it and start all over again.
    For you more advanced techies, please use caution and good judgement and make a backup.

    This particular parasite cannot be cleaned up by any anti-virus tools such as McAfee and Norton or even AVG, it will detect it but not clean it up. The same can be said for HijackThis as well.
    This program reproduces itself in several ways, it buries itself deep in the registry and with so many different files involved, it also creates a butt-load of different files right in your Windows directory and they do need to be cleaned out as well.
    If you get or have already gotten this pain in the keister, here is a list of things to do first and foremost.

    1: Call in a professional. This is for those that are not technified.
    2: Click on Start –Shutdown – Restart and boot the PC into SAFE MODE
    3: Click on Start – Search –Files and folders
    4: Search on the following files:
    SVCHOSTS.DLL – MSSEARCHNET.EXE – MSTHOST.EXE – MSCORNET.EXE – MVSVOL.TLB – TS.ICO – OT.ICO

    All of the files listed above EXCEPT the SVCHOSTS.DLL can be deleted while in safe mode.

    While still in the Safe-Mode portion of this process we need to clean out a few things.
    The first thing we need to do is click the Start – Run and then type “regedit”, once the regedit comes up we need to be at the top of the tree list, click File – Export then give it a filename and save, this is to make sure you have a backup of your registry in the unfortunate event that you screw up.
    Then click your “CTRL – F” for find, when the find box comes up type in the word “SpyAxe” and hit Enter, it should be found in several places. [Most I have found is 3 instances] after it finds the first instance, click on it and delete the entry for it, then hit your F3 key and it will find the next instance and you will delete it as well, and do these steps till a box pops up and says no more matches.

    Move your mouse back up to the top of the tree and start over again with the following file names: SVCHOSTS.DLL – MSSEARCHNET.EXE – MSTHOST.EXE – MSCORNET.EXE – MVSVOL.TLB – TS.ICO – OT.ICO
    Use the CTRL-F for the find mode and the F3 key to search.
    Delete all instances of the above mentioned files.

    After that is all cleaned up, get back to the top of the tree and click on the following areas as listed: [There are 2 areas of concern]
    First Area:
    [HKEY_LOCAL_MACHINE\SOFTWARE\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER]
    There should only be 3 Items listed here and they should look like this:



    You are looking especially for a tag line that says “Reload Browser” and delete it.
    Anything else listed other than what you see must be deleted.

    Second Area:
    [HKEY_LOCAL_MACHINE\SOFTWARE\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD]

    There should only be 3 OR 5 Items listed here and they should look similar to this:


    You are looking especially for a tag line that says “Reload Browser” and delete it.

    Anything else listed other than what you see must be deleted.

    In order to delete the SVCHOSTS.DLL file you must boot the PC up with your WIN XP CD or Win 2000 CD. [Do not delete the file SVCHOST.DLL, this file is ok and is needed to run Windows]
    After the system boots up, select the repair from console option and then select the primary drive and log onto it.
    Once you're at the command prompt type “CD \SYSTEM32” And hit Enter
    Type “del SVCHOSTS.DLL” And then hit Enter.
    [DO NOT DELETE THE SVCHOST.DLL] the one you want is the one with an S at the end.
    Then type “EXIT” to reboot the PC.

    When the PC reboots your PC problems should all be gone.

    Special Note of Interest: Out of all the cleanings I have done with this Parasite I have had one where the pop-up stayed on the taskbar, if this happens I have found out why and how to correct it too.

    The why is because it corrupted the user account in XP and it cannot be cleaned up.
    The fix is this:
    logon under your account.
    Go to start – control panel – user accounts
    Create a new account and a password and DO NOT make it private as of yet.
    After that is done:
    Right mouse click on start and click on Explore it will bring you up a folder list.
    Click on the tools – folder options and then click the View tab and go down to hidden files and click Show all hidden files, click apply and ok.
    Find the my documents folder and click on it, then hold your CTRL-A to select all files and then click on edit - copy and then expand out your new account name and find the my documents folder there, select it and then click edit and paste this will copy all your documents pictures and so on in the new account name.
    Do the same thing for your favorites and desktop.
    If you use Microsoft Outlook as your e-mail, open the program up and then click on file – import/export. Export to file and then select the .PST click the personal folder and then click all subfolders and then browse to your new account my documents and save it there.
    You will have to re-create the Email accounts but then you can import all your e-mail and contact lists.

    If you're using Outlook Express do the following steps listed above but you also have to open up the address book and do the same for it. And then re-create your e-mail account and you're back in business.

    After you have jumped thru all these hoops sign in as your new account, click on Start – Control panel and then click user accounts and delete the old account.

    When you logged onto your new account you should notice that the pop-up parasite was not there.

    Good luck all….And yes I want to kill the jerk that created this problem.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry but detailed procedures for fixing this are already covered in this forum here:

    Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

    SmitRem works just fine! Sometimes there may be a few residuals lying around but manual cleanup is simple after running the tool.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You also did not even post a complete fix! You are missing info. Like where you said:

    There should only be 3 Items listed here and they should look like this:


    and also the below.


    There should only be 3 OR 5 Items listed here and they should look similar to this:
     
  5. FrostyTSnowman

    FrostyTSnowman Private E-2

    Sorry I stepped on someone's toes, was just trying to help.
    And as for the smitrem it did not work and the one I d/l from the thread was infected.
    I completely went thru all your posts and there was a lot of info. in them but this is the total clean for the issue.
    Sorry again if I stepped on anyone's toes
     
  6. FrostyTSnowman

    FrostyTSnowman Private E-2

    Sorry about that lack of info, they were images and they did not carry thru
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not really a matter of stepping on toes! Your fix is incomplete and not necessary from what we have done in hundreds of threads. The SmitRem tool now covers multiple problems (Smitfraud, SpyAxe, SpySheriff etc) and it works. You just have to use it properly and you need the correct versions.

    My manual procedure worked too and you will notice the filenames you were mentioning.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also your registry keys are incorrect:

    [HKEY_LOCAL_MACHINE\SOFTWARE\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER]

    [HKEY_LOCAL_MACHINE\SOFTWARE\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD]

    These do not and should not exist. You need a Microsoft\ before the Windows
     
  9. FrostyTSnowman

    FrostyTSnowman Private E-2

    Hmmmmm, they are listed correctly in my document, but they did not carry over to the post.
    Attached is the document I created in MS Word
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And another observation is that you missed a few other files related to SpyAxe:

    ioctrl.dll
    svchosts.exe
    svclog.dll

    All normally in the system32 folder
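As an added, read-only example (not code from either poster or from the SmitRem tool), the PowerShell audit below covers the file list in post #1, the three extra files chaslang names in post #10, and the two load-point keys from post #1 with the Microsoft\ path component post #8 says is required. It assumes a current Windows PowerShell with the Registry provider; the search root, the directories checked and the label match for the "Reload Browser" entry mentioned in post #1 are assumptions, and the script only reports so the output can be checked against a backup before anything is removed.

```powershell
# Added example: read-only audit of the file names and registry load points discussed in this thread.
# Assumes Windows PowerShell; deletes nothing. Paths use Microsoft\ before Windows (per post #8).

# File names from post #1 (FrostyTSnowman) and post #10 (chaslang).
$SuspectNames = @(
    'svchosts.dll', 'mssearchnet.exe', 'msthost.exe', 'mscornet.exe',
    'mvsvol.tlb', 'ts.ico', 'ot.ico',
    'ioctrl.dll', 'svchosts.exe', 'svclog.dll'
)

# The two keys post #1 tells readers to inspect, corrected as post #8 describes.
$LoadPointKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

# Properties Get-ItemProperty adds that are not real registry values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SuspectFiles {
    # Looks only in %SystemRoot% and %SystemRoot%\System32 (assumed from "system32 folder" in post #10).
    param([string[]]$Directories = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32')))
    foreach ($dir in $Directories) {
        foreach ($name in $SuspectNames) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                # Hash lets you compare the file against a scanner or vendor report before acting.
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                [pscustomobject]@{ Path = $path; SHA256 = $hash }
            }
        }
    }
}

function Resolve-ClsidServer {
    # Maps a {CLSID} to the DLL registered as its InprocServer32, or $null if it is not a CLSID.
    param([string]$Candidate)
    if ($Candidate -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { return $null }
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Candidate\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    return (Get-ItemProperty -LiteralPath $key).'(default)'
}

function Get-LoadPointEntries {
    # SharedTaskScheduler stores the CLSID as the value name and a label as the data;
    # ShellServiceObjectDelayLoad stores a label as the name and the CLSID as the data.
    foreach ($key in $LoadPointKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $dll = Resolve-ClsidServer $p.Name
            if (-not $dll) { $dll = Resolve-ClsidServer ([string]$p.Value) }
            $leaf = if ($dll) { [IO.Path]::GetFileName($dll) } else { '' }
            [pscustomobject]@{
                Key            = $key
                Name           = $p.Name
                Data           = $p.Value
                InprocServer32 = $dll
                # Flag the "Reload Browser" label from post #1 or a DLL from the suspect list.
                Suspicious     = ("$($p.Name) $($p.Value)" -match 'Reload Browser') -or
                                 ($SuspectNames -contains $leaf.ToLower())
            }
        }
    }
}

function Find-RegistryKeyNames {
    # Mirrors the CTRL-F search in post #1, limited to key names under one hive path (slow on large hives).
    param([string]$Pattern = 'SpyAxe', [string]$Root = 'HKLM:\SOFTWARE')
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $Pattern } |
        Select-Object -ExpandProperty Name
}

# Usage: run from an elevated prompt and review each table before touching anything.
Get-SuspectFiles | Format-Table -AutoSize
Get-LoadPointEntries | Format-Table -AutoSize
Find-RegistryKeyNames
```

The script is deliberately split between files and load points because, as the thread shows, the file names alone are easy to confuse with legitimate ones (svchost vs svchosts), so the registry entry that actually loads a DLL is the better signal for what to examine first.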
     
  11. FrostyTSnowman

    FrostyTSnowman Private E-2

    I appreciate that bit of info.
    I have yet to see the SVCHOSTS.EXE but I have seen the svclog.dll
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The most common item missed (and several scanners will pick it up) is: ioctrl.dll
     
