Spyaxe Virus

Donald Kenney (donaldkenney@gmail.com)
Last Update: Mon Jun 22 10:10:50 2009



Introduction

I've just finished removing an especially nasty virus from my wife's Windows XP PC. At least I hope I have.

The thing is called Spyaxe.

Spyaxe has apparently been around a while. Its most obvious and annoying feature is an icon in the system tray that spews out a steady stream of warnings about the computer running slowly, being infected with spyware, running without virus protection, etc., etc., etc. It posts occasional bright red-orange virus alerts attributed to the Windows Security Center, and occasionally opens a browser window pointing to a spyware remover site. It also disables the task manager such that pressing ctrl-alt-del produces a message that the Task Manager has been disabled by the System Administrator. It replaces the screen theme with a blue background with a message about spyware infestation tastefully displayed in yellow. In our case, it also apparently downloaded a wide variety of adware, trojans and viruses and installed them on the PC. And oh, yes, it monitors attempts to remove it and tries to prevent removal. And it runs as a process in Safe Mode, making Safe Mode ... well, Unsafe.

I believe that there are a number of variants of the program with different system tray icons and other changes. In our case, the system tray icon was a yellow triangle with a black exclamation point in it.

One problem I ran into when trying to remove Spyaxe is that the volume of dubious advice on the Internet for dealing with malware seems to be increasing steadily over time. Most of the advice I found was to download any of about 20 different removal tools along with a lot of messages saying that most of the tools don't work. I have nothing against downloading removal tools, but I had removed the network cable from the PC and didn't especially want to reattach it since my guess was that the first thing Spyaxe would do when the network was reconnected would be to download a selection of additional viruses that might be even more difficult to dislodge.

If you have a Spyaxe infestation, and want to try a removal tool, here's a link. Is it safe? Will it work? I haven't a clue.

Here's what I did to get rid of Spyaxe:

1. Disconnected the network cable. If I didn't have a copy of HijackThis on the PC, I'd have downloaded it before cutting the network connection.

2. Ran an antivirus scanner (Avast) without rebooting to clear some of the trash out. It did NOT find and remove everything. In particular, it did not kill Spyaxe.

3. Rebooted with F8 depressed to get into SAFE MODE. To my disgust, Spyaxe spits on my Safe Mode and sits in the System Tray spewing specious messages. I run Avast again anyway. As I expected, it does not find or remove Spyaxe.

4. Ran HijackThis -- a simple and safe tool that checks all the known ways for autostarting a Windows program. I then went through the output and, on another computer, checked each and every program being automatically started to see if it was a real and useful Windows component. If it was, I added it to the ignore list.

Note 1: watch out for helper programs like Userinit.exe or Rundll32.exe. These programs are legitimate Windows components that can start another executable whose name will follow theirs. If the name of the executable being started by the helper is OK, ignore the entry.

Note 2: Occasionally malware will hide in a file with the name of a legitimate component, but in the wrong directory. I didn't encounter any of these, but you might.

5. Ran HijackThis again and marked everything it found (all the stuff not in the ignore list) to be "fixed" (i.e. removed). I removed the virus entries and rebooted to SAFE MODE as quickly as I could, hoping that I could get a reboot before Spyaxe put all the bad stuff back.

6. Rebooted to SAFE MODE. The bad news: Spyaxe is still there. The good news: HijackThis sees only one dubious startup entry instead of three dozen. I removed it and rebooted.

7. Rebooted to SAFE MODE. This time Spyaxe is not running and HijackThis sees no dubious entries.

8. Ran Avast again to clear out malware files even though there is now hopefully no way that they can be invoked.

9. Ran Regedit and searched for the string DisableTaskManager. For each entry that was not 0, selected modify and set it to 0. After doing that, Control-Alt-Delete now brings up the Task Manager.

10. Rebooted to normal mode. Clicked Run, Control Panel, Display, and clicked the Theme and changed it to Windows Classic in order to get rid of the "spyware infestation" theme. (You can certainly use another theme if you are not one of us folk who believe that Windows has been sliding into chaos ever since it peaked at Windows 95 OSR2.)

11. Let the computer run for a while to verify that Spyaxe has not been hiding somewhere.

12. Reconnected the network cable.

13. Found that the task manager was disabled again in Normal Mode. Ran Regedit and manually sought out HKCurrentUser\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskManager and set it to zero.

14. Ran Avast and Ad-Aware in order to take a whack at any remaining Viruses/Spyware/Adware/etc.

And lo and behold, it finally seems to be fixed.
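As an added example (not the author's code, and not HijackThis output), here is a small Python triage of startup entries in the spirit of step 4 and its two notes: it unwraps helper launchers such as rundll32.exe and userinit.exe to the path they really start, and flags a known component name sitting in the wrong directory. The O4 line shape, the allowlist of known components and the sample log lines are all constructed assumptions.

```python
import re
import ntpath

# Constructed allowlist (an assumption for this example): legitimate XP autostart
# components and the directory each should live in; a real list would come from
# the per-name check on a second machine that the write-up describes.
KNOWN = {
    "ctfmon.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "ashdisp.exe": r"c:\program files\alwil software\avast4",
}
HELPERS = {"rundll32.exe", "userinit.exe"}  # Note 1: they start whatever follows
# Approximation of a HijackThis O4 line: O4 - <hive>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def tokens(cmd):
    """Split a command line on whitespace and commas, keeping quoted paths whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]+)"|([^\s,]+)', cmd)]

def real_target(cmd):
    """Return the path that actually runs: unwrap one helper level if present."""
    toks = tokens(cmd) or [""]
    if ntpath.basename(toks[0]).lower() in HELPERS and len(toks) > 1:
        return toks[1]  # the executable or DLL the helper launches
    return toks[0]

def classify(path):
    """ok, wrong-directory (Note 2), no-path, or unknown for one resolved path."""
    name, folder = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
    if name not in KNOWN:
        return "unknown"
    if not folder:
        return "no-path"  # bare name: cannot tell which copy would run
    return "ok" if folder == KNOWN[name] else "wrong-directory"

def triage(log_lines):
    """Map each O4 value name to its verdict; lines of other types are skipped."""
    matches = (O4_RE.match(line.strip()) for line in log_lines)
    return {m["name"]: classify(real_target(m["cmd"])) for m in matches if m}

SAMPLE_LOG = [  # constructed lines in the shape above, not a real HijackThis log
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"',
    r"O4 - HKCU\..\Run: [example1] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\placeholder.dll,Start",
    r"O4 - HKLM\..\Run: [ctfmon] C:\DOCUME~1\USER\LOCALS~1\Temp\ctfmon.exe",
    r"O4 - HKLM\..\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Temp\placeholder.exe",
]
```

Anything reported as unknown or wrong-directory is what the write-up's second-machine check was for; ok entries are candidates for the ignore list.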

Point 1: This took a great many hours that I would rather have spent doing something else -- about 14 overall. If I were billing my time, I'd have to bill about $500 to fix a PC that is maybe worth $200. ... And I work cheap ... really.

Point 2: Why didn't I just reinstall? Because by the time I managed to get XP reinstalled and the important software reloaded and the backed up data restored to the proper places (without inadvertently reinstalling the malware) and the bugs ironed out, and everything tested, I would have put in about 14 hours.

Point 3: How about Restore checkpoints? How about them indeed? The first thing that modern malware tries to do after it secures a beachhead and digs in is to either install itself in the restore files or corrupt them so they are unusable.

Point 4: Unlike MSDOS and Unix, Windows cannot be restored by installing a couple of bootstrap files and then simply copying the rest of the files from a backup.

Point 5: I was actually lucky. If Spyaxe were a bit better engineered, the approach I used wouldn't have worked because it would have fully reinstalled all its pieces every time I managed to remove any one of them. Future malware probably will be better engineered. There is a war going on between malware and malware removers. The malware is winning.

Point 6: Windows wasn't that great an OS to begin with. In the presence of advanced malware, it looks to be changing from a mediocre OS to an unusable OS.