Monday, December 05, 2005

Removing "SpyAxe"

The horror. I just spent 4 hours over the weekend disinfecting a PC from SpyAxe - a nasty piece of spyware/malware/trojan. This one snuck in while using Firefox, so you know it's nasty. The scurvy pigfu**ers who wrote this gem deserve to be loaded onto the next CIA rendition flight to an undisclosed black site for advanced interrogation. But we don't torture (wink wink, nudge nudge), oh no, of course not. Or so claims Secretary of State Condoleezza Rice today. Yeah, right.

Anyway, the symptoms of this infection are: a re-appearing SpyAxe desktop icon and annoying popups coming from the Taskbar notification area. Clicking on the popup launches Explorer and downloads more crap. A check of the running processes (Ctrl-Alt-Del, click the "Processes" tab) shows several rogue programs doing God only knows what: mssearchnet.exe and nvctrl.exe. Try to kill one of these manually and it just relaunches itself, so Task Manager alone won't get you anywhere. Not good. So here are the removal steps I followed.

  1. Backup, backup, backup! Any time your system is compromised, rule #1 is to immediately back up any critical data. That way, you are not totally screwed in the event of system failure. I don't mean that you should back up your entire system, since that would most likely also include the spyware/virus; just back up your latest project and/or key data (documents, not executables).

  2. Silence the Taskbar popups: right-click the Taskbar, select "Properties", then "Customize" under the notification area. The annoying icon is called something like "Virus Alert". Select the "Always hide" option to temporarily shut it up. This only hides the balloon; the malware is still running.

  3. Download HiJackThis and SpyAxeFix.exe. Get them from a site you trust (ideally on a clean machine, then copy them over), and never from anything the popup itself links to, since the whole point of the popup is to get you to download more of this stuff.

  4. Close all programs and run SpyAxeFix. It will restart your computer upon completion. After the restart, check your Taskbar - the Virus Alert icon should be gone (the malicious processes are still running, however, which is why the remaining steps are needed).

  5. Reboot the computer in Safe Mode (go to Start > Run > type "msconfig", under the BOOT.INI tab check "/SAFEBOOT", click OK, and restart). Pressing F8 while the machine boots and choosing Safe Mode gets you to the same place.

  6. Once in Safe Mode, remove the SpyAxe program using Control Panel > Add/Remove Programs.

  7. Go to C:\Windows (or C:\WinNT)\System32 and delete mssearchnet.exe and nvctrl.exe. If Windows refuses because a file is "in use", the rogue processes are still running, which means you are not actually in Safe Mode - go back to step 5.

  8. Run HiJackThis, do a system scan, check the O2 (Browser Helper Object) entry that includes "HomepageBHO", and click "Fix checked".

  9. Run regedit (Start > Run > regedit) and find this key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    You’re looking for the mssearchnet and nvctrl entries - delete them outright (right click, delete).

  10. Reboot in normal mode (Start > Run > msconfig, under the BOOT.INI tab untick "/SAFEBOOT", click OK, reboot). After the reboot, check the Processes tab again: if mssearchnet.exe or nvctrl.exe are back, something in steps 7-9 was missed.
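The ten steps above are all mouse work, and the thing you really want afterwards is a quick way to confirm the indicators are gone. The script below is an added example, not from the original post, that does the same checks from an Administrator PowerShell session: it looks for the two rogue images as running processes and as files in System32, for autostart values in the Policies\Explorer\Run key from step 9, and for a BHO named HomepageBHO from step 8, and removes what it finds when run with -Remove. Two assumptions: PowerShell did not ship with Windows XP in 2005, so this needs PowerShell 2.0 or later installed; and the check of the ordinary HKLM/HKCU Run keys is my addition, not something the post mentions.

```powershell
# Added example, not from the original post: audit the persistence points
# the post describes for the SpyAxe indicators it names, optionally remove them.
# Assumes PowerShell 2.0+ (not present on a stock XP box) and an Administrator session.
param([switch]$Remove)

# Indicators taken from the post: the two rogue images and the BHO name.
$badImages  = @('mssearchnet.exe', 'nvctrl.exe')
$badBhoName = 'HomepageBHO'
$sys32      = Join-Path $env:SystemRoot 'System32'

# Autostart locations to check. Policies\Explorer\Run is the key named in the
# post; the plain Run keys are an assumption added here, not from the post.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# 1. Running processes. Get-Process wants the image name without ".exe".
#    In normal mode these restart when killed (see the post), so the file and
#    registry cleanup below only sticks when run in Safe Mode.
foreach ($img in $badImages) {
  $base = [IO.Path]::GetFileNameWithoutExtension($img)
  foreach ($p in Get-Process -Name $base -ErrorAction SilentlyContinue) {
    $findings += "process $($p.Name) pid=$($p.Id)"
    if ($Remove) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
  }
}

# 2. Dropped binaries in System32 (step 7).
foreach ($img in $badImages) {
  $path = Join-Path $sys32 $img
  if (Test-Path -LiteralPath $path) {
    $findings += "file $path"
    if ($Remove) { Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
  }
}

# 3. Autostart values whose name or command line mentions either image (step 9).
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($prop in $props.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
    foreach ($img in $badImages) {
      $base = [IO.Path]::GetFileNameWithoutExtension($img)
      if ("$($prop.Name) $($prop.Value)" -match $base) {
        $findings += "autostart $key\$($prop.Name) = $($prop.Value)"
        if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name -ErrorAction SilentlyContinue }
        break
      }
    }
  }
}

# 4. Browser Helper Objects (step 8). Each subkey here is a CLSID; the CLSID's
#    default value and InprocServer32 path are what HijackThis shows as the O2 entry.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
  foreach ($clsidKey in Get-ChildItem $bhoKey) {
    $clsid  = $clsidKey.PSChildName
    $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
    $label  = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
    $dll    = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if ("$label $dll" -match $badBhoName) {
      $findings += "BHO $clsid ($label) -> $dll"
      if ($Remove) {
        Remove-Item -Path $clsidKey.PSPath -Recurse -Force -ErrorAction SilentlyContinue
        Remove-Item -Path $clsKey -Recurse -Force -ErrorAction SilentlyContinue
      }
    }
  }
}

if ($findings.Count -eq 0) { 'No SpyAxe indicators found.' } else { $findings }
```

Run it once without -Remove to see what it finds, then in Safe Mode with -Remove, then once more after a normal boot: an empty result the third time is the confirmation that step 10 is asking for.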
