Ok so I have spybot, ad-aware, and hijackthis installed and now this "spyware removal" program called spyaxe is on my pc, I know for a fact that spyaxe is spyware just by how it reacts to installing and uninstalling. I have googled on how to remove and cant seem to find anything, when going to support on their site it only asks you to email them. I prolly made a mistake by actually trying to remove from the add/remove program list, oops. Has anyone else had this and successfully removed without formatting??? If not, I guess it is time to setup a ghost image and create backups. :(

Thanks

Hi i have the same problem. But i did not install it i think. Do u also have a icon in ur taskbar displaying virus alert?
Also check ur system 32, look for mssearchnet.exe and nvctrl.exe
If u found the solution let me know.

Greetings

well i have gotten rid of mssearchnet however nvctrl which seems to run the virus alert has been deleted and does not show up in processes but still is in start menu, and I DLed msconfig but it does not show up in the startup. If you want directions to get rid of the majority of this I may be able to help, it rarely pops up for me since I edited the registry.

thanks for response, I was going crazy last night :)

See reponse #4 to Glennos at this link Computing.net #16942

Response Number 3 link

16934

Thanks Abnormal

You're welcome jabuck.

Found the cure to the SpyAxe popup activity! I actually got desperate enough to complain last night through their website email form. Tonight I got a reply from them stating a lot of complaints came thru due to affiliate's illegal advertising of their product. They provide a simple fix that really worked. Here is the instructions they sent:
------------------
In order to clean your PC from infections related to Spyware Axe product, please follow the instructions below:

1) Save Uninstallers.zip from http://www.spyaxe.com/uninstall/uninstallers.zip to your desktop or HDD.

2) Extract 2 files "illegal_adv_uninstall1.exe" and "illegal_adv_uninstall2.exe" to your desktop or your HDD using WinZip.

3) Execute both of them one by one by double-clicking with your mouse.

4) Reboot your PC

5) Your PC is now clean from the infections.
-------------

Thank you BMAC-Daddy! :-)

I just tried that out & it works. I still had to go to 'add/remove programs' under control panel to uninstall the SpyAxe program itself, but it appears my computer is now problem-free!

Thanks for having the courage to ask (I didn't-- I was afraid I might make things worse, I was so pissed).

I wonder if this 'illegal adevertising' story is true, or if this is just an 'escape hatch' for them when push comes to shove? What would someone ELSE (other than SpyAxe) gain by doing that?

Regardless of who is at fault here, it certainly soils their reutation big time!

J

THANK YOU BMAC-Daddy

I was afraid I was going to have to format (I was going to create a ghost image this time). That worked very well. Thanks again.

Thank you BMAC-Daddy!! I'm so glad I googled this website! This was one aggravating spyware problem and I'm indebted to you for getting the solution!

Spyaxe moved to corrupt antispyware list.

Why is there no mention on the SpyAxe homepage of the "problem" and the "cure"

A Google search on the SpyAxe site for "illegal" and "unninstallers" returns zilch!!

Highly suspicious, if you ask me.

A Google search on "SpyAxe" now shows a sponsored link at the top to XoftSpy, itself a malicious piece of c..p-ware.

I wouldn't be surprised if these two companies were the same or affiliated.

Look to "www.spywarewarrior.com" for further info

Help! I tried the above mentioned solution but the programs will not execute. The download and the extraction seemed to work OK but I still can't execute the files.

I was able to take care of the Windows portion of this program. But my home page is still rerouoting to http://www.syserror.com.
I've checked my IE set up and the home page has not been changed. So can anyone help with this problem?

Thanks!
Jim Smith

My IE is having the same problem even after clearing spyaxe with my home page being rerouted to the syserror.com web site related to spyaxe. Will removing and reinstalling Internet Explorer clear it??

Thanks,
Mike

Jim,

I ran Nortons antivirus with the IE browser open and it took care of the problem of rerouting my homepage back to syserror.com.
I did run the http://www.spyaxe.com/uninstall/uninstallers.zip programs first as instructed in message #7 by BMAC-Daddy. Hope it helps.

Mike

Jim, Mike,

I was unable to get rid of syserror.com with my antivirus software. I went into
Tools -> Internet Options -> Programs and clicked <Reset Web Settings>. I kept the box checked to "Also reset my home page."

Everything cleared up.

Gigi

by no means am i a pro, but what worked for me was to boot to safe mode, dlete everything with the date the error started from c:\windows\system32 including mssearchnet msvol ncompat nvctrl etc..... and rebooted and i was fine, so far, hope it works for u yo, spyware SUCKS Good look

Thankyou B-Mac daddy and 2leo. using these two solutions I think I have pretty much removed spyaxe from my system.

Was nieve enough to think my antivirus and firewall was protection enough against these things but obviously not!!
Now installed Ad-Aware SE which should hopefully help.

Any suggestions on other software to stop these sort of things??

I too am on this date trying to rid this menace from my daughter's laptop. I download the zipped SpyAxe uninstall from the link in BMAC-Daddy's post above, but it only contained a single file, "illegal_adv_uninstall". No noticable activity when the file is executed, and reboot provides no cure.

Does anyone still have the older two files that they can forward to me?

i think the b-mac daddy method doesnt work anymore for some reason. i too only get one file which is useless. i need the 2 files...anyone?

i need those 2 programs also, it took over my homepage and lower taskbar with a fake spyware warning..or just an website where i can download ....thanks

i can only get one of the file now too,
it took over my homepage and is rerouting it to updateyoursystem.com

If you are having spyaxe problems just start a new thread stating the problem.There are several methods of removal depending on the mutation but so far all can be removed.

Using the perpetrator's removal tool is seldom a good idea.

I found another cure that worked for me:
XoftSpy
can be downloaded from: http://www.paretologic.com/ (click on where it says free scan)

this was the only anti spyware or anti virus program that actually found Spyaxe on my computer and recoginised it as malware (this was my first indication that spyaxe wasnt ligitamate.
you will need to restart and let XoftSpy run at startup again to completely remove SpyAxe, this worked for me, good luck

DO NOT USE XoftSpy it is by same company as SpyAxe !! I have been researching this of a company SpyAxe.

They are trying to force you to buy their stupid software SpyAze.

Also, do not click on any of the sponsered adds on google when you do a search for SpyAxe !!! All the sponsered links are actually SpyAxe companies. I called Google myself today to complain. I advise everybody to call google and get them off...

They have a brilliant SCAM they Trojan you with SpyAxe then when you try to search for removal software they sell you their software. What a SCAM ! Nobody at Norton, Trend Micro know about this because it is a very new thing.

I have found the solution though after many many sleepless nights!

Go to www.ewido.net/en/download/ and download their 14 day trial.. Install it BUT DO NOT RUN it ! Go to SAFE MODE and then run it and then reboot, then un-install SpyAxe through the un-install feature and then go to Program Files and delete it's folder. This should work for you.

I am really angry at Google for allowing this to happen!

Hi, i am also suffering from the spyaxe problem.

I have ZoneAlarm, and it seems that after Winlogon asks to access the internet, the mayhem gets worse, i denied it but it didn't do anything. I have used the vendor's uninstall file, and it seems to have minimized the annoyance, but i realize now that it is still in the background.

After running trend micro's virus scan, mcaffee, adaware 6.whateveriscurrent, and spybot, the only thing that seems to have been of help was trend micro's virus scan. It detected mssearchnet.exe but could not delete it since it was "in use" and someone above is saying msvol, ncompat, and nvctrl are related and my browser has also been hijacked and sends me to updateyoursystem.com. I'm running windows xp home, but F8 doesn't seem to want to start safe mode after reboot, prior to thewindows screen.

In the task manager, nvctrl and mssearchnet won't respond to the end process command as they just come right back and will not allow for easy deletion from the windows/system32 directory.

How do i remove mssearchnet and nvctrl?

To stop the SpyAxe from reloading itself after delete, do this, it works.
I finally got rid of this adware/malware. The following seemed to take care of it:

deleted file C:\Windows\System32\svchosts.dll

Every anti-spyware tool i tried (AdAware, ewido, HijackThis) could not remove it.

I have no clue how this malware worked.

New removal tool

SpyAxeFix by Noahdfear

The download referenced in the link in Response #29 may contain a virus. AVG Antivirus flagged it as infected. Be careful if you download it!

Report false positive to AVG, NOT A VIRUS!
No anti-virus can remove this infection.

It takes trusted malware removers to make
tools to take up the slack.

The big boy's don't find anything.

AntiVir
Found SecurityPrivacyRisk/Processor.20
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found BAT/ExitWin
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found Tool.Prockill
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

http://virusscan.jotti.org/

In other words, scan everything else you download in the first place like the codec for a free video of behind the scenes filming of Harry Potter that got you the
infection in the first place.

And research the removal tool, before others
may give up and care less also.

sorry guys i just found something on zdnet that supports the don't download the solution from the wolf http://blogs.zdnet.com/Spyware/index.php?p=702

it even mentions the bogus posting of someone downloading the file that fixed the problem

i hope these guys fry. im playing tech support for relatives now and i HATE that

music for the muses and putting the indie in film
www.indiematrix.com
www.avantstrangel.com

Related post
http://www.spywarewarrior.com/viewtopic.php?t=17738

found spyaxe removal instructions here: spyaxe

I started having SpyAxe problems earlier today - it highjacked my homepage and continually popped up an alert message from my toolbar. I was finally able to get rid of it. Here is what I did.

1. Edited my registry and reset the home page and default home page (this took care of the homepage highjacking).
2. Downloaded and ran the latest version of Ad-Aware (Ad-Aware SE Personal 1.0.6.0) from www.lavasoft.com. Even though this found about 100 malicious objects, it did not recognize SpyAxe.
3. Rebooted in Safe Mode by running msconfig at command prompt and removed the SpyAxe program via Add/Remove Programs.
4. There was also a shortcut to SpyAxe in the Start Menu folder - deleted this too.
5. Rebooted in normal mode.

This took care of it!!!

spyaxe removal instructions

After removing SpyAxe as I described in Response Number #36, I noticed that my IE homepage was still being highjacked by SpyAxe.

I found the file that was causing SpyAxe to highjack the IE homepage. It is called hpA75B.tmp. This file will be in the folder C:\Windows\System32. Remove this file and your homepage will no longer be highjacked by SpyAxe.

Just fixed it using response #18... You don't need any of that other software.... Just get in safe mode and delete all Windows/System32 files that were installed the day you picked up the virus...
It is so frustrating when they do that to us.......

In windows XP just use system restore to go back to a earlier restore point.

I removed SpyAxe, but the homepage is stuck on http://www.updateyoursystem.com/ . Added to that some "Security Alert" balloon has been popping up every 20 seconds. It has something to the effect of "System encountered spyware that collects your personal data...cliuck here to find out more ways to protect your computer etc"
What do I do ? I was hit out of nowhere by this stupid thing.

Spyaxefix has been updated by noahdfear. It is integrated with his SmitRem tool and should now fix everything. I've updated my post to reflect this.

http://malwareremoval.com/plog/index.php?op=ViewArticle&articleId=48&blogId=3

Anduinl,

The file responsible for taking you to http://www.updateyoursystem.com instead of your homepage is c:\windows\system32\hpA75B.tmp. This file was put on your system by the good ole SpyAxe folks. I was having the same problem until I figured out that this file was causing this. Delete this file and this problem will stop.

Nick, thanks for the update info and
thanks to Noahdfear for the removal tool.
SpyAxeFix by Noahdfear

The BHO (browser helper object) Deerhunter
speeks of looks like this in a hijackthis log
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp5F56.tmp
O2 - BHO: (no name) - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hp59F7.tmp
O2 - BHO: (no name) - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp7138.tmp

http://www.castlecops.com/tk26075-hp_tmp_random_char_or_digit.html

Booting into safe mode and deleting all files with a date equal to or new than the infection date within the C:\Windows\system32 folder worked like a charm.

thanks for the fix,

Jeff

The safe mode method worked for everything except for deleting C:\Windows\System32\svchosts.dll. I had to rename it to svchosts.old, uninstall the SpyAxe program as well as the browser "Security" toolbar and boot up normally before it all went away. Either way, a big pain in the you-know-what!

Yup, the safe mode then delete approach killed the SpyAxe gremlin for me, though I also had to do the rename of one of the files and then go in safe mode again to delete it. Imagine my shock though when it resurected itself as I came back to add this - closed my IE window and upon re-launch took me to their page again, then the shield icons turned up! Seems OK on second attempt so far, though I did delete files from a few days before as well in case it snuck in on an earlier trojan.

I went the Safe Mode method as well, and was able to remove most of what I saw from that date as well. Including the blinking icon in the task bar. But I have a feeling there is more to this than what meets the eye. Spybot is still coming up the Smitxxx item and can't get it off. AVG as indicating that this Spyaxe allows others to come in on it's coat tail.
A few other forums are talking about it, seems like it has everyones attention, and AVG has a couple of updates already posted. But even though I stopped the bleeding, I do not think it is over.

my cure:
1/ neither anti-spyware nor antivirus programs cant help

2/try to remember the date and more important the time since when you have been having the problem

3/ go to safe mode = turn on PC and click F8

4/ go to C:\windows diretory and search for all the files which arose on the date of the problem start

5/ delte all the files, which arose on the date and time on which you got the problem, espceially mssearchnet.exe,nvctrl.exe.

6/ check with antivirus program all .tmp files in C:\windows\system or C:\windows\system32 direstories
if a trojan found, remove with antivirus or delete

7/go to start, run, enter "regedit" (write without inverted commas), go to
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\Browser Helper Objects and remove

8/ exit

9/ start - run - enter "netsh winsock reset"

10/ reboot

11/ go thorugh with anti-spyware and antivirus porgrams

12/ should be OK

I am getting there, However when I try to delete or rename svchosts.dll it will not let. It says file is in use by Windows.

What can I do to delete it?
(running windows 2000)

I tried multiple spyware utilities with no effect. Mcafee doesn't have an automated tool, but you can go to a forum on their site (Free Virus Removal and Support) called Virus Discovery and Removal Support and find a step by step guide that worked for me in about 15 minutes worth of work. Good Luck. A pox on the folks who created this Trojan.

http://forums.mcafeehelp.com/viewforum.php?f=49&sid=fb4fb84d549495cb8765cfd2b9b01148

Everyone's right about most of the security you currently have on your system not detecting SpyAxe. And most of this has already been stated somewhere in this forum, but this is all of it in easy numbered instructions.

The following worked for me:

1... Reboot in safe mode (pressing F8 repeatedly as soon as boot-up begins).

2... Go to C:\Windows\System32

3... Go up to "view", and select "details".

4... Go up to "view" again, and arrange icons according to LAST Modified.

5... Simply delete the ones with the date & time (or later than the date & time) that the infection occured. Some may reappear while you are doing this, so do a <ctrl><alt><del>, and select "processes". Kill the processes of files along the lines of mssearchnet, msvol, ncompat, nvctrl, and any other that seem to reappear.

6... While still in safe mode, Go to Settings/control panel/internet options, and under the "general" tab, delete cookies, delete files, and clear history. Switch over to the "programs" tab, and click "reset web settings," leaving checked the box saying "also reset my home page."

If there are files that it won't let you delete during this process, then rename them(change the extention to ".old" or something), and move them to the desktop (They are probably not associated with the infection.)

Reboot back into normal mode. Presto - everything should be fine! You may have to move any of those files that you renamed and moved to the desktop BACK to the C:\Windows\System32 folder.

In my case, I never did find any file named "svchosts.dll", so that may be why it was this easy. That last "s" is very important! REMEMBER: DO NOT delete "svchost.dll"!

I solved very quicly using a restore. I used the the one before the date I began with the problem it really get my nuts. Nobody has to buy spyaxe, they has to pay for what they are doing.

I've got the same thing.......i tried to go into system 32 and delete msseach, nvctrl and mscornet, but it won't let me delete because it says active files in use. When I go to taskmanager, mssearch keeps popping up after I try to select and end process.
I've got Spybot and Ad-aware and NOTHING. I realize this SpyAxe is the culprit itself and does anyone know why this software maker can't simply be shutdown???? I talked to the organizaiton trying to shutdown these guys and he said its referred to as extortionware. This stuff is driving me mad. I did download Mozilla which works ok, because this SpyAxe had hijacked my homepage taking be back to its offer to download their spytrooper and spyaxe.........

I think the best method would be to use the windows XP SYSTEM RESTORE feature.
I got the spyaxe 2 h before, tried to delete the associated exe's by startin in safe mode/command prompt but didn't help.
Then I restored my windows to a previous date.

Everything OK now.

THANK YOU BIRDIEGUY!! I LOVE YOU!!
I am a fourteen year old kid who wanted some game demos and what I got was a full scale attack on my computer.

I got rid of most but this one was tickin' me off and I knew if I told my dad what I did, well, let's not go there.

THANK YOU SOOOOOOOOO MUCH!

Greetings all,

Birdieguy's instructions helped this poor boy out. I am running Window XP Pro and it worked like a champ. I love forums like this and hope one day I can provide some useful info to you all. Thanks again.

You're welcome! However, I'm not completely convinced that the next time I reboot, it won't be back, so I've done another few hours of looking around, and was directed to this page. There's a TON of excellent stuff here in case anyone needs it:

http://www.spywareinfo.com/articles/hijacked/

It reminded me of one important additional thing I wish to add to my list from last night:

1 - Go to "Start", then "run", and type in "msconfig.exe".

2 - Select the Startup tab, and look to see if "SpyAxe" is listed. If so, uncheck it, click apply, and then OK. (IT WAS IN MINE, just now!)

I haven't tried the system restore feature. That kinda scares me, but GENTLEMAN may have something there.

I'm afraid to reboot, but when I do, if all this comes back (which I fear) I'll do everything I've done before, and then I'll be hitting hard the page I linked above.

Take care, all!

Every time I get rid of the things that you guys have said are infected, they just seem to come right back. What do you say we storm the 'spyaxe' headquarters and molitov cocktail their roof :)

Please help me remove this junk.
-Greg

Logfile of HijackThis v1.99.1
Scan saved at 5:57:56 AM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\Workspace Macro Pro 6.0\WMPHotkeys.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Documents and Settings\Kelli\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp327A.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Workspace Macro Pro Hotkeys.lnk = C:\Program Files\Workspace Macro Pro 6.0\WMPHotkeys.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Thanks Birdieguy. I got infected today with Spyaxe and tried your method. It worked as i managed to detect the file "ioctrl.dll" instead of "svchost.dll". I renamed the .dll extension to .old. This should temporary solve the problem until antispyware tools such as adaware comes out with their latest definition.

Stay cool!

CORRECT SPUNKY- Saved my ass- It appears that svchosts.dll is so early November- THE NEW OFFENDING FILE IS IOCTRL.DLL. It will be in your Win32 folder. It must be killed using Killbox. As soon as I murdered it in Safe Mode, the damn popup in the tray (which even ran in safe mode) poofed. Dead.

So they got smart and re-named the DLL.

Fox

Hello all, Thanks for the info! I think i got it ok. I`m no tech of any means but the info was invaluable! I think i did this right . The only thing i dont know if it was right was the svchosts.dll . It wouldnt delete so i changed the dll to old. Is this what i was supposed to do? Everything stopped for now so maybe i`m on the right track. By the way i got this thing from downloading adobe reader so i could read a bus schedule from my local county website! Let me know if i need to change anything. Thanks again Guys!!

All the credit goes to Birdieguy...I bow to you my friend!!

I tried to put it all in very simplistic terms for people that aren't that computer savvy to understand. It was quite a challenge for me to say the least. If I forgot something please let me know :)
Start your computer and push "F8" vigorously till you come to a black screen. At the top of the black screen you'll see "Safe mode", using your arrows scroll up, highlight it and hit "enter". This will take you to a screen that will allow you to access your desktop. Wait till your desktop appears. Go to start menu...then click "search"...then click "files and folders in C Drive"...then search for "ioctrl.dll"...right click on "ioctrl.dll" and at the bottom you'll see "rename"...rename it to "ioctrl.old"...then restart your computer in normal mode and it shouldn't show up in the icon tray. Using the same process to search for a file as I stated above from the start menu, find the file "ioctrl.old"...right click it and hit delete...it should take a short trip to your recycle bin...now delete it from there also...nice huh...it works :) Now go find the file from response #43 and delete it also. It would also probably be a good idea to delete anything in "System32" that has shown up there since the whole problem started...all this really isn't that diffucult...GOOD LUCK!!

PS >> Instead of the file "ioctrl.dll", you might find "svchosts.dll", just rename the "dll" part to "old" it should work for either one.

Paul

MS is trying (they don't want IE to drop another 10-20 points)

Use tools and Advance to get best use of the program

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Spyware Scan Details
Start Date: 12/12/2005 9:23:36 AM
End Date: 12/12/2005 9:29:43 AM
Total Time: 6 mins 7 secs

Detected Threats

SpyAxe Potentially Unwanted Software more information...
Details: SpyAxe is an antivirus/antispyware program confirmed to be installed via Trojan Exploit on some websites. In addition to the application itself, a toolbar may be installed as well.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
C:\Program Files\Security Toolbar\Security Toolbar.dll
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr7BDD\SpyAxe.exe
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr7BDD\uninst.exe

Detected Spyware Cookies
No spyware cookies were found during this scan

its good that All spyware removers started adding spyaxe to their removal lists.
anyway they are a bit late. Spyaxe spread a lot.
Anyway from my personal research the first program which added spyaxe to their removal list (and it was a month ago) was spyware doctor. A bit later added spysweeper, counterspy. Adaware and Msantispyware added just few days ago. I saw post that spyware doctor remove spyaxe without comming back, spysweeper has some issues.

Hi,

I was just wondering if anyone had any new solutions to this problem? I've tried everything and can't get rid of it. I've used Norton antivirus, panda, hijackthis, smitrem, killbox, ewido, adaware and still nothing! I've also tried to remove all svchosts.dll files,

Thanks

I would just like to say a massive thanks to phorr20 (Paul) for making the solution so simple. I'm not the best with computers and I found this solution works a treat. At last I have got rid of the annoying pop-up speech bubble! It was ioctrl.dll I had to get rid of and not svchosts.dll. Hopefully it won't come back again! Now if only I could think of a way of getting SpyAxe back...

Thanks, Paul...my system is free of Spy Axe!!!

Birdieguy is the one that had the solution...I just got more detailed on how to do it. I'm glad we could help!

Paul :)

I have a problem: neither ioctrl.dll nor svchosts.dll are found on my computer! Please help, this program is driving me nuts!

Huge thanks to both Birdieguy and Phorr20 !!

My system is finally SpyAxe FREE!!!

Just doing full system scans with Norton and Trend Micro AntiSpyware , defrag and all should be as fast as ever !!

Thanks again !!!!

Pete

Go to the start menu...search in "Local Hard Drives (C:)" for "system32"...the system32 folder should show up...open it...go up in the top left corner of the page and click "VIEW"...when that opens click "details"...that should make it easier to search for it. They should be alphabetized...also look for folders that were created about the same time the problem started. If you don't find either folder there...I don't think I can help you...it's the only way I know...Good Luck!! If I forget something someone please let me know!

Paul :)

ummmmmmmmmmmmmm.......... this is that fourteen year old kid, and I restarted my computer once more and spyaxe appeared again. I was nervous and decided to take another look at this forum, and saw that I had forgotten to delete ioctrl.dll. I just did this and I am too afraid to restart again. I also see that people are saying this is a temporary fix.......oh, god PLEASE tell me this is a full fix, I have no idea what to try if it comes back, AGAIN!:(

Thank you Birdieguy!

However, being the novice as I am, I nedd to ask one follow-up question.

SpyAxe is still in my Start menu (Start - All Programs - Spyaxe)

I have no more problems with pop-ups and so on, so the REAL treath is gone.
I would howver be happy to get totally rid of spyaxe. I'm a bit affraid of messing arround with is as it may be a "sleeping bear"...

Please advice!

ty!

ET

Many thanks to "Birdieguy" and to "phorr20" for the simplification of the process (I'm a complete duffer on these matters)

I followed the instructions from "phorr20" the problem appears to be sorted, I could not find c:\windows\system32\hpA75B.tmp. being from response 43 (DeerHunter)I may need another simplification from "phorr20" to find this or it may not exist.
Again many thanks to you both (and to DeerHunter, who I am sure has given sound advice).
Merry Christmas and a Happy New Year to all (except obviously those B***ards at spyaxe).

Hi,
Thanks again to the advice on this forum that helped me get rid of the annoying pop-ups from spyaxe. I know this may sound like a stupid question, but since spyaxe came on my computer, the borders for my microsoft programs (Search, favorites, back buttons etc.) has changed to what seems like the older version. I know it's just an aesthetic problem but it would be nice to change it back to the modern look! I was wondering if anyone knew how to change this? I've searched 'help' and can't find any solutions there.
I also still have spyaxe in my start menu, but I'm not touching it in case it all starts again!
Thanks to everyone and Merry Christmas!

ET (#74)...go to your start...find it in your programs and uninstall it...everything should be alright. I'm no co