
How Did My Computer Become Infected with SpyAxe, Spy Sheriff, Brave Sentry, etc?
If your computer has become infected with one of these "spyware removal programs", then you were probably infected through a Windows exploit discovered on December 26, 2005 called the WMF exploit, or through another exploit called the VML exploit that was discovered in September 2006. These exploits affect Windows XP/2000 and Windows 2003 Server-based computers. Microsoft describes the WMF exploit in its security bulletin this way:
A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
This exploit, and other similar unpatched problems, open the way for a variety of trojans, viruses, spyware and other malware to attack the system. Most of these attacks happen through an automatic download from an infected web page, which means that if you do not have the patch installed for the Windows Meta File (WMF) exploit or the Vector Markup Language (VML) exploit, simply visiting a particular web page can infect your computer. Sunbelt Software, makers of CounterSpy, compiled a list of malicious web sites where this exploit was being used. Some of these sites are listed below (do not visit these sites or your computer will be infected).
008k[dot]com
600pics[dot]com
beehappyy[dot]biz
buytoolbar[dot]biz
crackz[dot]ws
dailyfreepics[dot]us
keygen[dot]us
iframeurl[dot]biz
m.cpa4[dot]org
mscracks[dot]com
mmxo.megaman-network[dot]com
pornsites-reviews[dot]com
teens7[dot]com
unionseek[dot]com
www.tfcco[dot]com
Viruses like Troj.Zlob.AN, which was the main trojan spreading the SpyAxe problem, and other viruses, trojans, and spyware then load onto the compromised computer after the initial problem. Unfortunately, an exploit such as this has created more than 100 different varieties of malware problems. Many times the Task Manager will be disabled, the computer's date will be changed, and the computer will slow down considerably after such an infection. Also, the home page may be pointed to sites like http://www.updateyoursystem.com/, http://www.safetyuptodate.net or http://www.needupdate.com/, which pose as online security centers telling visitors their computers are infected with the W32.Sinnaka.A@mm worm. That worm does exist, but it is not part of this exploit; it's just another smoke screen to scare visitors into buying a spyware removal tool that most likely won't clean their system anyway. A screenshot of one of these sites is below:
HijackThis will show various problem files; a typical HijackThis log from a computer infected with this issue will look similar to the one below. You'll notice the HOSTS file entries rerouting internet queries for banking, credit cards, etc. to an overseas IP address.
Logfile of HijackThis v1.99.1
Scan saved at 1:14:40 PM, on 3/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Test\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phillipswest.org
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe
O1 - Hosts: 84.252.148.80 www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 halifax.com
O1 - Hosts: 84.252.148.80 www.halifax.com
O1 - Hosts: 84.252.148.80 halifax.co.uk
O1 - Hosts: 84.252.148.80 www.halifax.co.uk
O1 - Hosts: 84.252.148.80 www.bankofamerica.com
O1 - Hosts: 84.252.148.80 bankofamerica.com
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.com
O1 - Hosts: 84.252.148.80 lloydstsb.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 www.garanti.com.tr
O1 - Hosts: 84.252.148.80 garanti.com.tr
O1 - Hosts: 84.252.148.80 www.kocbank.com.tr
O1 - Hosts: 84.252.148.80 kocbank.com.tr
O1 - Hosts: 84.252.148.80 www.disbank.com.tr
O1 - Hosts: 84.252.148.80 disbank.com.tr
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 84.252.148.80 chase.com
O1 - Hosts: 84.252.148.80 www.southtrust.com
O1 - Hosts: 84.252.148.80 southtrust.com
O1 - Hosts: 84.252.148.80 www.wachovia.com
O1 - Hosts: 84.252.148.80 wachovia.com
O1 - Hosts: 84.252.148.80 www.wellsfargo.com
O1 - Hosts: 84.252.148.80 wellsfargo.com
O1 - Hosts: 84.252.148.80 www.barclays.co.uk
O1 - Hosts: 84.252.148.80 barclays.co.uk
O1 - Hosts: 84.252.148.80 www.barclays.com
O1 - Hosts: 84.252.148.80 barclays.com
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.citi.com
O1 - Hosts: 84.252.148.80 citi.com
O1 - Hosts: 84.252.148.80 www.citibank.com
O1 - Hosts: 84.252.148.80 citibank.com
O1 - Hosts: 84.252.148.80 www.etrade.com
O1 - Hosts: 84.252.148.80 etrade.com
O1 - Hosts: 84.252.148.80 www.neteller.com
O1 - Hosts: 84.252.148.80 neteller.com
O1 - Hosts: 84.252.148.80 tcfbank.com
O1 - Hosts: 84.252.148.80 www.tcfbank.com
O1 - Hosts: 84.252.148.80 hsbc.com
O1 - Hosts: 84.252.148.80 www.hsbc.com
O1 - Hosts: 84.252.148.80 hsbc.co.uk
O1 - Hosts: 84.252.148.80 www.hsbc.co.uk
O2 - BHO: HBO Class - { 5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20004.02.00.dll
O3 - Toolbar: &Radio - { 8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [keyboard] c:\keyboard1.exe
O4 - HKLM\..\Run: [mousepad] c:\mousepad1.exe
O4 - HKLM\..\Run: [gimmysmileys] c:\gimmysmileys1.exe
O4 - HKLM\..\Run: [skoonqaA] C:\WINDOWS\skoonqaA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys011606072759-] C:\WINDOWS\sys011606072759-.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\System32\slk8x2peu.exe"
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [{ 54-46-64-49-ZN}] c:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\twinrrag.exe CORN001
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - HKLM\..\Run: [System service] C:\WINDOWS\System32\system.exe
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\System32\msoff.exe
O4 - HKLM\..\Run: [rscn] C:\WINDOWS\System32\bum83.exe ymmud
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\Test\LOCALS~1\Temp\A.tmp
O4 - HKCU\..\Run: [qkom] C:\PROGRA~1\COMMON~1\qkom\qkomm.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe
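The log above is long, and the three things that matter for cleanup (HOSTS entries pointing well-known bank and payment domains at one outside address, autostart entries launching from odd folders, and Winlogon Notify hooks) are scattered through it. The script below is an added example written for this page, not code from the article or from HijackThis. It parses the O1, O4 and O20 line formats as they appear in the log above, groups the HOSTS redirections by destination IP, and flags Run-key programs that live in the drive root, in C:\WINDOWS or C:\WINDOWS\System, in a Temp folder, or in an inetNNNNN folder; that "odd location" rule is a heuristic assumption of this example, not a HijackThis feature. The sample log embedded in it is a constructed excerpt of lines copied from the log above.

```python
"""Triage a HijackThis log for the hosts-file hijack and startup entries seen
in the log above. Added example for this page, not code from the article or
from HijackThis; the line formats parsed (O1, O4, O20) are taken from the
log shown above, and the "suspicious directory" rule is a heuristic
assumption, not a HijackThis feature."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phillipswest.org
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\Test\LOCALS~1\Temp\A.tmp
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

# Heuristic (assumption): autostart binaries sitting directly in the drive
# root, in C:\WINDOWS or C:\WINDOWS\System, in a Temp folder, or in an
# inetNNNNN folder are unusual for legitimate software.
SUSPECT_DIR_RE = re.compile(
    r"^(?:[a-z]:\\|[a-z]:\\windows\\|[a-z]:\\windows\\system\\|.*\\temp\\|.*\\inet\d+\\)[^\\]+$",
    re.IGNORECASE,
)


def _command_path(command):
    """Return the executable path from a Run-key value, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(log_text):
    """Return hosts-file redirections grouped by destination IP, autostart
    entries in suspicious locations, and every Winlogon Notify entry."""
    hijacks = defaultdict(list)
    run_suspects = []
    winlogon_notify = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            try:
                addr = ip_address(ip)
                benign = addr.is_loopback or addr.is_unspecified
            except ValueError:
                benign = False  # not even an IP address: worth a look
            if not benign:
                hijacks[ip].append(host)
        elif m := RUN_RE.match(line):
            hive, key, name, command = m.groups()
            path = _command_path(command)
            if SUSPECT_DIR_RE.match(path):
                run_suspects.append((hive + "\\" + key, name, path))
        elif m := NOTIFY_RE.match(line):
            winlogon_notify.append(m.groups())
    return {
        "hosts_hijacks": dict(hijacks),
        "run_suspects": run_suspects,
        "winlogon_notify": winlogon_notify,
    }


def report(findings):
    """Print the findings in the order a cleanup would look at them."""
    for ip, hosts in findings["hosts_hijacks"].items():
        print(f"HOSTS hijack -> {ip}: {len(hosts)} domain(s): {', '.join(hosts)}")
    for key, name, path in findings["run_suspects"]:
        print(f"Autostart in odd location: {key} [{name}] {path}")
    for name, path in findings["winlogon_notify"]:
        print(f"Winlogon Notify (Killbox if it will not delete): {name} -> {path}")


if __name__ == "__main__":
    report(triage(SAMPLE_LOG))
```

Run against the full log above, the HOSTS section collapses to a single line naming 84.252.148.80 and the count of financial domains pointed at it, which is the quickest way to see that the redirection is one coordinated hijack rather than a stray entry. The location heuristic deliberately does not flag System32, so the entries there still need the manual review step 6 describes.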
What's the Best Way to Remove SpyAxe, Spy Sheriff, Brave Security, Spy Trooper and other problems?
After intentionally infecting a test computer with Spy Sheriff, Brave Security and a couple of other variations of this problem, I have come up with a multiple-step approach to cleaning the system. Unfortunately, because this exploit opens the door for several different trojans, viruses, and spyware programs to attack your computer, you'll need a few pieces of software to delete these problems effectively.
Before attempting this removal procedure, download the following removal tools to your desktop and install them.
SmitRem by NoahdFear - Tool to remove Spyaxe, SpySheriff, PSGuard, WinHound, and other issues
Ewido Anti-Malware - Highly recommended anti-malware, anti-spyware program
HijackThis 1.99.1 - Essential tool for finding spyware, virus, trojan, and other problems
CCleaner - Free tool for removing temporary files, cookies, history, and cleaning up registry problems
Killbox - useful program to delete files that are "in use" by Windows preventing normal deletion
Removal Procedure
1) Download the programs above to your desktop, then extract and install them. Then update the signatures for Ewido Anti-Malware. Once this is complete, reboot your computer in Safe Mode.
2) Open the SmitRem folder and double-click on RunThis.bat to start the SmitRem removal procedure. Besides removing the particular files it looks for, the tool also runs the Disk Cleanup tool to remove temporary files on the hard drive that may contain problem files. For a tutorial on using SmitRem, click here.
3) After SmitRem has finished, open Ewido Anti-Malware and run a full system scan deleting anything it finds.
4) While still in Safe Mode, run CCleaner. Analyze and Clean files it finds, then click on the Issues button on the left side of the screen and Scan and Fix any Registry issues CCleaner discovers. Run both the Registry Scanner and the File Analyzer until nothing else is found.
5) Search for and manually delete the following directories and files if they remain.
svchosts.dll
wbeconm.dll
webconm.dll
mssearchnet.exe
mscornet.exe
nvctrl.exe
spyaxe.exe
netwrap.dll
ntzl.exe
ioctrl.dll
intelli321.exe
hpA75B.tmp or all the files similar to hpXXXX.tmp where X may be any character.
c:\windows\inet20004 or c:\windows\inetXXXXX directory (where X represents a random number) and all files
C:\Program Files\SpyAxe
C:\Program Files\Spy Sheriff
C:\Program Files\SpywareQuake.com
C:\Program Files\BraveSentry
C:\Program Files\AlfaCleaner
C:\Windows\System24
C:\Windows\System3224
C:\Winnt\System3224
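Searching a whole drive by hand for the names in step 5 is slow and easy to get wrong, particularly for the wildcard entries (hpXXXX.tmp and the inetXXXXX folder). The script below is an added example for this page, not a tool from the article; it takes the file names, folder paths and the two wildcard patterns from the list above and walks a directory tree reporting whatever still matches. The tree it scans is a constructed fake system drive built in a temporary directory, so it runs offline on any operating system; on a real machine you would point find_residue at the drive root instead.

```python
"""Check a drive for the leftover files and folders listed in step 5. Added
example for this page, not a tool from the article; the names and patterns
come from the list above, and the demo tree it scans is constructed here."""
import os
import re
import shutil
import tempfile
from pathlib import Path

# File names from step 5, matched anywhere under the root, case-insensitively.
RESIDUE_FILES = {
    "svchosts.dll", "wbeconm.dll", "webconm.dll", "mssearchnet.exe",
    "mscornet.exe", "nvctrl.exe", "spyaxe.exe", "netwrap.dll", "ntzl.exe",
    "ioctrl.dll", "intelli321.exe",
}
# Folders from step 5, relative to the drive root (lower-cased, '/' separators).
RESIDUE_DIRS = {
    "program files/spyaxe", "program files/spy sheriff",
    "program files/spywarequake.com", "program files/bravesentry",
    "program files/alfacleaner", "windows/system24", "windows/system3224",
    "winnt/system3224",
}
TEMP_PATTERN = re.compile(r"^hp.{4}\.tmp$", re.IGNORECASE)  # hpA75B.tmp and similar
INET_PATTERN = re.compile(r"^inet\d+$", re.IGNORECASE)      # inet20004 and similar


def find_residue(root):
    """Walk the tree under root and return sorted relative paths of anything
    matching the step-5 lists (files by name, folders by relative path)."""
    root = Path(root)
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for name in dirnames:
            relpath = (rel / name).as_posix()
            # inetNNNNN folders only count when they sit directly under Windows/Winnt
            inet_leftover = INET_PATTERN.match(name) and rel.name.lower() in ("windows", "winnt")
            if relpath.lower() in RESIDUE_DIRS or inet_leftover:
                found.add(relpath)
        for name in filenames:
            if name.lower() in RESIDUE_FILES or TEMP_PATTERN.match(name):
                found.add((rel / name).as_posix())
    return sorted(found)


def build_demo_tree():
    """Construct a fake system drive (sample data, nothing real) containing a
    few leftovers from the list plus legitimate files that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="fake_drive_"))
    for d in ("WINDOWS/system32", "WINDOWS/inet20004", "WINDOWS/Temp",
              "Program Files/SpyAxe", "Program Files/Messenger"):
        (root / d).mkdir(parents=True)
    for f in ("WINDOWS/system32/kernel32.dll", "WINDOWS/system32/nvctrl.exe",
              "WINDOWS/Temp/hpA75B.tmp", "WINDOWS/Temp/report.tmp",
              "WINDOWS/inet20004/services.exe", "Program Files/SpyAxe/spyaxe.exe",
              "Program Files/Messenger/msmsgs.exe"):
        (root / f).write_bytes(b"")
    return root


def run_demo():
    """Build the demo tree, scan it, clean it up and return what was found."""
    root = build_demo_tree()
    try:
        return find_residue(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for item in run_demo():
        print("leftover:", item)
```

The script only reports; deleting is left to you, in line with the article's own advice not to remove anything you are not sure about. Note that the inet folder is reported as a whole, matching the instruction to remove the directory and all of its files, so the services.exe inside it does not need a separate entry in the list.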
6) Run HijackThis and remove any leftover issues. If you are not sure whether a line in HijackThis is a problem, reboot in Normal mode and use the online HijackThis scanner to see if the file is a threat. Just copy and paste your HijackThis log into the scanner and let it analyze it for you. Although it's not perfect, it will give you an idea whether your system is clean or still needs some work. Do not delete anything with HijackThis unless you are absolutely sure what the file is and what it does.
For items in the HijackThis log like the following, which will not delete manually, use Killbox to browse to the location of the file and delete it, or delete it on reboot. Items that are impossible to remove without Killbox usually show up in the O20 section of HijackThis.
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: winrir32 - C:\WINDOWS\SYSTEM32\winrir32.dll
O20 - Winlogon Notify: dvd4free - C:\WINDOWS\SYSTEM32\dvd4free.dll
7) Reboot computer in Normal mode
8) Fix your desktop wallpaper: go to Control Panel, double-click on Display, and on the Desktop tab make sure the background wallpaper is correct. Then click on Customize Desktop and click on the Web tab; this is usually where active components such as web pages have taken over your desktop. Delete any problems here and click OK twice to leave the Display settings. Return to your desktop and check to make sure it's correct.
9) Scan your computer with an online virus scanner such as Housecall, BitDefender, or eTrust, or download and install an antivirus program and run a complete scan. A list of online scanners is below; some, however, will only scan for but not remove issues.
Online Virus Checkers
Trend Micro Housecall - will scan and remove threats
BitDefender Scan Online - will scan and remove threats
Ewido Online Scanner - will scan and remove threats
Panda Activescan - appears to only scan for but not remove threats
McAfee FreeScan - appears to only scan for but not remove threats
eTrust Antivirus Web Scanner - will scan and remove threats
Symantec Security Check - will scan and remove threats
Dr.Web Online Check - user can upload and test for threats on particular files
Trojan Scanner
TrojanScan by WindowsSecurity.com
Free Antivirus Programs to Download
ANTI-VIR
AVAST
AVG
You may also want to run a thorough scan for adware/spyware using Ad-aware SE, Spybot Search and Destroy, or Microsoft Antispyware now known as Windows Defender as well to make sure your system is absolutely clean of other malware.
Congratulations! Your computer should be free of the dreaded SpyAxe, Spy Sheriff, WinHound, Brave Sentry, Spy Trooper, Alfa Cleaner, or other similar bogus spyware removal tools and their problems. However, now that your computer is running better, patch the exploit before you visit another web page. Follow the instructions below to download the patch for this exploit. If for some reason you are still experiencing problems or have files that you are not sure of, you can email me a HijackThis log and I'll see if I can help.
Update Windows with the Latest Patches
Visit Windows Update and download any Critical Updates for your computer
How to Patch the WMF Exploit
Click on the following link to visit Microsoft's Security Bulletin for the WMF exploit and download the patches available.
Microsoft Security Bulletin MS06-001:
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
WMF Exploit Patch Downloads
Microsoft Windows 2000 Service Pack 4 - Download the update
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update
Microsoft Windows XP Professional x64 Edition - Download the update
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 - Download the update
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems - Download the update
Microsoft Windows Server 2003 x64 Edition - Download the update
How to Patch the VML Exploit
Click on the following link to visit Microsoft's Security Bulletin for the VML exploit and download the patches available.
Microsoft Security Bulletin MS06-055:
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
VML Exploit Patch Downloads
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1 - Download the update
Microsoft Windows XP Service Pack 2 - Download the update
Microsoft Windows XP Professional x64 Edition - Download the update
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 - Download the update
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems - Download the update
Microsoft Windows Server 2003 x64 Edition - Download the update