I have had spy axe for three days. I figured out how to get it off. It does something I haven't seen before. It follows you into safe mode. I knew the file names so I went into dos and deleted them. The files are: (svchosts.dll) and (nvctrl.exe) and (mssearchnet.exe). They are also part of SpyTrooper.
These are the people at the bottom of this problem.

SpyTrooper Development Team
Tooley 73a City: London Zip: EC1Y 1BL Country: United Kingdom

Dear Fred 99,

I also got infected with SPYAXE.

By doing the following, I have eliminated most of the problems like popups and the flashing icon on the toolbar:

I ran Spybot
I ran Spyware Doctor
I cleaned up my Temp Files (where there was a Spyaxe Installer).
I downloaded the smitRem.exe from Noahdfear and ran this in Safe mode.

I HAVE NOT downloaded and run Ewido because this software scares me as I know so little about what to delete and what not to delete.

Scans of Spyware Doctor now come back 100% clean and so does Spybot with one exception on the Smithfraud-C.

Spybot still says I have the Smithfraud-c and can not remove since its in memory (even though I ran the smitRem.exe):

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-3834227258-2264835413-2960356022-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net\*!=W=4

Any suggestions on how to remove the Smithfraud-C and any other remnants of Spyaxe (that may not be showing up in Spybot or Spyware Doctor)?

Thanks,
Stevie2

Hi there.
We encourage people who have malware infections to do the following and be assisted by volunteers trained in its removal.

Follow these instructions.
Before you post a log (http://forums.spybot.info/showthread.php?t=288[/url)

Start a topic here:
Malware Forum (http://forums.spybot.info/forumdisplay.php?f=22[/url)

stevie2
I moved your log to the Malware forum as linked in my post above. :)

Here is how I eliminated both smithfraud.c and Spyaxe.

I ran Spybot.
I installed and ran Spydoctor.
I cleaned up my Temp files (where there was a Spyaxe Installer)
I downloaded the smitRem.exe from Noahdfear and ran this in Safe mode.

For 24 hours after doing the above, smithfraud.c continued to show up when I ran Spybot. Also during this time, Mcafee Virus software told me that I had two potenially unwanted programs on my PC (smitRem.exe, and smitRem/Process.exe). I assumed these PUP Name:PrcViewer were ok and did not delete under Mcafee.

In the approx. 24th hour, Mcafee Antivirus showed a third PUP on my PC:
C:/System Volume Information/_restore{B37680B2-4E5D-BF30-83E44C588624}/RP2/A0000403.exe

After this 3rd PUP appeared, I ran Spybot and the Smithfraud.c trojan HAD BEEN DELETED!

I have no idea what this third PUP restore is or came from, but Spybot says my PC is NOW CLEAN!!!

I have Mcaffee Anti Virus software.

Mcaffee auto deleted the 3rd PUP referenced in my prior posting:

C:/System Volume Information/_restore{B37680B2-4E5D-BF30-83E44C588624}/RP2/A0000403.exe

When Mcaffee cleans the above PUP off my PC, when I run Spybot, the smithfraud.c trojan reappears. With Spybot reporting that it can not delete smithfraud.c

stevie2

A malware removal specialist will take a look at your log asap. :)

http://forums.spybot.info/showthread.php?p=3541#post3541

Please make sure you note there any new moves you have taken since the log was posted please.

Manual malware removal is often sequence specific.