
Anti-spyware spread by spyware

Written by Suzi Turner, Contributor

There are many, many reports of anti-spyware programs appearing on users' desktops (link to screenshot), sometimes actually hijacking the desktop and replacing the wallpaper, while the user has no idea how they got there or where they came from. Programs known for this behavior are listed on the Rogue/Suspect Anti-Spyware Products & Sites page, authored and updated by spyware expert Eric Howes. At SpywareWarrior, I've blogged about these anti-spyware apps, which I call Super Rogues, and mentioned them in my post here about spyware tricks.

The infections have been labeled Smitfraud by antivirus and anti-spyware vendors. Another example of the Smitfraud infection can be seen here. So-called anti-spyware programs that have been seen downloaded by spyware through security exploits and deceptive ads include Spy Sheriff, PSGuard, WorldAntiSpy, RazeSpyware and Spy Trooper. In the last week, I've seen increasingly frequent reports of a similar problem with a newer supposed anti-spyware app called SpyAxe. A user (victim) posted at computing.net's security forum:

Ok so I have spybot, ad-aware, and hijackthis installed and now this "spyware removal" program called spyaxe is on my PC, I know for a fact that spyaxe is spyware just by how it reacts to installing and uninstalling. I have googled on how to remove and can't seem to find anything, when going to support on their site it only asks you to email them. I prolly made a mistake by actually trying to remove from the add/remove program list, oops. Has anyone else had this and successfully removed without formatting???

In a follow-up post, the user reports that he emailed the company through their online email form and received a response that the problem was "due to affiliate's illegal advertising of their product" with instructions to download 2 files from the company's site and execute them, then uninstall the program in the Add/Remove list in the Control Panel. Ah, so that explains the problem... affiliates illegally advertising the product, the oldest excuse in the book. My question to the SpyAxe company is: what are they doing about the problem? Are they tracking down the naughty affiliates and terminating them? I looked at every page on the SpyAxe website, but I saw no mention of this problem and did not find any link to download the uninstall files.

See the screenshot in this link of the fake warning appearing from what looks like a Windows update icon in the system tray. If readers find this page while searching for help with removing this infection, I'd suggest going to one of the reputable spyware help forums and posting for help. The uninstall files from the SpyAxe site may work, but personally I'm not sure I'd trust a company whose unsolicited software appeared on my desktop. SpyWareBeware, the home of ASAP, the Alliance of Security Analysis Professionals, lists member sites where users can get expert help with spyware removal from trained volunteers.

Update on December 19, 2005:  It appears this post is getting lots of page views still.  If you need help removing SpyAxe and its accompanying infections, see this post by anti-malware blogger Nick for full instructions on removing SpyAxe.  That post has over 250 comments at present from people saying the fix worked for them. 
