Anti-spyware spread by spyware




There are many, many reports of anti-spyware programs appearing on users' desktops (link to screenshot), sometimes actually hijacking the desktop and replacing the wallpaper, when the user has no idea how they got there or where they came from. Programs known for this behavior are listed on the Rogue/Suspect Anti-Spyware Products & Sites page, authored and updated by spyware expert Eric Howes. At SpywareWarrior, I've blogged about these anti-spyware apps I call Super Rogues and mentioned them in my post here about spyware tricks.

The infections have been labeled Smitfraud by antivirus and anti-spyware vendors. Another example of the Smitfraud infection can be seen here. So-called anti-spyware programs seen downloaded by spyware through security exploits and deceptive ads include Spy Sheriff, PSGuard, WorldAntiSpy, RazeSpyware and Spy Trooper. In the last week, I've seen increasingly frequent reports of a similar problem with a newer supposed anti-spyware app called SpyAxe. A user (victim) posted at computing.net's security forum:

Ok so I have spybot, ad-aware, and hijackthis installed and now this "spyware removal" program called spyaxe is on my PC, I know for a fact that spyaxe is spyware just by how it reacts to installing and uninstalling. I have googled on how to remove and can't seem to find anything, when going to support on their site it only asks you to email them. I prolly made a mistake by actually trying to remove from the add/remove program list, oops. Has anyone else had this and successfully removed without formatting???

In a follow-up post the user reports he emailed the company through their online email form and received a response that the problem was "due to affiliate's illegal advertising of their product" with instructions to download 2 files from the company's site and execute them, then uninstall the program in the Add/Remove list in the Control Panel. Ah, so that explains the problem... affiliates illegally advertising the product, the oldest excuse in the book. My question to the SpyAxe company is what are they doing about the problem? Are they tracking down the naughty affiliates and terminating them? I looked at every page on the SpyAxe website, but I saw no mention of this problem and did not find any link to download the uninstall files.

See the screenshot in this link of the fake warning appearing from what looks like a Windows update icon in the system tray. If readers find this page while searching for help with removing this infection, I'd suggest going to one of the reputable spyware help forums and posting for help. The uninstall files from the SpyAxe site may work, but personally I'm not sure I'd trust a company whose unsolicited software appeared on my desktop. SpyWareBeware, the home of ASAP, the Alliance of Security Analysis Professionals, lists member sites where users can get expert help with spyware removal from trained volunteers.

Update on December 19, 2005:  It appears this post is getting lots of page views still.  If you need help removing SpyAxe and its accompanying infections, see this post by anti-malware blogger Nick for full instructions on removing SpyAxe.  That post has over 250 comments at present from people saying the fix worked for them. 

Topic: Malware


Talkback

10 comments
  • ALWAYS use well-known, trusted programs!

    Never, EVER just click on some ad or popup that claims your system is infected and needs to be cleaned.

    ALWAYS check to ensure the anti-spyware product is from a vendor with a good reputation.

    I cannot stress this enough - right now, there's a big problem with fake anti-spyware ripping off other, well-known products and installing their own spyware!
    CobraA1
    • Yup, very true.

      It's ridiculous to see how someone with limited computer knowledge surfs the internet not being careful what they're visiting. I'd say that no matter what browser you're using, be very careful where you're heading to. Don't treat websites as having thousands of TV stations in the world.

      C'mon everyone. Use your common sense and be more educated.
      Grayson Peddie
  • Repeat after me: Don't run as admin. (NT)

    (NT)
    PB_z
  • We were all new to the net once

    We were all new to the net once -- I can see how a newbie could be fooled. But the computer is already infected when the user sees that warning on their computer. That's what makes it so maddening.

    Testing to see if all talkbacks get double-posted....
    Suzi_z
    • Double posted talkbacks..

      "Testing to see if all talkbacks get double-posted...."

      The other day, I had a bunch of things "double post." It seems to have cleared itself up.

      When I clicked the "Submit my reply" button, I first got taken to a 404 page saying the system couldn't find it. The post was not apparent when I checked a fresh copy of the original article or in the talkbacks. After hitting the Back button, I hit the Submit button again and at that point the system posted the message twice.
      Wolfie2K3
  • PS Guard

    My ex's boyfriend (who thinks he knows something about computers) installed PSGuard on my son's computer. It took me half a day to find a tool to remove it and clean up the mess. It confused me at first because the viruses it claimed to find on the machine weren't even defined on other standard vendors. Big scam - I install a bug on your machine, claim to find it for you, and if you register the product ($50) we'll remove it for you. To find a tool for that one search for SmitFraud.
    rfuller8
  • root and user levels

    I'm on a user level on my Mac and although I can get to the root level, it hasn't proven necessary. On a PC, I'd like to not be at the root level and like the Mac, I'd like to authorize software installations instead of having them take place automatically in the background without my knowing about it. How can I get the PC to be more Mac like?
    trm1945