About a week ago, I received a customer support
ticket about an unwanted program that kept returning after deletion
and a browser that was hijacked. This unwanted program was called
SpyAxe which is supposedly an anti-spyware application.
I reviewed the customer’s diagnostic log files and I quickly
located three possible malicious files on the customer’s system.
These files were uploaded to us by the customer, so that we could
take a closer look at them. The files were then transferred to my
test machine. I then placed one of the files, nvctrl.exe, into the
‘System32’ folder—the same folder it resided in
on the customer’s computer. I executed this file and immediately,
four other files were dropped into this folder:
Directory of C:\WINDOWS\system32
I proceeded to open Internet Explorer to check for a hijacked homepage,
and sure enough, the homepage was taken over with the following
The new homepage displays a warning message that says the user’s
“private info is collected by W32.Sinnaka.A@mm” and
entices the user to “…download official anti-spyware
software.” The “official” anti-spyware software
is actually Spy Axe. It’s ironic how a spyware infection shows
up and then alongside it, a “simple” solution is revealed.
How could SpyAxe or the creator of the homepage hijack have possibly
known that a user’s computer was infected? Did they infect
the computer to lure unsuspecting users to purchase their product?
Why would a solution to spyware hijack a user’s homepage?
I see so much irony in this type of infection.
After opening Internet Explorer and seeing the hijacked homepage,
a pop-up window immediately showed up:
Not only does the homepage get hijacked with a warning message,
but a pop-up showing a new and completely different warning message
is also displayed. Now I’m infected with “stealthSWs114.h!dll”
and “my private data and information is in danger”.
Could this be more scare tactics to get me to “Click the ‘OK’
button to visit the official Anti-Spyware website?” I clicked
the ‘OK’ button and a new window was opened showing
the www.spyaxe.com website. It’s obvious that this infection
is promoting specific software and in my opinion, is a very immoral
Upon further investigation of the infection, I discovered several
registry keys and browser helper objects created.
The hp14FB.tmp file that is dropped by nvctrl.exe, creates the
homepage hijack by using a ‘Browser Helper Object’.
The hp14FB.tmp file is randomly named when it is dropped and it
usually takes the form of hpXXXX.tmp, where ‘XXXX’ is
usually numbers and/or letters. The hijack can be temporarily removed
if this ‘hpXXXX.tmp file is deleted. However, when the computer
is restarted, the ‘explorer\run’ registry key above
will call and execute nvctrl.exe to restore the infection completely.
To solve this problem, a solution was integrated into Spyware Nuker
where it removes the above files and registry keys to prevent any
possibility of the infection restoring itself.
The customer said SpyAxe was continually being restored after removal
from the computer. When I researched the customer’s files,
I found that SpyAxe did not get installed at all. I referred back
to the diagnostic log files and found an unknown .dll file, ioctrl.dll,
which hooked into explorer.exe. Explorer.exe is a process that is
run everytime Windows starts because it is the graphical shell of
the Windows operating system. When explorer.exe is run, ioctrl.dll
will be executed also:
WINDOWS EXPLORER  - C:\WINDOWS\Explorer.EXE
I received the ioctrl.dll file from the customer and proceeded
with the investigation. I found that the ioctrl.dll file causes
a system tray icon to appear that displays a tray tip message:
"Danger malware infection was detected on your PC. The system
will now download and install most efficient antimalware program
to prevent data loss and your private information theft..Click here
to protect your computer from the biggest malware threats. Your
computer is infected!"
Again, we see more scare tactics and I’m not surprised when
I found out that this tray icon lead to www.spyaxe.net. The file
also makes a silent connection to http://www.spyaxe.net/download2.php?track_id=10006
where it automatically downloads and installs SpyAxe. Since it’s
tied in with explorer.exe, the ioctrl.dll file will perform this
operation every time Windows starts up. It was silently restoring
SpyAxe on the customer’s system whenever their computer was
We have gotten to the bottom of this infection and integrated a
complete solution into Spyware Nuker. Once again, Spyware Nuker
has triumphed over wicked Spyware that plagues the internet.