About a week ago, I received a customer support ticket about an unwanted
program that kept returning after deletion and a browser that had been
hijacked. The unwanted program was called SpyAxe, which is supposedly
an anti-spyware application.
I reviewed the customer’s diagnostic log files and quickly located
three possibly malicious files on the customer’s system. The customer
uploaded these files to us so that we could take a closer look at them,
and I transferred them to my test machine. I then placed one of the files,
nvctrl.exe, into the ‘System32’ folder, the same folder it resided in
on the customer’s computer. When I executed this file, four other files
were immediately dropped into that folder:
Directory of C:\WINDOWS\system32
hp14FB.tmp
mssearchnet.exe
msvol.tlb
ncompat.tlb
nvctrl.exe
I proceeded to open Internet Explorer to check for a hijacked homepage,
and sure enough, the homepage was taken over with the following
warning message:
The new homepage displays a warning message saying that the user’s
“private info is collected by W32.Sinnaka.A@mm” and
entices the user to “…download official anti-spyware
software.” The “official” anti-spyware software
is actually SpyAxe. It is ironic that a spyware infection shows
up and, right alongside it, a “simple” solution is offered.
How could SpyAxe or the creator of the homepage hijack have possibly
known that a user’s computer was infected? Did they infect
the computer to lure unsuspecting users to purchase their product?
Why would a solution to spyware hijack a user’s homepage?
I see so much irony in this type of infection.
After opening Internet Explorer and seeing the hijacked homepage,
a pop-up window immediately appeared:
Not only is the homepage hijacked with a warning message,
but a pop-up with a new and completely different warning message
is also displayed. Now I’m infected with “stealthSWs114.h!dll”
and “my private data and information is in danger”.
Could this be more scare tactics to get me to “Click the ‘OK’
button to visit the official Anti-Spyware website?” I clicked
the ‘OK’ button and a new window opened showing
the www.spyaxe.com website. It is obvious that this infection
is promoting specific software, which in my opinion is a very immoral
practice.
On further investigation of the infection, I discovered that several
registry keys and a Browser Helper Object had been created:
[HKLM\SOFTWARE\Classes\CLSID\{724510C3-F3C8-4FB7-879A-D99F29008A2F}]
@="HomepageBHO"
[HKLM\SOFTWARE\Classes\CLSID\{724510C3-F3C8-4FB7-879A-D99F29008A2F}\InprocServer32]
@="C:\\WINDOWS\\System32\\hp14FB.tmp"
"ThreadingModel"="Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{724510c3-f3c8-4fb7-879a-d99f29008a2f}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724510c3-f3c8-4fb7-879a-d99f29008a2f}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"nvctrl.exe"="nvctrl.exe"
"kernel32.dll"="C:\\WINDOWS\\system32\\mssearchnet.exe"
The hp14FB.tmp file dropped by nvctrl.exe implements the homepage
hijack as a ‘Browser Helper Object’ (BHO): the CLSID key above registers
it as a COM server, and the entry under ‘Browser Helper Objects’ makes
Internet Explorer load it every time the browser starts. The file is
randomly named when it is dropped and usually takes the form hpXXXX.tmp,
where ‘XXXX’ is a run of numbers and/or letters. The hijack can be
removed temporarily by deleting this hpXXXX.tmp file. However, when the
computer is restarted, the ‘policies\explorer\run’ registry key above
executes nvctrl.exe again, which drops the files and restores the
infection completely. Note that the second value under that run key
hides mssearchnet.exe behind the value name ‘kernel32.dll’.
To solve this problem, a removal routine was integrated into Spyware Nuker
that deletes the files above and the registry keys together, so that the
infection cannot restore itself.
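As an added example (not part of the original write-up and not Spyware Nuker’s own code), the following Python script shows how the two persistence points above can be checked offline against a registry export: it parses a .reg-style dump, resolves each Browser Helper Object CLSID to the DLL named in its InprocServer32 key, flags any BHO served from a .tmp file or with no server at all, and lists every value under policies\explorer\run with the red flags a reviewer would want (a bare file name resolved from the search path at logon, a value name that does not match the executable, a system-DLL name fronting an EXE). The sample export embedded in the script is constructed from the keys listed above plus one made-up benign BHO; the path C:\Program Files\Vendor\bho.dll and its all-zero CLSID are placeholders.

```python
import re

# Constructed sample input (not from the customer's machine): a .reg-style export of
# the keys listed in the write-up plus one made-up benign BHO so the checks can pass.
SAMPLE_REG = r"""
[HKLM\SOFTWARE\Classes\CLSID\{724510C3-F3C8-4FB7-879A-D99F29008A2F}]
@="HomepageBHO"
[HKLM\SOFTWARE\Classes\CLSID\{724510C3-F3C8-4FB7-879A-D99F29008A2F}\InprocServer32]
@="C:\\WINDOWS\\System32\\hp14FB.tmp"
"ThreadingModel"="Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724510c3-f3c8-4fb7-879a-d99f29008a2f}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"nvctrl.exe"="nvctrl.exe"
"kernel32.dll"="C:\\WINDOWS\\system32\\mssearchnet.exe"
[HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Example benign BHO (constructed placeholder)"
[HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Vendor\\bho.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
"""

BHO_LIST_KEY = r"hklm\software\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_ROOT = r"hklm\software\classes\clsid"
POLICY_RUN_KEY = r"hklm\software\microsoft\windows\currentversion\policies\explorer\run"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
_GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$")


def _unescape(data):
    """Strip the quotes from a REG_SZ literal and undo .reg backslash escaping."""
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}} with keys and value names lower-cased.

    Accepts the HKLM abbreviation used in the write-up as well as the long
    HKEY_LOCAL_MACHINE form that regedit / reg export writes.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower().replace("hkey_local_machine\\", "hklm\\")
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1).lower()
            keys[current][name] = _unescape(m.group(3))
    return keys


def registered_bhos(reg):
    """Map each CLSID listed under Browser Helper Objects to its InprocServer32 DLL (None if unset)."""
    bhos = {}
    for key in reg:
        head, _, guid = key.rpartition("\\")
        if head == BHO_LIST_KEY and _GUID_RE.match(guid):
            bhos[guid] = reg.get(CLSID_ROOT + "\\" + guid + "\\inprocserver32", {}).get("@")
    return bhos


def suspicious_bhos(reg):
    """Flag BHOs with no COM server, or one served from a .tmp file (the hpXXXX.tmp pattern)."""
    findings = []
    for guid, server in registered_bhos(reg).items():
        if server is None:
            findings.append((guid, server, "BHO listed but its CLSID has no InprocServer32"))
        elif server.lower().endswith(".tmp"):
            findings.append((guid, server, "BHO served from a .tmp file"))
    return findings


def suspicious_policy_run(reg):
    """Every value under policies\\explorer\\run is started at logon; report each with its red flags."""
    findings = []
    for name, cmd in reg.get(POLICY_RUN_KEY, {}).items():
        exe = cmd.rpartition("\\")[2].lower()
        reasons = []
        if "\\" not in cmd:
            reasons.append("bare filename, resolved from the search path at logon")
        if name != exe:
            reasons.append("value name %r does not match executable %r" % (name, exe))
        if name.endswith(".dll") and exe.endswith(".exe"):
            reasons.append("system-DLL name used to disguise an EXE")
        findings.append((name, cmd, reasons))
    return findings


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for guid, server, why in suspicious_bhos(reg):
        print("BHO", guid, server, "->", why)
    for name, cmd, reasons in suspicious_policy_run(reg):
        print("RUN", name, "=", cmd, "->", "; ".join(reasons) or "no red flags")
```

On a live machine, dump the three keys with `reg export` and feed the resulting file to parse_reg. The point the output makes is the one the write-up makes: deleting hpXXXX.tmp alone leaves a dangling CLSID and BHO registration, and leaving the run key in place lets nvctrl.exe restore everything at the next logon, so the files and all three registrations have to go together.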
The customer said SpyAxe kept being restored after removal
from the computer. When I researched the customer’s files,
I found that SpyAxe itself did not get installed at all. I referred back
to the diagnostic log files and found an unknown .dll file, ioctrl.dll,
which is loaded into explorer.exe. Explorer.exe runs every time Windows
starts because it is the graphical shell of the Windows operating system,
so ioctrl.dll is executed whenever explorer.exe runs:
WINDOWS EXPLORER [1696] - C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ioctrl.dll
I received the ioctrl.dll file from the customer and continued
the investigation. I found that ioctrl.dll causes
a system tray icon to appear that displays the following tray tip message:
"Danger malware infection was detected on your PC. The system
will now download and install most efficient antimalware program
to prevent data loss and your private information theft. Click here
to protect your computer from the biggest malware threats. Your
computer is infected!"
Again we see more scare tactics, and I was not surprised to find
that this tray icon led to www.spyaxe.net. The file
also makes a silent connection to http://www.spyaxe.net/download2.php?track_id=10006,
from which it automatically downloads and installs SpyAxe. Since it is
loaded by explorer.exe, ioctrl.dll performs this
operation every time Windows starts. It was silently restoring
SpyAxe on the customer’s system whenever the computer was
restarted.
We have gotten to the bottom of this infection and integrated a
complete solution into Spyware Nuker. Once again, Spyware Nuker
has triumphed over the wicked spyware that plagues the internet.