Attempted SpyAxe Installation

Malwarebytes Anti-Malware
I backed up a system I was fairly certain was badly infected with malware (the user reported pornographic popups were appearing on the system) and then booted it into Windows XP Professional on January 6, 2006. Almost immediately after booting I saw a message appear in the lower right-hand corner of the screen warning me that malware was detected on the system.
Your computer is infected!

Dangerous malware infection was detected on your PC
The system will now download and install most efficient
antimalware program to prevent data loss and your private
information theft.
Click here to protect your computer from the biggest malware 

When updates are available from Microsoft for the operating system, you will see a message associated with an icon in the system tray that looks like a globe with the Microsoft flag logo in its upper left-hand corner. This malware warning was associated with an icon that looked like the Microsoft updates icon. The logo flashed between that icon and a red circle with a white "X" in it. But the message certainly didn't look like it was from Microsoft.

Malware warning

Someone else reporting this same message on a forum at Malware/porn popups/Spyaxe links stated that clicking on the message took him to The "track_id" at the end is likely an identifying number so that the SpyAxe distributor can pay an "affiliate" with that ID for directing a potential buyer to their website. Some software providers rely on disreputable affiliates to drive traffic to their website via spam or adware installations that popup windows directing a user of an infected system to the website of the software provider.

When I clicked on the message, a warning appeared from Microsoft AntiSpyware, which was running on the system.

WARNING! Microsoft AntiSpyware Alert!
Warning, SpyAxe Potentially Unwanted Software is trying to install!
Microsoft AntiSpyware has detected the threat SpyAxe trying to install itself on your computer. If you would like to allow SpyAxe to run click the 'Allow' button below.

SpyAxe had previously been removed by Microsoft AntiSpyware from this system on January 4, 2006 when Microsoft Antispyware ran automatically at 2:00:13 AM (see report). The spyware definitions were dated December 30, 2005 at 9:09:22 AM. SpyAxe was the only malware detected by Microsoft AntiSpyware at that time.

SpyAxe is listed at Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites as "rogue" antispyware meaning that the product is of unknown, questionable, or dubious value as anti-spyware protection. The information provided by the Spyware Warrior site for SpyAxe, which is identified as being the same application as AdwareDelete, AntiVirus Gold, and SpywareStrike, is shown below.

Product Domains Comments
deceptive advertising (1); false positives work as goad to purchase; uses inadequate scan/detection scheme; dubious corp. associations (1); same app as AntiVirus Gold, SpyAxe, & SpywareStrike [A: 6-14-05 / U: 1-4-06]

A Dave's World noahdfear's page links the Trojan-Spy.HTML.Smitfraud.c malware infection to AntivirusGold, PSGuard Spyware Remover, SpySheriff, Spy Trooper, SpyAxe, Security Toolbar, WinHound and SpywareStrike. The page states that some of those may modify the Dynamic Link Library (DLL) wininet.dll, which is located in a Windows system directory. The webpage offers a SmitRem tool to remove Trojan-Spy.HTML.Smitfraud.c.

Removal instructions for SpyAxe are posted at How To Remove Spyaxe And Svchosts.dll/wbeconm.dll. Those instructions detail how you can use the smitRem tool to remove SpyAxe.

I uploaded the c:\windows\system32\wininet.dll file to Jotti's Online Malware Scan, but none of the 14 antivirus programs it uses detected any problem with the file. [ Scan Results ]. I also scanned the file with Symantec AntiVirus Corporate Edition 8.0 on another system, but it did not report it as infected either.

Either something remained of SpyAxe after Microsoft AntiSpyware removed it previously, which managed to resusitate the software or some other trojan, virus, etc. still on the system was attempting to reinstall SpyAxe.

I rebooted the system in Safe Mode and ran a quick scan with Microsoft AntiSpyware. The only malware detected was SpyAxe. No files were listed, but many registry entries related to SpyAxe were found (see AntiSpyware Found SpyAxe, which shows all of the registry entries found). One of the registry entries reported was "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SpyAxe"

I ran regedit and checked the keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I saw the following key.

SpyAxeREG_SZC:\Program Files\SpyAxe\spyaxe.exe /h

I checked the virus definitions date for Symantec AntiVirus Corporate Edition 8.0, which is the antivirus software on the system. The definitions were 12/30/2005 rev. 4.

I don't see a SpyAxe folder beneath "C:\Program Files", however, even checking for hidden and system files. I've seen malware often hide itself so that files and directories aren't visible through the Windows Explorer and when using the dir command at a command prompt, even when Windows Explorer is set to display hidden and system files and folders and when the dir /ah and dir /as are used at a command prompt to show hidden and system files, but booting into safe mode usually reveals those invisible files and folders. However, just to make sure a SpyAxe directory under C:\Program Files didn't exist, I booted with a PLoP Linux boot CD and looked for such a directory. None existed.

I rebooted into safe mode again, but this time selected "Safe Mode with Networking". Unlike when I selected "Safe Mode" the previous time, this time I got the "Your computer is infected! Dangerous malware infection was detected on your PC" message again. I brought up Microsoft AntiSpyware again and had it remove SpyAxe. I then rebooted into "Safe Mode with Networking" again. Almost immediately after rebooting I saw the same "Your computer is infected" message again. Though I rebooted into "Safe Mode with Networking" mode, I had not connected the system to the network at any time since I received it from the user on January 5. So obviously something was escaping Microsoft AntiSpyware's notice.

I ran another quick scan with Microsoft AntiSpyware. This time Microsoft AntiSpyware did not detect anything.

A How to Remove Spyaxe and Svchohsts.dll/wbeconm.dll webpage updated on December 28, 2005 mentions the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Program Files\SpyAxe\spyaxe.exe /h registry key and states the SmitRem tool has been updated to include the removal of c:\windows\system32\wbeconm.dll. I looked in the c:\windows\system32 directory and found wbeconm.dll. Symantec AntiVirus Corporate Edition 8.0 on the system did not report it as malware when I scanned it nor did the same version of Symantec AntiVirus on another system with 1/4/2006 rev. 6 virus definitions report it as malware. However, when I uploaded it to Jotti's Online Malware Scan for scanning by 14 different antivirus programs, five of the fourteen reported it as malware [ Scan Results ].

AntiVirus ProgramVirus Reported
AntiVirAdware-Spyware/NXegt.DLL adware
F-Prot AntivirusW32/Adclicker.OZ
Kaspersky Anti-Virus not-virus:Hoax.Win32.Renos.ak
Norman Virus ControlW32/Spywad.AG

The Kapersky site indicates the malware was detected on December 29, 2005 by Kapersky Lab and states "Currently there is no description available for this program."

I checked to see what process had the wbeconm.dll module loaded with tasklist /m wbeconm.dll. The process listed was explorer.exe.

Image Name                   PID Modules                                      
========================= ====== =============================================
explorer.exe                1440 wbeconm.dll

An analysis of the file with FileAlyzer, a tool provided by the developer of Spybot Search & Destroy, showed the malware warning message inside the file when I used FileAlyzer's hex dump facility to search for strings inside the file (see FileAlyzer screen capture).

I downloaded the smitRem.exe tool using another system and then transferred it by floppy disk to the infected system, which was booted in "Safe Mode with Networking" mode, but unconnected from any network. I put the file on the desktop and then double-clicked on it. SmitRem.exe is a self-extracting file which created a smitRem folder on the desktop containing the following files.


I then double-clicked on RunThis.bat in that folder to remove the malware. During the removal process a message appeared from the removal procedure that "Disk cleanup has been known to take up to 3 hours to complete. Please be patient and allow ample time for it do so so." The process then ran Windows Disk Cleanup procedure, which fortunately took only a few minutes on this system. After the process completed, I rebooted Windows XP normally. The user's background was changed to a plain blue background. The malware warning message no longer appeared.

I then updated Spybot Search & Destroy's spyware definitions to the latest ones available and checked the system with that antispyware program. It reported entries for both PSGuard and SpyAxe, as well as some other malware. But for PSGuard and SpyAxe, there were no files listed, just registry entries. SmitRem didn't remove registry entries used by PSGuard and SpyAxe, but, since it removed the files and folders associated with these suspect antispyware programs, they should no longer be a threat to the system. For a list of files and folders that smitRem checks, see List of Files and Folders Targeted by the smitRem Tool. I had Spybot remove everything it found (see Spybot Results).

SmitRem malware removal tool
wbeconm.dll malware DLL available for analysis (userid: zoo, password: malware


  1. Microsoft AntiSpyware
  2. SpyAxe
    Microsoft Corporation
  3. Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites
  4. Dave's World
  5. How to Remove Spyaxe and Svchohsts.dll/wbeconm.dll
    December 6, 2005
  6. Malware/porn popups/Spyaxe links
    Last updated: December 28, 2005
  7. List of Files and Folders Targeted by the smitRem Tool


TechRabbit ad 300x250

Justdeals Daily Electronics Deals1x1 px

Valid HTML 4.01 Transitional

Created: Monday January 9, 2006 9:22 PM