While browsing the internet last night, all of a sudden my virus scanner went off and I noticed software beginning to install itself on my machine. Somehow this software exploited a flaw in my Internet Explorer browser and was using that flaw to wreak its havoc. I soon discovered it had installed a suite of malicious software called SpyAxe, Smitfraud-C, and Vcodec. AVG Anti-Virus got rid of some infections, Lavasoft’s Ad-Aware got rid of some more, and Spybot Search & Destroy and HijackThis got rid of even more. But I couldn’t get rid of this damn popup window that complained “Your computer is infected!” even though it was the one doing the infecting.
I downloaded a tool called smitRem which claimed to remove SpyAxe’s infection. I followed many different sets of instructions posted on web forums (thanks to all) telling me to use the tool along with a half dozen other anti-spyware tools, to no avail. No matter how many tools I used, the popup kept coming back (though by this time I believe it was the only thing left of the infection).
My eureka moment came when I found a website telling me to remove the Windows registry entries that are abused by the Trojan.Spaxe trojan horse. I found that one of the entries listed there (specifically the CLSID entries) pointed to a file called wbeconm.dll. A Google search turned up nothing on this file (though it was very similar to a file in the German version of Windows called “wbemcomn.dll”; oftentimes hijackers will use similar names to fool the unsuspecting eye).
What I noticed about this file wbeconm.dll was that it resided in my c:\windows\system32 directory, a common place for malware to insert its DLLs (essentially, ready-to-run software libraries), and that the date on the file was about 6:45pm the same day, to the minute when the infection began. That was enough for me to spring into action. I removed the registry entries pointing to this file and, using HijackThis’s tools, told it to delete “c:\windows\system32\wbeconm.dll” upon reboot (the file was in use and undeletable). Lo and behold, that did it! My popup was gone, and none of my adware-searching suite found any malicious entries.
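The two clues above (a CLSID InProcServer32 value pointing at a system32 DLL whose name is a near-miss of a real one, and a file timestamp matching the moment of infection) can be checked mechanically over every CLSID entry rather than one at a time. The script below is an added example written for this post, not a tool the author used; it works offline on a fragment exported with `reg export HKCR\CLSID clsid.reg` and on a file-listing of modification times. The .reg fragment, both CLSIDs, the file times, the infection time and the small allow-list of legitimate DLL names are all constructed for the example; only the wbeconm.dll / wbemcomn.dll pair comes from the post.

```python
"""Offline triage of CLSID InProcServer32 pointers against a file-time listing.

Added example, not code from the original post. Every input below is
constructed: the .reg fragment, the CLSIDs, the timestamps and the allow-list.
"""
import re
from datetime import datetime, timedelta

# Constructed: what `reg export HKCR\CLSID clsid.reg` produces, trimmed to two
# keys. The CLSIDs are made up; the wbeconm.dll path mirrors the post.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\system32\\wbeconm.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\WINDOWS\\system32\\wbemcomn.dll"
"ThreadingModel"="Both"
'''

# Constructed: last-modified times as a directory listing would report them.
FILE_TIMES = {
    r"c:\windows\system32\wbeconm.dll": datetime(2005, 12, 5, 18, 45),
    r"c:\windows\system32\wbemcomn.dll": datetime(2004, 8, 4, 12, 0),
}
INFECTION_TIME = datetime(2005, 12, 5, 18, 45)  # assumed: the post's "6:45pm"

# Assumption: a tiny allow-list of genuine system32 DLL names for illustration.
KNOWN_GOOD = {"wbemcomn.dll", "wbemcore.dll", "kernel32.dll", "ntdll.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_inproc_servers(reg_text):
    """Return [(clsid_key, dll_path)] for every InProcServer32 default value."""
    servers, key = [], None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            key = m.group(1)
            continue
        m = DEFAULT_RE.match(line.strip())
        if m and key and key.lower().endswith(r"\inprocserver32"):
            # .reg files double every backslash inside string values
            servers.append((key.rsplit("\\", 1)[0], m.group(1).replace("\\\\", "\\")))
    return servers


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so a scrambled name like wbeconm vs wbemcomn scores 2, not 3."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(name, known=KNOWN_GOOD, max_dist=2):
    """Return the legitimate DLL `name` imitates, or None if genuine/unrelated."""
    name = name.lower()
    if name in known:
        return None
    stem = name.rsplit(".", 1)[0]
    for good in sorted(known):
        if osa_distance(stem, good.rsplit(".", 1)[0]) <= max_dist:
            return good
    return None


def triage(reg_text, file_times, infection_time, window_min=5):
    """Flag InProcServer32 DLLs that mimic a system DLL or appeared at infection time."""
    findings = []
    for clsid_key, path in parse_inproc_servers(reg_text):
        path_l = path.lower()
        name = path_l.rsplit("\\", 1)[-1]
        reasons = []
        twin = lookalike(name)
        if twin:
            reasons.append(f"name mimics {twin}")
        mtime = file_times.get(path_l)
        if mtime and abs(mtime - infection_time) <= timedelta(minutes=window_min):
            reasons.append(f"modified {mtime:%H:%M}, within {window_min} min of infection")
        if reasons:
            findings.append({"clsid_key": clsid_key, "path": path, "reasons": reasons})
    return findings


def removal_plan(findings):
    """reg.exe commands that cut the CLSID pointers. The DLL itself is loaded
    and cannot be deleted live; schedule it for reboot (as the post did with
    HijackThis) after the pointers are gone."""
    return [f'reg delete "{f["clsid_key"]}" /f' for f in findings]


if __name__ == "__main__":
    hits = triage(REG_EXPORT, FILE_TIMES, INFECTION_TIME)
    for f in hits:
        print(f["path"], "->", "; ".join(f["reasons"]))
    print("\n".join(removal_plan(hits)))
```

Run against a real export, the only thing to change is `FILE_TIMES`, which you would fill from a directory listing of system32, and `INFECTION_TIME` from the scanner's alert. Removing the CLSID key stops the browser from loading the DLL at the next start, which is why the file can then be deleted at reboot without it being re-created.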
So off to Windows Update I go to see if they have a patch for this exploit. What do you know? Nothing. So that meant I could be hit again at any time. I didn’t like that, so I browsed over to Mozilla’s Firefox and downloaded it. And while it had a little trouble importing my bookmarks for some reason, it seems to be working very well. I even have the spellchecker working and it hasn’t even been twenty-four hours. I like its customizability and its speed. So, long story short, I’m posting this here in the hopes that it might help someone, and also to let you know why I’ve abandoned IE in favor of the popular alternative.