I am having trouble with my office computer (HP with Windows XP).
Every five or six seconds an alert pops up on my screen. The pop up
comes up as soon as I start my computer, even when I am not on-line.
The alert states : Your computer is infected. Dangerous malware
infection on your PC. Click here for help...  When I click on the
alert, my computer will try to connect to the internet and when it
does, the site for "SkyAxe 3.0" comes up telling me that I need to
purchase their software for (49.95$ - written this way.  I haven't
purchase their software because I already have Malware protection and
spy alert alread installed on my computer. After I update with Windows
and ran the check hard drive. I removed all viruses and spyware that
came up. I did find a folder for SkyAxe and deleted the file....but
the problem is still there. The pop up is still there...coming up
every five or six seconds.... For some reason my restore was turned
off so I can't restore to a time before this problem.

---

Request for Question Clarification by sublime1-ga on 04 Jan 2006 20:43 PST

jimwb1951...

You shouldn't click on the popup, much less buy their
software, because they are the scumbags that infected
your computer with this adware in the first place.

The only thing your PC is likely infected with is their
adware. This is a very common ploy by those selling
cheap and relatively useless protection software.

Unfortunately, they seem to be one of the newer scumbags
in town, as a search for SkyAxe doesn't even turn up 
their website, or any spam alerts from people who've
been similarly hijacked.

Deleting the program files is a good start, but most
of these adware programs also install a file somewhere
else and set it to run when Windows starts. If you 
know how to use msconfig, you could locate it with 
that tool, but a more comprehensive tool for finding
out what's going on with your system would be the
HijackThis program:
http://www.spywareinfo.com/~merijn/

If you download, install, and run this, it will 
create a logfile of everything running on your
computer, and allow for discovering what entries
in Windows startup or your registry need to be
deleted, along with the associated files.

If you shut down all unnecessary programs that
are running in your system tray before creating
the log, it will make it smaller, and easier to
decipher.

sublime1-ga

---

Request for Question Clarification by sublime1-ga on 05 Jan 2006 01:38 PST

Ah! If the program goes by the name of SpyAxe, as noted
by grthumongous-ga (Thanks!), then it does have a web
presence under that name - a homepage as well as the
removal instructions, on this page from BleepingComputer:
http://www.bleepingcomputer.com/forums/topic36868.html

Let me know where this takes you...

sublime1-ga

---

Request for Question Clarification by sublime1-ga on 10 Jan 2006 14:11 PST

I thought I'd check in and ask you how you were doing with
this problem. I'll be glad to assist you further until your
situation is resolved, but it would help if you post a 
Clarification to detail your progress or additional questions.

A user's guide on this topic is on skermit-ga's site, here: 
http://www.christopherwu.net/google_answers/answer_guide.html#how_clarify 
 
sublime1-ga

---

Clarification of Question by jimwb1951-ga on 10 Jan 2006 18:56 PST

Thanks for all of the help. I have temporary removed it or put a lid
on it for awhile. The only problem is that as soon as I go on the
internet..it (adware/malware) comes right back with the warning
concerning my computer being infested and to go to SkyAxe to remove
and correct this problem. So far I have not been back on the internet
with that computer, but I need to soon. As soon as I go on line the
warning pops up and then I get other popups. Then As soon as I get off
(the internet) I restore my computer to before going on the internet. 
I will try going to Microsoft tomorrow (but with dial up at work) this
takes up a lot of time downloading and everything that goes with it.
I know I have to do this because I don't like work around this worm.  
    Thanks for all of the help and I will let everyone know if the
problem is fixed.    Jimwb1951

I had a similar problem. The malware I got put a little yellow
triangle icon with an exclamation mark in it on the taskbar (tray?)
and generated the same popup every few seconds. The short-term
solution to turn off the popups while I fixed the problem was as
follows (in XP):

Start--> Control Panel---> Taskbar and Start Menu--> Click on
"Taskbar" tab--> Click on "Customize"--> find the offending icon-->
click on "Hide when Inactive" next to it (or "Always Show," if that's
what it says) and change to "Always Hide."

This is akin to turning up the radio to drown out a dying bearing in
your car, but it gives you a break from the popup.

It may also go by the aliases Spyaxe and/or Spy Trooper and don't
reward the computer "kidnappers" by paying "49.95$".

It seems to me you may have a version of this ? It is a New
virus/exploit found in Windows XP and Windows 2003.  Microsoft are not
putting out a patch til next week.  It sounds like u have what I had
and I spent 2 days getting rid of the bugger. This virus is very very
nasty and you WILL be infected simply by visiting a webpage with a
malicious image file on it.  That's right an IMAGE file.

This program here is a temporary patch that fixes Windows.  Install it
and when the proper patch comes out next week uninstall it from
Add/Remove programs in Control Panel.

http://handlers.sans.org/tliston/wmffix_hexblog14.exe

I would recommend you install the patch on all XP/2003 computers.  If
you get hit with this exploit you WILL be formatting and reinstalling
everything from scratch.

Remember that normally you get viruses by clicking on executable files
such as exe, com, vbs blah blah blah ..... This bugger is an image and
Internet Explorer will happily open it and infect your computer. 
Firefox and others are also vulnerable as the exploit is in XP but
they are less likely to allow the infection.

Google "WMF exploit" for more info and also make sure you are running
this patch, antivirus and anti-spyware like MS Antispyware.

UPDATE UPDATE UPDATE:::::

Ok Microsoft have released their patch 6 days early.

So we need to remove the old patch I just posted, reboot then visit
Windows Update to install the MS patch.

Open Control Panel  and the Open Add/Remove Programs.

Find the program entry called "WMFHotFix something something something".
Click remove. 

Reboot then visit. http://update.microsoft.com or click the Tools menu
and Windows Update when in Internet Explorer.

The Microsoft patch merely protects the computer against the malware
that gets in just by viewing a JPEG file; it doesn't remove the bug.