Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

AXEL.DAV

27 views
Skip to first unread message

Teeekay

unread,
Nov 10, 2004, 9:29:22 AM11/10/04
to
On 11-2-04 in the morning, some malicious code was run on an XP Home machine.
Which I am responsible for. The result was that the registry was overwritten,
and the documents and settings folder was replaced. Trying to access the
documents and settings folder with explorer or power desk yielded an access
denied message. I used a file recovery utility (Active Undelete 5.0) to
recover the documents that were lost including outlook express .wab and .dbx
files and word and excel files.
While examining hundreds of lost and deleted folders on the hard drive,
I found that most of them contained a small file named AXEL.DAV. In this file
was the name Axel Davis. I also fouund remnants of some executables which
were probably malicious code that ran and later deleted themselves. A few had
names begining with 33WW and one was named run and hide. . I did a google
search on AXEL.DAV, and came up with a web page, axeldavis.com where the
writers claim to know what an AXEL.DAV file is but they won't say. They also
provide a copy of a google search page with links to a microsoft forum dated
in 2002 where a couple of people posted messages about their system being hit
by a virus which left hundreds of AXEL.DAV files on their machine.
Can anyone tell me if this was a virus or trojan, or if a hacker somehow
got through and took over the computer.

David H. Lipman

unread,
Nov 10, 2004, 6:21:58 PM11/10/04
to
1) Download the following four items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Dowload the Trend Pattern File by obtaining the ZIP file.
For example; lpt244.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities; Trend Sysclean, Stinger and Adaware
7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

You can also try some of the below online scanners.

BitDefender:
http://www.bitdefender.com/scan/license.php

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

DialogueScience:
http://www.antivir.ru/english/www_av/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

Freedom Online scanner:
http://www.freedom.net/viruscenter/index.html

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

RAV
http://www.ravantivirus.com/scan/

Symantec:
http://security.symantec.com/

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com


* * * Please report your results ! * * *

Dave


"Teeekay" <Tee...@discussions.microsoft.com> wrote in message
news:25CDCBB2-E312-4AD9...@microsoft.com...

lady_Ice

unread,
Nov 27, 2004, 8:46:00 PM11/27/04
to
Hi Folks

Many thanks Dave for your info re axel dav.

axel dav- is the virus known as vbs_redlof.A

It nearly destroyed my pc... until I chanced upon this forum.. took Dave's
advise -- albeit I had to format the lot..and had to low level format--
then reformatted in fat 32-- then again in nfts-- then again a low level
format-

1776 html files infected..

other files as well-- -- now I don't know what to do re- the files up on
servers and whether they are infected..

If any of you are using hp -- my pc is 4 months old

Clean the Restore disks.

axel.dav.is in the restore disks.
hp-bin
hp-1386 --drivers

Much to my disgust sysclean.com found those when I re-installed windows.

Once again many thanks Dave

Lady_ice

fritsn

unread,
Dec 30, 2004, 5:44:55 AM12/30/04
to

Hello,

I had the same AXEL.DAV virus. I first tried to re-install windows
using the hp recovery partition, while keeping my user files. That
failed, referring to several AXEL.DAV files. After that I tried to
install Windows XP using a retail vesrion of Windows XP Home. That
failed as well.

Now I have a disk S.M.A.R.T. Status BAD error.

Could that be related to the AXEL.DAV virus?

Frits


--
fritsn
------------------------------------------------------------------------
fritsn's Profile: http://forums.tech-arena.com/member.php?userid=4202
View this thread: http://forums.tech-arena.com/showthread.php?t=16899
Tech-Arena, Largest Technology Forums in India for free I.T. Computer Support - http://forums.tech-arena.com

Malke

unread,
Dec 30, 2004, 8:43:48 AM12/30/04
to
fritsn wrote:

>
> Hello,
>
> I had the same AXEL.DAV virus. I first tried to re-install windows
> using the hp recovery partition, while keeping my user files. That
> failed, referring to several AXEL.DAV files. After that I tried to
> install Windows XP using a retail vesrion of Windows XP Home. That
> failed as well.
>
> Now I have a disk S.M.A.R.T. Status BAD error.
>
> Could that be related to the AXEL.DAV virus?
>

No. The S.M.A.R.T. monitoring is coming from the hard drive which
indicates a probable mechanical (hardware) failure. To determine the
drive's physical health, download a diagnostic utility from the drive
mftr. Usually you will make a bootable floppy with it. Boot with that,
and run a thorough test. If the drive fails, it will need to be
replaced. Check with HP tech support about how to do that and reinstall
Windows.

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"

wuz2blu

unread,
Jul 11, 2007, 7:34:50 PM7/11/07
to


For more info regarding this virus, check out the following pages:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS%5FREDLOF%2EA&VSect=Sn


--
wuz2blu
------------------------------------------------------------------------
wuz2blu's Profile: http://forums.techarena.in/member.php?userid=27841
View this thread: http://forums.techarena.in/showthread.php?t=16899

http://forums.techarena.in

etone

unread,
Jul 14, 2007, 12:30:23 AM7/14/07
to

I have a compaq (=HP) bought in by a customer not booting due to missing
DLLs, recovery using standard XPSP2 Home disc failed. Customer has
(had!) files (JPGs) on HDD he asked me save so booted using BartPE and
looked at C: using that explorer shell, all folders above C:\Windows
contain 1KB AXEL.DAT file and precious little else. C:\Windows appears
intact but is clearly corrupted, likewise the recovery partition.

Customer told me he attempted to use the recovery process after a
failed installation of a downloaded DVD app.

My (albeit technically untested and unproven) suspicion is that
AXEL.DAT infestation is a result of a malware infection specificly
targetting the HP (and/or Compaq) recovery partition processes; this
could lie dormant for months/years until the user encounters a problem
and attempts a recovery, whereupon the malware deletes all
docs/settings/program files and dumps itself in each folder.

If you are thinking "but surely HP would know about this and have some
information on it" please refer to comments elsewhere that they should
stick to printers.

As it could be a rootkit best tack would be delete all HDD partitions,
maybe use QTparted on live Linux distro such as Knoppix or Kubuntu to
be sure, merge them, format back to NTFS, recreate partitions as
desired, reinstall clean XP and use 2nd partition to hold Ghosted
backup of clean install. Best of luck.


--
etone
------------------------------------------------------------------------
etone's Profile: http://forums.techarena.in/member.php?userid=27958

sammons

unread,
Jun 9, 2008, 5:39:15 AM6/9/08
to

Axel Davis strikes again. I just got a client come in with a Compaq
Presario that had this virus. Won't boot claiming that there are DLL's
missing. In inspection on the harddrive, there were Axel.dav files
everywhere, and the personal data is all all gone. It does appear that
the client tried to do a sys recovery as the System looks relatively
clean. Tried to recover any deleted files and there were 0 deleted
files, which seems quite odd. The axel.dav files are all dated 5 Jan
06 which is some time ago, and one of them was marked as created on
27th feb 01. Virus scanners come up with nothing. so this virus looks
like a bit of a suicide bomber.

Looks like its a full system format and install from fresh XP home
discs

:o) Phil


--
sammons
------------------------------------------------------------------------
sammons's Profile: http://forums.techarena.in/member.php?userid=51263

0 new messages