
SpyStrike 2.5 Log and recommendations?

ObviousLoop



Joined: 11 Jan 2006
Posts: 5

Post subject: SpyStrike 2.5 Log and recommendations?

Logfile of HijackThis v1.99.1
Scan saved at 10:24:40 PM, on 1/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\CTsvcCDA.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\System32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
D:\Program Files\Trend Micro\Internet Security\tmproxy.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Trend Micro\Internet Security\PccPfw.exe
D:\WINNT\system32\devldr32.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Trend Micro\Internet Security\pccguide.exe
D:\Program Files\Trend Micro\Internet Security\PCClient.exe
D:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Warez P2P Client\warez.exe
D:\Program Files\Nikon\PictureProject\NkbMonitor.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\Internet Security\PCCMAIN.EXE
D:\PROGRA~1\WINZIP\wzqkpick.exe
D:\Documents and Settings\Blasphemy\Local Settings\Temp\wzfb8d\HijackThis.exe
D:\WINNT\system32\NOTEPAD.EXE

O2 - BHO: RandomName - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - D:\WINNT\system32\hpEBC7.tmp (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Speed racer] D:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "D:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "D:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpywareStrike] D:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [warez] "D:\Program Files\Warez P2P Client\warez.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = D:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136006575468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136004880328
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - D:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - D:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - D:\Program Files\Trend Micro\Internet Security\tmproxy.exe
Wed Jan 11, 2006 3:47 am
 
ObviousLoop



Joined: 11 Jan 2006
Posts: 5


Also, I have followed your prior directions, GTO, for removal of this pain in the arse prog. Unfortunately I don't use XP (2000 Pro user) and neither do I use IE. When clicking Tools, I do not find Manage Add-ons. I also went through and tried a manual removal of this prog by editing the registry, but this thing is a tough bugger. So, with that being said, please help...
Wed Jan 11, 2006 3:51 am
 
GTO



Joined: 15 Nov 2005
Posts: 1519


Hi, ObviousLoop. Welcome to 2-Spyware.com forums!

To get rid of the SpywareStrike infection please do the following:

1. Navigate to Start > Settings > Control Panel and launch the Add or Remove Programs tool. Within the list of installed software find SpywareStrike and uninstall it by clicking on the Uninstall or Change/Remove buttons. If there is no SpywareStrike entry, open the D:\Program Files\SpywareStrike folder and run the uninst.exe file. It is the uninstaller.

2. Delete these directories:
D:\Program Files\SpywareStrike
D:\Documents and Settings\Blasphemy\Start Menu\Programs\SpywareStrike


3. Download the KillBox utility. Use this tool to delete the D:\WINNT\System32\netwrap.dll file (if it exists). You may need to restart your system into Safe Mode in order to be able to delete this file.

4. Use HijackThis to fix the following entries:
O2 - BHO: RandomName - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - D:\WINNT\system32\hpEBC7.tmp (file missing)
O3 - Toolbar: (no name) - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - (no file)

5. After you get done, run another HijackThis scan and post a fresh log here.
Wed Jan 11, 2006 10:07 am
 
ObviousLoop



Joined: 11 Jan 2006
Posts: 5

Post subject: No Luck

Logfile of HijackThis v1.99.1
Scan saved at 3:24:37 PM, on 1/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\CTsvcCDA.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\System32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
D:\Program Files\Trend Micro\Internet Security\tmproxy.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Trend Micro\Internet Security\PccPfw.exe
D:\WINNT\system32\devldr32.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
D:\WINNT\system32\mobsync.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Trend Micro\Internet Security\pccguide.exe
D:\Program Files\Trend Micro\Internet Security\PCClient.exe
D:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Warez P2P Client\warez.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Nikon\PictureProject\NkbMonitor.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\PROGRA~1\WINZIP\winzip32.exe
D:\Documents and Settings\Blasphemy\Local Settings\Temp\wz86e9\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Speed racer] D:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "D:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "D:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [warez] "D:\Program Files\Warez P2P Client\warez.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = D:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136006575468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136004880328
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - D:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - D:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - D:\Program Files\Trend Micro\Internet Security\tmproxy.exe

I followed step one, removed SpywareStrike, followed step two and found neither of those directories, d/l'd KillBox, ran it in Safe Mode but was unable to find netwrap.dll. What you see before you is the log and I still have my flashing red X in the corner telling me virus alert. Btw, thanks for welcoming me to 2-spyware.com.
Wed Jan 11, 2006 8:50 pm
 
GTO



Joined: 15 Nov 2005
Posts: 1519


Your HijackThis log looks clean to me. This means that there are some uncommon SpywareStrike components that keep reinstalling the parasite. I suppose that the wiatwain.dll file is causing this. Please do the following:

1. Enable displaying of hidden files. Read here how.

2. Open the D:\WINNT\System32 folder and search for wiatwain.dll and netwrap.dll.
Delete both these files. You may need to use KillBox or restart your system into Safe Mode to be able to do this.
Thu Jan 12, 2006 9:30 am
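An added example (not from this thread, and not HijackThis's own code) that shows in Python what GTO did by eye in step 4 of his first reply and in his "looks clean" verdict above: it parses the O-lines of a HijackThis log, flags hooks whose backing file no longer exists (the O2/O3 entries that were fixed), lists the O4 Run-key autostarts, and diffs two scans to show which entries disappeared. SCAN_1 and SCAN_2 are excerpts of the two logs posted in this thread, not full copies.

```python
import re

# Excerpts of the two HijackThis scans posted in this thread: the first still
# shows the orphaned O2/O3 hooks and the SpywareStrike autostart, the second
# is the later scan GTO called clean.
SCAN_1 = r"""
O2 - BHO: RandomName - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - D:\WINNT\system32\hpEBC7.tmp (file missing)
O3 - Toolbar: (no name) - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - (no file)
O4 - HKLM\..\Run: [SpywareStrike] D:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [warez] "D:\Program Files\Warez P2P Client\warez.exe" -h
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - D:\Program Files\Trend Micro\Internet Security\tmproxy.exe
"""
SCAN_2 = r"""
O4 - HKCU\..\Run: [warez] "D:\Program Files\Warez P2P Client\warez.exe" -h
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - D:\Program Files\Trend Micro\Internet Security\tmproxy.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")    # "O4 - HKLM\..\Run: [name] cmd"
RUN_KEY = re.compile(r"\[(.+?)\] (.*)$")  # "[name] command line" inside O4


def parse_entries(log):
    """Return (section, detail) pairs for every O-line in a HijackThis log."""
    pairs = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def orphaned(log):
    """Hooks whose file is gone: the registry entry outlived the binary."""
    return [f"{s} - {d}" for s, d in parse_entries(log)
            if d.endswith("(file missing)") or d.endswith("(no file)")]


def autostarts(log):
    """Map each O4 Run-key entry name to its command line."""
    runs = {}
    for section, detail in parse_entries(log):
        m = RUN_KEY.search(detail) if section == "O4" else None
        if m:
            runs[m.group(1)] = m.group(2)
    return runs


def removed_between(before, after):
    """Entries present in the earlier scan but absent from the later one."""
    later = {f"{s} - {d}" for s, d in parse_entries(after)}
    return [f"{s} - {d}" for s, d in parse_entries(before)
            if f"{s} - {d}" not in later]
```

Running `orphaned(SCAN_1)` returns exactly the two entries GTO listed for fixing, and `removed_between(SCAN_1, SCAN_2)` shows those two plus the SpywareStrike Run key gone, which is the whole reason the second log reads as clean even though the program kept coming back.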
 
ObviousLoop



Joined: 11 Jan 2006
Posts: 5


I have neither of those DLLs on my system, but SpywareStrike is still there.
This is getting to be a bit annoying; I'm gonna fart around with it for a couple hours and see what I can do. If all else fails, re-format and use my backups.
Thu Jan 12, 2006 7:39 pm
 
Zibrahead



Joined: 12 Jan 2006
Posts: 4


From what I have read from Norton, a trojan is also installed with SpyAxe/SpywareStrike and you have to remove that manually. I did it and poof, SpywareStrike gone. Also run that smitrem prog in Safe Mode.
Thu Jan 12, 2006 11:31 pm
 
ObviousLoop



Joined: 11 Jan 2006
Posts: 5


smitrem was run in Safe Mode and it seemed it worked, but as soon as I opened Firefox, it was reloaded again, so there had to be some embedded files somewhere. I'm just relogging after a re-format. Anyhow, a bit of an update: one of the files responsible for loading SpywareStrike is a video codec (vcodec_ver 3.345.exe). Any of you that run across this, beware....

Thanks to all for their time,
Loop
Fri Jan 13, 2006 1:40 am
 
All times are GMT