|
Title: SpywareStrike
Type: Trojans
Remove SpywareStrike. Removal instructions
Also known as: Spyware strike, spywarestrike 2.5
Severity scale:
 (80 / 100)
Stay away from SpywareStrike, and if you happen to have it on your computer, use our manual removal instructions to get rid of it. Related files: mssearchnet.exe, nvctrl.exe, spywarestrike.exe, ss_setup.exe, netwrap.dll, replmap.dll, wiatwain.dll, hp[X].tmp SpywareStrike properties: • Shows commercial adverts • Connects itself to the internet • Hides from the user • Stays resident in background Automatic SpywareStrike removal: 
We are testing STOPzilla's efficiency at removing SpywareStrike
(2007-12-18 05:31:28)
We are testing Malwarebytes Anti Malware's efficiency at removing SpywareStrike
(2007-12-18 05:31:28)
We are testing Spyware Doctor's efficiency at removing SpywareStrike
(2007-12-18 05:31:28)
SpywareStrike manual removal:Kill processes:mssearchnet.exe, nvctrl.exe, spywarestrike.exe, ss_setup.exe Delete registry values: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpywareStrike HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27150F81-0877-42E9-AF13-55E5A3439A26} HKEY_CLASSES_ROOT\AppID\spywarestrike.exe HKEY_CLASSES_ROOT\Interface\{2C15CDEA-3EF4-4405-90B0-19A1389B36ED} HKEY_CLASSES_ROOT\Interface\{3115A433-3FA0-483B-AB01-2A61C951FE58} HKEY_CLASSES_ROOT\Interface\{51FEFA9C-1D5A-41C4-81FE-8C0FBE9254F0} HKEY_CLASSES_ROOT\Interface\{5CCC8D01-9F75-4F07-9ACF-DEB314176C79} HKEY_CLASSES_ROOT\Interface\{5E7BF614-960B-4A1F-9236-9EC01AC4C5E2} HKEY_CLASSES_ROOT\Interface\{66F0AC1C-DED5-4965-9E31-39788DF1B264} HKEY_CLASSES_ROOT\Interface\{849E056A-D67A-431E-9370-2275F26D39B5} HKEY_CLASSES_ROOT\Interface\{8B7AFBFD-631C-45BA-9145-F059EB58DD73} HKEY_CLASSES_ROOT\Interface\{AFEB8519-0B8B-4023-8C15-FFB17D5225F9} HKEY_CLASSES_ROOT\Interface\{BA9CC151-4581-438E-94AF-4C703201B7CA} HKEY_CLASSES_ROOT\Interface\{BC74C336-FF2C-40C9-AD4E-3772C208406B} HKEY_CLASSES_ROOT\Interface\{BDF00F24-A571-4392-95EC-04FDFF82A82C} HKEY_CLASSES_ROOT\Interface\{C4E953E6-770E-4F59-A5E3-43E9F0D682E2} HKEY_CLASSES_ROOT\Interface\{E0105E7C-D0C4-4DEA-AA21-B02F2960ECAF} HKEY_CLASSES_ROOT\Interface\{ED39CB7C-1BF6-429B-A275-F183B4A3EFCB} HKEY_CLASSES_ROOT\Interface\{F23AA637-31D5-4526-B5C6-9FF89E16202C} HKEY_CLASSES_ROOT\TypeLib\{C1A4C0C9-DBD0-493A-93F8-0B05EDC96224} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{70F17C8C-1744-41B6-9D07-575DB448DCC5} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\spywarestrike.exe HKEY_LOCAL_MACHINE\SOFTWARE\SpywareStrike HKEY_LOCAL_MACHINE\SOFTWARE\Licenses\{0A4AF3E9A644EE5C8} HKEY_LOCAL_MACHINE\SOFTWARE\Licenses\{IA4AF3E9A644EE5C8} HKEY_LOCAL_MACHINE\SOFTWARE\Licenses\{K7C0DB872A3F777C0} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareStrike Delete files: mssearchnet.exe, nvctrl.exe, spywarestrike.exe, ss_setup.exe, netwrap.dll, replmap.dll, wiatwain.dll, hp[X].tmp Delete directories: C:\Program Files\SpywareStrike C:\Documents and Settings\[Current User]\Start Menu\Programs\SpywareStrike 
Information added: 2006-01-06 15:44:26
Information updated: 2007-12-18 02:54:13 Additional resources related to SpywareStrike:Attention: If you know or you have a website or page about SpywareStrike removal, feel free to add a link to this list: add url |
Related news:
Similar parasites:
Related discussions:
|
FORUM:
HELP:
Spreading the knowledge:
It is very hard to fight Computer parasites alone in internet space. If you have a website we would be more than happy if you would help us to spread the knowledge about latest threats. You can help your
visitors to manage their Computer system manually without aditional expences. Knowledge is the power, we just need to spread it.
I got SQL errors when trying to post with slashed and lost my friggin post...fix that bug...URL encode this form.
Registrant:
Keramitsu LLC
David Alan Taylor (tailor.david@gmail.com)
321th Melburn Street
Seattle
Washington,98107
US
Tel. +207.9545521
Creation Date: 20-Dec-2005
Expiration Date: 20-Dec-2006
I had to delete the netwrap dot dll from the current users Local Settings Application Data directory not the system32 directory
thanks for the posting - I would not have fixed with out it
Also, how does this sucker work - I normally can use SysInternals process explorer to find and kill any unwanted process - I could not see it
http://groups.google.co.uk/group/microsoft.public.security.virus/browse_thread/thread/5d8c2050fe406dd7/a4540442586f8f5e?lnk=st&q=spywarestrike&rnum=2&hl=en
I had to get rid of the HKLMmicrosoftwindowscurre key. dont know what it was, but it had the same key number as the one in the HKLMmicrosoftwindowsexplorerbrowser explorer object.
In SAFE mode, command prompt mode, i did the following:
I had to delete all files in system32 that started with SA, as in SA1.exe, SA3.exe, etc
I had to walk the entire registry and remove any reference to spyware or striker.
I had to delete the file netwrap.dll in the system32 dir.
I had to delete any references to Striker in C:D&SUserapplication data
Also, I found out you cannot run "add/remove programs", Spyware Striker, because it actually loaded the program again.
I hope that flushes everything out....I should know in a few days for sure.
A "netwrap.dll" was found in the "windowssystem32" folder. This file seemed to be directly related to the flashing icon in the tray. There was another file "ld4FE3.tmp", which had a time stamp close to that of the "netwrap.dll".
The folder existed in the "program files" folder just as the other posts said.
Many thanks for this website and everyone who took the time to comment here after all the hard work. Thank you very much.
After removing the files from my system (see notes -by Guest 07/01/2006.23.01.26-), I went to the SpywareStriker.com website and started to install the free download.
The demo version of spywarestriker install its files at -C:Program FilesBulletProofSoft.comBPS Spyware & Adware Remover-. Not the -C:Program FilesSpywareStriker- folder we have all found with the virus.
I wonder if someone is trying to defame a company, or perhaps a company is trying to get some fame. Either way, it is unfortunate that so much time and energy is being wasted by people creating (and consequently) defending against virus.
Here you will see a folder called spywarestrike. Delete that and all the shortcuts within in.
Incidently the path to the startups may be different for different computers so you may have to find out where the automatic startups are for your comp. Best of luck...
One thing I did NOT do was use Add/Remove Programs to remove the Spyware Strike Program as i read earlier that all that does is reinstall the parasite - has that been confirmed true??
I also wanted to send out Special Thanks to everyone who conrtibuted below.
a small but simple program that worked in about two minutes after I spend 3 days trying with other things.
Good Luck
My infection did not have netwrap.dll but there was wiatwain.dll instead.
Thanks for all the help guys.
i have spent hours trying to kill this dam thing, & have used every program and guide out there to try to fix this issue. I Too could not stop the pop up or find the file netwrap.dll
THIS FILE SEEMS TO HAVE BEEN RENAMED TO wiatwain.dll
thank You so much to the poster who posted this info :)
2. by Guest. 10/01/2006. 15:01:35
netwrap.dll may have been renamed to wiatwain.dll
My infection did not have netwrap.dll but there was instead.
Thanks for all the help guys
Seems to have been the final thing to remove my infection
Any suggestions
hey i have the same problem. I managed to remove all the SpywareStriker and the pop-up in the right hand corner but now whenever i open an internet browser, instead of opening my homepage (optusnet) it opens a Security Centre thing telling me my copmy is being controlled by some random IP and shows all these Spyware/Malware stuff to dload and use to fight it. Of course theSpyware/Malware stuff doesnt work because i have to buy it.... Anyone know how to restore my browser?? the url it now re-directs to is www.uptodatesecurity.com
PLEASE HELP!
thanks to all the awesome people down below to.
Thanks for all the help!
I started out just deleting the listed keys, but then I wasnt sure I was supposed to, so I ran windows restore.
Thanks.
ps I never had the problem your talking about, so im not sure if my solution will work but its worth a try.
this is the most important file to delete and also the toughest.
SJ
Peter
But a restart did not delete it so im not sure what actually renamed it.
Again as previously posted this is the System tray part of the spyware.
Peter.
Is a trojan. regenerates itself???
What is putting it back after my antivirus (AVG) gets rid of it???
"rename wiatwain.dll to something else (i used aaaaaa to locate the file easily) and then restart and delete" this part seems to do the trick after Spyware doctor had taken care of everything.
or do it manually. my time is worth a lot more than $30 though.
Peter
JT Trusedell
PC Professional
Do This Kind Of Removal In Safe Mode!!!
After installation... all problems resolved... including the icon in the tray.
Sonny
Thanks to Guest 2201/2006.06:01:38 - very simple (and cheap) solution. Just remember to give the new account administrator status.
Now that my secondary objective for this trojan is seen to, I can now move onto my primary objective. Quite simply, I am going to track the dog down who is responsible for this crap and ensure he never does such a thing again. Can anyone help me with his name and home address, please.
6. by Guest. 22/01/2006. 06:01:38
all you have to do to get rid of the virus spywarestrike is open a new user account on your computer log on with that account go to start menu use find and locate wiatwain.dll in c:windows systems32 and delete it if that dosent work rename it and log on again and then delete it the key to doing this is opening a new user account and using that account and that will be the end of your problems
Had the same problem as others with mssearchnet.exe, nvctrl.exe and the trick of the new user account was of no value.
However, started in safe mode (F8 during start up) and was able to delete the files - no problems.
Try this and let me know how it goes.
when I attempted to delete the replmap file, my computer gave me an "access denied" error and would not let me delete it. I renamed it and still no luck deleting it. How can I delete that file?
Also, when I searched for the wiatwain.dll file, all I turned up were a few variants such as wiatwain.ds, Twain_32.dll, and other similiar variations. Should I delete the wiatwain.ds file or any of the "twain" variants? or are they all something completely different than wiatwain.dll?
*Fingers Crossed*
After again cleaning system, locking down with Spy..Doc.. stopped annoiances, and restarted in Safe Mode. However this file also loads now at the start up in SAFE MODE!, and therefore is NOT removable through the limited GUI interface. I Finally attained success in removing the cuprit file "replmap.dll" by restarting in "SAFE MODE with MS DOS Prompt" mode. Thank God I am an old enough techie to know DOS commands, they still come in handy.
The steps I used are:
Move to the culprits folder first, mine was in the Windowssystem32 directory.
Verify file location.
Delete file.
Verify removal.
Close MSDOS.
Reboot system.
DOS commands=
C: {Enter}
C:windowssystem32 {Enter}
dir repl*.dll {you should have another file that must be left alone show up here (Replace.exe)
del replmap.dll
dir replmap.dll {should yield a nothing result}
exit {Enter}
REBOOT System
I hope this can help someone else.
Allan D
so, i still cannot delete replmap.dll
thus the popup stays, and the spryware strike comes back.
please help!
so, trolling around i found that SmitRem has been updated and SHOULD clear this all up.
follow all normal procedures with smitRem, but before starting, delete the old copy of SmitRem (if u have) and get the new copy. then...
move to desktop, open folder, run "runthis.bat"
close all programs and follow prompts. then restart as normal
To remove the toolbar I downloaded Toolbar Cop at http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/Toolbarcop.shtm land that tool care of the rest.
They always come back.
Thanks for the help, Bullit.
Here are the DOS commands for all of you that dont remb
one it came up with a command promp type
C:
cd windows
cd system32
dir (make sure that replmap.dll listed scroll up to see and if so move on to next step)
dir repl*.dll (once again it should be listed there)
del replmap.dll
dir replmap.dll ( you now should get an error that no file was found)
exit
Reboot your comp and cross your fingers
Hope this helps if that doesnt work try going through all these comments and try something else... as you can see different things work for some and other things for others
Paul
Goos luck to anyone who has this pain in the ass bug.
ghcles
windows xp
start, run, "msconfig", boot.ini, check "/safeboot", click ok
once in safe mode click yes to proceed in safe mode.
in safe mode:
start, Program Files, Accessories, Command Prompt,
Prompt commands and order
1 - "cd C:WINDOWSsystem32"
2 - "del mssearchnet.exe"
3 - "del nvctrl.exe"
4 - "dir hp*.tmp"
if and hp[four digit].tmp comes up, do
5 - "del hp[four digit].tmp"
6 - "cd C:Program Files"
7 - "del spywarestrike"
8 - "y"
now go
start, run, msconfig, boot.ini, uncheck "/safemode", click ok.
now you should boot up in normal mode (if a windows disk checker comes up, just skip it)
go through your destop, program files and start bar and manually delete all of the spywarestrike
garbage
empty recycle bin and you are good.
hopes this helps - Joseph
Thanks so much as usual 2-spyware. Your legends as ever.
muchos gracias.
arg, im still not getting it! im kinda computer savvy, but this stuff is way over my head. anyone found an easy answer yet?
thanks
Baron
1st: I created an additional admin. account on win. XP
2nd: I booted in safe mode
3rd: I went to the C/WINDOWS/SYSTEM32 file and put all files (VIEW) in detail mode.
4th: I clicked modified date row and all newest files modified were on top.
5th: right click each file that u think was created right before the Spyware strike was installed and check the creation date.
6th: Delete all the files that were created on the date u believe the spyware program was installed.
7th: Ironically, I did this check on all the WINDOWS files (view mode: detail) , and low and behold I found the WIATWAIN.DLL file in the TWAIN folder in WINDOWS folder...not in SYSTEM 32 folder... I deleted that too (even though it said it was created back acouple of years ago..possibly it was modified by spyware program...so delete it)...
8th: Reboot computer ( i accidently deleted a windows xp crit. file so i had to reregister windows..no biggie)...anyways..just reboot computer..
9th: Log in under your own log in...
10th: I used in conjunction with the spydoctor program....Spybot ....
11th: It found the Spywware Strike program which wasnt operating on my system now (maybe deleting one of those dll files earlier).....
12th: have spybot delete it...
13th: Reboot once more to make sure everything is ok..
14th: should be able to log on internet without any pop ups or such...CONGRATS!!
15th: PS..u might want to run spybot once more to see if any thing is detected again...
btw... i did not see replmap.dll on any of my files.....maybe its not used on the newer Spyware strike program?
We will see if I am lucky in the next couple of days ; ;
Thanks, and good luck.
im still running some virus/spyware checkers at the moment, but i got the darn popup to go away. thanks to everybody here, i couldnt have done it without you all.
baron
BIG MISTAKE..it installed SpyFalcon >
http://www.bleepingcomputer.com/forums/topic43659.html
Post Comment: