SpyCrush Removal Guide

WHY DO YOU NEED TO GET RID OF SPYCRUSH?

SpyCrush is a corrupt anti-spyware program that is illegally installed on users' computers by widespread trojans and through exploits. This application is not only a weak spyware remover, but also a clone of infamous rogue programs.

Results of thorough tests we have conducted reveal that although the program does not produce false positives and really finds some malicious parasites, it cannot completely eliminate most prevalent infections, and therefore is definitely unable to protect user privacy and system security.

The program refuses to remove any parasites it finds and asks to register and purchase the full version.

WHAT INSTALLS SPYCRUSH WITHOUT YOUR KNOWLEDGE AND CONSENT?

SpyCrush is a trojan that displays an icon in the system tray. This icon shows a message saying that the compromised computer is infected with dangerous spyware parasites and asks the user to download and install a removal program, which is actually SpyCrush, the corrupt, illegally distributed spyware remover of the same name. Once the user clicks on that message, the trojan opens a web site distributing SpyCrush. It may also attempt to download the application without asking for user permission. The trojan is able to change the Internet Explorer default home page, redirect the web browser to malicious web sites, and download and install other parasites. SpyCrush automatically runs on every Windows startup.

ARE YOU INFECTED?

Your system is infected with SpyCrush if you can see any of the following symptoms:

a) There is a suspicious icon in the system tray. It might be a red shield with a white cross inside, a question mark, or an icon similar to that of the Windows Update tool.

b) A suspicious icon in the system tray pops up a message saying that your computer is infected with dangerous parasites. It asks you to download and install a removal program, which actually is SpyCrush. This message usually contains the following text:

System alert!
System has detected a number of active spyware applications
that may impact the performance of your computer. Click the
icon to get rid of unwanted spyware by downloading an
up-to-date antispyware solution.

c) SpyCrush, a corrupt spyware remover, is installed on your system. It runs on every Windows startup. The program’s main window is shown above.

d) Your Internet Explorer home page has changed and you cannot get it back. Now you get a warning page saying that spyware and viruses are detected on your PC and asking you to run a free scan in order to remove malware.

e) A spycrush.exe, spycrush 3.1.exe or spycrush 3.2.exe process is running.

f) Your HijackThis log contains any of the following entries:

O4 - HKLM\..\Run: [SpyCrush] C:\Program Files\SpyCrush\spycrush.exe
O4 - HKLM\..\Run: [SpyCrush 3.1] C:\Program Files\SpyCrush 3.1\spycrush 3.1.exe
O4 - HKLM\..\Run: [SpyCrush 3.2] C:\Program Files\SpyCrush 3.2\spycrush 3.2.exe
O21 - SSODL: hemadynanometr - {6076d2b1-634c-4685-843b-f826045ea5dc} - %System%\syycum.dll
O22 - SharedTaskScheduler: damkjernite - {5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef} - %System%\ckimzeb.dll
O22 - SharedTaskScheduler: debugs - {c704547b-26c0-4222-a034-81653c07b494} - %System%\gsrnxgh.dll
O22 - SharedTaskScheduler: hellenophile - {6F396A67-F473-48C9-9950-636CE17E584E} - %System%\yesgnhr.dll

%System% is your default system directory, which usually is C:\WINDOWS\System for Windows 98 and Windows Me, C:\WINDOWS\System32 for Windows XP, and C:\WINNT\System32 for Windows 2000.
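
Checking a saved HijackThis log against the entries in item f) can be scripted. The following is an added example, not part of the original guide or of HijackThis: the function name and the sample log are constructed for illustration, and only the Run value names and CLSIDs come from the list above. It compares the Run value name and the CLSID rather than the whole line, so a log that was pasted through a web page (hyphens turned into en dashes) or that differs in letter case still matches.

```python
import re

# Indicators copied from the HijackThis entries listed on this page.
SPYCRUSH_RUN_NAMES = {"spycrush", "spycrush 3.1", "spycrush 3.2"}
SPYCRUSH_CLSIDS = {
    "{6076d2b1-634c-4685-843b-f826045ea5dc}",  # O21 SSODL
    "{5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef}",  # O22 SharedTaskScheduler
    "{c704547b-26c0-4222-a034-81653c07b494}",  # O22 SharedTaskScheduler
    "{6f396a67-f473-48c9-9950-636ce17e584e}",  # O22 SharedTaskScheduler
}

# A log line is "<section> - <body>"; accept a hyphen, en dash or em dash as separator.
LINE_RE = re.compile(r"^(O\d+)\s+[-\u2013\u2014]\s+(.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run[^:]*:\s*\[([^\]]+)\]\s*(.*)$", re.I)
CLSID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")

def find_spycrush_entries(log_text):
    """Return (section, indicator, line) for each log line matching the page's entries."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            run = RUN_RE.match(body)
            if run and run.group(1).strip().lower() in SPYCRUSH_RUN_NAMES:
                hits.append((section, run.group(1).strip(), line))
        elif section in ("O21", "O22"):
            for clsid in CLSID_RE.findall(body):
                if clsid.lower() in SPYCRUSH_CLSIDS:
                    hits.append((section, clsid.lower(), line))
    return hits

# Constructed sample log: two unrelated lines plus lines in the format listed above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Run: [SpyCrush 3.1] C:\Program Files\SpyCrush 3.1\spycrush 3.1.exe
O21 – SSODL: hemadynanometr – {6076D2B1-634C-4685-843B-F826045EA5DC} – C:\WINDOWS\System32\syycum.dll
O22 - SharedTaskScheduler: example - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\System32\example.dll
O22 - SharedTaskScheduler: hellenophile - {6F396A67-F473-48C9-9950-636CE17E584E} - C:\WINDOWS\System32\renamed.dll
"""

if __name__ == "__main__":
    for section, indicator, line in find_spycrush_entries(SAMPLE_LOG):
        print(f"[{section}] {indicator}: {line}")
```

An empty result only means that none of the entries listed on this page are in the log.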

AUTOMATIC REMOVAL OF THE SPYCRUSH TROJAN

Removing the SpyCrush trojan automatically, along with the corrupt spyware remover of the same name, is easy. Just follow these steps:

1. Download PC Tools STOPzilla or Webroot Spy Sweeper. These programs are the most effective and popular spyware removers available.
2. Install the downloaded program on your system. Read the STOPzilla and Spy Sweeper tutorials to learn more.
3. Update the installed anti-spyware.
4. Run a full system scan.
5. Remove all the threats the application finds.

Please note that eliminating the parasites automatically might be a paid function, which is not available in the limited free version. Purchasing STOPzilla or Spy Sweeper makes these products fully functional and also enables built-in real-time protection.

MANUAL REMOVAL OF THE SPYCRUSH TROJAN

1. Download Pocket KillBox or KillBox utility.

2. Download the SmitFraudFix tool and unpack its files to a chosen folder.

3. Download the HijackThis program. Run a system scan, then fix the following entries (if present):

O4 - HKLM\..\Run: [SpyCrush] C:\Program Files\SpyCrush\spycrush.exe
O4 - HKLM\..\Run: [SpyCrush 3.1] C:\Program Files\SpyCrush 3.1\spycrush 3.1.exe
O4 - HKLM\..\Run: [SpyCrush 3.2] C:\Program Files\SpyCrush 3.2\spycrush 3.2.exe
O21 - SSODL: hemadynanometr - {6076d2b1-634c-4685-843b-f826045ea5dc} - %System%\syycum.dll
O22 - SharedTaskScheduler: damkjernite - {5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef} - %System%\ckimzeb.dll
O22 - SharedTaskScheduler: debugs - {c704547b-26c0-4222-a034-81653c07b494} - %System%\gsrnxgh.dll
O22 - SharedTaskScheduler: hellenophile - {6F396A67-F473-48C9-9950-636CE17E584E} - %System%\yesgnhr.dll

%System% is your default system directory, which usually is C:\WINDOWS\System for Windows 98 and Windows Me, C:\WINDOWS\System32 for Windows XP, and C:\WINNT\System32 for Windows 2000.

4. Now restart your system in Safe Mode. This step is very important!
Please note that you need to have administrator privileges.

5. Once in Safe Mode, run the SmitFraudFix tool by executing the smitfraudfix.cmd file.
The official SmitFraudFix tutorial can be found here.

6. Then use either Pocket KillBox or KillBox to delete all the files from the list above that are present on your system.

Malicious files in C:\WINDOWS\System32 or C:\WINNT\System32:
gbjkog.dll
iauoi.dll

ALTERNATIVE SPYCRUSH MANUAL REMOVAL INSTRUCTIONS

If you cannot download or use the SmitFraudFix tool, please follow these alternative manual removal instructions:

1. Download Pocket KillBox or KillBox utility.

2. Press Start > Settings, and open the Control Panel. Launch the Add or Remove Programs tool. In the list of installed software find the SpyCrush entry. Uninstall the corresponding program.

3. Download the HijackThis program. Run a system scan, then fix the following entries (if present):

O4 - HKLM\..\Run: [SpyCrush] C:\Program Files\SpyCrush\spycrush.exe
O4 - HKLM\..\Run: [SpyCrush 3.1] C:\Program Files\SpyCrush 3.1\spycrush 3.1.exe
O4 - HKLM\..\Run: [SpyCrush 3.2] C:\Program Files\SpyCrush 3.2\spycrush 3.2.exe
O21 - SSODL: hemadynanometr - {6076d2b1-634c-4685-843b-f826045ea5dc} - %System%\syycum.dll
O22 - SharedTaskScheduler: damkjernite - {5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef} - %System%\ckimzeb.dll
O22 - SharedTaskScheduler: debugs - {c704547b-26c0-4222-a034-81653c07b494} - %System%\gsrnxgh.dll
O22 - SharedTaskScheduler: hellenophile - {6F396A67-F473-48C9-9950-636CE17E584E} - %System%\yesgnhr.dll

%System% is your default system directory, which usually is C:\WINDOWS\System for Windows 98 and Windows Me, C:\WINDOWS\System32 for Windows XP, and C:\WINNT\System32 for Windows 2000.

4. Now restart your system in Safe Mode. This step is very important!
Please note that you need to have administrator privileges.

5. Once in Safe Mode, use either Pocket KillBox or KillBox to delete all the files from the list above that are present on your system.

Malicious files in C:\WINDOWS\System32 or C:\WINNT\System32:
ckimzeb.dll
gbjkog.dll
gsrnxgh.dll
iauoi.dll
syycum.dll
yesgnhr.dll

Malicious files in C:\Program Files\SpyCrush:
spycrush.exe

Malicious files in C:\Program Files\SpyCrush 3.1:
spycrush 3.1.exe

Malicious files in C:\Program Files\SpyCrush 3.2:
spycrush 3.2.exe

6. Delete the following directories (if present):
C:\Program Files\SpyCrush
C:\Program Files\SpyCrush 3.1
C:\Program Files\SpyCrush 3.2


  • hyun

    the shield icon is there on taskbar but i could not find any of the malicious files (spycrush.exe or the .dlls). i can't even find any of the relevant register addresses. got any idea how to fix this?

  • GILL

    I have the same problem as Hyun^^^
    The fake spyware balloon is still popping up every 5 minutes or so. I have searched the entire reg list and ran command prompts and uninstall commands for all the files listed.
    What needs to be done now?

    Thanks

  • grant

    I used regedit to purge the garbage. It worked easily.
    Search the web for fixSC.reg which gives the keys to search for.
    I found it at http://download.bleepingcomputer.com/reg/FixSC.reg
    I only removed exactly matching keys, of which there were 4. Also,
    I searched the registry for “spycru” and got rid of every key found.

    Then I searched the HD for “spycr” and found 2 hits, which were also deleted.
    A firefox symptom: the history list was disabled by spycrusher. I had to manually
    re-instate the switch in firefox options, after the malware was removed.

  • Ann

    I am having the same problem on my home computer as noted above. I am no expert but I have been successful before in removing spyware. Can you tell me the cost of purchasing your software to remove this thing automatically?
    thank you

  • jake

    Thanks a lot, it worked for me.

  • George

    I had same problem as Hyun and Gill.

    Solution was to download SmitfraudFix and run the smitfraudfix.cmd file as described above, while in SAFE mode. I think the other steps only need be done if you have actually installed the bogus Spycrusher program from their site. I seem to be OK now.

  • Losian

    I’m in the same boat as you guys. The fake balloon still pops up on my task bar even though the PC Doctor has removed all the malicious files from my system and I’ve personally checked the registry to see if the malicious files are still there.

  • jwadie

    i got same problem as those guys ^^

  • melin

    I have the same results as the others; the icon is still visible, the paths in registry to be identified and deleted are not in the log. I ran SPYBOT search and destroy which removed it, but it came back 24 hours later.

  • shane gillis

    I never tried the manual but I tried different spyware removal and still have the annoying icon. The only thing I do is hide the icon and it keeps it from popping up.

  • ppwok

    I have the same issue too – the damn thing won’t go away – I’m going to try to trick it into telling me where it is hiding – If I have any luck I will post the solution here!

  • Kevin

    k u system restore ur computer to the day before u got the spycrush then *TaDa* u removed it, but i dun think it works if u have the virus on ur computer too long i deleted after 5 minute LOL

  • Kevin

    I’m not sure if everything is removed. I tried to find some registry keys and stuff, but they’re not there, AND the shield going yellow to red, I think, stopped! Try it!

  • Gretos

    thanks it worked for me
