Please Help - Spyaxe/spywarestrike!

  • This topic is locked
5 replies to this topic

#1 phm


  • Members
  • 5 posts
  • Local time:07:40 AM

Posted 06 January 2006 - 11:18 AM

Greetings all:

I have been struggling with an infection of SpywareStrike (seems to be a variant of SpyAxe) on my computer since yesterday. I followed the instructions posted at http://www.bleepingcomputer.com/forums/t/36868/how-to-remove-spyaxe-and-svchostsdllwbeconmdll/
for SpyAxe removal and am still having the problem. My HijackThis log looks clean (to me), but I was wondering if somebody else could help me out. Here is some other pertinent information before posting my HijackThis log:

1. mssearchnet.exe does NOT exist on my PC anymore.
2. The only remaining "symptoms" that I have are:
a) "System Intrusion Detected" warning popping up from the Windows Update Globe in the System Tray.
b) SpywareStrike is downloaded and installed about once every 30 minutes. It can be removed via Add/Remove Programs each time.
3. I've tried the instructions posted at the link above as well as CounterSpy, AluriaLite, Spyware Doctor, and Spyware Sweep (that one is in progress right now).
4. If I boot up in Safe Mode, the symptom is still present, however if I boot up in Safe Mode w/Command Prompt, the symptom is NOT present. Even if I boot up in Safe Mode with the network cable disconnected, the symptom IS present (although, of course, the downloads do not occur).

Here is my most current HijackThis log. I would be very grateful for any assistance that any kind soul here wishes to provide. Thanks in advance!


Logfile of HijackThis v1.99.1
Scan saved at 10:18:25, on 01/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Serv-U\Serv-U32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServAlert.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Matt Creek\Desktop\hijackthis2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Serv-U.lnk = C:\Program Files\Serv-U\Serv-U32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/games/clients/y/dt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Thanks again!



#2 phm

  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:40 AM

Posted 06 January 2006 - 11:27 PM


I found the following solution from another forum and it worked for me:

delete the file C:\Windows\System32\netwrap.dll

I had to boot up into "Safe Mode w/Command Prompt" in order to delete this file (using regular "Safe Mode" still gave me the "file is in use" error when trying to delete). Some other people apparently used a program called Killbox in order to delete the file, but I recommend my way, as it doesn't involve downloading any new programs.

I would, just to be sure, check the "last modified" time on the netwrap.dll file to make sure it's the right one. Mine was last modified right at the time I noticed the problems, which made me feel comfortable enough to delete the file. As soon as I did it and rebooted back into regular mode, no more annoying popup!

Good luck!
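
The last-modified check described in the post above can be widened to list every DLL or EXE in a directory that changed around the time symptoms began, which shows whether netwrap.dll is the only candidate. This is an added example, not code from the thread; the onset time, the temporary directory standing in for System32, and the file `other_new.dll` are constructed assumptions.

```python
import os
import tempfile
from datetime import datetime, timedelta


def files_modified_near(directory, onset, window_hours=2,
                        extensions=(".dll", ".exe")):
    """Return (name, mtime) pairs for files whose last-modified time lies
    within +/- window_hours of `onset`, sorted oldest first."""
    lo = onset - timedelta(hours=window_hours)
    hi = onset + timedelta(hours=window_hours)
    wanted = tuple(ext.lower() for ext in extensions)
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            # Skip directories and links; only regular files are of interest.
            if not entry.is_file(follow_symlinks=False):
                continue
            if not entry.name.lower().endswith(wanted):
                continue
            stamp = entry.stat(follow_symlinks=False).st_mtime
            mtime = datetime.fromtimestamp(stamp)
            if lo <= mtime <= hi:
                hits.append((entry.name, mtime))
    return sorted(hits, key=lambda hit: hit[1])


def build_sample_dir(onset):
    """Constructed sample data: a temp directory standing in for System32."""
    root = tempfile.mkdtemp(prefix="sys32_sample_")
    samples = {
        "netwrap.dll": onset + timedelta(minutes=3),     # changed at onset
        "other_new.dll": onset - timedelta(minutes=50),  # second candidate
        "kernel32.dll": onset - timedelta(days=500),     # long-standing file
        "notes.txt": onset,                              # wrong extension
    }
    for name, when in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as handle:
            handle.write(b"sample")
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root


if __name__ == "__main__":
    onset = datetime(2006, 1, 5, 14, 0)  # assumed time symptoms were noticed
    for name, mtime in files_modified_near(build_sample_dir(onset), onset):
        print(f"{mtime:%Y-%m-%d %H:%M}  {name}")
```

Last-modified times can be changed by any program with write access to the file, so a match is a lead to investigate and an empty result does not show the machine is clean.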

#3 RegK


  • Members
  • 1 posts
  • Local time:03:40 AM

Posted 07 January 2006 - 12:00 AM

I too am bedeviled by SpywareStrike/Spyaxe. Spyaxe first popped up on 12.28; the smitRem.exe found here took care of it. Until this p.m. Popped up again under the "SpywareStrike" label.

Found your solution, but I don't have your expertise. Once I get to the Safe Mode w/Command Prompt screen... I'm lost. Could you please walk me through the steps necessary to remove the file you indicate.

Any help would be most appreciated.

#4 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts
  • Gender:Male
  • Local time:05:40 AM

Posted 07 January 2006 - 12:48 AM

RegK, please start your own topic and post your log. I appreciate phm's efforts but he is not a qualified member of the HJT Team, see the forum guidelines above. Every PC is different and you may or may not have more than one infection on your machine. In order for you to receive the best help we need to see a log from your machine to help you.

Please follow the instructions here:

phm, would you be so kind as to post another log. You may also have more that needs to be done. And please give a description of any other problems you may have.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan

#5 boschmann22


  • Members
  • 1 posts
  • Local time:06:40 AM

Posted 07 January 2006 - 01:12 AM

hi. i used bleeping computer to remove spyaxe from my computer and it worked great. i still have Spyware Strike, and i was hoping that someone could give me some steps in order to remove the file. Phm, how could i locate the file once in safe mode?
Any help would be appreciated.

#6 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts
  • Gender:Male
  • Local time:05:40 AM

Posted 07 January 2006 - 01:51 AM

This thread is now closed. Anyone with this problem, please post a HijackThis log in your own thread.

If you want to try to fix it on your own, ask questions here:

phm, if you want to look into this any further start another thread. You could still have something hidden.

