
Spywarestriker Cannot Seem To Get Rid Of It


  • This topic is locked
3 replies to this topic

#1 capricorn

capricorn

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:36 AM

Posted 24 January 2006 - 02:28 PM

Hello all,

I went through the following post on your website: www.bleepingcomputers.com/forums/topic17258.html.

I did everything in Method 1 of your instructions, and still cannot get rid of SpywareStriker. I did not try Method 2 because I am at my wits' end trying to remove this program.

I wanted to post some of the logs that were created during my attempt to remove this spyware to see if any of you have any suggestions:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:08 AM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

****O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp58F7.tmp (file missing)
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
****O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
****O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
****O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
****O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
****O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DB6D4758-0AC3-4B84-A239-D9D4B3F61A2E} - http://mediaplayer.walmart.com/installer/install.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

I only deleted the entries that have **** in front of them because I do not have a clue.

Here is the Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:51:47 PM, 1/24/2006
+ Report-Checksum: 1BF542AF

+ Scan result:

C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temp\cdgpcpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temp\cjajkjmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temp\Cookies\ratermtl@buycom.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temp\fbckcpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temp\gfldcpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temp\gfnmemmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temp\gjdkcpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temp\hbkbbimd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temp\jkjhdpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temp\mbkaolmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temporary Internet Files\Content.IE5\PQ0ABLME\gdnUS2218[1].exe -> Downloader.Small.ayl : Cleaned with backup
C:\Program Files\eaba\snci.exe -> Adware.PurityScan : Cleaned with backup
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll -> Spyware.MyWay : Cleaned with backup


::Report End

Finally, the panda activescan:


Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\ratermtl.ROLUSA.000\Favorites\Antivirus Test Online.url
Potentially unwanted tool:application/spywarestrike Not disinfected C:\PROGRAM FILES\SpywareStrike
Adware:adware/spywarestrike Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.MWLWS038\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.MWLWS038\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ratermtl.ROLUSA.000\Desktop\smitRem.exe[Process.exe]
Spyware:Spyware/Smitfraud Not disinfected C:\Documents and Settings\ratermtl.ROLUSA.000\Local Settings\Temp\SSLanguage.ini
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ratermtl.ROLUSA.000\My Documents\smitrem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ratermtl.ROLUSA.000\My Documents\smitrem\smitRem.exe[Process.exe]
Adware:Adware/SpywareStrike Not disinfected C:\Program Files\SpywareStrike\uninst.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-2136492297-1985379149-598688345-1419\Dc1.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-2136492297-1985379149-598688345-1419\Dc2\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Smitrem\smitRem\Process.exe
I could not find the autoclean check box - none of these things were cleaned!

Any help on getting this fixed would be appreciated.

Thanks ahead of time,
Jason
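The triage the helpers here do by eye, as an added example that is not part of the original thread or of HijackThis itself: a small Python parser for HijackThis 1.99.x log lines that applies the heuristics visible in the log above (entries marked "(file missing)", code loaded from Temp, Temporary Internet Files or RECYCLER, a .tmp file registered as a BHO, O23 services with no vendor string, and a watchlist of names). The sample log is a constructed excerpt modelled on the post; the O4 "dialer" line, the user name in its path, the watchlist contents and the stripping of the poster's **** markers are assumptions of the example, not data from the page.

```python
"""Triage HijackThis 1.99.x log lines with the heuristics helpers in this thread apply by eye."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt modelled on the log posted above (not the poster's full file).
# The O4 [dialer] line is invented to show the temp-directory rule.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
****O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp58F7.tmp (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [dialer] C:\Documents and Settings\user\Local Settings\Temp\cdgpcpmd.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - ")
# Either a quoted path (may contain spaces) or an unquoted path ending in a code/shortcut extension.
PATH_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+)"'
    r"|([A-Za-z]:\\.+?\.(?:exe|dll|tmp|lnk|ocx|sys|cpl|scr|bat))(?=\s|\)|$)",
    re.IGNORECASE,
)
# Directories from which legitimate autostarts essentially never run.
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\temporary internet files\\", "\\recycler\\")
# Constructed watchlist seeded from this thread; extend as needed.
WATCHLIST = ("SpywareStrike",)


@dataclass
class Finding:
    section: str        # HijackThis section code, e.g. "O4"
    line: str           # the log line as posted
    reasons: List[str]  # why it was flagged


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, line) for every 'Oxx - ...' item; header and process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip().lstrip("*")  # posters sometimes mark lines with ****
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
    return entries


def extract_path(entry_line: str) -> Optional[str]:
    """Pull the on-disk path out of an entry, or None (URLs, missing paths)."""
    m = PATH_RE.search(entry_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(log_text: str, watchlist=WATCHLIST) -> List[Finding]:
    """Apply the heuristics and return only the entries that tripped at least one."""
    findings = []
    for section, line in parse_entries(log_text):
        reasons = []
        lower = line.lower()
        path = extract_path(line)
        plow = (path or "").lower()
        if "(file missing)" in lower:
            reasons.append("registry entry points at a file that no longer exists")
        if path and any(d in plow for d in SUSPICIOUS_DIRS):
            reasons.append("loads from a temp, browser-cache or recycler directory")
        if plow.endswith(".tmp") and section in ("O2", "O4", "O20", "O21"):
            reasons.append("executable code registered from a .tmp file")
        if section == "O23" and "unknown owner" in lower:
            reasons.append("service carries no vendor string; verify the binary by hand")
        for name in watchlist:
            if name.lower() in lower:
                reasons.append(f"matches watchlist name {name!r}")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.line)
        for r in f.reasons:
            print("    -", r)
```

The heuristics flag the Dell wireless service for the same reason a helper would glance at it (no vendor string), so treat the output as a review list, not a verdict; the igfxtray, Sonic and Symantec entries pass without comment, exactly as they did in the thread.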


#2 capricorn

capricorn
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:36 AM

Posted 24 January 2006 - 04:18 PM

I KNOW EVERYONE IS BUSY, BUT PLEASE SOMEONE HELP!

Latest HijackThis.log

Logfile of HijackThis v1.99.1
Scan saved at 4:27:05 PM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6D4758-0AC3-4B84-A239-D9D4B3F61A2E} - http://mediaplayer.walmart.com/installer/install.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Thanks,
Jason

Edited by capricorn, 24 January 2006 - 04:34 PM.


#3 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:36 PM

Posted 26 January 2006 - 04:05 PM

Hello Jason, I notice you were using a fix from April. You also gave me a bad link to look at the fix by adding an "s", but I figured it out. I only see the one item, but would like to make sure all of Smitfraud is gone, so I would appreciate it if you would run through this fix one more time. smitRem must be updated often to keep up with the hackers, so if you already have a copy, delete it and download it fresh. You may use the ewido you have; just update the scanner before you proceed, and follow all other instructions that reflect new versions of this trojan.

Download smitRem.exe by noahdfear to your Desktop from http://noahdfear.geekstogo.com/smitRem.exe
Double-click the smitRem.exe and it will extract the files to a smitRem folder on your Desktop.

Please download the trial version of ewido security suite. http://www.ewido.net/en/download/
Install ewido security suite and start the program from the icon on your desktop, then check for and download updates. Don't Run Yet.

Reboot to safe mode

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.


Open Ewido Security Suite
Click on scanner
Make sure the following boxes are checked before scanning:
Binder
Crypter
Archives
Click on Start Scan
Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report
Save the report to your desktop
In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info" if present.

Empty recycle bin.

Reboot Normal.

Download this file from the link to your desktop.
http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

Once it is finished your Zones should be reset.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection

Post a new HijackThis Log along with the logfile created by Ewido and the logfile created by smitrem (located at C:\smitfiles.txt).

Thanks...pskelley
BleepingComputer

Edited by pskelley, 26 January 2006 - 04:09 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
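The DelDomains.inf step above works because the Internet Explorer zone assignments are ordinary per-user registry values: each host under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains carries a DWORD per scheme whose value is the zone ID (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites). Anything running as the user can add its own sites to zone 2, and the IE-SPYAD and SpywareBlaster blocklists live in the same key under zone 4, which is why the reply says to reinstall them afterwards. The following added example, not part of the original thread or of any of the tools it names, parses a regedit export of that key (File > Export, which regedit writes as UTF-16) so you can see what is about to be wiped. The .reg text and every host name in it are constructed; the zone-ID meanings are the standard ones.

```python
"""List what a .reg export of IE's ZoneMap\\Domains key assigns to each security zone."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Standard URL security zone IDs stored in the ZoneMap values.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed export with hypothetical hosts, in the layout regedit produces.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hijacker.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hijacker.test\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocklisted.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.test]
"https"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]*)"=dword:([0-9A-Fa-f]{8})$')
MARKER = "\\zonemap\\domains\\"


def parse_zonemap(reg_text: str) -> List[Tuple[str, str, int]]:
    """Return (host, scheme, zone) triples.

    Subkeys nest host labels in reverse order: Domains\\example.test\\www
    is the host www.example.test. Keys outside ZoneMap\\Domains are ignored.
    """
    triples = []
    host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            pos = key.lower().find(MARKER)
            host = None
            if pos != -1:
                labels = key[pos + len(MARKER):].split("\\")
                host = ".".join(reversed(labels))
            continue
        vm = DWORD_RE.match(line)
        if vm and host is not None:
            triples.append((host, vm.group(1), int(vm.group(2), 16)))
    return triples


def by_zone(triples: Iterable[Tuple[str, str, int]]) -> Dict[int, List[str]]:
    """Group assignments by zone; '*' means every scheme, so the bare host is shown."""
    zones = defaultdict(list)
    for host, scheme, zone in triples:
        zones[zone].append(host if scheme == "*" else f"{scheme}://{host}")
    return {z: sorted(v) for z, v in zones.items()}


def unexpected_trusted(triples: Iterable[Tuple[str, str, int]],
                       expected_hosts: Iterable[str]) -> List[str]:
    """Hosts in the Trusted zone (2) that the user did not put there."""
    expected = {h.lower() for h in expected_hosts}
    return sorted({h for h, _, z in triples if z == 2 and h.lower() not in expected})


if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-16").read()
    for zone, hosts in sorted(by_zone(parse_zonemap(SAMPLE_REG)).items()):
        print(f"{zone} {ZONE_NAMES.get(zone, '?')}: {', '.join(hosts)}")
    print("not yours in Trusted:", unexpected_trusted(parse_zonemap(SAMPLE_REG), []))
```

Run it against the export before DelDomains.inf: hosts in zone 2 you never added are the hijack, and the zone 4 entries are the blocklist you will be reinstalling.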

#4 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:36 PM

Posted 04 February 2006 - 10:54 AM

There has been no response to this topic in over a week
This topic is closed

Thanks...pskelley
BleepingComputer
