Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Spysoldier / Spyware Knight Cleaning-resistant

  • Please log in to reply
4 replies to this topic

#1 Sokoudjou


  • Members
  • 5 posts
  • Local time:11:01 AM

Posted 21 April 2007 - 11:17 AM

Hello everyone -

So i have inherited a laptop with a malware infection. It advised on startup of being infected With Trojan.dloader via the system tray, and attempted to hijack my browser to get me to buy Spyware Knight and/or SpySoldier to fix the problem.

i do not know what activity prompted this. The machine was running Ad-Aware & AVG 7.1 at the time of infection in late 2006.

i disabled System Restore, updated definitions and ran both programs. Then booted into safe mode & ran both programs again - not much was found, but i quaranteed/deleted/cleaned whatever was there.

Then i uninstalled them both & switched to NOD32 & SpySweeper 5.3.1, downloaded full updates & discovered this thread which had a similar situation: http://www.bleepingcomputer.com/forums/t/80657/infected-with-trojandloaderlx-spyware-knight-etc/

So i downloaded SmitFraudFix, CCleaner 1.39 & Hijack This, booted into safe mode, and ran them. SmitFraudFix ran (i saved the log) and then the system rebooted itself without my intervention.

i then ran a full NOD32 virus scan, a full SpySweeper scan & CCleaner to clear files & clean the registry. SpySweeper found three adware elements: Antispyware soldier fakealert, comet cursor & fakealert fake infection, plus a system monitor called Tattletale.

i then rebooted into normal windows and found the popups to be gone, but i couldn't connect to Windows Update or sites like PandaVirus' online system scan. i checked the hosts file & it was clean. The system tray icon was gone, but i did occassionally get a browser semi-hijack, as it would send me to the SpySoldier sell page but it had no graphics. Clearly i had removed some of the infection but perhaps not everything.

So i ran Hijack This and got a report that looked fairly clean. i ran SmitFraudFix again in safe mode but no results. i still have access to my two SmitFraudFix logs & my HijackThis log.

i was at this point going to ask for help, but i saw your sticky on the Hijack this posting log - and wonder of wonders, i read it and decided to follow it first. But i cannot run the online virus scanners you recommend because my browser simply won't connect to those sites. It starts to, then simply terminates.

So, i delete the SpySweeper quarantine & run it one more time - all clean. Uninstall it, and install McAfee Stinger - nothing found.

So i move onto Spybot. Installed, updated & ran Spybot. Spybot comes up with 47 problems, including the following:

1. Adware.IEPageHelper
2. Avenue A, Inc.
3. ClickConsulting
4. ClientMan
5. Comet Cursors
6. CoolWWWSearch.008k
7. CoolWWWSearch.Aff.Winshow
8. CoolWWWSearch.Dreplace
9. CoolWWWSearch.GonnaSearch
10. CoolWWWSearch.Leftovers
11. Fraud.ProtectionBar
12. Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify
13. Microsoft.WindowsSecurityCenter.AntiVirusOverride
14. Microsoft.WindowsSecurityCenter.FirewallDisableNotify
15. Smitfraud-C (this i left alone)
16. SpySheriff
17. Vcodec.Intcodec
18. Win32.TrafficSol.c
19. Zlob.HomepageMonitor

i fix everything except SmitFraudFix, exit & run CCleaner, and then reboot into safe mode for a second Spybot run. i also noted that i ran my first HijackThis scan from the desktop, and that is a no-no, so i created a c:\HijackThis folder and put the .exe file in there for any future runs.

My second run with Spybot only turns up the 19 values in SmitFraudFix.C - i left them alone for now. Before exiting safe mode, i run a Hijack This scan and save the log, and reboot into normal windows hoping that the problems are gone.

However, i still cannot connect to my initial IE7 start page (runonce.aspx) or pages like Windows Update. i reckon i still can't access online virus scanning pages & their ilk too.

Can someone help me clean the remnants of this off this system?

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:10:01 AM

Posted 21 April 2007 - 11:06 PM

Run this,,let us know how you did
D'load update and scan preferably in Safe Mode


and CoolWebSearch shredder
Download stand-alone
version of CWShredder

Edited by boopme, 21 April 2007 - 11:11 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Sokoudjou

  • Topic Starter

  • Members
  • 5 posts
  • Local time:11:01 AM

Posted 22 April 2007 - 11:47 AM

OK, i have the laptop side by side with my desktop so i have access to security downloads, etc.

i downloaded, installed & updated Super AntiSpyware, then booted into safe mode and ran a full scan. It found 2 registry items left over from the Adware.SideStep.Toolbar & one infected Trojan.Downloader-Gen file at c:\windows\system32\winsub.xml

i quarantined all those things, and rebooted into safe mode again, and ran the CWS Shredder tool. Nothing was found. i then ran CCleaner and rebooted into normal windows, but my browser issues persist as far as not being able to connect to Windows Update.

Thanks for your help so far, Boopme.

#4 buddy215


  • Moderator
  • 13,411 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:01 AM

Posted 22 April 2007 - 12:05 PM

Post a Hijack This log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post the log in this forum.

A little info:

http://www.scumware.com/apps/scumware.php/...plications/This is a growing family of trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.

The variants of this trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.

As a result the best prevention you have against CoolWebSearch is keeping up to date with the security patches and updates available from Microsoft.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 Sokoudjou

  • Topic Starter

  • Members
  • 5 posts
  • Local time:11:01 AM

Posted 22 April 2007 - 01:27 PM

ok, posted the log at http://www.bleepingcomputer.com/forums/t/89691/spysoldier-spyware-knight-resistant-to-cleaning/

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users