Cleaning a friend's computer and having trouble.
The problem he noticed was with SpyAxe (pop-up notices in system tray), though I've found lots of other nasties too.
He routinely updates/runs Ad-Aware and AVG, less routinely SpyBot S&D, has Kerio Personal Firewall (cable connection), but he has a roommate who does not surf safely! (sigh) In fact, this is the same computer I was cleaning when I first came upon your forum over a year ago and got so much help from Kevin aka greyknight17. Thanks many times over for all I've found and learned here!! And of course TIA for help today...
I have done your "Five-Step Process" and then some:
-I have scanned (multiple times, Safe Mode and Normal) with SpyBot S&D, Ad-Aware (settings per Kevin at greyknight17.com), and AVG. Find and fix things every time.
-Removed SpyAxe and others via Add/Remove Programs
-Checked for and removed other folders via Windows Explorer
-Also used CWShredder, CleanUp, SmitRem, Ewido
-##Panda (still finding things), and TrendMicro HouseCall (found/fixed multiple problems)
-Still getting a pop-up in system tray saying "System Intrusion Detected"
Most recently:
(in Safe Mode logged in as Administrator)
-re-ran SmitRem and scanned w/ Ewido -> only SpywareStrike (SpyAxe) found - removed
-rescanned w/ SpyBot S&D -> WindowsActiveDesktop (removed)
-Ad-Aware -> nothing
-restart in Normal Mode -> system tray pop-up "System Intrusion Detected"
(Safe Mode logged in as user):
-re-ran SmitRem
-scanned w/ Ewido - **pop-up is present when logged in as user in Safe Mode (not when logged in as Admin), Ewido did not find spyaxe or similar (despite the pop-up being directly over the scan window! ;-)
-SpyBot S&D -> WindowsActiveDesktop (removed)
-AVG-> nothing
I am reluctant to do any more online scans as I just get more junk every time I go online. I have this computer at my home and am using a usb wireless adapter to my dsl router - have gone online only to get updates and try the Panda and TrendMicro scans as above. I have another computer here I have been downloading the programs to, burning them on a CD, and then transferring to the oh-so-sick computer to install.
I'm normally a Win98se user (don't laugh, it works) so not necessarily XP-proficient - should I be running these programs as the user as well as Admin? I started with logging into Safe Mode as Admin, but as noted above also tried logging in as the user...???
At latest Reboot Normal, the icon and pop-up "System Intrusion Detected" continues (also in Safe Mode logged on as User, or in Normal Mode, but not in Safe Mode logged on as Administrator) and Spyware Strike is back - shortcut on the Desktop, program folder, and listed in Add/Remove Programs.
(Not using selective startup)
Below are
--Panda scan (see ## above for when it was done)
--smitfiles
--Ewido Log (same)
--HJT - done at this last normal boot *after* again removing SpyStrike via Add/Remove Programs and being sure program folder/desktop icon are gone
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 8:55:05 AM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\SS Tools\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redsox.com/
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hp4948.tmp (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SY4u] C:\documents and settings\will\local settings\temp\SY4u.exe
O4 - HKLM\..\Run: [Tn] C:\documents and settings\will\local settings\temp\Tn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Will\Application Data\eetu.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\SS Tools\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
*************************
SMITFILES:
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 01/06/2006
The current time is: 16:41:00.51
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
Security Toolbar
~~~ Shortcuts ~~~
Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url
~~~ Favorites ~~~
~~~ system32 folder ~~~
wbeconm.dll
1024 dir
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp
~~~ Icons in System32 ~~~
ts.ico
ot.ico
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'
Starting registry repairs
Deleting files
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Online Security Guide.url
Online Security Guide.url
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :)
***************************
2nd Ewido log - safe mode, logged in as admin:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 8:36:37 PM, 1/6/2006
+ Report-Checksum: B641AE71
+ Scan result:
C:\Program Files\SpywareStrike\SpywareStrike.exe -> Adware.Spyaxe : Cleaned with backup
::Report End
3rd Ewido log - safe mode, logged in as User:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:11:10 PM, 1/6/2006
+ Report-Checksum: 9D776293
+ Scan result:
HKU\S-1-5-21-2695072642-2501954535-3646181656-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{120E090D-9136-4B78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
C:\Documents and Settings\Will\ezStub\ezStub.exe -> Adware.eZula : Cleaned with backup
::Report End
*****************
Panda Active Scan:
Incident Status Location
Adware:adware/ezula Not disinfected C:\WINDOWS\SYSTEM32\ezStub3.dll
Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/keenvalue Not disinfected C:\WINDOWS\SYSTEM32\setup_incred_7.exe
Spyware:spyware/commonname Not disinfected C:\WINDOWS\SYSTEM32\winnet.ini
Dialer:dialer.b Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\EGAUTH.inf
Adware:adware/statblaster Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Will\Favorites\Antivirus Test Online.url
Spyware:spyware/betterinet Not disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/sidesearch Not disinfected C:\WINDOWS\sepsd.bin
Adware:adware/ncase Not disinfected C:\PROGRAM FILES\nCase
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\Windows TaskAd
Spyware:spyware/apropos Not disinfected C:\Documents and Settings\Will\Application Data\POP!
Adware:adware/dyfuca Not disinfected C:\WINDOWS\STWSI
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Will\Cookies\will@2o7[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Will\Cookies\will@ads.pointroll[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Will\Cookies\will@tribalfusion[1].txt
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\popinstlite.exe
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Administrator\My Documents\Data\popinstlite.exe
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Will\Cookies\will@2o7[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Will\Cookies\will@ads.pointroll[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Will\Cookies\will@tribalfusion[1].txt
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Will\ezStub\ezStub.exe
Adware:Adware/EliteBar Not disinfected C:\EliteBar version 49.dll
Adware:Adware/EliteBar Not disinfected C:\EliteBar version 51.dll
Adware:Adware/WUpd Not disinfected C:\Program Files\Windows TaskAd\WinSched.exe
Adware:Adware/WUpd Not disinfected C:\RECYCLER\S-1-5-21-2695072642-2501954535-3646181656-500\Dc12\backup-20041008-115126-602.inf
Potentially unwanted tool:Application/Processor Not disinfected C:\SS Tools\SmitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SS Tools\Will 1-6-06\smitRem.exe[Process.exe]
Adware:Adware/EliteBar Not disinfected C:\WINDOWS\blocklist.reg
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Downloaded Program Files\ashton.inf
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Downloaded Program Files\turbo.inf
Adware:Adware Program Not disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/TopRebates Not disinfected C:\WINDOWS\iNetPal\ezTSetup.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\biF.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\biini.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\biO.inf
Adware:Adware/EliteBar Not disinfected C:\WINDOWS\silent48.exe
Adware:Adware/nCase Not disinfected C:\WINDOWS\SYSTEM32\ezStub3.dll
Adware:Adware/InstaFinder Not disinfected C:\WINDOWS\SYSTEM32\InstaFinder_inst245.exe
Adware:Adware/KeenValue Not disinfected C:\WINDOWS\SYSTEM32\setup_incred_7.exe
Virus:Trj/Downloader.GKO Disinfected C:\WINDOWS\uniwebassist.exe
**********************
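Added example (not part of the post above and not code from HijackThis, smitRem, Ewido or any other tool it mentions): a small Python script that parses the O4 autorun lines of a HijackThis 1.99 log and lists the entries that deserve a closer look before deciding what to fix. The sample input is copied from the HJT log above; the flagging rules (image under a user-writable directory such as Local Settings\Temp or Application Data, a bare file name with no directory, a very short file name) are heuristics of my own, not HijackThis's, and a flag means "check this entry", not "delete it".

```python
import re
from dataclasses import dataclass, field
from typing import List

# Sample input: O4 lines copied from the HijackThis log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SY4u] C:\documents and settings\will\local settings\temp\SY4u.exe
O4 - HKLM\..\Run: [Tn] C:\documents and settings\will\local settings\temp\Tn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Will\Application Data\eetu.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

# The two O4 shapes in a HijackThis 1.99 log: registry Run values and Startup-folder shortcuts.
_RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
_STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$')

# Directories an ordinary user can write to (my heuristic list); a persistent
# autorun whose image lives here is worth a look.
USER_WRITABLE_MARKERS = ('\\local settings\\temp\\', '\\temp\\',
                         '\\application data\\', '\\appdata\\')


@dataclass
class Autorun:
    source: str                 # "HKLM", "HKCU" or "Startup folder"
    name: str                   # Run value name or shortcut name
    image: str                  # program the entry launches ("?" when HJT could not resolve it)
    reasons: List[str] = field(default_factory=list)


def image_from_command(cmd: str) -> str:
    """Pull the program path out of a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces ("local settings\temp" above), so cut
    # after the first ".exe" rather than at the first space.
    m = re.search(r'\.exe', cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split(' ')[0]


def assess(entry: Autorun) -> None:
    """Attach review reasons to an entry (heuristics, not verdicts)."""
    img = entry.image.lower()
    if img == '?':
        return                                   # unresolved .lnk, nothing to judge
    if any(marker in img for marker in USER_WRITABLE_MARKERS):
        entry.reasons.append('runs from a user-writable directory')
    if '\\' not in img:
        entry.reasons.append('unqualified path (resolved via PATH search)')
    stem = img.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if len(stem) <= 4:
        entry.reasons.append('very short file name, often randomly generated')


def parse_o4(log_text: str) -> List[Autorun]:
    """Parse every O4 line in a HijackThis log into an Autorun, with reasons filled in."""
    entries = []
    for line in log_text.splitlines():
        m = _RUN_RE.match(line)
        if m:
            e = Autorun(m['hive'], m['name'], image_from_command(m['cmd']))
        else:
            m = _STARTUP_RE.match(line)
            if not m:
                continue                         # not an O4 line
            e = Autorun('Startup folder', m['name'], m['cmd'].strip())
        assess(e)
        entries.append(e)
    return entries


def flagged(log_text: str) -> List[Autorun]:
    """Only the entries that picked up at least one review reason."""
    return [e for e in parse_o4(log_text) if e.reasons]


if __name__ == '__main__':
    for e in flagged(SAMPLE_O4_LINES):
        print(f'{e.source:14} [{e.name}] {e.image}')
        for r in e.reasons:
            print(f'    - {r}')
```

On the sample above this lists SY4u, Tn and Aida (images under Local Settings\Temp or Application Data), Tsa2 (four-character file name) and BCMSMMSG, the last one only because it is a bare file name found through the PATH search; the reasons are a prioritisation aid for which entries to research first, not a removal list.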