Major spyware prob 'Spywarestrike'

  1. #1
    Registered User
    Join Date
    Nov 2001
    Posts
    215

    Major spyware prob 'Spywarestrike'

    I have this in my sys tray and it won't go, I've tried the following

    Spybot
    Ad-Aware
    Counter Spy
    Smitrem
    Spyware doctor

    All fail, it keeps showing up, and it also messed up my whole desktop, icons, etc.

    I've searched Google but nothing I found removed it either.

    Help pls.

  2. #2
    Registered User
    Join Date
    Nov 2001
    Posts
    215
    This is what I did specifically to get rid of it

    Print out these instructions as we will need to shutdown every window that is open later in the fix.


    Download smitRem.exe and save the file to your desktop.


    Double click on smitRem.exe and then click on Start. When it is done, click on the OK button. You should now have a folder called smitRem on your desktop.


    Next, please reboot your computer in SafeMode by doing the following:


    Restart your computer


    After hearing your computer beep once during startup, but before the Windows icon appears, press F8.


    Instead of Windows loading as normal, a menu should appear


    Select the first option, to run Windows in Safe Mode.


    When your computer has started in safe mode and you see the desktop, close all open Windows.


    Open the smitRem folder on your desktop and double click the RunThis.bat file to start the tool.


    Follow the prompts on screen and wait for the tool to complete and disk cleanup to finish.


    When the tool is finished, it will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned.


    Reboot your computer back to normal mode.


    Click on the Start button, then click on All Programs (or Programs), and then locate the SpywareStrike folder and right-click on it. Select the option to delete that folder.

    That didn't work.

    This is what was in the txt file it produced as well:

    smitRem © log file
    version 2.8

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    The current date is: 10/01/2006
    The current time is: 21:32:39.29

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~

    SpywareStrike


    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~

    msvol.tlb
    mssearchnet.exe
    ncompat.tlb
    nvctrl.exe
    hp***.tmp


    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 700 'explorer.exe'
    Killing PID 700 'explorer.exe'

    Starting registry repairs

    Deleting files


    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~



    ~~~ Miscellaneous Files/folders ~~~




    ~~~ Wininet.dll ~~~

    CLEAN!
    It says 'clean' but I still get the 'your computer is infected' msg in my taskbar.

    All my icons have changed too and when I go and change them back to what they were the old icons aren't there anymore =\
    Last edited by houllier*; January 10th, 2006 at 05:32 PM.

  3. #3
    Registered User
    Join Date
    Mar 2005
    Posts
    1,534
    http://www.infopackets.com/channels/...structions.htm


    Here is what some are using to fix the problem. They say it is a variant of spyaxe.

  4. #4
    Registered User
    Join Date
    Nov 2001
    Posts
    215
    Hi

    Yes, I've done all that, that's what I did to remove it, but I'm still getting the pop-up in the sys tray which won't go.

  5. #5
    Registered User
    Join Date
    Nov 2001
    Posts
    215
    Ok, this is getting annoying. Despite running all the so-called fixes it has somehow managed to come back, and despite my spyware progs popping up with the prob and me 'cleaning' it, nothing happens, it still comes back. Bloody spyware bastards. Looks like I have to reformat, as nothing has worked for the last 4 hours.

  6. #6
    Registered User
    Join Date
    Oct 1999
    Location
    River Falls, WI
    Posts
    2,433
    If you are familiar with the registry you can try looking for a run command. It's possible you have a variant, as was pointed out, and it's executing itself on startup.

    In XP check HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

    You are looking for an unfamiliar program.

    If you see something you are not sure what it is, you will be able to find a path to where that program is. Check it out...

    If you are not sure what it is... export or copy the key to make sure you have a backup of it. Then delete it to make sure it's not in the registry. Run your scans and reboot. Hopefully you can find it.



    If you are not comfortable with the registry you can try running MSConfig from the Run line and turning off any startup programs you are unsure of.

    Good luck.
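
The Run-key check described in the post above, as an added PowerShell example that is not part of the original thread: it exports both keys as a backup, then lists every startup entry with the file it points to and that file's signature status, without deleting anything. The backup folder name and the helper `Get-CommandExecutable` are assumptions made for illustration.

```powershell
# Added example: read-only audit of the two Run keys named in the post above.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Assumption: backups go to a folder under the user profile.
$backupDir = Join-Path $env:USERPROFILE 'RunKeyBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Hypothetical helper: pull the executable path out of a startup command line.
function Get-CommandExecutable {
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($c -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { $exe = $Matches[1] }
    else { $exe = ($c -split '\s+')[0] }
    # Bare names such as "rundll32.exe" are resolved through PATH.
    if ($exe -and $exe -notmatch '^([A-Za-z]:|\\\\)') {
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        if ($found) { $exe = $found.Path }
    }
    return $exe
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Export the key before anyone edits it, as the post advises.
    $regPath = $key -replace '^(HK[A-Z]+):', '$1'
    $backup  = Join-Path $backupDir (($regPath -replace '\\', '_') + '.reg')
    & reg.exe export $regPath $backup /y | Out-Null

    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $exe     = Get-CommandExecutable $command
        $onDisk  = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $status  = if ($onDisk) {
            (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString()
        } else { 'FileNotFound' }
        [pscustomobject]@{
            Key = $regPath; Name = $name; Command = $command
            File = $exe; Signature = $status
        }
    }
}

# Unsigned or missing files are leads to investigate, not proof of infection.
$report | Sort-Object Signature, Key | Format-List
Write-Host "Backups written to $backupDir"
```

Run it from an elevated prompt on the affected account so that the HKCU results belong to the user who sees the tray pop-up.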

  7. #7
    Registered User
    Join Date
    Nov 2001
    Posts
    215
    Tried all that. I've tried everything I have found on the net to try and get rid of it but nothing does, and if I think it has, it then comes back.

    My comp is also running slower now too

  8. #8
    Registered User
    Join Date
    Oct 1999
    Location
    River Falls, WI
    Posts
    2,433
    I wonder if it disguised itself as a system file.

    Do you get any kind of issues in safe mode?

  9. #9
    Registered User
    Join Date
    Nov 2001
    Posts
    215
    It shows up in safe mode too

  10. #10
    Registered User
    Join Date
    Oct 1999
    Location
    River Falls, WI
    Posts
    2,433
    Quote Originally Posted by houllier*
    It shows up in safe mode too

    Oooh, it buried itself good.

    If it replaced a system exe a repair may get it. I wish I could help more but it sounds like you have done everything I would have.

  11. #11
    Registered User
    Join Date
    Nov 2001
    Posts
    215
    So even a format might not get it?

  12. #12
    Registered User
    Join Date
    Oct 1999
    Location
    River Falls, WI
    Posts
    2,433
    Here is a link to symantec http://securityresponse.symantec.com...arestrike.html

    You could manually remove the keys and rename the .dlls to something you can remove later.

  13. #13
    Registered User
    Join Date
    Nov 2001
    Posts
    215
    How do I manually remove them?

  14. #14
    Registered User
    Join Date
    Oct 1999
    Location
    River Falls, WI
    Posts
    2,433
    Follow the path to the keys outlined in the article and right click delete.

    Just make sure you are deleting the proper key.

    However, none of this will work until you remove or rename all the files listed in the first part of the article.

  15. #15
    Registered User
    Join Date
    Nov 2001
    Posts
    215
    You mean the

    %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\SpywareStrike 2.5.lnk
    %UserProfile%\Desktop\SpywareStrike.lnk

    Stuff?

    They will be hidden files then? I just remove the folder?

    And how do I get access to the registry to remove the second lot of stuff like

    HKEY_CLASSES_ROOT\AppID\SpywareStrike.EXE

    ?
