Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Post by monkeymedics » January 6th, 2006, 2:45 pm

Hi guys, I have just found your site (and read your rules) - hoping not to screw up....

I have run Spybot, Ad-Aware, McAfee and still cannot get rid of this SpywareStrike.. I am currently running the A2

I am following the other thread with the guy with the similar problem so you may direct me to copy his actions...

However I thought I would post my log... in case you saw anything else that could be harmful...

(yesterday when I was hit by this problem, I could barely find a mention of SpywareStrike on the web - and all the info was dated 05,01,06 Today it seems to have spread further.....)

PS feel free to criticize the crap I have on there, this laptop runs like a one-legged leper.... (apols to any Olympic one-legged lepers reading this)!

Logfile of HijackThis v1.99.1
Scan saved at 11:26:10, on 06/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\McAfee.com\VSO\mcshield.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\SpywareStrike\SpywareStrike.exe
C:\Program Files\SpywareStrike\SpywareStrike.exe
C:\Documents and Settings\personeluser\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\personeluser\Application Data\Mozilla\Profiles\default\t3m6zi8g.slt\prefs.js)
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hpC770.tmp
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [MSN Update] dllcon.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {10000001-1001-1001-1000-000000000000} - file://C:\Program Files\Internet Explorer\YglwKv.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.0.8.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://uk.msnusers.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4866421958
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Active Member
Posts: 9
Joined: January 6th, 2006, 2:31 pm
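
An added example, not part of the original posts or of HijackThis itself: a small Python triage pass over a log in the format posted above. The rules and the `WATCHLIST` are assumptions for illustration (the two names are the files the helpers ask about in this thread); a hit marks an entry for a closer look and is not a verdict.

```python
import re

# One HijackThis entry: section code, " - ", then the entry body.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Assumption: names taken from the files the helpers ask about in this thread.
WATCHLIST = ("spywarestrike", "yglwkv.exe")

# Constructed sample: seven lines copied from the log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hpC770.tmp
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [MSN Update] dllcon.exe
O16 - DPF: {10000001-1001-1001-1000-000000000000} - file://C:\Program Files\Internet Explorer\YglwKv.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

def parse(log_text):
    """Return (code, body) per entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def reasons(code, body):
    """Illustrative review rules (assumptions, not HijackThis's own logic)."""
    low = body.lower()
    found = []
    if any(name in low for name in WATCHLIST):
        found.append("named in thread")
    if low.endswith(("(no file)", "(file missing)")):
        found.append("orphaned entry")
    if code == "O16" and " - file://" in low:
        found.append("DPF installed from local file")
    if code == "O2" and low.endswith(".tmp"):
        found.append("BHO module is a .tmp file")
    # Run value whose command carries no directory at all
    if code == "O4" and "run: [" in low and "\\" not in body.partition("] ")[2]:
        found.append("Run command has no path")
    return found

def triage(log_text):
    """Return (code, body, reasons) for every entry that matched a rule."""
    hits = []
    for code, body in parse(log_text):
        why = reasons(code, body)
        if why:
            hits.append((code, body, why))
    return hits

if __name__ == "__main__":
    for code, body, why in triage(SAMPLE_LOG):
        print(f"{code:<4}{'; '.join(why):<48}{body}")
```

The "no path" rule also matches ordinary entries in the full log such as `nwiz.exe` and `pctspk.exe`, which is why the output is a review list rather than a removal list.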

Post by Rogue » January 6th, 2006, 3:54 pm

Hi monkeymedics,
Welcome to the Malware Removal forums. I will be more than happy to help you work on your problems.
Please give me some time to review your log as this can be a lengthy process. As soon as a MR Staff Member reviews my fix, I will post it for you.
In the meantime, if any problems occur, please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you’re unsure of anything at all please stop and ask!

ninjaman2006, as these fixes are specific to each machine, please post your HJT log in its own topic and someone will help you.

MRU Teacher Emeritus
Posts: 4782
Joined: November 3rd, 2005, 3:21 pm
Location: Salt Lake City, Utah

Thanks Rogue

Post by monkeymedics » January 6th, 2006, 4:50 pm

From what I have read on your "new to board" pages... is that I shouldn't run McAfee and Avast together as they can interfere with each other...

Which should I dump?

Also should I disable the XP SP2 firewall, and Telus firewall (Canadian broadband and phone provider) and run a free one instead?
Active Member
Posts: 9
Joined: January 6th, 2006, 2:31 pm

Post by ChrisRLG » January 6th, 2006, 5:49 pm

This looks very new - so I may move this topic to a special room - you will still have access - but we will hopefully be able to get a few more experts working with it in more privacy.


You have a number of files that we would like copies of - to check out and play with.

1. Using Windows Explorer, go to . Locate the first file you want to zip.


2. Right click on the file and select "Send To" and "Compressed (zipped) Folder".

3. Then locate and right click on

C:\Program Files\Internet Explorer\YglwKv.exe

4. Select "Copy".

5. Right click on the compressed folder and select "Paste". The copied files will be compressed and pasted in.

6. Repeat steps 3. to 5. for the following files

C:\Program Files\SpywareStrike\SpywareStrike.exe (Plus any other files in that folder)

Note that the folder should have 3+ files in it if you found them all.

7. Right click on the zipped folder and select "Explore".

8. In "File" menu select "Add a Password". Enter the password infected and confirm the password.

9. Please email to cjwd-subAThostingatessex.com (Please replace the 'AT' with an '@' )

Please copy the following to the email and attach the zipped file(s) :

The password is "infected".
The thread is found here. http://www.malwareremoval.com/forum/viewtopic.php?t=6305

Paste it in the text field.

and send please.
Administrator Emeritus
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by noahdfear » January 6th, 2006, 6:05 pm

Hi monkeymedics,

Please open a blank notepad and copy the bolded text below, just as it appears, then paste it into the blank notepad.

dir %windir%\system32 /a:-d /o:-d >files.txt

Close it, saving it to the drive root (Local Disk C:) as;

Filename: files.bat
Save As Type: All Files

Double click the file to run it. It will create files.txt, also in C:
Please copy the information in that log for all files dated in the past 30 days here. They will be at the top of the list.
Visiting Expert
Posts: 49
Joined: September 25th, 2005, 5:30 am
Location: New Knoxville, OH. USA
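
An added example, not from the original post: filtering a saved `files.txt` down to the entries dated in the past 30 days. It assumes the day/month/year date order seen in the HijackThis header above (`06/01/2006` for January 6th); the listing and its `sample_*` file names are constructed.

```python
import re
from datetime import date, timedelta

# A file row of `dir` output: date, time (optional AM/PM), size, name.
ROW = re.compile(
    r"^(\d{2})[/.-](\d{2})[/.-](\d{4})\s+\d{1,2}:\d{2}(?:\s?[AP]M)?\s+[\d,.]+\s+(.+)$"
)

# Constructed listing in the shape produced by: dir %windir%\system32 /a:-d /o:-d
SAMPLE_DIR = r"""
 Volume in drive C has no label.
 Directory of C:\WINDOWS\system32

06/01/2006  11:02            45,056 sample_a.dll
28/12/2005  09:15            12,288 sample_b.exe
10/12/2005  17:40           102,400 sample_c.dll
01/12/2005  08:00             8,192 sample_d.dll
04/08/2004  12:00           359,040 sample_e.exe
               5 File(s)        526,976 bytes
"""

def recent_files(dir_text, scan_date, days=30, day_first=True):
    """Return (modified_date, name) for files changed within `days` of scan_date.

    `dir` prints dates in the machine's regional format, so the caller must say
    whether the first field is the day (UK style) or the month (US style).
    A wrong choice usually surfaces as a ValueError on an impossible month.
    """
    cutoff = scan_date - timedelta(days=days)
    hits = []
    for line in dir_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # volume header, directory line, totals
        first, second, year, name = m.groups()
        day, month = (first, second) if day_first else (second, first)
        modified = date(int(year), int(month), int(day))
        if cutoff <= modified <= scan_date:
            hits.append((modified, name))
    return hits

if __name__ == "__main__":
    for modified, name in recent_files(SAMPLE_DIR, date(2006, 1, 6)):
        print(modified.isoformat(), name)
```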

Post by ChrisRLG » January 6th, 2006, 7:20 pm

Is getting too many to 'hide'

Have created a new room - just for the new infection.
Administrator Emeritus
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

hi guys !

Post by monkeymedics » January 6th, 2006, 7:39 pm

Jeez - how to make a guy feel like he is bleeding out of his nipples !!!

ok - sorry for the delay, will start working on your instructions right now....
Active Member
Posts: 9
Joined: January 6th, 2006, 2:31 pm

can't find!

Post by monkeymedics » January 6th, 2006, 7:51 pm

The first file you were interested in cannot be found

It doesn't seem to be listed under Windows Explorer... /syst 32...

I also tried searching for it using the search on my startup using


Could it be hidden or could one of my anti virus, maybe the A2 found it whilst it was running ???

Will continue to work on others

Thank you for all your help guys!
Active Member
Posts: 9
Joined: January 6th, 2006, 2:31 pm


Post by monkeymedics » January 6th, 2006, 8:12 pm

I am having no luck in locating the next file either...

Either by going through Windows Explorer, or cutting and pasting the C:\Program Files\Internet Explorer\YglwKv.exe to my searcher on my start menu.....

I am 99 % sure I am doing this right.....

However this second file name looks familiar and I think it might have got scrubbed by one of the earlier run applications....

I could reboot if you wish.... as this seems to restore itself very easily
Active Member
Posts: 9
Joined: January 6th, 2006, 2:31 pm

Post by Nellie2 » January 6th, 2006, 8:19 pm

If you could reboot and search for the files before you run any applications that would be good, make sure you have hidden files viewable

Reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Could you also post the log that Noahdfear has requested here
Administrator Emeritus
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK

Post by ChrisRLG » January 6th, 2006, 8:21 pm

Well we do need copies of the files - but we are not the only forum working on this, and copies of what we believe are all the files in the chain are with the experts now.

One sure method of removal is if you have a dual boot system, booting from the other drive would allow you to delete all the files etc without problems (assuming they are both NTFS type systems like win2k and winXP.)

I have copies myself, but my expertise is teaching not dissecting malware.

When we have a fix (probably from noahdfear who wrote the spyaxe one) I will offer to do some testing for them, before we give to any victims.
Administrator Emeritus
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by monkeymedics » January 6th, 2006, 8:24 pm

I guess I will need a couple of minutes to turn off all my anti virus stuff so it doesn't start running upon reboot....

Got a beer, got the Kings of Leon on the stereo.... and if I had an army helmet I would be wearing it ......

PS (would playing noughts and crosses really fast help) ????.... oh...
Active Member
Posts: 9
Joined: January 6th, 2006, 2:31 pm

hmm.... sorry I am not being much help...

Post by monkeymedics » January 6th, 2006, 9:01 pm

I have rebooted..... but I think like someone else the A2 has got rid of the actual SpywareStrike....

I can no longer find on my system
C:\Program Files\Internet Explorer\YglwKv.exe
C:\Program Files\SpywareStrike\SpywareStrike.exe

However I still have my homepage hijacked... by the SpywareStrike homepage and I have the instruction bubble going off like a dripping tap....

I will continue with the other instructions you guys have already given.....

Let me know if there is anything else I can do....
Active Member
Posts: 9
Joined: January 6th, 2006, 2:31 pm

Post by monkeymedics » January 6th, 2006, 9:05 pm

I can no longer open my notebook since I posted my hijack log to it.....

Yes I have since rebooted..... hmmmm
Active Member
Posts: 9
Joined: January 6th, 2006, 2:31 pm

Post by LDTate » January 6th, 2006, 9:08 pm

Do you mean NotePad?
If so, you can download NotePad from here: Get the correct version.
http://www.richardthelionhearted.com/?u ... earted.com
WTT Teacher
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA