Hijack this log- Spywarestrike? -please help


Post by Chinadave » January 6th, 2006, 6:28 pm

First, the messages: that fake 'Windows Update' one. This one is headed 'System Intrusion Detected!' and points to fake spyware removal downloads. Also I get the 'New Hardware Detected' wizard appearing, and coming back after I cancel it; the hardware in question is 'unknown', and no hardware has been added.

I've run Adaware, AVG, Spybot, Trojanhunter, and finally Smitrem, and they get nothing. At first I thought the culprit was a program called 'Spywarestrike', which I deleted, but the problem continues. Below is my hijackthis log. Please help if you can!

Logfile of HijackThis v1.99.1
Scan saved at 22:03:44, on 06/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Compaq\Easy Access Keyboard\MMUSBKB2.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Windows\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Helen\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\System32\hpF5EC.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Easy Access Keyboard] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://212.219.27.145/qp2.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37510.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CD92476-0532-47B2-99D0-8DA0D3A2B54E}: Domain = scop.ac.uk
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\Windows\SYSTEM32\ZoneLabs\vsmon.exe
Chinadave
Active Member
 
Posts: 7
Joined: January 6th, 2006, 6:07 pm

Post by ChrisRLG » January 6th, 2006, 6:47 pm

Hi, I have moved your topic to this special room for dealing with this new infection.

It looks like you have a new variant of SpyAxe, or similar.

==============

You have a number of files that we would like copies of - to check out and play with.

1. Using Windows Explorer, locate the first file you want to zip:

C:\WINDOWS\System32\hpF5EC.tmp

2. Right click on the file and select "Send To" and "Compressed (zipped) Folder".

3. Then locate and right click on:

C:\windows\system32\netwrap.dll

4. Select "Copy".

5. Right click on the compressed folder and select "Paste". The copied files will be compressed and pasted in.

Note that the folder should have 2 files in it if you found them all.

6. Right click on the zipped folder and select "Explore".

7. In "File" menu select "Add a Password". Enter the password infected and confirm the password.

8. Please email to cjwd-sub AT hostingatessex.com (Please replace the 'AT' with an '@' )

Please copy the following to the email and attach the zipped file(s) :

The password is "infected".
The thread is found here. http://www.malwareremoval.com/forum/viewtopic.php?t=6322

Paste it in the text field.

And send, please.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by ChrisRLG » January 6th, 2006, 7:20 pm

It's getting too many to 'hide'.

Have created a new room - just for the new infection.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by Chinadave » January 6th, 2006, 7:49 pm

Email sent... but the first file you asked for isn't there; it was recorded as (file missing). I just searched the hard disk and it's not on there.
Chinadave
Active Member
 
Posts: 7
Joined: January 6th, 2006, 6:07 pm

Post by ChrisRLG » January 6th, 2006, 7:58 pm

Thank you, file received safely.

I will pass it to some experts to dissect.

=======================

File netwrap.dll - uploaded to malware-research for those experts who wish to grab a copy. Was beaten by Mo - she had already got a copy uploaded.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by Chinadave » January 7th, 2006, 7:03 am

Ta very much. I may have jumped the gun a little: I followed links to TC's advice to someone else, and deleted netwrap.dll before startup using HijackThis. The fake 'security warning' is now gone, but the 'Found New Hardware Wizard' still appears a few times, saying it will help me install files for 'unknown'. I haven't seen this problem in other people's posts, but I don't think I'm adding hardware in my sleep or anything...

PS Have you ever considered the direct approach? The work you guys do is great, but maybe you could use your hi-tech skills to track down the people that make this stuff and kick them until they promise to stop.
Chinadave
Active Member
 
Posts: 7
Joined: January 6th, 2006, 6:07 pm

Post by Chinadave » January 7th, 2006, 7:09 am

Also, having followed the first part of TC's advice (deleting netwrap.dll), oddly I can't open that forum page now, so I can't read the second part. I guess there's a moral there, but if anyone could copy and paste it here so I can check that it applies to me that'd be great.
Chinadave
Active Member
 
Posts: 7
Joined: January 6th, 2006, 6:07 pm

Post by ChrisRLG » January 7th, 2006, 7:15 am

Chinadave wrote: PS Have you ever considered the direct approach? The work you guys do is great, but maybe you could use your hi-tech skills to track down the people that make this stuff and kick them until they promise to stop.

Some forums do provide a means to 'have a go' at the suppliers of this malware.

BUT, they also leave themselves open to legal process from the people they target.

Often the people who push this, are not the providers of the 'software' but affiliates who get commissions for getting people to buy.

The best advice I can give is to read up on two sites.

Spyware Warrior, for its rogue anti-malware lists.
http://www.spywarewarrior.com/

and Carma.
http://www.carmainc.org/

Both can be found from the ASAP Member list at the top of the forum.

This post by Nick (one of our Teachers) - is also worth considering.
http://malwareremoval.com/plog/index.ph ... 5&blogId=3

The owners and main admins of this site are UK based, so dealing with legal issues in the US is not easy for us. We have therefore left this to other sites within the ASAP network.

Our prime aim is to provide a University to train those who help on those ASAP (and other) forums, assisting victims of all malware. The rooms and activity you can see at MWR are only a tenth of what goes on within the University hidden rooms.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by Chinadave » January 7th, 2006, 7:30 am

Maybe I'll have to wait until the courts outlaw general nastiness then...

Has anyone else you know of got the 'Found New Hardware' message? It acts just like it does when something random is plugged into the computer; it also claims to find some when I run 'Add Hardware' in Control Panel. Having got rid of netwrap, I'm running anti-spyware programs again to try to get anything obvious that's been introduced...
Chinadave
Active Member
 
Posts: 7
Joined: January 6th, 2006, 6:07 pm

Post by ChrisRLG » January 7th, 2006, 8:07 am

No - no one has reported that.

BTW, we have found one of the websites that is installing this malware. We will not be providing a link, but all those with access to the hidden malware research area can pick up the link in the Spywarestrike topic. Copies of the installer are also available for download.

I will install that tonight in a VPC window - so I can play :)
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by LDTate » January 7th, 2006, 10:18 am

Chinadave wrote: Also, having followed the first part of TC's advice (deleting netwrap.dll), oddly I can't open that forum page now, so I can't read the second part. I guess there's a moral there, but if anyone could copy and paste it here so I can check that it applies to me that'd be great.
Are you saying you're not able to open the TomCoyote forum? Not sure what you mean by the second part?
LDTate
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Post by Chinadave » January 7th, 2006, 12:37 pm

Don't worry, that was an internet connection issue, I think; I can get to it now. My computer looks to be clean now, except for the whole new hardware thing.
Chinadave
Active Member
 
Posts: 7
Joined: January 6th, 2006, 6:07 pm

Post by ChrisRLG » January 7th, 2006, 6:57 pm

The expert has come up with the latest fix for this. Please visit this site,
which comes complete with simple instructions and pictures to help remove SpyAxe/Spywarestrike from your computer.

http://malwareremoval.com/plog/index.ph ... 8&blogId=3

Follow the instructions in Nick's site, then scan once more with HijackThis and paste the log to this thread.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by ChrisRLG » January 15th, 2006, 4:09 pm

Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed; if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK