Help needed with last traces of Spyware Strike

Byron172 Adelaide, South Australia Member
edited February 2006 in Spyware & Virus Removal
Hi there,
Tomorrow morning (about 14 hours from now) I will be attempting to remove the last traces of Spyware Strike from a friend's computer. I have already run the SmitRem tool and deleted wiatwain.dll (using the command prompt in safe mode). I was wondering if anyone could assist with any further advice from here, as his system is still running slow and I believe I probably haven't totally destroyed the little sucker.
Task manager is now functioning and the annoying message from the taskbar has gone, however I may need some help with HijackThis Log Files etc.
I have app/exe files on disk for Adaware SE (latest edition), Killbox, Ewido, SpywareBlaster, Spyware Doctor, Shortcut to Live PandaScan, Hijack This and Microsoft Anti Spyware (beta version).
Any advice or assistance will be much appreciated.
Cheers,
B

Comments

  • Crunchie Mandurah, Western Australia Member
    edited February 2006
    The best thing for you to do would be to post a HijackThis log. Without seeing what is going on, it is a little difficult to just say "do this" or "do that."
  • Byron172 Adelaide, South Australia Member
    edited February 2006
    Unfortunately plans changed, so I won't get to his computer till early next week. When I get a HJT log file I will post details. Thanks for the quick reply.
  • Crunchie Mandurah, Western Australia Member
    edited February 2006
    We be here :D.
  • Byron172 Adelaide, South Australia Member
    edited February 2006
    Hi Crunchie,
    I have managed to get a HJT log file from my mate's computer and was just wondering if you (or anyone else) would be happy to have a look for me.
    I have recently been tackling "Spyware Strike" and I'm hoping I've removed all traces; your opinion would be greatly appreciated:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:40:08 PM, on 2/4/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    D:\PROGRA~1\avgamsvr.exe
    D:\PROGRA~1\avgupsvc.exe
    D:\PROGRA~1\avgemc.exe
    C:\WINNT\system32\Brmfrmps.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\WINNT\System32\pctspk.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    D:\PROGRA~1\avgcc.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\iRiver\HSeries\iHPDetect.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\Mark\Desktop\Spyware Removers\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swellnet.com.au/loc_report.php?region_id=19&state_id=4
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
    O4 - HKCU\..\Run: [adobemgr] C:\WINNT\system32\adobemgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.billingnow.com
    O15 - Trusted Zone: http://*.reliablestats.com
    O15 - Trusted Zone: http://*.winantispyware.com
    O15 - Trusted Zone: http://*.winnanny.com
    O15 - Trusted Zone: http://*.winsoftware.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138328641618
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\avgemc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
  • Crunchie Mandurah, Western Australia Member
    edited February 2006
    The following are the only ones I would remove.

    ===============

    Scan with HiJackThis, then check (tick) the following, if present:


    O15 - Trusted Zone: http://*.billingnow.com
    O15 - Trusted Zone: http://*.reliablestats.com
    O15 - Trusted Zone: http://*.winantispyware.com
    O15 - Trusted Zone: http://*.winnanny.com
    O15 - Trusted Zone: http://*.winsoftware.com


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    What problems are being experienced on the PC?
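Added example, not code from the thread or from HijackThis itself: a small Python parser for the `Xn - ...` lines of a HijackThis log that pulls out the O15 Trusted Zone entries Crunchie singled out, so a helper can compare them against a known-good list before ticking anything. The sample log lines are condensed from the log posted above; the allowlist is a constructed assumption.

```python
import re

# Condensed from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.swellnet.com.au/
O4 - HKLM\\..\\Run: [AVG7_CC] D:\\PROGRA~1\\avgcc.exe /STARTUP
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.winantispyware.com
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\\PROGRA~1\\avgupsvc.exe
"""

# Every HJT finding has the shape "<section> - <body>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(?:https?://)?(?P<host>\S+)$")


def parse_hjt(text):
    """Group the log's finding lines by section code: {'O15': [body, ...], ...}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m["section"], []).append(m["body"])
    return entries


def trusted_zone_hosts(entries):
    """Host patterns that have been added to IE's Trusted sites zone (O15 lines).

    Sites in the Trusted zone run with relaxed IE security settings, which is
    why rogue "anti-spyware" installers add their own domains there.
    """
    hosts = []
    for body in entries.get("O15", []):
        m = TRUSTED_RE.match(body)
        if m:
            hosts.append(m["host"])
    return hosts


def unexpected_trusted_zones(entries, allowlist=()):
    """O15 hosts not on the allowlist. On a home PC the allowlist is usually empty,
    so every entry returned here is one the owner did not knowingly add."""
    return [h for h in trusted_zone_hosts(entries) if h not in allowlist]


if __name__ == "__main__":
    for host in unexpected_trusted_zones(parse_hjt(SAMPLE_LOG)):
        print("review O15 entry:", host)
```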
  • Byron172 Adelaide, South Australia Member
    edited February 2006
    Hi Crunchie,
    Thanks for examining the Log File for me. I have gone ahead and deleted the files as you suggested.
    The PC has not been experiencing any specific problems since I removed the Spyware Strike trojan; I just wanted to be completely sure I had got the little sucker. The system has been a little slower ever since I removed the malware, but this is probably to do with the extra software I have installed in the process. I really appreciate your time and effort on this one.
    Do you think all is good from here?
  • Crunchie Mandurah, Western Australia Member
    edited February 2006
    If you are concerned, you can run Silent Runners to see if there is anything that HijackThis missed.

    Go here, download and then run Silent Runners.vbs. It generates a log. Please post the information back in this thread.
    If you have a script blocking program, please allow the file to run. It is not malicious.