SpywareStrike

What do you mean by...
"6. edit c:\windows\system32\drivers\etc\hosts to add the line "127.0.0.1 spywarestrike.com" (this will prevent the piece that I could not get rid of from automatically downloading the software again and again)"

I have a file in the etc folder called hosts with no extension. Do you mean just rename it to hosts 127.0.0.1 spyware strike.com ?

I been trying to remove SPYAXE since January 3, 2006. I tried spybot, adaware, and Microsoft antispyware. Nothing worked. I went and did searches and using "SPYAXE and Removal". I did what each site had posted and still couldnt get rid of it. Then another error came up called SPYWARESTRIKER or something like that. After hours and hours of looking through files I finally found the installers to SPYAXE and the SPYWARESTRIKER in C:\windows\temp. I rearranged the icons in the temp folder and saw what I had installed on the January 3. I deleted everything and now the popups and SPYAXE is gone.

Spyware doctor gets rid of it but trouble is you gotto buy it lol

This was the most irritating thing that I've ever had to remove from my computer. That stupid bubble that popped up in the tray nonstop pissed me off so much. I finally removed it after many failed attempts (deleting registry entrys, system restore, virus scan etc. etc.) it was pretty simple in the end, if you want to find out how paypal 5 dollars to [email protected]...

Just kidding, download ewido security suite at:
http://www.ewido.net/en/download/ update it and run a full scan. When it asks if you want to clean the first file, check the box in the lower left corner that says 'Perform action with all infections' then choose clean and click OK.

Triedto do this " 3. Delete the file netwrap.dll from the \windows\system32 directory." ,but it was in use by another program. Logged on as another user where spyware strike did not show and deleted the dll file. changed back to the user that was infected and no longer saw that annoying bubble.

[b]Please read these instructions carefully and print them out! Be sure to follow ALL instructions![/b]

Please print out or copy these instructions\tutorials to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Download SmitRem.exe ďż˝ noahdfear from one of these sites to your Desktop.
http://www.downloads.subratam.org/smitRem.exe

Double-click the [b]smitRem.exe[/b] and it will extract the files to a smitRem folder on your Desktop.

Please download the trial version of [URL=http://www.ewido.net/en/download/]ewido anti-malware 3.5[/URL]. Install ewido anti-malware 3.5 and start the program from the icon on your desktop, then check for and download updates. [B]Don't Run Yet.[/B]

Reboot to [B]safe mode[/B]

Next, please reboot your computer in [b]Safe Mode[/b] by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press [b]F8.[/b]
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in [b]Safe Mode.[/b]

logon to your user account.
Open the smitfraud folder, then double click the [B]RunThis.bat[/B] file to start the tool. Follow the prompts on screen. When the tool completes:

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a [B]Check[/B] in the box on the left side on these:
[B]
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
[/B]

Close [B]ALL [/B]windows and browsers [B]except[/B] HijackThis and click [B]"Fix checked"[/B]

Open Ewido Security Suite[LIST]
[*]Then please run Ewido, click on the Scanner run a [b]full scan [/b]and let [*]it clean everything it finds.
[*]Once the scan has completed, there will be a button located on the bottom [*]of the screen named
[*]Click Save report
[*]Save the report to your desktop
[/LIST]

In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info" if present.

You should be clean of the infection now.

I have also found that a file called sa22.exe is part of the stuff that spywarestrike installs.
Also look for a directories called crystalysmedia (with associated program h91746.exe); apperently installed by spywarestrike.
I also noticed the website popentertain coming up while spywarstrike was running.
I have also found contacts to two websites
66.117.37.7
and 85.255.113.214 where a program gdnus2296.exe gets installed. I don't allow the running of any programs but this one apperently did run anyways.
Norton AV also found ibbenpmd.exe (a dialer).

I have just used ewido and it almost worked. It got rid of evrything except the anoying pop up.
I re-started my computer and loged in on another username (which was not infected) and deleted the netwrap.dll file and everything called spywarestrike.
Fingers crossed it has worked!

Earl, he means open the "hosts" file using WordPad and adding that line. The "hosts" file is a text file, like config.sys or other files that are used by various programs that read them... they don't have the .txt or .doc on the end, but if you double click a file with no extension in Windows it will open a dialog box that offers you a range of possible programs to open the miscellaneous file with. In this case use a text editing program, and be sure to use the "Save" command, not "Save As..." because it needs to be saved in the same file format with the same name. (At the most simple level you can use the C:\WINDOWS\system32\edit.com program to edit them.) Do not rename the file, just add a line of text inside it.

I've been trying to get rid of SpywareStrike all night now. The info here has been helpful but more info is needed. What someone needs to do is set up a "quarantined" computer (swap in an alternate HD to boot with if you have any old 10 GB drives lying around) with a program that logs all file and registry changes (or compares all changes from one point in time against a past point in time), then run SpywareStrike and observe all changes it makes and what net activity it does... then we'll have a better idea about what it's doing.

Hey... if you're told to to pay $49.99 with a credit card by the software, can't the place the money goes and who uses that money be traced? Follow the money.

I have a file directly linked to this SpyStrike crap, it's called mssearchnet it has a yield sign logo, i believe its the program that downloads the stupid malware after you delete parts of it. It's located in C:\WINDOWS\System32\mssearchnet (Just go down to the M section in the folder since it's alphabeticaly ordered and look for the Yield sign) I haven't figured out how to remove it yet, Ewido detects it but cannot remove it. The program starts runing right on startup, and cannot be trminated because it automaticaly starts up when u end it. I'v tryed cuting and whiping it from memory but that doesnt work either... if you figure out how to get rid of it plz post to others. Im formating my HD now it was rescently formated soo might as well do it again theres nothing on it.

This is how I got rid of infection and the flashing red "virus alert" icon.

1) Got Webroot Spy sweeper, whcih got rid of all the dodgy exe file from the windows regietry. Guess you can do it manuelly buy folowing the step above.

2) The flashing icon.
It seems to work through windows media player and aniti spyware software an't get rid of it. What I did was uninstall Media player 10, restore the system to back before infection. And then reinstall Media player. It worked perfectly.

Becareful about restoring the system if you new to it as you might lose some files or programs.

I tried to add the line to the host file. Hit Save as told but told I couldn't save it, then the save as dialog boxes opens.

I deleted mssearchnet file last night and STILL get spywarestrike reinstalled again and again, still get the popup, can't check my msn email accept in safe mode, block the spywarestrike.com website, still get it as my home page. I'm going freakin' crazy with this thing. Nothing is working. :(

Ah i have found a way to remove this shit quickly, get ewido anti-malware (i dono the link u can google it) and install then update and scan
remove everything it detects.

then download spybot search and destroy of downoald.com and run that puppy. It finds all those hidden files that dont seem to wana go away when we delete them. Then it should say some problems need to be fixed after restarting ur system. Click allow spybot to run after system restart. This will make the spybot run before ur windows explorer is loaded and any of those psky programs start. Spybot deletes all that crap and youre clean!!!

I have Windows 2k and when i go onto safe mode to delete netwrap.dll it says the file is in use? how am I supposed to delete it now? all that is left, is the icon on the toolbar

Honestly, this whole situation is outrageous. Computers running Windows are becoming more of a liability than a benefit to people. Business is being slowed down, people are being suckered for money and personal information, losing time on work projects, school, etc.

What has to happen is that legislation needs to be passed in the United States to force Microsoft to allow serious changes to it's Windows operating system to make it safer the way UNIX operating systems are safer. In fact, an independent group of programmers should be paid to do this work because Microsoft can not be trusted to do it themselves, they are incompetent and and have a philosophical approach to programming and software development that is seriously flawed. If Microsoft will not accept this than they should be fined for billions of dollars in damages and forced to comply.

Corporations, the government, and individuals have been put at risk because Microsoft's operating Systems are fundamentally insecure.

Free Updates/Patches for ALL Microsoft Operating Systems (Windows 3.1 thought XP and beyond) must be available right away to deal with things like the media file security flaw (remember when code could be executed in e-mail messages because they could contain Visual Basic scripts? Was Microsoft INSANE? Now we have the same problem with WMF files - a problem that could have been predicted. Microsoft is fundamentally incompetent. They should not be trusted with the technological security of the nation, let alone the world.

People also need to know that Microsoft Internet Explorer is FUNDAMENTALLY UNSAFE for web browsing. Using "Mozilla Firefox" for we browsing is so much safer than ever using "Microsoft Internet Explorer" it biggles the mind. Kids and adults are using computers at home and surfing the web with Internet Explorer instead of Mozilla Firefox and their computer is very quickly infected with spyware, adware, loaded up with "menu bars" that claim to offer useful services but are in fact malicious or at least of dubious value. Porn, solicitations for Credit Card information, etc is soon all over the computer... it is absolutely outrageous.

Those of us who appreciate big business can still see that this is a liability and a problem... just like spam, malware/adware/etc companies may claim they are "entrepreneurial" but they are really simply dishonest and taking advantage of Microsoft's insecure Operating System and applications.

This has to stop. Contact your senator, congressman, or state representative and ask them to put a bill before congress to hold Microsoft completely responsible for all of this.

Nothing is STILL working. I've tried ewido. I've tried spybot 1.4, I've tried Norton. I've deleted mssearchnet.exe. I've deleted all references to spywarestrike in the registry. I've done all of these things in regular mode AND in Safe mode, and I still have the annoying pop-up, I still have the hijacked web browser, and I still get spywarestrike automatically reinstalled on my computer. I'm happy for those of you who have been able to get rid of this thing, because it's still making ME crazy.

Removal of Spyware Strike

-----

Run ewido (fully updated), run Spybot search and destroy.
Change settings in Spybot to run a scan at startup.

-------

It seems to have ffectively rmoved all components of Spyware Strike

----

MNO

Stop annoying popup balloons until removed...
This won't remove anything, but will stop the annoying balloon popup in the meantime...

Go to the following address:
http://www.petri.co.il/disable_balloon_tips_in_windows_xp.htm
(you might want to re-enable the popups after you have removed the nasty)

I was also able to remove SpywareStrike yesterday by using te ewido software Posted in this forum by:

Quote962000 at January 7, 2006 08:15 PM

using the 14 days free trial

Great relief!

I have spystrike and am trying to get rid of it...I ran Hijack this and did not find any entries left that mention spystrike; I did find one suspicious entry and would like to know if anyone reconizes it...here it is:
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

The file netwrap.dll seemed to be the key to my spywarestrike popup. I couldn't delete it in safe or normal mode, so I moved it to the desktop and after a couple of tries I got it to delete...no more popup. Not sure I got shed of all associated files, but so far so good. Thanks to all who posted fixes...I got suggestions from my antivirus provider, but nothing that worked...it was only through the user communities like this that I got real help. THANKS!

If you boot in Safe Mode and try to delete "netwrap.dll", it may say it will not allow you to delete it.. but then just right-click on it (the .dll file) and select "cut" in the popup window and then right click on the desktop (where there are no windows or icons) and select "paste" and the file will be moved out of the system32 folder and onto the desktop. It worked for me anyway. This got rid of the annoying popup message completely. (I had already run the SpywareStrike uninstaller, and then gone into regedit and removed every registry entry that mentioned SpywareStrike, and then rebooted in safe mode before it installed itself again). Then finally I ran ewido (http://www.ewido.net/en/download/) to give it a final kick in the ass.

Spyware Doctor (http://www.pctools.com/spyware-doctor/) is a good program but doesn't seem to completely remove the Spyware Strike trojan yet. Same thing with Symantec's Norton Utilities. Norton does seem to notice something wrong sometimes, but it can't or simply won't remove it. (Both Norton and Spyware Doctor DO seem to know about SpyAxe... just not SpywareStrike yet.)

Some of the information people gave above was confusing. While I did see "netwrap.dll", I never noticed "mssearchnet.exe", "sa22.exe", "h91746.exe", "gdnus2296.exe", "ibbenpmd.exe" or any suspicious files in any "Temp" directories. (Norton did however report that one of my Java related files was an unremovable source of a Adware downloader infection). Perhaps Norton had already removed those files I never found. I was wondering if this means that SpywareStrike does many different things to throw people off, or if people are confusing it with SpyAxe, or if it's misinformation.

The Temp directory thing may only count at a certian point in the infection process... same with the other stuff. There does seem to be a point where you seemingly remove everything and then you end up infected all over again after rebooting, unless you have blocked SpywareStrike from doing anymore downloading, and removed "netwrap.dll".

I seemed to have removed it but cant get rid of the pop up, anyone help?> I dont have the netwrap.dll file in my sys32 folder.

soma compound buy soma 1 http://yasamohuel.goldenelf.com/soma/aura_soma.html cheap generic soma buy soma http://yasamohuel.goldenelf.com/soma/soma_music.html and .... akane soma gallery akane soma purchase soma online http://yasamohuel.goldenelf.com/soma/woman_abuse.html soma medicine soma seed http://yasamohuel.goldenelf.com/soma/buying_online_soma.html soma cod generic soma and phentermine http://yasamohuel.goldenelf.com/soma/soma_smashing_pumpkins.html .Thanks.

I got rid of all but the vastly annoying pop-up bubble, but did NOT have netwrap.dll on my machine. Instead removing c:\windows\system32\wiatwain.dll seemed to do the trick -- so far anyway.

I too have the icon on my task bar. Seem to have cleaned out all the files, BUT that icon - flashing between a globe and a white x in a red circle. I can't get rid of it!!!
Each of the files listed on this page have been removed...still that freakin' icon!

Two types of People in the World, F**kers and Fixers. A Big Warm Respect to the Fixers.
That was the most annoying thing ive ever on my computer. Shouldnt that be illegal its like a protection racket. Pay us or we destroy your property.......... I think we should all take them to court get thier company disqualified and its staff all backrupted blacklisted banned bruised and busted.
One thing with the whole removal process.
Somewhere in registry ...
Local Machine - software/microsoft/windows/currentver/policies/explorer/run.....

There was three keys (before i used anytools)
Well two keys i cant remeber they looked bent pointing to the spyware nonsense i deleted them, the other was i dunno, but went to the kernal file i deleted that key too.......

For the files I use killbox made and free thanks to Option^Explicit. In safe mode it deletes any thing even if your not allowed. You can find it on google. Could be handy for Wiatwain.dll..Or the alternative netwrap.dll makes the silly icon.

SmitRem.exe ďż˝ noahdfear. This program does not mess about, it works in secs. But you will still have the annoying flashing icon. You got to delete the Wiatwain.dll or the others people mentioned....

But for my internet explorer that is 6, when it approaches windows update home page it gets told to upgrade to 6. I wonder if that was the other, the third key i deleted in reg with the kernal value.
Just some wounds left from the nasty spyware.
Ill get over it thanks for all your help.
Happy New Year to you all.

User

I want to thank everyone that added to this thread. I was battling the Spywarestriker and SpyAxe for four days before finding this web site. I did the following, and it worked.

1. I downloaded the ewido anti-malware software and ran a full system scan.
2. I downloaded the SmitRem software, extracted it, and ran it in Safe mode.

Since I had been fighting it for so long, I was convinced that the offending spyware would still be present. But, I was extremely happy when I rebooted. All of the spyware was gone.

Again, thank you for the advice and help...

Cliff

ok i spent liek 20 hours figuring this out, its a bitch thanx everyone, there is actually a solution... anyways what worked for me was using ewido antimalware, then spy bot search and destroy, then set spybot search and destroy to start upon restart. after this i deleted all the spyware strike files i could find and uninstalled it, next i downloaded killbox to delete files that cannot be deleted unless you use it and in safe mode ( it suggested anyways ) then when in safe mode find the files in the c drive/windows/system32/mssearchnet.exe , netwrap.dll 9 (i think its spelled netrap???), and also what gets rid of that nasty pop up baloon on the task bar Wiatwain.dll. when using kill box just select for it to delete upon restart. this all should work, ive wasted so much time figuring this out and i dont want anyone else to have to suffer. i hate the fuckers that made this shit, so much for homework. anyways good luck :D

i have netrap.dll, not netwrap.dll. should i get rid of this file or leave it where it is?

I got rid of netwrap.dll by booting up in safemode (command prompt) and using DOS command manually deleted it from the system32 folder. Then I started Windows again and did a system restore back to January 5th, the day before I contracted the trojan. Everything is working fine now. Microsoft just updated their antispyware and my computer did a scan tonight and found SpyWareStriker AND Spyaxe again but they were in the restore folders. MS Antispyware says it quarantined the files and so I deleted them. I am not going to take any chances so I am going to delete the restore folders, also.

Shit... I've got the yellow yield sign on one side of my taskbar, the red circle with a white x in the middle of it on the other... and both basically keep telling me that my computer belongs to terrorists... not in so many words, but essentially. Spywarestrike 2.5 keeps reinstalling itself as well.. Who the fuck would pay somebody that shot them maliciously to take the bullet out?

Anyway... I have adaware and spybot.... that's it... I'm kind of a computer numbnut... can anybody help me out? Thanks, Andrew

found a couple new unmentioned culprits....

mscornet

mssearchnet (has a yield sign logo)

they both appeared when my cpu was infected.

just a solution for the flashing icon without reailly taking it of, right click in the icon place choosee propriety,personelise and mask the virus alert, it will just disapaer from ur eyes but will stil be there

this thing blows stop using Internet Explorer use firefox and deny c:/program files/internet explorer/iexplorer.exe with a software restriction policy in the local security mmc all i can say that stopped this thing from reinstalling itself over and over (stupid hijackers) as well as since i set the security policy i havnt gotten any malware / spywae since especially since i stopped using IE which has more holes than swiss cheese

RIGHT GOOD PEOPLE I HAVE BEEN AFTER THESE BATURDS WGO CREATED THIS VIRUS AND I HAVE FIANLY FOUND THEM WE MAY NOT BE ABLE TO STOP THEM SPREADING IT BUT LETS MAKE THERE LIVES A MISERY,ABUSE THEM ON THERE SITE HERE IT IS....
http://www.nospywaresoft.com/contacts.php?sid=1marlrkckqpc3l9qqu2kavrk52

THERE U GO ...

MANY THANKS

gARY

my name is nate,
all i did was a systems retore one day back and all signs of spy stike are gone. someone tell me it cant be that easy?????

I *think* I've got rid of the latest variant (February 2, 2006) running the trial version of Prevx1. God, I hope so. Tried everything else; nothing worked; then ran this and no pop-ups, no nothing after I restarted.

if anybody is interested in joining a Class Action Lawsuit regarding this very illegal virus, please contact [email protected]

A client I just removed this for has contacted his lawyer, they just need some more information and people before they can start. It will probably be multi-national, as the affected company spans the US and Canada, and the law firm is capable of performing in both countries.

That's right, blame all of this on Microsoft.

Cuz certainly it can't be the fault of emotionally retarded, psychologically bankrupt maggots who write this code and then send it out to disrupt life as we know it for sick and pathetic kicks of sorts.

God knows it cannot be their fault that we all have to stop our day, lose valuable information, even more valuable time sitting around searching the net for help on getting our computers to function normally again.

Anyone who would write code so hell-bent on disrupting and HARMING other people's lives, businesses and cause such misery are not the intellectuals they imagine themselves to be, they are clearly by all accounts, all definitions, psychologically damaged, pubescent retards regardless of their age, IQ or ability to write a code string, they are seriously emotionally bankupt maggots of the earth.

I think they should be tracked down and their fingers snipped off with wire cutters so the next code they write will have to be done with their elbows.

People who think it's Microsoft's fault that morons like the psychological retards that write these code infect our computers are the same people so lost, so departed from any sense of right or wrong believe it is the bank's fault it was robbed, because they left the vault unlocked.

I told my son when he was a child, if you walk down the street and see the bank door open, nobody around and bags of money sitting in the floor... IS IT YOUR MONEY? NO! But believe it or not, there are emotionally scarred nitwits that somehow RATIONALIZE that if the door is open, it must mean everything inside is theirs.

The same stupidy allows some to think because Microsoft has holes in their security, that gives MAGGOTS a right to invade and destroy.

NO! Hopefully unless your mothers were gutter tramps with no sense of right and wrong. HOPEFULLY they taught you the difference between RIGHT AND WRONG and NOTHING makes sending out spyware, malware RIGHT. NOTHING makes it right to cause so many people so much misery, regardless of how many doors were left open or how many insecurities software may have.

It's not Microsoft's fault MAGGOTS ARE MAGGOTS, it's the MAGGOT'S FAULT!!!

Hello
My husband turned on the computer and sure enough. Hijacked homepage and fake alerts.
I got rid of everything but the ballon by running Hijackthis.

Don't forget to undo system restore first.

1. Going into My Computer,Folders, and clicking on Show Hidden Files, then apply to All Folders.

.2 Then I ran a scan with Hijack This. It gives you a log that you can save.

3.Since I do not know which file is good or bad,(hijackthis offers to fix it, but I did not know which files from the list to fix) I then cut and pasted this log into the free log analyzer at http://www.hijackthis.de/index.php#anl ---- it shows you right away which file is safe or bad.

4. Went back to the Hijack Scan and deleted the ones numbered though some were stubborn, but eventually deleted in safemode.

Files like: BHO,Extra button,protocol, DPF-- I don't quite remember the fullnames, but the came up on the hijack this log and I deleted them there with the fix button.

5. I put the computer into safe mode and then I went and deleted the bad files that the analyzer showed:

Windows/System 32: nvctrl.exe,msssearchnet.exe, hpcf85.tmp(the nastiest and hardest one for me to remove)

6.Rebooted out of safe mode, put the files back to hidden, put on system restore.

NOw I just have to figure out how to get rid of the annoying balloon as I do not have any of the files talked about.

Dawn