CastleCops, Internet Crime Fighters
Spyware: SpywareStrike, a clone SpyAxe blackhole
Hassle
2006 is a year that just gets better and better. Various agencies are reporting a 'new' threat called SpywareStrike. Certainly CastleCops is seeing this threat emerge in forum posts (see further below for links).

SpywareStrike appears to be a clone, or re-brand, of the infamous SpyAxe. SpyAxe and now SpywareStrike are both listed in the Rogue Spyware List. Here is a family resemblance. In fact, if you want the application to 'remove' anything, even if only cookies, you'll need to purchase it for $49.50. Obviously we suggest you stay away!

A search on Google for 'spywarestrike' only returns the website: http://www.spywarestrike.com/. However, at CastleCops we have some reports and logs of this new infection:


This is the startup (O4) item:

O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
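
As an added example (not code from CastleCops or HijackThis), this Python parser reads HijackThis O4 registry autorun lines like the one above and flags entries that name the rogue products mentioned in this article. The name list, the function names and the sample log are constructed for illustration, and name matching is an assumption of the example, not a full smitfraud signature set.

```python
import re

# Product names taken from the article; matching on them is this example's
# assumption and will miss a renamed or re-branded clone.
ROGUE_NAMES = ("spywarestrike", "spyaxe")

# HijackThis O4 registry autorun line: "O4 - HKLM\..\Run: [Name] command".
# Backslashes are optional because pasted logs often arrive with them stripped.
# "O4 - Startup:" / "O4 - Global Startup:" folder entries are not covered here.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\?(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

def parse_o4(line):
    """Return hive/key/name/cmd for an O4 registry line, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_rogue_autoruns(log_text):
    """List (hive, key, value name, matched names) for suspicious autoruns."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue  # not an O4 registry line, or truncated mid-entry
        haystack = (entry["name"] + " " + entry["cmd"]).lower()
        matched = [n for n in ROGUE_NAMES if n in haystack]
        if matched:
            hits.append((entry["hive"], entry["key"], entry["name"], matched))
    return hits

# Constructed sample: one benign entry, the article's O4 item, the same item
# with backslashes stripped, and a line cut off mid-entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKLM..Run: [SpywareStrike] C:Program FilesSpywareStrikeSpywareStrike.exe /h
O4 - HKLM\..\Ru
"""

if __name__ == "__main__":
    for hit in flag_rogue_autoruns(SAMPLE_LOG):
        print(hit)
```

A hit only says that the Run value or its command line names one of the listed products; the removal procedure referenced in this article still applies.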

Follow our removal instructions here (by our Security Expert and Microsoft MVP negster22) for SpyAxe. They include SpywareStrike because both are part of the smitfraud group of rogue anti-spyware programs.

Snapshot of the SpywareStrike homepage which also offers a free PC scan. Don't do it! Spread the word!




[Removal]:
Look to this procedure written by negster22. noahdfear maintains a program called smitRem.exe that removes the whole smitfraud family, SpywareStrike included. Download the program for removal here (view here).
Posted on Saturday, 07 January 2006 @ 16:43:44 UTC by Paul (23099 reads)

Re: SpywareStrike, a clone SpyAxe blackhole (Score: 1)
by nickstor  on Friday, 13 January 2006 @ 13:01:52 UTC
I'm having some difficulty getting rid of Spyware Strike.
Although a novice and dealing with such issues, I have followed the directions methodically and have failed 3 times.

I downloaded and installed the smithRem.exe, rebooted in safe mode, ran the runThis.bat file, followed with an updated run of ewido, then adaware, and finally panda's online. All of these find problems and seem to deal with it but the spyware strike program continues to reappear in the program files and the balloon is still incessantly popping up from the bottom toolbar. I have also searched for some of the files mentioned here: http://wiki.castlecops.com/SpyAxe_Removal and have found none of them in my system32 file, although because it continues to reappear, I do find a spyware strike folder in my program files.

Included below are my most recent hijackthis log file, followed by my smithfiles.txt. I accidentally deleted my ewido quarantined files but they included all those mentioned in the smithRem fix.

Any help or assistance in this matter would be VERY greatly appreciated. I have spent a few days working on this already and am starting to get a little frustrated! Please let me know if there is anything else I can do that I have somehow missed or failed to provide to facilitate assistance.
Thanks!
nxc


Logfile of HijackThis v1.99.1
Scan saved at 8:52:34 AM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kitco\Kcast\Kcast.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\Documents and Settings\Nick\Desktop\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [ShStatEXE] C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Distillr\Acrotray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Ru

Read the rest of this comment...



Re: SpywareStrike, a clone SpyAxe blackhole (Score: 1)
by ang402  on Wednesday, 01 February 2006 @ 09:54:22 UTC
I'm not particularly good when it comes to getting rid of things like this. I'd had a few of my friends try and get rid of the program for me and no luck whatsoever until I found this site. The program to fix it is easy to use and it took about 5 minutes to get rid of the program completely from my laptop, so thanks to negster22 for saving my computer!



Re: SpywareStrike, a clone SpyAxe blackhole (Score: 1)
by theteamtec  on Monday, 20 March 2006 @ 05:11:19 UTC
Detailed removal instructions available here:
http://www.spywarestrike.net/
Along with a cool story as to how I helped over 3000 people get rid of this parasite from their system.




Re: SpywareStrike, a clone SpyAxe blackhole (Score: 1)
by theteamtec  on Monday, 20 March 2006 @ 05:13:32 UTC
Detailed removal instructions available here:
http://www.spywarestrike.net/
Along with a cool story as to how I helped over 3000 people get rid of this parasite from their system.



 