
Thread: System Intrusion Detected! (SpyWarestrike)

  1. #1
    Unregistered
    Guest

    System Intrusion Detected! (SpyWarestrike)

    Hi,

    In my system tray I have an annoying message balloon:
    System Intrusion Detected!
    Dangerous infection was detected on your PC
    The system will now download and install most efficient antimalware program to prevent data loss and your private information theft.
    Click here to protect your computer from the biggest malware threats.
    When clicking on the balloon, SpyWarestrike is installed. Right clicking on the balloon or the tray-icon opens a webpage with www.spywarestrike.com. I have no clue on how to remove the message or the tray-icon. Spywarestrike can be removed, but it will reinstall after clicking on the balloon and the annoying message will not go away.

    Here is my hijackthis log:
    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 20:24:13, on 7-1-2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvp2pmon.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\LAUNCH~1\QtZiAcer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\Dit.exe
    C:\Program Files\RF Wireless Mouse\cm20.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\SpywareStrike\SpywareStrike.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpywareStrike\SpywareStrike.exe
    C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
    C:\WINDOWS\DitExp.exe
    C:\Documents and Settings\P.Massolt\Bureaublad\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.kennisnet.nl:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [PCMCIA Resource Monitor] nvp2pmon.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZiAcer.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093509785359
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.rug.nl/_definition/shared/xopus/docs/msxml4install/msxml4.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    I've tried Smitfraudremover, didn't work. I've tried the smitfraudfix, didn't work either. Here's the first report of smitfraudfix:
    Code:
    SmitFraudFix v2.11
    
    Rapport fait à 20:20:07,06 le za 07-01-2006
    Executé à partir de C:\Documents and Settings\P.Massolt\Bureaublad\SmitfraudFix
    OS: Microsoft Windows XP [versie 5.1.2600]
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS\system
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS\Web
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS\system32
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\Documents and Settings\P.Massolt\Application Data
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche Menu Démarrer
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche Bureau
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\Program Files 
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche présence de clés corrompues
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche éléments du bureau
     
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Mijn huidige introductiepagina"
     
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche Sharedtaskscheduler
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorie‰n"
    "{C1A2FDA2-1A5B-2A8F-F3A2-B22DA1A3C41D}"="NetWrap for Windows"
    
    »»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Fin du rapport
    Does anyone have any idea on how to remove this annoying message?
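
Added example (not part of any post in this thread): a small Python parser for the HijackThis log format shown in post #1. It traces where a named program appears among the running processes and the registry Run entries, and lists entries marked "(file missing)". The function names are illustrative, and the embedded log is an excerpt copied from that post.

```python
import re

# Excerpt of the HijackThis log from post #1 (lines copied from the thread).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\SpywareStrike\SpywareStrike.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.kennisnet.nl:8080
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")  # section code, then entry data
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")  # O4 registry autorun


def parse_hjt(text):
    """Split a HijackThis log into running processes and coded entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif (m := ENTRY.match(line)):
            in_procs = False  # coded entries end the process list
            entries.append({"code": m.group(1), "data": m.group(2),
                            "missing": line.endswith("(file missing)")})
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def autoruns(entries):
    """Return (hive, key, value name, command) for each O4 registry Run entry."""
    hits = (RUN.match(e["data"]) for e in entries if e["code"] == "O4")
    return [m.groups() for m in hits if m]


def trace(text, needle):
    """Show where a name occurs: as a live process and as a Run-key autostart."""
    processes, entries = parse_hjt(text)
    n = needle.lower()
    return {
        "running": [p for p in processes if n in p.lower()],
        "autoruns": [a for a in autoruns(entries) if n in a[3].lower()],
        "missing": [e["data"] for e in entries if e["missing"]],
    }
```

Calling `trace(SAMPLE_LOG, "SpywareStrike")` returns the running SpywareStrike.exe process, its HKLM Run entry with the `/h` argument, and the WRNotifier Winlogon Notify entry whose file is missing.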

  2. #2
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.175

    Re: System Intrusion Detected!

    Welcome to HijackThis.de @ Guest
    It seems that you have got a new variant of Smitfraud on your system which we don't know until now. So we need your help to find out more about it.

    Make sure you set windows to see the hidden files and folders.

    Please load the following unknown files

    F:\WINDOWS\System32\dmins.exe
    C:\Program Files\SpywareStrike\SpywareStrike.exe

    1. ->up to Upload malicious software.
    2. ->up to ST-Adware-Upload

    If you need a zip-tool we suggest zipgenius (It is free).

    Scan these files with Virustotal and Jotti

    C:\PROGRA~1\LAUNCH~1\QtZiAcer.EXE
    C:\Program Files\SpywareStrike\SpywareStrike.exe

    Please let us know if you succeeded in uploading the files to both the URLs
    and let us know every result of the online scan by copy & paste.

  3. #3
    Unregistered
    Guest

    Re: System Intrusion Detected!

    Hi,

    I've uploaded SpywareStrike.exe to both suggested sites, I couldn't find dmins.exe on my computer.
    The online scanners gave the following results:
    For SpywareStrike, VirusTotal:
    Code:
    Antivirus	Version	Update	Result
    AntiVir	6.33.0.75	01.06.2006	no virus found
    Avast	4.6.695.0	01.06.2006	no virus found
    AVG	718	01.06.2006	Adware SpyAxe
    Avira	6.33.0.75	01.06.2006	no virus found
    BitDefender	7.2	01.08.2006	no virus found
    CAT-QuickHeal	8.00	01.05.2006	no virus found
    ClamAV	devel-20051123	01.06.2006	no virus found
    DrWeb	4.33	01.07.2006	no virus found
    eTrust-Iris	7.1.194.0	01.06.2006	no virus found
    eTrust-Vet	12.4.1.0	01.06.2006	no virus found
    Ewido	3.5	01.07.2006	Adware.Spyaxe
    Fortinet	2.54.0.0	01.07.2006	no virus found
    F-Prot	3.16c	01.07.2006	no virus found
    Ikarus	0.2.59.0	01.05.2006	no virus found
    Kaspersky	4.0.2.24	01.08.2006	no virus found
    McAfee	4669	01.06.2006	no virus found
    NOD32v2	1.1356	01.08.2006	Win32/Adware.SpyAxe
    Norman	5.70.10	01.06.2006	no virus found
    Panda	9.0.0.4	01.08.2006	Suspicious file
    Sophos	4.01.0	01.07.2006	no virus found
    Symantec	8.0	01.08.2006	no virus found
    TheHacker	5.9.2.069	01.06.2006	no virus found
    UNA	1.83	01.06.2006	no virus found
    VBA32	3.10.5	01.06.2006	Application.Win32.Adware.SpyAxe
    and with Jotti:
    Code:
    Antivirus	Version	Update	Result
    AntiVir	6.33.0.75	01.06.2006	no virus found
    Avast	4.6.695.0	01.06.2006	no virus found
    AVG	718	01.06.2006	Adware SpyAxe
    Avira	6.33.0.75	01.06.2006	no virus found
    BitDefender	7.2	01.08.2006	no virus found
    CAT-QuickHeal	8.00	01.05.2006	no virus found
    ClamAV	devel-20051123	01.06.2006	no virus found
    DrWeb	4.33	01.07.2006	no virus found
    eTrust-Iris	7.1.194.0	01.06.2006	no virus found
    eTrust-Vet	12.4.1.0	01.06.2006	no virus found
    Ewido	3.5	01.07.2006	Adware.Spyaxe
    Fortinet	2.54.0.0	01.07.2006	no virus found
    F-Prot	3.16c	01.07.2006	no virus found
    Ikarus	0.2.59.0	01.05.2006	no virus found
    Kaspersky	4.0.2.24	01.08.2006	no virus found
    McAfee	4669	01.06.2006	no virus found
    NOD32v2	1.1356	01.08.2006	Win32/Adware.SpyAxe
    Norman	5.70.10	01.06.2006	no virus found
    Panda	9.0.0.4	01.08.2006	Suspicious file
    Sophos	4.01.0	01.07.2006	no virus found
    Symantec	8.0	01.08.2006	no virus found
    TheHacker	5.9.2.069	01.06.2006	no virus found
    UNA	1.83	01.06.2006	no virus found
    VBA32	3.10.5	01.06.2006	Application.Win32.Adware.SpyAxe
    For QTZiAcer.exe, Jotti and VirusTotal couldn't find anything.

    greetings,
    Joost

  4. #4
    Beginner
    Registered since
    08.01.2006
    Posts
    2

    Re: System Intrusion Detected!

    (I've registered with this board)

    I'm also running two virus scanners on my computer, AVG and Norton. Both scanners couldn't find anything.

  5. #5
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.175

    Re: Re: System Intrusion Detected!

    Hello Joost
    Quote from joost
    I'm also running two virus scanners on my computer, AVG and Norton. Both scanners couldn't find anything.
    It's very dangerous to run two antivirus programs at the same time on a system: they can make it crash. Please stop one of these two programs. And it's not at all surprising, as AV programs can't detect new malware. As no one knows anything about it, there are no signatures for that malware, so every antivirus will tell you that everything is all right. That's why we analyse new unknown files.

    Back again on this post:

    1
    Please upload this file:

    C:\Program Files\SpywareStrike\SpywareStrike.exe

    to this URL: http://siri.urz.free.fr/upload/

    2
    Please visit a German website:

    Copy the 4 text files, which you will get from your system, by using
    http://virus-protect.net/bat/datFind.bat
    -> download it and install it to your desktop.
    (You will get 4 logfiles; in the case of c:\windows\system32, we only need the last 30 days.)

    Paste them into your thread.
    You may want to have a look at the pictures to understand what I mean.

  6. #6
    Beginner
    Registered since
    08.01.2006
    Posts
    2

    Re: System Intrusion Detected! (SpyWarestrike)

    What German website do you mean? I can't find a link..

    I have two virus scanners running only to make sure there are no known viruses on my system that give the annoying message. Normally I have only one. I shall remove one, thanks for the advice.

    It may take a while for the uploading of the files. The 'infected' computer is at my parents' home, it will take two weeks before I get there again.

    I'll keep you informed!

  7. #7
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.175

    Re: System Intrusion Detected! (SpyWarestrike)

    Ok .. thank you @ Joost
    We wait for your answer.
