Adware Report: SpywareStrike
Thought you were safe because you've inoculated your computer against SpyAxe? Think again. A new program called SpywareStrike has been created with a similar nefarious purpose: to invade your PC and pester you into paying a $49.99 "removal fee".
Want even more bad news? If you were infected with SpyAxe and manually removed it, you now probably have SpywareStrike installed on your computer.
Just like SpyAxe, this program will invade your computer through the Zlob trojan (and possibly others), popping up frequent alerts to "upgrade". If you take the bait, you'll pay $49.99 for a program that does nothing to protect you against spyware, and even opens up additional security holes on your PC.
SpywareStrike is located at the URL of the same name. The website was created on December 20th, 2005 and the marketing is identical to that of SpyAxe, down to the logo. SpywareStrike can be installed via trojan horse, direct download from the site, or is left behind after manually disabling SpyAxe. It has a different signature than SpyAxe, so SpyAxe removal tools are ineffective against it.
SpyAxe and SpywareStrike are just two of over 100 reported malware programs based on the latest Microsoft security flaw.
If you have any information about the makers of SpyAxe or SpywareStrike, please contact us.
Update: Jan 23, 2006
A new version of SpywareStrike has been identified. This version is more difficult to manually remove and is not currently being detected by any antispyware program. Aluria Antispyware has reported that they intend to push an update to remove this version by January 30th, 2006. We have not yet received word from other antispyware vendors about this threat.
Update: Jan 30th, 2006
The makers of this scourgeware are still at it. It appears that a third variant of Spyware Strike is now on the loose, more sophisticated than the previous versions. This version will create hidden WAN network connections (for tunnelling through firewalls, presumably), install a 900# dialer (beware if you have a modem), install a trojan horse, and includes very sophisticated routines that will completely regenerate the software should an incomplete manual removal be attempted.
Automated SpywareStrike Removal
Aluria Antispyware and Spyware Doctor are the only products that we know of which can automatically disable and remove the first two versions of SpywareStrike. Ewido and Microsoft Antispyware appear to remove parts of it, but many readers are reporting that the alert popups remain with these tools. No tool is yet available that will remove the latest version (Jan 30, 2006).
Manual SpywareStrike Removal Instructions
WARNING: The following fixes were recommended by readers and I have not tested them. This information is provided on an "as-is" basis only, and I make no guarantees. Anytime you manually alter system settings, you run the risk of damaging your operating system and rendering your computer inoperable.
Please note that SpywareStrike is closely related to SpyAxe, and when SpyAxe is manually deleted a new trojan is installed. It is quite possible that SpywareStrike does the same, so following this procedure may expose you to other malware.
Method #1
This was the first removal method we discovered, but it will probably not work with the latest version of Spyware Strike. Even with the first version, some readers report that the flashing red alerts remain running with this technique.
1. Search for and delete all references to "SpywareStrike" in the registry. Note that you'll find a reference to a file called "C:\Documents and Settings\\Local Settings\Temp\~nsf.temp\Au__.exe" or something similar.
2. Delete the file referenced above.
3. Go to c:\program files\spyware strike and run the uninstall utility.
4. Go to Task Manager and kill the process spywarestrike.exe.
5. Delete c:\program files\spyware strike.
6. Edit c:\windows\system32\drivers\etc\hosts to add the line "127.0.0.1 spywarestrike.com" (this will prevent the piece that I could not get rid of from automatically downloading the software again and again).
Thanks to Jason Burroughs for this fix.
Method #2
A simpler solution, but more likely to leave behind hidden trojans, etc. This method is highly unlikely to work with the latest versions.
1. Boot computer into safe mode.
2. Uninstall SpywareStrike using the SpywareStrike uninstall utility.
3. Delete the file netwrap.dll from the \windows\system32 directory.
Method #3
If SpywareStrike reappears after trying the previous methods...
1. Boot computer into safe mode.
2. Delete the file mssearchnet.exe from the \windows\system32 directory.
Method #4
Another method that has worked for some readers but not others is to use a combination of tools:
1. Download SmitRem at www.downloads.subratam.org/smitRem.exe
2. Reboot into safe mode and run SmitRem. Check "Delete at Reboot".
3. Immediately run a full scan with your favorite spyware remover to remove incidental trojans and dialers that may have been installed.
Method #5: New Versions of Spyware Strike (updated Jan 30, 2006)
Two new versions of Spyware Strike are on the loose, and the above instructions aren't working for a lot of people. There are some other things to try, but I should warn you that these instructions are *not* for the faint-of-heart. If you don't know what you are doing, then you should definitely just wait for the next update of Aluria Antispyware or Spy Doctor, as both tools seem to be doing a decent job of keeping up with the new releases.
As you can probably tell from the instructions below, the latest version is infinitely more sophisticated than the prior ones. Spyware Strike may be the CoolWebSearch of 2006.
1. Look for new WAN network adapters named IIRC. These were installed by SpywareStrike and are probably how it manages to tunnel through any firewall software.
2. Backup and then remove the following files in the infected user's documents and settings folder:
\UserData\8R4F2NQZ with file oWindowsUpdate[1].xml
\UserData\AH0N2NIN with file oWindowsUpdate[1].xml
\UserData\O1UTE7EV no files
\UserData\OBY9QTQ1 no files
3. Delete registry entry: HKEY_USERS\S-1-5-21-175XXXXXXX-XXXXXX_Classes\Software\Windows\CurrentVersion\Deployment\SideBySide\2.0 (and sub-entries)
4. Rename the normal user account, reboot, and then rename it back to the original name.
This has been reported to successfully disable those stubborn alert windows.
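Before attempting any of the manual steps above, it helps to confirm which of the artifacts they name are actually present. The following read-only audit script is an added example, not from Adware Report or any antispyware vendor: it checks for the processes, files, install folder, UserData files, registry references and hosts-file sinkhole listed in Methods #1 through #5, and reports without deleting anything. It assumes PowerShell 3 or later and default Windows paths (%WINDIR%, %ProgramFiles%, and the profiles directory that contains %USERPROFILE%).

```powershell
# Added example (not Adware Report's): read-only audit for the SpywareStrike artifacts
# named in Methods #1 through #5. Reports findings only; deletes and changes nothing.
# Assumes PowerShell 3+ and default Windows paths (%WINDIR%, %ProgramFiles%, profiles dir).
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]
$sys32 = Join-Path $env:WINDIR 'system32'

# Methods #1 and #3: processes the article tells you to kill or whose binary to delete
foreach ($name in 'spywarestrike', 'mssearchnet') {
    Get-Process -Name $name | ForEach-Object {
        $findings.Add("Process running: $($_.ProcessName) (PID $($_.Id)) $($_.Path)")
    }
}

# Methods #1 to #3: dropped files and the install folder
foreach ($p in (Join-Path $sys32 'netwrap.dll'), (Join-Path $sys32 'mssearchnet.exe'),
               (Join-Path $env:ProgramFiles 'Spyware Strike')) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Artifact present: $p") }
}

# Method #5 step 2: oWindowsUpdate[1].xml under any profile's UserData folder
# (-Filter with * avoids treating the [1] in the file name as a wildcard class)
Get-ChildItem -Path (Split-Path $env:USERPROFILE) -Directory | ForEach-Object {
    $ud = Join-Path $_.FullName 'UserData'
    Get-ChildItem -LiteralPath $ud -Recurse -File -Filter 'oWindowsUpdate*.xml' | ForEach-Object {
        $findings.Add("Suspicious UserData file: $($_.FullName)")
    }
}

# Method #1 step 1: registry keys and values that mention SpywareStrike
foreach ($hive in 'HKCU:\Software', 'HKLM:\Software') {
    Get-ChildItem -Path $hive -Recurse | ForEach-Object {
        if ($_.PSChildName -match 'spyware ?strike') { $findings.Add("Registry key: $($_.Name)") }
        foreach ($v in $_.GetValueNames()) {
            $data = [string]$_.GetValue($v)
            if ($data -match 'spyware ?strike') { $findings.Add("Registry value: $($_.Name)\$v = $data") }
        }
    }
}

# Method #1 step 6: is the hosts-file sinkhole for spywarestrike.com already in place?
$hosts = Join-Path $sys32 'drivers\etc\hosts'
if (-not (Select-String -LiteralPath $hosts -Pattern '^\s*127\.0\.0\.1\s+spywarestrike\.com\b' -Quiet)) {
    $findings.Add("hosts file has no '127.0.0.1 spywarestrike.com' entry")
}

if ($findings.Count -eq 0) { Write-Output 'No SpywareStrike indicators from the article were found.' }
else { $findings | Write-Output }
```

Run it from an elevated PowerShell prompt so the HKLM scan and other users' profile folders are readable; a hit on the process or file checks is what the manual methods then remove.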
All articles and reviews are copyright 2004, Gooroo, Inc. All Rights Reserved.
Adware Report (https://AdwareReport.com) delivers objective news and reviews about the best and the worst spyware removal products.