
SpyQuake Help

Discussion in 'Windows XP' started by titanania, Jul 10, 2006.

  1. titanania

    titanania Thread Starter

    Joined:
    Feb 10, 2005
    Messages:
    1,398
    Hey Tech Guys,

    I am running an HP Pavilion (finally) (see http://forums.techguy.org/windows-nt-2000-xp/479309-xp-bootup-screwup-7.html) and as soon as the thing started up SpyQuake took over. I've uninstalled and deleted the programs and its buddies to no avail. Shutting down the Windows Messenger didn't even stop it. I'm tearing my hair out at this point.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:40:31 PM, on 7/10/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\dcomcfg.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\atmclk.exe
    C:\Documents and Settings\Ann\My Documents\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\System32\hp100.tmp
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Ibfgx] C:\PROGRA~1\COMMON~1\ECURIT~1\IXPLOR~1.EXE
    O20 - AppInit_DLLs: fast.dll
    O20 - Winlogon Notify: ddcbxxv - C:\WINDOWS\SYSTEM32\ddcbxxv.dll
    O20 - Winlogon Notify: wintzs32 - C:\WINDOWS\SYSTEM32\wintzs32.dll
    O21 - SSODL: furnariidae - {89e4aaba-3b21-49b3-b922-8ca35193c68e} - C:\WINDOWS\System32\zlara.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    Thanks in advance!
     
  2. Old Rich

    Old Rich

    Joined:
    Jan 17, 2003
    Messages:
    10,254
    Holy smokes . . no Service packs? ? ? . . no antivirus . . you are a glutton for punishment!
     
  3. prunejuice

    prunejuice

    Joined:
    Apr 2, 2002
    Messages:
    3,432
    All the anti-spyware in the world won't save an unpatched OS, ultimately.

    Start by installing Service Pack 1.
     
  4. titanania

    titanania Thread Starter

    Joined:
    Feb 10, 2005
    Messages:
    1,398
    Ok, I just installed XP yesterday, I mean come on

    The Internet is too laggy and intermittent for me to DL anything.

    Don't get onto just for not getting support. This stupid program didn't give me any time....read before jumping to conclusions.....

    Does this site look like a legit fix to any1?
    http://www.spywareremove.com/removeSpyQuake.html
     
  5. titanania

    titanania Thread Starter

    Joined:
    Feb 10, 2005
    Messages:
    1,398
    And I do too have AV.... Ewido!
     
  6. Old Rich

    Old Rich

    Joined:
    Jan 17, 2003
    Messages:
    10,254
    Ewido is not an antivirus . . it's an antispyware . . You can download SP2 here to burn to a cd and install once you get the bug killed . . then load an antivirus and turn on the SP2 firewall before going online

    I'm not very good with chasing bugs . . someone will be along who is . .
     
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Hello :)

    You should get AVG first: http://free.grisoft.com/doc/1
    You do need an active AV program.
    __________________________________________________________________________


    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  8. titanania

    titanania Thread Starter

    Joined:
    Feb 10, 2005
    Messages:
    1,398
    Yay Cheeseball is here to save the day.... I'm beginning to follow your instructions now
     
  9. titanania

    titanania Thread Starter

    Joined:
    Feb 10, 2005
    Messages:
    1,398
    Here's the report, this looks bad

    SmitFraudFix v2.69

    Scan done at 20:24:29.67, Mon 07/10/2006
    Run from C:\Documents and Settings\Ann\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\atmclk.exe FOUND !
    C:\WINDOWS\system32\dcomcfg.exe FOUND !
    C:\WINDOWS\system32\hp???.tmp FOUND !
    C:\WINDOWS\system32\hp????.tmp FOUND !
    C:\WINDOWS\system32\ld???.tmp FOUND !
    C:\WINDOWS\system32\ld????.tmp FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\regperf.exe FOUND !
    C:\WINDOWS\system32\simpole.tlb FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\zlara.dll FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ann\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ann\FAVORI~1

    C:\DOCUME~1\Ann\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.
     
  11. ODIN 0ERO

    ODIN 0ERO Guest



    Actually EWIDO is an ANTI SPYWARE AND ANTI TROJAN REMOVER...
     
  12. Old Rich

    Old Rich

    Joined:
    Jan 17, 2003
    Messages:
    10,254
    but NOT an antivirus
     
  13. titanania

    titanania Thread Starter

    Joined:
    Feb 10, 2005
    Messages:
    1,398
    Well, I've run the fix and the comp. is now running smoothly. I have actually logged in from this comp instead of using a flash drive to transfer the text files this time so let me know if I have a keylogger still and need to reset my password.

    Here's the log results:
    SmitFraudFix v2.69

    Scan done at 16:55:53.55, Tue 07/11/2006
    Run from C:\Documents and Settings\Ann\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\System32\zlara.dll -> Missing File


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\dcomcfg.exe Deleted
    C:\WINDOWS\system32\hp???.tmp Deleted
    C:\WINDOWS\system32\ld???.tmp Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\regperf.exe Deleted
    C:\WINDOWS\system32\simpole.tlb Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\WINDOWS\system32\ts.ico Deleted
    C:\WINDOWS\system32\1024\ Deleted
    C:\DOCUME~1\Ann\FAVORI~1\Antivirus Test Online.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
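
Added example, not part of any poster's message and not part of SmitfraudFix: a short Python check that compares the search report (option #1) with the clean report (option #2) posted above and lists every FOUND entry that has no Deleted or Missing File line afterwards. The helper names `parse` and `unresolved` are hypothetical, and wildcard entries such as hp????.tmp are compared as literal strings, exactly as the tool printed them.

```python
import re

# Result lines copied from the two SmitfraudFix v2.69 reports posted in this
# thread: option #1 (search) and option #2 (clean, run in Safe Mode).
SEARCH_REPORT = r"""
C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld???.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\zlara.dll FOUND !
C:\WINDOWS\system32\1024\ FOUND !
C:\DOCUME~1\Ann\FAVORI~1\Antivirus Test Online.url FOUND !
"""
CLEAN_REPORT = r"""
C:\WINDOWS\System32\zlara.dll -> Missing File
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld???.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\Ann\FAVORI~1\Antivirus Test Online.url Deleted
"""
RESULT = re.compile(r"^\s*([A-Za-z]:\\.*?)\s+(FOUND !|Deleted|-> Missing File)\s*$")

def parse(report):
    """Map lower-cased path (or wildcard pattern) -> status for each result line."""
    hits = (RESULT.match(line) for line in report.splitlines())
    return {m.group(1).lower(): m.group(2) for m in hits if m}

def unresolved(search_report, clean_report):
    """Entries reported FOUND that the clean report never mentions."""
    found, cleaned = parse(search_report), parse(clean_report)
    return sorted(p for p in found if p not in cleaned)

if __name__ == "__main__":
    for path in unresolved(SEARCH_REPORT, CLEAN_REPORT):
        print("no Deleted/Missing line for:", path)
```

On the two reports in this thread it lists atmclk.exe, hp????.tmp and ld????.tmp, which appear as FOUND in the search report but have no matching line in the clean report.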
     
  14. Old Rich

    Old Rich

    Joined:
    Jan 17, 2003
    Messages:
    10,254
    Once you are clean, be sure to upgrade to SP2 and install an antivirus so this does not continue to happen to you
     
  15. ODIN 0ERO

    ODIN 0ERO Guest

    install one of the two best antimalware[anti virus,anti trojan,anti spyware,anti worm] programs....


    AVAST OR NOD32...


    they are the two best antimalware tools..
     

Short URL to this thread: https://techguy.org/482141
