
Spyware Quake - Please Help

8 replies to this topic

#1 Robsta


  • Members
  • 6 posts
  • Local time:05:20 AM

Posted 25 April 2006 - 08:43 AM

I have followed many guides as to how to remove this little blighter and seem to have removed all the files listed. However, I still have the little icon (g/wheelchair, r/stop sign) in my task bar.

I have looked through the task manager to no avail as to how it still runs, and through msconfig with no luck. Have I missed something? I think I have checked that all process names correlate to something I know should be on the system (I think?).

I've tried using AVG (latest update), ewido (w/out update due to lack of Interweb connection), Cleanup, Xoftspy, eTrust (w/out update)

I remember before from being a coder that there are ways of hiding applications from the task manager. I also downloaded a couple of applications to try and find the b**tard.

My first tool was an Hwnd finder... It revealed the following responses:

Taskbar Icon
parent: 65632 [0x10060]
topparent: 262204 [0x4003c]
processid: 0x0000030x (explorer.exe again)
thread: 0x00000324

Popup window:
parent: 65680 [0x10090]
topparent: 65680 [0x10090]
process id: 0x0000030c (c:\windows\explorer.exe)
thread id: 0x000001b8

I then used a tool called SysTree++ to compare the process IDs to those of running processes, as the tool seems to show a much larger list. This was to no avail!
Through frustration I started closing running processes until one of the final 3 blue-screened me, as expected.

I have included the HijackThis log but can't figure out for the life of me how this little f**ker is still hiding.

Please let me know of my next plan of action, and also if anything else abnormal is running?

Thanx in advance,


I have manually moved MSN Messenger as we aren't supposed to have it on computers at work. It's now inside C:\WINDOWS\ime\chsime\msmger\ so this abnormality may be ignored!

O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpB4F6.tmp (file missing)
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141217865813
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141217858092
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://neocol.webex.com/client/v_mywebex-t...bex/ieatgpc.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\WINDOWS\ime\chsime\msmger\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lmab_device - Lexmark International, Inc. - C:\WINDOWS\System32\LMabcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe

Edited by Robsta, 25 April 2006 - 08:46 AM.
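The log above is the kind of thing a helper reads by eye, looking for a few recurring tells: components that are still registered but whose file is gone, a BHO loaded from a `.tmp` file, Winlogon Notify DLLs (which run inside winlogon.exe and never show up as their own process), and Winsock LSP DLLs that HijackThis cannot identify. The script below is an added example, not part of the original post or of HijackThis; it applies those triage rules to a handful of lines copied from the log (embedded as a constructed sample) and returns the entries that deserve a closer look. The rule set and the `Finding` structure are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log posted above.
# Raw string so the Windows backslashes survive unchanged.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpB4F6.tmp (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

# Every HijackThis entry starts with a section tag such as O4 or O23.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_hijackthis(text: str) -> list[Finding]:
    """Apply simple triage rules to a HijackThis log; return entries worth a closer look."""
    findings: list[Finding] = []
    lsp_dlls: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        # A registered component whose file no longer exists: an orphan left by a
        # partial removal, or a hint that something keeps re-registering it.
        if "(file missing)" in body:
            findings.append(Finding(section, "file missing", line))
        # A browser helper object loaded from a .tmp file is not a normal install.
        if section == "O2" and re.search(r"\.tmp\b", body, re.IGNORECASE):
            findings.append(Finding(section, "BHO loaded from a .tmp file", line))
        # Winsock LSP DLLs sit in the network path of every process. Count them
        # rather than list them: one DLL is legitimately chained several times.
        if section == "O10":
            dll = body.split("LSP:", 1)[-1].strip().lower()
            lsp_dlls[dll] = lsp_dlls.get(dll, 0) + 1
        # Winlogon Notify DLLs load into winlogon.exe at logon, so they never
        # appear as a separate process in Task Manager.
        if section == "O20":
            findings.append(Finding(section, "Winlogon Notify DLL, verify publisher", line))
    for dll, count in sorted(lsp_dlls.items()):
        findings.append(Finding(
            "O10",
            f"unknown LSP DLL chained {count} time(s); verify before removing, "
            "a broken LSP chain disables networking",
            dll,
        ))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<40} {f.line}")
```

Run against the full log, the same rules would surface the O2 `.tmp` BHO, the four `betsp.dll` LSP entries, the four O20 DLLs and every "(file missing)" line; the rules only point at entries to verify, they do not decide what is malicious.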



#2 Herk


  • Members
  • 1,609 posts
  • Gender:Male
  • Location:S.E. Idaho, USA
  • Local time:12:20 AM

Posted 25 April 2006 - 09:27 AM

Have you followed all the steps for removal here? There are new variants. If you can't update Ewido, can you get updates on another computer and copy them over?
Oops, they don't seem to be posting separate updates anymore. That could be a problem.

Have you run a rootkit detector?


Rootkit Revealer

As for hijack logs, they need to be posted in the hijack forum. It is incumbent on me to ask you to read this first.

Edited by Herk, 25 April 2006 - 09:29 AM.

#3 Robsta

  • Topic Starter

  • Members
  • 6 posts
  • Local time:05:20 AM

Posted 26 April 2006 - 08:52 AM

Have run through everything you asked for and posted HERE!

Hope this extra info helps?

Edited by Robsta, 26 April 2006 - 08:53 AM.

#4 rigel



  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:20 AM

Posted 26 April 2006 - 11:32 AM


If the canned fix didn't work, please do this:

I need to get an export of the files being started via the SharedTaskScheduler registry key.

Please download the following file and save it to your desktop:


Once it has downloaded, please double-click on the file, which should now be on your desktop. When the program is finished, it will create a text file on your desktop called getsts.txt and open it in notepad.

Please post the contents of this notepad as a reply to this topic.

The contents will be evaluated for a new fix.

Thanks and good luck,


"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith

#5 Grinler


    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA
  • Local time:12:20 AM

Posted 26 April 2006 - 07:55 PM

Also I am pretty sure this file:


is legit. But submit to www.virustotal.com and tell us the results.

#6 Wolfnadrid


  • Members
  • 9 posts
  • Local time:09:20 PM

Posted 27 April 2006 - 01:42 AM

Try the steps I just posted into thread http://www.bleepingcomputer.com/forums/t/50869/spyfalcona-new-version-perhaps/
some nice little steps I've created from spending 3 days cleaning customers' computers w/ seemingly unstoppable SpyQuake/SpyFalcon.


"I don't work here, I just pretend"

I spend all 8 hours of my work day fixing other stupid humans' computer problems... do you really think I wanna fix your computer?... ohh free stuff for it, well why didn't you say so!

#7 Robsta

  • Topic Starter

  • Members
  • 6 posts
  • Local time:05:20 AM

Posted 27 April 2006 - 04:43 AM

OK... Here goes guys...

***Scheduled Tasks:

(HKLM) {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader => %SystemRoot%\System32\browseui.dll

(HKLM) {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon => %SystemRoot%\System32\browseui.dll

(HKCU) {EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E} - SivuWare => C:\WINDOWS\system32\sivudro.dll


I managed to successfully rename this whilst the "application" is running; does this imply that this is not the problem file?

I will still post up to the site you mentioned...:


Am currently adding the 3 registry files and booting to safe mode to delete those files (my infected machine is not currently connected to InterWeb)
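The SharedTaskScheduler export above explains the earlier Hwnd finder output: entries under that key are COM objects that explorer.exe loads in-process when the shell starts, so the tray icon and its popup belong to explorer.exe and no separate process ever appears in Task Manager. It also explains why the rename succeeded: Windows allows a DLL that is currently mapped into a process to be renamed (only deletion is refused), so a successful rename says nothing about whether the DLL is active until the shell is restarted. The check below is an added example, not a tool from the thread; it parses the getsts.txt layout shown above (constructed sample embedded inline) and compares each entry against the two entries a default Windows XP install carries under HKLM, both pointing at browseui.dll. The baseline set, the assumption that the HKCU key is normally absent, and the rule names are mine.

```python
import re

# Baseline assumption: a default Windows XP SharedTaskScheduler key holds exactly
# these two HKLM entries, both implemented by browseui.dll. No HKCU entries by default.
KNOWN_STS = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}": "Browseui preloader",
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}": "Component Categories cache daemon",
}

# Constructed sample in the getsts.txt layout posted above: "(hive) {CLSID} - name => dll".
SAMPLE_STS = r"""
***Scheduled Tasks:

(HKLM) {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader => %SystemRoot%\System32\browseui.dll
(HKLM) {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon => %SystemRoot%\System32\browseui.dll
(HKCU) {EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E} - SivuWare => C:\WINDOWS\system32\sivudro.dll
"""

STS_RE = re.compile(
    r"^\((HKLM|HKCU)\)\s+(\{[0-9A-Fa-f-]{36}\})\s+-\s+(.*?)\s+=>\s+(.*)$"
)


def parse_sts(text: str) -> list[dict]:
    """Parse getsts-style lines into dicts; CLSIDs are upper-cased for comparison."""
    entries = []
    for line in text.splitlines():
        m = STS_RE.match(line.strip())
        if m:
            hive, clsid, name, path = m.groups()
            entries.append({"hive": hive, "clsid": clsid.upper(),
                            "name": name, "path": path.strip()})
    return entries


def triage_sts(entries: list[dict]) -> list[tuple[dict, list[str]]]:
    """Return (entry, reasons) for every entry that deviates from the baseline."""
    suspicious = []
    for e in entries:
        reasons = []
        # The per-user key is writable without admin rights and is empty by default.
        if e["hive"] == "HKCU":
            reasons.append("per-user SharedTaskScheduler entry")
        if e["clsid"] not in KNOWN_STS:
            reasons.append("CLSID not in the default baseline")
        elif KNOWN_STS[e["clsid"]].lower() != e["name"].lower():
            reasons.append("known CLSID with an unexpected display name")
        # Anything other than browseui.dll here is a third-party DLL riding inside explorer.exe.
        if not e["path"].lower().endswith("browseui.dll"):
            reasons.append("loads a DLL other than browseui.dll into explorer.exe")
        if reasons:
            suspicious.append((e, reasons))
    return suspicious


if __name__ == "__main__":
    for entry, reasons in triage_sts(parse_sts(SAMPLE_STS)):
        print(f'{entry["hive"]} {entry["clsid"]} {entry["path"]}')
        for r in reasons:
            print("   -", r)
```

On the sample the two browseui.dll entries pass and the HKCU `sivudro.dll` entry is reported on all three counts, which is the same conclusion the thread reached by hand. Because the DLL is loaded by explorer.exe, cleanup has to remove the registry entry and the file with the shell not running (safe mode, or after ending explorer.exe), which is what the batch-file approach in the next post does.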

#8 Robsta

  • Topic Starter

  • Members
  • 6 posts
  • Local time:05:20 AM

Posted 27 April 2006 - 06:19 AM

Quick Update...

***VirusTotal Results:

Complete scanning result of "psqlpwd.dll", received in VirusTotal at 04.27.2006, 12:55:07 (CET).

Antivirus            Version          Update       Result
AntiVir                               04.20.2006   no virus found
Avast                4.6.695.0        04.26.2006   no virus found
AVG                  386              04.26.2006   no virus found
Avira                                 04.27.2006   no virus found
BitDefender          7.2              04.27.2006   no virus found
CAT-QuickHeal        8.00             04.26.2006   no virus found
ClamAV               devel-20060202   04.26.2006   no virus found
DrWeb                4.33             04.27.2006   no virus found
eTrust-InoculateIT   23.71.140        04.27.2006   no virus found
eTrust-Vet           12.4.2181        04.27.2006   no virus found
Ewido                3.5              04.27.2006   no virus found
Fortinet                              04.27.2006   no virus found
F-Prot               3.16c            04.26.2006   no virus found
Ikarus                                04.26.2006   no virus found
Kaspersky                             04.27.2006   no virus found
McAfee               4749             04.26.2006   no virus found
Microsoft            1.1372           04.27.2006   no virus found
NOD32v2              1.1509           04.27.2006   no virus found
Norman               5.90.17          04.27.2006   no virus found
Panda                                 04.27.2006   no virus found
Sophos               4.05.0           04.27.2006   no virus found
Symantec             8.0              04.27.2006   no virus found
TheHacker                             04.25.2006   no virus found
UNA                  1.83             04.26.2006   no virus found
VBA32                3.11.0           04.26.2006   no virus found

Just in case the HTML doesn't show... All scanners found no virus.


Put the delete information in a batch file and the only "core" file it deleted was sivudro.dll. It also deleted a few files from the temp folder but these appeared to be VMWare files and 4 labelled Perflib_Perfdata_***.dat

Registry changes were put in place too.

After rebooting, my Biometric finger print reader did not work, but virus appears to have gone.

I then renamed the file psqlpwd.dll.bak (that I renamed earlier) back removing the .bak, then rebooted.

Et voila... Not only has the virus gone but my fingerprint reader works again

SIVUDRO.DLL = Appears to be virus.
PSQLPWD.DLL = Appears to be IBM Biometrics Library.

Thanx for all the help guys

#9 Grinler


    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA
  • Local time:12:20 AM

Posted 27 April 2006 - 03:46 PM

SIVUDRO.DLL is definitely part of spywarequake. The removal guide here addresses that file.
