
Spyware Quake


This topic is locked. 3 replies to this topic.

#1 ochaye (Members, 22 posts)

Posted 01 May 2006 - 09:11 AM

I have the same problem as Oneiron had with SpywareQuake on my computer. When I started IE the homepage was hijacked and the same very annoying icon appeared in my taskbar. The icon switches between being a green wheelchair and a red circle with a line through... and every now and then a message appears saying:
Your computer is infected!
Critical System Error!
System detected virus activities.
They may cause critical system
failure. Please, use antimalware
Software to clean and protect your
system from parasite programs.
Click here to get all available software

My system is Windows 2000 whereas I think Oneiron's system is XP and so I am not sure if I should follow the same steps (I suspect not but don't know)

I ran Norton antivirus, Spybot and Adware and did a registry search on Quake and removed items. The home page is ok but the icon and message remain.

I ran BitDefender Online Scanner.

For infected files, the log was:

Statistics
Time: 02:33:05
Files: 370908
Folders: 2349
Boot Sectors: 2
Archives: 8579
Packed Files: 49194

Results
Identified Viruses: 8
Infected Files: 16
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 15

Engines Info
Virus Definitions: 371592
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_nsis0009=>(NSIS o)=>lzma_nsis0001 | Infected with: Virtool.MediaInject.A
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_nsis0009=>(NSIS o)=>lzma_nsis0001 | Disinfection failed
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_nsis0009=>(NSIS o)=>lzma_nsis0001 | Deleted
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_nsis0009=>(NSIS o) | Update failed
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_nsis0009=>(NSIS o)=>lzma_nsis0003 | Infected with: Virtool.MediaInject.A
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_nsis0009=>(NSIS o)=>lzma_nsis0003 | Disinfection failed
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_nsis0009=>(NSIS o)=>lzma_nsis0003 | Deleted
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_nsis0009=>(NSIS o) | Update failed
C:\mnft.exe | Infected with: Trojan.Spy.Delf.AR
C:\mnft.exe | Disinfection failed
C:\mnft.exe | Deleted
C:\WINNT\inf\cnb.inf | Infected with: Trojan.Spy.Delf.AR
C:\WINNT\inf\cnb.inf | Disinfection failed
C:\WINNT\inf\cnb.inf | Deleted
C:\WINNT\inf\conjb.exe | Infected with: Trojan.HackTool.XScan.23
C:\WINNT\inf\conjb.exe | Disinfection failed
C:\WINNT\inf\conjb.exe | Deleted
C:\WINNT\inf\nrc.exe | Infected with: Virtool.Hidrun.A
C:\WINNT\inf\nrc.exe | Disinfection failed
C:\WINNT\inf\nrc.exe | Deleted
C:\WINNT\inf\plugin\070-ntpass.xpn | Detected with: Application.Xscan.2.3
C:\WINNT\inf\plugin\070-ntpass.xpn | Disinfection failed
C:\WINNT\inf\plugin\070-ntpass.xpn | Deleted
C:\WINNT\inf\ptf.inf | Infected with: Trojan.Spy.Delf.AR
C:\WINNT\inf\ptf.inf | Disinfection failed
C:\WINNT\inf\ptf.inf | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o)=>cnb.inf | Infected with: Trojan.Spy.Delf.AR
C:\WINNT\infr.exe=>(RAR Sfx o)=>cnb.inf | Disinfection failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>cnb.inf | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o) | Update failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>conjb.exe | Infected with: Trojan.HackTool.XScan.23
C:\WINNT\infr.exe=>(RAR Sfx o)=>conjb.exe | Disinfection failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>conjb.exe | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o) | Update failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>nrc.exe | Infected with: Virtool.Hidrun.A
C:\WINNT\infr.exe=>(RAR Sfx o)=>nrc.exe | Disinfection failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>nrc.exe | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o) | Update failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>ptf.inf | Infected with: Trojan.Spy.Delf.AR
C:\WINNT\infr.exe=>(RAR Sfx o)=>ptf.inf | Disinfection failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>ptf.inf | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o) | Update failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>plugin\070-ntpass.xpn | Detected with: Application.Xscan.2.3
C:\WINNT\infr.exe=>(RAR Sfx o)=>plugin\070-ntpass.xpn | Disinfection failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>plugin\070-ntpass.xpn | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o) | Update failed
C:\WINNT\system32\unwise.exe | Infected with: Trojan.Downloader.Turown.I
C:\WINNT\system32\unwise.exe | Disinfection failed
C:\WINNT\system32\unwise.exe | Deleted
C:\WINNT\system32\xenadot.dll | Infected with: Trojan.Fakealert.CE
C:\WINNT\system32\xenadot.dll | Disinfection failed
C:\WINNT\system32\xenadot.dll | Delete failed
C:\WINNT\tqp.exe=>(NSIS o)=>bzip2_nsis0001 | Infected with: Trojan.Winad.K
C:\WINNT\tqp.exe=>(NSIS o)=>bzip2_nsis0001 | Disinfection failed
C:\WINNT\tqp.exe=>(NSIS o)=>bzip2_nsis0001 | Deleted
C:\WINNT\tqp.exe=>(NSIS o) | Update failed

I would really appreciate any help.
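A scanner log like the one above is easier to act on once it is folded into one record per path with the detection name and the last action the scanner took. What follows is an added example, not code from the original post or from BitDefender: a small Python parser for the path-line / status-line form the log is shown in. It groups nested hits under the archive or installer that carried them and reports any detection whose last action was not "Deleted", which is what a responder checks first. In the posted log the only such entry is C:\WINNT\system32\xenadot.dll (Trojan.Fakealert.CE, "Delete failed"). The sample input is a constructed excerpt of the posted table, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed input: an excerpt of the "Scanned File / Status" table from the
# BitDefender log posted above, in the flattened path-line / status-line form
# the page shows. The paths are the poster's; the selection is mine.
SAMPLE_LOG = """\
C:\\WINNT\\infr.exe=>(RAR Sfx o)=>nrc.exe
Infected with: Virtool.Hidrun.A

C:\\WINNT\\infr.exe=>(RAR Sfx o)=>nrc.exe
Disinfection failed

C:\\WINNT\\infr.exe=>(RAR Sfx o)=>nrc.exe
Deleted

C:\\WINNT\\infr.exe=>(RAR Sfx o)
Update failed

C:\\WINNT\\infr.exe=>(RAR Sfx o)=>ptf.inf
Infected with: Trojan.Spy.Delf.AR

C:\\WINNT\\infr.exe=>(RAR Sfx o)=>ptf.inf
Deleted

C:\\WINNT\\system32\\xenadot.dll
Infected with: Trojan.Fakealert.CE

C:\\WINNT\\system32\\xenadot.dll
Disinfection failed

C:\\WINNT\\system32\\xenadot.dll
Delete failed

C:\\WINNT\\inf\\plugin\\070-ntpass.xpn
Detected with: Application.Xscan.2.3

C:\\WINNT\\inf\\plugin\\070-ntpass.xpn
Deleted
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
VERDICT_RE = re.compile(r"^(?:Infected|Detected) with: (.+)$")


def container_of(path):
    """On-disk carrier of a nested hit: 'C:\\x.exe=>(RAR Sfx o)=>a.exe' lives inside C:\\x.exe."""
    return path.split("=>", 1)[0] if "=>" in path else None


def parse_scan_log(text):
    """Fold the path/status pairs into one record per scanned path.

    Each record keeps the detection name (if any) and the ordered list of
    action outcomes the scanner reported for that path.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            entries.setdefault(current, {"container": container_of(line),
                                         "verdict": None, "actions": []})
            continue
        if current is None:
            continue  # status line with no preceding path: malformed, skip
        m = VERDICT_RE.match(line)
        if m:
            entries[current]["verdict"] = m.group(1)
        else:
            entries[current]["actions"].append(line)
    return entries


def still_on_disk(entries):
    """Detections whose last recorded action was not 'Deleted'.

    'Delete failed' commonly means the file was in use or locked (for example
    a DLL loaded in a running process), so these paths are checked before the
    long list of successful deletions.
    """
    leftovers = []
    for path, e in entries.items():
        if e["verdict"] is None:
            continue  # container rows carry only 'Update failed', not a detection
        last = e["actions"][-1] if e["actions"] else None
        if last != "Deleted":
            leftovers.append((path, e["verdict"], last))
    return leftovers


def dropped_by_container(entries):
    """Group nested detections under the archive / installer that carried them."""
    groups = defaultdict(list)
    for path, e in entries.items():
        if e["container"] and e["verdict"]:
            groups[e["container"]].append(path.rsplit("=>", 1)[1])
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_scan_log(SAMPLE_LOG)
    for path, verdict, last in still_on_disk(parsed):
        print(f"CHECK   {path}  [{verdict}]  last action: {last}")
    for carrier, members in dropped_by_container(parsed).items():
        print(f"CARRIER {carrier} -> {', '.join(members)}")
```

Run against the full posted table the same way; the grouping by container also makes it obvious that the hits under C:\WINNT\infr.exe and under C:\WINNT\inf\ are the same set of files, one packed inside the self-extracting archive and one already unpacked onto disk.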


#2 ochaye (Topic Starter, Members, 22 posts)

Posted 01 May 2006 - 12:13 PM

Hello

In case it helps, the following is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:11:41 AM, on 2/05/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltcm000c.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\AAAA\Local Settings\Temp\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINNT\system32\hp562C.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#3 ochaye (Topic Starter, Members, 22 posts)

Posted 06 May 2006 - 07:48 AM

For anyone with this problem, just follow the Spyware removal guide.
I did and removed SpywareQuake (I think).
Thanks very much Grinler for the guidance!!

#4 pskelley (Staff Emeritus, 1,487 posts)

Posted 06 May 2006 - 08:04 AM

Hello and welcome to the forum. Good job locating and using the fix Grinler provided; I would now be directing you to it. Just a little cosmetic work to do.

1) HJT must have its own folder, and you are running it from a TEMP folder. I prefer here: C:\HJT\HijackThis.exe. If you need more instructions, use these: http://russelltexas.com/malware/createhjtfolder.htm

2) You have two powerful programs that will block the HJT fix we need to make; you will probably need to turn them off until you are done.
WinPatrol: right-click the running icon and exit.
TeaTimer: http://russelltexas.com/malware/teatimer.htm

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINNT\system32\hp562C.tmp (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

(if you clean Prefetch yourself, you can pass over this, if not, read and follow the directions)

Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Right-click on Start, then click on Explore. Locate and delete these items:

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

If you don't have a good cleaner, use this free one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Since your HJT log contained only those two lines of clutter and was clean of malware, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

If all is running well, there is no need to post again unless you wish to, safe surfing.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
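The two O2 lines pskelley flagged are the pattern a log reader learns first: a registration (BHO, toolbar button, Run key, service) whose target file HijackThis reports as "(no file)" or "(file missing)". Those are dead entries to clean up; the live entries in the code-loading sections are what actually get verified against a known-good list. What follows is an added example, not part of the thread and not HijackThis code: a Python triage of the posted log format that separates the two groups. The sample input is a constructed subset of the log posted above, and the section set and function names are my own.

```python
import re

# Constructed input: a subset of the HijackThis v1.99.1 lines posted above.
# The lines are the poster's; the selection is mine.
SAMPLE_HJT = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\\WINNT\\system32\\hp562C.tmp (file missing)
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O20 - Winlogon Notify: NavLogon - C:\\WINNT\\System32\\NavLogon.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\\WINNT\\system32\\ibmpmsvc.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# HJT sections that register code to run inside Explorer/IE, at logon, or as
# a service (my selection). These are read first; most of the rest is cosmetic.
CODE_LOADING = {"O2", "O3", "O4", "O9", "O20", "O21", "O23"}


def parse_hjt(text):
    """One dict per 'Onn - ...' line: section, body, CLSID (if any), orphan flag."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        items.append({
            "section": section,
            "body": body,
            "clsid": clsid.group(0).lower() if clsid else None,
            # HJT marks a registration whose target no longer exists with
            # '(no file)' or '(file missing)'.
            "orphan": "(no file)" in body or "(file missing)" in body,
            "unknown_owner": "Unknown owner" in body,
        })
    return items


def orphaned_entries(items):
    """Registrations pointing at files that are gone: leftovers from an
    uninstall or a partial cleanup. Safe to 'Fix checked'; not evidence of
    active malware by themselves."""
    return [i for i in items if i["orphan"]]


def needs_review(items):
    """Live code-loading entries: the ones to check against a known-good list
    (vendor, path, signature) before deciding anything. 'Unknown owner' only
    means HJT could not read a company name, not that the service is bad."""
    return [i for i in items if i["section"] in CODE_LOADING and not i["orphan"]]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    print("Orphaned registrations (fix):")
    for i in orphaned_entries(parsed):
        print(f"  {i['section']}  {i['clsid'] or '-'}  {i['body']}")
    print("Live entries to verify:")
    for i in needs_review(parsed):
        tag = " (unknown owner)" if i["unknown_owner"] else ""
        print(f"  {i['section']}  {i['body']}{tag}")
```

On the posted log this yields exactly the two O2 lines pskelley asked to fix plus the orphaned O9 BitDefender button, while the O4, O20 and O23 entries (Symantec, IBM, Iomega, VERITAS, Macromedia) land in the review list where the path and vendor can be checked.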



