Spyware Quake won't go away. (hijack log done)


Old 03-27-06, 04:40 AM
  #1  
DVD Talk Hall of Fame
Thread Starter
 
Join Date: Oct 2003
Location: Seattle, WA
Posts: 9,565

Help...

Logfile of HijackThis v1.99.1
Scan saved at 1:27:12 AM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1131129371468
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = arena.local
O17 - HKLM\Software\..\Telephony: DomainName = arena.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = arena.local
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


Something called Spyware Quake 2.0 keeps popping up.

I have followed the steps in the spyware thread as best I can..

System restore turned off.

Ran Spybot - keeps finding vcodec and "fixes" when I restart - but it comes up again almost immediately. Located in c/win/system32/ncompnt.tlb

Ran AdAware - didn't find anything

Ran BitDefender - it couldn't delete c/win/system32/ldF695.tmp and stickrep.dll

Deleted both temps - file hpodvd09 wouldn't delete (program in use)

Ran Online Trojan Scan - came up with nothing.

Any help/info would be much appreciated!
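Because every reply in this thread works by reading the HijackThis log above line by line, here is an added Python example (written for this page; it is not code from the forum, from HijackThis or from any of the posters) that parses the `Rn`/`On` entry lines into sections and flags the three classes of entry the replies go on to single out: autostart (`O4` Run) entries matching a name watchlist, entries whose target is `(no file)` or `(file missing)`, and browser start/search URLs whose host is outside an allowlist. The sample lines are copied from the log above; the watchlist and the trusted-host list are assumptions, and an "untrusted-url" finding only means the host is not on that list, not that it is malicious.

```python
"""Triage a HijackThis v1.99 log: parse entry lines and flag what the thread asked about."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Entry lines look like "O4 - <body>"; process-list lines and headers do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
# O4 Run-key body: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^HK(?P<hive>LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Sample input: six lines copied from the HijackThis log posted above, plus
# non-entry lines so the parser has something to skip.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Entry:
    section: str          # R0, O2, O4, O23, ...
    body: str             # everything after "Xn - "
    guid: Optional[str]   # CLSID if the line carries one
    orphan: bool          # registry entry whose target file no longer exists


def parse_log(text: str) -> List[Entry]:
    """Return one Entry per HijackThis entry line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        g = GUID_RE.search(body)
        orphan = body.endswith("(no file)") or body.endswith("(file missing)")
        entries.append(Entry(m.group("section"), body, g.group(0) if g else None, orphan))
    return entries


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per section, the quick overview a helper reads first."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def triage(entries: List[Entry], watchlist: List[str],
           trusted_hosts: List[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, section, detail) findings for entries worth a closer look."""
    findings = []
    for e in entries:
        if e.orphan:
            findings.append(("orphan", e.section, e.body))
        if e.section == "O4":
            m = RUN_RE.match(e.body)
            if m:
                haystack = (m.group("name") + " " + m.group("cmd")).lower()
                if any(w.lower() in haystack for w in watchlist):
                    findings.append(("watchlist", e.section, m.group("cmd")))
        if e.section in ("R0", "R1"):
            url = e.body.split(" = ", 1)[-1]
            host = urlparse(url).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in trusted_hosts):
                findings.append(("untrusted-url", e.section, url))
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(summarize(parsed))
    # Watchlist and allowlist are assumptions chosen for this example.
    for kind, section, detail in triage(parsed, ["SpywareQuake"], ["microsoft.com"]):
        print(f"{kind:14} {section:4} {detail}")
```

Running it on the sample prints the per-section counts and then four findings: the `O2` BHO and `O9` button with missing files, the `SpywareQuake` Run entry, and the `R1` start page because its host is not on the allowlist. The `ccApp` Run entry is not reported, which is the point of matching on a watchlist rather than on every `O4` line.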
Old 03-27-06, 12:48 PM
  #2  
DVD Talk Limited Edition
 
Join Date: Feb 2002
Location: On the penis chair
Posts: 5,169
Check and fix this:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

Let me know if the problem still persists.

The Bit Defender part is harmless but the file is missing. I think it should be all right if you don't want to remove it.

Last edited by eedoon; 03-27-06 at 12:50 PM.
Old 03-27-06, 01:06 PM
  #3  
DVD Talk Hall of Fame
Thread Starter
 
Join Date: Oct 2003
Location: Seattle, WA
Posts: 9,565
OK, problem is still there. This one is not being removed though:

O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)

edit: Do I still want System Restore off when I fix these? (it's currently on)

Last edited by Artman; 03-27-06 at 01:15 PM.
Old 03-27-06, 01:40 PM
  #4  
DVD Talk Limited Edition
 
Join Date: Feb 2002
Location: On the penis chair
Posts: 5,169
Yes, you should turn it off.

Check whether SpywareQuake.exe is running in the Task Manager.

Also, check if the deleted key reappears. A scan in safe mode should help.
Old 03-27-06, 01:53 PM
  #5  
DVD Talk Hall of Fame
Thread Starter
 
Join Date: Oct 2003
Location: Seattle, WA
Posts: 9,565
OK, restore off.

Deleted files are still off (except for 02 which was never deleted) - do I want to delete the backup files for them?

Is the task manager the menubar at the bottom? If so, SpywareQuake isn't there - just the flashing virus alert.

Also I keep getting this popup:

C:\Windows\temp\h91746.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0dbe IP: 01d4 OP:63 68 65 2f 31 Choose 'Close' to terminate the application.

Last edited by Artman; 03-27-06 at 01:58 PM.
Old 03-27-06, 02:18 PM
  #6  
DVD Talk Limited Edition
 
Join Date: Feb 2002
Location: On the penis chair
Posts: 5,169
Task Manager is the thing that appears when you press Ctrl + Alt + Del. Check the Processes tab and see if the suspected file is running.

The key that didn't get removed seems to be one of the culprits.

Try deleting stickrep.dll and see how it turns out. It should be in the system32 folder.

Read this for more information.
Old 03-27-06, 02:26 PM
  #7  
DVD Talk Limited Edition
 
Join Date: Feb 2002
Location: On the penis chair
Posts: 5,169
About the h91746.exe, it's a trojan virus. This link should provide you with enough information:

http://www.sophos.com/support/disinfection/dial.html
Old 03-27-06, 02:59 PM
  #8  
DVD Talk Hall of Fame
Thread Starter
 
Join Date: Oct 2003
Location: Seattle, WA
Posts: 9,565
Can't remove stickrep.dll - Access is denied. Make sure the file is not currently in use...

The date and time for that file match what is the suspected timeframe too.

Not sure which file I should look for in Processes, here's what I got:



Thanks for that link - I'll look into it later tonight after work.
Old 03-27-06, 03:30 PM
  #9  
DVD Talk Limited Edition
 
Join Date: Feb 2002
Location: On the penis chair
Posts: 5,169
Try deleting it under safe mode.

I should have pointed out that Spyware Quake and the h91746.exe are two different problems, although there is a possibility that the .exe file downloaded the other one.

Anyway, I've read a few other methods to remove the h91746.exe trojan on the web, and this seems to be the simplest method:
http://www.pchelpforum.com/fixed-hij...lp-trojan.html
Old 03-29-06, 02:21 AM
  #10  
Senior Member
 
Join Date: Sep 1999
Location: Rochester, NY
Posts: 923
I have gotten this twice in the past few days.

In Safe Mode

Delete stickrep.dll in the windows system32 folder.

Delete the spyware quake folder

After rebooting in normal mode run Spybot and Ad Aware.
Old 03-30-06, 01:54 PM
  #11  
DVD Talk Limited Edition
 
Join Date: Feb 2002
Location: On the penis chair
Posts: 5,169
How did everything turn out?
Old 03-30-06, 10:02 PM
  #12  
DVD Talk Ultimate Edition
 
Join Date: Dec 2001
Location: Carrollton, Ga
Posts: 4,809
Try this guide to remove SpywareQuake. A bastard program that ruined my computer to the point that even after I removed SpywareQuake, I had to reformat and do a clean install.

http://www.geekstogo.com/forum/How_t...e-t104439.html
Old 03-30-06, 10:49 PM
  #13  
DVD Talk Hall of Fame
Thread Starter
 
Join Date: Oct 2003
Location: Seattle, WA
Posts: 9,565
Sorry I've just now had time to get to this...

Curiously, when I rebooted in Safe Mode the stickrep file was gone. I deleted the program (again) and am now in normal mode - so far so good. Also reran Spybot which picked up the usual vcodec file(s) and fixed it w/out having to restart.

I really appreciate your help guys and will keep those links bookmarked should this thing rear its ugly head again.

Thanks again.
