[Fixed] Hijackthis! Logs - [Fixed] Spyware problem. (brothers computer), posted in the Security & Safety forums
#8
05-07-2006
PraiseJah, Elite Member
Join Date: Aug 2005
Posts: 426
PC Experience: Some Experience

And my brother thanks you!


#9
05-08-2006
joe5, Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

You and your brother are welcome of course, but I'm afraid it's not gone yet.
This infection you have keeps changing and needs updated removal instructions all the time lately.

Note:
Even if you do not find some of the files mentioned, or you do not see SpywareQuake in Add/Remove Programs or the folder for it, just continue with ALL steps through to the end.



Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixquake.reg and then click Save, saving it to your Desktop. We will use it later after a reboot into safe mode.

REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{35A88E51-B53D-43E9-B8A7-75D4C31B4676}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}"=-
"{35A88E51-B53D-43E9-B8A7-75D4C31B4676}"=-
"{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"=-
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"=-
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"=-
"{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"=-
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"=-
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"=-
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareQuake"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyFalcon"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"dcomcfg.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareQuake.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuake.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\SpyFalcon]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0398eca-0bcd-4645-8261-5e9dc70248d0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A932ED2-1737-4AB8-B84D-C71779958551}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{7A932ED2-1737-4AB8-B84D-C71779958551}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5C70510-5A01-B2A5-CF84-D6DC13859967}]

[-HKEY_CLASSES_ROOT\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}]
[-HKEY_CLASSES_ROOT\CLSID\{35A88E51-B53D-43E9-B8A7-75D4C31B4676}]
[-HKEY_CLASSES_ROOT\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}]
[-HKEY_CLASSES_ROOT\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}]
[-HKEY_CLASSES_ROOT\CLSID\{B0398ECA-0BCD-4645-8261-5E9DC70248D0}]
[-HKEY_CLASSES_ROOT\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}]
[-HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}]
[-HKEY_CLASSES_ROOT\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}]

Now download smitRem.exe written by noahdfear and save the file to your Desktop. Double click on the smitRem.exe file and click the Start button to extract it to its own folder named SmitRem on the desktop (this should be the default selection). Do not run anything else related to the program yet!

Now you will need to print or save these instructions locally (to a text file on your Desktop) for later reference. This is necessary because you must not have any browsers open and must not connect to the internet while following the below steps. Now disconnect your cable to the internet (physically unplug it).

After saving the instructions, reboot into Safe Mode.
Once in safe mode, go to Add/Remove Programs and uninstall Spyware Quake and/or SpyFalcon (if they are found).

Now double-click on the fixquake.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add it to the registry, say Yes.


Run Windows Explorer by right clicking Start and selecting Explore.
Navigate to your %System32% folder (C:\Windows\system32 or C:\Winnt\system32, depending on how/which OS you have installed).
Look for the following files based upon where you have Windows installed:
  • %System32%\dxmpp.dll
  • %System32%\ginuerep.dll
  • %System32%\stickrep.dll
  • %System32%\__delete_on_reboot__stickrep.dll
  • %System32%\suprox.dll
  • %System32%\xenadot.dll
  • %System32%\sivudro.dll
  • %System32%\twain32.dll
  • %System32%\dvdcap.dll
  • %System32%\reglogs.dll

  • When you locate the files, right click on them and select Rename. Change the dll extension to DDD. For example: rename xenadot.dll to xenadot.DDD. We will fully delete the files later.
Now open the smitRem folder on your Desktop, double click on it to access the folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. If you cannot get RunThis.bat to work in safe mode, REBOOT into normal mode (with no internet connection) and repeat the above step from the point of booting in safe mode.


The tool will create a log named smitfiles.txt in the root of the drive that you ran the batch file on, e.g. Local Disk C: or the partition where your operating system is installed. Upload this file later after reboot. Now reboot your system into normal mode.

Now after reboot relocate the DLL files we renamed with a DDD extension in the above step and delete them. If you have a problem deleting these files, try rebooting one more time into safe mode and attempt another deletion. If it still does not delete, make sure you tell us later. Also delete the below files and folders if found:
  • C:\Program Files\AdwareSheriff
  • C:\Program Files\Spyware Quake
  • C:\Program Files\SpywareQuake.com
  • C:\Program Files\SpyFalcon
  • C:\Windows\System\1024 (or C:\Winnt\System\1024 )
  • %System32%\1024
  • %System32%\dcomcfg.exe
  • %System32%\atmclk.exe
  • %System32%\dfrgsrv.exe
  • %System32%\hp????.tmp ( where ???? is any 4 random characters)
  • %System32%\mssearchnet.exe
  • %System32%\nvctrl.exe
  • %System32%\ot.ico
  • %System32%\simpole.tlb
  • %System32%\stdole3.tlb
  • C:\Documents and Settings\[Current User Account]\Start Menu\Programs\SpywareQuake <---- where [Current User Account] is the actual user account name you are logged into.
Reconnect your cable to the internet.
Now attach your smitfiles.txt log and a new Hijackthis log.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
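The fixquake.reg file in the post above is merged blind by double clicking it. As an added example (not the poster's file, not part of smitRem or HijackThis), the script below parses the REGEDIT4 syntax that file uses ([-Key] deletes a key, [Key] creates or opens one, "Name"=- deletes a value, "Name"="..." sets one) and lists every action before anything touches a live registry. SAMPLE_REG is a constructed excerpt of the fix with the wrapped "Curr entVersion" text joined back up; it keeps the "dcomcfg.exe"=- line that follows a [-...\policies\explorer\run] deletion, because that ordering is an edge case a reviewer should notice: once the key is gone there is nothing for the value line to apply to.

```python
"""Preview what a REGEDIT4-style .reg fix would do before merging it.

Added example, not the forum post's file nor part of smitRem/HijackThis.
SAMPLE_REG is a constructed excerpt of joe5's fixquake.reg.
"""
import re
from collections import Counter, namedtuple

Action = namedtuple("Action", "kind key name data")

SAMPLE_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareQuake"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"dcomcfg.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuake.com]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')          # [Key] or [-Key]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "Name"=data
DEFAULT_RE = re.compile(r'^(@)=(.*)$')               # @=data (default value)


def _unescape(name):
    # .reg value names escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', name)


def parse_reg(text):
    """Return the list of Actions a .reg file would perform, in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / Version 5.00 header")
    actions = []
    current = None          # key that following value lines apply to
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                actions.append(Action("delete_key", key, None, None))
                current = None   # values after a [-Key] line have no target
            else:
                actions.append(Action("ensure_key", key, None, None))
                current = key
            continue
        m = VALUE_RE.match(line) or DEFAULT_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % raw)
        name, data = _unescape(m.group(1)), m.group(2).strip()
        if current is None:
            # e.g. "dcomcfg.exe"=- right after [-...\policies\explorer\run]:
            # regedit has no key to apply it to, so it is effectively a no-op
            actions.append(Action("ignored_value", None, name, data))
        elif data == "-":
            actions.append(Action("delete_value", current, name, None))
        else:
            actions.append(Action("set_value", current, name, data))
    return actions


def summarize(actions):
    """Count actions by kind, e.g. {'delete_key': 3, 'delete_value': 2, ...}."""
    return dict(Counter(a.kind for a in actions))


if __name__ == "__main__":
    acts = parse_reg(SAMPLE_REG)
    for a in acts:
        target = a.key if a.name is None else "%s \\ %s" % (a.key, a.name)
        print("%-14s %s" % (a.kind, target))
    print(summarize(acts))
```

Run it against the full fixquake.reg saved from the post to get the complete list of keys and values that will be removed; the summary line makes it obvious if a file contains set_value entries (something a pure clean-up fix should not), and every ignored_value entry points at a line that will silently do nothing.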

#10
05-12-2006
PraiseJah, Elite Member
Join Date: Aug 2005
Posts: 426
PC Experience: Some Experience

Ok, I went in and tried to do all of the steps but I failed to find any of those DLL files. I looked myself and then I tried using the search, and neither came up with anything. Then, of the other files you said to delete, I found these ones.

%System32%\atmclk.exe

%System32%\simpole.tlb

%System32%\stdole3.tlb

Those 3 were deleted, but I also found this one but couldn't get rid of it.

%System32%\dcomcfg.exe
Attached Files
File Type: txt smitfiles.txt (3.3 KB, 1 views)
File Type: log hijackthis.log (1.6 KB, 1 views)


#11
05-14-2006
joe5, Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Hmm.. I still don't see a firewall, AV, or SP2. What I do see is that you already have a new infection on there again.

First please run Smitfraud, see link and instructions here:

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Then boot in safe mode and fix these with HJT if still present:


F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp6419.tmp
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

Do a search for these files and delete them:

ibm00000.exe
ibm00001.dll
ibm00001.exe
ibm00002.dll
tmp.tmp


After that reboot, and do a Panda scan here:

http://www.pandasoftware.com/products/activescan

And post the log from that, plus a new HJT log.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
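The three HijackThis lines joe5 singles out share traits that a reader can check for mechanically. As an added example (not part of HijackThis, SmitfraudFix or the post), the script below parses F2 system.ini Shell= entries, O2 browser helper objects and O4 Run entries and flags what made these suspicious: a Shell value that starts anything besides explorer.exe, a BHO with no name or loaded from a .tmp file, and a Run entry whose program is the same extra Shell program or matches one of the file names joe5 lists for deletion. The heuristics are mine, the POSTED_BAD_NAMES set is taken from the post, and the ctfmon.exe line is a constructed benign entry (ctfmon.exe is a normal Windows component) included to show it is not flagged.

```python
"""Triage HijackThis F2 / O2 / O4 log lines for the shell-hijack pattern.

Added example, not part of HijackThis or the forum post. SAMPLE_LOG holds the
three lines from the post plus one constructed benign O4 entry.
"""
import os
import re

# File names joe5 listed for deletion in the post
POSTED_BAD_NAMES = {"ibm00000.exe", "ibm00001.dll", "ibm00001.exe", "ibm00002.dll", "tmp.tmp"}

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp6419.tmp
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(.*)$')
O2_RE = re.compile(r'^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
O4_RE = re.compile(r'^O4 - (\S+): \[([^\]]*)\] (.*)$')


def _programs(cmdline):
    """Split a Shell=/Run command line into program paths (quoted or bare)."""
    return [p.strip('"') for p in re.findall(r'"[^"]+"|\S+', cmdline)]


def _basename(path):
    # Works on any host OS: normalise Windows separators before basename()
    return os.path.basename(path.strip('"').replace("\\", "/")).lower()


def triage(log_text):
    """Return (line, reason) pairs for entries that look hijacked."""
    findings = []
    extra_shell_programs = set()
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # Pass 1: the Shell= value and BHO entries
    for line in lines:
        m = F2_RE.match(line)
        if m:
            progs = _programs(m.group(1))
            # A clean system.ini Shell is explorer.exe and nothing else
            extras = [p for p in progs if _basename(p) != "explorer.exe"]
            if extras:
                extra_shell_programs.update(_basename(p) for p in extras)
                findings.append((line, "Shell= starts extra program(s): " + ", ".join(extras)))
            continue
        m = O2_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            reasons = []
            if name.strip().lower() in ("nothing", "(no name)", ""):
                reasons.append("BHO has no name")
            if _basename(path).endswith(".tmp"):
                reasons.append("BHO loaded from a .tmp file")
            if reasons:
                findings.append((line, "; ".join(reasons) + " (" + clsid + ")"))
    # Pass 2: Run entries, correlated with what the Shell= value launches
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        hive, entry_name, cmd = m.groups()
        progs = _programs(cmd)
        base = _basename(progs[0]) if progs else ""
        if base in extra_shell_programs:
            findings.append((line, "Run entry launches the same program as the hijacked Shell="))
        elif base in POSTED_BAD_NAMES:
            findings.append((line, "Run entry launches a file named in the removal list"))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(why)
        print("    " + line)
```

The two-pass structure is the point: the O4 entry on its own is just a program in Common Files, but once the Shell= line shows the same executable being started as a second shell, the Run entry is the persistence copy of the same thing, which is why both lines go in the fix together.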

#12
05-15-2006
PraiseJah, Elite Member
Join Date: Aug 2005
Posts: 426
PC Experience: Some Experience

Ok, I had an AV in here before but I think my brother got rid of it 'cause he didn't realize it was an AV. But now I only need the SP2, which I'm going to get right after this. Anyway, I looked for those files and these were the results.

ibm00000.exe - couldn't find
ibm00001.dll - can't delete
ibm00001.exe - deleted
ibm00002.dll - can't delete
tmp.tmp - couldn't find


And now I get this message when I turn on the computer that says "Windows cannot find "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe". Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

And here are my logs. I don't know if you wanted the Activescan one, but there it is.
Attached Files
File Type: log hijackthis.log (3.5 KB, 4 views)
File Type: txt rapport.txt (1.2 KB, 3 views)
File Type: txt Activescan.txt (6.8 KB, 3 views)


#13
05-16-2006
ladygreenwitch, HR Director
Join Date: Jul 2005
Location: Bay Area California
Posts: 5,769
PC Experience: PC Illiterate

Hey Guys,

@PJ, you know better than to come here without your PC updated, no AV AND no Firewall!!! We taught you better than that.

Now here is the thing. You know that we care, and you know that we are here to help, but if you don't take the lessons to heart, you make us frustrated. So, if your brother is causing problems, create a profile for him that is limited so he can't. Make sure that he cannot log on using the Administrative User accounts.

If you come back with other infections, and you haven't taken the proper security measures, I will email your mom, and restrict you from the computer for two weeks. AND I AM NOT KIDDING!! I will also ask that no one from the Security Team help you if you do not have the proper (and you have been trained, a lot!) software in place. I hope that I am making myself clear.

OK, to attempt to delete those files that will not delete, try it in Safe Mode. Post back if they still will not delete. If they do, get that other stuff in place, and post back to show us that you have done it. OK?

Tell your mom "Hi" from me.

Looking forward to your reply,

TTFN

LGW


#14
05-17-2006
PraiseJah, Elite Member
Join Date: Aug 2005
Posts: 426
PC Experience: Some Experience

Ok, I feel that I must clear my good name here because I think you may have misunderstood what is going on here. This is not my computer, it is my brother's computer. My computer is in my room with allllll the little programs I need on it. You are correct, you taught me better than that. My computer now is never without those programs and in fact I have been going around installing them on my friends' and family's computers too. So, here is what is actually going on here.

1. I saw that his computer was infected and posted on here. I realized that he didn't have the stuff and so I started downloading it and said that in the post. I forgot the Firewall and didn't get the SP2 because I didn't know the web site to download it manually, and 2, when I asked Joe where it was he said "But first lets get rid of the malware on there." the key word there being "first".

2. I then did what Joe said to do and later was told I didn't have an AV on that computer, but that is because my brother got rid of it not knowing what it was; his computer is running out of space and so he's been getting rid of things.

3. I have downloaded all the things I need except SP2 because, like I said, Joe said to get rid of that stuff first. If I knew that first did not mean to wait till the infection was gone I would have gotten it right then.

So, I plead not guilty to the charges brought against me and throw myself at the mercy of the court. :-P

Tristen (aka PJ)

P.S. My mom says hi :-)
