OK, I'm at a loss here. I had SpywareQuake and removed it using smitfraudfix, ewido, ATF-Cleaner, Spyware Doctor, Ad-Aware SE, and AVG. But I still have a virus alert icon flashing at the bottom. It is not the one with the green wheelchair. It flashes between a red circle-slash and a blue-white question mark (help) icon. It pops up the same message as the one with the wheelchair, though. I have been going through every thread I can find and trying everything in them, to no avail.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:30:11 PM, on 6/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - {F7C418F8-FC4A-D0C7-69AC-F05D44B412C1} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Default"
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworld.com/java/ezmed/ezmed.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128478860513
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/bounce/install.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77C7DBD4-B508-4F27-ADF3-708198A6E320}: NameServer = 205.152.37.23 205.152.132.23
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\dvdplay.dll C:\WINDOWS\System32\wowexec.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Thanks
Subaculture


OK, did some updating while waiting; here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:03:39 PM, on 6/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - {F7C418F8-FC4A-D0C7-69AC-F05D44B412C1} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Default"
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{77C7DBD4-B508-4F27-ADF3-708198A6E320}: NameServer = 205.152.37.23 205.152.132.23
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\dvdplay.dll C:\WINDOWS\System32\wowexec.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Subaculture
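
Added example (not part of the original posts): a small Python parser for the HijackThis text format used in the two logs above, comparing a scan taken before a cleanup pass with one taken after it. The two sample logs are abbreviated from the ones posted above; the function names and the two review rules are this example's own assumptions, not HijackThis features.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code text")
# An entry line is "<section code> - <details>", e.g. "O20 - AppInit_DLLs: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Sample input: lines abbreviated from the first and second logs in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
R3 - URLSearchHook: (no name) - {F7C418F8-FC4A-D0C7-69AC-F05D44B412C1} - (no file)
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O20 - AppInit_DLLs: C:\WINDOWS\System32\dvdplay.dll C:\WINDOWS\System32\wowexec.dll
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

R3 - URLSearchHook: (no name) - {F7C418F8-FC4A-D0C7-69AC-F05D44B412C1} - (no file)
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O20 - AppInit_DLLs: C:\WINDOWS\System32\dvdplay.dll C:\WINDOWS\System32\wowexec.dll
"""


def parse_hjt(log_text):
    """Split a HijackThis log into (running process paths, registry/file entries)."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines may or may not separate the sections
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False  # the first entry line ends the process list
            entries.append(Entry(match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs:
            processes.append(line)
    return processes, entries


def review_reason(entry):
    """Return why an entry deserves a manual look, or None (assumed rules)."""
    if "(no file)" in entry.text or "(file missing)" in entry.text:
        return "registry entry refers to a file that is not on disk"
    if entry.code == "O20":
        return "AppInit_DLLs: listed DLLs load into every process that loads user32.dll"
    return None


def compare_logs(before, after):
    """Report what changed between two scans and what is still worth reviewing."""
    b_procs, b_entries = parse_hjt(before)
    a_procs, a_entries = parse_hjt(after)
    flagged = []
    for entry in a_entries:
        why = review_reason(entry)
        if why:
            flagged.append((entry, why))
    return {
        "entries_removed": [e for e in b_entries if e not in a_entries],
        "entries_added": [e for e in a_entries if e not in b_entries],
        "processes_gone": [p for p in b_procs if p not in a_procs],
        "processes_new": [p for p in a_procs if p not in b_procs],
        "still_flagged": flagged,
    }


if __name__ == "__main__":
    report = compare_logs(LOG_BEFORE, LOG_AFTER)
    for key in ("entries_removed", "entries_added", "processes_gone", "processes_new"):
        print(key, "->", report[key])
    for entry, why in report["still_flagged"]:
        print(f"REVIEW {entry.code}: {entry.text}\n    reason: {why}")
```

A flagged line is a prompt to verify the file on disk, not a verdict that it is malicious.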


Never mind, got rid of it using these instructions:

Automated Removal Instructions:

1. Print out these instructions as we will need to close every window that is open later in the fix.

2. Download roguescanfix_setup.exe from here:

roguescanfix_setup.exe

Confirm that the file roguescanfix_setup.exe now resides on your desktop.

3. Double-click on the roguescanfix_setup.exe file found on your desktop.

4. Select your language from the drop down menu and then press the OK button.

5. Now press the Next button.

6. Select the option that says I accept the agreement and press the Next button

7. Press the Next button again.

8. Now click on the Install button.

9. The installation program will start installing RogueScanFix into C:\Program Files\Roguescanfix and then display a new screen. At the next screen, leave the checkmark in the Launch RogueScanFix and press the Finish button.

10. RogueScanFix will automatically be started and you will be presented with the Credits screen. At this screen press the spacebar and you will be presented with a menu. Press the number 1 on your keyboard and press enter. At the next screen simply press the spacebar on your computer to start the removal process.

Note: Please note that when the program starts it will download a program from the Internet that it needs to use during the cleanup. If your firewall gives an alert about this, please allow the download.exe or run.bat program to access the Internet.

When the program starts, your desktop will disappear, which is normal, so please do not be concerned. It will then start the SpywareQuake uninstallation program. When that program starts, click on the Uninstall button. When it has finished uninstalling, you can then press the OK button to finish the uninstalling of SpywareQuake.

When this program is finished, and it was able to delete all the files, you will see a small prompt that says Completed script execution. Simply press the OK button. It will then open the Brute Force Uninstaller program. Close this by pressing the Exit button. If there is a notepad open called task.txt, you can close that as well. Now continue to Step 11.

If there were more files that needed to be deleted, the program will prompt you to reboot your computer. Press the Yes button and allow the computer to reboot. When you are back at the desktop, close the task.txt notepad if it is open, and proceed to Step 11.

11. Go to this page and click on the smitRem Download Link link to download smitRem.exe. When downloading smitRem.exe save it to your desktop. You will now see an icon on your desktop that looks like the one below.


12. Double-click on the smitRem.exe file. You will now see a screen similar to the one below.


Click on the Start button and the program will start extracting the files into a folder on your desktop called smitRem. When it is finished, click on the OK button. If you look on your desktop you will now see a folder called smitRem.

13. Next, please reboot your computer into Safe Mode by doing the following:

1. Restart your computer

2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3. Instead of Windows loading as normal, a menu should appear

4. Select the first option, to run Windows in Safe Mode.

5. When you are at the logon prompt, log in as an Administrator

14. When your computer has started in safe mode and you see the desktop.

15. Close all open Windows.

16. Open the smitRem folder on your desktop and the contents of the folder will be similar to the image below.

Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool.

17. When the tool starts you will see a series of screens with information on them. Read each screen, and when you are finished reading it, simply press any key on your keyboard. After reading the various screens that appear, the program will start the removal process.

If there is an uninstaller present for an infection that smitRem removes it will start this uninstaller.

Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and smitRem will prompt you to continue. Now you should press any key to continue.

When no more uninstallers can be found, the tool will continue. Your desktop will disappear and you will start seeing text scroll across the screen. This is normal and nothing to be concerned about. When smitRem has finished running it will automatically start the Disk Cleanup program as shown by the image below.

This program will remove all Temp, Temporary Internet Files, and empty your Recycle Bin in order to remove any leftover files installed by this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will be back at your desktop.

18. When the tool is finished, it will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned.

19. Reboot your computer back to normal mode.

20. Perform an online scan with Panda: Panda Online

1. Once you are on the Panda site click the Scan your PC button

2. A new window will open...click the Check Now button

3. Enter your Country

4. Enter your State/Province

5. Enter your e-mail address and click send

6. Select either Home User or Company

7. Click the big Scan Now button

8. If it wants to install an ActiveX component allow it

9. It will start downloading the files it requires for the scan (Note: It may take a few minutes)

10. When download is complete, click on Local Disks to start the scan


Your computer should now be free of the SpywareQuake infection. If you are still receiving taskbar security warnings stating that you are infected, open C:\Program Files\RoguesScanFix\task.txt and paste the contents of that log into a new topic in the HijackThis Logs Analysis or the Am I Infected forums and someone will advise you as to your next step. When posting the topic, please also mention that you have already done the steps in this guide.

If you are still having problems with other spyware or malware after removing SpywareQuake, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Manual Removal Instructions:

1. Print out these instructions as we will need to close every window that is open later in the fix.

2. Download FixSQ.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.

FixSQ.reg Download Link

Confirm that the file FixSQ.reg now resides on your desktop as we will need it later.

3. Go to this page and click on the smitRem Download Link link to download smitRem.exe. When downloading smitRem.exe save it to your desktop. You will now see an icon on your desktop that looks like the one below.


4. Double-click on the smitRem.exe file. You will now see a screen similar to the one below.


Click on the Start button and the program will start extracting the files into a folder on your desktop called smitRem. When it is finished, click on the OK button. If you look on your desktop you will now see a folder called smitRem.

5. Go to your desktop and double click on the FixSQ.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button.

6. Click on the Start button and then select the Run option.

7. In the Open: field type c:\windows\system32 and then press the OK button.

8. When the folder appears, if it says These files are hidden, click on the Show the contents of this folder option.

9. Now scroll through the list of files and find stickrep.dll
1. If you can not see the stickrep.dll file, click on the Tools menu and select Folder Options.
2. Click on the View tab.
3. Under the Hidden files and folders category select Show hidden files and folders.
4. Uncheck Hide protected operating system files.
5. Press Apply and then OK.
6. If you still can not see the file, then undo these changes and skip to step 11.

10. Right-click on stickrep.dll and select rename. Rename the file to stickrep.dll.bad.

Look for the file suprox.dll and rename the file to suprox.dll.bad.

Look for the file xenadot.dll and rename the file to xenadot.dll.bad.

Look for the file sivudro.dll and rename the file to sivudro.dll.bad.

Look for the file dvdcap.dll and rename the file to dvdcap.dll.bad.

Look for the file autodisc32.dll and rename the file to autodisc32.dll.bad.

Look for the file wfkduei.dll and rename the file to wfkduei.dll.bad.

Look for the file yhbdupd.dll and rename the file to yhbdupd.dll.bad.

Look for the file imfdfcj.dll and rename the file to imfdfcj.dll.bad.

Look for the file hvnwm.dll and rename the file to hvnwm.dll.bad.

Look for the file ywbicim.dll and rename the file to ywbicim.dll.bad.

Look for the file vhywj.dll and rename the file to vhywj.dll.bad.

Look for the file yfysupa.dll and rename the file to yfysupa.dlll.bad.

Look for the file ornzq.dll and rename the file to ornzq.dll.bad.

Look for the file sxbbx.dll.dll and rename the file to sxbbx.dll.dlll.bad.

Look for the file ucbrrt.dll and rename the file to ucbrrt.dlll.bad.

Look for the file acvgxw.dll.dll and rename the file to acvgxw.dll.dlll.bad.

Look for the file icima.dll and rename the file to icima.dlll.bad.

Look for the file dnefhw.dll and rename the file to dnefhw.dll.bad.

Look for the file posem.dll and rename the file to posem.dll.bad.

Look for the file ofcukiz.dll and rename the file to ofcukiz.dll.bad.

Look for the file hzclqhc.dll and rename the file to hzclqhc.dll.bad.

Look for the file qrucmr.dll and rename the file to qrucmr.dll.bad.

Look for the file erxbx.dll and rename the file to erxbx.dll.bad.

Look for the file lwpfwjb.dll and rename the file to lwpfwjb.dll.bad.

Look for the file rmzdzx.dll and rename the file to rmzdzx.dll.bad.

Note: Please rename any of the above files that you may find. If you do not find any of these files, then you should post a note about it in the Am I Infected? forum.

11. After you rename the file, you can close the System32 folder window.

12. Next, please reboot your computer into Safe Mode by doing the following:

1. Restart your computer

2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3. Instead of Windows loading as normal, a menu should appear

4. Select the first option, to run Windows in Safe Mode.

5. When you are at the logon prompt, log in as a user with administrator privileges or one that has permission to delete files in the C:\Windows folder.

13. When your computer has started in safe mode and you see the desktop.

14. Click on the Start Menu

15. Click on the Control Panel option.

16. Double-click on the Add or Remove Programs icon.

17. Find the entry for SpywareQuake and double-click on it. Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks.

18. When it has completed uninstalling you can close Add or Remove Programs and your Control Panel.

19. Delete the following files and folders (Do not be concerned if this folder does not exist):

C:\Windows\System32\stickrep.dll.bad
C:\Windows\System32\suprox.dll.bad
C:\Windows\System32\xenadot.dll.bad
C:\WINDOWS\system32\sivudro.dll.bad
C:\Windows\System32\autodisc32.dll.bad
C:\Windows\System32\yhbdupd.dll
C:\Windows\System32\imfdfcj.dll
C:\Windows\System32\hvnwm.dll
C:\Windows\System32\wfkduei.dll
C:\Windows\System32\ywbicim.dll
C:\Windows\System32\yfysupa.dll
C:\Windows\System32\vhywj.dll
C:\Windows\System32\asxbbx.dll
C:\Windows\System32\ucbrrt.dll
C:\Windows\System32\acvgxw.dll
C:\Windows\System32\ofcukiz.dll
C:\Windows\System32\dnefhw.dll
C:\Windows\System32\ornzq.dll
C:\Windows\System32\icima.dll
C:\Windows\System32\posem.dll
C:\Windows\System32\hzclqhc.dll
C:\Windows\System32\erxbx.dll
C:\Windows\System32\qrucmr.dll
C:\Windows\System32\lwpfwjb.dll
C:\Windows\System32\rmzdzx.dll
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\dfrgsrv.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\Program Files\SpywareQuake\

20. Close all open Windows.

21. Open the smitRem folder on your desktop and the contents of the folder will be similar to the image below.

Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool.

22. When the tool starts you will see a series of screens with information on them. Read each screen, and when you are finished reading it, simply press any key on your keyboard. After reading the various screens that appear, the program will start the removal process.

If there is an uninstaller present for an infection that smitRem removes it will start this uninstaller.

Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and smitRem will prompt you to continue. Now you should press any key to continue.

When no more uninstallers can be found, the tool will continue. Your desktop will disappear and you will start seeing text scroll across the screen. This is normal and nothing to be concerned about. When smitRem has finished running it will automatically start the Disk Cleanup program as shown by the image below.

This program will remove all Temp, Temporary Internet Files, and empty your Recycle Bin in order to remove any leftover files installed by this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will be back at your desktop.

23. When the tool is finished, it will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned.

24. Reboot your computer back to normal mode.


Subaculture
