Spyware Quake plus more

By koolan
Aug 6, 2006
Topic Status:
Not open for further replies.
  1. Yesterday I picked up Spyware Quake, which I think I took care of, but it left some residuals: ismon.exe and ishost.exe and several other things I've never seen before, like javaw.exe (which, according to a few sites, is not malicious, but it's also never popped up before) and win2a.tmp.exe. In addition, it seems to randomly open Internet Explorer (which I don't use), but the window is hidden. Here's the log.

  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    Your system is infected with some real nasties.

    Download and run these three tools. Follow the instructions for each tool.

    Tool1. Tool2. Tool3.

    Post a fresh HJT log into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of koolan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    You must run the three tools. Post a fresh HJT log, only after you've run the tools.

    The tools will kill most of the infections you have.

    Regards Howard :)
  4. koolan

    koolan Newcomer, in training Topic Starter

    Look2Me-Destroyer would say it would reopen in 1 minute and never reopen, but here is the updated log after using the other two tools. :p I also just found Toolbar888 and Yazzle by Oin in my add remove programs list but haven't removed them yet.
  5. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    OK, we've got rid of some of your nasties. However, you still have a whole lot more that need to be got rid of.

    Download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in your control panel and uninstall anything to do with the following (if there).

    ??pPatch (the two question marks can be any random letter or number, etc.)

    ToolBar888

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    dd8da8b4.exe
    n?tepad.exe (again, the question mark can be any random letter/number)
    javaw.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {BB67EE85-7C48-20C6-4E56-2A10E6247FC6} - C:\WINDOWS\system32\lqzu.dll (file missing)

    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll

    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll

    O4 - HKLM\..\Run: [dd8da8b4.exe] C:\WINDOWS\system32\dd8da8b4.exe

    O4 - HKCU\..\Run: [dd8da8b4.exe] C:\Documents and Settings\Ryan\Local Settings\Application Data\dd8da8b4.exe

    O4 - HKCU\..\Run: [Snet] "C:\DOCUME~1\Ryan\MYDOCU~1\FNTS~1\javaw.exe" -vt yazb

    O4 - HKCU\..\Run: [Udovj] C:\Program Files\??pPatch\n?tepad.exe

    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

    O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll.dll C:\WINDOWS\system32\notepad.dll

    O20 - Winlogon Notify: winrid32 - C:\WINDOWS\SYSTEM32\winrid32.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\??pPatch
    C:\Documents and Settings\Ryan\Local Settings\Application Data\dd8da8b4.exe
    C:\WINDOWS\system32\dd8da8b4.exe
    C:\Program Files\ToolBar888

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete file on reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

    These are the file paths you need to enter into Killbox.

    C:\WINDOWS\SYSTEM32\winrid32.dll
    C:\WINDOWS\system32\notepad.dll
    C:\WINDOWS\system32\rundll.dll

    Once your system has rebooted, turn system restore back on.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of koolan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
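    As an added example that is not part of this thread, of HijackThis or of any tool Howard names, here is a small Python triage script for the kind of HJT log entries being fixed above. It parses each line by its section prefix (R3, O2, O3, O4, O16, O20), extracts the file paths and URLs the entry references, and attaches defender-oriented flags: entries that point at a file that is already gone, names HJT had to mask with '?', autostarts running from the user profile, remote ActiveX packages, and the AppInit_DLLs and Winlogon Notify loaders that keep coming back in this thread. The sample log is constructed from entries quoted in the thread; the flag names, the section descriptions and the lookalike list are this example's own.

```python
"""Triage of HijackThis (HJT) log entries: parse, extract paths, flag what matters.

Added example; not code from the thread or from HijackThis. SAMPLE_LOG is
constructed from entries quoted in the thread.
"""
import re
from dataclasses import dataclass, field

# What each HJT section prefix reports (only the sections seen in this thread).
SECTION_MEANING = {
    "R3": "IE URLSearchHook",
    "O2": "Browser Helper Object (DLL loaded into Internet Explorer)",
    "O3": "Internet Explorer toolbar",
    "O4": "Autostart via HKLM/HKCU ...\\Run",
    "O16": "Downloaded Program File (ActiveX .cab from a remote URL)",
    "O20": "AppInit_DLLs or Winlogon Notify DLL",
}

# Flag codes (this example's own) and what each means to the person reading the log.
FLAG_MEANING = {
    "orphaned": "registry still points at a file that is gone; residue of a partial cleanup",
    "wildcard-path": "'?' in the path: a character HJT could not display; the name is not what it resembles",
    "user-profile-autostart": "autostart binary lives under the user profile, not Windows or Program Files",
    "appinit-dlls": "DLL injected into every process that loads user32.dll",
    "winlogon-notify": "DLL loaded by winlogon.exe at logon, before the shell; hard to delete while running",
    "remote-activex": "ActiveX package fetched from a remote site",
    "system-name-lookalike": "file name imitates a Windows system binary",
}

# Constructed for this example from names in the thread's log: the real tools are
# notepad.exe and rundll32.exe; these .dll names borrow their look.
LOOKALIKE_NAMES = {"notepad.dll", "rundll.dll"}

LINE_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# Drive-letter path: backslash-separated segments (spaces allowed), ending in a short extension.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\"<>|:\r\n]*\\)*[^\\"<>|:\r\n]*?\.[A-Za-z0-9]{2,4}\b')
URL_RE = re.compile(r"https?://\S+")
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\")


@dataclass
class Entry:
    section: str
    body: str
    paths: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    flags: list = field(default_factory=list)


def parse_entry(line):
    """Return an Entry for one HJT line, or None for a non-entry line (blank, header)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    e = Entry(section=section, body=body)
    e.paths = PATH_RE.findall(body)
    e.urls = URL_RE.findall(body)
    if "(file missing)" in body or "(no file)" in body:
        e.flags.append("orphaned")
    if any("?" in p for p in e.paths):
        e.flags.append("wildcard-path")
    if section == "O4" and any(mk in p.lower() for p in e.paths for mk in USER_PROFILE_MARKERS):
        e.flags.append("user-profile-autostart")
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        e.flags.append("appinit-dlls")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        e.flags.append("winlogon-notify")
    if section == "O16" and e.urls:
        e.flags.append("remote-activex")
    if any(p.rsplit("\\", 1)[-1].lower() in LOOKALIKE_NAMES for p in e.paths):
        e.flags.append("system-name-lookalike")
    return e


def triage(log_text):
    """Parse every HJT entry in the log, in file order."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e is not None]


def flagged(log_text):
    """Only the entries carrying at least one flag."""
    return [e for e in triage(log_text) if e.flags]


def report(log_text):
    """Human-readable triage report: one block per flagged entry."""
    out = []
    for e in flagged(log_text):
        out.append(f"{e.section} ({SECTION_MEANING.get(e.section, 'other')}): {e.body}")
        out.extend(f"    - {f}: {FLAG_MEANING[f]}" for f in e.flags)
    return "\n".join(out)


# Constructed sample: entries quoted in this thread's HJT fix lists.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {BB67EE85-7C48-20C6-4E56-2A10E6247FC6} - C:\WINDOWS\system32\lqzu.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [dd8da8b4.exe] C:\WINDOWS\system32\dd8da8b4.exe
O4 - HKCU\..\Run: [dd8da8b4.exe] C:\Documents and Settings\Ryan\Local Settings\Application Data\dd8da8b4.exe
O4 - HKCU\..\Run: [Snet] "C:\DOCUME~1\Ryan\MYDOCU~1\FNTS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Udovj] C:\Program Files\??pPatch\n?tepad.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll.dll C:\WINDOWS\system32\notepad.dll
O20 - Winlogon Notify: winrid32 - C:\WINDOWS\SYSTEM32\winrid32.dll
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

    Running the script prints the eight flagged entries with their reasons; the ToolBar888 toolbar, the HKLM copy of dd8da8b4.exe and the ctfmon.exe autostart pass through unflagged because a name-and-path heuristic has nothing to say about them, which is exactly why Howard works from the whole log rather than from one rule.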
  6. koolan

    koolan Newcomer, in training Topic Starter

    Killbox could not delete any of those DLLs. Something called Yazzle by OIN remains in the add remove programs list. Here is the updated log.
  7. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Try this.

    Download Brute Force Uninstaller http://www.merijn.org/files/bfu.zip and unzip it to its own folder (c:\BFU).

    Right-click on this link http://metallica.geekstogo.com/EGDACCESS.bfu and choose 'Save As' (or 'Save Target As') in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU).

    Start the Brute Force Uninstaller by double-clicking BFU.exe.

    In the scriptline to execute, copy and paste c:\bfu\EGDACCESS.bfu
    Press execute and let it do its job.

    Wait for the complete script execution box to pop up and press OK.
    Press exit to terminate the BFU program.

    Once that's done, post a fresh HJT log.

    Regards Howard :)
  8. koolan

    koolan Newcomer, in training Topic Starter

    I did that. Here's the new log.
  9. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Damn, the nasty entries are still there.

    Try this.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll.dll C:\WINDOWS\system32\notepad.dll

    O20 - Winlogon Notify: winrid32 - C:\WINDOWS\SYSTEM32\winrid32.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\WINDOWS\SYSTEM32\winrid32.dll
    C:\WINDOWS\system32\rundll.dll
    C:\WINDOWS\system32\notepad.dll

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.


    Regards Howard :)

    This thread is for the use of koolan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    I've just been reading back through this thread and noticed you said you had an entry for Yazzle in your add remove programme. I'd like you to uninstall it. Then, delete any reference to Yazzle you find on your system.

    Regards Howard :)
  11. koolan

    koolan Newcomer, in training Topic Starter

    The two entries in HJT were successfully removed; however, I got this message upon fixing them:

    "An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll.dll C:\WINDOWS\system32\notepad.dll)
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan."

    As for the DLLs, I got an error message when trying to delete winrid32.dll saying access denied; rundll.dll was not there, although there was rundll32.exe, and notepad.dll was not there, although notepad.exe was. In addition, I saw a file called nslookup.exe in the system32 folder. Here is a fresh HJT. As you can see, O20 - Winlogon Notify: winrid32 - C:\WINDOWS\SYSTEM32\winrid32.dll is now back.
     
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    This sure is one hell of a stubborn mother to get rid of.

    I'm not sure what the error message means; I've never seen that before. Maybe it's a bug in HJT?

    My main concern is that nasty entry in your HJT log is still there.

    Did you uninstall Yazzle from add remove programmes? If not, you should do so.

    Download and run the Look2Medestroyer.exe from HERE. Run it as per the instructions. However, if it doesn't reopen after 1 minute, please be patient and wait for at least 5 minutes.

    I'd also like you to download and run the vundofix tool from HERE. This is not the same vundo removal tool you used before.

    Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * In case it says that nothing has been found, right-click the list box (white box) in the main VundoFix window.
    * Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
    In the window, copy and paste the following into the first field: C:\WINDOWS\SYSTEM32\winrid32.dll
    Click the “Add Files” button.
    Click the "Close Window" button.
    Click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files; click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shut down your computer; click OK.
    Turn your computer back on.

    Post a fresh HJT log and let me know the outcome.

    Regards Howard :)
  13. koolan

    koolan Newcomer, in training Topic Starter

    I can tell you that after all the various fixes we've done so far my system is booting much faster, lol. Look2Me-Destroyer worked this time. Nothing came up in the little window but it did not give me a message saying no infected files were found so I clicked remove and it appeared to remove something. Vundo gave me a message saying no infections were found. Here is the Look2Me log and an updated HJT.
  14. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Nope, the nasty is still there.

    I'm running out of things to try here. I've not come across this particular infection before. Maybe it's some kind of new variant or something.

    Please tell me if you uninstalled Yazzle.

    Try this.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop; this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste the content of c:\avenger.txt into your reply.

    When it reboots, post a fresh HJT log.

    Regards Howard :)
  15. koolan

    koolan Newcomer, in training Topic Starter

    Yes, I did uninstall the Yaz by Oin thing. I may end up formatting eventually even though I did like a month ago. I'll try what you said and post the results in a bit.
  16. koolan

    koolan Newcomer, in training Topic Starter

    When the cmd prompt closed it asked me if I wanted to create avenger.txt. I said yes, but the file is blank. Here is the new log.
  17. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Damn, it's still there.

    Go HERE and follow the instructions for Ewido.

    Once done, post the Ewido log and a fresh HJT log.

    Regards Howard :)
  18. koolan

    koolan Newcomer, in training Topic Starter

    Used the program. It found quite a few things which were quarantined and then removed.
     
  19. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    You're not using any antivirus software or firewall.

    Download the free AVG antivirus programme and the free Zonealarm firewall from HERE and HERE.

    Install Zonealarm, followed by AVG. Reboot your system the required number of times and run the AVG updates.

    Boot into safe mode and turn system restore off.

    Run a full system scan with AVG and delete anything it finds.

    Boot into normal mode and turn system restore back on.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of koolan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  20. koolan

    koolan Newcomer, in training Topic Starter

    I think it may have worked! In the HJT it says the file is not found. Here it is.
  21. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    That's fantastic news.

    Have HJT fix these two entries.

    O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab

    O20 - Winlogon Notify: winrid32 - winrid32.dll (file missing)

    Other than that, your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of koolan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  22. koolan

    koolan Newcomer, in training Topic Starter

    For safety's sake, here's another HJT. Also, is there any way of preventing ctfmon from running? I've read it's non-essential (though I don't know for sure) and I believe it's conflicting with an anti-cheat program used by some games called Punkbuster. Also, an S&SD search today found more smitfraud, which I had it fix. Thank you so much for all your help.
  23. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    If you want to stop ctfmon from running, that's not a problem.

    Have HJT fix the following entries.

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab

    Your HJT log is still clean.

    Regards Howard :)

    This thread is for the use of koolan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  24. koolan

    koolan Newcomer, in training Topic Starter

    Cool thank you. Can I also do that for ZCfgSvc.exe, iTunesHelper, ProNoMgr.exe?
  25. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Yes, yes and yes lol.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)


    This thread is for the use of koolan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.