
SpywareQuake 2.0 and related systray icon 2

Status
Not open for further replies.

JoeBio

Technical User
Mar 25, 2006
2
US
I read all about another user on this forum having a similar problem as myself (titled "flashing virus alert in systray"). The other user complained of a blinking icon on his systray and a balloon message popping up informing him that his PC was infected and he should "click here" to install software to remove it.

My problem is very similar except my icon blinks back and forth between a green "handicapped" sign and a red circle with a slash through it. When I hover the mouse over it it reads "Virus Alert!" As well as the icon, every few minutes I receive a message reading, "Your computer is infected! Critical System Error! System detected virus activities. They may cause critical system failure. Please, use antim alware software to clean and protect your system from parasite program s. Click here to get all available software." -- Typos were intentional as that is how the message reads.

At the same time as I saw this icon/message, a program popped up called SpywareQuake 2.0 that claims to have scanned my computer and detected spyware and viruses and if I "click here" I can purchase the full version of the software to remove it.

I've tried uninstalling the program from the Add/Remove programs but every time I reboot, it's back. I've run Symantec AntiVirus, Ad-aware, Spybot, Spysweeper, Ewido, HiJack This, SmitRem, one of Microsoft's online scans, Panda's online 'Activescan' program, and everything else relevant on the other thread.

An interesting sidenote is that the offending programs run during safe mode, too.

Any thoughts?
 
Run all of those in safe mode plus this one.


Then load in normal mode, run HijackThis and then post the log. Also, after running the scans in safe mode and then restarting into normal, disable System Restore and re-enable it to clean it out. I also recommend this online scanner.


There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
That's Winfixer or Winfixer 2005. I hit that one again (I have hit it more times than I want to count). People just keep getting it.

This also should take care of it:

Webroot spysweeper Trial:

Download it here:


Webroot Spysweeper 14 day Trial

Update the defs and do a sweep.

Hope that helps,

Erik
 
I had this over the weekend; HijackThis does not show anything. I finally downloaded Spyware Doctor from PC Tools and paid the 30 bucks for a year subscription, and it got rid of it plus a bunch of stuff that the others (Ewido, Norton...) missed.
I also downloaded Webroot Spysweeper trial, it won't remove anything unless you purchase it.
 
Did you download the Spysweeper trial from the following URL?


This is a 14-day fully functional trial. It will work; I use it all the time. If you are going to Spysweeper's webpage you may be getting the one that won't allow you to remove without paying.

Hope that helps,

Erik
 
Try the other url that I posted. That should do the trick.

Update the defs and do a sweep.
 
Your latest post led me in the right direction and that did the trick, Erik. I must have gotten infected the same day the program was released, because now I'm able to find all kinds of suggestions online about how to remove it.


Thanks everyone!
 
I must have encountered a new flavor of this malware. I ended up with the same balloon on the System Tray, but could not remove it with the methods described here. With A LOT (2 days) of digging, I found a new source.

The problem was caused by the file C:\WINDOWS\SYSTEM32\xenadot.dll. This was loaded under explorer as a thread. I used the most excellent tool "ProcessExplorer" to kill the explorer.exe thread linked to xenadot.dll and the window went away. Once the window was closed, I just renamed the DLL and rebooted. There is still some trash in the registry that points to the DLL, but at least the problem is gone.

I wanted to post this to get the new xenadot.dll "on the record" in case the problem haunts another soul.
 
I have the exact same problem, have run various removal programs, none of which worked, although my homepage no longer defaults to their website. I just have the tray icon with the red box warning popping up all the time. I downloaded Process Explorer but cannot find xenadot.dll, and I have no idea how to get rid of this thing. Any ideas? Thank you.
 
You are probably dealing with another .dll that the malware is using. It's not going to be the same exact name. Something different. Use Hijack This to find it and get rid of it.

Regards.
 
I had the same symptom - the last after doing everything I could to remove such a mess of malware it was more like cancerware. (The nvctrl.exe, mssearchnet.exe crud). I did not find xenadot.dll. I found sivudro.dll simply because it was the only DLL that had been modified within one day. I changed its name. I can't say that's what did it, because I had done so many other things and was foggy and confused. But when I rebooted, the item in the notification area was gone. Please advise if anyone knows anything about sivudro.dll. I won't be embarrassed if it's really essential. I'm just glad to be back in operation.
 
You need to get rid of the stuff in the registry as well. From Symantec about SpywareQuake 2.0:

4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.

Click Start > Run.
Type regedit

Then click OK.

Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"SpywareQuake" = "%ProgramFiles%\SpywareQuake\SpywareQuake.exe /h"


Navigate to and delete the following registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{5B55C4E3-C179-BA0B-B4FD-F2DB862D6202}
HKEY_CLASSES_ROOT\Interface\{189518DF-7EBA-4D31-A7E1-73B5BB60E8D5}
HKEY_CLASSES_ROOT\Interface\{23D627FE-3F02-44CF-9EE1-7B9E44BD9E13}
HKEY_CLASSES_ROOT\Interface\{43CFEFBE-8AE4-400E-BBE4-A2B61BB140FB}
HKEY_CLASSES_ROOT\Interface\{5790B963-23C5-43C1-BCF5-01C9B5A3E44E}
HKEY_CLASSES_ROOT\Interface\{5D42DDF4-81EB-4668-9951-819A1D5BEFC8}
HKEY_CLASSES_ROOT\Interface\{76D06077-D5D3-40CA-B32D-6A67A7FF3F06}
HKEY_CLASSES_ROOT\Interface\{86C7E6C3-EC47-44E5-AA08-EE0D0A25895F}
HKEY_CLASSES_ROOT\Interface\{9283DAC1-43F5-4580-BF86-841F22AF2335}
HKEY_CLASSES_ROOT\Interface\{AE90CAFC-09D4-47F0-9E11-CE621C424F08}
HKEY_CLASSES_ROOT\Interface\{BA397E39-F67F-423F-BC6E-65939450093A}
HKEY_CLASSES_ROOT\Interface\{BEC8A83D-01D4-4F15-B8A9-4B4AB24253A7}
HKEY_CLASSES_ROOT\Interface\{C4EEDC19-992D-409A-B323-ED57D511AFA5}
HKEY_CLASSES_ROOT\Interface\{DD90F677-D205-4F70-9014-659614AABCB2}
HKEY_CLASSES_ROOT\Interface\{E3DF91F3-F24F-441E-9001-D61F36024322}
HKEY_CLASSES_ROOT\Interface\{F459EADB-5903-48D5-864C-2B7B46AB1424}
HKEY_CLASSES_ROOT\Interface\{FC4EDF66-0547-4F1A-AE96-7CFCAD711C90}
HKEY_CLASSES_ROOT\TypeLib\{661173EE-FA31-4769-97D4-B556B5D09BDA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareQuake.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareQuake
HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuake


Exit the Registry Editor.


Best regards.

Erik
 
PS - this thing was popping up in the notification area in safe mode. How?
 
If anyone CANNOT boot in safe mode like me (I don't have administrator privileges for my corporate laptop and I am traveling at the moment, so I couldn't solve this with an IT person), gernt's suggestion was the most helpful.

I scanned my computer with Symantec Antivirus, SpySweeper, Ad-Aware, CounterSpy, and Panda's ActiveScan. They actually got rid of most of the problem (including the xenadot.dll), but the annoying pop up kept appearing. I just tried renaming sivudro.dll and restarted my computer and the pop up is gone.

I also checked my registry as erikhertzel recommended and all traces of the malware seem to have been removed.

PS I know messing with DLLs is a bad idea, but I was just absolutely sick of the pop up and it seems nothing else happened by renaming this DLL. If anyone knows of other files that need to be removed (or registry entries), please post it here.
 
Download HijackThis from the link below. Please do this. Click here:


to download HijackThis. Click Scan and save a logfile, then post it here so we can take a look at it for you. Don't click Fix on anything in HijackThis, as most of the files are legitimate.



SpywareQuake Program

If you can't boot to safe mode, run the tools in normal mode; you really should have admin rights to make sure the fixes work!

1. Print out these instructions as we will need to close every window
that is open later in the fix.

2. Download the appropriate Roguescanfix depending on your language from
here:

Roguescanfix.exe (English version)



Roguescanfix.exe (Dutch version)



Confirm that the file Roguescanfix.exe now resides on your desktop.


3. Double-click on the roguescanfix.exe file found on your desktop and
then press the Install button. The file will create a folder on your
desktop called roguescanfix.

4. Double-click on the roguescanfix folder and then double-click on Run.bat. Please note that when the Run.bat starts it will download a program from the Internet that it needs to use during the cleanup. If your firewall gives an alert about this, please allow the download.exe or run.bat program to access the Internet. When you start the Run.bat program your desktop will disappear, which is normal, so you do not need to be concerned. It will then start the SpywareQuake uninstallation program. When that program starts, click on the Uninstall button. When it has finished uninstalling, you can then press the OK button to finish the uninstalling of SpywareQuake.

When this program is finished, and it was able to delete all the files,
you will see a small prompt that says Completed script execution. Simply
press the OK button. It will then open the Brute Force Uninstaller program. You can simply press the Exit button and continue to Step 5.

If there were more files that needed to be deleted, the program will
prompt you to reboot your computer. Press the Yes button and allow the
computer to reboot. When you are back at the desktop, proceed to Step 5.




* Click here to download smitRem.zip.



* Save the file to your desktop.
* Unzip smitRem.zip to extract the two files it contains.
* Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


* Click here to download ATF Cleaner by Atribune and save it to your desktop.



* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
  o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.



* Download the trial version of Ewido Security Suite.



* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.



* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.





* Click here for info on how to boot to safe mode if you don't already
know how.






* Restart your computer into safe mode now. Perform the following steps
in safe mode:



Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Go to add/remove programs in your control panel and uninstall (if there):

SpyFalcon

***if the computer asks for you to let it reboot DO NOT allow it.

Go to your desktop and double click on the FixSF.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button.

Navigate to the following files/folders and delete these (if there):
C:\Windows\System32\dxmpp.dll
C:\Windows\System32\ginuerep.dll
C:\Program Files\SpyFalcon


run hijack this and fix the tmp file if there!

Something like this!


O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hp6A30.tmp



* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop



* Go to Control Panel > Internet Options. Click on the Programs tab
then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click
the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you
should see an entry checked called something like "Security info" or similar.
If it is there, select that entry and click the "Delete" button. Click OK
then Apply and OK.


* Restart back into Windows normally now.



* Run ActiveScan online virus scan here



When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!



post another hijack this log, the ewido and active scan logs and
the contents of smitfiles.txt from the smitRem folder


Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
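As an added example (not code from this thread, from Symantec, or from the tools mentioned): a read-only PowerShell audit of the persistence points named above, the Run value and SpywareQuake keys from the Symantec excerpt in erikhertzel's post, the BHO-to-.tmp pattern from the HijackThis O2 line in khazars' post, and the recently-modified-System32-DLL heuristic one poster used to find sivudro.dll. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; it only reports, so removal stays with the manual steps in the posts.

```powershell
# Added example, not from the thread: a read-only audit of the persistence
# locations the posts above name. It reports, never deletes. Run elevated.

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$sys32  = Join-Path $env:SystemRoot 'System32'

# 1. Run-key values. Symantec names "SpywareQuake" pointing at
#    %ProgramFiles%\SpywareQuake\SpywareQuake.exe /h; a .tmp target is odd too.
Write-Output '== HKLM Run values =='
$run = Get-ItemProperty -Path $runKey
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
    $flag = ''
    if ("$($p.Value)" -match 'SpywareQuake|\.tmp\b') { $flag = '   <-- suspicious' }
    Write-Output ("{0} = {1}{2}" -f $p.Name, $p.Value, $flag)
}

# 2. Browser Helper Objects, resolved CLSID -> InprocServer32 DLL. The HijackThis
#    O2 line in the thread pointed at C:\WINDOWS\system32\hp6A30.tmp.
Write-Output '== Browser Helper Objects =='
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
        $dll = if ($dll) { "$dll".Trim('"') } else { '<no InprocServer32 path>' }
        $flag = ''
        if ($dll -match '\.tmp$' -or -not (Test-Path $dll)) { $flag = '   <-- check' }
        Write-Output "$clsid -> $dll$flag"
    }
}

# 3. SpywareQuake-specific keys from the Symantec write-up; only survivors print.
Write-Output '== SpywareQuake keys still present =='
@(
    'HKLM:\SOFTWARE\SpywareQuake'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareQuake'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareQuake.exe'
    'Registry::HKEY_CLASSES_ROOT\CLSID\{5B55C4E3-C179-BA0B-B4FD-F2DB862D6202}'
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{661173EE-FA31-4769-97D4-B556B5D09BDA}'
) | Where-Object { Test-Path $_ }

# 4. System32 DLLs written in the last 24h: the heuristic one poster used to
#    find sivudro.dll. Windows Update writes here too, so verify before acting.
Write-Output '== System32 DLLs modified in the last 24h =='
Get-ChildItem -Path $sys32 -Filter *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
    Sort-Object LastWriteTime -Descending |
    Format-Table Name, LastWriteTime, Length -AutoSize
```

Anything it flags still needs a HijackThis log or a check against a known-good copy before renaming or deleting, as the thread's own sivudro.dll discussion shows.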
 
oops, ignore the stuff for spyfalcon, I meant to edit that part out!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Many thanks to "rjrlist"! Following your advice, I was able to get rid of the flashing icon in the systray by removing twain32.dll.
 