marquess Posted March 25, 2006
I have picked up the above virus, and have spent the last three hours trying to get rid of it! Ran Norton's twice in Safe Mode, with system monitors off. First time round, unable to quarantine, then unable to delete! Ran it twice more, quarantined it, and then ran it again and it says that it is not there, but it still is. The annoying thing is that it keeps bringing up some Spyware Quake software that keeps reinstalling itself on my computer and, in addition, the home page for the browser automatically sets itself to blank. Can anyone recommend any free software that will get rid of this virus, or recommend some other alternative? According to the net, the virus has only been around for about a week! Help greatly appreciated!

Thaising Posted March 25, 2006
Have you tried Ad-Aware or Spybot Search & Destroy antispyware? It may show something that can remove it. You may use the free online virus scan by Panda ActiveScan or the Norton free virus scan:
http://www.pandasoftware.com/activescan/ac....asp?Language=2
http://security.symantec.com/sscv6/vc_abou...QAMUJBJI&bhcp=1
I'm no expert at PC but hope it may help a little bit.

JohnC Posted March 25, 2006
Try downloading Avast, which has a boot scan facility. I have found this picks up most trojans as it runs before Windows kicks in. You can download the free version from www.avast.com/. Let me know if this works; they also have another programme for trojan worms only.

marquess Posted March 25, 2006
I seem to have managed to get rid of the virus by downloading Ewido Malware remover, which seems to have done the trick. Though I have not been able to remove the SpyQuake software, it just seems to keep coming back, despite me having used Norton's and the Add/Remove facility on the control panel to remove it several times. Any suggestions as to how to remove that permanently? Also, is it possible to back up the Windows Updates, just in case I need to do a complete scrub?

giulio Posted March 25, 2006
hi marquess, try to use ewido antimalware here www.ewido.net, a2squared free (search with google), and change antivirus. nod32 is a free trial for 1 month and is fantastic; after, you can decide if you buy or not, but it is completely different from norton: efficient job, silent and very light.
if the problem persists, post your log of hijackthis
ciao

rishi Posted March 25, 2006
Once you've got rid of this problem, you might spare a few thoughts on why you got the problem in the first place. You obviously don't have any decent, daily updated firewall, virus/spyware 'on-the-fly-detector' installed. There're several such things around. My recommendation goes for "Zonealarm Security Suite". I honestly don't know whether it is any better than what others might swear to, but it has kept my machinery safe and sound for years.

JSixpack Posted March 26, 2006
> Though I have not been able to remove the SpyQuake software, it just seems to keep coming back.
> Also is it possible to back up the Windows Updates, just in case I need to do a complete scrub?

Will you kindly skip the italics and color? It's annoying and might tempt me to give you bad advice that would result in an immediate, unconditional, uninterruptible reformat of your hard drive.

OK, first, turn off System Restore and then clean up your computer using something like Ccleaner: http://www.ccleaner.com/downloadbin.asp?f=1
Also delete whatever's in c:\windows\prefetch\
Then try finding out what the SpyQuake process is using Process Explorer: http://www.sysinternals.com/Utilities/ProcessExplorer.html
If you see what process it is, then kill it and try to delete its files.
See what all is starting up on your computer with Autoruns: http://www.sysinternals.com/Utilities/Autoruns.html
Pay attention to the SharedTaskScheduler in the explorer section; you can find a list of baddies here: http://castlecops.com/O22.html
I would just disable my Task Scheduler too, in services.msc.
Use autoruns to stop any questionable process etc. from starting up. You can check startup programs here: http://castlecops.com/StartupList.html

As for your updates, you've already installed them, so you can't save them. No matter; if you have to reinstall Windows, just reinstall all the updates at once with autopatcher: http://www.autopatcher.com/ (careful to get the flavor appropriate for you)

But it's almost NEVER necessary to reinstall Windows. If all else fails, as a poster said, run HijackThis and post the log in one of the forums specializing in interpreting such logs.

stumonster Posted March 26, 2006
marquess - you have been around here long enough - turn off the blue and the pretty font - it's <deleted> to read.
this site will give you the info on what the trojan has done to your system: http://www.symantec.com/avcenter/venc/data...jan.zlob.i.html
use your preferred anti virus when it says to use an anti virus, and stop using internet explorer - firefox does not expose you to so much of this <deleted> and is a much more efficient browser when you learn to use its tabs.
last week I had a machine brought to me with an insidious worm - bronstab - it took me a good 4-6 hours to remove as it would auto shutdown the machine if it detected certain conditions and it rewrote the etc/hosts file every 1 - 10 mins.

Artisan Posted March 26, 2006
> marquess - you have been around here long enough - turn off the blue and the pretty font - it's <deleted> to read.

Thanks to JSixpack and Stumonster with their comments about the font and colour that "Marquess" uses. It's not necessary and it is a bugger to read... 'irritating' is the word.

marquess Posted March 27, 2006
Does anyone know if it is possible to buy a genuine copy of Panda anti viral/Spyware in either Zeer or IT Square? If so, how much should one pay for it?

francois Posted March 27, 2006
hi'
I noticed that some mention HijackThis, probably the only soft that can help you here. did you go to any antivirus site and get a "cleaner" for this sh*t?
and if I were you, I would go for Bit Defender home edition version 9, the best!
francois

marquess Posted March 27, 2006
Whilst I can delete it again and again and do all the virus scans that I like with various software, the problem is stopping it from coming back! I'm not an expert when it comes to messing around with the registry. I have downloaded JV16 Power tool, which can do all sorts of things to the registry, but have yet to locate the Spyware Quake in the registry, which seems to me to be the only way to permanently get rid of it! Everyone beware on this one, it is a damned nuisance. My profound thanks to everyone for their help and comments so far. I will try the Hijack thing now, though to be honest I am growing weary of this thing. So Francois, you don't think much of Panda then?

giulio Posted March 27, 2006
http://www.merijn.org/files/hijackthis.zip
here you can download the latest version of hijackthis
unzip the folder in some non-temporary directory; Documents and Settings is ok
open the program and click on "scan and save log"
copy and paste the log inside the forum here, so maybe somebody can help you
be careful what you fix, better to search for the process on the web before you fix!!!
it is not an antispyware or antivirus; it can recognize some processes in the background that give your pc problems and can fix them
after you fix the malware process, better to use regseeker and ccleaner to clean the registry and pc
good luck, and if you have some problem, post here before you fix something!
ciao

h5n1 Posted March 28, 2006
JSixpack basically has this nut.
try symantec and mcafee for a specific removal tool; one may exist for trojans
delete all unnecessary programs and dump internet cache and do sys clean up
download: spybot and adaware incl updates or do online - run them both
download: basic but decent registry cleaner (i don't know where the problem exists, file or reg). do not edit the reg yourself.
reboot in safe and run spyware progs again
if you can access online internet go to trend-micro and run house call.
i would not recommend you do anything with your registry (!) except running a very basic program on it.

francois Posted March 28, 2006
hi'
is your system restore turned off on all drives?
and as everyone said, HijackThis!
and stop using IE
francois

h5n1 Posted March 28, 2006
FIX4SURE
http://securityresponse.symantec.com/avcen...jan.zlob.i.html

marquess Posted March 28, 2006
I think that I might have gotten rid of it using Web Root Spy Sweeper; it took about 4 hours to do an in-depth thorough scan. I have an annoying thing that occasionally flashes on the toolbar, saying that your computer might be affected. But the Spyware Quake seems to have gone! Once again thanks to everyone for their help on this. One last question: has anyone purchased the Panda Titanium anti virus and anti spyware in Thailand? If so, how and where for a genuine copy?

frodo Posted March 28, 2006
I was able to get a legal copy of Panda A/V Titanium for 800 baht at Future Park, Rangsit. It was at the IT store (top floor) above Central. I've also seen Panda at the book store in Rangsit Tesco-Lotus (across from Future Park). Hope this helps.
FR

marquess Posted March 29, 2006
Thanks for the information Frodo! I am still having problems with that pest, so here is the log from my Hijack scan. Perhaps someone better versed in these matters could tell me what needs to be removed?

Logfile of HijackThis v1.99.1
Scan saved at 8:52:06 AM, on 3/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\apvxdwin.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Martyn\Local Settings\Temporary Internet Files\Content.IE5\Q9EZS7WP\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-gb/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.142.97.102:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [sysikg] c:\windows\system32\sysikg.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {A5DC33CE-214B-4C26-8596-8A45456C9EB8} - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{915689FD-CB08-4AD6-8F25-E75C71F22220}: NameServer = 203.144.207.49 203.144.207.29
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
francois Posted March 29, 2006 Share Posted March 29, 2006 Thanks for the information Frodo! I am still having problems with that pest, so here is the log from my Hijack scan> Perhaps someone better versed in these matters, could tell me that needs to be removed?Logfile of HijackThis v1.99.1 Scan saved at 8:52:06 AM, on 3/29/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTSvcCDA.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\apvxdwin.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE C:\WINDOWS\system32\S3tray2.exe C:\Program Files\Nokia\Nokia PC 
Suite 5\DataLayer.exe C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe C:\WINDOWS\system32\wfxsnt40.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Spyware Doctor\swdoctor.exe C:\WINDOWS\system32\wdfmgr.exe C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe C:\Program Files\FinePixViewer\QuickDCF.exe C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe C:\WINDOWS\system32\ntvdm.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Martyn\Local Settings\Temporary Internet Files\Content.IE5\Q9EZS7WP\hijackthis[1]\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-gb/srchasst/srchasst.htm R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.142.97.102:80 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local> O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing) O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing) O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE /t O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - 
HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe" O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe O4 - HKLM\..\Run: [sysikg] c:\windows\system32\sysikg.exe O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe O4 - Global Startup: NaturalColorLoad.lnk = ? 
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {A5DC33CE-214B-4C26-8596-8A45456C9EB8} - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{915689FD-CB08-4AD6-8F25-E75C71F22220}: NameServer = 203.144.207.49 203.144.207.29
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe

hi, first you don't need 2 antivirus, especially with norton! you need to choose one or the other! you can disable: java_jushed on startup, go to control panel and in the java menu uncheck "check for update". same for real player, disable the update thing in the tools menu/update. this will be 2 less to load.

then uninstall spysweeper, it's useless and might be interfering with some other protection programs! and from some source spysweeper could be a spyware by itself.

then one line tells me that you must have an incorrect entry in the registry, this one:

http://activex.microsoft.com/objects/ocget.dll O17 - O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

you should not have: activex.microsoft, and this could be some part of a malware ... this seems suspect to me, but I could be wrong ...

anyway, do as I said, and then reboot! and then get the tool for this pest here: trojan zlob remover. take a look at the page, download the tool and run it as indicated on the symantec site

francois
hoping that it will help a bit
JSixpack Posted March 30, 2006

I dunno what this is:

O4 - HKLM\..\Run: [sysikg] c:\windows\system32\sysikg.exe

I suggest you at least remove it from your startup programs and see if that makes any difference.

As for the flashing tray icon, sounds like you have a variant of the smitfraud infection. The tool for removing that is this: http://www.bleepingcomputer.com/files/smitRem.php. In fact, even though your multiple virus proggies have eliminated most of the problem already, nevertheless it couldn't hurt to follow all the instructions for dealing specifically with SpywareQuake that you find here: http://www.bleepingcomputer.com/forums/topic47826.html which is a site I just happened to run across today, otherwise of course I would have mentioned it earlier. It gives helpful instructions for using the smitRem tool.

Some forms of the "infected" tray icon start via the SharedTaskScheduler, this registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

and you can get at that key safely and conveniently in the explorer tab of the autoruns program I pointed you to earlier.

I suggest you stick to one good antivir and get rid of the others. In particular all that Norton stuff has just got to go. Ad-aware, Spybot S&D, and one antivir should be all you need in the way of scanners.

For prevention, I suggest you use Spywareblaster and/or Hosts Secure. The latter you can find here: http://www.mvps.org/winhelp2002/hosts.htm. These help prevent the ads/popups that tempt you to install spyware in the first place.
marquess Posted March 30, 2006 Author

Thanks! This seems to have worked, though rather strenuous to get rid of. Anyone see Spyquake Ware come up, AVOID IT LIKE THE PLAGUE!
giulio Posted March 30, 2006

O4 - HKLM\..\Run: [sysikg] c:\windows\system32\sysikg.exe

Unknown process on the web, and suspicious because it stays in system32, so search your PC for this file (show all hidden files), and upload this sysikg.exe here http://virusscan.jotti.org/ and later here, and check the results: http://www.virustotal.com/flash/index_en.html

I think proxyway is good for some reasons, but it is not too safe and secure.

And then, of course, francois says well about 2 antivirus: very heavy ones like norton and panda cannot stay together; throw away norton and use panda because it also has a firewall.

Good luck
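The check the replies above apply by eye (an autostart entry with an unrecognised file name sitting directly in system32 deserves a closer look), written out as an added example that is not part of any post in this thread. The sample lines are copied from the log posted earlier; the KNOWN list and all function names are assumptions made for illustration.

```python
import re
from ntpath import basename, dirname, normcase

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysikg] c:\windows\system32\sysikg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
'''

# Assumption: file names the reviewer already recognises (hypothetical list).
KNOWN = {"nerocheck.exe", "ctsvccda.exe"}

PATTERNS = (
    ("Run", re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>.+?)\] (?P<cmd>.+)$')),
    ("Startup", re.compile(r'^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$')),
    ("Service", re.compile(r'^O23 - Service: (?P<name>.+?) - .+ - (?P<cmd>[A-Za-z]:\\.+)$')),
)

def exe_path(cmd):
    """Image path from a command line: quoted, or bare up to .exe/.dll."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.(?:exe|dll))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd

def parse(log):
    """Yield (section, name, image_path) for each autostart line understood."""
    for line in log.splitlines():
        for section, rx in PATTERNS:
            m = rx.match(line.strip())
            if m:
                yield section, m.group("name"), exe_path(m.group("cmd"))
                break

def needs_review(log, known=KNOWN):
    """Autostart entries in system32 whose file name is not recognised."""
    hits = []
    for section, name, path in parse(log):
        in_sys32 = normcase(dirname(path)).endswith("\\windows\\system32")
        if in_sys32 and basename(path).lower() not in known:
            hits.append((section, name, path))
    return hits
```

A hit is only a prompt to look closer, for instance by submitting the file to the online scanners linked in the thread; it is not a verdict on the file.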