Spyware Quake + antimalware in system tray

Discussion in 'Malware Help (A Specialist Will Reply)' started by Zilulil, Mar 25, 2006.

  1. Zilulil

    Zilulil Private E-2

    When I logged on today there was a new icon in my system tray... It turned out to be antimalware (which I'm moderately sure is bad). It keeps on popping up saying it's found viruses and sneaks an install of Spyware Quake past my Firewall when I'm booting up.
    I've followed all the directions and it's still not gone. Oh, and for some reason the two internet scanners in the sticky won't activate for me. I've included a HijackThis log as an attachment.
     

    Attached Files:

  2. Zilulil

    Zilulil Private E-2

    Sorry to do double posts... but I just figured out how to get the online virus scans working... so here is the BitDefender one... I hope I saved it correctly.

    Oh, and some more info on the popup. It sits in my system tray and every once in a while pops up about how my system is critically infected with all sorts of things I know it doesn't have. And it installs SpywareQuake and tries to run it also.

    Oh, and Avast isn't letting me run Panda and I dunno if I really want to deactivate it right now, so no Panda.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run the below scanner in place of Panda and attach the Ewido log.

    Running Ewido Anti-Malware

    Afterwards also attach a new HJT log too since your first one appears to be from before the READ ME was run. Make sure you have first completed ALL steps in the READ ME (except Panda).
     
  4. Zilulil

    Zilulil Private E-2

    OK, I ran the scanner and attached the log and the new HJT log. Also the popup thing still comes up in safe mode, if that means anything, and it seems to be slowing down my download speeds by a lot.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O20 - Winlogon Notify: winxcx32 - winxcx32.dll (file missing)
    After clicking Fix, exit HJT.
    Now reboot your PC once so we can be sure it is gone. And now from normal boot mode, post a new HJT log.

    Make sure you tell me how things are working now.
     
  6. Zilulil

    Zilulil Private E-2

    Nope, it's still there... And because I didn't unplug my internet before rebooting, it snuck Spyware Quake 2.0 back in before my firewall came back up. The HJT log is from before I uninstalled the Spyware Quake 2.0 again.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does Spyware Quake appear in Add/Remove programs?
    If so, can you uninstall it?

    What does
    mean?
     
  8. Zilulil

    Zilulil Private E-2

    Yep, I can uninstall it. But it comes back every time I boot because of the thing in my system tray. And "it's still there" means the little popup sitting in my system tray trying to get me to buy Spyware Quake 2.0 and eating my bandwidth is still there.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay from now on do not uninstall it on your own! Only follow my steps.

    Run the steps in the below link and attach the requested log to your next message:

    Using GetRunKey

    Also do the below!
    • Now download smitRem.exe written by noahdfear and save the file to your Desktop.
    • Double click on the smitRem.exe file to extract it to its own folder on the desktop. (This should be the default selection.) Do not run the program yet! You just need to click the Start button which will extract the files to the SmitRem folder on your Desktop.
    • Now you will need to print or save these instructions locally (to a text file on your Desktop) for later reference. This is necessary because you must not have any browsers open and must not connect to the internet while following the below steps.
    • Now disconnect your cable to the internet (physically unplug it).
    • After saving the instructions, reboot into Safe mode.
    • Now once in safe mode, go to Add/Remove programs and uninstall Spyware Quake.
    • Run Windows Explorer by right clicking Start & Select Explore.
    • Navigate to C:\Windows\system32
    • Look for the following two files dxmpp.dll and/or ginuerep.dll in the system32 folder and right click on them and select delete. If they will not delete now, we will retry later. However these may not even be found since you have a different form of this malware.
    • Now open the smitRem folder on your Desktop, double click on it to access the folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
    • The tool will create a log named smitfiles.txt in the root of the drive that you ran the batch file on, e.g. Local Disk C: or the partition where your operating system is installed. Upload this file later after reboot.
    • Now reboot your system into normal mode.
    • If you had any problems deleting the dxmpp.dll and/or ginuerep.dll files, try it again now.
    • Also delete this folder if found: C:\Program Files\Spyware Quake
    • Reconnect your cable to the internet.
    • Now attach your smitfiles.txt log to a message and provide information about the steps above and what your current status is with Spyware Quake.
    • Also attach a current HijackThis log.
     
  10. Zilulil

    Zilulil Private E-2

    Oh wow, talk about odd... I restarted my computer to get the spyware thing to come back because I had uninstalled it again before you posted and I didn't know if that would matter. Also I wanted you to know that it didn't show up in Add/Remove but it did have its own folder in the Start menu with an uninstall option. I needed to know if that mattered.
    But... when I rebooted the popup thing was gone... how odd... oh, and here is the runkeys thing too.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below item bothers me. Does it mean anything to you:

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

    The Smitfraud family of malware (which includes Spyware Quake) does use the sharedtaskscheduler registry key to store their garbage. But valid stuff goes in this key too.

    Does it have anything to do with http://www.usb-ware.com/ or http://www.datastoragedrive.com/dvdburner/usbdvdburner/
     
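An added example (not from the thread, and not the GetRunKey tool chaslang mentions) that does on PowerShell what he is doing by eye here: list every SharedTaskScheduler entry, resolve each CLSID through its InprocServer32 key to the DLL Explorer would load, and report whether that DLL exists and who signed it, so an unfamiliar display name such as "USB Ware" can be checked instead of guessed about. The review flag is my own heuristic, not a rule stated in the thread.

```powershell
# Added example, not from the thread. Enumerates the SharedTaskScheduler key
# discussed above and resolves each CLSID to the in-process DLL behind it.
$StsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'

function Get-SharedTaskSchedulerEntries {
    if (-not (Test-Path -Path $StsKey)) { return }
    $key = Get-Item -Path $StsKey
    foreach ($clsid in $key.GetValueNames()) {
        # Value name is the CLSID; value data is the display text (e.g. "USB Ware").
        $display = $key.GetValue($clsid)
        $srvPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -Path $srvPath) {
            # The default value of InprocServer32 is the DLL path Explorer will load.
            $raw = (Get-Item -Path $srvPath).GetValue('')
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $signer = 'file missing'
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
        }
        # Heuristic (my assumption): a DLL in this key that is missing, unsigned,
        # or not signed by Microsoft deserves a closer look.
        $flag = (-not $exists) -or ($signer -notmatch 'Microsoft')
        [pscustomobject]@{
            CLSID       = $clsid
            DisplayName = $display
            Dll         = $dll
            FileExists  = $exists
            Signer      = $signer
            ReviewMe    = $flag
        }
    }
}

Get-SharedTaskSchedulerEntries | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell; entries with ReviewMe set to True are the ones to compare against a known-good machine before deciding anything.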
  12. Zilulil

    Zilulil Private E-2

    No, I have no idea what that is. My only guess that doesn't involve spyware is that they have something to do with my USB hub, but I don't see why they would be there.
     
  13. Zilulil

    Zilulil Private E-2

    Sorry for having to post twice... hit post before I decided to add this. Should I go into safe mode and follow the instructions for the smitrem.exe or not? Oh, and no, I don't have anything that uses my USB ports except a mouse.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes run Smitrem exactly as indicated with no connection to the internet and in safe mode.

    I'm leaning towards that registry key being malware but I'm not positive yet. So let's see what the above finds. It will show this registry key because it shows all entries in that key whether good or bad. But I want to see if it finds anything else.
     
  15. Zilulil

    Zilulil Private E-2

    Well, the popup came back when I booted into safe mode. And it's still here after following all the steps.
    Here is the smitfiles log, a new runkeys log, and the HJT log.
     

    Attached Files:

  16. Zilulil

    Zilulil Private E-2

    Oh, and the two files the instructions said to delete weren't there.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay new procedure to follow.

    First, make sure you have followed the steps in this link: How to view hidden, system files & folders!

    Now copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixquake.reg and then click Save. Save it to your Desktop. We will use it later after a reboot into safe mode.


    • Now download smitRem.exe written by noahdfear and save the file to your Desktop.
    • Double click on the smitRem.exe file to extract it to its own folder on the desktop. (This should be the default selection.) Do not run the program yet! You just need to click the Start button which will extract the files to the SmitRem folder on your Desktop.
    • Now you will need to print or save these instructions locally (to a text file on your Desktop) for later reference. This is necessary because you must not have any browsers open and must not connect to the internet while following the below steps.
    • Now disconnect your cable to the internet (physically unplug it).
    • After saving the instructions, reboot into Safe mode.
    • Now once in safe mode, go to Add/Remove programs and uninstall Spyware Quake.
    • Now double-click on the fixquake.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.
    • Run Windows Explorer by right clicking Start & Select Explore.
    • Navigate to C:\Windows\system32
    • Look for the following file, C:\WINDOWS\system32\stickrep.dll, in the system32 folder and right click on it and select rename. Change the name to stickrep.DDD
    • Now open the smitRem folder on your Desktop, double click on it to access the folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
    • The tool will create a log named smitfiles.txt in the root of the drive that you ran the batch file on, e.g. Local Disk C: or the partition where your operating system is installed. Upload this file later after reboot.
    • Now reboot your system into normal mode.
    • Also delete this folder if found: C:\Program Files\Spyware Quake
    • Reconnect your cable to the internet.
    • Now attach your smitfiles.txt log to a message and provide information about the steps above and what your current status is with Spyware Quake.
    • Also attach a current HijackThis log.
     
  18. Zilulil

    Zilulil Private E-2

    It looks like that may have done it. The file you said to rename was there and I renamed it. The thing in my system tray is no longer there. But granted, it's not shown up once before.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it looks like my suspicion was correct about the USB Ware line.

    Your logs are clean now. I would now suggest you delete the file that we renamed. However I would appreciate it if you could put the file into a ZIP and upload it here as an attachment first. Then you can delete it.

    Note: I now added detection of this to my GetRunKey.bat script. New version has been uploaded to the link you downloaded the tool from earlier.
     
    Last edited: Mar 25, 2006
  20. Zilulil

    Zilulil Private E-2

    Here it is
     

    Attached Files:

  21. Zilulil

    Zilulil Private E-2

    Oh, and glad I could help update your software lol :p
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks! I just added a new sticky cleaning procedure for it too.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     