SpywareQuake won’t go away. PLEASE HELP!

Discussion in 'Malware Help (A Specialist Will Reply)' started by rmdtech, Apr 24, 2006.

  1. rmdtech

    rmdtech Private E-2

    SpywareQuake won’t go away. PLEASE HELP!


    I’m really glad to have found this site. I followed the SpywareQuake Removal Procedure I found on this site. The instructions were very clear and easy to follow. However, upon completion, I found myself agonizing over the fact that the little flashing icon that I have grown to hate so much is still carrying on about its business down in the lower right hand corner of my screen!

    I have run the latest versions of Spyware Doctor and XoftSpy, then followed the procedures here very, very carefully, but I just can’t seem to rid myself of this thing!!!!

    I have attached the ‘smitfiles.txt’ log and here is the info on the steps of the procedure:

    1. Created the fixquake.reg file as instructed.
    2. Downloaded the smitRem.exe and extracted to folder.
    3. Disconnected my internet (LAN) cable.
    4. Rebooted to Safe Mode and looked for SpywareQuake in Add/Remove Programs, but it was not there.
    5. Added fixquake.reg to registry as instructed.
    6. Looked for stickrep.dll, suprox.dll, & xenadot.dll in Windows\System32 folder. Found none.
    7. Ran the ‘RunThis.bat’ from smitRem folder. This completed successfully, including disk cleanup.
    8. Rebooted in Normal Mode.
    9. I did not need to look for the renamed DLL files because there were none (#6).
    10. Searched for files in the directories listed… I found none. However, I had deleted the SpywareQuake.exe file and the C:\Windows\System32\1024 files in another procedure I followed from www.2-spyware.com just shortly prior to going through this one. I had also deleted a bunch of hp*.temp files from the Windows\System32 folder as well.

    After everything… the darn thing is still there!!! Thank you very, very much for any help you can provide!!!

    Keith
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    I'm going to put a modified version of the SpywareQuake procedure below. It will contain some new registry patch info and another file to look for and delete. Please re-run the whole process again from beginning to end. Make sure to redownload the registry patch since it has changes. Do not skip any steps.

    First, make sure you have followed the steps in this link: How to view hidden, system files & folders!

    NOTE: Even if you do not find some of the files mentioned or you do not see SpywareQuake in Add/Remove programs or the folder for it, just continue with ALL steps thru to the end.

    Now copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixquake.reg and then click Save. Save it to your Desktop. We will use it later after a reboot into safe mode.


    • Now download smitRem.exe written by noahdfear and save the file to your Desktop.
    • Double click on the smitRem.exe file and click the Start button to extract it to its own folder named SmitRem on the desktop. (this should be the default selection). Do not run anything else related to the program yet!
    • Now you will need to print or save these instructions locally (to a text file on your Desktop) for later reference. This is necessary because you must not have any browsers open and must not connect to the internet while following the below steps.
    • Now disconnect your cable to the internet (physically unplug it).
    • After saving the instructions, reboot into Safe mode
    • Now once in safe mode, go to Add/Remove programs and uninstall Spyware Quake.
    • Now double-click on the fixquake.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    • Run Windows Explorer by right clicking Start & Select Explore
    • Navigate to C:\Windows\system32 (or C:\Winnt\system32 depending on how/which OS you have installed.)
    • Look for the following files based upon where you have Windows installed:
      • C:\WINDOWS\system32\stickrep.dll (or C:\Winnt\system32\stickrep.dll )
      • C:\WINDOWS\system32\suprox.dll (or C:\Winnt\system32\suprox.dll )
      • C:\WINDOWS\system32\xenadot.dll (or C:\Winnt\system32\xenadot.dll)
      • C:\WINDOWS\System32\sivudro.dll (or C:\Winnt\system32\sivudro.dll )
    • When you locate the files, right click on them and select Rename. Change the dll extension to DDD. For example: rename xenadot.dll to xenadot.DDD. We will fully delete the files later.
    • Now open the smitRem folder on your Desktop, double click on it to access the folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. If you cannot get RunThis.bat to work in safe mode, REBOOT into normal mode (with no internet connection) and repeat the above step from the point of booting in safe mode.
    • The tool will create a log named smitfiles.txt in the root of the drive that you ran the batch file on, eg; Local Disk C: or partition where your operating system is installed. Upload this file later after reboot.
    • Now reboot your system into normal mode.
    • Now after reboot relocate the files we renamed above and delete them. Thus delete any of these: stickrep.DDD, suprox.DDD, xenadot.DDD, or sivudro.DDD. If you have a problem deleting these files, try rebooting one more time into safe mode and attempt another deletion. If it still does not delete, make sure you tell us later.
    • Also delete the below files and folders if found:
      • C:\Program Files\Spyware Quake
      • C:\Windows\System\1024
      • C:\Windows\System32\1024 (or C:\Winnt\System32\1024 )
      • C:\Windows\System32\dfrgsrv.exe (or C:\Winnt\System32\dfrgsrv.exe)
      • C:\Windows\System32\mssearchnet.exe (or C:\Winnt\System32\mssearchnet.exe)
      • C:\Windows\System32\nvctrl.exe (or C:\Winnt\System32\nvctrl.exe )
      • C:\Documents and Settings\[Current User Account]\Start Menu\Programs\SpywareQuake <---- where [Current User Account] is the actual user account name you are logged into.
    • Reconnect your cable to the internet.
    • Now attach your smitfiles.txt log to a message and provide information about the steps above and what your current status is with Spyware Quake. If you need help attaching files see: HOW TO: Attach Items To Your Post
     
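The file-hunting steps of the procedure above (look for the named DLLs and folders, rename any DLL found to .DDD, delete the rest after reboot) as a small script. This is an added example, not part of the thread, smitRem or the fixquake.reg patch; it runs against a constructed stand-in for the Windows directory so it can be tried without an infected machine, and the path list is exactly the one quoted in the post.

```python
import tempfile
from pathlib import Path

# Indicator names from the procedure above, relative to the Windows directory
# (C:\Windows or C:\Winnt), so one list serves either install. Windows paths are
# case-insensitive, so "System32" matches "system32" on a real machine.
DLL_INDICATORS = ["stickrep.dll", "suprox.dll", "xenadot.dll", "sivudro.dll"]
OTHER_INDICATORS = [
    Path("System") / "1024",
    Path("System32") / "1024",
    Path("System32") / "dfrgsrv.exe",
    Path("System32") / "mssearchnet.exe",
    Path("System32") / "nvctrl.exe",
]


def find_indicators(windows_dir):
    """Return (as strings) every indicator file or folder present under windows_dir."""
    windows_dir = Path(windows_dir)
    candidates = [windows_dir / "System32" / name for name in DLL_INDICATORS]
    candidates += [windows_dir / rel for rel in OTHER_INDICATORS]
    return sorted(str(p) for p in candidates if p.exists())


def rename_dlls(windows_dir):
    """The rename step: a found .dll becomes .DDD so nothing can load it by name;
    the actual deletion is left for after the reboot, as the procedure says.
    Returns the new file names."""
    renamed = []
    for name in DLL_INDICATORS:
        src = Path(windows_dir) / "System32" / name
        if src.is_file():
            dst = src.with_suffix(".DDD")
            src.rename(dst)
            renamed.append(dst.name)
    return renamed


def list_system32(windows_dir):
    """Sorted names in System32, to confirm legitimate files were left alone."""
    return sorted(p.name for p in (Path(windows_dir) / "System32").iterdir())


def demo_tree():
    """Constructed stand-in for C:\\WINDOWS (not a real infection): only sivudro.dll
    and the System32\\1024 folder exist, mirroring what rmdtech reports in message #5.
    kernel32.dll is a placeholder for a legitimate file that must not be touched."""
    root = Path(tempfile.mkdtemp()) / "WINDOWS"
    (root / "System32" / "1024").mkdir(parents=True)
    (root / "System32" / "sivudro.dll").write_bytes(b"MZ placeholder")
    (root / "System32" / "kernel32.dll").write_bytes(b"MZ placeholder")
    return root


if __name__ == "__main__":
    win = demo_tree()
    print("found before rename:", find_indicators(win))
    print("renamed:", rename_dlls(win))
    print("found after rename:", find_indicators(win))
```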
  3. rmdtech

    rmdtech Private E-2

    Thanks. I am running the online Panda scan right now… which is next to the last step in the procedure I found on this thread http://forums.majorgeeks.com/showthread.php?t=35407.

    I have been following it very closely and am saving the logs as instructed. So far, the scans haven’t found much (a cookie or two I think).

    I will follow this procedure as soon as I’m finished. Should I go ahead and post the logs from the current procedure before following this one?

    Many thanks for your help!!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can post those other logs as soon as you have them, but the new SpywareQuake procedure will have to be run to fix problems with it.
     
  5. rmdtech

    rmdtech Private E-2

    A big THANK YOU for your help… the dreaded icon is finally gone from my system tray. I’m not quite sure if the procedure from http://forums.majorgeeks.com/showthread.php?t=35407 did the trick or if it was the above procedure that finished it off. I have rebooted my system twice now just to make sure and it hasn’t shown up either time.

    A couple of things though:
    1. The icon would show up even in safe mode… every time.
    2. My keyboard would not work in safe mode most of the times I booted to it (I had to create a text file in normal mode containing all the file renames and then copy and paste to rename the one file I did find.)
    3. The only DLL file mentioned that I found in my System32 folder was the sivudro.dll, which of course I renamed to sivudro.DDD and deleted.

    Here are the log files from the earlier scans as well as the smitfiles.txt. Let me know if you want any more information about what I did. I’ll be glad to provide it if it will help you better help someone else.

    Again, Thanks!!
     

    Attached Files:

  6. rmdtech

    rmdtech Private E-2

    I was only able to upload 4 files... here is the 5th... thanks.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As per the directions in step 3 of the READ & RUN ME, you must not use multiple antivirus applications. You have PC Tools AV and Symantec installed. You must decide which you prefer and uninstall the other. Do this now before continuing with the below.

    You have a few minor things to clean up.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.
     
  8. rmdtech

    rmdtech Private E-2

    Sorry, I was out of town for a couple of days... the icon is gone now. The last procedure you gave me did the trick. Do I still need to follow this procedure?

    Thanks
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand your message. Everything I gave you thus far needs to be done, including uninstalling one of the antivirus programs and posting a follow up HijackThis log.
     
  10. rmdtech

    rmdtech Private E-2

    I followed the above procedure. Everything seems to be working fine. I don't see the SpywareQuake icon and there appears to be no problems. Here is the hijackthis.log.
     
  11. rmdtech

    rmdtech Private E-2

    I have tried 4 times (renaming the file each time, i.e. "newhijackthis.log" etc...) but it won't attach the file. I get a message saying that I have already attached the file in this thread. What can I do?
     
  12. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Please ask again tomorrow, Chaslang is away today. As for the log, name it something random, i.e. kjhkjn.log, or save it as a text file.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I got back early!

    If you still cannot upload your NEW HJT log as an attachment then just copy & paste it inline and I will attach it for you. Make sure all of message # 7 has been completed first.
     
  14. rmdtech

    rmdtech Private E-2

    Yes, I have completed all of message #7. Here is the log:

    Edit by chaslang: Inline log attached.

    Thank you...
     

    Attached Files:

    Last edited by a moderator: May 6, 2006
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your HijackThis log. You still have both Symantec and PC Tools antivirus applications running. You must uninstall one of them.

    Also all of the below are still in your log:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)

    Looks to me like all of your problems with uploading your HijackThis log are because you did not get a new log. You appear to have uploaded the same log as in message # 5. You need to make sure you did what is in message # 7 and then get a NEW HJT log to upload.

    Are Spyware Doctor or CounterSpy paid versions or are they free trials?
     
    Last edited: May 6, 2006
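A small classifier for the five HijackThis entries chaslang lists in messages #7 and #15 (the empty "Local Page =" settings, the empty system.ini Shell= line, and toolbars registered under a CLSID whose file is gone). This is an added example, not part of the thread or of HijackThis itself; the log excerpt is constructed, and the CLSID on the benign toolbar line is a made-up placeholder.

```python
import re

# Constructed HijackThis log excerpt: the five entries quoted in the thread plus
# three ordinary entries that must not be flagged (placeholder CLSID on the last).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.majorgeeks.com/
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O3 - Toolbar: Example bar - {00000000-1111-2222-3333-444444444444} - C:\\Program Files\\Example\\bar.dll
"""

# "R0 - <body>", "F2 - <body>", "O3 - <body>": section tag, then the entry text.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")


def classify(line):
    """Return a reason string for an entry that matches what the thread says to fix,
    or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body").rstrip()
    if kind == "R0" and body.endswith("="):
        # Internet Explorer registry setting left with an empty value.
        return "empty Internet Explorer setting"
    if kind == "F2" and "system.ini" in body and body.endswith("Shell="):
        # system.ini Shell= with no value: dead entry, nothing should be there.
        return "empty Shell= in system.ini"
    if kind == "O3" and body.endswith("(no file)"):
        # Toolbar still registered under its CLSID, but the DLL is gone from disk.
        clsid = CLSID_RE.search(body)
        return "toolbar with missing file (%s)" % (clsid.group(0) if clsid else "no CLSID")
    return None


def flag_entries(log_text):
    """Return [(line, reason)] for the entries to select in HijackThis."""
    flagged = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            flagged.append((line, reason))
    return flagged


if __name__ == "__main__":
    for line, reason in flag_entries(SAMPLE_LOG):
        print("%-32s %s" % (reason, line))
```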
  16. rmdtech

    rmdtech Private E-2

    I have only the trial versions of Spyware Doctor and CounterSpy. I uninstalled all the PC Tools software... both the spyware and antivirus programs. I looked again and cannot find it under 'start, programs'. I also checked in 'add/remove programs' and did not find it there.

    One problem I still have is that when I boot into safe mode, my keyboard doesn't work.. do you have any idea what is causing that?

    I don't know how I ended up posting the old Hijackthis log but I will run it again and post the new log.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay uninstall Spyware Doctor and CounterSpy too! Then attach a new HJT log.

    Your keyboard problems may be due to missing drivers for your hardware. Is your keyboard a standard keyboard or something special (like wireless or anything else special)? I doubt that this is a malware problem.
     
  18. rmdtech

    rmdtech Private E-2

    I looked for the programs Spyware Doctor and CounterSpy, but they don’t seem to be installed. I did find a folder for Sunbelt Software, which basically contains a CounterSpy folder and more empty folders. I also found a PC Tools folder that contains other folders and some sporadic files. These are both in the C:\Program Files directory. Should I manually delete them?

    I rebooted into safe mode and ran the HijackThis tool. The new log is posted.

    My keyboard is a standard issue Dell keyboard. I hadn't thought of the keyboard driver... if there is one. I will check and see if I have a driver for it on any of my Dell disks.

    Thanks for all your help.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you can delete those folders yourself.

    We do not want HijackThis logs from safe mode.

    Note that you still never followed step 7 of the READ & RUN ME to install HijackThis properly. However, we don't need to use it anymore since your log is clean. You should however get it installed properly for possible future use.

    Then I doubt it requires one unless maybe it is a USB keyboard.


    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
    Last edited: May 9, 2006
  20. rmdtech

    rmdtech Private E-2

    It is a USB keyboard but none of my Dell CDs have any drivers for it.

    I will flush system restore again and follow the steps for how to protect from malware. I have installed Service Pack 2 twice and had to uninstall it both times. It seems to slow my system down for some reason.

    Thanks again for all your help.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The decision to use SP2 is yours. It is more secure but you can stick with SP1a if SP2 has given you problems. Following ALL the other guidelines while using SP1a should still keep you pretty secure. I have several PCs where I do exactly this and I have no problems with malware. The real security issues start and end with the user (or users) of the PC.

    I would suggest posting in the Hardware Forum about your USB keyboard not working in safe mode or another suggestion would be to ask Dell. But it still sounds like some kind of driver that is required is not loaded in safe mode.
     
