SpywareQuake / Zolob Issue - Did I Get It?

3shadows
Joined: 28 Mar 2006 Posts: 16777215
Post subject: SpywareQuake / Zolob Issue - Did I Get It?
Hello All =)
I first want to say thank you to whoever made this website. It has given me a huge resource to start with in my current battle against these #$%^ things.
To give you a quick background on my computer, I have always run Avast! 4 antivirus, Windows Defender Beta 2, Spyware Blaster, and Ad-Aware SE Personal 1.06 as my main defense lines - with Avast and Defender always kept up to date and on active resident status.
On Saturday morning I was surfin’ the web and got nailed. Several alerts from avast came up really quick (I think there were 3-4) and two were quarantined, while one was an abort connection. Well, by the time I got through them SpywareQuake decided to install on my machine without any consent.
So, after cussing up a storm, I calmed down and ran some of my utilities. Surprisingly, they seemed not to pick anything up, except for Windows Defender which picked up Zolob and something else minor. It said it deleted it. I then found this site after searching for a way to remove SpywareQuake. I followed the posts on the "manual removal" of "SpywareQuake". After following this, and deleting everything it said except for stickrep.dll (because it wouldn’t let me delete it), I finished by running all of my utilities, as well as installing SpyBot S&D and running it after updating. Finally, I scheduled a boot-time scan with Avast! and it found nothing. Well, I restarted and bing-bang-boom the crap was back including the Zolob Virus. At this point I realized what I had was really nasty.
At that time I searched the forums for Zolob and got reports for "Zlob" and "Zlob.h", along with finding the forum post where member GTO talks about using the Pocket KillBox to get rid of "stickrep.dll". Long story short, I followed the manual delete directions for Zlob, Zlob.h, and SpywareQuake to the T – including using Killbox to get rid of stickrep.dll.
I thought I had it as the little system tray annoying thing from SpywareQuake was gone. I was wrong. Today upon starting my computer that freaking annoying system tray thing came back up, but I unplugged my network cable before anything downloaded.
I decided to run Defender again and lo and behold the Zolob it said it deleted was still there. I hit delete, restarted, and ran it again – there Zolob was again.
So, I used my other clean computer for research on this site and found this post:
http://www.2-spyware.com/forum/topic437.html
I followed the instructions exactly as posted, and it seems to have worked. My 4 reports are as follows:
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 6:25:27 PM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA\NETWOR~1\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
P:\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
P:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
P:\Eraser\eraser.exe
C:\Program Files\iPod\bin\iPodService.exe
P:\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
U:\Utilities\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] P:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "P:\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] P:\Eraser\eraser.exe -hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = P:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = P:\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - P:\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\PROGRA~1\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\PROGRA~1\NVIDIA\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\PROGRA~1\NVIDIA\NETWOR~1\bin\nSvcLog.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
smitRem:
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 03/27/2006
The current time is: 16:58:46.20
Running from
C:\Documents and Settings\Sparky\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\!KillBox\stickrep.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
Antivirus Test Online.url
~~~ system32 folder ~~~
ld****.tmp
~~~ Icons in System32 ~~~
ot.ico
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 848 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\!KillBox\stickrep.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 5:22:06 PM, 3/27/2006
+ Report-Checksum: 544842D4
+ Scan result:
HKU\S-1-5-21-1715567821-1547161642-839522115-1003\Software\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Adware.SpywareQuake : Cleaned with backup
HKU\S-1-5-21-1715567821-1547161642-839522115-1003_Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Adware.SpywareQuake : Cleaned with backup
[828] C:\!KillBox\stickrep.dll -> Trojan.Agent.qf : Cleaned with backup
C:\!KillBox\stickrep.dll -> Trojan.Agent.qf : Cleaned with backup
C:\WINDOWS\system32\dfrgsrv.exe -> Downloader.Zlob.jl : Cleaned with backup
::Report End
Panda ActiveScan:
Incident                                          Status           Location
Potentially unwanted tool:Application/Processor   Not disinfected  C:\Documents and Settings\Sparky\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor   Not disinfected  C:\Documents and Settings\Sparky\Desktop\smitRem.exe[Process.exe]
IS THERE ANYTHING ELSE I NEED TO DO FOLKS?
ALSO – my resident scanner on Avast! keeps picking up the documented false positive for the Panda ActiveScan file. Is there a way to delete this file since I am done with the Pandascan?
Thank you – esp. to anyone who has to read all this!!
--
Cheers, 3shadows

Tue Mar 28, 2006 2:50 am
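The smitRem export above shows why stickrep.dll kept returning: an entry under Explorer's SharedTaskScheduler key (COM objects Explorer loads when it starts) pointed at a per-user CLSID whose InProcServer32 was that DLL. As an added example, not part of smitRem or of this thread, the Python below parses that GetSTS.exe pseudo-reg format and flags SharedTaskScheduler entries whose COM server is registered under HKEY_CURRENT_USER or lives outside %SystemRoot%\System32; the sample input is the export copied from the log above.

```python
import re
# Export copied from the smitRem log in the post above (GetSTS.exe pseudo-reg format).
SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\!KillBox\stickrep.dll"
"""

KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))="(?P<data>.*)"$')
SERVER_RE = re.compile(r"CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$")


def parse_export(text):
    """Return (sts, servers): CLSID -> label under SharedTaskScheduler, CLSID -> (hive, DLL)."""
    sts, servers, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:  # a [HKEY_...\path] header starts a new section
            section = (key["hive"], key["path"])
            continue
        value = VALUE_RE.match(line)
        if not value or section is None:
            continue
        hive, path = section
        if path.endswith("Explorer\\SharedTaskScheduler") and value["name"]:
            sts[value["name"].upper()] = value["data"]  # CLSID -> display label
        elif value["default"]:
            server = SERVER_RE.search(path)
            if server:  # (Default) of an InProcServer32 key is the DLL that gets loaded
                servers[server.group(1).upper()] = (hive, value["data"])
    return sts, servers


def triage(text):
    """List SharedTaskScheduler entries whose server is per-user (HKCU), outside
    %SystemRoot%\\System32, or missing; each finding is (clsid, label, dll, reasons)."""
    sts, servers = parse_export(text)
    findings = []
    for clsid, label in sts.items():
        hive, dll = servers.get(clsid, (None, None))
        reasons = []
        if dll is None:
            reasons.append("no InProcServer32 value in export")
        else:
            if hive == "HKEY_CURRENT_USER":
                reasons.append("COM server registered per-user (HKCU)")
            if not dll.lower().startswith("%systemroot%\\system32\\"):
                reasons.append("DLL outside %SystemRoot%\\System32")
        if reasons:
            findings.append((clsid, label, dll, reasons))
    return findings
```

Run against the sample it reports only the "USB Ware" entry, pointing at C:\!KillBox\stickrep.dll, which is exactly the entry Ewido later cleaned from the user's HKU hive.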
1972vet
Joined: 09 Mar 2006 Posts: 47
You can either instruct Avast to ignore the file, or you can open Internet Options and click the Settings button under "Temporary Internet Files". Then click the View Objects tab. Scroll down the list and locate the ActiveX "Downloaded Program" file for Panda ActiveScan. You can identify it by right-clicking on the file and selecting "Properties". In the CodeBase at the bottom it will tell you that it is from Panda. Once you locate it, right-click on it and select "Remove".
Reboot.

Tue Mar 28, 2006 5:38 am
1972vet
Joined: 09 Mar 2006 Posts: 47
By the way, your log looks clean.

Wed Mar 29, 2006 6:35 am
3shadows
Joined: 28 Mar 2006 Posts: 16777215
I seem to be running clean as of all day today (knock on wood).
Is there any reason for me to have to worry about damage to my system? I am wondering if I need to do a full zero of the drive and re-install windows to avoid other infections, or if "cleaning" it was sufficient. Is there such a thing as "fully" cleaning an infection?
The reason I ask is I just recently did a full rebuild of my OS/system and I make images of my system for backup via Ghost or True Image. I don't want to waste the time and DVDs to back up a system that is going to be "buggy" or have corrupt files, etc. Thank you Vet for all the help!
--
Cheers, 3shadows

Wed Mar 29, 2006 10:18 am
1972vet
Joined: 09 Mar 2006 Posts: 47

Wed Mar 29, 2006 3:11 pm
3shadows
Joined: 28 Mar 2006 Posts: 16777215
Except for SpywareGuard, and Zone Alarm which I just put up after this, I have always done everything you put here - that is why I was so baffled on how easily this thing infected me. I update religiously with everything, including windows.
Thank you so much Vet for your help.
My last concern (hopefully) involves this log entry which keeps showing up in my Zone Alarm log. It would pop up as a window until I checked the "Don't alert me every time" box:
"ACCESS,2006/03/29,17:56:26 -8:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 15258).,N/A,N/A"
There are numerous ones, each entry is the same except each time the port number increases by one. It started with port 14976 and is now up to port 15317 with some port numbers skipped here and there. Is this entry a sign of something wrong, or a normal process?
Thank you!
-3shadows
--
Cheers, 3shadows

Thu Mar 30, 2006 5:14 am
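To look at a run of such entries as a whole rather than one pop-up at a time, here is an added Python example (not ZoneAlarm's code and not from this thread) that parses lines in the format quoted above and summarises, per remote address, how many connections were blocked, the range of remote ports, whether those ports only ever increase in log order, and whether the address is on the local network. The first sample line is the one from the post; the others are constructed in the same format, and 203.0.113.7 is a documentation-range placeholder.

```python
import re
from collections import defaultdict

# First line is the entry quoted in the post; the rest are constructed to match its format.
SAMPLE_LOG = """\
ACCESS,2006/03/29,17:56:26 -8:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 15258).,N/A,N/A
ACCESS,2006/03/29,17:56:41 -8:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 15259).,N/A,N/A
ACCESS,2006/03/29,17:57:02 -8:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 15261).,N/A,N/A
ACCESS,2006/03/29,17:57:30 -8:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (203.0.113.7:Port 4444).,N/A,N/A
"""

LINE_RE = re.compile(
    r"^ACCESS,(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>[\d:]+) (?P<tz>[^,]+),"
    r"(?P<program>.+?) was blocked from accepting a connection from the Internet "
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):Port (?P<port>\d+)\)\.,"
)


def parse_access_lines(text):
    """Parse ZoneAlarm ACCESS entries into dicts; lines in any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"date": m["date"], "time": m["time"], "program": m["program"],
                           "ip": m["ip"], "port": int(m["port"])})
    return events


def is_private(ip):
    """True for RFC 1918 addresses (10/8, 172.16/12, 192.168/16)."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def summarise(events):
    """Per remote address: number of blocked connections, first/last remote port,
    whether the remote ports strictly increase in log order (consistent with one
    host opening successive connections), and whether the address is on the LAN."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["port"])
    summary = {}
    for ip, ports in by_ip.items():
        summary[ip] = {
            "count": len(ports),
            "first": ports[0],
            "last": ports[-1],
            "sequential": all(b > a for a, b in zip(ports, ports[1:])),
            "private": is_private(ip),
        }
    return summary
```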
1972vet
Joined: 09 Mar 2006 Posts: 47
Generic Host Process should have access. Your Zone Alarm program control configuration for Generic Host Process should look like this:

                       Access               Server
                       Trusted   Internet   Trusted   Internet
Generic Host Process   check     check      check     X

With your Ewido Security Suite, you should scan and delete what it finds. Otherwise, the Generic Host Process accessing the internet from your computer is normal.
Regards,
Disabled Vet

Thu Mar 30, 2006 6:24 pm
3shadows
Joined: 28 Mar 2006 Posts: 16777215
I noticed that Ewido was a 14 day trial period - at which point it will revert to the "freeware" version of the program.
What am I losing with the Pro version in 14 days? Is the freeware version still capable of scanning and removing threats?
Thank you.
--
Cheers, 3shadows

Sun Apr 02, 2006 5:08 pm
1972vet
Joined: 09 Mar 2006 Posts: 47
All you lose is the real time protection. You can always use it for just an on demand scanner. I do and it's great.

Mon Apr 03, 2006 5:16 am