There exists an annoying icon in the taskbar. Upon rollover, it shows "Virus Alert!" and upon clicking, it displays a little pop-up telling me my computer is infected. Upon clicking the pop-up, xxx.spywarequake.com is displayed. Any ideas on removing this thing?


Logfile of HijackThis v1.99.1
Scan saved at 2:39:19 AM, on 7/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AppleCDEject.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1152037583\ee\AOLSoftware.exe
C:\WINDOWS\system32\81b00c91.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\aol\1152037583\ee\aim6.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Karl\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O4 - HKLM\..\Run: [AppleCdEject] C:\WINDOWS\system32\AppleCDEject.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152037583\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [81b00c91.exe] C:\WINDOWS\system32\81b00c91.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [81b00c91.exe] C:\Documents and Settings\Karl\Local Settings\Application Data\81b00c91.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: pmnlkhi - C:\WINDOWS\
O20 - Winlogon Notify: winjyp32 - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: furnariidae - {89e4aaba-3b21-49b3-b922-8ca35193c68e} - C:\WINDOWS\system32\zlara.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



Need anything else, let me know plz!

Hello Karl and welcome to the forum. Since you are seeing spywarequake, follow these directions.
http://forums.spybot.info/showthread.php?t=4015
Post those three logs in this same topic and I will be notified. Looks like you have other infections also, you may want to keep this computer offline as much as possible until it is clean, these infections do attract others.

Thanks...pskelley
Safer Networking Forums

Hey, thanks for your help. Here are those text files:

SmitFraudFix v2.68b

Scan done at 23:18:16.28, Sun 07/09/2006
Run from C:\Documents and Settings\Karl\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\zlara.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\KARL\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:45:41 PM 7/9/2006

+ Scan result:



C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP7\A0000536.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP8\A0000723.OCX -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP8\A0000998.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP8\A0002014.DLL -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP8\A0002017.EXE -> Downloader.Zlob.ww : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP12\A0003352.tlb -> Downloader.Zlob.xj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP7\A0000540.tlb -> Downloader.Zlob.xj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP8\A0001001.tlb -> Downloader.Zlob.xj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP8\A0001010.tlb -> Downloader.Zlob.xj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP8\A0002016.EXE -> Downloader.Zlob.xj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP8\A0002015.EXE -> Downloader.Zlob.xk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2B17CDB7-0B69-4CA7-911E-3A3EC2CCCDF1}\RP16\A0003752.DLL -> Not-A-Virus.Hoax.Win32.Renos.dw : Cleaned.


::Report end



Logfile of HijackThis v1.99.1
Scan saved at 12:04:53 AM, on 7/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AppleCDEject.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1152037583\ee\AOLSoftware.exe
C:\WINDOWS\system32\81b00c91.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
c:\program files\common files\aol\1152037583\ee\aim6.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Karl\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AppleCdEject] C:\WINDOWS\system32\AppleCDEject.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152037583\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [81b00c91.exe] C:\WINDOWS\system32\81b00c91.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [81b00c91.exe] C:\Documents and Settings\Karl\Local Settings\Application Data\81b00c91.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: pmnlkhi - C:\WINDOWS\
O20 - Winlogon Notify: winjyp32 - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



The taskbar virus appears to be gone after going through those scans. Thanks very much!

Thanks for returning the information, we have more work to do. You have a lot of bad stuff in System Restore and we will clean that out later, just don't use it or that junk will be back on the computer.

1) Java just updated again, because some real nasties are getting on the computer this way, you want to update:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) Do you own SpySweeper? Turn it off when you run this fix, it may block us:
Open the program
On the left, click: Options, then > Program Options
Uncheck: Load at windows startup
Again on the left click: Shields and uncheck all items there.
Uncheck: Home Page Shield
Uncheck: Automatically restore default without notification

3) Let's disable ewido also: turn off the real time protection until you are finished.

4) Open Start > Control Panel > Add Remove programs. If you see anything you know does not belong there, uninstall it. If you are not sure, let me know and I will look.

5) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [81b00c91.exe] C:\WINDOWS\system32\81b00c91.exe
O4 - HKCU\..\Run: [81b00c91.exe] C:\Documents and Settings\Karl\Local Settings\Application Data\81b00c91.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O20 - Winlogon Notify: pmnlkhi - C:\WINDOWS\
O20 - Winlogon Notify: winjyp32 - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

Search in your C:\WINDOWS\ and C:\WINDOWS\System32\ folders for these: pmnlkhi & winjyp32 if they are there delete the file.

C:\WINDOWS\system32\81b00c91.exe <<< file

C:\Documents and Settings\Karl\Local Settings\Application Data\81b00c91.exe <<< file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

8) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

Restart the computer and post a new HJT log alone with any comments you think will help. Let me know how the computer is running now.

Thanks...Phil

Karl7, still with us?

This topic is closed due to lack of a response.

If you need it re-opened please send me a pm and provide a link to the thread.

Applies only to the original topic starter.