Spyware Quake.... how do I remove it?

hello...
neither Ad-Aware nor Spyware Doctor nor anything else can see it :|

I have absolutely no idea how to remove it...
please help

Replies: 10

thanks :)
I threw the keys out of the registry just like in that FAQ and I don't have that junk any more :)
h4l0g3n
Added
28.03.2006 16:20:21
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}" = "USB Ware"
-> {HKCU...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\stickrep.dll" [null data]


OK, there is still something there

So here is a fix like this


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"wininet.dll"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareQuake"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"=-


the file itself is best dealt with using KillBox

Here you have additional info on how to remove it, together with a tool: http://www.2-spyware.com/remove-spywarequake.html
Wiewia
Added
28.03.2006 01:41:42
I've removed it more than once
both from Add/Remove and from Program Files... it always comes back
and those entries [ when I saw the results ] I had already removed earlier

and that rubbish is still there... that's what you get for having your sister on the computer..

and I'd just like to add that this thing is active in Safe Mode too :| [ bummer ]
h4l0g3n
Added
28.03.2006 01:11:19
Well, something is visible

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wininet.dll" = "dfrgsrv.exe" [null data]
"SpywareQuake" = "C:\Program Files\SpywareQuake\SpywareQuake.exe /h" ["SpywareQuake.com"]


so make a fix like this

Open Notepad and paste this

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"wininet.dll"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareQuake"=-


File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG and run it in Safe Mode.

Delete the folder marked in red. Check in Add/Remove Programs whether the SpywareQuake program is there

Did you use the SmitRem tool that Bobi wrote about?
Wiewia
Added
27.03.2006 23:57:13
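The reading Wiewia does by eye in the post above (an autostart sitting in Policies\Explorer\Run, a bare file name with no directory, a Silent Runners INFECTION WARNING that resolves to an unknown DLL) can be scripted. The Python below is an added example, not code from this thread or from Silent Runners; it assumes a constructed log excerpt in the Silent Runners format and a KNOWN_BAD list built from the names this thread identified.

```python
import re
# Constructed sample in Silent Runners format, modelled on the thread's log (names are the thread's own).
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wininet.dll" = "dfrgsrv.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"SpywareQuake" = "C:\Program Files\SpywareQuake\SpywareQuake.exe /h" ["SpywareQuake.com"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}" = "USB Ware"
-> {HKCU...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\stickrep.dll" [null data]
"""
# Value and file names the thread identified (assumption: this list is the example's own, not a vendor feed).
KNOWN_BAD = {"spywarequake", "spywarequake.exe", "dfrgsrv.exe", "stickrep.dll"}
KEY_RE = re.compile(r'^(HK[A-Z]+\\.*\\)(?: \{\+\+\})?$')
VALUE_RE = re.compile(r'^(?P<warn>INFECTION WARNING! )?"(?P<name>[^"]*)" = "(?P<data>.*)"(?: \[[^\]]*\])?$')
DLL_RE = re.compile(r'^\\InProcServer32\\\(Default\) = "(?P<data>.*)"(?: \[[^\]]*\])?$')
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat))"?(?:\s|$)', re.I)

def reasons_for(key, name, data, warned):
    """Reasons an autostart entry deserves a closer look; an empty list means nothing odd."""
    m = EXE_RE.match(data)                      # program/DLL path without its arguments
    exe = m["path"].lower() if m else ""
    checks = [
        (warned, "flagged by Silent Runners (INFECTION WARNING)"),
        ("policies\\explorer\\run" in key.lower(), "loads from Policies\\Explorer\\Run, rarely used legitimately"),
        (bool(exe) and "\\" not in exe, "bare file name, resolved through the search PATH"),
        (name.lower() in KNOWN_BAD or exe.rsplit("\\", 1)[-1] in KNOWN_BAD, "matches an indicator from the thread"),
    ]
    # "[null data]" (no version info) is deliberately not a signal: avast's own ashDisp.exe shows it too.
    return [why for hit, why in checks if hit]

def triage(log_text):
    """Return [(key, value name, program, reasons)] for each suspicious entry in a Silent Runners log."""
    findings, key, last = [], "", None
    for line in log_text.splitlines():
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := VALUE_RE.match(line):
            last = [key, m["name"], m["data"], reasons_for(key, m["name"], m["data"], bool(m["warn"]))]
            if last[3]:
                findings.append(last)
        elif (m := DLL_RE.match(line)) and last is not None:
            # the CLSID resolved to its DLL: judge that file too and merge any new reasons
            last[2] = m["data"]
            last[3] += [r for r in reasons_for(key, last[1], m["data"], False) if r not in last[3]]
            if last[3] and last not in findings:
                findings.append(last)
    return [tuple(f) for f in findings]
```

On the sample, avast's Run entry produces no finding, while the Policies\Explorer\Run value, the SpywareQuake value and the SharedTaskScheduler CLSID that resolves to stickrep.dll are reported with their reasons.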
"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wininet.dll" = "dfrgsrv.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Ad-watch" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"" ["Lavasoft Sweden"]
"SpywareQuake" = "C:\Program Files\SpywareQuake\SpywareQuake.exe /h" ["SpywareQuake.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{ABC70703-32AF-11d4-90C4-D483A70F4825}" = "CMenuExtender"
-> {HKLM...CLSID} = "CMenuExtender"
\InProcServer32\(Default) = "C:\WINDOWS\BricoPacks\Vista Inspirat\iColorFolder\CMExt.dll" ["Revenger inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"
-> {HKLM...CLSID} = "Siemens Device"
\InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"
-> {HKLM...CLSID} = "Siemens Device ContextMenuHandler"
\InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"
-> {HKLM...CLSID} = "Siemens Device PropertySheetHandler"
\InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
-> {HKLM...CLSID} = "CloneCD Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}" = "USB Ware"
-> {HKCU...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\stickrep.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
CMenuExtender\(Default) = "{ABC70703-32AF-11d4-90C4-D483A70F4825}"
-> {HKLM...CLSID} = "CMenuExtender"
\InProcServer32\(Default) = "C:\WINDOWS\BricoPacks\Vista Inspirat\iColorFolder\CMExt.dll" ["Revenger inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\DevilishBunny\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "DevilishBunny" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\DevilishBunny\Menu Start\Programy\Autostart
"Y'z ToolBar" -> shortcut to: "C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe" ["Y'z@Home"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 99 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 13 seconds.
---------- (total run time: 140 seconds)
h4l0g3n
Added
27.03.2006 22:05:11
Post a log from Silent Runners>
download it to disk> run it> choose "no", which gets us a full log> wait patiently until the program finishes generating the log, a DONE ! message will appear
MR. Anderson
Added
27.03.2006 21:01:33
I had Ewido :/
it doesn't see it..
and I'll try the rest in a moment

to damiancore :)
http://www.free-web-browsers.com/support/remove-spywarequake.shtml
hmm :P have you read anything about that program which supposedly removes it :P go read up :)
h4l0g3n
Added
27.03.2006 20:52:04
damiancore:
That junk is probably detected by SpyAxe or SpywareStrike


And what of it, when those programs are junk themselves :wink:
h4l0g3n, use the tiny SmitRem tool, you'll find the link on the forum.
It wouldn't hurt to run Ewido either, lots of people use it and from what I see they like it.
It's not visible where this SpywareQuake starts from, maybe Silent Runners will show it?
Bobi
Added
27.03.2006 17:30:10
http://www.free-web-browsers.com/support/remove-spywarequake.shtml
http://forums.techguy.org/security/452667-solved-spyware-quake.html


Did you install VCodec?? Remove it from the registry, startup, services...

That junk is probably detected by SpyAxe or SpywareStrike
damiancore
Added
27.03.2006 15:25:17
am I sure? - yes
I get gimmicks like: your computer is infected
a program called spyware quake starts up
next to the clock I have an icon that flashes and every so often that text about the infected computer shows up
and at system startup - spyware quake..

and here's the log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DevilishBunny\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - Startup: Y'z ToolBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz z &BitSpirit - E:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.mks.com.pl
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140188959984
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
h4l0g3n
Added
27.03.2006 14:29:20
h4l0g3n
Added:
27.03.2006 13:48:56
Comments:
10