Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

How To Remove Spywarequaked And Spywarequake (removal Instructions)


  • Please log in to reply
36 replies to this topic

#1 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 25 March 2006 - 12:53 PM


How to remove SpywareQuaked and SpywareQuake (Removal Instructions)

What this program does: SpywareQuaked and SpywareQuake is a anti-spyware program that is known to issue fake warnings on your computer in order to manipulate you into buying its full commercial version. The program is generally installed by a Trojan that automatically downloads and installs the program. An image of the program is below:
 

SpywareQuake Program
If you are infected with this program you will receive warnings in your task bar stating that you are infected with spyware and to run its special anti-spyware tool. This tool turns out to be the commercial version of SpywareQuake and SpywareQuaked. These warnings are fake and are a goad to have you buy the commercial version of this software. This version is slightly different than the previous variants (SpywareStrike, SpyAxe, SpyFalcon, etc) in that the alerts do not look like Windows Security Alerts but are rather a square that appears from your taskbar. An example of this alert is below:

SpywareQuake Fake Alert

Tools Needed for this fix: Symptoms in a HijackThis Log:

O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKLM\..\Run: [SpyQuake2.com] C:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h
O4 - HKLM\..\Run: [SpywareQuaked] C:\Program Files\SpywareQuaked\SpywareQuaked.exe /h

Add/Remove Programs control panel entry:
SpywareQuake
SpywareQuake 2.0
SpywareQuake 2.1
SpyQuake2.com 2.3

SpywareQuaked 2.4 Guide Updates: 07/03/06 - Revised guide to include information on the new version SpyQuake2.com 2.3. Updated image, symptoms, and Add/Remove Programs entry of Spyware Quake to reflect new version as well
11/18/07 - Guide updated to include the new (?) variant SpywareQuaked



Choose the removal method you would like to use:
Automated Removal Instructions for SpywareQuaked and SpywareQuake:
  1. Print out these instructions as we will need to close every window that is open later in the fix.

  2. Download SmitfraudFix.exe from here and save it to your desktop:

    SmitFraudFix.exe

    Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below:



  3. Next, please reboot your computer into Safe Mode by doing the following:

    1. Restart your computer

    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

    3. Instead of Windows loading as normal, a menu should appear

    4. Select the first option, to run Windows in Safe Mode.

    5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.

  4. When your computer has started in safe mode, and you see the desktop, close all open Windows.

  5. Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The icon will look like the one below:



  6. When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.

  7. You will now see a menu as shown in the image below. Press the number 2 on your keyboard and the press the enter key to choose the option Clean (safe mode recommended).



  8. The program will start cleaning your computer and go through a series of cleanup processes. When SmitFraudFix is done, it will automatically start the Disk Cleanup program as shown by the image below.





    This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will should continue with step 11.

  9. When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.
  10. When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.
  11. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen.
Your computer should now be free of the SpywareQuaked and SpywareQuake infections. If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log


Manual Removal Instructions for SpywareQuaked and SpywareQuake:

These steps may appear to be long and daunting. They are, though, quite easy to do and consist of so many steps only because I have written them in an extremely detailed manner.
  1. Print out these instructions as we will need to close every window that is open later in the fix.

  2. Download FixSQ.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.

    FixSQ.reg Download Link

    Confirm that the file FixSQ.reg now resides on your desktop as we will need it later.

  3. Download SmitfraudFix.exe from here and save it to your desktop:

    SmitFraudFix.exe

    Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below:



  4. Go to your desktop and double click on the FixSQ.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button.

  5. Click on the Start button and then select the Run option.

  6. In the Open: field type c:\windows\system32 and then press the OK button.

  7. When the folder appears, if it says These files are hidden, click on the Show the contents of this folder option.

  8. We now need to make it so you can see hidden files.
    1. Click on the Tools menu and select Folder Options.
    2. Click on the View tab.
    3. Under the Hidden files and folders category select Show hidden files and folders.
    4. Uncheck Hide protected operating system files.
    5. Press Apply and then OK.
    6. If you still can not see the file, then undo these changes and skip to step 11.

  9. Scroll through the list of files in this folder and look for stickrep.dll. Right-click on stickrep.dll and select rename. Rename the file to stickrep.dll.bad.

    Look for the file qgjpaw.dll and rename the file to qgjpaw.dll.bad

    Look for the file suprox.dll and rename the file to suprox.dll.bad

    Look for the file xenadot.dll and rename the file to xenadot.dll.bad

    L ook for the file sivudro.dll and rename the file to sivudro.dll.bad.

    Look for the file dvdcap.dll and rename the file to dvdcap.dll.bad.

    Look for the file autodisc32.dll and rename the file to autodisc32.dll.bad.
    Look for the file wfkduei.dll and rename the file to wfkduei.dll.bad.
    Look for the file yhbdupd.dll and rename the file to yhbdupd.dll.bad.
    Look for the file imfdfcj.dll and rename the file to imfdfcj.dll.bad. Look for the file hvnwm.dll and rename the file to hvnwm.dll.bad. Look for the file ywbicim.dll and rename the file to ywbicim.dll.bad. Look for the file vhywj.dll and rename the file to vhywj.dll.bad. Look for the file yfysupa.dll and rename the file to yfysupa.dlll.bad. Look for the file ornzq.dll and rename the file to ornzq.dll.bad.

    Look for the file sxbbx.dll.dll and rename the file to sxbbx.dll.dlll.bad. Look for the file ucbrrt.dll and rename the file to ucbrrt.dlll.bad. Look for the file acvgxw.dll.dll and rename the file to acvgxw.dll.dlll.bad. Look for the file icima.dll and rename the file to icima.dlll.bad. Look for the file dnefhw.dll and rename the file to dnefhw.dll.bad. Look for the file posem.dll and rename the file to posem.dll.bad. Look for the file ofcukiz.dll and rename the file to ofcukiz.dll.bad. Look for the file hzclqhc.dll and rename the file to hzclqhc.dll.bad. Look for the file qrucmr.dll and rename the file to qrucmr.dll.bad. Look for the file erxbx.dll and rename the file to erxbx.dll.bad. Look for the file lwpfwjb.dll and rename the file to lwpfwjb.dll.bad. Look for the file rmzdzx.dll and rename the file to rmzdzx.dll.bad. Look for the file xuefh.dll and rename the file to xuefh.dll.bad. Look for the file yvvdj.dll and rename the file to yvvdj.dll.bad. Look for the file oybgrql.dll and rename the file to oybgrql.dll.bad. Look for the file viwpzla.dll and rename the file to viwpzla.dll.bad. Look for the file hvcycg.dll and rename the file to hvcycg.dll.bad. Look for the file guxxa.dll and rename the file to guxxa.dll.dll.bad. Look for the file tnvocyn.dll and rename the file to tnvocyn.dll.dll.bad. Look for the file kkqfb.dll and rename the file to kkqfb.dll.bad. Look for the file bpvcou.dll and rename the file to bpvcou.dll.bad. Look for the file zlara.dll and rename the file to zlara.bad. Look for the file vpxnk.dll and rename the file to vpxnk.dll.bad. Look for the file jevtxpg.dll and rename the file to jevtxpg.dll.bad. Look for the file gvfsc.dll and rename the file to gvfsc.dll.bad. Look for the file ipztub.dll and rename the file to ipztub.dll.bad. Look for the file yephk.dll and rename the file to yephk.dll.bad. Look for the file mzoeut.dll and rename the file to mzoeut.dll.bad. Look for the file pmnqguh.dll and rename the file to pmnqguh.dll.bad. Look for the file urroxtl.dll and rename the file to urroxtl.dll.bad. Look for the file viruxz.dll and rename the file to viruxz.dll.bad. Look for the file onofub.dll and rename the file to onofub.dll.bad. Look for the file fjdcy.dll and rename the file to fjdcy.dll.bad. Look for the file vwlummc.dll and rename the file to vwlummc.dll.bad. Look for the file fhmfes.dll and rename the file to fhmfes.dll.bad. Look for the file kfhrvq.dll and rename the file to kfhrvq.dll.bad. Look for the file yosdjh.dll and rename the file to yosdjh.dll.bad. Look for the file jpqet.dll and rename the file to jpqet.dll.bad.

    Note: Please rename any of the above files that you may find. If you do not find any of these files, then you should post a note about it in the Am I Infected? forum.
  10. After you rename the file, you can close the System32 folder window.

  11. Next, please reboot your computer into Safe Mode by doing the following:

    1. Restart your computer

    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

    3. Instead of Windows loading as normal, a menu should appear

    4. Select the first option, to run Windows in Safe Mode.

    5. When you are at the logon prompt, log in as the same user which you had done the previous steps.

  12. When your computer has started in safe mode and you see the desktop, click on the Start Menu button.

  13. Click on the Control Panel option.

  14. Double-click on the Add or Remove Programs icon.

  15. Find the entry for SpywareQuake, SpyQuake2.com 2.3, and SpywareQuaked 2.4 and double-click on them to uninstall them if found. Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks.

  16. When it has completed uninstalling you can close Add or Remove Programs and your Control Panel.

  17. Delete the following files and folders (Do not be concerned if a folder does not exist):

    C:\Windows\System32\stickrep.dll.bad
    C:\Windows\System32\suprox.dll.bad

    C:\Windows\System32\xenadot.dll.bad
    C:\Windows\system32\sivudro.dll.bad
    C:\Windows\System32\autodisc32.dll.bad
    C:\Windows\System32\yhbdupd.dll.bad
    C:\Windows\System32\imfdfcj.dll.bad C:\Windows\System32\hvnwm.dll.bad C:\Windows\System32\wfkduei.dll.bad C:\Windows\System32\ywbicim.dll.bad C:\Windows\Systen32\yfysupa.dll.bad C:\Windows\System32\vhywj.dll.bad C:\Windows\System32\asxbbx.dll.bad C:\Windows\System32\ucbrrt.dll.bad C:\Windows\System32\acvgxw.dll.bad C:\Windows\System32\ofcukiz.dll.bad C:\Windows\System32\dnefhw.dll.bad C:\Windows\System32\ornzq.dll.bad C:\Windows\System32\icima.dll.bad C:\Windows\System32\posem.dll.bad C:\Windows\System32\hzclqhc.dll.bad C:\Windows\System32\erxbx.dll.bad C:\Windows\System32\qrucmr.dll.bad C:\Windows\System32\lwpfwjb.dll.bad C:\Windows\System32\rmzdzx.dll.bad C:\Windows\System32\jpqet.dll.bad C:\WindowsS\system32\xuefh.dll.bad C:\Windows\System32\yvvdj.dll.bad C:\Windows\System32\oybgrql.dll.bad C:\Windows\system32\viwpzla.dll.bad C:\Windows\System32\hvcycg.dll.bad C:\Windows\System32\guxxa.dll.bad C:\Windows\System32\tnvocyn.dll.bad C:\Windows\System32\kkqfb.dll.bad C:\Windows\System32\bpvcou.dll.bad C:\Windows\System32\zlara.dll.bad C:\Windows\System32\vpxnk.dll.bad C:\Windows\System32\gvfsc.dll.bad C:\Windows\System32\jevtxpg.dll.bad C:\Windows\System32\ipztub.dll.bad C:\Windows\System32\yephk.dll.bad C:\Windows\System32\mzoeut.dll.bad C:\Windows\System32\pmnqguh.dll.bad C:\Windows\System32\onofub.dll.bad C:\Windows\system32\kfhrvq.dll.bad C:\Windows\System32\urroxtl.dll.bad C:\Windows\System32\viruxz.dll.bad C:\Windows\System32\fjdcy.dll.bad C:\Windows\System32\vwlummc.dll.bad C:\Windows\System32\fhmfes.dll.bad C:\Windows\System32\yosdjh.dll.bad C:\Windows\System32\nvctrl.exe
    C:\Windows\System32\dfrgsrv.exe
    C:\Windows\System32\mssearchnet.exe
    C:\Windows\System32\qgjpaw.dll.bad
    C:\Program Files\SpyQuake2.com\
    C:\Program Files\SpywareQuake\
    C:\Program Files\SpywareQuaked\

  18. Close all open Windows.

  19. Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The icon will look like the one below:


  20. When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.

  21. You will now see a menu as shown in the image below. Press the number 2 on your keyboard and the press the enter key to choose the option Clean (safe mode recommended).



  22. The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below.





    This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will should continue with step 25.

  23. When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.
  24. When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.

  25. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log to see what files were found, and when you are done, close the Notepad screen.

  26. We next perform an online scan with Panda to find any possible inactive remnants from this infection: Panda Online

    1. Once you are on the Panda site click the Scan your PC button

    2. A new window will open...click the Check Now button

    3. Enter your Country

    4. Enter your State/Province

    5. Enter your e-mail address and click send

    6. Select either Home User or Company

    7. Click the big Scan Now button

    8. If it wants to install an ActiveX component allow it

    9. It will start downloading the files it requires for the scan (Note: It may take a few minutes)

    10. When download is complete, click on Local Disks to start the scan

  27. When the online scan has been completed, let it remove what it finds, and then you can close Internet Explorer.
Your computer should now be free of the SpywareQuaked and SpywareQuake infection. If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log


This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.


BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 25 March 2006 - 12:55 PM

Current infection dll is c:\windows\system32\stickrep.dll.

Thanks Miekiemoes and Flrman1 for the malware info/regfile.

#3 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 27 March 2006 - 04:32 PM

Update...added instructions for using an automated removal tool, roguescanfix, by Beamerke.

#4 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 15 April 2006 - 05:07 PM

Fix updated to include removal of the new file that issues the fake alerts. This file is :

C:\WINDOWS\system32\suprox.dll

#5 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 18 April 2006 - 02:33 PM

Once again, a new variant has been discovered thanks to Mark (Flrman1).

The new infection file is: C:\Windows\System32\xenadot.dll

Removal instructions have been updated.

#6 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 23 April 2006 - 09:11 PM

Guide updated to remove the new variant.

This new file is : C:\WINDOWS\system32\sivudro.dll

#7 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 03 May 2006 - 04:41 PM

Guide updated to remove the new variant.

This new file is : C:\WINDOWS\system32\dvdcap.dll

#8 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 10 May 2006 - 12:01 PM

Guide updated to reflect new instructions for RogueScanFix.

#9 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 12 May 2006 - 12:38 PM

Updated guide to reflect the latest SpywareQuake infector:

C:\WINDOWS\System32\autodisc32.dll

#10 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 19 May 2006 - 11:21 PM

Updated the instructions to include instructions on what to do if the removal tool does not remove SpywareQuake automatically.

#11 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 26 May 2006 - 10:49 AM

Updated for the latest variant:

C:\\WINDOWS\\system32\\wfkduei.dll

#12 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 30 May 2006 - 09:53 AM

Guide updated for new variants:

C:\Windows\System32\yhbdupd.dll
C:\Windows\System32\imfdfcj.dll
C:\Windows\System32\hvnwm.dll

#13 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 31 May 2006 - 09:33 PM

Updated for new variant:

C:\Windows\System32\ywbicim.dll

#14 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 02 June 2006 - 03:37 PM

Updated for the two new variants:

C:\Windows\System32\vhywj.dll
C:\Windows\System32\yfysupa.dll

#15 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 07 June 2006 - 02:31 PM

Various updates in the past few days.




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users