Archive for April, 2006

Twain32.dll - A new SpyFalcon Variant

As if all of the SpywareQuake variants being released were not enough, it looks like we now have a new SpyFalcon variant. This DLL, C:\Windows\System32\twain32.dll, issues fake security alerts on your taskbar when loaded. If you click on them, they will install SpyFalcon 2.0 onto your computer.

Twain32.dll is loaded via the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"

The SpyFalcon removal instructions have been updated for this variant.


Sivudro.dll is the latest variant of SpywareQuake

Once again, a new variant of the SpywareQuake infector has been released. You would think they would just give up by now and move on to the next incarnation of their scamware. This time the file used is C:\Windows\System32\sivudro.dll.

Sivudro.dll is loaded via the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\system32\sivudro.dll"

The SpywareQuake removal instructions have been updated for this variant.


New SpywareQuake variant, xenadot.dll, found today

The makers of SpywareQuake seem to be on a roll this week.  We find one variant and they release another.  This time the file used is C:\Windows\System32\xenadot.dll.

Xenadot.dll is loaded via the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"="XenaDot Software"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}\InProcServer32]
@="C:\WINDOWS\system32\xenadot.dll"

The SpywareQuake removal instructions have been updated for this variant.


SpywareQuake uses new file to issue its fake alerts

SpywareQuake, a rogue antispyware application, now uses a new file to issue its fake security alerts. This file is C:\Windows\System32\suprox.dll, and when loaded it issues fake security alerts on your taskbar stating that you are infected. When you click on the alert, it downloads and installs SpywareQuake and attempts to scare you into purchasing it.

The suprox.dll file is loaded via the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"="USB Mouse Driver"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}\InProcServer32]
@="C:\WINDOWS\system32\suprox.dll"

For removal instructions please see this guide:

How to remove SpywareQuake
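
All four posts above describe the same load mechanism: a CLSID value under SharedTaskScheduler plus a matching InProcServer32 key that names the DLL. The following is an added example, not part of the original posts, that parses a regedit export and resolves every SharedTaskScheduler CLSID to the DLL it points at. The sample export is constructed, and the `per_user` flag is an assumption about what deserves review, not a rule stated in the posts.

```python
import re

# CLSIDs named in the four posts on this page.
PAGE_CLSIDS = {"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}", "{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}",
               "{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}", "{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"}
STS = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER"
# Per-user hive first: that is where the posts say the DLL path is registered.
HIVES = (r"HKEY_CURRENT_USER\SOFTWARE\CLASSES", r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample export: the suprox.dll entry from the post above plus a
# made-up machine-wide entry for contrast.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"="USB Mouse Driver"
"{00000000-1111-2222-3333-444444444444}"="Example Shell Task"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}\InProcServer32]
@="C:\\WINDOWS\\system32\\suprox.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InProcServer32]
@="C:\\WINDOWS\\system32\\example.dll"
'''

def parse_reg(text):
    """Map upper-cased key path -> {value name: string data} (REG_SZ values only)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1).strip('"')] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def audit(text):
    """Resolve every SharedTaskScheduler CLSID to the DLL registered for it (None if unresolved)."""
    keys, findings = parse_reg(text), []
    for clsid, label in keys.get(STS, {}).items():
        clsid = clsid.upper()
        paths = {h: keys.get(h + "\\CLSID\\" + clsid + "\\INPROCSERVER32", {}).get("@") for h in HIVES}
        hive = next((h for h in HIVES if paths[h]), None)
        findings.append({"clsid": clsid, "label": label, "dll": paths.get(hive),
                         "per_user": hive == HIVES[0], "on_page": clsid in PAGE_CLSIDS})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

An entry whose `dll` is `None` has a SharedTaskScheduler value but no InProcServer32 key in the export, which can mean the class key was not included in the export.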


Today is Patch Tuesday for Microsoft and it’s a doozy

The second Tuesday of every month is Microsoft’s Patch Tuesday. On this day they release security updates for any issues discovered the previous month. This month’s Patch Tuesday is a doozy, though. It contains 2 Windows security patches, 1 IE update that contains fixes for multiple problems, an Outlook Express update, and an update to the Microsoft FrontPage Extensions.

It is advised that everyone who runs Windows install these patches immediately. They can be installed via Automatic Updates, if it is configured on your computer, or by going to Windows Update.



© 2003-2008 All Rights Reserved Bleeping Computer LLC.
