Archive for spywarequake

2 New SpywareQuake Variants - vhywj.dll & yfysupa.dll

Two new SpywareQuake variants found today: C:\Windows\System32\yfysupa.dll and C:\Windows\System32\vhywj.dll.

Reg keys for both files are as follows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{cbb430e6-5b1b-474a-9d7e-160d4fe74bea}"="feld"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{cbb430e6-5b1b-474a-9d7e-160d4fe74bea}\InProcServer32]
@="C:\\WINDOWS\\system32\\yfysupa.dll"

And

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a0aa3e4b-31cb-4ea2-9049-22b7f5b65edb}"="fumarases"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a0aa3e4b-31cb-4ea2-9049-22b7f5b65edb}\InProcServer32]
@="C:\\WINDOWS\\System32\\vhywj.dll"

The SpywareQuake removal instructions have been updated for this variant.


New SpywareQuake Variant - ywbicim.dll

New SpywareQuake variant found today as well: C:\Windows\System32\ywbicim.dll.

Reg keys for C:\Windows\System32\ywbicim.dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6c69e319-0d03-47da-997a-36586cbc53b3}"="fortread"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{6c69e319-0d03-47da-997a-36586cbc53b3}\InProcServer32]
@="C:\\WINDOWS\\system32\\ywbicim.dll"

The SpywareQuake removal instructions have been updated for this variant.


Three new SpywareQuake variants released.

This week the people who write SpyFalcon have instead focused on bringing out some new variants for SpywareQuake. As always the SpywareQuake removal instructions have been updated for these variants.

Reg keys for C:\Windows\System32\yhbdupd.dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}"="alongshore"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}\InProcServer32]
@="C:\\WINDOWS\\System32\\yhbdupd.dll"

Reg keys for C:\Windows\System32\imfdfcj.dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e5b1e382-817e-4b74-8a96-ec78751e6acf}"="incatenate"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{e5b1e382-817e-4b74-8a96-ec78751e6acf}\InProcServer32]
@="C:\\WINDOWS\\system32\\imfdfcj.dll"

Reg keys for C:\Windows\System32\hvnwm.dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{62eb0924-19d2-4226-b4b9-8ad1f70904c1}"="bronchovascular"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32]
@="C:\\WINDOWS\\system32\\hvnwm.dll"


Surprise surprise..a new SpywareQuake variant is out.

What a surprise… another variant of SpywareQuake was released. This time the file used is C:\Windows\System32\dvdcap.dll.

Dvdcap.dll is loaded via the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}"="CD-DVD Device"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\dvdcap.dll"

The SpywareQuake removal instructions have been updated for this variant.


Sivudro.dll is the latest variant of SpywareQuake

Once again, a new variant of the SpywareQuake infector has been released. You would think they would just give up by now and move on to the next incarnation of their scamware. This time the file used is C:\Windows\System32\sivudro.dll.

Sivudro.dll is loaded via the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\system32\sivudro.dll"

The SpywareQuake removal instructions have been updated for this variant.


New SpywareQuake variant, xenadot.dll, found today

The makers of SpywareQuake seem to be on a roll this week. We find one variant and they release another. This time the file used is C:\Windows\System32\xenadot.dll.

Xenadot.dll is loaded via the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"="XenaDot Software"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}\InProcServer32]
@="C:\WINDOWS\system32\xenadot.dll"

The SpywareQuake removal instructions have been updated for this variant.


SpywareQuake uses new file to issue its fake alerts

SpywareQuake, a rogue antispyware application, now uses a new file to issue its fake security alerts. This file is C:\Windows\System32\suprox.dll, and when loaded it issues fake security alerts on your taskbar stating that you are infected. When you click on the alert, it downloads and installs SpywareQuake and attempts to scare you into purchasing it.

The suprox.dll file is loaded via the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"="USB Mouse Driver"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}\InProcServer32]
@="C:\WINDOWS\system32\suprox.dll"

For removal instructions please see this guide:

How to remove SpywareQuake
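
Every variant listed on this page uses the same pairing: a SharedTaskScheduler value under HKLM naming a CLSID, and that CLSID's InProcServer32 registered under HKCU. The following is an added example, not code from the original posts, that checks a registry export for that pairing offline. The function names, the sample export and the `{00000000-...}` benign entry are constructed for illustration, and flagging a per-user-only server is an assumption drawn from the variants shown here.

```python
import re

# Constructed sample in .reg export form: the suprox.dll keys from the post above,
# plus a hypothetical benign entry whose COM server is registered machine-wide.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"="USB Mouse Driver"
"{00000000-0000-0000-0000-000000000001}"="Example Preloader"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}\InProcServer32]
@="C:\WINDOWS\system32\suprox.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\example.dll"
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^(@|"[^"]*")="(.*)"$')
STS_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler'
SERVER_KEY = re.compile(r'^(hkey_[a-z_]+)\\software\\classes\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$')

def parse_reg(text):
    """Return {lowercased key path: {value name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION.match(line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            # Exports escape backslashes in data; accept single ones too.
            current[m.group(1).strip('"')] = m.group(2).replace('\\\\', '\\')
    return keys

def audit_shared_task_scheduler(text):
    """Resolve each SharedTaskScheduler CLSID to its DLL; flag per-user-only servers."""
    keys = parse_reg(text)
    servers = {}  # clsid -> {hive: dll path}
    for path, values in keys.items():
        m = SERVER_KEY.match(path)
        if m and '@' in values:
            servers.setdefault(m.group(2), {})[m.group(1)] = values['@']
    findings = []
    for clsid, label in keys.get(STS_KEY, {}).items():
        hives = servers.get(clsid.lower(), {})
        findings.append({
            'clsid': clsid, 'label': label,
            'dll': hives.get('hkey_local_machine') or hives.get('hkey_current_user'),
            'per_user_only': set(hives) == {'hkey_current_user'},
        })
    return findings
```

The parser expects each key path on a single line, so line-wrapped paths must be rejoined before feeding text to it.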


Spywarequake, New Rogue Antispyware Application

Remember the widespread infections of SpyAxe, SpyFalcon, and SpywareStrike? Now there is a new rogue antispyware application out from the same developers called SpywareQuake. SpywareQuake uses the same method of installing a Trojan, c:\windows\system32\stickrep.dll, on your computer that issues fake security alerts as a fear tactic to make you purchase their commercial version of the program SpywareQuake.

This is a scam! No other way to put it. If you are infected with this application, do not be tricked into purchasing the full version. Instead, follow the instructions we have put together on removing the infection for free. The removal guide can be found below:

How to remove spywarequake



© 2003-2008 All Rights Reserved Bleeping Computer LLC.
