Spyware Confidential

Larry Dignan, Jason Perlow, Tom Steinert-Threlkeld

SpywareQuake - newest rogue, replacing SpyFalcon and SpyAxe

By | March 25, 2006, 2:13pm PST

Since I first heard about SpywareQuake, late yesterday afternoon, less than 24 hours ago, I’ve seen dozens of complaints about it already. SpywareQuake is being installed without notice or consent, hijacks the desktop and pops up a warning from the system tray that the machine is infected with spyware. It scans and reports that it found spyware in the machine and then demands payment to remove the so-called spyware. You can see a screenshot of SpywareQuake at SunbeltBLOG here.

If you find this blog post and are wondering about SpywareQuake, whether you should buy it, the answer is NO. It’s a rogue and a rip-off! It is installed by and with spyware and contains malware to prevent you from removing it. It’s another variant of the SmitFraud infection.

Right now none of the antivirus or anti-spyware programs that I’m aware of will detect and remove SpywareQuake.  The offending file that resists removal and causes reinfection appears to be C:\Windows\System32\stickrep.dll.

Several people in the anti-spyware community have posted tutorials on removing SpywareQuake. BleepingComputer.com tutorial here. Nick’s Computer Security blog’s SpyFalcon removal instructions have been updated to include SpywareQuake. One user commented that after following the instructions and renaming the file stickrep.dll to something else, he was rid of SpywareQuake.

Who is behind this rogue application? The domain whois information shows this:

Domain Name: SPYWAREQUAKE.COM

Registrant:
SafeSurf LLC
Kevin Gerad kevin.gerad (at) gmail.com
U-12 Gamma Commercial Complex # 47 Rizal Highway cor. Manila
Olongapo City
null,98101
PH
Tel. +201.6753332

Creation Date: 27-Nov-2005
Expiration Date: 27-Nov-2006

Domain servers in listed order:
dns2.spywarequake.info
dns1.spywarequake.info

Whois.sc is showing spywarequake.com as not active but dnsstuff.com is able to ping the domain. The IP address is 216.255.188.98, which belongs to InterCage (formerly known as Atrivo).  More information about InterCage/Atrivo in my post about ISPs hosting spyware. Tracert to spywarequake.com and to spywarequake.info show the upstream provider as nLayer: 

69.22.143.6 AS4436 AS-NLAYER  ge1-2.hr1.sfo1.us.nlayer.net.

On a side note, I recently sent an email to InterCage’s abuse reporting address, and to the owner, Emil Kacpersky, regarding blog comment spam to this blog and have not received any reply.

I’d recommend putting the domains spywarequake.com and spywarequake.info in the Internet Explorer restricted site zone, or blocking them in the hosts file or firewall, along with the IP address 216.255.188.98.
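As an added example (not part of the original post), here is a small Python helper that does the hosts-file part of that recommendation idempotently and checks a System32 listing for the file names this page reports as resisting removal. The hosts path and the sample inputs are assumptions constructed for illustration; the domains and file names come from the post and its comments.

```python
# Domains the post recommends blocking, and the file names named on the page
# (stickrep.dll in the post, xuefh.dll in a reader comment).
BLOCK_DOMAINS = ["spywarequake.com", "spywarequake.info"]
INDICATOR_FILES = {"stickrep.dll", "xuefh.dll"}
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # default Windows location

def blocked_hosts(hosts_text):
    """Return the set of hostnames already mapped to a sinkhole address
    (0.0.0.0 or 127.0.0.1) in hosts-file text; comments and blanks are skipped."""
    found = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("0.0.0.0", "127.0.0.1"):
            found.update(name.lower() for name in parts[1:])
    return found

def add_block_entries(hosts_text, domains):
    """Append a 0.0.0.0 entry for each domain (and its www. alias) that is not
    already sinkholed. Re-running on the result changes nothing."""
    present = blocked_hosts(hosts_text)
    wanted = [name for d in domains for name in (d, "www." + d)
              if name.lower() not in present]
    if not wanted:
        return hosts_text
    out = hosts_text if (not hosts_text or hosts_text.endswith("\n")) else hosts_text + "\n"
    out += "# blocked: SpywareQuake rogue (added by script)\n"
    out += "".join(f"0.0.0.0 {name}\n" for name in wanted)
    return out

def suspicious_files(system32_listing):
    """Given file names from System32, return those matching the page's indicators
    (case-insensitive, since Windows file names are)."""
    return sorted(f for f in system32_listing if f.lower() in INDICATOR_FILES)

# Constructed sample inputs (hypothetical hosts content and directory listing).
SAMPLE_HOSTS = "127.0.0.1 localhost\n0.0.0.0 spywarequake.com  # already blocked\n"
SAMPLE_LISTING = ["kernel32.dll", "StickRep.dll", "ntdll.dll"]

if __name__ == "__main__":
    print(add_block_entries(SAMPLE_HOSTS, BLOCK_DOMAINS))
    print("indicator files present:", suspicious_files(SAMPLE_LISTING))
```

To apply it for real, read HOSTS_PATH, pass the text through add_block_entries and write the result back as an administrator; the firewall and restricted-zone steps from the post are separate.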



Biography

Suzi Turner is webmaster and owner of SpywareWarrior.com, a comprehensive site that includes a spyware help forum, spyware blog and reviews of anti-spyware software by noted spyware expert Eric L. Howes. Suzi became angry about spyware in 2002 after being infected by a drive-by-download of a browser hijacker and unwanted adware/spyware and decided to help others in the same predicament. In April 2005, Microsoft awarded Suzi its MVP (Most Valued Professional) Award in recognition of her work to help internet users protect their privacy by removing and preventing spyware. Suzi is also a nurse for a national disability management company.

9 Comments


RE: SpywareQuake - newest rogue, replacing SpyFalcon and SpyAxe
mrgoldstien 21st Mar 2011
Great advice guys! Spyware quake has been a total disaster for my laptop. I found a site called spyware help center and spoke to them; they have a toll free number and they walked me through getting it off my computer. In case someone else needs their help, here is the site address http://www.spywarehelpcenter.com
manual removal instructions
ugnius 26th Mar 2006
here are the latest manual removal instructions collected from HJT logs:
http://www.2-spyware.com/remove-spywarequake.html
Familiar Source
Arnie Vios 30th Mar 2006
The quoted source for SpywareQuake seems to be the SAME source for SpyAxe.
Lavasoft just released an update to Ad-Aware:

Ad-Aware SE1R102 03.04.2006

which includes SpywareQuake as a new definition.
After having the spywarequake on my computer I downloaded as many as fifteen programs to finally find one that would remove the wee beasty. SpyCatcher found the problems and did in fact remove them from the computer.
SpywareQuake removal procedures
gabesa 5th May 2006
I have been infected with this Adware for quite some time until I searched and found a simple removal procedure. This might help you remove SpywareQuake on your computer:

http://www.precisesecurity.com/adware-spy/aws-spywarequake.htm
New SpywareQuake Variant?
FordJenn2 9th May 2006
We have seen this piece of cr*ap more than a dozen times in the past week in our service center. SpywareQuake is a new variant of the SpyFalcon and SpySheriff infections. I think a new variant has been released because all of a sudden customers started reporting that our free online removal tutorial stopped working. It seems that three new files have been appearing on the hard drives we have looked at. The files are all located in the System32 folder and they are msvcp71.dll, msvcr71.dll, and stdole3.tlb.

We have updated our tutorial at http://www.schrockinnovations.com/removespywarequake.php to include these files, and now it seems to be working again. If anyone knows about a completely automated (and free) tool to remove this, post about it because it would save me a boatload of time.

Sincerely,

Thor Schrock
Schrock Innovations, Inc.
http://www.schrockinnovations.com
866-496-8772
SpywareQuake
bodavis6 19th Jun 2006
I had spywarequake on my computer. It installed a total of 3 viruses.

I discovered a non removable virus in a file called xuefh.dll (Which I was unable to delete) in my C:\windows\system32 directory.

Then I renamed the file to xuefh.dll.vir. I rebooted my computer went into command prompt and deleted the virus infected file.

The icon in the system tray went away, and the system message with it.

Thanks,

Bo Davis
Nick's site--Do NOT use
OneMadChick 30th Jun 2006
You have listed in your blog Nick's site, and I do not recommend that anyone uses it since the site has adware in it.
