SpywareQuake - newest rogue, replacing SpyFalcon and SpyAxe

Since I first heard about SpywareQuake, late yesterday afternoon, less than 24 hours ago, I've seen dozens of complaints about it already. SpywareQuake is being installed without notice or consent, hijacks the desktop and pops up a warning from the system tray that the machine is infected with spyware. It then runs a "scan", reports that it found spyware on the machine and demands payment to remove the so-called spyware. You can see a screenshot of SpywareQuake at SunbeltBLOG here.

If you find this blog post and are wondering about SpywareQuake, whether you should buy it, the answer is NO. It's a rogue and a rip-off! It is installed by and with spyware and contains malware to prevent you from removing it. It's another variant of the SmitFraud infection.

Right now none of the antivirus or anti-spyware programs that I'm aware of will detect and remove SpywareQuake. The offending file that resists removal and causes reinfection appears to be C:\Windows\System32\stickrep.dll.

Several people in the anti-spyware community have posted tutorials on removing SpywareQuake. BleepingComputer.com tutorial here. Nick's Computer Security blog's SpyFalcon removal instructions have been updated to include SpywareQuake. One user commented that after following the instructions and renaming the file stickrep.dll to something else, he was rid of SpywareQuake.
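The rename-then-delete trick above works because Windows will let you rename a DLL that is mapped into a running process but will not let you delete it; once the file has a different name, the autostart entry that loads it no longer points at anything, so the DLL is not loaded at the next boot and can then be removed. The following Python script is an added example written for this page, not code from the post or from any of the tutorials it links to. It hashes the file first (useful for submitting the sample to vendors that do not yet detect it), renames it with a quarantine suffix, and schedules the renamed file for deletion at reboot with the Win32 MoveFileEx API. The function names, the `.vir` suffix and the constructed fake DLL in `demo()` are this example's own choices, not anything the post specifies.

```python
"""Quarantine-rename a DLL that resists deletion, then remove it at reboot.

Added example, not part of the original post. The manual fix in the post is
to rename stickrep.dll, reboot, and delete it; this automates those steps.
"""
import ctypes
import hashlib
import os
import sys
import tempfile

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # kernel32 MoveFileEx flag


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_rename(path, suffix=".vir"):
    """Hash the file for the record, then rename it so it cannot be loaded.

    Returns (new_path, sha256). On Windows the rename succeeds even while the
    DLL is mapped into a process; only deletion is refused in that state.
    """
    digest = sha256_file(path)
    new_path = path + suffix
    os.rename(path, new_path)
    return new_path, digest


def schedule_delete_on_reboot(path):
    """Ask Windows to delete the file during the next boot.

    Windows only: MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) records
    the request under HKLM, so this needs an administrator token.
    """
    if sys.platform != "win32":
        raise OSError("delete-on-reboot is a Windows-only operation")
    k32 = ctypes.windll.kernel32
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()


def demo():
    """Constructed sample: a fake 'stickrep.dll' in a temp dir, not malware."""
    workdir = tempfile.mkdtemp()
    fake_dll = os.path.join(workdir, "stickrep.dll")
    payload = b"MZ" + b"\0" * 62  # placeholder bytes, constructed for the demo
    with open(fake_dll, "wb") as f:
        f.write(payload)
    new_path, digest = quarantine_rename(fake_dll)
    return {
        "old_exists": os.path.exists(fake_dll),
        "new_exists": os.path.exists(new_path),
        "new_path_suffix": new_path[-4:],
        "sha256": digest,
        "expected_sha256": hashlib.sha256(payload).hexdigest(),
    }


if __name__ == "__main__":
    # Real use on the infected machine (run as administrator, then reboot):
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\stickrep.dll"
    renamed, digest = quarantine_rename(target)
    print("renamed to %s (sha256 %s)" % (renamed, digest))
    schedule_delete_on_reboot(renamed)
    print("scheduled for deletion at next reboot")
```

Keep the hash and the renamed copy until you are sure the machine is clean: if the rogue's other components reinstall the DLL under the same name, a matching hash tells you it is the same file and not a new variant, and the quarantined copy is what a vendor needs to add a detection.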

Who is behind this rogue application? The domain whois information shows this:

Domain Name: SPYWAREQUAKE.COM

Registrant:
SafeSurf LLC
Kevin Gerad kevin.gerad (at) gmail.com
U-12 Gamma Commercial Complex # 47 Rizal Highway cor. Manila
Olongapo City
null,98101
PH
Tel. +201.6753332

Creation Date: 27-Nov-2005
Expiration Date: 27-Nov-2006

Domain servers in listed order:
dns2.spywarequake.info
dns1.spywarequake.info

Whois.sc is showing spywarequake.com as not active, but dnsstuff.com is able to ping the domain. The IP address is 216.255.188.98, which belongs to InterCage (formerly known as Atrivo). More information about InterCage/Atrivo is in my post about ISPs hosting spyware. Tracert to spywarequake.com and to spywarequake.info shows the upstream provider as nLayer:

69.22.143.6 AS4436 AS-NLAYER  ge1-2.hr1.sfo1.us.nlayer.net.

On a side note, I recently sent an email to InterCage's abuse reporting address, and to the owner, Emil Kacpersky, regarding blog comment spam to this blog and have not received any reply.

I'd recommend putting the domains spywarequake.com and spywarequake.info in the Internet Explorer Restricted sites zone, or blocking them in the hosts file or firewall, along with the IP address 216.255.188.98. Note that the hosts file only affects name lookups, so the raw IP address has to be blocked at a firewall or router; the built-in Windows XP firewall filters inbound connections only, so it will not stop the machine from reaching that address.
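As an added example (written for this page, not code from the post), the following Python script turns the two indicators above into the two blocks the post recommends: an idempotent hosts-file block that sinkholes both domains and their www. variants, and a .reg file that places the domains in Internet Explorer's Restricted sites zone via the ZoneMap\Domains key (value "*" = 4, which covers every scheme). The marker comments, the function names and the sample hosts content are this example's own choices. The IP address is listed but deliberately not written to the hosts file, since a hosts entry cannot block an address.

```python
"""Generate hosts-file and IE Restricted-sites blocks for the rogue's domains.

Added example, not part of the original post. Indicators are the ones the
post names; markers, names and sample data are this example's own.
"""

# Indicators from the post: the two domains and the InterCage-hosted IP.
ROGUE_DOMAINS = ["spywarequake.com", "spywarequake.info"]
ROGUE_IP = "216.255.188.98"  # block at a firewall/router, not in hosts

BEGIN_MARK = "# BEGIN spywarequake block"
END_MARK = "# END spywarequake block"
RESTRICTED_ZONE = 4  # IE ZoneMap zone ids: 1 intranet, 2 trusted, 3 internet, 4 restricted
ZONEMAP_BASE = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                r"\Internet Settings\ZoneMap\Domains")


def expand_domains(domains):
    """Bare domain plus its www. variant. Other subdomains (for example the
    dns1/dns2 nameservers) are not matched by a hosts entry for the parent."""
    out = []
    for d in domains:
        d = d.lower().strip(".")
        out.append(d)
        if not d.startswith("www."):
            out.append("www." + d)
    return out


def hosts_block(domains, sink="0.0.0.0"):
    """Hosts lines resolving each name to a non-routable sink, wrapped in markers."""
    body = ["%s %s" % (sink, d) for d in expand_domains(domains)]
    return [BEGIN_MARK] + body + [END_MARK]


def merge_hosts(existing, domains):
    """Return the hosts text with our block present exactly once (re-runnable)."""
    lines = existing.splitlines()
    if BEGIN_MARK in lines and END_MARK in lines:
        start, end = lines.index(BEGIN_MARK), lines.index(END_MARK)
        lines = lines[:start] + lines[end + 1:]
    while lines and lines[-1].strip() == "":
        lines.pop()
    return "\n".join(lines + [""] + hosts_block(domains)) + "\n"


def is_sinkholed(hosts_text, domain):
    """True if hosts_text maps domain to 0.0.0.0 or 127.0.0.1.

    Handles comments and lines that list several names after one address.
    """
    domain = domain.lower()
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            if domain in (p.lower() for p in parts[1:]):
                return True
    return False


def restricted_zone_reg(domains):
    """A .reg file adding each domain to IE's Restricted sites zone."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for d in domains:
        out.append("[%s\\%s]" % (ZONEMAP_BASE, d))
        out.append('"*"=dword:%08x' % RESTRICTED_ZONE)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample hosts content; on XP the real file is
    # C:\Windows\System32\drivers\etc\hosts and needs an administrator to edit.
    sample_hosts = "127.0.0.1 localhost\n"
    print(merge_hosts(sample_hosts, ROGUE_DOMAINS))
    print(restricted_zone_reg(ROGUE_DOMAINS))
    print("block %s at the firewall/router; hosts cannot block an IP" % ROGUE_IP)
```

The markers make the block safe to re-apply when the indicator list grows (new variants have appeared within days, as the comments below show), and `is_sinkholed` gives you a quick check that an entry actually took effect, rather than trusting that the file was written. Some rogue installers also rewrite the hosts file themselves, so verify the entries are still present after cleaning.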

Talkback

9 comments
  • manual removal instructions

    Here are the latest manual removal instructions collected from HJT logs:
    http://www.2-spyware.com/remove-spywarequake.html
    ugnius
  • Familiar Source

    The quoted source for SpywareQuake seems to be the SAME source for SpyAxe.
    Arnie Vios
  • New Ad-Aware Definition includes SpywareQuake

    Lavasoft just released an update to Ad-Aware:

    Ad-Aware SE1R102 03.04.2006

    which includes SpywareQuake as a new definition.
    Arnie Vios
  • I was infected with this malicious program

    After having SpywareQuake on my computer I downloaded as many as fifteen programs to finally find one that would remove the wee beasty. SpyCatcher found the problems and did in fact remove them from the computer.
    micro0gr3
  • SpywareQuake removal procedures

    I had been infected with this adware for quite some time until I searched and found a simple removal procedure. This might help you remove SpywareQuake from your computer:

    http://www.precisesecurity.com/adware-spy/aws-spywarequake.htm
    gabesa
  • New SpywareQuake Variant?

    We have seen this piece of cr*ap more than a dozen times in the past week in our service center. SpywareQuake is a new variant of the SpyFalcon and SpySheriff infections. I think a new variant has been released because all of a sudden customers started reporting that our free online removal tutorial stopped working. It seems that three new files have been appearing on the hard drives we have looked at. The files are all located in the System32 folder and they are msvcp71.dll, msvcr71.dll, and stdole3.tlb.

    We have updated our tutorial at http://www.schrockinnovations.com/removespywarequake.php to include these files, and now it seems to be working again. If anyone knows about a completely automated (and free) tool to remove this, post about it because it would save me a boatload of time.

    Sincerely,

    Thor Schrock
    Schrock Innovations, Inc.
    http://www.schrockinnovations.com
    866-496-8772
    FordJenn2
  • SpywareQuake

    I had spywarequake on my computer. It installed a total of 3 viruses.

    I discovered a non removable virus in a file called xuefh.dll (Which I was unable to delete) in my C:\windows\system32 directory.

    Then I renamed the file to xuefh.dll.vir. I rebooted my computer went into command prompt and deleted the virus infected file.

    The icon in the system tray went away, and the system message with it.

    Thanks,

    Bo Davis
    bodavis6
  • Nick's site--Do NOT use

    You have listed in your blog Nick's site, and I do not recommend that anyone uses it since the site has adware in it.
    OneMadChick
  • RE: SpywareQuake - newest rogue, replacing SpyFalcon and SpyAxe

    Great advice, guys! SpywareQuake has been a total disaster for my laptop. I found a site called Spyware Help Center and spoke to them; they have a toll-free number and they walked me through getting it off my computer. In case someone else needs their help, here is the site address: http://www.spywarehelpcenter.com
    mrgoldstien