How To Remove SpywareQuake!

Trogan London, UK
edited March 2006 in Spyware & Virus Removal
This guide will show you how to identify and remove SpywareQuake! Please note that this guide will be updated as more information becomes available.


SpywareQuake is an anti-spyware program that is known to issue fake warning messages on your computer in order to manipulate you into buying the full program. SpywareQuake is installed by a trojan that downloads and installs the program onto your computer automatically. An image of SpywareQuake is below:

spywarequake.jpg


You will receive a warning message in your task bar if you are infected by this program. The warnings are an attempt to get you to purchase the program. The alerts for SpywareQuake are slightly different from those of previous variants (SpyAxe, SpywareStrike and SpyFalcon) in that they do not look like Windows Security alerts but are rather a square that appears from your taskbar. The alert looks like this:

sq-alert.jpg


The following entry in HijackThis will show that SpywareQuake is on your computer:

O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h

There are two removal methods (Automatic and Manual) that can be used to remove SpywareQuake. The automatic removal method is a bit easier. If those instructions do not work, try the manual method.


Automatic Removal Method


1. Please read these instructions carefully and print them out! Be sure to follow ALL instructions!


2. Download the right Roguescanfix.exe file depending on your language and save the file to your desktop.

Roguescanfix.exe (English version)
Roguescanfix.exe (Dutch version)



3. Double-click on the roguescanfix.exe file found on your desktop and then press the Install button. The file will create a folder on your desktop called roguescanfix.


4. Double-click on the roguescanfix folder and then double-click on Run.bat. Please note that when the Run.bat starts it will download a program from the Internet that it needs to use during the cleanup. If your firewall gives an alert about this, please allow the download.exe or run.bat program to access the Internet.

When you start the Run.bat program your desktop will disappear. This is normal, so you do not need to be concerned. It will then start the SpywareQuake uninstallation program. When that program starts, click on the Uninstall button. When it has finished uninstalling, you can then press the OK button to finish the uninstalling of SpywareQuake.

When this program is finished, and it was able to delete all the files, you will see a small prompt that says Completed script execution. Simply press the OK button. It will then open the Brute Force Uninstaller program. You can simply press the Exit button and continue below.

If there were more files that needed to be deleted, the program will prompt you to reboot your computer. Press the Yes button and allow the computer to reboot. When you are back at the desktop, proceed below.


5. Next, download smitRem.exe and save the file to your desktop.
Right-click on the file and extract it to its own folder on the desktop.


6. Please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
  5. Log in as Administrator


7. Once in Safe Mode, make sure that you close ALL programs and windows. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
Looking at the log should show that the infection has gone.


8. Reboot back into Normal Mode


9. Run an online scan with Panda ActiveScan

- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes save the report to a convenient location.


You should now be free of SpywareQuake. If you require help with the removal of SpywareQuake or to check your HJT log, then please start your own thread in the Spyware/Virus/Trojan Forum and post the logs from SmitRem.exe, Panda and a new HijackThis log.



Manual Removal Method


1. Please read these instructions carefully and print them out! Be sure to follow ALL instructions!


2. Download FixSQ.reg by right clicking here and selecting "Save Target As..." for Internet Explorer or "Save Link As..." for Firefox. Save the file to your desktop!


3. Download smitRem.exe and save the file to your desktop.
Right-click on the file and extract it to its own folder on the desktop.


4. Go to the FixSF.reg file that you downloaded just now. Double-click the file and when it asks if you would like to merge the information, press the Yes button and then the OK button.


5. Click on the Start button and then select the Run option.


6. In the Open: field type c:\windows\system32 and then press the OK button.


7. When the folder appears, if it says These files are hidden, click on the Show the contents of this folder option.


8. Scroll through the list of files and find stickrep.dll. If you can't see stickrep.dll, do the following:
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Under the "Hidden files and folders", select "Show hidden files and folders."
  • Clear "Hide protected operating system files."
  • Click Apply, and then click OK.

9. Right-click on stickrep.dll and select rename. Rename the file to stickrep.dll.bad.

If the file stickrep.dll does not exist, look for the file suprox.dll and rename the file to suprox.dll.bad.

If the file suprox.dll does not exist, look for the file xenadot.dll and rename the file to xenadot.dll.bad.

If the file xenadot.dll does not exist, look for the file sivudro.dll and rename the file to sivudro.dll.bad.


10. After you rename the file, you can close the System32 folder window.


11. Please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
  5. Log in as Administrator

12. Once in Safe Mode, go into Add/Remove Programs in Control Panel and look for SpywareQuake. If you find it, select the uninstall option and follow the prompts to uninstall it. Do not restart the computer if you are told to.


13. Find and Delete the following Files and Folders. (Do not worry if the SpywareQuake Folder is not found)

C:\Windows\System32\stickrep.dll.bad << this file
C:\Windows\System32\suprox.dll.bad << this file
C:\Windows\System32\xenadot.dll.bad << this file
C:\WINDOWS\system32\sivudro.dll.bad << this file
C:\WINDOWS\System32\nvctrl.exe << this file
C:\WINDOWS\System32\dfrgsrv.exe << this file
C:\WINDOWS\System32\mssearchnet.exe << this file
C:\Program Files\SpywareQuake << this folder



14. Close ALL programs and windows. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Looking at the log should show that the infection has gone.


15. Reboot back into Normal Mode


16. Run an online scan with Panda ActiveScan

- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes save the report to a convenient location.


You should now be free of SpywareQuake. If you require help with the removal of SpywareQuake or to check your HJT log, then please start your own thread in the Spyware/Virus/Trojan Forum and post the logs from SmitRem.exe, Panda and a new HijackThis log.
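
As an added example (not part of the original guide or of any tool it mentions), the script below checks a saved HijackThis log for the indicators this guide lists: the O4 Run entry shown near the top and the file names from step 13 of the manual method. The function name, the sample log and the "ExampleUpdater" entry are constructed for illustration.

```python
import re

# Indicators copied from the guide: the Run value name from the O4 entry and
# the file names from step 13 of the manual method (before the ".bad" rename).
RUN_VALUE = "spywarequake"
FILE_NAMES = {"stickrep.dll", "suprox.dll", "xenadot.dll", "sivudro.dll",
              "nvctrl.exe", "dfrgsrv.exe", "mssearchnet.exe", "spywarequake.exe"}

# HijackThis autorun line: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Base name of any .exe/.dll mentioned on a line, whatever section it is in.
FILE_RE = re.compile(r"([^\\\s\[\]]+\.(?:exe|dll))\b", re.I)


def scan_hijackthis_log(text):
    """Return (line_number, reason, line) for each line matching an indicator."""
    hits = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = O4_RE.match(line)
        if m and m.group("name").lower() == RUN_VALUE:
            reason = "autorun value [%s] under %s" % (m.group("name"), m.group("key"))
            hits.append((num, reason, line))
            continue
        for name in FILE_RE.findall(line):
            if name.lower() in FILE_NAMES:
                hits.append((num, "listed file " + name.lower(), line))
                break
    return hits


# Constructed sample log (not from a real machine). Raw string so that
# sequences such as "\n" in "\nvctrl.exe" stay literal backslashes.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvctrl.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

if __name__ == "__main__":
    for num, reason, line in scan_hijackthis_log(SAMPLE_LOG):
        print("line %d: %s\n    %s" % (num, reason, line))
```

An empty result after cleanup only means none of these particular names appear in the log; the smitfiles.txt and Panda reports remain the confirmation the guide asks for.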
