Manual Removal Guide for SpywareQuake



Friday
2008-12-01, 10:26
The following instructions have been created to help you to get rid of "SpywareQuake" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
trojan

Description:
The official demo version appears to install normally but reports a large number of false positives, most likely intentionally, to pressure the user into buying the full product.

The stealth-install version is installed together with Vcodec/Zlob and is also capable of reinstalling itself via a Winlogon hijack and a virus-warning popup.


Supposed Functionality:
Supposed to be anti-spyware software.
Privacy Statement:
irrelevant
Removal Instructions:

Desktop:

Important: There are more desktop links that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Start Menu:

Important: There are more start menu items that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Quicklaunch area:

Important: There are more quicklaunch items that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "SpyQuake2.com".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties, or to avoid the malware becoming active again during uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "SpywareQuake".
Products that have a key or property named "SpyQuake2.com".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$PROGRAMFILES>\<$REGMATCH0>\uninst.exe".
The file at "<$PROGRAMFILES>\<$REGMATCH0>\blacklist.txt".
The file at "<$PROGRAMFILES>\<$REGMATCH0>\ref.dat".
The file at "<$SYSDIR>\stickrep.dll".
The file at "<$SYSDIR>\dfrgsrv.exe".
The file at "<$WINDIR>\dfrgsrv.exe".
The file at "<$SYSDIR>\1024\ld14F2.tmp".
A file with an unknown location named "dfrgsrv.exe".
A file with an unknown location named "SpywareQuakeInstaller.exe".
The file at "<$SYSDIR>\vwlummc.dll".
The file at "<$SYSDIR>\mzoeut.dll".
The file at "<$SYSDIR>\ismon.exe".
A file with an unknown location named "ishost.exe".
A file with an unknown location named "ismon.exe".
Make sure you set your file manager to display hidden and system files. If SpywareQuake uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
For files listed without a location, you will have to search the whole system. Be extra careful, because the name alone might not be enough to identify a file!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMS>\<$REGMATCH0>".
The directory at "<$PROGRAMFILES>\<$REGMATCH0>".
Make sure you set your file manager to display hidden and system files. If SpywareQuake uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
For folders listed without a location, you will have to search the whole system. Be extra careful, because the name alone might not be enough to identify a folder!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}" at "HKEY_CURRENT_USER\Software\Classes\CLSID\".
Delete the registry key "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{5B55C4E3-C179-BA0B-B4FD-F2DB862D6202}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{189518DF-7EBA-4D31-A7E1-73B5BB60E8D5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{23D627FE-3F02-44CF-9EE1-7B9E44BD9E13}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{43CFEFBE-8AE4-400E-BBE4-A2B61BB140FB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5790B963-23C5-43C1-BCF5-01C9B5A3E44E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5D42DDF4-81EB-4668-9951-819A1D5BEFC8}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{76D06077-D5D3-40CA-B32D-6A67A7FF3F06}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{86C7E6C3-EC47-44E5-AA08-EE0D0A25895F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9283DAC1-43F5-4580-BF86-841F22AF2335}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{AE90CAFC-09D4-47F0-9E11-CE621C424F08}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{BA397E39-F67F-423F-BC6E-65939450093A}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{BEC8A83D-01D4-4F15-B8A9-4B4AB24253A7}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C4EEDC19-992D-409A-B323-ED57D511AFA5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{DD90F677-D205-4F70-9014-659614AABCB2}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E3DF91F3-F24F-441E-9001-D61F36024322}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{F459EADB-5903-48D5-864C-2B7B46AB1424}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FC4EDF66-0547-4F1A-AE96-7CFCAD711C90}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{661173EE-FA31-4769-97D4-B556B5D09BDA}" at "HKEY_CLASSES_ROOT\TypeLib\".
Remove "dfrgsrv.exe" from registry value "wininet.dll" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\".
Delete the registry key "{7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry value "hubbsi" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\".
Delete the registry value "hubbsi" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry key "{2DD8D482-8F1C-4180-AA8E-9D5819E5F2EA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{411F83B1-A0EC-4155-AF99-0137F5EFB270}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{4E3645AF-7A81-4F83-9B8C-1E4F930D873F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{61032A65-2371-4C89-B5BB-DF73090FB5EA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{66189AF2-7726-46E8-8628-0F95AB854792}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{7A2F6251-6C99-4DA5-9827-954EB45DCB82}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{82C6C396-DD7B-4CE5-B668-C0087D1F3A1F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{853E0D78-F4C2-47CB-A3F5-A774DA60DFCD}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{94786C47-EB3F-4BD5-A66B-0D49E2C90541}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9989A9BC-9828-467E-AF06-E3B279E6E97B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B2B3702A-5425-489E-A3AF-EDCCAFEBA019}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C1C56112-2B2E-4D3C-8CFC-7E10C77FACEF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D01D4AAB-22C5-427F-A941-C4B65A3D8A23}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{DDB0D689-FAE0-4165-9F7C-877602F9DD66}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E5AD5BD5-C710-45E0-ABD3-E770FE85DAE8}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EB5CA3AF-26C1-467B-9A55-2820E0451AAB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5E05EA9F-1EA7-4D0B-A09B-D5E29EC758B9}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry value "cholecyst" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\".
Delete the registry value "cholecyst" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
If SpywareQuake uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
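The following read-only audit script is an added example and is not part of the original guide or of Spybot-S&D. It checks for the file, registry and autorun artifacts the guide lists and reports what it finds without deleting anything; the 32 "Interface" keys are left out for brevity and can be added from the lists above, and the assumption that the "SpyQuake2.com" autorun entries live in the standard Run keys is mine, as is skipping the paths that depend on the unresolved "<$REGMATCH0>" placeholder.

```powershell
# Added example: audit-only check for SpywareQuake artifacts named in the guide.
# Run from an elevated PowerShell prompt; nothing is modified or deleted.
$sysDir = [Environment]::SystemDirectory
$winDir = $env:WINDIR
$files = @("$sysDir\stickrep.dll", "$sysDir\dfrgsrv.exe", "$winDir\dfrgsrv.exe",
           "$sysDir\1024\ld14F2.tmp", "$sysDir\vwlummc.dll", "$sysDir\mzoeut.dll",
           "$sysDir\ismon.exe")
# Files the guide lists with an unknown location: searched by name on the system drive.
$looseNames = @('dfrgsrv.exe', 'SpywareQuakeInstaller.exe', 'ishost.exe', 'ismon.exe')
$clsids = @('{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}', '{5B55C4E3-C179-BA0B-B4FD-F2DB862D6202}',
            '{7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885}', '{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}')
$typeLibs = @('{661173EE-FA31-4769-97D4-B556B5D09BDA}', '{5E05EA9F-1EA7-4D0B-A09B-D5E29EC758B9}')
$valueNames = @('hubbsi', 'cholecyst')
$valueKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad')
# Assumption: "SpyQuake2.com" autorun entries are looked for in the usual Run keys.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
$hits = New-Object System.Collections.Generic.List[string]

foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $hits.Add("file: $f") } }
foreach ($n in $looseNames) {
    Get-ChildItem -Path "$env:SystemDrive\" -Filter $n -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $hits.Add("file (by name): $($_.FullName)") }
}
foreach ($c in $clsids) {
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'Registry::HKEY_CLASSES_ROOT\CLSID') {
        if (Test-Path "$root\$c") { $hits.Add("registry key: $root\$c") }
    }
}
foreach ($t in $typeLibs) {
    if (Test-Path "Registry::HKEY_CLASSES_ROOT\TypeLib\$t") { $hits.Add("TypeLib key: $t") }
}
foreach ($k in $valueKeys) {
    foreach ($v in $valueNames) {
        # Get-ItemProperty -Name returns $null when the value does not exist.
        if (Get-ItemProperty -Path $k -Name $v -ErrorAction SilentlyContinue) { $hits.Add("registry value: $k\$v") }
    }
}
foreach ($k in $runKeys) {
    if (Get-ItemProperty -Path $k -Name 'SpyQuake2.com' -ErrorAction SilentlyContinue) { $hits.Add("autorun: $k\SpyQuake2.com") }
}
# The policies\explorer\run value the guide says carries dfrgsrv.exe.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run'
$polVal = (Get-ItemProperty -Path $polKey -Name 'wininet.dll' -ErrorAction SilentlyContinue).'wininet.dll'
if ($polVal -and $polVal -match 'dfrgsrv\.exe') { $hits.Add("policy run value wininet.dll = $polVal") }

if ($hits.Count -eq 0) { 'No listed SpywareQuake artifacts found.' } else { $hits }
```

A hit on any of these locations is only a lead; confirm with Spybot-S&D before removing anything, since the same value names can be reused by unrelated software.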

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure SpywareQuake gets completely removed.