*Improved* SpywareQuake removal procedure

Discussion in 'Malware Help (A Specialist Will Reply)' started by JonF, Dec 1, 2006.

  1. JonF

    JonF Private E-2

    I ran across SpywareQuake for the first time the other day, and succeeded in killing it using an amalgam of the instructions found here (SpywareQuake & SpyFalcon Removal Procedure) and elsewhere (SpywareQuake Removal Instructions and How to remove SpywareQuake and SpyQuake2.com). Many thanks to all. All the sites gave basically the same procedure, but the lists of files to look for differed slightly; and they were not alphabetical; and, even if they were alphabetical, it's a major PITA to look for them individually.

    So I condensed the file name lists from the three sites, ordered them alphabetically, and wrote a pair of command files to process them. (The command files require Windows 2000 or XP, and the renamer adds ".badboy" to the end of the extension). I'll insert them below.

    My file lists and batch files do not delete:

    • C:\Windows\gxxxxxxx.dll (where xxxxxxx is any number of random numbers. There could be many of these files)
    • C:\Documents and Settings\[Current User Account]\Start Menu\Programs\SpywareQuake
    • C:\Documents and Settings\[Current User Account]\Start Menu\Programs\Trust Cleaner
    • C:\Documents and Settings\[Current User Account]\Desktop\Cleaner.lnk Trust
    • C:\Documents and Settings\[Current User Account]\Local Settings\Application Data\TitanShield
    • C:\Documents and Settings\[Current User Account]\Local Settings\Temp\wschtm35.dll
    • C:\Documents and Settings\[Current User Account]\Application Data\Microsoft\Internet Explorer\Quick Launch\TitanShield Antispyware.lnk
    • C:\Documents and Settings\[Current User Account]\Start Menu\Programs\TitanShield Antispyware
    • C:\Documents and Settings\[Current User Account]\Start Menu\Programs\titanshield.lnk
    • C:\Documents and Settings\[Current User Account]\Desktop\TitanShield Antispyware.lnk
    • C:\Documents and Settings\[Current User Account]\Local Settings\Temp <--- delete all files in this folder. Windows will block deletion of a few. This is normal.
    In each of the above lines replace the [Current User Account] text with the actual user account name you are logged into.

    OK. Delete.txt, the list of files to delete:
    Code:
    %WINDIR%\System32\0mcamcap.exe
    %WINDIR%\System32\1024
    %WINDIR%\System32\a.exe
    %WINDIR%\System32\acvgxw.dll
    %WINDIR%\System32\appmagr.dll
    %WINDIR%\System32\asxbbx.dll
    %WINDIR%\System32\atmclk.exe
    %WINDIR%\System32\autodisc32.dll
    %WINDIR%\System32\barseek.dll
    %WINDIR%\System32\biasfardihuy.dll
    %WINDIR%\System32\birdasfihuy32.dll
    %WINDIR%\System32\bpvcou.dll
    %WINDIR%\System32\dcom_14.dll
    %WINDIR%\System32\dcom_15.dll
    %WINDIR%\System32\dcom_20.dll
    %WINDIR%\System32\dcom_21.dll
    %WINDIR%\System32\dcomcfg.exe
    %WINDIR%\System32\dfrgsrv.exe
    %WINDIR%\System32\dnefhw.dll
    %WINDIR%\System32\dxole32.exe
    %WINDIR%\System32\dxvwbdds.exe
    %WINDIR%\System32\dxvwpwks.exe
    %WINDIR%\System32\ekvrlfzz.exe
    %WINDIR%\System32\erxbx.dll
    %WINDIR%\System32\fhmfes.dll
    %WINDIR%\System32\fjdcy.dll
    %WINDIR%\System32\guxxa.dll
    %WINDIR%\System32\gvfsc.dll
    %WINDIR%\System32\hp???.tmp
    %WINDIR%\System32\hp????.tmp
    %WINDIR%\System32\hvcycg.dll
    %WINDIR%\System32\hvnwm.dll
    %WINDIR%\System32\hzclqhc.dll
    %WINDIR%\System32\icima.dll
    %WINDIR%\System32\imfdfcj.dll
    %WINDIR%\System32\ipztub.dll
    %WINDIR%\System32\ishost.exe
    %WINDIR%\System32\ismini.exe
    %WINDIR%\System32\ismon.exe
    %WINDIR%\System32\isnotify.exe
    %WINDIR%\System32\issearch.exe
    %WINDIR%\System32\ixt0.dll
    %WINDIR%\System32\ixt1.dll
    %WINDIR%\System32\jevtxpg.dll
    %WINDIR%\System32\jpqet.dll
    %WINDIR%\system32\kfhrvq.dll
    %WINDIR%\System32\kkqfb.dll
    %WINDIR%\System32\ld???.tmp
    %WINDIR%\System32\ld????.tmp
    %WINDIR%\System32\lwpfwjb.dll
    %WINDIR%\System32\main.exe
    %WINDIR%\System32\mssearchnet.exe
    %WINDIR%\System32\msvol.tlb
    %WINDIR%\System32\mzoeut.dll
    %WINDIR%\System32\ncompat.tlb
    %WINDIR%\System32\nvctrl.exe
    %WINDIR%\System32\ofcukiz.dll
    %WINDIR%\System32\onofub.dll
    %WINDIR%\System32\ornzq.dll
    %WINDIR%\System32\ot.ico
    %WINDIR%\System32\oybgrql.dll
    %WINDIR%\System32\pmnqguh.dll
    %WINDIR%\System32\posem.dll
    %WINDIR%\System32\qrucmr.dll
    %WINDIR%\System32\regperf.exe
    %WINDIR%\System32\rmzdzx.dll
    %WINDIR%\System32\runsrv32.dll
    %WINDIR%\System32\runsrv32.exe
    %WINDIR%\System32\shdocvn.dll
    %WINDIR%\System32\simpole.tlb
    %WINDIR%\System32\stdole3.tlb
    %WINDIR%\System32\susp.exe
    %WINDIR%\System32\svcnt32.exe
    %WINDIR%\System32\TheMatrixHasYou.exe
    %WINDIR%\System32\tnvocyn.dll
    %WINDIR%\System32\ts.ico
    %WINDIR%\System32\ucbrrt.dll
    %WINDIR%\System32\urroxtl.dll
    %WINDIR%\System32\users32.exe
    %WINDIR%\System32\vhywj.dll
    %WINDIR%\System32\viruxz.dll
    %WINDIR%\system32\viwpzla.dll
    %WINDIR%\System32\vpxnk.dll
    %WINDIR%\System32\vwlummc.dll
    %WINDIR%\System32\wfkduei.dll
    %WINDIR%\System32\xuefh.dll
    %WINDIR%\System32\yephk.dll
    %WINDIR%\System32\yhbdupd.dll
    %WINDIR%\System32\yosdjh.dll
    %WINDIR%\System32\yvvdj.dll
    %WINDIR%\System32\ywbicim.dll
    %WINDIR%\System32\zlara.dll
    %WINDIR%\System32\yfysupa.dll
    c:\Program Files\IntCodec\iesplugin.dll
    c:\Program Files\IntCodec\iesuninst.exe
    c:\Program Files\IntCodec\isaddon.dll
    c:\Program Files\IntCodec\isamini.exe
    c:\Program Files\IntCodec\isamonitor.exe
    c:\Program Files\IntCodec\isauninst.exe
    c:\Program Files\IntCodec\pmmon.exe
    c:\Program Files\IntCodec\pmsngr.exe
    c:\Program Files\IntCodec\pmuninst.exe
    c:\Program Files\PCODEC\iesplugin.dll
    c:\Program Files\PCODEC\iesuninst.exe
    c:\Program Files\PCODEC\isaddon.dll
    c:\Program Files\PCODEC\isamini.exe
    c:\Program Files\PCODEC\isamonitor.exe
    c:\Program Files\PCODEC\isauninst.exe
    c:\Program Files\PCODEC\pmmon.exe
    c:\Program Files\PCODEC\pmsngr.exe
    c:\Program Files\PCODEC\pmuninst.exe
    Delete_files.cmd:
    Code:
    @echo off
    
    :: Windows 2000/XP CMD file to delete all the files listed, one
    :: per line, in the file Delete.txt in the same directory as this
    :: batch file.  Filenames in Delete.txt should be fully qualified
    :: pathnames WITHOUT any quotation marks around them.  They may contain
    :: wildcards.
    
    :: You may want to redirect the output to a log file.
    
    setlocal ENABLEEXTENSIONS
    
    FOR /F "usebackq delims=" %%F IN ("%~dp0Delete.txt") DO call :DO_DELETE "%%F"
    goto :EXIT
    
    :DO_DELETE
    if not exist %1 goto :EOF
    del %1
    echo Found and deleted %1 !!
    goto :EOF
    
    :EXIT
    endlocal
    
    :EOF
    Rename.txt, the list of files in the %WINDIR%\System32\ directory to rename :
    Code:
    __delete_on_reboot__stickrep.dll
    acvgxw.dll
    acvgxw.dll.dll
    adobepnl.dll
    appmagr.dll
    asxbbx.dll
    autodisc32.dll
    bolnyz.dll
    bpvcou.dll
    cfgmngr32.dll
    clsemixer.dll
    dnefhw.dll
    dvdcap.dll
    dxmpp.dll
    erxbx.dll
    fhmfes.dll
    fjdcy.dll
    fyhhxw.dll
    ginuerep.dll
    guxxa.dll
    gvfsc.dll
    higjxe.dll
    htey.dll
    hvcycg.dll
    hvnwm.dll
    hzclqhc.dll
    icima.dll
    imfdfcj.dll
    ipztub.dll
    iqzv.dll
    jevtxpg.dll
    jpqet.dll
    kfhrvq.dll
    kkqfb.dll
    lwpfwjb.dll
    mzoeut.dll
    oerucu.dll
    ofcukiz.dll
    onofub.dll
    oqipt.dll
    ornzq.dll
    oybgrql.dll
    pmnqguh.dll
    posem.dll
    qrucmr.dll
    reglogs.dll
    rmzdzx.dll
    sbnudh.dll
    sivudro.dll
    stickrep.dll
    suprox.dll
    sxbbx.dll
    sxbbx.dll.dll
    tnvocyn.dll
    twain32.dll
    ucbrrt.dll
    ulztc.dll
    urroxtl.dll
    vhywj.dll
    viruxz.dll
    viwpzla.dll
    vjeojhvro.dll
    vpxnk.dll
    vwlummc.dll
    wfkduei.dll
    wschtm35.dll
    xenadot.dll
    xuefh.dll
    yephk.dll
    yfysupa.dll
    yhbdupd.dll
    yosdjh.dll
    yvvdj.dll
    ywbicim.dll
    zlara.dll
    
    Rename_files.cmd (this one is set up to rename by default, but can also delete if you are booted from a CD or some such):
    Code:
    @echo off
    
    :: Windows 2000/XP CMD file to rename or delete all the files listed,
    :: one per line, in the file Rename.txt in the same directory as this
    :: batch file.  The files are deleted or renamed from a specified drive
    :: and directory, usually drive C and directory \Windows\System32
    :: respectively. Filenames in Rename.txt should be filenames alone,
    :: without path information, and WITHOUT any quotation marks around
    :: them.  They may contain wildcards.
    
    :: You may want to redirect the output to a log file.
    
    :: Usage:
    
    :: Rename_files Windows_Drive Windows_System32_Directory [delete]
    
    :: Windows_Drive = the drive letter, for example C
    
    :: Windows_System32_Directory = the directory, for example
    ::                              Windows\System32
    
    :: delete (optional): if this is present (case sensitive), the
    :: files are deleted instead of being renamed.  This is for use
    :: when booted from another drive, for example a BartPE CD.  In
    :: such a case it's not necessary to rename the files, they can
    :: just be deleted.
    
    setlocal ENABLEEXTENSIONS
    
    ::---------------------------------------------------------
    :: Check on our parameters
    
    if not "%1"=="" goto :GOT_DRIVE
    echo Usage:
    echo .
    echo Rename_files Windows_Drive Windows_System32_Directory [delete]
    echo For example:
    echo Rename_Files C Windows\System32
    pause
    goto :EXIT
    
    :GOT_DRIVE
    
    if not "%2"=="" goto :GOT_DIR
    echo Usage:
    echo .
    echo Rename_files Windows_Drive Windows_System32_Directory [delete]
    echo For example:
    echo Rename_Files C Windows\System32
    pause
    goto :EXIT
    
    :GOT_DIR
    
    %1:
    cd \
    cd %2
    
    ::--------------------------------------------------------------
    :: Check if we are going to delete the files
    
    if "%3"=="delete" goto DELETE_FILES
    
    ::--------------------------------------------------------------
    :: This section entered if we are going to rename the files
    
    FOR /F "usebackq delims=" %%F IN ("%~dp0Rename.txt") DO call :DO_RENAME "%%F"
    goto :EXIT
    
    :DO_RENAME
    if not exist %1 goto :EOF
    echo Found and renamed %1 !!
    :: %~1 strips the quotes so the new name is "file.dll.badboy"
    ren %1 "%~1.badboy"
    goto :EOF
    
    ::--------------------------------------------------------------
    :: This section entered if we are going to delete the files
    
    :DELETE_FILES
    FOR /F "usebackq delims=" %%F IN ("%~dp0Rename.txt") DO call :DO_DELETE "%%F"
    goto :EXIT
    
    :DO_DELETE
    if not exist %1 goto :EOF
    echo Found and deleted %1 !!
    :: %1 is already quoted by the caller; do not quote it again
    del %1
    goto :EOF
    
    ::--------------------------------------------------------------
    
    :EXIT
    endlocal
    
    :EOF
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks but I actually stopped updating the procedure because the new tools that are out take care of it. The below is the easiest fix right now. I have kept the original procedure around because many people recognize that name but do not recognize things like Zlob, SmitFraud or any of the other names these infections are commonly referred to or related to. And even running it like it is with the current version of SmitRem fixes most of them automatically since SmitRem constantly updates. There was a time when I was constantly updating the procedure 3 to 5 times a week that my additional steps were way ahead of where the tools like SmitRem and SmitFraudFix were out. But being so busy in the forums has kept me from staying current on those procedures. Note your rename procedure hard coded C Windows\System32 in some spots. You cannot assume drive C and you cannot assume \Windows. You should use %windir%\system32 and you don't need to ask for the drive or folder. The environment variables like %systemdrive% and %windir% can be used.


    Here is the current easiest fix which cleans almost everything and definitely makes any final manual cleanup a snap.


    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!!

     
    Last edited: Dec 1, 2006
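One way to apply the %WINDIR% suggestion above, as an added example that is neither JonF's nor chaslang's script: the rename loop rewritten so it needs no drive or directory argument, locates the files through %WINDIR%\System32, and writes what it did to a log file next to the script (the log file name is an assumption of this example).

```batch
@echo off
:: Added example (not from the original post): rename or delete the files
:: listed one per line in Rename.txt, looked up in %WINDIR%\System32, so the
:: drive and Windows folder never need to be typed in.  Pass "delete" as the
:: only argument to delete instead of renaming (e.g. when booted from a CD
:: the variables must then point at the infected installation).
setlocal ENABLEEXTENSIONS
set "TARGET=%WINDIR%\System32"
set "LIST=%~dp0Rename.txt"
set "LOG=%~dp0Rename_files.log"

if not exist "%LIST%" (
    echo Rename.txt not found next to this script.
    goto :EXIT
)

echo Processing %TARGET% on %DATE% %TIME% >> "%LOG%"
:: Each line of Rename.txt is joined to the System32 path; the mode
:: ("delete" or nothing) is passed along as the second argument.
FOR /F "usebackq delims=" %%F IN ("%LIST%") DO call :PROCESS "%TARGET%\%%F" "%1"
goto :EXIT

:PROCESS
:: %1 = quoted full path of the file, %2 = "delete" or ""
if not exist %1 goto :EOF
if "%~2"=="delete" (
    del /F %1
    echo Deleted %1 >> "%LOG%"
) else (
    :: ren wants a bare new name; %~nx1 is the file name plus extension
    ren %1 "%~nx1.badboy"
    echo Renamed %1 to %~nx1.badboy >> "%LOG%"
)
goto :EOF

:EXIT
endlocal
```

Run it from an administrator command prompt; because %WINDIR% is resolved on the running system, the "delete" mode from a rescue CD only works if %WINDIR% is first set to the infected installation's Windows folder.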
