Spyfalcon...a New Version Perhaps

OK I'm no pro, but I ain't (too) dumb neither. The reason I say no too dumb is that I got a spyfalcon yesterday morning while looking for a free game code. it acted quite a lot like spyquake, with the annoying little popup and redirecting my homepage.

Anyway I tried all the good scanners and such listed on the 'preparation guide' page.

first thing is man, I thought I kept my PC fairly clean but there was some major crap on my PC.

Anyway the real nasty one was the SpyFalcon...I tried many methods including the one involving the SmitRem file but no luck.



Finally BitDefender caught the files and was able to delete some of them, all were contained in the system32 folder (winXP), here's the part of the log:
:\WINDOWS\system32\dcomcfg.exe


Infected with: Trojan.Downloader.Zlob.MJ

C:\WINDOWS\system32\dcomcfg.exe


Disinfection failed

C:\WINDOWS\system32\dcomcfg.exe


Delete failed

C:\WINDOWS\system32\hp5A74.tmp


Infected with: Trojan.Downloader.Zlob.MJ

C:\WINDOWS\system32\hp5A74.tmp


Deleted

C:\WINDOWS\system32\hp6D40.tmp


Infected with: Trojan.Downloader.Zlob.MJ

C:\WINDOWS\system32\hp6D40.tmp


Disinfection failed

C:\WINDOWS\system32\hp6D40.tmp


Delete failed

C:\WINDOWS\system32\regperf.exe


Infected with: BehavesLike:Win32.ExplorerHijack

C:\WINDOWS\system32\regperf.exe


Disinfection failed

C:\WINDOWS\system32\regperf.exe


Deleted

C:\WINDOWS\system32\simpole.tlb


Infected with: Trojan.Downloader.Zlob.MJ

C:\WINDOWS\system32\simpole.tlb


Deleted

C:\WINDOWS\system32\twain32.dll


Infected with: Trojan.Renos.E

C:\WINDOWS\system32\twain32.dll


Disinfection failed

C:\WINDOWS\system32\twain32.dll


Delete failed






Anywho's this may or may not be useful, thought I would share

..boy that was a sucky infection

If the self-help guide did not work and you still have malware on your system, I suggest you read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, not here, for assistance by the HJT Team Experts.

It may take a while to get a response because the HJT Team members are very busy. Please be patient as they are volunteers who will help you out as soon as possible. Once you have made your post, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have not been replied as this makes it easier for them to identify those who have not been helped. If you post another response, a team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

All the rest of the explanations don't work. This will blast SpyFalcon (and it deserves it too).

http://www.martijnc.be/tools/roguescanfix.exe

No safe mode, no nothing...it just nukes this devil...goodby wheelchair.

Hey all... long time utilizer of these forums support information and finally have something to contribute...

Have formulated a fix for what does appears to be this variant for SpyFalcon and SpyQuake.

NEW symptom changes: systray icon flashes between accessibility options wheelchair icon and a red slash, message presented in systray is identical to original SpywareQuake and homepage is redirected to safetydefender.com

Successful steps taken to remove said infection below:

Download the following registry alteration files http://www.f-secure.com/tools/f-spyaxe.reg, and http://www.bleepingcomputer.com/files/reg/FixSF.reg and http://www.bleepingcomputer.com/files/reg/FixSQ.reg.

Download Smitrem tool from http://www.bleepingcomputer.com/files/smitRem.php and extract file onto desktop.
reboot system into safemode WITHOUT networking support (new variant I've seen pops up in safemode w/ Networking now)
run/merge 3 .reg files listed above
run smitrem tool and allow it to run course and automated launch of disk cleanup
open command prompt and run the following commands ignoring any 'file not found' messages (forced and quiet delete are the flags that I've added to del command):
del /F /Q C:\Windows\System32\stickrep.dll
del /F /Q C:\Windows\System32\suprox.dll
del /F /Q C:\windows\System32\xenadot.dll
del /F /Q C:\windows\System32\sivudro.dll
del /F /Q C:\WINDOWS\System32\nvctrl.exe
del /F /Q C:\WINDOWS\System32\dfrgsrv.exe
del /F /Q C:\WINDOWS\System32\mssearchnet.exe
del /F /Q C:\windows\System32\dcomcfge.exe
del /F /Q C:\windows\system32\hp*.tmp
del /F /Q C:\windows\system32\twain32.dll
del /F /Q C:\windows\system32\regperf*.*
del /F /Q C:\windows\system32\simpole*.*
del /F /Q C:\WINDOWS\system32\dcomcfg.exe
del /F /Q C :\Windows\System32\dxmpp.dll
del /F /Q C:\Windows\System32\ginuerep.dll
del /F /Q /S C:\windows\temp\*.*
Reset Homepage in Internet Options from Control Panel
Empty recycling bin and run disk cleanup wizard
Restart computer normally

I've had success w/ this method when the standard SF/SQ fixes are not removing the infection after rebooting.

(99% of this is from posts by Grinler and his guide: http://www.bleepingcomputer.com/forums/t/47826/how-to-remove-spywarequaked-and-spywarequake-removal-instructions/ I just added a bunch more deletes to check for most known variants of the SF/SQ family for redundancy)

Cheers!