The creators of SpyAxe and SpywareStrike have struck again, this time with a clone called SpyFalcon. This rogue antispyware product uses exploits to infect you with their program and a DLL that issues fake security alerts. This is all to trick you into purchasing the full retail version of their product for the bargain price of $49.50 (reduced from 79.95... aren't they generous?)
Do not be tricked or fooled into purchasing this software. These products use scare tactics to push you into buying it. Anything they report to you is an outright lie.
For this particular infection, the file that is being used to issue the fake security alerts is %System%\dxmpp.dll.
I have put together a guide for removing this infection here:
How To Remove Spyfalcon And Dxmpp.dll
Sites that are known to push this software are:
spyfalcon.com
spyfalconupdate.com
updateyourwindows.com
It is advised that you immediately add these domains to both your IE Restricted Sites and your HOSTS file so that you cannot inadvertently go to them.
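One way to apply the HOSTS and Restricted Sites advice above from an elevated PowerShell prompt (an added example, not part of the original post). The www. host names and the 127.0.0.1 sink address are assumptions; the dl* names are the download hosts listed further down in this post.

```powershell
# Added example: block the SpyFalcon domains via HOSTS and the IE Restricted Sites zone.
# Run elevated; the HOSTS file is writable only by administrators.

# Domains and download hosts taken from the lists in this post.
$domains   = 'spyfalcon.com', 'spyfalconupdate.com', 'updateyourwindows.com'
$downloads = 'dl2', 'dl3', 'dl4', 'dl5', 'dl9', 'dl10' |
    ForEach-Object { "$_.spyfalcon.com" }

# HOSTS has no wildcard support, so every host name needs its own line.
# The www. variants are an assumption; the post lists only the bare domains.
$hostNames = @($domains) + @($domains | ForEach-Object { "www.$_" }) + @($downloads)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Collect host names that already have an active (non-comment) entry,
# so running the script twice does not duplicate lines.
$existing = @{}
foreach ($line in Get-Content -Path $hostsPath) {
    $active = ($line -split '#', 2)[0].Trim()      # drop trailing comments
    if (-not $active) { continue }                 # blank or comment-only line
    $fields = $active -split '\s+'                 # address, then host names
    $fields | Select-Object -Skip 1 |
        ForEach-Object { $existing[$_.ToLower()] = $true }
}

$newLines = $hostNames |
    Where-Object { -not $existing.ContainsKey($_) } |
    ForEach-Object { "127.0.0.1`t$_" }             # sink address is an assumption

if ($newLines) {
    Copy-Item -Path $hostsPath -Destination "$hostsPath.bak" -Force
    # The leading empty string terminates a last line that lacks a newline.
    Add-Content -Path $hostsPath -Value (@('') + $newLines) -Encoding ASCII
}

# IE Restricted Sites for the current user: value name '*' covers every
# protocol, and DWORD 4 is the Restricted Sites zone. Registry.SetValue
# creates the per-domain key if it does not exist yet.
$zoneMap = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion' +
           '\Internet Settings\ZoneMap\Domains'
foreach ($d in $domains) {
    [Microsoft.Win32.Registry]::SetValue("$zoneMap\$d", '*', 4,
        [Microsoft.Win32.RegistryValueKind]::DWord)
}
```

A ZoneMap entry for a domain also covers its subdomains, which is why only the three bare domains are written to the registry while HOSTS gets every host name.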
The Spyaxe.com, SpyFalcon.com, Spyfalconupdate.com, and updateyourwindows.com domains are all registered to:
SunShine Ltd
David Taylor (david.alant@gmail.com)
U-12 Gamma Commercial Complex # 47
Rizal Highway cor. Manila Ave Subic Bay
Olongapo City
null,98101
PH
Tel. +206.9543154
Whether that information is real or not remains to be seen.
The sites' IP addresses are all registered with the following information:
inetnum: 195.225.176.0 - 195.225.179.255
netname: NETCATHOST
descr: NetcatHosting
country: UA
admin-c: VS1142-RIPE
tech-c: VS1142-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: NETCATHOST-MNT
mnt-routes: NETCATHOST-MNT
source: RIPE # Filtered
remarks: ****************************************
remarks: * Abuse contacts: abuse@netcathost.com *
remarks: ****************************************
person: Vsevolod Stetsinsky
address: 01110, Ukraine, Kiev, 20l Solomenskaya street. room 206.
phone: +38 050 6226676
e-mail: vs@netcathost.com
nic-hdl: VS1142-RIPE
source: RIPE # Filtered
They are currently offering SpyFalcon from 6 different IP addresses. Information about them is as follows:
dl2.spyfalcon.com
206.161.124.98
dl4.spyfalcon.com
207.226.162.34
dl9.spyfalcon.com
207.226.172.178
Reverses to spywarestrike.com
dl10.spyfalcon.com
209.8.60.69
Reverses to: spyfalconsupport.com
QUOTE
OrgName: Beyond The Network America, Inc.
OrgID: BNA-42
Address: Reston Executive Center
Address: 12100 Sunset Hills Road, Suite 300
City: Reston
StateProv: VA
PostalCode: 20190
Country: US
OrgNOCHandle: NOC1582-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-703-621-1637
OrgNOCEmail: Whois Privacy and Spam Prevention by Whois Source
dl3.spyfalcon.com
69.31.81.82
dl5.spyfalcon.com
69.31.131.82
Reverses to: spyaxesupport.com
QUOTE
Pilosoft, Inc.
55 Broad St, 3rd Floor
New York, NY 10004
US
Domain Name: PILOSOFT.COM
Administrative Contact, Technical Contact:
Pilosoft, Inc. Whois Privacy and Spam Prevention by Whois Source
55 Broad St, 3rd Floor
New York, NY 10004
US
9174078664 fax: 999-999-9999
Please feel free to complain to the ISP about these people. Hopefully, with enough complaints, they will close the accounts. The reality is that $$$$ talks, so they probably won't.