

Problems From Spyfalcon


6 replies to this topic

#1 theaandg

theaandg

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:43 PM

Posted 25 February 2006 - 10:38 PM

I recently was infected with Spyfalcon right after my antivirus subscription expired.

Now I keep receiving pop-ups through a spyware program I downloaded called Prevx 1.

It stops something from trying to load up, but continually displays the following message.

Files keep accumulating in the C:\windows\temp folder that look like this:

win40.tmp

and this type of file, in some form or fashion, is always running in my system processes:

win12E.tmp.exe

Please help!!!!


Event Information:
===================
Date: 2/25/2006
Time: 7:24:25 PM
Type: EVENT
Source: WKCOM
Category: PROCESS EXECUTION ALERT


Extended Event Information:
============================
Date/Time: 2/25/2006 - 7:24:25 PM
Event: Windows NT Logon Application tried to start
Response: Blocked
Process: C:\WINDOWS\SYSTEM32\WINLOGON.EXE
Parent: C:\WINDOWS\SYSTEM32\SMSS.EXE
File Name: C:\WINDOWS\TEMP\WIN23.TMP.EXE
Access Flag(s): [0x0] NONE
Create Status: [0x0] SUPERSEDE




System Information:
============================
System : Microsoft Windows XP Professional Service Pack 2 (Build 2600)
ComputerIdentifier: AT/AT COMPATIBLE
BiosVersion : A M I - 6000401
CPUName: Intel® Pentium® 4 CPU 2.80GHz
CPUVendor: GenuineIntel
CPUIdent: x86 Family 15 Model 3 Stepping 4
MemUsage : 42%
MemPhysicalTotal: 1072934912 (1023 MB)
MemPhysicalAvail: 613793792 (585 MB)
MemTotalAvail : 2582433792 (2462 MB)
MemPageAvail : 2207485952 (2105 MB)
MemPageAvail : 2147352576 (2047 MB)
ullAvailExtendedVirtual : 2113908736 (2015 MB)


#2 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:06:43 PM

Posted 25 February 2006 - 11:11 PM

theaandg,
I've split off your HJT log from your post here, and moved it to the "HijackThis Logs and Analysis" forum.
That is the proper forum for it.
Here's a link to your log:
theaandg's HJT log

NOTE:
Please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.


winlogon.exe and smss.exe are legitimate Windows system files.

I've never heard of Prevx 1.
Could you provide a link to where you got this program from?
I'd like to check it out.

Edited by tg1911, 25 February 2006 - 11:12 PM.

MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

Become a BleepingComputer fan: Facebook

#3 theaandg

theaandg
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:43 PM

Posted 25 February 2006 - 11:21 PM

I got it right here:

http://front.prevx.com/

It works OK, but I continually get pop-ups that it has blocked such and such service from starting, always in the c:\windows\temp folder,

and then it says parent file, smss.exe

I definitely know this is a windows service, but somehow it seems like this virus/spyware/malware, whatever...attaches itself to the smss.exe service

I found this anti-spyware removal way after I already had initial problems with spyfalcon

When I googled this adware program

Adware.Dollarrevenue

It came up with prevx1

Thanks for your help

#4 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:06:43 PM

Posted 26 February 2006 - 12:08 AM

I'm wondering if these are false positives.
Do you use any other spyware/malware scanners, and if so, which ones?

#5 theaandg

theaandg
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:43 PM

Posted 26 February 2006 - 12:25 AM

I use Spybot S&D, Panda Titanium, Spysweeper and Ewido, and they all detect a dialer.trojan.

I do not believe they are false positives, as there are sometimes over 10 different processes labeled

win(number & letter).tmp.exe in my running processes.

But I will gladly do whatever you suggest
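The two indicators the thread turns on are the Prevx "PROCESS EXECUTION ALERT" quoted in post #1 (a file under C:\WINDOWS\TEMP named WIN23.TMP.EXE, in a winlogon.exe/smss.exe context that is itself normal) and the win(number & letter).tmp.exe process names post #5 reports. The script below is an added example for this page, not Prevx's, BleepingComputer's or either poster's code: it parses an alert block with the field labels visible in the quoted event, tolerating both "Label: value" and label-then-value layouts and the HTML table remnants the extraction left behind, and it flags the Temp-folder pattern separately from the (legitimate) parent chain so the two are not confused. The alert text and the process list are constructed samples in the shape the posts describe; the field labels and the Temp directory are the only things assumed from the page.

```python
"""Triage helper for the Prevx1-style "PROCESS EXECUTION ALERT" quoted in post #1.

Added example for this thread; not Prevx code.  It assumes only the field
labels and path shape visible in the quoted alert.  All inputs are constructed.
"""
import re

# Field labels as they appear in the quoted "Extended Event Information" block.
FIELDS = ("Date/Time", "Event", "Response", "Process", "Parent",
          "File Name", "Access Flag(s)", "Create Status")

# Naming pattern the thread describes: win<hex digits>.tmp.exe (e.g. WIN23.TMP.EXE,
# win12E.tmp.exe).  A plain win40.tmp with no .exe is a dropped file, not a process.
TMP_EXE_NAME = re.compile(r"win[0-9a-f]+\.tmp\.exe", re.IGNORECASE)

# Folder the thread reports the files accumulating in.
TEMP_DIR = "\\WINDOWS\\TEMP"


def parse_event(text):
    """Parse one alert block into a dict keyed by the labels in FIELDS.

    Accepts 'Label: value' on one line or 'Label' followed by the value on the
    next line, and discards HTML remnants such as '<td width=20%>' first.
    """
    lines = [re.sub(r"<[^>]+>", "", ln).strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    fields = {}
    i = 0
    while i < len(lines):
        for key in FIELDS:
            # fullmatch keeps 'Event' from swallowing the 'Event Information:' header
            m = re.fullmatch(re.escape(key) + r"(?:\s*:\s*(.*))?", lines[i])
            if m:
                if m.group(1):
                    fields[key] = m.group(1).strip()
                elif i + 1 < len(lines):
                    fields[key] = lines[i + 1]
                    i += 1  # consumed the value line as well
                break
        i += 1
    return fields


def is_temp_tmp_exe(path):
    """True when path is a win<hex>.tmp.exe file directly inside ...\\WINDOWS\\TEMP."""
    folder, _, name = path.replace("/", "\\").rpartition("\\")
    return folder.upper().endswith(TEMP_DIR) and TMP_EXE_NAME.fullmatch(name) is not None


def triage(fields):
    """Classify one parsed alert from a defender's point of view."""
    process = fields.get("Process", "")
    parent = fields.get("Parent", "")
    # winlogon.exe started by smss.exe is the normal XP logon chain (post #2 is
    # right that both are legitimate); the indicator is the File Name field.
    normal_chain = (process.upper().endswith("\\SYSTEM32\\WINLOGON.EXE")
                    and parent.upper().endswith("\\SYSTEM32\\SMSS.EXE"))
    hit = is_temp_tmp_exe(fields.get("File Name", ""))
    return {
        "blocked": fields.get("Response", "").lower() == "blocked",
        "normal_parent_chain": normal_chain,
        "temp_tmp_exe": hit,
        "verdict": "investigate: executable in Windows\\Temp" if hit else "no temp indicator",
    }


def suspicious_process_names(names):
    """Return the running-process image names that match win<hex>.tmp.exe."""
    return sorted({n for n in names if TMP_EXE_NAME.fullmatch(n)}, key=str.lower)


# Constructed sample laid out exactly like the extracted alert in post #1,
# table remnants included.
SAMPLE_EVENT = """\
Extended Event Information:
============================
<table width=100% border=0 cellspacing=0 cellpadding=0>
<td width=20%>Date/Time
<td width=80%>2/25/2006 - 7:24:25 PM
Event
Windows NT Logon Application tried to start
Response
Blocked
Process
C:\\WINDOWS\\SYSTEM32\\WINLOGON.EXE
Parent
C:\\WINDOWS\\SYSTEM32\\SMSS.EXE
File Name
C:\\WINDOWS\\TEMP\\WIN23.TMP.EXE
Access Flag(s)
[0x0] NONE
Create Status
[0x0] SUPERSEDE
"""

# Constructed process list in the shape post #5 describes.
SAMPLE_PROCESSES = ["smss.exe", "winlogon.exe", "win12E.tmp.exe", "WIN40.TMP.EXE",
                    "explorer.exe", "win7.tmp", "winword.exe"]

if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT)))
    print(suspicious_process_names(SAMPLE_PROCESSES))
```

Run it as-is to see the sample alert classified; to use it on a real Prevx pop-up, paste the "Extended Event Information" text into `parse_event` and the Task Manager image names into `suspicious_process_names`. Separating `normal_parent_chain` from `temp_tmp_exe` is the point: a legitimate process and parent do not clear an alert whose File Name is an executable in the Temp folder, which is exactly the distinction post #2 and post #5 are working out.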

#6 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:06:43 PM

Posted 26 February 2006 - 12:32 AM

I would post a HijackThis log for examination, just to be sure.
Better safe than sorry. :thumbsup:

#7 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:06:43 PM

Posted 26 February 2006 - 01:01 AM

Sorry, theaandg.
I forgot I already moved your HJT log, that you previously posted, to the proper forum.
I left a link to it in post #2 above.

Just be sure to follow the information I put in the "NOTE".

Good luck.

Edited by tg1911, 26 February 2006 - 01:04 AM.
