Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Spy Falcon - New Variant?

  • Please log in to reply
1 reply to this topic

#1 tantryl


  • Members
  • 31 posts
  • Local time:02:02 AM

Posted 12 March 2006 - 11:07 PM

I've used the Grinler fix as posted here: http://www.bleepingcomputer.com/forums/t/43659/how-to-remove-spyfalcon-removal-instructions/

It does give temporary relief - after performing all steps including the final virus scan it seems as if the problem has gone. Back in normal mode with no sign of Spy Falcon, Panda scan shows nothing and neither do Ad-Aware, Spybot S&D, or Ewido.

Windows Defender/AntiSpyware does show a "Zolob" registry entry for running wininet.dll which I know is related to the various smitfraud bits & pieces. Defender removes it but it will show up again if you restart the machine and scan again.

From the Grinler fix Panda should be fixing this problem, but it sees nothing wrong with wininet.dll. I've replaced wininet.dll with an XP CD expanded copy but that hasn't helped.

I can only assume that something else is creating the wininet.dll reference and causing the program to re-download.

Hijackthis log is clean (I look at many HJT logs). I can post it if you really really want, but you won't find anything.

But SF will re-appear about 24-48 hours later, after visiting no websites at all (as mentioned, it is re-downloading, I've seen netstat -a connections to various websites known to be affiliated with these smitfraud scams).

Ideas? Things I can upload for analysis?

BC AdBot (Login to Remove)



#2 tantryl

  • Topic Starter

  • Members
  • 31 posts
  • Local time:02:02 AM

Posted 14 March 2006 - 08:22 PM

Okay, the thing that seems to be redownloading SF is that Zolob fella I mentioned earlier.

In the form of a temp file (.tmp) in c:\windows\system32.

Have deleted it in safe mode along with the dlls suggested in the guide but it regenerates as well. Argh.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users