Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyfalcon Related Problem


  • This topic is locked This topic is locked
6 replies to this topic

#1 Bazzer

Bazzer

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 31 March 2006 - 02:55 AM

Hi, I have followed the steps outlined on the preparation guide from "grinler" except I was unable to download Housecall, Panda & Bit defender. It seems to have something to do with Sevice Pack 2 & Activex controls???

I have cloened with Ad-aware, Spybot, AVG free ware & I managed to MacAfee AVERT Stinger.

The Problem.

After running all the Virus /Spyware programs it appears there is no bad stuff left ---- except a message appears on the bottom right of the screen to say my computer is infected and I have to download programs also there has been a small red flashing indicator on top of the accesabilty icon in the bottom "toolbar".

I've also had a problem when Explorer the opening page has been changed to "about.blank" I might have fixed this??

Hope I've done this OK.

PS I think Spyware quake has something to do with the mesage at the bottom of the screen

Thank Bazzer

Logfile of HijackThis v1.99.1
Scan saved at 7:38:20 p.m., on 31/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\IDU\iptray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
C:\Program Files\Intel\IDU\IDUServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = netscape.com
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127465274078
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3A986BC-D339-4BE6-ACFD-E1E5504C5F18}: NameServer = 202.180.64.2 202.180.64.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6DC58FE-B92F-42E6-8A0A-AFD835843A0F}: NameServer = 202.27.184.3
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper Lite.lnk (Diskeeper) - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
O23 - Service: Intel® Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Edited by Bazzer, 31 March 2006 - 03:27 AM.


BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 31 March 2006 - 05:08 AM

Hello Bazzer,

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

1. Download smitRem and save the file to your desktop.
Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem.

2. Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

3. Download roguescanfix.exe to your desktop.
Doubleclick roguescanfix.exe to install.
This will create a new folder on your desktop called roguescanfix.
Do not use this yet!

4. Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8.
A menu should come up where you will be given the option to enter Safe Mode.

5. Open the smitRem folder, then double click the RunThis.bat file to start the tool.
Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

6. Clean your IE cookies and cache:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
7. Run Ewido anti-malware:
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
    • NOTE: During some scans with ewido it is finding cases of false positives.
      # This means you will need to step through the process of cleaning files one-by-one.
      # If ewido detects a file you KNOW to be legitimate, select none as the action.
      # DO NOT select "Perform action on all infections"
      # If you are unsure of any entry found select none for now.
  • When the scan finishes, click on "Save Report". This will create a text file. Save it to your Desktop.
8. Go to Start > Control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

9. Reboot back into Windows, normal mode.

10. Open the roguescanfix folder and click: Run.bat
This tool needs internet connection so it can download an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
Let the tool perform its job.
The icons will disappear temporarely from your desktop, and reappear. This is normal.
Wait until the message Completed script execution is displayed, and click OK.
Click Exit to close down bfu.
Finally: click OK to start the Spyfalcon and/or Spywarequake uninstaller, and click uninstall.
WARNING: You will be asked to reboot your computer. Wait until the uninstallers did their job before clicking YES.

11. Post the contents of C:\smitfiles.txt and the Ewido Log by using Add Reply,
as well as a new HijackThis log.

Greetings,
BMThor

Edited by BMThor, 03 April 2006 - 04:53 AM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Bazzer

Bazzer
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 03 April 2006 - 03:19 AM

BMThor thanks a lot I'm fairly sure that everything unwanted has gone. All went as described until the 10th step, I didn't get the prompts re un instal spyquake etc. I'll send the two logs as asked for in step 10.. Once again Thankyou This site is an incredable resource and its nice to know the the good guys are out there fighting evil!




Rookie problem---------How do I send the files?

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 03 April 2006 - 04:57 AM

Hello Bazzer,

Rookie problem---------How do I send the files?


Open de logs in Notepad, copy the content en paste them in your reply,
using the "Add Reply" button.

You can paste them all at once. :thumbsup:

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 Bazzer

Bazzer
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 07 April 2006 - 02:29 AM

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:35:05 a.m., 2/04/2006
+ Report-Checksum: 8E3135DA

+ Scan result:

HKU\S-1-5-21-1390067357-1500820517-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpywareQuake -> Adware.SpywareQuake : Cleaned with backup
HKU\S-1-5-21-1390067357-1500820517-682003330-1003\Software\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D} -> Spyware.SpyFalcon : Cleaned with backup
HKU\S-1-5-21-1390067357-1500820517-682003330-1003\Software\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Adware.SpywareQuake : Cleaned with backup
HKU\S-1-5-21-1390067357-1500820517-682003330-1003_Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D} -> Spyware.SpyFalcon : Cleaned with backup
HKU\S-1-5-21-1390067357-1500820517-682003330-1003_Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Adware.SpywareQuake : Cleaned with backup
[1984] C:\WINDOWS\system32\stickrep.dll -> Trojan.Agent.qf : Cleaned with backup
C:\Program Files\SpywareQuake -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\blacklist.txt -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\ignored.lst -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Lang -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Lang\English.ini -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Logs -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\msvcp71.dll -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\msvcr71.dll -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Quarantine -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\ref.dat -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\SpywareQuake.exe -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\SpywareQuake.url -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\sq.ini -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\uninst.exe -> Adware.SpywareQuake : Cleaned with backup
C:\WINDOWS\system32\dfrgsrv.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\ginuerep.dll -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\stickrep.dll -> Trojan.Small : Cleaned with backup

smitRem log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 02/04/2006
The current time is: 9:05:56.15

Running from
C:\Documents and Settings\Owner\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\stickrep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 728 'explorer.exe'
Killing PID 728 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\stickrep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 08 April 2006 - 04:57 AM

Hello Bazzer,

Can you post a fresh HijackThis log for final checkup please?

Are you experiencing anymore problems?

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:17 PM

Posted 29 April 2006 - 06:06 AM

Since your problem is solved, and due to lack of final feedback, this topic will be closed.

If you need this topic reopened, please email the moderating team -
be sure to include the address of the thread and the name you posted under.


BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users