
Spyfalcon...a New Version Perhaps


3 replies to this topic

#1 Appel
  • Members
  • 3 posts

Posted 26 April 2006 - 05:41 PM

OK, I'm no pro, but I ain't (too) dumb neither. The reason I say not too dumb is that I got SpyFalcon yesterday morning while looking for a free game code. It acted quite a lot like SpyQuake, with the annoying little popup and redirecting my homepage.

Anyway, I tried all the good scanners and such listed on the 'Preparation Guide' page.

First thing is, man, I thought I kept my PC fairly clean, but there was some major crap on my PC.

Anyway, the real nasty one was the SpyFalcon... I tried many methods, including the one involving the smitRem file, but no luck.



Finally BitDefender caught the files and was able to delete some of them; all were contained in the system32 folder (WinXP). Here's the relevant part of the log:

C:\WINDOWS\system32\dcomcfg.exe    Infected with: Trojan.Downloader.Zlob.MJ
C:\WINDOWS\system32\dcomcfg.exe    Disinfection failed
C:\WINDOWS\system32\dcomcfg.exe    Delete failed
C:\WINDOWS\system32\hp5A74.tmp    Infected with: Trojan.Downloader.Zlob.MJ
C:\WINDOWS\system32\hp5A74.tmp    Deleted
C:\WINDOWS\system32\hp6D40.tmp    Infected with: Trojan.Downloader.Zlob.MJ
C:\WINDOWS\system32\hp6D40.tmp    Disinfection failed
C:\WINDOWS\system32\hp6D40.tmp    Delete failed
C:\WINDOWS\system32\regperf.exe    Infected with: BehavesLike:Win32.ExplorerHijack
C:\WINDOWS\system32\regperf.exe    Disinfection failed
C:\WINDOWS\system32\regperf.exe    Deleted
C:\WINDOWS\system32\simpole.tlb    Infected with: Trojan.Downloader.Zlob.MJ
C:\WINDOWS\system32\simpole.tlb    Deleted
C:\WINDOWS\system32\twain32.dll    Infected with: Trojan.Renos.E
C:\WINDOWS\system32\twain32.dll    Disinfection failed
C:\WINDOWS\system32\twain32.dll    Delete failed

Anywho, this may or may not be useful; thought I would share :thumbsup:

...boy, that was a sucky infection :flowers:

Edited by Appel, 26 April 2006 - 06:20 PM.


#2 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 50,558 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 26 April 2006 - 07:54 PM

If the self-help guide did not work and you still have malware on your system, I suggest you read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, not here, for assistance by the HJT Team Experts.

It may take a while to get a response because the HJT Team members are very busy. Please be patient, as they are volunteers who will help you out as soon as possible. Once you have made your post, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have not been replied to, as this makes it easier for them to identify those who have not been helped. If you post another response, a team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Guest_clkgable_*
  • Guests

Posted 26 April 2006 - 10:05 PM

All the rest of the explanations don't work. This will blast SpyFalcon (and it deserves it too).

http://www.martijnc.be/tools/roguescanfix.exe

No Safe Mode, no nothing... it just nukes this devil... goodbye, wheelchair.

#4 Wolfnadrid
  • Members
  • 9 posts

Posted 27 April 2006 - 01:11 AM

Hey all... long-time user of these forums' support information, and I finally have something to contribute...

I have formulated a fix for what appears to be this variant of SpyFalcon and SpyQuake.

NEW symptom changes: the systray icon flashes between the Accessibility Options wheelchair icon and a red slash, the message presented in the systray is identical to the original SpywareQuake, and the homepage is redirected to safetydefender.com.

Successful steps taken to remove said infection are below:

Download the following registry alteration files: http://www.f-secure.com/tools/f-spyaxe.reg, http://www.bleepingcomputer.com/files/reg/FixSF.reg and http://www.bleepingcomputer.com/files/reg/FixSQ.reg.

Download the smitRem tool from http://www.bleepingcomputer.com/files/smitRem.php and extract the file onto the desktop.
Reboot the system into Safe Mode WITHOUT networking support (the new variant I've seen pops up in Safe Mode with Networking now).
Run/merge the 3 .reg files listed above.
Run the smitRem tool and allow it to run its course, including the automated launch of Disk Cleanup.
Open a command prompt and run the following commands, ignoring any 'file not found' messages (forced and quiet delete are the flags I've added to the del command):
del /F /Q C:\Windows\System32\stickrep.dll
del /F /Q C:\Windows\System32\suprox.dll
del /F /Q C:\windows\System32\xenadot.dll
del /F /Q C:\windows\System32\sivudro.dll
del /F /Q C:\WINDOWS\System32\nvctrl.exe
del /F /Q C:\WINDOWS\System32\dfrgsrv.exe
del /F /Q C:\WINDOWS\System32\mssearchnet.exe
del /F /Q C:\windows\System32\dcomcfge.exe
del /F /Q C:\windows\system32\hp*.tmp
del /F /Q C:\windows\system32\twain32.dll
del /F /Q C:\windows\system32\regperf*.*
del /F /Q C:\windows\system32\simpole*.*
del /F /Q C:\WINDOWS\system32\dcomcfg.exe
del /F /Q C:\Windows\System32\dxmpp.dll
del /F /Q C:\Windows\System32\ginuerep.dll
del /F /Q /S C:\windows\temp\*.*
Reset the homepage in Internet Options from Control Panel.
Empty the Recycle Bin and run the Disk Cleanup wizard.
Restart the computer normally.

I've had success with this method when the standard SF/SQ fixes are not removing the infection after rebooting.

(99% of this is from posts by Grinler and his guide: http://www.bleepingcomputer.com/forums/t/47826/how-to-remove-spywarequaked-and-spywarequake-removal-instructions/; I just added a bunch more deletes to check for most known variants of the SF/SQ family, for redundancy.)

Cheers! :thumbsup:

Edited by Wolfnadrid, 27 April 2006 - 02:33 AM.

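The scan log in post #1 and the manual deletion list in post #4 are two halves of the same triage: the scanner reports what it detected and what it could not remove, and the files it failed to delete are the ones that still have to be removed by hand. As an added example, not part of this thread and not BitDefender's or either poster's code, here is a small Python script that parses a log in the layout post #1 quotes, groups the results per file, counts detections per signature name, and prints the leftover files as del /F /Q lines in the form post #4 uses. The sample log is constructed from post #1's entries; the parser's acceptance of either one-line or two-line records, and its assumption that a path contains no tabs or runs of double spaces, are this example's own choices, not documented properties of the scanner's log format.

```python
"""Triage a BitDefender-style scan log like the one quoted in post #1.

Added example for this thread; not code from the original posts or from
BitDefender. Lists the files the scanner could neither disinfect nor
delete, i.e. the ones still needing manual removal (post #4 does that from
Safe Mode), and renders them as cmd.exe 'del /F /Q <path>' lines.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, built from five of the entries quoted in post #1,
# in the path-line / status-line layout that post shows.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\dcomcfg.exe
Infected with: Trojan.Downloader.Zlob.MJ
C:\WINDOWS\system32\dcomcfg.exe
Disinfection failed
C:\WINDOWS\system32\dcomcfg.exe
Delete failed
C:\WINDOWS\system32\hp5A74.tmp
Infected with: Trojan.Downloader.Zlob.MJ
C:\WINDOWS\system32\hp5A74.tmp
Deleted
C:\WINDOWS\system32\hp6D40.tmp
Infected with: Trojan.Downloader.Zlob.MJ
C:\WINDOWS\system32\hp6D40.tmp
Disinfection failed
C:\WINDOWS\system32\hp6D40.tmp
Delete failed
C:\WINDOWS\system32\regperf.exe
Infected with: BehavesLike:Win32.ExplorerHijack
C:\WINDOWS\system32\regperf.exe
Disinfection failed
C:\WINDOWS\system32\regperf.exe
Deleted
C:\WINDOWS\system32\twain32.dll
Infected with: Trojan.Renos.E
C:\WINDOWS\system32\twain32.dll
Disinfection failed
C:\WINDOWS\system32\twain32.dll
Delete failed
"""

# A line that starts with a drive letter and a backslash is a file path.
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_log(text):
    """Return a list of (path, status) pairs.

    Accepts 'path<TAB or 2+ spaces>status' on one line, or the path on one
    line and its status on the next non-blank line (the layout in post #1).
    Assumption of this example: paths contain no tabs or double spaces.
    """
    records = []
    pending = None  # path seen on its own line, waiting for a status line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            parts = re.split(r"\t+| {2,}", line, maxsplit=1)
            if len(parts) == 2:
                records.append((parts[0].strip(), parts[1].strip()))
                pending = None
            else:
                pending = line
        elif pending is not None:
            records.append((pending, line))
            pending = None
        # Any other line (headers, noise) is ignored.
    return records


def summarize(records):
    """Group per path: the detection name and the ordered list of outcomes."""
    by_path = defaultdict(lambda: {"detection": None, "outcomes": []})
    for path, status in records:
        entry = by_path[path]
        if status.startswith("Infected with:"):
            entry["detection"] = status.split(":", 1)[1].strip()
        else:
            entry["outcomes"].append(status)
    return dict(by_path)


def still_present(summary):
    """Paths with no 'Deleted' outcome: the scanner left them on disk."""
    return sorted(p for p, e in summary.items() if "Deleted" not in e["outcomes"])


def detection_counts(summary):
    """How many files each detection name accounted for."""
    return Counter(e["detection"] for e in summary.values() if e["detection"])


def cleanup_commands(paths):
    """Render forced, quiet cmd.exe deletions in the form post #4 uses."""
    return ["del /F /Q %s" % p for p in paths]


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for name, n in detection_counts(summary).most_common():
        print("%-40s %d file(s)" % (name, n))
    print("\nStill on disk after the scan; delete from Safe Mode:")
    for cmd in cleanup_commands(still_present(summary)):
        print("  " + cmd)
```

A "Delete failed" on a file the scanner has already identified usually means the file was in use at scan time, which is the reason the procedure in post #4 reboots into Safe Mode before running its del commands instead of deleting from the running desktop. Run the generated lines there, then rescan: the list only covers what this one log reported, not every dropped component.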



