PDA

View Full Version : SpywareFalcon removal



user00265
2006-05-18, 07:38
This is what I gathered following some instructions, and posted it here for some (hopefully) help.

EWIDO:
-------------------------------------------------------------------------------------------------
ewido anti-malware - Scan report
-------------------------------------------------------------------------------------------------

+ Created on: 11:55:27 PM, 5/17/2006
+ Report-Checksum: 57A72142

+ Scan result:

[284] C:\WINDOWS\system32\winpsa32.dll -> Trojan.Agent.qt : Cleaned with backup
[1696] C:\WINDOWS\system32\fyhhxw.dll -> Trojan.Fakealert : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Elisamuel Resto\Application Data\Mozilla\Firefox\Profiles\1xxkba6d.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Elisamuel Resto\Application Data\Mozilla\Firefox\Profiles\1xxkba6d.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Elisamuel Resto\Application Data\Mozilla\Firefox\Profiles\1xxkba6d.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Elisamuel Resto\Application Data\Mozilla\Firefox\Profiles\1xxkba6d.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Elisamuel Resto\Application Data\Mozilla\Firefox\Profiles\1xxkba6d.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Elisamuel Resto\Application Data\Mozilla\Firefox\Profiles\1xxkba6d.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Elisamuel Resto\Application Data\Mozilla\Firefox\Profiles\1xxkba6d.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Elisamuel Resto\Local Settings\Application Data\5b32c1b2.exe -> Downloader.Tiny.bw : Cleaned with backup
C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\system32\5b32c1b2.exe -> Downloader.Tiny.bw : Cleaned with backup
C:\WINDOWS\system32\fyhhxw.dll -> Trojan.Fakealert : Cleaned with backup
C:\WINDOWS\system32\regperf.exe -> Trojan.Spambot : Cleaned with backup
C:\WINDOWS\system32\winpsa32.dll -> Trojan.Agent.qt : Cleaned with backup


::Report End

user00265
2006-05-18, 07:40
Panda Active Scan:
-------------------------------------------------------------------------------------------------
Incident Status Location

Adware:adware/mediatickets Not disinfected C:\WINDOWS\system32\oins.exe
Adware:adware/emediacodec Not disinfected c:\windows\system32\ld818F.tmp
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Adware:adware/spywarequake Not disinfected c:\windows\system32\1024\ld803E.tmp
Adware:adware/yazzlesudoku Not disinfected c:\program files\Yazzle Sudoku

user00265
2006-05-18, 07:42
SpyBot S&D Log (http://web.prtc.net/~eresto/spybot_log.txt)

user00265
2006-05-18, 07:44
Logfile of HijackThis v1.99.1
Scan saved at 12:14:26 AM, on 5/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG\avgupsvc.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\PROGRA~1\Grisoft\AVG\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp83C8.tmp (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [XPize Reloader] C:\WINDOWS\XPize\XPizeReloader.exe /S
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146284059031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146284146843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03B2262B-9B90-498B-AC80-FDDD9EF09087}: NameServer = 196.28.61.145,196.28.61.161
O17 - HKLM\System\CS1\Services\Tcpip\..\{03B2262B-9B90-498B-AC80-FDDD9EF09087}: NameServer = 196.28.61.145,196.28.61.161
O17 - HKLM\System\CS2\Services\Tcpip\..\{03B2262B-9B90-498B-AC80-FDDD9EF09087}: NameServer = 196.28.61.145,196.28.61.161
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

CalamityJane
2006-05-21, 02:58
Hi, you've bumped this thread with your replies so many times it looked as if this was a topic already getting help.

Did you run the SmitfraudFix tool in the instructions?.
http://forums.spybot.info/showthread.php?t=4015

If not here it is again:
1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

2. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

How to extract (decompress) zipped or compressed files
http://www.lvsonline.com/compresstut/index.shtml

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)


Reboot into Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam)


Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.


Please post back with the log requested (rapport.txt) and a fresh HijackThis log. I'll be happy to review all for you :)

user00265
2006-05-21, 03:16
Sorry for that, but the board kept complaining that my message was too large, so I had to do it like that.

I looked at the system's registry and found it loaded as a explorer module, I deleted the file from my system32 folder and removed the registry key. Ewido and the rest came out clean, and the spyware is officially gone as of two days ago.

Thanks for your reply nonetheless. :bigthumb:

CalamityJane
2006-05-22, 04:00
Ok! Glad you were able to get it resolved. :bigthumb:

I'll go ahead and close & archive this thread now. If you should need it reopened for any reason, please feel free to send me PM :)