Removing vcodec found by Spybot

Hi
Thanks, I will keep a watch on things for a few days and post on here to let you know how it goes.
Thanks very much for your assistance.
I will also follow your advice and uninstall Logitech's desktop messenger.
 
Hi,
All has seemed OK, but just now a strange thing happened: I got a message up on the screen from Norton AntiVirus saying it had detected SpyFalcon. I clicked on the remove option and it appeared to work. The two logs from Norton are here:

Source: C:\WINDOWS\system32\ginuerep.dll,Action taken: Detected

and then:

Source: Manual Scanner
Risk category: Security risk
Overall Risk Impact: Low
Performance: Low
Privacy: Low
Removal: Low
Stealth: Low
Click for more information about this risk : SpyFalcon
Action taken: Detected
Description: Possibly affected areas:
20 Files:
C:\WINDOWS\system32\ginuerep.dll
C:\Documents and Settings\MARK\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyFalcon 2.0.lnk
C:\Documents and Settings\MARK\Desktop\SpyFalcon.lnk
C:\Documents and Settings\MARK\Local Settings\Temp\SFLanguage.ini
C:\Documents and Settings\MARK\Start Menu\SpyFalcon 2.0.lnk
C:\Program Files\SpyFalcon\Lang\English.ini
C:\Program Files\SpyFalcon\blacklist.txt
C:\Program Files\SpyFalcon\msvcp71.dll
C:\Program Files\SpyFalcon\msvcr71.dll
C:\Program Files\SpyFalcon\SpyFalcon.url
C:\Program Files\SpyFalcon\syg.db
C:\Program Files\SpyFalcon\uninst.exe
C:\Documents and Settings\MARK\Start Menu\Programs\SpyFalcon\SpyFalcon 2.0 Website.lnk
C:\Documents and Settings\MARK\Start Menu\Programs\SpyFalcon\SpyFalcon 2.0.lnk
C:\Documents and Settings\MARK\Start Menu\Programs\SpyFalcon\Uninstall SpyFalcon 2.0.lnk
C:\Program Files\SpyFalcon\Lang
C:\Program Files\SpyFalcon\Logs
C:\Program Files\SpyFalcon\Quarantine
C:\Program Files\SpyFalcon
C:\Documents and Settings\MARK\Start Menu\Programs\SpyFalcon

22 Registry keys:

1 Additional areas:
Unknown

I am now really paranoid and worried that this threat is still lurking on my computer somewhere?
Can you tell me if I am right to be worried or not, and if so, why did I get this message from Norton?
Regards, Mark
 
Ok,
Here's what I did:
1. Restarted in safe mode.
2. Ran a full virus scan with Norton 2006 (this found nothing).
3. Ran SmitRem.
4. Rebooted in normal mode, came straight here to post this.

Here is the SmitRem log:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 21/03/2006
The current time is: 10:38:30.16

Running from
C:\smitrem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 772 'explorer.exe'
Killing PID 772 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)
 
Delete these files and folder if they exist:
C:\Windows\System32\dxmpp.dll
C:\Windows\System32\ginuerep.dll
C:\Program Files\SpyFalcon\
Were any present?

Keep an eye out to see if any return over the next few days

Let us know of any problems
 
This topic will now be archived to prevent others with similar issues posting in it.
If you need it re-opened, please send me a PM and provide a link to the thread.
 