Help, Virus alert - spyfalcon

P

pest

Joined
May 6, 2006
Messages
1
Reaction score
0
Have a flashing handicap/varning sign in system tray.... with a dialogbox - your computer is infected flashing... tried various remedies from the net... none works.

Have run Hijackthis after reading previous threads here... (not from safe mode)

Logfile of HijackThis v1.99.1
Scan saved at 01:08:31, on 2006-05-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Panda Software\Panda Platinum 2006 Internet Security\AVENGINE.EXE
c:\program\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program\ewido anti-malware\ewidoctrl.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Panda Software\Panda Platinum 2006 Internet Security\psimsvc.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program\Panda Software\Panda Platinum 2006 Internet Security\SRVLOAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\PERSTE~1\MINADO~1\ASEMBL~1\fast.exe
C:\Program\Panda Software\Panda Platinum 2006 Internet Security\WebProxy.exe
C:\Documents and Settings\Per Stenqvist\Mina dokument\??stem32\n?lookup.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\Program\Panda Software\Panda Platinum 2006 Internet Security\apvxdwin.exe
C:\Program\Panda Software\Panda Platinum 2006 Internet Security\WebProxy.exe
C:\Documents and Settings\Per Stenqvist\Skrivbord\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - {5A4CC6EC-7526-02DB-7AF5-2087E187BAB6} - C:\WINDOWS\system32\ybr.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O2 - BHO: (no name) - {5A4CC6EC-7526-02DB-7AF5-2087E187BAB6} - C:\WINDOWS\system32\ybr.dll
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp1DDA.tmp (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Toolbar Suite\TB\02.05.0000.1105\sv-se\msntb.dll (file missing)
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrevxOne] C:\Program\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Utse] "C:\DOCUME~1\PERSTE~1\MINADO~1\ASEMBL~1\fast.exe" -vt yazr
O4 - HKCU\..\Run: [Agkp] C:\Documents and Settings\Per Stenqvist\Mina dokument\??stem32\n?lookup.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program\MSN Toolbar Suite\TB\02.05.0000.1105\sv-se\msntb.dll/search.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\MSN Toolbar Suite\TAB\02.05.0000.1105\sv-se\msntabres.dll/229?4a4416f6bfeb404ab5847e58e9f85e0
O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\MSN Toolbar Suite\TAB\02.05.0000.1105\sv-se\msntabres.dll/230?4a4416f6bfeb404ab5847e58e9f85e0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: Keep my net clean.org - {F12F48EE-7575-4a05-8957-E207557670C8} - C:\Program\Keep my Net Clean.org\kmnc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/se/win/QuickTimeFullInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=5071
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: wincqt32 - C:\WINDOWS\SYSTEM32\wincqt32.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program\Panda Software\Panda Platinum 2006 Internet Security\psimsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
 
Please use the removal instructions as in the thread HERE - it does work, just make sure you follow the instructions to the letter :thumb:

Afterwards re-post your HijackThis log.
 
Removing Spy Falcon and Spyware Quake

Hi Pest

I had similar problems with Spy Falcon and Spyware Quake. These seemd to ignore the fact my antivirus and adaware are updated.

A friend recommended Prevx1 to me. This sorted Spy Falcon and Spyware Quake plus something alled Trojan.MitGlieder.GB.

If you want to try it you can find it here:

http://www.prevx.com

I am currently running the 60 day free trial and it is a really cool program. Makes me wonder what Adaware is doing?
 
EveryOneKnows said:
Hi Pest

I had similar problems with Spy Falcon and Spyware Quake. These seemd to ignore the fact my antivirus and adaware are updated.

A friend recommended Prevx1 to me. This sorted Spy Falcon and Spyware Quake plus something alled Trojan.MitGlieder.GB.

If you want to try it you can find it here:

http://www.prevx.com

I am currently running the 60 day free trial and it is a really cool program. Makes me wonder what Adaware is doing?
Click to expand...
Why? ... is Adaware a Trojan Scanner? ... does "your" Av detect Trojans as well as viruses, if not, I'd be giving them the boot too, sonny.

Mitglieder.GB does not have its own means of propagation, and therefore has to be distributed manually ... in other words, you invited the bugger in the first place. ;)

Thanks for the link though ... looks interesting and "British" made, err I think. :)
 
Remove SpyFalcon

I work in a computer repair shop in Lincoln, Nebraska and we have seen a sudden up tick in the number of people infected with a new variant of the SpyFalcon spyware infection. While the basic infection is the same, there are a few new files to worry about.



We have a free removal tutorial posted at http://www.schrockinnovations.com/removespyfalcon.php, but suddenly people started reporting that upon restarting their computers they were becoming reinfected. We have since found that two additional files are being installed now that were not before. We updated the fixsf.zip removal tool in the tutorial to include these files.



Good luck and please post back here and let us know if you have any problems getting it removed.



http://www.schrockinnovations.com

http://www.thorschrock.com
 
Check out the clean up on Prevx1

Hey Guys

I have been reviewing this thread. I just tried the lates update of Prevx1 v.1.2.0.38 http://www.prevx.com . They said it has a new clean up feature. You need to see it. It really is awesome.

Totally blitzed SpywareQuake and SpyFalcon on my sister's PC, no safe mode, one reboot totally gone!

See what you think.
 
Thanks for giving us the heads up again - been reading about it over at the CastleCops forums, and it seems to be worth a try with its 28 day free trial :thumb:
 
Back
Top