Spyfalcon infected???help needed.

Discussion in 'Windows - Virus and spyware problems' started by ibanez7, May 20, 2006.

  1. ibanez7

    ibanez7 Member

    Joined:
    May 20, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Hello!
I believe I'm infected with SpyFalcon and may need the SmitfraudFix. I did some scans, all in safe mode. Here are the logs.

    ewido scan:
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 6:38:51 AM, 5/20/2006
    + Report-Checksum: B1765CE6

    + Scan result:

    :mozilla.13:C:\Documents and Settings\nanook\Application Data\Mozilla\Firefox\Profiles\l0sku99d.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.14:C:\Documents and Settings\nanook\Application Data\Mozilla\Firefox\Profiles\l0sku99d.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\nanook\Application Data\Mozilla\Firefox\Profiles\l0sku99d.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.16:C:\Documents and Settings\nanook\Application Data\Mozilla\Firefox\Profiles\l0sku99d.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup


    ::Report End
I ran Spybot and Lavasoft Ad-Aware and both have taken stuff out. Then back in normal mode.

    Panda active scan:
    Incident Status Location

    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\nanook\Application Data\Mozilla\Firefox\Profiles\l0sku99d.default\cookies.txt[.as-us.falkag.net/]
    Potentially unwanted tool:Application/Processor

HijackThis: I took a scan of the uninstall list:

    µTorrent
    Adobe Acrobat 5.0
    AnalogX Vocal Remover
    ArcSoft PhotoBase 3
    ArcSoft PhotoStudio 5
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    Canon CanoScan Toolbox 4.1
    CanoScan LiDE20,30 Manual
    CleanUp!
    C-Media WDM Audio Driver
    Cool Edit Pro 2.1
    ewido anti-malware
    GSM 1.2.3.0
    Hex Workshop v4.23
    HijackThis 1.99.1
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows XP (KB896344)
    IncrediMail Xe
    J2SE Runtime Environment 5.0 Update 6
    Labtec WebCam
    Lavasoft VX2 Cleaner
    Macromedia Flash Player 8
    MailWasher Pro
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Picture It! Photo 7.0
    Microsoft Streets and Trips 2002
    Microsoft Word 2002
    Microsoft Works 2003 Setup Launcher
    Microsoft Works 7.0
    Microsoft Works Suite Add-in for Microsoft Word
    Mozilla Firefox (1.5.0.3)
    MSN Messenger 7.5
    Nero 7 Ultra Edition
    nLite 1.0 RC8
    NOD32 antivirus system
    NOD32 FiX v2.1
    OmniPage SE
    PCI SoftV92 Modem
    PhishGuard
    RealPlayer 7 Basic
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Skype (BETA)
    Sound Blaster Live!
    Sunbelt Kerio Personal Firewall
    The Ultimate Troubleshooter
    Uninstall Startup Inspector
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Windows Defender
    Windows Defender Signatures
    Windows Installer 3.1 (KB893803)
    Windows Media Connect
    Windows Media Format Runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2

Then a scan with HijackThis (safe mode):

    Logfile of HijackThis v1.99.1(safemode)
    Scan saved at 11:21:39 PM, on 5/19/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    E:\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PhishGuard.lnk = C:\Program Files\PhishGuard\PhishGuard.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147515133718
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - E:\kerio firewall\Personal Firewall 4\kpf4ss.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

NOTE: I also noticed that every time I go into safe mode and run CWShredder it always finds and removes CWS.Msconfig. Then I go back into normal mode and run it again and it's gone. If I restart in normal mode it doesn't come back unless I go back into safe mode, then I find it again. Does this mean that it's just getting a false positive on that?
Thank you very much for all the help.

Note: every time I try to download the SmitfraudFix from anywhere, my antivirus NOD32 tells me that it's infected with a virus and won't let me extract the file in order to try to use that fix. Is there anything I can do, or somewhere to get a clean one? I tried a Google search and have tried 3 different downloads and always get that command to terminate with NOD32.
     
  2. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
OK, download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

(Some antiviruses, like NOD32, recognise SmitfraudFix's process.exe as malware. It is not malware; it is a program that stops processes.)

Then unplug the internet cable. Then disable NOD32.

    Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and double-click smitfraudfix.cmd.
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist).

Save this text file to your desktop.

Then enable NOD32. Re-plug your internet cable.

Post the contents of this SmitfraudFix text file here.

Post a HijackThis log here (this time, take it in normal mode).
     
  3. ibanez7

    ibanez7 Member

    Joined:
    May 20, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Thanks for your help. Here are the 2 scans requested.

    SmitFraudFix v2.45

    Scan done at 15:23:47.84, Sat 05/20/2006
    Run from C:\Documents and Settings\nanook\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\nanook\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\nanook\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End




    Logfile of HijackThis v1.99.1
    Scan saved at 3:29:00 PM, on 5/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    E:\kerio firewall\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Eset\nod32krn.exe
    E:\kerio firewall\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    E:\kerio firewall\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Eset\nod32kui.exe
    E:\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - E:\kerio firewall\Personal Firewall 4\kpf4ss.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    Again thank you very much!!!
     
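The two HijackThis logs above (safe mode and normal mode) are hand-read in the thread; the following is an added example, not code from the thread or from HijackThis, showing how the same triage can be scripted: parse the `O2`/`O4`/`O16`/`O23` entry format, flag loads from outside a coarse allowlist of directories and ActiveX downloads from unlisted hosts, and diff two scans to see what appeared or disappeared between them. The allowlists are assumptions for the demo, and the sample input is copied from the thread's logs plus one constructed suspicious `O4` line.

```python
import re
from urllib.parse import urlparse

# Added example (not from the thread). Coarse allowlists are assumptions for the demo.
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\")
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "security.symantec.com", "ax.emsisoft.com"}

# Sample input: lines copied from the thread's logs, plus one CONSTRUCTED suspicious O4 line.
SAFE_MODE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: PhishGuard.lnk = C:\Program Files\PhishGuard\PhishGuard.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - E:\kerio firewall\Personal Firewall 4\kpf4ss.exe
"""
NORMAL_MODE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\nanook\LOCALS~1\Temp\updater.exe /s
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - E:\kerio firewall\Personal Firewall 4\kpf4ss.exe
"""

def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; headers and process lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def startup_path(section, body):
    """Recover the file path an O2 (BHO), O4 (autostart) or O23 (service) entry loads."""
    if section in ("O2", "O23"):
        return body.rsplit(" - ", 1)[1]
    if section != "O4":
        return None
    target = body.split(": ", 1)[1]
    if target.startswith("["):            # [name] "path" args  or  [name] path args
        target = target.split("] ", 1)[1]
    elif " = " in target:                 # Global Startup: file.lnk = path
        target = target.split(" = ", 1)[1]
    quoted = re.match(r'"([^"]+)"', target)
    return quoted.group(1) if quoted else re.split(r" /", target, maxsplit=1)[0]

def triage(text):
    """Heuristic findings for review: loads from outside trusted dirs, ActiveX from unlisted hosts."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O16":
            host = urlparse(body.rsplit(" - ", 1)[1]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(f"{section} ActiveX download from unlisted host: {host}")
            continue
        path = startup_path(section, body)
        if path and not path.lower().startswith(TRUSTED_DIRS):
            findings.append(f"{section} loads from outside trusted dirs: {path}")
    return findings

def diff_logs(old_text, new_text):
    """Entries present in only one of two scans (e.g. safe mode vs normal mode)."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    return sorted(old - new), sorted(new - old)
```

Findings are prompts for a human look, not verdicts: the thread's Kerio firewall installed on E:\ trips the path rule even though it is legitimate, so the allowlist has to be tuned per machine.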
  4. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    You're looking clean :) Are you still having problems?
     
  5. ibanez7

    ibanez7 Member

    Joined:
    May 20, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
No, all is running great here. Thank you very much for your time and help. Cheers!!!
     
  6. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    You're welcome :)
     
  7. inoeos

    inoeos Member

    Joined:
    May 21, 2006
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    11
    Hello JaPK
I think I have the same problem as ibanez7. I am infected with a virus from SpyFalcon. I have run Ad-Aware, Spybot, XoftSpy and Blueyonder's PC Guard; some of these programs have found them (I think) and quarantined them, but it keeps coming back and hijacking my home page. It has also left an annoying icon with it. I would be most grateful if you could help me, but bear in mind I am a real novice with computers.
     
  8. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Hi inoeos.

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and double-click smitfraudfix.cmd.
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist).

Post the contents of this text file here.

(Some antiviruses recognise process.exe as malware. It is not malware; it is a program that stops processes.)

Then post a HijackThis log here, instructions ->
    http://forums.afterdawn.com/thread_view.cfm/263784
    (steps 3-5)

So post a HijackThis log and a SmitfraudFix log here and we'll get you cleaned.
     