Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

SpyFalcon Problem


  • Please log in to reply

#1
MFAgosto

MFAgosto

    New Member

  • Member
  • Pip
  • 3 posts
I followed all your instructions to get rid of the SpyFalcon but I still see the "Virus threat" on the taskbar, even though I followed all the steps, and I'm not sure if it was fully removed. Below appear the reports that I got from the diferrent programs.


This is the HiKack This LOG

Logfile of HijackThis v1.99.1
Scan saved at 7:37:02 PM, on 4/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security 2005\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security 2005\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\User\My Documents\My Received Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.beautinet.com
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpD6.tmp
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://www.iicm.edu/.../vivo/vvweb.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security 2005\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security 2005\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security 2005\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



This is the Panda Scan report:


Incident Status Location

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Sexsuche Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\User\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\User\Cookies\[email protected][2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User\Desktop\smitRem.exe[smitRem/Process.exe]
Adware:adware/securityerror Not disinfected C:\Documents and Settings\User\Favorites\Antivirus Test Online.url
Potentially unwanted tool:Application/Altnet Not disinfected C:\Documents and Settings\User\Local Settings\Temp\asmfiles.cab
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\Documents and Settings\User\Local Settings\Temp\p2psetup.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\4JSB0RAJ\smitRem[1].exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\altnetuninstall.exe
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\asm.exe
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\asmend.exe
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\asmps.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Points Manager\Points Manager.exe
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll
Spyware:spyware/web3000 Not disinfected C:\WINDOWS\hh.ico
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32a.sys
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\system32\P2P Networking\MARSHAL.DLL
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
Potentially unwanted tool:Application/P2PNetworking



An these are the contents of the smitfiles.txt


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 04/25/2006
The current time is: 18:28:56.62

Running from
C:\Documents and Settings\User\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!


THANKS FOR YOUR HELP. I HOPE YOU CAN HELP ME.
  • 0

Advertisements


#2
MFAgosto

MFAgosto

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I WAS READING ANOTHER POST AND I SAW THAT THE PROBLEM WAS RELATED TO THE SAME I HAVE, SO I DOWNLOADED THE SmitFraud AND HERE IS THE LOG...just in case...



SmitFraudFix v2.34

Scan done at 20:24:55.40, Tue 04/25/2006
Run from C:\Documents and Settings\User\My Documents\Personal-MFA\www.GeekstoGo.com\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\hp????.tmp FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\User\FAVORI~1

C:\DOCUME~1\User\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



THANKS A LOT AGAIN, HOPE TO HEAR FROM YOU SOON
  • 0

#3
MFAgosto

MFAgosto

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
THIS IS THE REPORT AFTER THE CLEAN IN SmitFraud...I'm not sure if it's OK but I'm still having the problem that my HOMEPAGE APPEARS THE MESSAGE that "Your private info is collected by [email protected]"


SmitFraudFix v2.34

Scan done at 20:30:16.34, Tue 04/25/2006
Run from C:\Documents and Settings\User\My Documents\Personal-MFA\www.GeekstoGo.com\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

Problem while deleting C:\WINDOWS\system32\hp????.tmp
C:\DOCUME~1\User\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\hp????.tmp Deleted

»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#4
agrarianmonk

agrarianmonk

    Visiting Staff

  • Member
  • PipPipPip
  • 753 posts
Hi,

can you post a new hijackthis log for to review?

thanks,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP