#1
Silver Member
Join Date: Jan 2005
Location: P4 Willamette 1.8Ghz with CoolerMaster HS up to 3.8Ghz
Posts: 118
I did remove SpyFalcon with Spyware Doctor, but the popup in the taskbar still pops up saying that my PC is infected with viruses. I even tried to remove it using the manual method, but the things that were supposed to be in the registry weren't there and the DLLs weren't in the directory they were supposed to be in. By the way, I have the SpyFalcon installer on my desktop if it is necessary for me to install it again in order to remove it. Following is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:52:32 PM, on 5/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\AVWLPSTA.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Opera\Opera.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Documents and Settings\Tom.TOM-BYKJNBIV1YE\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://VeryCD.265.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: VeryCD Search Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll
O2 - BHO: VeryCD Super Search - {75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688} - C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll
O3 - Toolbar: VeryCD Super Search - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - (no file)
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AVWLPSTA.EXE] AVWLPSTA.EXE START
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [YOKAssiant] Rundll32.exe C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll,YOKAssiant
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: VeryCD Super Search - C:\PROGRA~1\YOK.com\SUPERS~1\yoksch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab
O16 - DPF: {53AF6E02-F18F-4228-AC13-3E79773FBE50} (CMCBooter Object) - http://download.mysee.com/plugin/booter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1141922977281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145624686765
O17 - HKLM\System\CCS\Services\Tcpip\..\{974052FD-77B4-4B41-B4CD-C7F725F4A6F9}: NameServer = 71.243.0.12 68.237.161.12
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Used info from http://forums.afterdawn.com/thread_view.cfm/302491. Any help would be appreciated.
#2
Silver Member
Join Date: Nov 2005
Posts: 167
Here are my finds:

C:\WINDOWS\system32\AVWLPSTA.EXE - Unknown
C:\Program Files\BitComet\BitComet.exe - Unknown
R3 - URLSearchHook: VeryCD Search Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll - Possibly nasty
O4 - HKLM\..\Run: [AVWLPSTA.EXE] AVWLPSTA.EXE START - Possibly nasty
O4 - HKLM\..\Run: [YOKAssiant] Rundll32.exe C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll,YOKAssiant - Unknown
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html - Nasty
O8 - Extra context menu item: VeryCD Super Search - C:\PROGRA~1\YOK.com\SUPERS~1\yoksch.htm - Possibly nasty
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll - Possibly nasty
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) - Possibly nasty
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab - Possibly nasty
O16 - DPF: {53AF6E02-F18F-4228-AC13-3E79773FBE50} (CMCBooter Object) - http://download.mysee.com/plugin/booter.cab - Possibly nasty
O17 - HKLM\System\CCS\Services\Tcpip\..\{974052FD-77B4-4B41-B4CD-C7F725F4A6F9}: NameServer = 71.243.0.12 68.237.161.12 - Possibly nasty
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll - Unknown
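The review in the reply above is done by eye. As an added example (not part of any post in this thread, and not HijackThis code), here is a small rule-based triage in Python that applies the same kind of checks to HijackThis v1.99 log lines: O20 Winlogon Notify packages that are not on an allowlist, an O17 NameServer override, O4 Run entries that load a DLL through rundll32 or name an image with no path (so it is resolved via PATH, as AVWLPSTA.EXE is), O16 ActiveX downloads from non-Microsoft hosts, orphaned "(no file)" toolbar and button entries, and any R3 URLSearchHook. The allowlists KNOWN_NOTIFY and TRUSTED_DPF_HOSTS are assumptions made for the example; the sample lines are copied from the log posted above (the Windows Update URL stays truncated as the page shows it).

```python
"""Rule-based triage of HijackThis (v1.99) log lines.

Added example for this thread; not code from the original posts or from
HijackThis itself. It mechanises the checks a log reviewer applies by hand.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: entries copied from the log posted above. The O16
# Windows Update URL is truncated exactly as it appears on the page.
SAMPLE_LOG = r"""
R3 - URLSearchHook: VeryCD Search Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AVWLPSTA.EXE] AVWLPSTA.EXE START
O4 - HKLM\..\Run: [YOKAssiant] Rundll32.exe C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll,YOKAssiant
O16 - DPF: {53AF6E02-F18F-4228-AC13-3E79773FBE50} (CMCBooter Object) - http://download.mysee.com/plugin/booter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1141922977281
O17 - HKLM\System\CCS\Services\Tcpip\..\{974052FD-77B4-4B41-B4CD-C7F725F4A6F9}: NameServer = 71.243.0.12 68.237.161.12
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")

# Assumptions for this example: Winlogon Notify packages accepted without
# review, and hosts accepted for ActiveX (DPF) downloads. Tune per machine.
KNOWN_NOTIFY = {"navlogon"}
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


@dataclass
class Finding:
    section: str
    severity: str  # "high" | "medium" | "low"
    reason: str
    line: str


def parse_entries(text):
    """Return (section, body, raw_line) for every R*/O* entry in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["section"], m["body"], raw.strip()))
    return entries


def _host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(text):
    """Apply the review rules and return the entries worth a closer look."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "O20":
            # "Winlogon Notify: <name> - <dll>"; these DLLs load into winlogon.exe.
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append(Finding(section, "high",
                    f"unrecognised Winlogon Notify package '{name}'", line))
        elif section == "O17":
            ips = body.split("NameServer =", 1)[1].split()
            findings.append(Finding(section, "medium",
                "NameServer set to " + ", ".join(ips) + "; confirm these are the ISP's resolvers", line))
        elif section == "O4":
            m = RUN_RE.search(body)
            if not m:  # "Global Startup" lines have no [name] token; skip them
                continue
            cmd = m["cmd"].strip()
            if re.match(r"rundll32(\.exe)?\b", cmd, re.IGNORECASE):
                findings.append(Finding(section, "high",
                    "Run entry loads a DLL through rundll32", line))
            elif not re.match(r'"?[A-Za-z]:\\', cmd):
                findings.append(Finding(section, "medium",
                    "Run entry has no full path; image is resolved via PATH", line))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[1].strip()
            if url.lower().startswith("http") and not _host_trusted(url):
                findings.append(Finding(section, "medium",
                    f"ActiveX download from untrusted host {urlparse(url).hostname}", line))
        elif section in ("O3", "O9") and body.endswith("(no file)"):
            findings.append(Finding(section, "low", "orphaned entry; file missing", line))
        elif section == "R3":
            findings.append(Finding(section, "high",
                "URLSearchHook redirects address-bar searches", line))
    return findings


def summarize(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

On the sample above this flags the URLSearchHook, the orphaned AOL toolbar, AVWLPSTA.EXE (no path), the rundll32 Run entry, the mysee.com ActiveX download, the NameServer line and winmxw32, and leaves vptray, NavLogon, the Windows Update control and the ZoneAlarm service alone. A flagged entry is a review candidate, not proof of infection: the O17 resolvers may simply be the ISP's, and a no-path Run entry is only suspicious until the image has been located and checked.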
#3
VIP Member
Join Date: Feb 2005
Location: UK
Age: 21
Posts: 6,033
Follow this. I found SpyFalcon a bastard to get rid of. Read through the instructions because there may be some you need to print out.
__________________
C2D E6300 @ 2.6Ghz Gigabyte GA-965P-DS3 2GB DDR2 667 1TB (1x500GB 2x250GB HDD) BFG 8800GTS 320MB PFC Til I Die
#4
Silver Member
Join Date: Jan 2005
Location: P4 Willamette 1.8Ghz with CoolerMaster HS up to 3.8Ghz
Posts: 118
I tried the above methods (auto and manual) but the thing still pops up even though everything seems to be cleaned. Then I googled it and found that, after using the above method, downloading a thing called SmitfraudFix will fix the whole issue. I did follow the above methods up until the Panda virus scan part; I did do a scan (for 5 min, after it found 5 infections) but it doesn't help me clean that bastard. Anyway, thanks for the replies!
Last edited by opera936; 05-19-2006 at 04:46 AM.
#5
banned
Join Date: Feb 2005
Posts: 1,486
I just got SpyFalcon myself. Run SmitfraudFix, then download ewido here http://www.ewido.net/en/download/, update ewido's definitions, reboot into Safe Mode and do a full system scan with ewido and have it fix what it finds. Then run HijackThis again and post a new log and I will tell you what to remove!
#7
banned
Join Date: Feb 2005
Posts: 1,486
Quote:
That was using Firefox, SpywareBlaster and Spybot immunization; my TeaTimer was going off like crazy. I finally had to allow it to install just so I could uninstall it! I can post a link if you want to get infected. PS: It's not their site that infects your PC, it is the software they sell for other sites to run that infects you!
Last edited by cell4me; 05-19-2006 at 05:23 PM.
#9
banned
Join Date: Feb 2005
Posts: 1,486
Quote:
Quote:
Last edited by cell4me; 05-19-2006 at 05:47 PM.