spyfalcon, plez help

O

opera936

New Member
I did removed spyfalcon with spyware doctor, but the popup in the taskmenu still pops up saying that my pc is infected with viruses. i even tried to remove it using the manual method, but the things that were supposed to be in the registry weren't there and the dll weren't in the dictorary they were supposed to be in. By the way i have the spyfalcon installer on my desktop if it is necessary for me to install it again inorder to remove it. following is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:52:32 PM, on 5/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\AVWLPSTA.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Opera\Opera.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Documents and Settings\Tom.TOM-BYKJNBIV1YE\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://VeryCD.265.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: VeryCD Search Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll
O2 - BHO: VeryCD³¬¼¶ËÑË÷ - {75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688} - C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll
O3 - Toolbar: VeryCD³¬¼¶ËÑË÷ - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - (no file)
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AVWLPSTA.EXE] AVWLPSTA.EXE START
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [YOKAssiant] Rundll32.exe C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll,YOKAssiant
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: VeryCD³¬¼¶ËÑË÷ - C:\PROGRA~1\YOK.com\SUPERS~1\yoksch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab
O16 - DPF: {53AF6E02-F18F-4228-AC13-3E79773FBE50} (CMCBooter Object) - http://download.mysee.com/plugin/booter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141922977281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145624686765
O17 - HKLM\System\CCS\Services\Tcpip\..\{974052FD-77B4-4B41-B4CD-C7F725F4A6F9}: NameServer = 71.243.0.12 68.237.161.12
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

used info from http://forums.afterdawn.com/thread_view.cfm/302491
any help would be appreciated.
 
Here are my finds:


C:\WINDOWS\system32\AVWLPSTA.EXE - Unknown
C:\Program Files\BitComet\BitComet.exe - Unknown
R3 - URLSearchHook: VeryCD Search Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll - Possibly nasty
O4 - HKLM\..\Run: [AVWLPSTA.EXE] AVWLPSTA.EXE START - Possibly nasty
O4 - HKLM\..\Run: [YOKAssiant] Rundll32.exe C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll,Y OKAssiant - Unknown
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html - Nasty
O8 - Extra context menu item: VeryCD³¬¼¶ËÑË÷ - C:\PROGRA~1\YOK.com\SUPERS~1\yoksch.htm - Possibly nasty
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll - Possibly nasty
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) - Possibly nasty
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab - Possibly nasty
O16 - DPF: {53AF6E02-F18F-4228-AC13-3E79773FBE50} (CMCBooter Object) - http://download.mysee.com/plugin/booter.cab - Possibly nasty
O17 - HKLM\System\CCS\Services\Tcpip\..\{974052FD-77B4-4B41-B4CD-C7F725F4A6F9}: NameServer = 71.243.0.12 68.237.161.12 - Possibly nasty
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll - Unknown
 
I tried the above methods(auto n manual) but the thing still pops up eventhought all the things seems to be cleaned. Then i google it and found that after using the above method then to download a thing called SmitfraudFix will fix the whole issue. I did follow the above methods uptill the Panda virus scan part, i did do a scan(for 5 min after it found 5 infections) but it doesn't help me clean that bastard. Anyway thanks for the replies!
 
Last edited:
I just got spyfalcon myself, run the SmitfraudFix then download ewido here http://www.ewido.net/en/download/ then update ewido's definitions and reboot into safe mode and do a full system scan with ewido and have it fix what it finds, then run hijackthis again and post a new log and I will tell you what to remove!
 
I don't get how you guys are getting infected with spyfalcon or spyquake spyaxe. Ive went to their sites numberous times and never have been infected.
 
Jars said:
I don't get how you guys are getting infected with spyfalcon or spyquake spyaxe. Ive went to their sites numberous times and never have been infected.
Click to expand...
I was surfing porn sites and got it as a drive by!
That was using firefox, spyware blaster and spybot immunization, my tea timer was going off like crazy, I finally had to allow it to install just so I could uninstall it!
I can post a link if you want to get infected
80.gif


PS: It's not there site that infects your PC, it is the software they sell for other sites to run that infects you!
 
Last edited:
It can't infect me, i have to many programs that protect me. A few of my own must i ad :P.. Anyways thats what u get, next time its gonna be worse when you surf porn sites.
 
Jars said:
It can't infect me, i have to many programs that protect me.
Click to expand...
Thats what I thought too...lol! You are experiencing a false sense of security!
Jars said:
Anyways thats what u get, next time its gonna be worse when you surf porn sites.
Click to expand...
I was testing my security just like you was testing yours by going to spyfalcons and spyaxes sites!
 
Last edited:
really? I guarentee you are not a maleware specialist. You use programs, that doesn't mean anything. Cell4me your a joke you know nothing about spyware/maleware, just stop while ur ahead. You say logs are clean when they are not.

Winpatrol
Spyblaster
Ewido
Firewall
Anti-virus
restrict websites
*Know what ur doing*
 
Jars said:
Cell4me your a joke you know nothing about spyware/maleware, just stop while ur ahead. You say logs are clean when they are not.
Click to expand...
Exsqueeze me? You show me one log that I said was clean that was not...I know how to decphier a log and I guarantee that if I told anyone their log was clean it was! I have removed more spyware on this forum than you have with your whole 57 post!

Winpatrol
Spyblaster
Ewido
Firewall
Anti-virus
restrict websites
*Know what ur doing*

These are your special programs that is going to keep spyware off your computer?

These are programs that everyone I know uses, I thought you was going to post some kind of brand new kryptonite anti-malware program you created with c++ or something?

Maybe you should just stop while ur ahead
80.gif
 
You must log in or register to reply here.
Back
Top