SpyFalcon problem persisting

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Jokersrwild, Feb 25, 2006.

  1. Jokersrwild

    Jokersrwild Private E-2

    I followed the steps listed in http://forums.majorgeeks.com/showthread.php?t=85077
    but even after running all this I still get the pop-ups reporting that ActiveX error. Wanted to know if you had a way to get rid of the pop-ups by themselves since the program itself is gone. I even tried re-installing the program and removing it again to no avail. I must be the only person who downloaded SpyFalcon and installed it on purpose, ehh, oh well, any advice would be appreciated.
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  3. Jokersrwild

    Jokersrwild Private E-2

    Thank you for the help. I've solved the complication with the error there. Though now a new error has just started to come up and this one is odd as heck. Anyways, if you can check out this screenshot and give me an idea of what you think it is, I would appreciate it. It pops up at any time and..... it just popped up while I was typing this, but that is beyond the point; it's not malicious but it is dang irritating. Any tips guys?
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow my previous post, attach the Ewido log with a fresh HJT log.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: HijackThis is not installed correctly and msconfig is being used. Thus step 7 of the READ & RUN ME has not been followed.
     
  6. Jokersrwild

    Jokersrwild Private E-2

    K, sorry about that guys, I'll correct the HJT install and attach the malware log the sec I finish the reset on HJT.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You also must stop using msconfig to control your startups!
     
  8. Jokersrwild

    Jokersrwild Private E-2

    K, finished re-installing HJT by the book and here are the two log files. As for my using msconfig for my boots, if you mean startup you're right, I'm cutting far too many programs out of the sequence instead of just uninstalling. But if you mean for my safe mode boots, it's my only choice I believe. I'm using an Asus A8N Deluxe board with a Raptor drive, so when I boot and hit F8 it doesn't have the option for booting into safe mode. So I resolved to using msconfig to adjust the boot. Anyways, thanks again for the help guys.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please look in Add/Remove Programs for the following and uninstall them if found:

    Ewido

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    donfjnmd.exe

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

    R3 - URLSearchHook: (no name) - {11036E7F-8CBE-AB62-94A9-858AD8A6ABB9} - C:\WINDOWS\system32\hki.dll
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {11036E7F-8CBE-AB62-94A9-858AD8A6ABB9} - C:\WINDOWS\system32\hki.dll

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    O15 - Trusted Zone: *.i-lookup.com
    O15 - Trusted Zone: *.offshoreclicks.com
    O15 - Trusted Zone: *.teensguru.com

    O20 - Winlogon Notify: winbug32 - C:\WINDOWS\SYSTEM32\winbug32.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\hki.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\TEMP\donfjnmd.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\winbug32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, proceed with this last step...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  10. Jokersrwild

    Jokersrwild Private E-2

    Well, finished with the steps and just waiting to see if the nice window pops up for me, though at times it can pop up several minutes apart so who knows when it will show, but till then here is the log file.
     

    Attached Files:

  11. Jokersrwild

    Jokersrwild Private E-2

    Well, I'm now about 30 mins in and no black box of death, so I think I may be in the clear. I ran Burn In Test for about 15 minutes, so hopefully if it was going to come up that would have brought it up. Though with my limited understanding of what exactly that error was, I have no idea what triggered it nor whether I'm in the clear or not. Though I really appreciate your help on this one as well as your patience. In short, thanks for the help.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT fix the below entry:

    O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)

    After you complete the above your HJT log will be clean. Are you having any further problems?
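    The HijackThis entries bjgarrick listed earlier in this thread (blanked IE search pages, an unnamed URLSearchHook and BHO, an msconfig /auto startup, Trusted Zone additions, a Winlogon Notify DLL) and the "(file missing)" O20 entry in this post are the kind of lines a helper scans for by eye. The script below is an added example, not part of the thread and not HijackThis code: it parses those log line shapes and flags them with the same reasoning. The sample log lines are constructed from the entries quoted in the thread plus a couple of benign ones, and the small allow list of Winlogon Notify handler names is an illustrative assumption, not an authoritative list.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log: the entries bjgarrick asked to have fixed, plus a
# few benign-looking lines so the rules have something to leave alone.
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/",
    r"R3 - URLSearchHook: (no name) - {11036E7F-8CBE-AB62-94A9-858AD8A6ABB9} - C:\WINDOWS\system32\hki.dll",
    r"O2 - BHO: (no name) - {11036E7F-8CBE-AB62-94A9-858AD8A6ABB9} - C:\WINDOWS\system32\hki.dll",
    r"O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O15 - Trusted Zone: *.i-lookup.com",
    r"O20 - Winlogon Notify: winbug32 - C:\WINDOWS\SYSTEM32\winbug32.dll",
    r"O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)",
    r"O20 - Winlogon Notify: crypt32chain - crypt32.dll",
]

# Assumed allow list of Winlogon Notify handlers that ship with Windows XP.
# Illustrative only; a real triage would check the DLL path and signature.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Every HJT entry starts with a section tag (R0..R3, O1..O23) followed by " - ".
HJT_LINE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")

Finding = Tuple[str, str, str]  # (section, original line, reason)


def triage(lines: List[str]) -> List[Finding]:
    """Return the log lines that match one of the suspicious patterns."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        match = HJT_LINE.match(line)
        if not match:
            continue
        section, body = match.group(1), match.group(2)
        reason = None
        if section in ("R0", "R1") and body.endswith("about:blank") and any(
            key in body for key in ("SearchURL", "Local Page", "Start Page_bak")
        ):
            reason = "IE search/local page blanked (typical hijacker residue)"
        elif section == "R3" and "(no name)" in body:
            reason = "URLSearchHook with no name"
        elif section == "O2" and "(no name)" in body:
            reason = "BHO with no name"
        elif section == "O4" and "MSConfig.exe /auto" in body:
            reason = "msconfig selective startup in use (not a clean startup)"
        elif section == "O15":
            reason = "domain added to the IE Trusted Zone"
        elif section == "O20":
            # body looks like "Winlogon Notify: <name> - <dll>"; the path after
            # the first " - " may itself contain a colon, so split only once.
            handler = body.split(":", 1)[1].split(" - ")[0].strip()
            if "(file missing)" in body:
                reason = "Winlogon Notify entry points to a missing file"
            elif handler.lower() not in KNOWN_WINLOGON_NOTIFY:
                reason = f"unknown Winlogon Notify handler '{handler}'"
        if reason:
            findings.append((section, line, reason))
    return findings


def count_by_section(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings per HJT section so the totals can be checked at a glance."""
    counts: Dict[str, int] = {}
    for section, _, _ in findings:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for section, line, reason in triage(SAMPLE_HJT_LINES):
        print(f"[{section}] {reason}\n    {line}")
    print(count_by_section(triage(SAMPLE_HJT_LINES)))
```

    Run on the constructed sample it flags seven of the ten lines and leaves the Google start page, the SoundMan startup and the crypt32chain handler alone. The point of the O20 rule ordering is the one bjgarrick's follow-up shows: after the DLL is deleted the registry value is still there, now marked "(file missing)", and that leftover is flagged on its own so it gets removed too.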
     
  13. Jokersrwild

    Jokersrwild Private E-2

    Seems to be OK, however I won't say that too loud knowing that at any moment a B(black)SOD might pop up. Ehh, here's hoping for the best. Again, appreciate the help. Not sure why, but I got rid of the entry you suggested as well just in case. I suppose it won't hurt to have a clean.....er registry.
     

    Attached Files:

  14. Jokersrwild

    Jokersrwild Private E-2

    Well, now I'm really ticked. Everything has worked just fine until this morning I found my computer has been re-infected; even though I had Panda running, SpyFalcon reinstalled itself and my favorite Black Screen of Death is back. So now I'm gonna go ahead and go to war with the company. I'll repeat the steps you gave me in an attempt to get rid of these errors again. Then I'm going to contact the BBB and my father's law firm in regards to killing this company.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's not surprising! You have no antivirus application and no firewall installed. There are lots of malware problems you are susceptible to.
     
  16. Jokersrwild

    Jokersrwild Private E-2

    Well, after the last adventure I installed and have been running Panda 2006 Titanium with the adware sweeper; it's set at high security and the SpyFalcon program still managed to re-install through the night.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to the HijackThis log you posted early today. Did you install it after attaching the HijackThis log? How long after?

    And was the below running thru the night?

    C:\Program Files\Azureus\Azureus.exe
     
  18. Jokersrwild

    Jokersrwild Private E-2

    Immediately after the black box of death subsided, which did happen to fall after that last log, so in retrospect you're right, it wouldn't appear in that log. As for Azureus, yeah, it's my download agent so letting it run all night is commonplace for me. Is it possible that SpyFalcon is accessing through that program? It is a P2P agent of sorts, just torrent based. So it's possible it's accessing through the NAT port I used to let it through the firewall. What do you think?
     
