New Variant of Spysheriff found! Need Help!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by cal20804tj, Feb 8, 2006.

  1. cal20804tj

    cal20804tj Private E-2

    It's called Spyfalcon v. 2.0. What happened is I got a Windows Update warning-looking balloon at the bottom right of the taskbar, where the update icon usually pops up. The message reads
    "Your Computer is infected!
    Possible harmful infection was detected......Click here to protect your PC from the biggest spyware threats."

    Of course I didn't click on it. It still automatically downloaded and installed this spyware-looking software called Spyfalcon. It then automatically started and looked as if it were running a scan. However, after only 2 seconds, it completed the supposed scan and said Spysheriff had been detected. I then clicked on the balloon, which caused the usual floods of casino pop-ups and reset my start page to enhancesecurity.com.

    I did both the usual "read and run me first" steps and the special procedure for PS Guard, Spysheriff and such. It's a variant of trojan Zlob, I think...I did see the "mssearchnet.exe" process active. After running the above-mentioned two procedures, I am back at the original position; the balloon pops out as Windows starts and downloads and runs Spyfalcon again (with the same Spysheriff detections). However, "mssearchnet.exe" is gone and seems to be gone for good. Any help on this would be greatly appreciated since this hard drive is a freshly installed one (my XP is still SP1; this happened while I was DLing the SP2 pack). Thanks in advance.

    Here are the ActiveScan and smitfiles logs.
     

    Attached Files:

  2. cal20804tj

    cal20804tj Private E-2

    Here is the current HJT log.
     

    Attached Files:

  3. cal20804tj

    cal20804tj Private E-2

    Mr. Spyfalcon is back again...I did everything as you mentioned...cry..
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the attached GetRunKey125b.zip to your PC someplace you can locate it. Then extract the files from the ZIP. Locate the getrunkey125b.bat file and double-click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt). This log will also pop up in a Notepad window, which you can just close. Upload the runkeys.txt file here as an attachment.
     

    Attached Files:

    Last edited: Feb 10, 2006
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, I have a question about the below in your Smitfile.txt log. It seems suspicious.

    "{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"

    Do you use an optical wheel mouse?

    Also does Spy Falcon appear in Add/Remove programs?
     
  6. cal20804tj

    cal20804tj Private E-2

    Quick answers to your questions:
    Yes, I do have a Logitech optical wheel mouse.
    Yes, I can remove it from Add/Remove in Control Panel.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are referring to Spy Falcon in Add/Remove Programs.....right? If so, what happens when you try to uninstall it?

    Attach the runkeys.txt log too.
     
  8. cal20804tj

    cal20804tj Private E-2

    Here is the log that you wanted me to run.
     

    Attached Files:

  9. cal20804tj

    cal20804tj Private E-2

    It uninstalls as if it were a normal program...it even deletes its own desktop shortcut.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But then what? Does it come back? When does it come back?
     
  11. cal20804tj

    cal20804tj Private E-2

    It comes back after a boot. SpySweeper says it's in the start-up program list.
     
  12. cal20804tj

    cal20804tj Private E-2

    Also, Spyfalcon claims that

    [HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}\InProcServer32]
    @="D:\WINDOWS\System32\dxmpp.dll"

    is infected by Spysheriff.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Funny, that is the CLSID that made me ask if you had an optical mouse. The below showed in your logs and I was trying to determine if it was bad or good:

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"
     
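    The check chaslang did by hand in posts 4 and 13 (dump the run keys, then ask whether the CLSID named under SharedTaskScheduler is backed by a legitimate COM registration) can be automated over a GetRunKey/smitfiles-style export. The following is an added Python example, not code from the thread or from the GetRunKey tool. The sample export is constructed: it reuses the two fragments quoted in the thread (the SharedTaskScheduler entry and the HKCU CLSID pointing at dxmpp.dll) and adds a machine-wide control entry and an orphan entry for contrast; backslashes are written singly, as the thread's quotes show them, although a real regedit export doubles them. The security point it encodes is that COM resolves HKCU\Software\Classes before HKLM, so a CLSID registered only under the user's hive can be written without admin rights and Explorer will still load its InProcServer32 DLL at logon through SharedTaskScheduler.

```python
"""Correlate SharedTaskScheduler entries with the CLSID that backs them.

Added example; the registry text below is constructed from the fragments quoted
in the thread plus invented control entries, not a real log.
"""
import re
from typing import Dict, List, Optional

# Constructed .reg-style export. The D1A2E7CD... GUID and dxmpp.dll are from the
# thread; the 438755C2... entry is modelled on the stock Browseui preloader as a
# benign control; the all-zero GUID is an invented orphan with no CLSID at all.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"
"{00000000-0000-0000-0000-000000000001}"="Constructed orphan entry"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\System32\browseui.dll"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}\InProcServer32]
@="D:\WINDOWS\System32\dxmpp.dll"
"""

SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
# "name"="data"  or  @="data"  (default value); non-string data caught by group 3
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(?:"(.*)"|(.+))\s*$')

STS_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler'
# Order matters: this is the precedence COM uses when building the merged HKCR view.
CLSID_HIVES = [
    ('HKCU', r'hkey_current_user\software\classes\clsid'),
    ('HKLM', r'hkey_local_machine\software\classes\clsid'),
    ('HKCR', r'hkey_classes_root\clsid'),
]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg-style text into {key_path_lowercased: {value_name: data}}.

    The default value is stored under '@'. Doubled backslashes (as regedit
    writes them) are collapsed so both export styles resolve the same way.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name = val.group(1) if val.group(1) is not None else '@'
            data = val.group(2) if val.group(2) is not None else val.group(3)
            keys[current][name] = data.replace('\\\\', '\\')
    return keys


def triage_shared_task_scheduler(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """For each SharedTaskScheduler CLSID, find the InProcServer32 that will load
    and say which hive supplied it. A hit that resolves via the per-user hive is
    the pattern from the thread: writable without admin rights, yet loaded by
    Explorer at every logon."""
    findings = []
    for guid, description in keys.get(STS_KEY, {}).items():
        hits = []
        for label, base in CLSID_HIVES:
            sub = keys.get(f'{base}\\{guid.lower()}\\inprocserver32')
            if sub and '@' in sub:
                hits.append((label, sub['@']))
        if not hits:
            verdict, dll = 'orphan (no InProcServer32 found)', None
        elif hits[0][0] == 'HKCU':
            verdict, dll = 'suspicious: resolved via per-user CLSID', hits[0][1]
        else:
            verdict, dll = 'machine-wide', hits[0][1]
        findings.append({'clsid': guid, 'description': description,
                         'dll': dll, 'verdict': verdict})
    return findings


if __name__ == '__main__':
    for f in triage_shared_task_scheduler(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{f['clsid']}  {f['description']!r}  ->  {f['dll']}  [{f['verdict']}]")
```

    Run against a real export, the "Wheel Mouse Optical Driver" description would not be enough to clear the entry either way; what decides it is that the only registration backing the GUID lives under the user's hive and names a DLL nobody installed on purpose. A genuine mouse driver is installed machine-wide by an administrator and has no business hooking Explorer through SharedTaskScheduler.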
  14. cal20804tj

    cal20804tj Private E-2

    Hm....should I go ahead and give it a shot?
    Would regedit be okay?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, let's get two things out of our way that could be interfering with the fixes first.

    Uninstall both MS Antispyware and SpySweeper. Then reboot and attach a new HJT log.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After reboot and posting the new HJT log continue.



    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.

    Now disconnect your cable to the internet (physically unplug it). Then go to Add/Remove Programs and uninstall it. Then reboot with no cable plugged in. After reboot, see if SpyFalcon is still gone. Then plug in your cable. Did SpyFalcon come back after plugging in the cable? Now connect to the internet (open a browser); did it come back?
     
  17. cal20804tj

    cal20804tj Private E-2

    Sorry, Chas, I had to go to work.
    Here is the new HJT log.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log is clean! Are you still having problems with Spy Falcon?
     
  19. cal20804tj

    cal20804tj Private E-2

    It is fine now~ even after a reboot with the internet connection, the annoying balloon is gone. Thanks, Chas.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, thank you, D3, for starting the thread and then letting me pick up where you left off! :D
     
