spyfalcon removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by newport dave, Mar 23, 2006.

  1. newport dave

    newport dave Private E-2

    Just to let you know, your instructions for removing SpyFalcon worked a treat, and it was a lot easier than I thought it would be. I'd managed to delete most of the SpyFalcon files by just searching for them, that was before I found this site.

    I've also attached smitfiles.txt log (hopefully)

    Thanks a lot

    Dave
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Dave and welcome to Majorgeeks.

    Looks like SmitRem found more problems to remove. However you seem to have a big problem. Your smitfiles.txt log shows:
    You can have a big problem if this is truly missing. You should check for the c:\windows\system32\wininet.dll file to see if it exists and make sure it is the correct one for your OS. What is the file date? Check the file Version info by right clicking on it and selecting Properties and look at the info in the Version tab.

    Are you running an unpatched (no updates) Windows XP?


    Try this! Go to Start > Run and copy and paste this line in the Run box:

    regsvr32 wininet.dll

    Click OK.

    Now check another SmitRem log. Does it still show wininet.dll missing?
     
    Last edited: Mar 24, 2006
  3. newport dave

    newport dave Private E-2

    Hi, thanks for the reply and info. I did a search for wininet.dll, and it's there; it also listed everything below.

    wininet.dll C:\WINDOWS\$NtUninstallKB896727$
    wininet.dll C:\WINDOWS\$NtUninstallKB905915$
    wininet.dll C:\WINDOWS\$NtUninstallKB912945$
    wininet.dll C:\WINDOWS\system32
    wininet.dll C:\WINDOWS\$hf_mig$\KB896727\SP2QFE
    wininet.dll C:\WINDOWS\$hf_mig$\KB905915\SP2QFE
    wininet.dll C:\WINDOWS\$hf_mig$\KB912945\SP2QFE
    wininet.dll C:\WINDOWS\SoftwareDistribution\Download\b1d748c98a066f11c2ebe15cec628a76\sp2gdr

    wininet.dll C:\WINDOWS\SoftwareDistribution\Download\b1d748c98a066f11c2ebe15cec628a76\sp2qfe


    As for my version of XP, I'm sure it's SP2, as I ran Windows Update yesterday after I'd removed SpyFalcon and there were no new downloads. Also here is some info from the Version tab on my wininet.dll file.

    FILE VERSION: 6.00.2900.2823 (xpsp_sp2_gdr.060106-1520)

    PRODUCT VERSION: 6.00.2900.2823


    Also below is a complete list of all updates I've done from the Microsoft site; I don't know if this is any use to you.

    Windows XP Update for Windows XP (KB904942) 23 March 2006 Microsoft Update

    Windows XP Update for Windows XP (KB912945) 23 March 2006 Microsoft Update

    Windows XP Windows Genuine Advantage Validation Tool (KB892130) 23 March 2006 Microsoft Update

    Office 2002/XP Security Update for Excel 2002 (KB905755) 16 March 2006 Automatic Updates

    Office 2002/XP Security Update for Word 2002 (KB905754) 16 March 2006 Automatic Updates

    Office 2002/XP Security Update for PowerPoint 2002 (KB905758) 16 March 2006 Automatic Updates

    Office 2002/XP Update for Office XP (KB913471) 16 March 2006 Automatic Updates

    Windows XP Windows Malicious Software Removal Tool - March 2006 (KB890830) 16 March 2006 Automatic Updates

    Office 2002/XP Security Update for Outlook 2002 (KB905649) 16 March 2006 Automatic Updates

    Windows XP Security Update for Windows Media Player 10 for Windows XP (KB911565) 16 February 2006 Microsoft Update

    Windows XP Security Update for Windows XP (KB913446) 16 February 2006 Microsoft Update

    Windows XP Windows Malicious Software Removal Tool - February 2006 (KB890830) 16 February 2006 Microsoft Update

    Windows XP Security Update for Windows Media Player Plug-in (KB911564) 16 February 2006 Microsoft Update

    Windows XP Security Update for Windows XP (KB901190) 16 February 2006 Microsoft Update

    Windows XP Security Update for Windows XP (KB911927) 16 February 2006 Microsoft Update

    Windows XP Security Update for Windows Media Player 10 for Windows XP (KB911565) 16 February 2006 Microsoft Update

    Windows XP Realtek Semiconductor Corp - Sound - Realtek High Definition Audio 16 February 2006 Microsoft Update

    Windows XP Security Update for Windows XP (KB913446) 15 February 2006 Automatic Updates

    Windows XP Update for WMDRM-enabled Media Players (KB891122) 14 January 2006 Microsoft Update

    Windows XP Update for Windows XP HighMAT Support in CD Writing Wizard (KB831240) 14 January 2006 Microsoft Update

    Windows XP Windows Malicious Software Removal Tool - January 2006 (KB890830) 11 January 2006 Automatic Updates

    Office 2002/XP Security Update for Outlook 2002 (KB892841) 11 January 2006 Automatic Updates

    Windows XP Security Update for Windows XP (KB908519) 11 January 2006 Automatic Updates

    Windows XP Update for Windows XP HighMAT Support in CD Writing Wizard (KB831240) 09 January 2006 Microsoft Update

    Windows XP Security Update for Windows XP (KB912919) 07 January 2006 Automatic Updates

    Office 2002/XP Update for Access 2002 (KB904018) 28 December 2005 Microsoft Update

    Office 2002/XP Security Update for Office XP (KB873352) 28 December 2005 Microsoft Update

    Office 2002/XP Security Update for Word 2002 (KB895589) 28 December 2005 Microsoft Update

    Office 2002/XP Security Update for Office XP: WordPerfect 5.x Converter (KB873379) 28 December 2005 Microsoft Update

    Office 2002/XP Office XP Update: KB833858 28 December 2005 Microsoft Update

    Office 2002/XP Security Update for SharePoint Team Services (KB890829) 28 December 2005 Microsoft Update

    Office 2002/XP Office XP Update: KB837253 28 December 2005 Microsoft Update

    Office 2002/XP Office XP Service Pack 3 28 December 2005 Microsoft Update

    Office 2002/XP Office XP Service Pack 3 28 December 2005 Automatic Updates

    Windows XP Critical Update for Office XP on Windows XP Service Pack 2 (KB885884) 28 December 2005 Automatic Updates

    Windows XP Microsoft GDI+ Detection Tool (KB873374) 28 December 2005 Automatic Updates

    Windows XP Windows Genuine Advantage Validation Tool (KB892130) 28 December 2005 Microsoft Update

    Windows XP Security Update for Windows XP (KB901017) 28 December 2005 Automatic Updates

    Windows XP Security Update for Windows XP (KB896424) 28 December 2005 Automatic Updates

    Windows XP Update for Windows XP (KB910437) 28 December 2005 Automatic Updates

    Hope I've not overloaded you with too much info

    Thanks

    Dave
     
  4. newport dave

    newport dave Private E-2

    Almost forgot........

    file date info...

    File Created: 10 August 2004

    File Modified:9 January 2006

    The 9 Jan 2006 was about the time I bought my PC, which had XP preloaded, and no I didn't get a copy of XP on disc.

    I bought it from Dixons (A British High Street Electrical Retailer)
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the file sizes and version numbers in the below folders the same as the one in system32

    wininet.dll C:\WINDOWS\SoftwareDistribution\Download\b1d748c98a066f11c2ebe15cec628a76\sp2gdr

    wininet.dll C:\WINDOWS\SoftwareDistribution\Download\b1d748c98a066f11c2ebe15cec628a76\sp2qfe

    Which file is the newest?
     
  6. newport dave

    newport dave Private E-2

    File ending gdr created & modified 9 jan 06, same size 643kb and file version as file in system32.

    File ending qfe created & modified 9 jan 06, size 647kb, file version : 6.00.2900.2823 (xpsp.060106-1527)
     
    Last edited by a moderator: Mar 25, 2006
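    The comparison chaslang asked for (size, version, date of every wininet.dll copy versus the one in system32) can be done in one pass. This is an added example, not something posted in the thread; it assumes a modern PowerShell (4 or later, for Get-FileHash) rather than the 2006 XP box, and that the Windows directory is in $env:SystemRoot.

```powershell
# Added example (not from the thread): list every copy of wininet.dll under the
# Windows directory with the fields chaslang asked about, plus a SHA-256 hash so
# identical copies can be spotted without trusting size alone.
# Assumes PowerShell 4+ (Get-FileHash). Run from an elevated prompt.
$dllName = 'wininet.dll'
$root    = $env:SystemRoot   # normally C:\WINDOWS

$copies = Get-ChildItem -Path $root -Filter $dllName -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [PSCustomObject]@{
            Path         = $_.FullName
            SizeKB       = [math]::Round($_.Length / 1KB, 1)
            FileVersion  = $_.VersionInfo.FileVersion      # e.g. 6.00.2900.2823 (xpsp_sp2_gdr...)
            LastModified = $_.LastWriteTime
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Newest copy first; the system32 one is the copy Internet Explorer actually loads.
$copies | Sort-Object LastModified -Descending | Format-Table -AutoSize

# Flag every copy whose hash differs from the live system32 file.
$livePath = Join-Path $root 'system32\wininet.dll'
$live = $copies | Where-Object { $_.Path -ieq $livePath }
if ($live) {
    $copies | Where-Object { $_.SHA256 -ne $live.SHA256 } |
        Select-Object Path, SizeKB, FileVersion, LastModified | Format-Table -AutoSize
} else {
    Write-Warning "No $dllName found in system32; a 'missing' report from a scanner would be accurate."
}
```

    Copies under $NtUninstallKB...$ and $hf_mig$ are expected to differ (they are older or QFE builds kept for uninstall); an unexpected hash on the system32 copy itself is what warrants a closer look.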
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the 647kb file to a file named wininet.new in your system32 folder. You will have to make a copy with the new name in an intermediate folder first since you cannot (and I do not want you to) just copy the 647kb one directly to the system32 folder.

    Then boot into safe mode and do not open any browsers. Just locate the current wininet.dll file and rename it wininet.old. Then rename the wininet.new file to wininet.dll.

    Now reboot in normal mode and run SmitRem and attach a new log. Let me know if everything else appears to be working okay.
     
  8. newport dave

    newport dave Private E-2

    Everything seems to be working fine.

    Checked the smitfile, and it's still showing wininet missing!!!!

    Attached the file anyway.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Strange!!!! But besides the wininet.dll missing message, smitrem just found some more problem files. You should boot into safe mode and run it one more time and attach another log from it. Even if we cannot get it to stop saying wininet.dll is missing, those other items should not be getting detected if you are truly clean.
     
  10. newport dave

    newport dave Private E-2

    Please find attached smitfile.

    I don't know if it's of any significance, but when I turn on my PC or switch users, when I'm on the desktop screen and it's loading the icons on the bottom right of the taskbar, literally just for a second or less a red shield with a white cross appears connected to a dialogue bubble which says "Norton Internet Security 2005 is turned off. Your computer may be at risk".

    Norton though is turned on to auto enabled, and the icon is on the taskbar next to the above. I've also clicked on the check security tab, which allows the Symantec website to test my PC's security, and it always comes back with the results that all my ports are showing 'stealth'. So Norton is working, as it periodically pops up with messages that it has just blocked an attack on my PC whilst connected to the internet.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! Those files reported by SmitRem just are not going away. I think we had better do our standard full cleaning procedure to make sure you have nothing else hiding in your PC. I'll give the steps below but first answer two questions.

    How many user accounts are on this PC?
    Are you running SmitRem in safe mode and on which user account?

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  12. newport dave

    newport dave Private E-2

    Somehow I totally missed the part in your first reply about running regsvr32 wininet.dll. Just ran it now and this is the message I received: "wininet.dll was loaded, but the DllRegisterServer entry point was not found. This file can not be registered."

    Hope this doesn't cause too many problems for you.

    I'll post the results of your above post in another post.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Just attach the three requested logs when you finish.
     
  14. newport dave

    newport dave Private E-2

    I have 2 user accounts; mine and my wife's.

    I ran smitrem in safe mode last time as requested, and in normal mode the times before that also as requested. They were all run in my user account 'david smee'.

    Downloaded all tools and ran them, also did online scans. Below is what was found.

    SPYBOT.

    WINDOWS.ACTIVEDESKTOP
    User Settings:HKEY_USERS\S-1-5-21-704353416-2949482461-2084530805-1007\Software\Microsoft\Windows\CurrentVersion\Policices\Activedesktop\NoHTMLWallpaper!=W=1

    Vcodec.eMedia
    Executable:C:\Program Files\eMediaCodec\uninst.exe
    Program Directory:C:\Program Files\eMediaCodec

    **THESE WERE REMOVED/FIXED BY SPYBOT**


    Microsoft Windows Defender.

    C2.Lop
    File: d:\documents and settings\jacki smee\favorites\entertainment\games.url

    File: d:\documents and settings\david smee\favorites\entertainment\games.url

    When trying to remove the above, the following message appeared: 'Windows Defender encountered an error: 0x80501001. One or more actions could not be completed successfully.'

    Both Ad-Aware and Microsoft Windows Malicious Software Removal Tool came back clean.

    Please find attached the 3 requested logs.


    Also, the 31 items found by the Panda scan were not removed by the program, and I didn't remove them manually either.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please install HJT properly as the directions in step 7 indicate.

    Also you did not post the Bitdefender log as per step 6. What you posted is a log summary which does not help us. If you do not follow the instructions in step 6 exactly as written you will not get the proper HTML file log.
     
  16. newport dave

    newport dave Private E-2

    Followed steps exactly as laid out.

    Also had to run Bitdefender and Panda scan in normal mode last time, and this time for Bitdefender.

    Not allowing me to upload hijackthis.log, as I have already attached the file in this thread previously.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry but you did not follow the steps. If you did, you would have an HTML file with a .txt extension. We expect and want the file that is uploaded to be the HTML code. This is what the directions indicate. All you are posting is a log summary which does not tell us where the infections are located and in which files.

    Then you have not extracted HijackThis from the ZIP file and installed it properly yet. Look at your latest HJT log file (the one you are trying to upload). Does it show this:

    D:\DOCUME~1\DAVIDS~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    If so, you still have not followed the directions in step 7. If you do not install it properly, you will not get backups of things we fix. And if a mistake is made, you could be in big trouble. This is one reason it is very important to install it as instructed.


    All that being said I do not see anything major in your HJT log. So don't worry about HJT or Bitdefender anymore right now.

    The only thing of concern is that your Norton/Symantec AV application appears to be broken. Notice some of the files show as missing.

    You should however boot into safe mode and delete the below files that SmitRem seems to be having problems removing:

    C:\WINDOWS\system32\1024\ld2202.tmp <--- it would be best to delete the whole 1024 folder
    C:\WINDOWS\system32\1024\ld24B2.tmp
    C:\WINDOWS\system32\ot.ico
     
    Last edited: Mar 31, 2006
