SpyFalcon removed, I hope

Discussion in 'Malware Help (A Specialist Will Reply)' started by redwoodtwig, Mar 10, 2006.

  1. redwoodtwig

    redwoodtwig Private E-2

    I followed the instructions in the sticky post about removing it. Attached is the log file from smitfiles.txt. I hope I did everything correctly, at least the popups from the command bar aren't happening any more.

    Does anyone here use the Sysinternals programs? The data from Autoruns is in the second attachment. It doesn't appear to do as much evaluation as HijackThis, but I haven't run that yet, still reading up on it.

    In the meantime need to clean my wife's computer.

    Thanks for the wonderful forum,

    Brandon
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Yes, we do use many Sysinternals tools. We have other tools we prefer to use for startups, though.

    You have a problem revealed at the end of your Smitfiles.txt log.
    You need to search your PC for wininet without the extension (an extension is the characters after the period, like .dll). We need to get a copy back into the correct folder.

    Do you have a Windows CD that matches your OS and SP revision level?
     
  3. redwoodtwig

    redwoodtwig Private E-2

    Hmmm, guess I need to be outside the quote?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! You should not quote like you did. Only my text should be quoted! Yours should be outside the quotes otherwise your comments are easily missed.

    Check SmitRem again right now and see if it still gives the same result.

    We use the StartupList capability of HijackThis and we also use WinPfind and also our own tool which is covered in the below link:

    Using GetRunKey

    Are you having any more malware problems?
     
    Last edited: Mar 11, 2006
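The startup-key review that StartupList, WinPfind and GetRunKey perform in this thread, as an added example that is not part of the original posts or of MajorGeeks' own tools: it walks the common Run/RunOnce keys, pulls the executable out of each command line, and flags entries whose target is missing or not Authenticode-signed, which is the pattern that leftovers from a rogue like SpyFalcon tend to show. It assumes a modern Windows with PowerShell 5 or later (PowerShell did not exist on the XP systems this thread is about), and it deliberately covers only the Run keys; Autoruns and GetRunKey also inspect services, Winlogon, BHOs and many other launch points.

```powershell
# Added example: list Run/RunOnce startup entries and flag missing or
# unsigned targets. Not the thread's tool; assumes PowerShell 5+.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupExecutable {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   foo.exe -x
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ([string]::IsNullOrWhiteSpace($cmd)) { return '' }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: first token, resolved on PATH if it is not an absolute path
    $first = ($cmd -split '\s+')[0]
    if (Test-Path -LiteralPath $first) { return $first }
    $resolved = Get-Command -Name $first -CommandType Application -ErrorAction SilentlyContinue
    if ($resolved) { return ($resolved | Select-Object -First 1).Source }
    return $first
}

function Get-StartupEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $exe = Get-StartupExecutable -Command $command
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
                # The value points at nothing: typical of a half-removed infection
                $status = 'MISSING'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -eq 'Valid') {
                    $status = 'signed: ' + $sig.SignerCertificate.Subject
                } else {
                    $status = 'UNSIGNED (' + $sig.Status + ')'
                }
            }
            [PSCustomObject]@{
                Key        = $key
                Name       = $name
                Command    = $command
                Executable = $exe
                Status     = $status
            }
        }
    }
}

Get-StartupEntries | Format-Table -AutoSize -Wrap
```

An unsigned entry is not automatically malware (plenty of legitimate older software ships unsigned), but an entry whose file no longer exists, or one that points into a temp or user-profile folder with a random-looking name, is the kind of thing to post in a log for review rather than to delete blindly.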
  5. redwoodtwig

    redwoodtwig Private E-2

    I'm not sure what you mean by
    "Check SmitRem again right now and see if it still gives the same result." Should I go back into safe mode and run it again? It was quite lengthy the first time.

    I did run GetRunKey and got the attached.

    Thanks again,

    Brandon
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! If you want to be sure there is no problem, it is necessary! Your last log said:
    This is troublesome and we must be sure there is no problem.

    Is your system showing any signs of malware at this time? I do see some registry key entries that are not typically found and may be left over from SpyFalcon.
     
  7. redwoodtwig

    redwoodtwig Private E-2

    I ran it again in safe mode; the result is in the attachment. It still says wininet.dll is missing, and wininet.dll is still there. Attachment 2 shows what a search for wininet yields -- mostly from my Delphi environment. I've been letting Windows update itself.

    I don't use IE; I have Firefox 1.5. I can't see any malware symptoms anymore. But I do have a few more processes than I used to have, hopefully due to my son installing Final Fantasy XI (on his own account, which I had to give administrator rights to in order for him to play it, :-( ).

    I also see some peculiar things in the smitfiles log, as well as in my running process list at attachment 3. MsPMSPSv.exe?

    Thanks for your help and concern,

    Brandon
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Notice that the smitfiles.txt log is still showing other files related to the infection being found too! I would guess this is because your wininet.dll file that is in the system32 folder is infected and it is allowing the problem to respawn.

    You are going to have to get a different copy (for your SP revision level) installed into the system32 folder. Do you have a Windows XP SP2 boot CD?


    MsPMSPSv.exe is a valid process. See the below.
    http://www.liutilities.com/products/wintaskspro/processlibrary/mspmspsv/

    With the problems you are still showing and the fact that they seem to reoccur, you should run our standard cleaning steps below.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis
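The wininet check discussed across this thread (search for every copy of wininet regardless of extension, then decide whether the System32 copy is the bad one that lets the infection respawn), as an added example that is not part of the original posts: it lists each copy with its version, SHA-256 and Authenticode status, then reports on the one copy that Windows actually loads. It assumes a modern Windows with PowerShell 4 or later (Get-FileHash) and that `sfc /scannow` is available as the supported way to restore a protected system file; on XP the reference copy would be `%SystemRoot%\System32\dllcache`, on later releases WinSxS.

```powershell
# Added example: inventory every wininet.* on the system drive and verify the
# live System32\wininet.dll. Not from the thread; assumes PowerShell 4+.
$system32 = Join-Path $env:SystemRoot 'System32'
$liveDll  = Join-Path $system32 'wininet.dll'

# "wininet without the extension": match wininet.dll, wininet.h, wininet.pas, ...
$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'wininet.*' -File -Recurse -Force `
                        -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [PSCustomObject]@{
        Path      = $f.FullName
        Size      = $f.Length
        Version   = $f.VersionInfo.FileVersion   # null for non-PE files such as headers
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
$report | Sort-Object Path | Format-Table -AutoSize -Wrap

# Only the System32 copy is loaded by IE, Windows Update and everything else
# that uses WinINet; the other hits are reference copies or leftovers.
$live = $report | Where-Object { $_.Path -ieq $liveDll }
if (-not $live) {
    Write-Warning "No wininet.dll in $system32 -- the scanner's 'missing' result is real."
} elseif ($live.Signature -ne 'Valid' -or $live.Signer -notmatch 'Microsoft') {
    Write-Warning ("System32\wininet.dll does not verify as Microsoft-signed ({0}); " +
                   "treat it as suspect and restore it with 'sfc /scannow' or a copy " +
                   "from media matching this OS and SP level.") -f $live.Signature
} else {
    "System32\wininet.dll verifies as Microsoft-signed, version $($live.Version)."
}
```

Two caveats when reading the output. Many Windows system DLLs carry no embedded signature and are signed through a catalog; Get-AuthenticodeSignature checks catalogs on Windows 8 and later, but on older systems a genuine file can show `NotSigned`, so there use Sysinternals `sigcheck -i` or `sfc /verifyfile` before concluding the file is bad. And a copy taken from a CD at a different service-pack level will have a different version and hash from the one Windows Update installed, which is exactly why chaslang asks for media matching the SP revision rather than any wininet.dll.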
     
