Spyware? WTF?!

raildogg

Lifer
Aug 24, 2004
12,892
572
126
I was browsing tonight and all of a sudden I get this message that has been popping up for the past 3 hours now. It says I have spyware and my computer is infected and I should get a program to remove it. On the lower right hand side, where all the icons are, a windows-like icon keeps popping up this message.

I guess it's probably my mistake because I delayed updating to Firefox 1.5. I was still using the earlier version. I have ad-aware and spybot and they can't do a thing to fix this. Also, the message that keeps popping up keeps taking me to spyfalcon's website (which is a commercial product that I do not intend to buy). So what is the best solution?

Please don't say format because I am sick of doing that. I have formatted my hard drive at least 10 times in the past 4 months.

Also, if this icon is windows, then why does it keep taking me to the website of the product that I mentioned above?
 

daveybrat

Elite Member
Super Moderator
Jan 31, 2000
5,817
1,029
126
Actually, that's a pretty easy malware to remove now. You simply need to go to this site:

Noahdfear's Smitrem removal tool

Scroll down the page and download the Smitrem.exe file.

Execute it and it will extract itself into a folder. Boot into safe mode and go into the folder it created and double click the Runthis.bat file. After the program runs, you'll be good to go.

Good luck! :)
 

John

Moderator Emeritus
Elite Member
Oct 9, 1999
33,944
4
81
daveybrat, you are absolutely correct. However, if you are bright enough to get a Spy Axe variant then you probably have other malware on your computer. I put ccleaner, noahdfear's tool, antipuper tool which takes out additional smitfrauds, and some detailed instructions and links to other tools in the kit that I put together.
 

daveybrat

Cool, I'll have to check out that kit you have, John!

Thanks! :)
 

raildogg

You guys are amazing. Thank you a lot.

I tried all the programs you guys mentioned, plus a few I already had. The pesky thing that was in the toolbar is gone. It took me a while to do it, but now it's gone, for now. Before it went away, I ran Spybot and that seemed to have made things a lot better.

Now I can play Command and Conquer: The First Decade, which just arrived today, in a relaxed mode. Heh, I'm not sure how many times I want to play those Red Alert 1 missions with Stavlos, Von (forget his name) and of course, Tanya guiding me through with those pre-mission clips!
 

Jeff7

Lifer
Jan 4, 2001
41,596
20
81
You've got to get a good CoolWebSearch infection. My favorite kinds are the variants that use hidden registry entries, which instruct Windows Explorer to hide the files responsible for the infection - and the files themselves are randomly named, stashed somewhere in the Windows\system folder among the many many DLLs. The one that I saw locked up CWShredder, requiring manual removal.
It would be nice for the programmers of CWS to meet an ironic end, like maybe falling into a (fictional) CW-brand wood shredder. Sorry, I'm not good at thinking of ironic punishments quickly.
 

raildogg

Guess I spoke too soon. That same malware/spyware is back again and is as vicious as ever. It keeps on installing this spyware removal program called "SpyFalcon", which is probably a spyware program itself. I've tried CCleaner, ad-aware, spybot, Antipuper, spydoctor and these programs get rid of SpyFalcon but the message is still there on the toolbar and when I restart, it automatically installs SpyFalcon again.

Looks like I will have to thoroughly search my computer, or does anyone have more ideas for a fix? Or am I doing this wrong?

Thanks for all the help, guys.
 

raildogg

Update:

Well I believe I finally have gotten rid of it. I had to execute the smitrem file in safe mode and delete a .dll file and remove SpyFalcon from the add/remove menu.

It is gone for now.

Thanks again, all.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Suggestion: check your system with Microsoft Baseline Security Analyzer 2.0. Also ensure that all your antivirus software's detection options are turned on (spyware, adware, heuristics, archive/compressed-file scanning). And run it through a ShieldsUp scan (https://www.grc.com/x/ne.dll?bh0bkyd2) to see if it's visible to the Internet.

Also, if it was your Athlon64 that got hit, it couldn't hurt to fully enable Data Execution Prevention. Right-click My Computer, choose Properties, and do like this here.
 

Cipherfaction

Member
Nov 17, 2005
146
0
0
I got the Spy Falcon thing. I still can't fix it. I can't find the dxmpp.dll file, so that gay bubble is still there. I'm so pissed. I used the smitrem thing but I still couldn't get it out!!! Someone please help.
 

mechBgon

Originally posted by: Cipherfaction
Any other suggestions? That one seems kinda complicated. I've tried A LOT of ways, still can't get rid of it!!!!
What's complicated about it? Download a file and unzip it to a certain folder. Download another file and save it in the same folder. Reboot into Safe Mode W/Command Prompt and run one command. Sit back and watch malware get vaporized on sight. :evil:

 

mechBgon

The second file is still there. But if you want to make your own, it's just a .bat file that contains this command:

C:\McAfee\scan.exe /adl /all /allole /analyze /del /dohsm /mailbox /manalyze /mime /html C:\report.html /panalyze /program /streams /unzip /winmem

That is all one single command, including the C:\report.html bit. Since it's easy to make a typo in a command that long, I figured a batchfile would be easier for most people.
 

potato28

Diamond Member
Jun 27, 2005
8,964
0
0
You could also do a roll-back. I did that when the original Spyaxe malware came out. Screwed up my system so much after 3 restarts I just rolled-back 2 weeks.
 

John

Originally posted by: Cipherfaction
Any other suggestions? That one seems kinda complicated. I've tried A LOT of ways, still can't get rid of it!!!!

1) Download and run CCleaner: http://www.majorgeeks.com/download.php?det=4191

2) Download and execute this registry file: http://www.bleepingcomputer.com/files/reg/FixSF.reg

3) Reboot to safe mode and delete the following files and folders if you see them (enable hidden files and folders, uncheck hide extensions for known file types and hide protected OS files):

C:\Windows\System32\dxmpp.dll
C:\Windows\System32\ginuerep.dll
C:\Program Files\SpyFalcon\

4) Now run smitrem again, then run a panda activescan:
http://www.pandasoftware.com/products/activescan.htm

You should now be rid of Spy Falcon.
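
A read-only check for the leftovers listed in step 3, as an added example that is not part of the original post: it looks for the three paths even when they carry the Hidden or System attribute, and it deletes nothing. The function name Get-LeftoverStatus is hypothetical; the paths are the ones listed in the post.

```powershell
# Added example: report whether the SpyFalcon leftovers from step 3 still exist.
# Paths come from the post above; this script only reads, it never deletes.
$targets = @(
    'C:\Windows\System32\dxmpp.dll',
    'C:\Windows\System32\ginuerep.dll',
    'C:\Program Files\SpyFalcon'
)

function Get-LeftoverStatus {
    param([string[]]$Path)
    foreach ($p in $Path) {
        # -Force returns items with the Hidden or System attribute set,
        # which Explorer's default view does not display.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{
                Path = $p; Present = $false
                Attributes = $null; LastWrite = $null; SHA256 = $null
            }
            continue
        }
        $hash = $null
        if (-not $item.PSIsContainer) {
            # Hash files only, so a sample can be compared or submitted later.
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256 `
                     -ErrorAction SilentlyContinue).Hash
        }
        [pscustomobject]@{
            Path       = $p
            Present    = $true
            Attributes = $item.Attributes
            LastWrite  = $item.LastWriteTime
            SHA256     = $hash
        }
    }
}

$results = Get-LeftoverStatus -Path $targets
$results | Format-List

# Exit code 1 if anything from the list is still on disk, 0 if the system is clean.
if ($results | Where-Object Present) { exit 1 } else { exit 0 }
```

Running it before and after a reboot shows whether a removed file has come back.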
 

pkme2

Diamond Member
Sep 30, 2005
3,896
0
0
I have used all the free spyware removal programs and have finally settled on Webroot's Spysweeper for my PCs. I buy them in 3-lots, for myself and students.
You can still use the freebies but they offer pro versions for a price; so I took a step forward and got the best out there. It works for me, although there are other choices out there. Your preference naturally....