SpyFalcon Aftermath?

iHatePopUps Singapore
edited March 2006 in Spyware & Virus Removal
I recently got hit by SpyFalcon and I followed all the steps posted to get rid of it. Now that it is done, I'm starting to experience strange stuff bit by bit which I don't know if it is a problem worth bringing up. I rid myself of SpyFalcon 3 days ago. 2 days ago, I noticed in my Windows Task Manager that I had "IEXPLORE.EXE" open when I didn't touch the internet for the entire time I was at my PC. Surprisingly, there are no popups either - just the program taking up some memory space. The same thing happened yesterday as well. Today that didn't happen, but after I opened my Hotmail inbox, checked mail (there were no suspicious ones) and closed IE, I noticed that there were 2 new icons on my desktop, one labelled 'Online Pharmacy' and the other, a folder called 'Fast Loans'. Both were shortcuts to IE. I deleted both of them, cleared my Internet Temp Folder and Cookies, then ran Ad-Aware & SpywareBlaster, updated them and scanned (Full system). Fixed any errors that I found. Now I find that the 2 icons are back on my desktop again.
Both link to the same page "http://cc.mizuba.org/search.php?q=Fast+Loans&aff_id=9". How do i fix this?

Also, in my temp folder, there's this file that constantly appears even after I delete it called "Perflib_Perfdata_ffc.dat". Is it of any threat? What is it exactly?

Comments

  • iHatePopUps Singapore
    edited March 2006
    Now there's also this folder that keeps appearing in the temp folder as well, named "AAWTMP". I've scanned my PC using Ad-Aware another time now and it shows 9 object results of "Possible Browser Hijack Attempts" and says that they do not pose a threat. The results of the first scan also had this, but Ad-Aware gave it a level 8 warning. What is wrong? Someone help please.
  • iHatePopUps Singapore
    edited March 2006
    Here's my HJT log if you need it. I'll be posting the results of my Panda scan later. Please tell me what to do. Here's the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:00:56 AM, on 3/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll (file missing)
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A8842474-7D8D-4371-9462-79560AC4808D}: NameServer = 202.156.1.48,202.156.1.68
    O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
    O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MySql - Unknown owner - C:\MySql\bin\mysqld (file missing)
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
    O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
    O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
    O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceNARU - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
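Added here as a triage aid, not code from this thread or from HijackThis: a small Python parser that reads HJT log lines like the ones above and flags the entry types that most often carry a browser hijack, so a helper can see at a glance which lines to verify before fixing anything. It flags R0/R1 search and start-page values pointing at hosts the owner did not choose, O3 toolbars whose DLL is missing, O8 context-menu items that load from a web host, O17 DNS server overrides, and O20 Winlogon Notify DLLs. The TRUSTED_HOSTS set is an assumption (the Yahoo start page is the one the poster set), and SAMPLE_LOG is a constructed sample that reuses entries from the log posted above.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts the machine's owner chose on purpose (the Yahoo start page here).
TRUSTED_HOSTS = {"www.yahoo.com"}

# Constructed sample, reusing entries from the HJT log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8842474-7D8D-4371-9462-79560AC4808D}: NameServer = 202.156.1.48,202.156.1.68
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
"""

R_ENTRY = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")   # IE start/search values
O_ENTRY = re.compile(r"^O(?P<num>\d+) - (?P<body>.*)$")          # all other HJT sections

def host_of(url: str) -> str:
    """Hostname of an http(s) URL; '' for about:blank, res:// and local paths."""
    p = urlparse(url.strip())
    return (p.hostname or "") if p.scheme in ("http", "https") else ""

def triage(log_text: str) -> list:
    """Return [(line, reason)] for entries worth verifying before cleanup."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        r = R_ENTRY.match(line)
        if r:  # search/start page redirected to a host the owner did not pick
            host = host_of(r.group("value"))
            if host and host not in TRUSTED_HOSTS:
                findings.append((line, f"IE search/start setting points at {host}"))
            continue
        o = O_ENTRY.match(line)
        num, body = (o.group("num"), o.group("body")) if o else ("", "")  # header/process lines skip
        if num == "3" and body.endswith(("(no file)", "(file missing)")):
            findings.append((line, "toolbar CLSID registered but its DLL is gone"))
        elif num == "8":  # context-menu entries that call out to a web host
            host = host_of(body.split(" - ", 1)[-1])
            if host and host not in TRUSTED_HOSTS:
                findings.append((line, f"context-menu item loads from {host}"))
        elif num == "17":  # per-adapter DNS override: confirm these are the ISP's servers
            findings.append((line, "DNS servers set to " + body.split("NameServer = ", 1)[-1]))
        elif num == "20":  # Winlogon Notify DLLs load at every logon: a persistence point
            findings.append((line, "Winlogon Notify DLL; verify its publisher before trusting it"))
    return findings
```

Running triage(SAMPLE_LOG) flags five of the eight sample lines and leaves the Yahoo start page, the about:blank value and the res:// Google menu item alone.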
  • iHatePopUps Singapore
    edited March 2006
    Here are my ActiveScan results:

    Incident Status Location

    Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\winres.dll
    Adware:adware/block-checker Not disinfected C:\WINDOWS\SYSTEM32\ustart.exe
    Adware:adware/ist.istbar Not disinfected C:\Documents and Settings\Administrator\Favorites\~ VIP Free Porn ~.url
    Adware:adware/winres Not disinfected C:\WINDOWS\winres.dll
    Potentially unwanted tool:application/need2find Not disinfected HKEY_CURRENT_USER\SOFTWARE\NEED2FIND
    Spyware:spyware/altnet Not disinfected Windows Registry
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Administrator\Application Data\Sizepeaknew\bolt store.exe
    Joke:Joke/Stress Not disinfected C:\Documents and Settings\All Users\Start Menu\Programs\StressRelief.EXE
    Hacktool:HackTool/Flood Not disinfected C:\Program Files\mIRC\MiRCfullPro\system\dll\nHTMLn.dll
    Spyware:Spyware/AdClicker Not disinfected C:\shared\mechwarrior 3 no-cd crack.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\smitrem\smitRem\Process.exe
    Adware:Adware/SpywareStrike Not disinfected C:\WINDOWS\system32\ginuerep.dll
    Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\temp\win956.tmp.exe
    Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\winres.dll
    What do I do? Do I delete the files?