Big Help (SPYWARE) help please :)

Discussion in 'OT Technology' started by x deaD piXeL, Feb 26, 2006.

  1. x deaD piXeL

    x deaD piXeL Turn up the fucking music!

    Joined:
    Jan 24, 2006
    Messages:
    2,272
    Likes Received:
    0
    Location:
    Mill Ave baby, TEMPE AZ
    Well, I just finished getting rid of the biggest annoyance ever - SpyFalcon. I've tried everything else but still have ONE problem. These popups KEEP COMING UP NO MATTER WHAT. I've identified what process they use, but don't know anything else. Here's a ss of some processes (2 of them) and the popup. If you know how to get rid of it, please tell me. I've used SB S&D, SpySweeper, and AdAware. None detect it.

     
  2. Vaytan

    Vaytan New Member

    Joined:
    Aug 31, 2003
    Messages:
    8,852
    Likes Received:
    0
    Location:
    Wpg
    Try using Windows Defender. If that does not work, check whether it is a cmdservice kind of spyware.
     
  3. x deaD piXeL

    "Check it is a cmdservice kinda spyware"

    What?
     
  4. Vaytan

    Use Spybot. And if it says cmdservice or some stuff like that, it is a bugger to get out. But I have a proggie that will remove it. Only the cmdservice spyware.

    But I suggest you try Windows Defender antispyware. It beats EVERYTHING hands down.
     
  5. x deaD piXeL

    Defender didn't get rid of it. Updated it and scanned 3 times.

    Um, I found out more info.
    The files running are all in C:\WINDOWS\TEMP and are ALL in use.
    They don't show in the process list besides 2 of them.
    I've tried deleting them in Safe Mode; still in use.
    Just a second ago, Microsoft blocked some random thing because it couldn't verify the publisher.
    Every 10 seconds, the cmd prompt comes up, as well as an error saying an illegal instruction occurred.
    MORE FILES KEEP BEING CREATED IN MY C:\WINDOWS\TEMP FOLDER
     
  6. x deaD piXeL

    Logfile of HijackThis v1.99.1
    Scan saved at 9:22:12 PM, on 2/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\GetRight\GetRight.exe
    C:\WINDOWS\TEMP\win70.tmp.exe
    C:\WINDOWS\TEMP\win80.tmp.exe
    C:\WINDOWS\TEMP\win70.tmp.exe
    C:\WINDOWS\TEMP\win80.tmp.exe
    C:\WINDOWS\TEMP\win70.tmp.exe
    C:\WINDOWS\TEMP\fcfnkmmd.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Mike\LOCALS~1\Temp\Rar$EX00.437\HijackThis.exe

    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A0903783-5A1B-478D-963D-FDD350D3323B}: NameServer = 216.174.163.20,216.174.163.22
    O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
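    The log above carries the three things a responder would pull out first: executables running from C:\WINDOWS\TEMP (several instances of the same binary alive at once, which matches the "files keep being created" symptom), an O20 Winlogon Notify DLL (winrkp32.dll) that is not a component of a stock Windows XP SP2 install, and O23 services with no publisher string. A Winlogon Notify package is loaded by winlogon.exe at every logon and is not skipped in Safe Mode, so it is the first persistence point to check when deleting files in Safe Mode does not help. The script below is an added example, not part of the thread and not HijackThis code: it parses a HijackThis 1.99 log and flags those three patterns. The allowlist of stock Winlogon Notify packages is an assumption about a clean XP SP2 box, and the embedded log is a constructed, abbreviated copy of the one posted.

```python
"""Triage a HijackThis 1.99 log for a respawning temp-executable infection.

Added example (not from the thread). Flags:
  1. processes running from a Temp directory, with live instance counts,
  2. O20 Winlogon Notify DLLs that are not stock Windows XP SP2 packages,
  3. O23 services whose binary carries no publisher ('Unknown owner').
"""
import re
from collections import Counter

# Constructed sample: the thread's log, abbreviated (Yahoo widget lines dropped).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:22:12 PM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\win70.tmp.exe
C:\WINDOWS\TEMP\win80.tmp.exe
C:\WINDOWS\TEMP\win70.tmp.exe
C:\WINDOWS\TEMP\win80.tmp.exe
C:\WINDOWS\TEMP\win70.tmp.exe
C:\WINDOWS\TEMP\fcfnkmmd.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Mike\LOCALS~1\Temp\Rar$EX00.437\HijackThis.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Any path component named Temp/TEMP/tmp (the thread's win70.tmp.exe and friends).
TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)

# Winlogon Notify packages on a stock XP SP2 install. ASSUMED allowlist; extend
# it with third-party notify DLLs you have verified (graphics drivers, etc.).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")


def parse_log(text):
    """Split a HijackThis log into (running_processes, [(section, detail), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def flag_temp_processes(processes):
    """Executables running from a Temp directory -> {path: live instance count}.
    Several copies of one temp binary alive at once is the respawn pattern."""
    return Counter(p for p in processes if TEMP_DIR_RE.search(p))


def flag_winlogon_notify(entries):
    """O20 DLLs winlogon.exe loads at every logon (Safe Mode does not skip them)
    that are not stock packages. Returns [(package_name, dll_path)]."""
    flagged = []
    for section, detail in entries:
        m = NOTIFY_RE.match(detail) if section == "O20" else None
        if m and m.group(1) not in STOCK_NOTIFY:
            flagged.append((m.group(1), m.group(2)))
    return flagged


def flag_unknown_services(entries):
    """O23 services with no publisher string. A hint, not a verdict: legitimate
    driver helpers (ati2sgag.exe in this log) also ship without version info."""
    return [d for s, d in entries if s == "O23" and "Unknown owner" in d]


def triage(text):
    processes, entries = parse_log(text)
    return {
        "temp_processes": flag_temp_processes(processes),
        "winlogon_notify": flag_winlogon_notify(entries),
        "unknown_owner_services": flag_unknown_services(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key)
        for item in (value.items() if isinstance(value, Counter) else value):
            print("   ", item)
```

    Expect your own tooling to show up in the temp list too (HijackThis was run out of a WinRAR extraction folder under Temp in this log); the signal is in the unfamiliar names with multiple live instances, and in any Notify DLL you cannot account for. Killing the temp executables alone will not hold while the Notify DLL is still registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.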
     
  7. Vaytan

    Did you use any antivirus software?

    Was doing some research on SpyFalcon. Nasty shit you got there. Might be easier to format it.

    Do a Google search for SpyFalcon....

    Has some good tips to remove it all, but if I were you, just format it.
     
  8. x deaD piXeL

    It's not SpyFalcon. It's totally different. It just got on here with SpyFalcon at the same time, from a different source, a different company. Format isn't worth it. I know somebody knows about this and can help. I'm scanning with McAfee now.
     
  9. x deaD piXeL

    Please help me. I keep getting popups every 5 seconds; it's killing me :(
     
  10. dieselv2

    dieselv2 *Roll over this car again...and the car gonna roll

    Joined:
    Feb 19, 2006
    Messages:
    50
    Likes Received:
    0
    Location:
    A house
    1 - Look in that folder or system32 for a VB script which is generating the files. It's usually what's causing it. Right-click on it for Properties to see which company it's from. Don't bother deleting it, as it comes back with a new name.

    2 - Internet Explorer is a welcome home to viruses/spyware. It is full of security holes... get another browser.
     
