954,255 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
6 Years Ago
0

Virus alert! icon in sytem try maybe spyfalcon

I am also getting a disable icon in the bottom right coner of my systray next to the clock. It flashes and popsup a box saying somthing about a virus alert get a animalware scanner program.
I click on it I go to spyfalcon.
Used it nothing happened. I did all the other things I read about in the other posts.
Does this virus files the same on all computers or does it effect different files?
here is my hijckthis file log for you:
Logfile of HijackThis v1.99.1
Scan saved at 9:51:01 AM, on 19/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\DigitalPersona\Bin\DpHost.exe
D:\WINDOWS\system32\MotorolaDAP.exe
D:\Program Files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe
D:\Program Files\Microsoft SQL Server\MSSQL$STOM\Binn\sqlservr.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Registry Mechanic\RegMech.exe
D:\WINDOWS\system32\ZoneLabs\isafe.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Safe OffSite\SOS Online Backup v1.2\sosuploadagent.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\ewido anti-malware\SecuritySuite.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Application Installers\KillBox.exe
D:\Program Files\TTMessenger 2.1\ttmessenger2.exe
D:\Application Installers\HijackThis.exe
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - D:\WINDOWS\system32\hpBE27.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FJTWAIN Setup] D:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Daemon14] D:\PROGRA~1\MICROS~2\GAMECO~1\STRATE~1\daemon14.exe
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [FtLnSOP_setup] D:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [DPAgnt] D:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StartMeSGS] D:\Program Files\Safe OffSite\SOS Online Backup v1.2\sosuploadagent.exe
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [c750348f.exe] D:\WINDOWS\system32\c750348f.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [c750348f.exe] D:\Documents and Settings\Home\Local Settings\Application Data\c750348f.exe
O4 - HKCU\..\Run: [TTMessenger] "D:\Program Files\TTMessenger 2.1\ttmessenger2.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [TTMessengerPDF] "D:\Program Files\TTMessenger 2.1\spool\PDFSaver.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = D:\Program Files\Audible\Bin\adhelper.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = D:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~3\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DPWLN - D:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: LMIinit - D:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: winhld32 - D:\WINDOWS\SYSTEM32\winhld32.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - D:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - D:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - D:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Motorola Digital Audio Player Manager (MotorolaDAP) - Motorola Inc. - D:\WINDOWS\system32\MotorolaDAP.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

I hope that helps to get rid off it. I wanted to retore to earlyer point. Though my computer could only restore to when the day it came on.

shrimpygirl
Newbie Poster
6 posts since May 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Remove these lines:

D:\WINDOWS\system32\devldr32.exe
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - D:\WINDOWS\system32\hpBE27.tmp
O4 - HKLM\..\Run: [c750348f.exe] D:\WINDOWS\system32\c750348f.exe
O4 - HKCU\..\Run: [c750348f.exe] D:\Documents and Settings\Home\Local Settings\Application Data\c750348f.exe
O20 - Winlogon Notify: winhld32 - D:\WINDOWS\SYSTEM32\winhld32.dll
O20 - Winlogon Notify: DPWLN - D:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: LMIinit - D:\WINDOWS\SYSTEM32\LMIinit.dll

It looks like there are multiple infections, are you running a virus scanner and up to date with windows updates?

Run a virus scanner (such as AVG: http://free.grisoft.com ) after doing this.

If you believe it is Spyfalcon, here is some spyfalcon removal instructions:
http://www.technibble.com/how-to-remove-spyfalcon/

Kn10
Light Poster
28 posts since Jan 2006
Reputation Points: 10
Solved Threads: 1
 
6 Years Ago
0

Uh,



O20 - Winlogon Notify: DPWLN - D:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: LMIinit - D:\WINDOWS\SYSTEM32\LMIinit.dll


These to are legit, belonging to the LogmeIn servce. Do not fix these...

More detailed instructions :).

Please run HJT again, selectDo ysstem scan only. Then check these items.


O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - D:\WINDOWS\system32\hpBE27.tmp

O4 - HKLM\..\Run: [c750348f.exe] D:\WINDOWS\system32\c750348f.exe

O4 - HKLM\..\Run: [c750348f.exe] D:\WINDOWS\system32\c750348f.exe

O4 - HKCU\..\Run: [c750348f.exe] D:\Documents and Settings\Home\Local Settings\Application Data\c750348f.exe

Click Fix Checked.

_________________________________________________

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

______________________________________________________

Please download ewido anti-malware it is a free version of the program.Install ewido anti-malware
When installing, under "Additional Options" uncheck..Install background guard
Install scan via context menu

Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful" )
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:Open up Ewido
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

Reboot.

___________________________________________________

Post a new HJT log, and teh ewido log, and teh smitfraudfix log - And we will continue the fix...

tayspen
<Insert title here>
Team Colleague
1,622 posts since Jul 2005
Reputation Points: 84
Solved Threads: 99
 
6 Years Ago
0

I have done as said for hijackthis. I did the other suff before. It still is there. Also is in safemode.

What should I do next?

shrimpygirl
Newbie Poster
6 posts since May 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Here you go as asked

SmitFraudFix v2.44
Scan done at 13:00:13.20, 19/05/2006
Run from D:\Application Installers\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» D:\

»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS
D:\WINDOWS\.protected FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32
D:\WINDOWS\system32\hp????.tmp FOUND !
D:\WINDOWS\system32\stdole3.tlb FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Home\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
D:\DOCUME~1\Home\STARTM~1\Programs\Startup\.protected FOUND !
D:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\Home\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e04408db-4812-4478-8d4d-e46edcffd3b6}"="AutoDisc Ware"
[HKEY_CLASSES_ROOT\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6}\InProcServer32]
@="D:\WINDOWS\system32\fyhhxw.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6}\InProcServer32]
@="D:\WINDOWS\system32\fyhhxw.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

shrimpygirl
Newbie Poster
6 posts since May 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

I still have the icon in the sytem try next to clock. I don't think it is spyfalcon though links to it. I not got it installed.
What should I do? I restore my computer to early date.
Should I reinstall the system? I just want to know where to go from here? it is in safe mode.

shrimpygirl
Newbie Poster
6 posts since May 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Here you do as asked:
SmitFraudFix v2.44
Scan done at 13:15:15.32, 19/05/2006
Run from D:\Application Installers\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» End


What next?

shrimpygirl
Newbie Poster
6 posts since May 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Post another HJT log. so we can see what remains.

tayspen
<Insert title here>
Team Colleague
1,622 posts since Jul 2005
Reputation Points: 84
Solved Threads: 99
 
6 Years Ago
0

I have got rid off it. I deleted a file from my hard drive not in windows or the system32 folder. I also got rid of all my private data in firefox and Internet explorer my temporary iinternet files and cookies.
I forgot I reinstalled some programs that I didn't need or use. This all helped. So far. After that should do a reinstall and after each deletion of the Internet temp files
This has helped. So far.
Also I recommend any one who gets this problem please do as I did above. We all for get that we need to remove/delete the all the Internet temporary files and cookies some time off our computer.


Logfile of HijackThis v1.99.1
Scan saved at 8:58:32 AM, on 20/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Microsoft IntelliType Pro\type32.exe
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
D:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
D:\Program Files\DigitalPersona\Bin\DPAgnt.exe
D:\Program Files\LogMeIn\LogMeInSystray.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\TTMessenger 2.1\spool\PDFSaver.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Audible\Bin\adhelper.exe
D:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\WINDOWS\system32\mrtMngr.EXE
D:\Program Files\DigitalPersona\Bin\DpHost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\WINDOWS\system32\MotorolaDAP.exe
D:\Program Files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe
D:\Program Files\Microsoft SQL Server\MSSQL$STOM\Binn\sqlservr.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
D:\WINDOWS\system32\ZoneLabs\isafe.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Data Deposit Box\Data Deposit Box\startup.exe
D:\Program Files\Data Deposit Box\Data Deposit Box\backup.exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\Quicken1\qw.exe
D:\Program Files\TTMessenger 2.1\ttmessenger2.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
D:\Program Files\Mozilla Thunderbird\thunderbird.exe
D:\Program Files\Microsoft Office\Office10\MSPUB.EXE
D:\Program Files\ShipWorks\ShipWorks.exe
D:\Program Files\Crazy Browser\Crazy Browser.exe
D:\PROGRA~1\SMARTD~1\SMARTD~1.EXE
D:\Application Installers\HijackThis.exe
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [FtLnSOP_setup] D:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [DPAgnt] D:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StartMeSGS] D:\Program Files\Safe OffSite\SOS Online Backup v1.2\sosuploadagent.exe
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [TTMessenger] "D:\Program Files\TTMessenger 2.1\ttmessenger2.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [TTMessengerPDF] "D:\Program Files\TTMessenger 2.1\spool\PDFSaver.exe"
O4 - HKCU\..\Run: [c750348f.exe] D:\Documents and Settings\Home\Local Settings\Application Data\c750348f.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = D:\Program Files\Audible\Bin\adhelper.exe
O4 - Global Startup: Data Deposit Box.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = D:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~3\msgrapp.dll" (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - D:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - D:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - D:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Motorola Digital Audio Player Manager (MotorolaDAP) - Motorola Inc. - D:\WINDOWS\system32\MotorolaDAP.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Online Backup Service - Unknown owner - D:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

shrimpygirl
Newbie Poster
6 posts since May 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

I am pretty sure this is Spyfalcon, does the popup look like this:
[IMG]http://www.technibble.com/articlecontent/casestudy-virus/virus2.gif[/IMG]

If so, this is where you can find Spyfalcon removal instructions

Kn10
Light Poster
28 posts since Jan 2006
Reputation Points: 10
Solved Threads: 1
 
4 Years Ago
0

If you are sure that you have removed all the malware, viruses, trojans, etc.

Hit the start button.
Go to run...
Type in regedit
When the Registry Editor program starts, click on Edit at the top, click on Find...
Type in "Virus Alert!" without the quotes
One of the places it should find it is sTimeFormat
Right click on sTimeFormat
Click on Modify
Under Value Data: enter "h:mm:ss tt" without the quotes of course
Click on OK
Hit F3 to find any more instances of Virus Alert! and erase them
Restart your computer


Worked for me. Hope it helps

forallgoo
Newbie Poster
2 posts since May 2008
Reputation Points: 10
Solved Threads: 0
 
4 Years Ago
0

Thanks forallgoo, but this thread is two years old and I doubt the OP is coming back :D.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
4 Years Ago
0

I posted this info because my wife's computer was infected 5-26-08. It took me several hours to restore it. All of the programs that I used to fix it did not repair the little clock glitch. I guess the clock thing is technically not even a virus, but it was very annoying.

forallgoo
Newbie Poster
2 posts since May 2008
Reputation Points: 10
Solved Threads: 0
 
4 Years Ago
0

No worries :)

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
4 Years Ago
0
No worries :)


I also had the "VIRUS ALERT!" issue and solved it only by making the changes to the Registry mentioned aboveBUT
does anyone know what virus/malaware causes this? There may be other effects that we haven't discovered yet.

dsc123
Newbie Poster
1 post since May 2008
Reputation Points: 10
Solved Threads: 0
 

This article has been dead for over three months

Post: Markdown Syntax: Formatting Help
You
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed