VERY BAD - SpyFalcon 2.0

localmotion34
Enthusiast
Posts: 665
Joined: Fri Sep 12, 2003 10:40 pm
Location: Tallahassee, Florida

VERY BAD - SpyFalcon 2.0

Post by localmotion34 »

This might be the MOST malicious spyware I have seen. I got a new Maxtor 300 Gig SATA 16 Meg cache drive, did a fresh dual boot of XP and Win64, and somehow this got onto my computer and wreaked HAVOC.

It took Spybot, Spyware Doctor and McAfee 2006 to get it off, plus booting into safe mode and using .REG files posted on spyware forums.

It creates an icon in the system tray and tells you that your computer is infected, and if you try to click it, it prompts you to pay to register SpyFalcon to remove spyware from your computer.

It is listed as one of the most dangerous adware out there. It downloads a ton of trojans that some people think are hooked to dialers, and might charge you for the connection. One of the dialers' "license" agreements (I saw this posted on a forum) prohibits you from removing or altering the EXE without express consent of the author, which means by removing it or using a removal tool to delete or patch it, you are breaking the agreement and can be charged.

Would anyone perhaps, hmmm, like to help write a removal tool that, umm, maybe links up to the DAT files it uses, and writes hundreds of megabytes of nonsense to them so the nonsense is transmitted back to the source and crashes their servers?

I did this once with another spyware and it got my Comcast account suspended for a bit. I am tired of this crap and really want to fight back hard. This time I am going to use an old crappy machine with an AMD 2800 processor, set it up on my grad school LAN, and give it a try. The most they (the IT guys) can do is make me unhook it, and not deprive me of internet at home.

Anyone else who is sick of this, let me know, and maybe we can find a way to put a hurting on these people. If you can't tell already, I am so ripped I can't sleep.

Code:

!.WHILE status != dwPassedOut
! Invoke AllocateDrink, dwBeerAmount
!MOV Mug, Beer
!Invoke Drink, Mug, dwBeerAmount
!.endw
PB
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

Re: VERY BAD - SpyFalcon 2.0

Post by PB »

> it took spybot, spyware doctor and Mcafee 2006 to get it off, plus
> booting into safe mode and using .REG files posted on spyware forums

Surely a quick System Restore to the install date would have removed it?
And you said "fresh" install, so I take it you weren't browsing with Firefox?
I compile using 5.31 (x86) on Win 7 Ultimate (64-bit).
"PureBasic won't be object oriented, period" - Fred.
Num3
PureBasic Expert
Posts: 2810
Joined: Fri Apr 25, 2003 4:51 pm
Location: Portugal, Lisbon

Post by Num3 »

I've found some trojans that copy themselves into the system restore folder, so even if you run the antivirus and remove it, Windows System Restore restores it, over and over...
PB
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

Post by PB »

@Num3: I know that, but he said he did a recent fresh install of Windows, so
there'd be a restore point for that, which is the point that I was asking that he
restore to ("to the install date"). ;)
Num3
PureBasic Expert
Posts: 2810
Joined: Fri Apr 25, 2003 4:51 pm
Location: Portugal, Lisbon

Post by Num3 »

Yeah!

Ok, here's what I do with those trojan bastards:

a) look for the process name
b) find the launch path and program name
c) find the regkey that launches the program name

After getting this info:

d) kill the process
e) delete the file
f) delete the program
flaith
Enthusiast
Posts: 704
Joined: Mon Apr 25, 2005 9:28 pm
Location: $300:20 58 FC 60 - Rennes

Post by flaith »

and:
g) delete all the files in the 'temp' folder
h) delete all the files in the 'temporary internet files' folder
:wink:
“Fear is a reaction. Courage is a decision.” - WC
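Steps a) to c) above, together with flaith's temp-folder steps g) and h), as an added read-only triage script in PowerShell (not code from this thread): it lists the Run/RunOnce autostart entries, resolves each to the executable it launches, and reports whether that file exists, is currently running, and sits in a temp folder. The registry keys are the standard Windows ones; the temp folder list and the function names are assumptions. It changes nothing, so steps d) to f) remain a manual decision made from its output.

```powershell
# Added example, not code from this thread: read-only inventory of Run/RunOnce
# autostart entries, mapped to the executable they launch and whether it is running.
function Get-AutorunReport {
    # Standard per-machine and per-user autostart keys.
    $autorunKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Temp locations that steps g) and h) clear; an autostart entry pointing into
    # one of them deserves a second look (assumed list, not exhaustive).
    $suspectDirs = @($env:TEMP, "$env:LOCALAPPDATA\Temp",
                     "$env:USERPROFILE\Local Settings\Temporary Internet Files") |
                   Where-Object { $_ }
    # Provider bookkeeping properties added by Get-ItemProperty, not registry values.
    $psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    # Full image paths of everything running now (Path is null for protected processes).
    $running = Get-Process -ErrorAction SilentlyContinue |
               Where-Object Path | ForEach-Object { $_.Path }

    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $entry = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $entry.PSObject.Properties) {
            if ($psProps -contains $prop.Name) { continue }
            $image = Resolve-AutorunImage ([string]$prop.Value)
            [pscustomobject]@{
                Key          = $key
                ValueName    = $prop.Name
                Image        = $image
                FileExists   = [bool]($image -and (Test-Path -LiteralPath $image))
                Running      = $running -contains $image      # case-insensitive match
                InTempFolder = [bool]($suspectDirs | Where-Object { $image -like "$_\*" })
            }
        }
    }
}

# Turns a Run value such as "C:\x\a.exe" /s, C:\x\a.exe /s or %SystemRoot%\a.exe
# into the bare executable path so it can be compared with process image paths.
function Resolve-AutorunImage([string]$command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+)')     { return $Matches[1] }
    return $expanded
}

Get-AutorunReport | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and all process paths are readable; an entry whose file is missing but whose value is still present is the leftover a re-creating trojan will use on the next boot.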
Num3
PureBasic Expert
Posts: 2810
Joined: Fri Apr 25, 2003 4:51 pm
Location: Portugal, Lisbon

Post by Num3 »

flaith wrote:
and:
g) delete all the files in the 'temp' folder
h) delete all the files in the 'temporary internet files' folder
:wink:
Oops, you're right!
I don't use IE, so don't need to use this :P

In fact I use AntiVir Guard also, which doesn't allow Malware / Trojans / Dialups / Jokes to install! (has to be turned on in Advanced Settings)

http://www.free-av.com/

Try it, it's free and uses little memory!
Joakim Christiansen
Addict
Posts: 2452
Joined: Wed Dec 22, 2004 4:12 pm
Location: Norway

Post by Joakim Christiansen »

Num3 wrote:
Ok, here's what I do with those trojan bastards:

a) look for the process name
b) find the launch path and program name
c) Find the regkey that launches the program name

After this info

d) kill the process
e) delete the file
f) delete the program
Not very easy when the program starts again right after you ended it, or when it adds a new key right after you deleted the key. :P
Num3
PureBasic Expert
Posts: 2810
Joined: Fri Apr 25, 2003 4:51 pm
Location: Portugal, Lisbon

Post by Num3 »

True...

Ok, even better:

Format c: /q !
PB
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

Post by PB »

> i use AntiVir Guard

Yep, I ditched Avast for AntiVir and was amazed by how fast my PC became!
Avast was literally sucking the life out of my PC, to the point where I thought
my hardware was faulty or something! :(
Killswitch
Enthusiast
Posts: 731
Joined: Wed Apr 21, 2004 7:12 pm

Post by Killswitch »

I had a problem with some spyware like this before. I found the offending .exe's (one would restore the other if you deleted it), then booted up in safe mode. I deleted both .exes and replaced them with blank ones and set them to be read-only. I also got rid of the keys. It wiped out the problem and I haven't had a problem since :).
~I see one problem with your reasoning: the fact is that's not a chicken~
Joakim Christiansen
Addict
Posts: 2452
Joined: Wed Dec 22, 2004 4:12 pm
Location: Norway

Post by Joakim Christiansen »

PB wrote:
> i use AntiVir Guard

Yep, I ditched Avast for AntiVir and was amazed by how fast my PC became!
Avast was literally sucking the life out of my PC, to the point where I thought
my hardware was faulty or something! :(
I also use that :wink:
www.free-av.com
techjunkie
Addict
Posts: 1126
Joined: Wed Oct 15, 2003 12:40 am
Location: Sweden

Post by techjunkie »

Where can you get SpyFalcon 2.0? Would be fun to play with it - on VMware or MS Virtual PC of course! :lol:
(\__/)
(='.'=) This is Bunny. Copy and paste Bunny into your
(")_(") signature to help him gain world domination.
localmotion34
Enthusiast
Posts: 665
Joined: Fri Sep 12, 2003 10:40 pm
Location: Tallahassee, Florida

Post by localmotion34 »

http://spyfalcon.com/

Have fun with it, and let me know when you finally manage to get it off. I hope you have McAfee, that's the only thing that got it for me.

Baldrick
Addict
Posts: 860
Joined: Fri Jul 02, 2004 6:49 pm
Location: Australia

Post by Baldrick »

Here is some info you might find useful

http://securityresponse.symantec.com/av ... alcon.html

regards