Spyfalcon - what a bu**er to remove

Does NOD detect this wonderful ) bit of software?

edited to disable link - Detox

 

Dont know, have you tried
http://www.superantispyware.com/
Free

 

Never inlcude links to such a dame malware , please !

I don't think so but I can't be sure. These days I used NOD32 for DOS with nod32.000 and it detected many other thing but not SpyFalcon. I can't guarantee for the full NOD32 for Windows.

SpyFalcon can easily be recognied and the free SpyBot S&D + Ad-Aware can take care of SpyFalcon if you scan in Safe Mode and it is crutial to turn off System Restore when you restart and that's it ... ;-)

By the way , I also would like to know if NOD32 can detect WinFixer ,SpyFalcon and Smithfraud ... ( I know it detects Vundo , for example) ;-)

Regards!

 

I can confirm that NOD32 detects SpyFalcon, WinFixer and similar variants generically without update. As for the programs themselves, some exe/dlls are detected by a signature, some heuristically and some others are pending for addition.

Trojan.Fakealert (DrWeb)
Download/WinFixer (Fortinet)
a variant of Win32/Adware.WinFixer (NOD32v2)
Trojan.Fakealert (VBA32)

 

Thanks Marcos for the prompt reply

 

Do you mean that the early detection system (AMON or IMON) can detect files (signatures or heuristic-no matter) ?

 

I've added a scan result where you can see the downloader being detected proactively using ThreatSense, without the appropriate signature.

 

How about once its on someones machine? Can it deal with removing the appropriate registry entries?

 

For such cases I use Ad-Aware SE and SpyBot S&D

 

NOD32 should detect the binary files necessary to run the program and delete them. I assume it would be ok to leave the reigistry as is, it shouldn't do any harm with the binaries removed. Otherwise you can use a registry cleaner or a dedicated anti-spyware program as HiTech_boy suggested.

 

Unfortunately it installs itself as a BHO which means it keeps coming back...

Off to try spybot etc!

 

Is it a fresh installation or NOD32 has been installed and kept up-to-date for a long time? Maybe you could drop an email to support[at]eset.com with a link to this thread and we'll try to help you without resorting to use another program.

 

Its a customers pc that was already infected. The main files had already been deleted but it kept coming back through the BHO and a link to a randomly named .tmp file in the win /system32 folder (I could see these in the registry).

I installed NOD on the pc but it didnt find anything unusual

Oh well, his infected computer, my job to clean it, my bank managers delight!

 

I have come across this one before

Hope this helps...

Let us know how you go.

Cheers

 

Hi, Blackspear. When I went to the prior Geeks to Go post and clk'd the red link VundoFix.exe (from Post #2 in "is HERE" link ), IMON gave Red Alert & prevented the page from loading. I'd be interested if that happens to others or is just my quirk. I'm Win Me, NOD32 up-to-date. Thanks & FYI.
Edit: I should have included the Alert data : Infiltration: Win32/PrcView application, which is what PYKKO found 2 posts below when he tried alternate sites from Blackspear.Probably a FP.

 

Try this link: http://www.atribune.org/ccount/click.php?id=4 with further info here: http://www.geekstogo.com/forum/index.php?showtopic=109063&hl=vundofix

Cheers

 

NOD32 prompts me with: Win32/PrcView application
Perhaps FP or a real threat.

 

Is this Blackspear encouraging us to download infected files??!!

 

ROFLMAO, yeah indeed, don't know why the direct link has Nod32 lighting up like that Marcos or Inspector would know.

Cheers

 

Hi if you want to know more about how to remove any of the above go to thiis new site just started up by captain spyware.
I have just joined it because he backed me up when someone on another forum was slagging off nod32.

Anyway here is the link.

http://www.virusvault.co.uk/fusionbb/fusionbb.php?

you may have to sign up to be a member but this site deals with nothing but malware.