Spyfalcon - what a bu**er to remove

Discussion in 'NOD32 version 2 Forum' started by pc-support, Apr 25, 2006.

Thread Status:
Not open for further replies.
  1. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Does NOD detect this wonderful :):) ) bit of software?

    edited to disable link - Detox
     
    Last edited by a moderator: Apr 25, 2006
  2. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
  3. ASpace

    ASpace Guest

    Never include links to such damn malware, please!

    I don't think so, but I can't be sure. These days I use NOD32 for DOS with nod32.000 and it detected many other things, but not SpyFalcon. I can't guarantee anything for the full NOD32 for Windows.

    SpyFalcon can easily be recognised, and the free SpyBot S&D + Ad-Aware can take care of SpyFalcon if you scan in Safe Mode. It is crucial to turn off System Restore when you restart, and that's it ... ;-)

    By the way, I would also like to know if NOD32 can detect WinFixer, SpyFalcon and Smithfraud ... (I know it detects Vundo, for example) ;-)

    Regards!
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I can confirm that NOD32 detects SpyFalcon, WinFixer and similar variants generically without an update. As for the programs themselves, some exe/dlls are detected by a signature, some heuristically and some others are pending addition.

    Trojan.Fakealert (DrWeb)
    Download/WinFixer (Fortinet)
    a variant of Win32/Adware.WinFixer (NOD32v2)
    Trojan.Fakealert (VBA32)
     
  5. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Thanks Marcos for the prompt reply :D
     
  6. ASpace

    ASpace Guest


    Do you mean that the early detection system (AMON or IMON) can detect the files (signatures or heuristics, no matter which)?

    :)
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I've added a scan result where you can see the downloader being detected proactively using ThreatSense, without the appropriate signature.
     
  8. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    How about once it's on someone's machine? Can it deal with removing the appropriate registry entries?
     
  9. ASpace

    ASpace Guest


    For such cases I use Ad-Aware SE and SpyBot S&D
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    NOD32 should detect the binary files necessary to run the program and delete them. I assume it would be OK to leave the registry as is; it shouldn't do any harm with the binaries removed. Otherwise you can use a registry cleaner or a dedicated anti-spyware program, as HiTech_boy suggested.
     
  11. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Unfortunately it installs itself as a BHO which means it keeps coming back... :(

    Off to try spybot etc!
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Is it a fresh installation, or has NOD32 been installed and kept up to date for a long time? Maybe you could drop an email to support[at]eset.com with a link to this thread and we'll try to help you without resorting to using another program.
     
  13. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    It's a customer's PC that was already infected. The main files had already been deleted, but it kept coming back through the BHO and a link to a randomly named .tmp file in the win/system32 folder (I could see these in the registry).

    I installed NOD on the PC but it didn't find anything unusual.

    Oh well, his infected computer, my job to clean it, my bank managers delight!
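The symptom described in the post above (binaries already deleted, but a BHO registration and a CLSID pointing at a random-looking .tmp in system32 still in the registry) is exactly the "orphaned registry entry" situation Marcos says is harmless once the binaries are gone, and also the reason the infection "keeps coming back" when the .tmp is re-dropped. The following is an added example, not code from the thread or from ESET: it parses a `reg export` style dump of the Browser Helper Objects key and the matching `CLSID\{...}\InprocServer32` keys, and flags each BHO whose server DLL is a .tmp under system32 or no longer exists on disk. The sample .reg text, the CLSIDs and the `k3a9f1.tmp` filename are constructed for the example, and the `existing_files` set is a stand-in for `os.path.exists()` so it runs offline.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of a "reg export" dump (not from the thread): a legitimate
# Acrobat helper, a BHO pointing at a random-looking .tmp in system32, and a
# third registered CLSID whose InprocServer32 key is missing entirely.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-5555-6666-7777-888888888888}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCCCCCCC-9999-0000-AAAA-BBBBBBBBBBBB}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-5555-6666-7777-888888888888}\InprocServer32]
@="C:\\WINDOWS\\system32\\k3a9f1.tmp"
"ThreadingModel"="Apartment"
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}")  # keys are lower-cased before matching

Finding = Tuple[str, Optional[str], List[str]]  # (CLSID, server path, reasons)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key (lower-case): {value name: value}}.
    '@' is stored as '(Default)'; quoted strings have \\\\ and \\" unescaped."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def find_bhos(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Every CLSID registered under the Browser Helper Objects key."""
    prefix = BHO_KEY.lower() + "\\"
    found = []
    for key in keys:
        if key.startswith(prefix):
            m = CLSID_RE.search(key[len(prefix):])
            if m:
                found.append(m.group(0).upper())
    return found


def resolve_inproc(keys: Dict[str, Dict[str, str]], clsid: str) -> Optional[str]:
    """Server DLL for a CLSID, checked under HKCR and the HKLM\\SOFTWARE\\Classes alias."""
    for hive in ("HKEY_CLASSES_ROOT", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"):
        entry = keys.get(f"{hive}\\CLSID\\{clsid}\\InprocServer32".lower())
        if entry is not None:
            return entry.get("(Default)")
    return None


def audit_bhos(reg_text: str, existing_files: Set[str]) -> List[Finding]:
    """Flag BHOs whose server is a .tmp under system32 or is missing from disk.
    existing_files is a stand-in for os.path.exists() so the example runs offline."""
    keys = parse_reg(reg_text)
    present = {f.lower() for f in existing_files}
    findings: List[Finding] = []
    for clsid in find_bhos(keys):
        path = resolve_inproc(keys, clsid)
        reasons: List[str] = []
        if path is None:
            reasons.append("no InprocServer32 value for this CLSID")
        else:
            p = path.lower()
            if "\\system32\\" in p and p.endswith(".tmp"):
                reasons.append("DLL is a .tmp file under system32")
            if p not in present:
                reasons.append("referenced file not on disk (orphaned entry)")
        findings.append((clsid, path, reasons))
    return findings


if __name__ == "__main__":
    # Simulates the cleaned machine: the .tmp is gone, the Acrobat DLL remains.
    on_disk = {r"C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll"}
    for clsid, path, reasons in audit_bhos(SAMPLE_REG, on_disk):
        print(clsid, path, "; ".join(reasons) or "ok")
```

On a real machine you would feed it the concatenation of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` and `reg export HKCR\CLSID clsid.reg`, and replace the `existing_files` set with `os.path.exists()`. An orphaned entry (file gone) is the harmless leftover Marcos describes; a .tmp that is still present, or that reappears after reboot, is the persistence the original poster was fighting and should be removed together with its BHO key. The example only covers the 32-bit key path the 2006 thread concerns, not the Wow6432Node view on 64-bit Windows.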
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  15. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    Hi, Blackspear. When I went to the prior Geeks to Go post and clicked the red link VundoFix.exe (from Post #2 in the "is HERE" link), IMON gave a Red Alert and prevented the page from loading. I'd be interested if that happens to others or is just my quirk. I'm on Win Me, NOD32 up to date. Thanks & FYI.
    Edit: I should have included the Alert data: Infiltration: Win32/PrcView application, which is what PYKKO found 2 posts below when he tried alternate sites from Blackspear. Probably a FP.
     
    Last edited: Apr 26, 2006
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    NOD32 prompts me with: Win32/PrcView application
    Perhaps FP or a real threat. o_O
     
  18. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Is this Blackspear encouraging us to download infected files??!! :eek: :D :p
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    ROFLMAO, yeah indeed, I don't know why the direct link has NOD32 lighting up like that :blink: Marcos or Inspector would know.

    Cheers :D
     
  20. thedon57

    thedon57 Registered Member

    Joined:
    Apr 4, 2006
    Posts:
    30
    Location:
    uk
    Hi, if you want to know more about how to remove any of the above, go to this new site just started up by Captain Spyware.
    I have just joined it because he backed me up when someone on another forum was slagging off NOD32.

    Anyway here is the link.

    http://www.virusvault.co.uk/fusionbb/fusionbb.php?

    you may have to sign up to be a member but this site deals with nothing but malware.
     