SpywareQuake/SpyFalcon Removal Instructions, and Other Smitfraud Variants

sparksspace | Tuesday, January 08, 2008 | 0 comments

SpywareQuake and SpyFalcon belong to the Smitfraud family of desktop hijackers. They pop up over the desktop or raise an alert from the taskbar near the clock, displaying a warning that your computer is infected with spyware and telling you to buy/download/install their program. These warnings are fake; their only purpose is to pressure you into buying the commercial version of the software. This variant differs slightly from the earlier ones (SpywareStrike, SpyAxe, etc.) in that the alerts do not imitate Windows Security alerts but appear as a square rising from the taskbar. An example of this alert:
[screenshot: example of the fake taskbar alert]
Other Smitfraud variants include:
Security IGuard
Virtual Maid
Search Maid
AntiVirusGold
PSGuard
RazeSpyware
SpyAxe
SpySheriff
SpywareStrike
WinHound
SpywareQuake/SpyFalcon/Smitfraud Removal
The following steps may not remove everything, but they are a good start and will at least restore the desktop to its default so you can proceed with complete removal using the tools below.
1. Print out these instructions or save them to Notepad: most steps are done offline and in SAFE MODE, so this browser window will not be available to read from.
2. (Win2k/WinXP only) Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
Note: SmitfraudFix will not run on Win98/ME. Users of those operating systems should skip to step 3b.
[screenshot: the SmitfraudFix folder on the Desktop]
Note: process.exe is part of the SmitfraudFix tool and is flagged by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool". It is not a virus but a utility used to stop system processes; antivirus programs cannot tell "good" from "malicious" use of such tools, so they may alert you.
http://www.beyondlogic.org/consulting/proc...processutil.htm
3a. Windows XP/2K (includes Ewido)
Download, install, and update Ewido AntiMalware (get the free trial version)
http://www.ewido.net/en/download/
a. Install Ewido AntiMalware
b. Launch Ewido: there should be a big yellow E icon on your desktop; double-click it.
c. The program will prompt you to update; click the OK button.
d. The program will now go to the main screen
e. On the left hand side of the main screen click on Update
f. Click on Start. The update will start and a progress bar will show the updates being installed.
g. Do not scan yet. We'll do that later in SAFE MODE
3b. Alternatively, for Win98/WinME, download, install and update the latest version of Adaware SE.
Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/
Install and update the program.
4. After the updates are installed, exit Ewido or Adaware, depending on which one you will be using for your system.
5. Reboot into Safe Mode
(Windows XP) To start the computer in safe mode
http://www.microsoft.com/resources/documen...e.mspx?mfr=true
Description of Safe Boot Mode in Windows 2000
http://support.microsoft.com/kb/202485
How to Start Windows Me in Safe Mode
http://support.microsoft.com/kb/273738
How to Start a Windows 98-Based Computer in Safe Mode
http://support.microsoft.com/kb/180902
6. Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
7. Stay in safe mode, start Ewido AntiMalware
a. Click on scanner
b. Click on *complete system scan*
c. Let the program scan the machine.
d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.
Checkmark the box: *Create encrypted backup in the quarantine* (recommended)
Click OK.
[screenshot: Ewido scan prompt with "Perform action on all infections" checked]
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
For Win98/ME users, please scan with Adaware (full system scan) and let it remove any infected files found.
8. Exit the program and reboot back to normal mode.
9. Get a free online AV scan at Panda's ActiveScan
Let it remove any infected files found, and when it finishes save the log so you can include it in your post.
Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm
(Don't forget to *save report* at the end.)
10. Now scan with HijackThis to produce a log. Reply with the following logs in your post:
rapport.txt from the root of the drive your operating system is installed on (e.g. Local Disk C:)
Ewido Scan report
Panda ActiveScan report
Fresh HijackThis log
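As an added example that is not part of the original post or of any of the tools it names (SmitfraudFix, Ewido, Panda ActiveScan, HijackThis), here is a small Python triage script that looks for the family names listed above in the usual autostart and installed-program registry locations, the same places a HijackThis log would show them. It assumes, since the page does not say so, that these rogues register themselves under the Run/RunOnce keys and the Uninstall key; SAMPLE_ENTRIES is constructed data so the matching can be tried on any OS, and collect_live_entries() only works on Windows.

```python
"""Triage helper for the removal steps above: flag Run/RunOnce and Uninstall
registry entries whose names match the Smitfraud-family rogues listed on this
page. Added example; it is not part of SmitfraudFix, Ewido or HijackThis."""
import re
import sys

# Family names exactly as listed on the page.
SMITFRAUD_NAMES = [
    "SpywareQuake", "SpyFalcon", "Security IGuard", "Virtual Maid",
    "Search Maid", "AntiVirusGold", "PSGuard", "RazeSpyware", "SpyAxe",
    "SpySheriff", "SpywareStrike", "WinHound",
]


def _normalise(text):
    """Lower-case and keep only letters and digits, so "Spy Sheriff 2.7",
    "spysheriff.exe" and "SpySheriff" all contain the same token."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def find_rogue_entries(entries, names=SMITFRAUD_NAMES):
    """entries: iterable of (location, value_name, data) triples.
    Returns [(location, value_name, data, family)] for every entry whose name
    or data contains one of the family names (first matching name wins)."""
    needles = [(n, _normalise(n)) for n in names]
    hits = []
    for location, value_name, data in entries:
        haystack = _normalise(f"{value_name} {data}")
        for family, needle in needles:
            if needle and needle in haystack:
                hits.append((location, value_name, data, family))
                break
    return hits


def _enum(key, fn):
    """Yield fn(key, 0), fn(key, 1), ... until winreg raises 'no more items'."""
    i = 0
    while True:
        try:
            yield fn(key, i)
        except OSError:
            return
        i += 1


def collect_live_entries():
    """Windows only. Reads the Run/RunOnce values under HKLM and HKCU and the
    DisplayName of each HKLM Uninstall subkey. Assumption (not stated on the
    page): these are the places a rogue of this family registers itself."""
    import winreg  # standard library, importable only on Windows
    cv = r"Software\Microsoft\Windows\CurrentVersion"
    entries = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        for sub in (cv + r"\Run", cv + r"\RunOnce"):
            try:
                with winreg.OpenKey(hive, sub) as key:
                    for name, data, _ in _enum(key, winreg.EnumValue):
                        entries.append((hive_name + "\\" + sub, name, str(data)))
            except OSError:  # key absent
                continue
    uninstall = cv + r"\Uninstall"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, uninstall) as key:
            for subname in list(_enum(key, winreg.EnumKey)):
                try:
                    with winreg.OpenKey(key, subname) as sk:
                        display, _ = winreg.QueryValueEx(sk, "DisplayName")
                except OSError:  # no DisplayName value
                    continue
                entries.append(("HKLM\\" + uninstall + "\\" + subname,
                                "DisplayName", str(display)))
    except OSError:
        pass
    return entries


# Constructed sample entries (not taken from a real machine) so the matching
# can be exercised on any OS; the first two should be flagged, the third not.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SpyFalcon",
     r"C:\Program Files\SpyFalcon\SpyFalcon.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpySheriff",
     "DisplayName", "Spy Sheriff 2.7"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    # On Windows inspect the live registry; elsewhere run on the sample data.
    entries = collect_live_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for location, name, data, family in find_rogue_entries(entries):
        print(f"[{family}] {location} :: {name} = {data}")
```

A hit is a lead for the Ewido and HijackThis passes above, not proof of infection: the loose substring match can also fire on a legitimate product with a similar name, so review each flagged line before removing anything, and remember that a variant not on the page's list will not be flagged at all.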
