OT: Spy Falcon

Discussion in 'MCSE' started by kpg, May 11, 2006.

  1. kpg

    kpg Guest

    My Father-in-law's laptop lost the Internet, so, of course, wifey
    tells me to fix it.

    After running the arsenal of usual stuff I got everything except the
    prompt to install Spy Falcon. It's a red bordered box that pops up
    from the task bar and says:

    "Your Computer is Infected!" ...blah, blah..

    I tried every Spy Falcon, SpyAxe, SpyXXX removal technique I could
    find. (SpybotS&D, HijackThis, AVG, Windows Defender, Smitrem,
    SmitfraudFix, ewido, and several manual techniques)

    All find nothing, because the computer does not actually have Spy
    Falcon installed. What it has is this little task bar trojan that
    prompts you to install Spy Falcon. This box has the same exact
    wording as that of Spy Falcon prompts I found on the web, but
    it is not in the XP style balloon like depicted on the sites, but
    in a custom little white box with a red border. When not popped up
    it has an icon that changes between the "Handicap" and the "No"
    icon (red circle with line).

    I'm thinking this is a rather new variant which is why it's not
    being detected. I'm assuming it's Spy Falcon because that's where
    it takes you when clicked.

    It is still present in safemode, and it does not have a task in
    the task list. Startup items look fine too.

    Clever but annoying little bugger.
    kpg, May 11, 2006
    #1

  2. kpg

    LnkWizard Guest

    Re: Spy Falcon

    "kpg" <> wrote in message
    news:Xns97C0662418D6Bipostthereforeiam@127.0.0.1...
    > My Father-in-law's laptop lost the Internet, so, of course, wifey
    > tells me to fix it.
    >
    > After running the arsenal of usual stuff I got everything except the
    > prompt to install Spy Falcon. It's a red bordered box that pops up
    > from the task bar and says:
    >
    > "Your Computer is Infected!" ...blah, blah..
    >
    > I tried every Spy Falcon, SpyAxe, SpyXXX removal technique I could
    > find. (SpybotS&D, HijackThis, AVG, Windows Defender, Smitrem,
    > SmitfraudFix, ewido, and several manual techniques)
    >
    > All find nothing, because the computer does not actually have Spy
    > Falcon installed. What it has is this little task bar trojan that
    > prompts you to install Spy Falcon. This box has the same exact
    > wording as that of Spy Falcon prompts I found on the web, but
    > it is not in the XP style balloon like depicted on the sites, but
    > in a custom little white box with a red border. When not popped up
    > it has an icon that changes between the "Handicap" and the "No"
    > icon (red circle with line).
    >
    > I'm thinking this is a rather new variant which is why it's not
    > being detected. I'm assuming it's Spy Falcon because that's where
    > it takes you when clicked.
    >
    > It is still present in safemode, and it does not have a task in
    > the task list. Startup items look fine too.
    >
    > Clever but annoying little bugger.
    >


    Interesting, sounds like one of them there persistent buggers.
    You might want to take a run over to sysinternals.com
    and look at some of their tools for further research.

    ---------------------------------------------------------------------
    Lnkwizard2 MCNGP 2^5

    http://www.mcngp.com
    "He who does not test himself is worthless indeed"
    ---------------------------------------------------------------------
    LnkWizard, May 11, 2006
    #2

  3. Tell him it's unsupported, and that he has not paid for an extended warranty
    ~ which incidentally would not cover the fault.

    --
    lo0py
    LoopBack, May 11, 2006
    #3
  4. kpg

    kpg Guest

    As LoopBack once said in microsoft.public.cert.exam.mcse

    > Tell him it's unsupported, and that he has not paid for
    > an extended warranty ~ which incidentally would not cover the fault.


    Well, he does keep me in cold beer while I'm working on it.

    Maybe that's why I'm having such a hard time with this one?

    kp "The longer I am the drunker I drink" g
    kpg, May 11, 2006
    #4
  5. Had this problem with a computer my Brother-In-Law had. I used System
    Restore to remove the problem. I was lucky enough to have a general idea of when
    it started up and could still choose a time before that event. Not sure if
    you can do the same but it might be worth a shot.

    Talyn



    "kpg" wrote:

    > My Father-in-law's laptop lost the Internet, so, of course, wifey
    > tells me to fix it.
    >
    > After running the arsenal of usual stuff I got everything except the
    > prompt to install Spy Falcon. It's a red bordered box that pops up
    > from the task bar and says:
    >
    > "Your Computer is Infected!" ...blah, blah..
    >
    > I tried every Spy Falcon, SpyAxe, SpyXXX removal technique I could
    > find. (SpybotS&D, HijackThis, AVG, Windows Defender, Smitrem,
    > SmitfraudFix, ewido, and several manual techniques)
    >
    > All find nothing, because the computer does not actually have Spy
    > Falcon installed. What it has is this little task bar trojan that
    > prompts you to install Spy Falcon. This box has the same exact
    > wording as that of Spy Falcon prompts I found on the web, but
    > it is not in the XP style balloon like depicted on the sites, but
    > in a custom little white box with a red border. When not popped up
    > it has an icon that changes between the "Handicap" and the "No"
    > icon (red circle with line).
    >
    > I'm thinking this is a rather new variant which is why it's not
    > being detected. I'm assuming it's Spy Falcon because that's where
    > it takes you when clicked.
    >
    > It is still present in safemode, and it does not have a task in
    > the task list. Startup items look fine too.
    >
    > Clever but annoying little bugger.
    >
    Talyn, May 11, 2006
    #5
  6. kpg

    JaR Guest

    kpg <> wrote in news:Xns97C0662418D6Bipostthereforeiam@127.0.0.1:

    > I'm thinking this is a rather new variant which is why it's not
    > being detected. I'm assuming its Spy Falcon because that's where
    > it takes you when clicked.
    >
    > It is still present in safemode, and it does not have a task in
    > the task list. Startup items look fine too.
    >
    > Clever but annoying little bugger.
    >


    Here's a relevant discussion:

    http://www.newbie.org/help/lofiversion/index.php?t1883.html=

    Ever run Hijack This?

    --
    JaR
    MCNGP #22
    Remove hat to reply
    Abandon hope, all ye who enter here.
    JaR, May 11, 2006
    #6
  7. kpg

    kpg Guest

    As JaR once said in microsoft.public.cert.exam.mcse

    > http://www.newbie.org/help/lofiversion/index.php?t1883.html=


    Sure, I ran HijackThis, I looked over the report for obvious
    weird stuff, every line seemed to check out with something that
    was supposed to be there. I did zap a few odd ones to no avail.

    I've found a few new things I could try later, plus I'll go
    over the hijack log a lot closer.

    I could go back to a restore point, since this particular
    infection occurred yesterday or the day before. That would put
    a few problems back but those cleaned up pretty easily.


    It's kinda fun to zap spyware, but when they don't zap I get
    PO'ed.
    kpg, May 11, 2006
    #7
  8. kpg

    JaR Guest

    kpg <> wrote in news:Xns97C0940515718ipostthereforeiam@127.0.0.1:

    > It's kinda fun to zap spyware, but when they don't zap I get
    > PO'ed.


    Ah, but think of the satisfaction when you finally root the fusker out<BEG>

    I remember spending hours on Aurora the first time $PHB infected hisself
    with it.

    --
    JaR
    MCNGP #22
    Remove hat to reply
    Abandon hope, all ye who enter here.
    JaR, May 11, 2006
    #8
  9. kpg

    LoopBack Guest

    "kpg" <> wrote in message
    news:Xns97C07D9AE6203ipostthereforeiam@127.0.0.1...
    >
    > As LoopBack once said in microsoft.public.cert.exam.mcse
    >
    >> Tell him it's unsupported, and that he has not paid for
    >> an extended warranty ~ which incidentally would not cover the fault.

    >
    > Well, he does keep me in cold beer while I'm working on it.
    >
    > Maybe that's why I'm having such a hard time with this one?
    >
    > kp "The longer I am the drunker I drink" g


    I remember trying to balance/level off a stereo rack for my linn karik, with
    a 12 pack of beer. The longer you take, the harder it gets.
    LoopBack, May 12, 2006
    #9
  10. kpg

    Cerebrus Guest

    kpg wrote :

    >> Startup items look fine too.


    How did you check the Startup items ? Did you check the following two
    keys in the registry :

    - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    If the program is running in the System tray, and sending notification
    messages from there, it should show up in the process list. This could
    then lead you to the malicious exe.

    HTH,

    Regards,

    Cerebrus.
    Cerebrus, May 12, 2006
    #10
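    The two checks Cerebrus describes (the HKLM and HKCU Run keys, then the process list) as a script. This is an added example, not code from the thread; it assumes a machine with PowerShell available, and the "trusted directories" heuristic and output layout are my own choices, not anything the post specifies.

```powershell
# Added example: list the two Run keys named in the post and flag anything,
# in the registry or in the process list, that runs from an unusual location.
# Assumption: PowerShell 3+ is available on the machine being inspected.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Return one object per value under each Run key (provider metadata skipped).
function Get-RunEntries {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -in $meta) { continue }
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

# Pull the executable path out of a Run-key command line (quoted or bare).
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

# Heuristic only: binaries under the Windows and Program Files trees are assumed
# legitimate here; anything else (user profile, temp, root of C:) gets listed.
$trusted = @($env:SystemRoot, $env:ProgramFiles)
function Test-Trusted([string]$path) {
    foreach ($dir in $trusted) {
        if ($dir -and $path.StartsWith($dir, 'OrdinalIgnoreCase')) { return $true }
    }
    return $false
}

$entries = Get-RunEntries
"== Run key entries =="
$entries | Format-Table -AutoSize

"== Run entries pointing outside trusted directories =="
$entries | Where-Object {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $_.Command))
    -not (Test-Trusted $exe)
} | Format-Table -AutoSize

# A tray icon needs a live process behind it, even when the window is hidden,
# so compare the process list against the same trusted-directory heuristic.
"== Processes running from unusual locations =="
Get-Process | Where-Object { $_.Path -and -not (Test-Trusted $_.Path) } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize
```

    Run it from an elevated prompt so every process reports its Path; on 64-bit Windows, add `${env:ProgramFiles(x86)}` to `$trusted`.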
  11. kpg

    LnkWizard Guest


    > kpg <> wrote in
    > news:Xns97C0940515718ipostthereforeiam@127.0.0.1:
    >
    > > It's kinda fun to zap spyware, but when they don't zap I get
    > > PO'ed.
    >
    > Ah, but think of the satisfaction when you finally root the fusker
    > out<BEG>
    >

    I looked over the sysinternals tool and there are two that look to
    be quite useful. BTW, they are free. Autoruns and ProcessExplorer
    have loads of info that may help you.

    ---------------------------------------------------------------------
    Lnkwizard2 MCNGP 2^5

    http://www.mcngp.com
    "He who does not test himself is worthless indeed"
    ---------------------------------------------------------------------
    LnkWizard, May 12, 2006
    #11
  12. kpg

    kpg Guest

    As Cerebrus once said in microsoft.public.cert.exam.mcse

    > How did you check the Startup items ? Did you check the following two
    > keys in the registry :
    >
    > - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >
    > - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


    Yes.

    > If the program is running in the System tray, and sending notification
    > messages from there, it should show up in the process list.



    Yes, it should, but processes can be hidden or disguised.
    kpg, May 12, 2006
    #12
  13. kpg

    kpg Guest

    Re: got it.

    Spy Falcon is history!

    Well this is interesting (to me).

    After all the tools I tried, the one that worked was
    AdAware. I had used AdAware a long time ago until
    I (for some reason) decided that HiJackThis, ToolbarCop
    and Spybot S&D were the only suite of tools I needed.

    Then in my enduring love and respect for Microsoft, when
    Windows Defender (Beta) came out I saw history repeating
    itself (as it has so many times in the past when MS
    took over the 3rd party utility market) and I said to myself,
    self, the MS tool is the way to go, who better to look for
    malicious software on Windows than the author of Windows
    itself? Now I feel stupid.

    Spybot S&D and AdAware have always found different infections,
    which I always found curious. Sure there will be differences,
    but what we need is a centralized repository of malware, and
    I thought MS was heading there.
    kpg, May 12, 2006
    #13
  14. Re: got it.

    I thought AdAware was spyware itself. It cleans off all the competing
    spy/ad ware but leaves its own stuff.

    <quick google search>

    Yeah, they were sued by the New York attorney general. They settled a few
    months ago. Maybe they are legit now.


    Death from Above


    "kpg" <> wrote in message
    news:Xns97C15286CA661ipostthereforeiam@127.0.0.1...
    > Spy Falcon is history!
    >
    > Well this is interesting (to me).
    >
    > After all the tools I tried, the one that worked was
    > AdAware. I had used AdAware a long time ago until
    > I (for some reason) decided that HiJackThis, ToolbarCop
    > and Spybot S&D were the only suite of tools I needed.
    >
    > Then in my enduring love and respect for Microsoft, when
    > Windows Defender (Beta) came out I saw history repeating
    > itself (as it has so many times in the past when MS
    > took over the 3rd party utility market) and I said to myself,
    > self, the MS tool is the way to go, who better to look for
    > malicious software on Windows than the author of Windows
    > itself? Now I feel stupid.
    >
    > Spybot S&D and AdAware have always found different infections,
    > which I always found curious. Sure there will be differences,
    > but what we need is a centralized repository of malware, and
    > I thought MS was heading there.
    >
    Death from Above, May 12, 2006
    #14
  15. kpg

    Cerebrus Guest

    Re: got it.

    You didn't run AdAware ?????????????? <Shakes head>

    That's usually the second thing I run, after Spybot. They seem to work
    exceptionally, in combination.
    Cerebrus, May 12, 2006
    #15
  16. kpg

    Cerebrus Guest

    Re: got it.

    > > It's kinda fun to zap spyware, but when they don't zap I get
    > > PO'ed.
    >
    > Ah, but think of the satisfaction when you finally root the fusker
    > out<BEG>

    Now's the time for the celebration... Bring out the beer barrel...
    Cerebrus, May 12, 2006
    #16
  17. kpg

    kpg Guest

    Re: got it.

    As Death from Above once said in microsoft.public.cert.exam.mcse

    > I thought AdAware was spyware itself. It cleans off all the competing
    > spy/ad ware but leaves its own stuff.


    I recall AdAware documentation saying that it was possible to have false
    positives for other spyware removal tools because they find the signature
    in the software. One should look at the results before cleaning!


    > <quick google search>
    >
    > Yeah, they were sued by the New York attorney general. They settled a
    > few months ago. Maybe they are legit now.


    I'm confident they are not spyware (famous last words).
    kpg, May 12, 2006
    #17
  18. kpg

    kpg Guest

    Re: got it.

    As Cerebrus once said in microsoft.public.cert.exam.mcse

    > Now's the time for the celebration... Bring out the beer barrel...


    Well, if it had been more dramatic, like 37 registry edits while
    in recovery console, but all I did was run AdAware and it found it
    and cleaned it without any hoopla. Next reboot it was gone.

    I'm pretty sure all of AdAware's programmers look like the Swedish
    bikini team.
    kpg, May 12, 2006
    #18
  19. Re: got it.

    "Death from Above" <> wrote in message
    news:...
    >
    > I thought AdAware was spyware itself. It cleans off all the competing spy/ad
    > ware but leaves its own stuff.
    >
    > <quick google search>
    >
    > Yeah, they were sued by the New York attorney general. They settled a few
    > months ago. Maybe they are legit now.
    >
    >
    > Death from Above
    >
    >

    How funny, I knew that program was cr@p. I was a programmer for a guy that also
    ran a computer store, and all of his Techs *swore* by AdAware. I mean these guys
    *pushed* that software off onto _everybody_ that didn't own it. They even tried
    pushing it off onto me, but I told them the day I saw it that the program was a
    piece of sh!t and I didn't trust it.

    --
    Bigus Di©kus
    MCNGP 00110011
    -- Why won't techies listen to programmers....
    Bigus Di©kus, May 12, 2006
    #19
  20. kpg

    kpg Guest

    Re: got it.

    As Bigus Di©kus once said in microsoft.public.cert.exam.mcse

    > How funny, I knew that program was cr@p. I was a programmer for a guy
    > that also ran a computer store, and all of his Techs *swore* by
    > AdAware. I mean these guys *pushed* that software off onto _everybody_
    > that didn't own it. They even tried pushing it off onto me, but I
    > told them the day I saw it that the program was a piece of sh!t and I
    > didn't trust it.



    Maybe that's why I stopped using it, it is a little candy-coated
    looking. But then it is euro-ware.

    You should download it now. Install it on everything. In fact,
    I insist. Join us. We are not the problem, we are the solution.

    kp "Crush, Kill, Destroy" g
    kpg, May 12, 2006
    #20