Two more fake programs from the Smitfraud family. They promise to free systems from malware that these same programs put there in the first place.
AlfaCleaner can already be found on the Red List of SpywareWarrior.
You can find the following entry in a HijackThis log file:
O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
Tenebril's Spyware Information about AlfaCleaner:
This application is adware, which might have been installed by another application. It can pop up advertisements even if you have a popup blocker on your computer. It can monitor your computer usage to generate ads that you are more likely to respond to. Adware can slow down your computer.
* Size: 9,249,622 bytes
* Threat level: Medium
* Detections: 213 this month: 213
* Author: Innovagest
* Others by this author: Anti-Virus-Pro
* Appeared: 01/19/2006
Research
* Method of infection: AlfaCleaner can be downloaded from alpahcleaner.com. AlfaCleaner may also be installed through Windows exploits or other malware.
* Advertising: AlfaCleaner uses false positives to scare users into purchasing the full version. AlfaCleaner will often identify harmless cookies as a severe risk to privacy.
***
SpyFalcon replaces SpyAxe/SpywareStrike. Learn more on SunbeltBlog.
Some more information on CastleCops, with these pictures in the original:

Here you see the program Spyfalcon

Website of Spyfalcon

The content of Spyfalcon, or was it SpywareStrike?
Domain Name: SPYFALCON.COM (195.225.176.79)
Two more domain names with the same IP address:
Spyfalconupdate.com
Updateyourwindows.com
Please add the domains listed above to your block lists.
SunbeltBlog:
SpyFalcon gets installed with the Video Codec:
“VCodec v3.05b is new generation multimedia compressor/decompressor which registers into the Windows collection of multimedia drivers...” The file VideoCodec3_05b is the trojan Trojan-Downloader.Win32.Zlob.cu, which displays the popup “Your computer is infected!”.
SpyFalcon's entries in a HijackThis Log:
C:\Programme\SpyFalcon\spyfalcon.exe
C:\WINDOWS\system32\mssearchnet.exe
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpXXXX.tmp
O4 - HKLM\..\Run: [SpyFalcon] C:\Programme\SpyFalcon\SpyFalcon.exe /h
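The HijackThis entries quoted above for AlfaCleaner and SpyFalcon can be checked for automatically. The following is an added example, not part of the original post or of HijackThis itself: it parses the running-process, O2 (BHO) and O4 (Run key) lines of a log and flags the names shown on this page. The `triage` function, the `.tmp` heuristic for BHOs and the two "Example" log lines are assumptions made for illustration.

```python
import re

# Constructed sample log: the entries quoted on this page plus two benign
# "Example" lines invented for contrast.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\mssearchnet.exe
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpXXXX.tmp
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [SpyFalcon] C:\Programme\SpyFalcon\SpyFalcon.exe /h
O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

# Names taken from the log entries on this page (compared case-insensitively).
ROGUE_NAMES = ("alfacleaner", "spyfalcon", "mssearchnet")

O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def triage(log_text):
    """Return (section, name, target, reason) for every suspicious line."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        low = line.lower()
        hit = next((n for n in ROGUE_NAMES if n in low), None)
        if m := O2.match(line):
            # Assumed heuristic: a BHO is normally a DLL, so one loaded from
            # a .tmp file is flagged even when its name is on no list.
            if m["path"].lower().endswith(".tmp"):
                findings.append(("O2", m["name"], m["path"], "BHO loaded from .tmp file"))
            elif hit:
                findings.append(("O2", m["name"], m["path"], f"known name: {hit}"))
        elif m := O4.match(line):
            if hit:
                findings.append(("O4", m["name"], m["cmd"], f"known name: {hit}"))
        elif hit and re.match(r"^[A-Za-z]:\\", line):
            # Running-process section: a bare path with no O-number prefix.
            findings.append(("process", line.rsplit("\\", 1)[-1], line, f"known name: {hit}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```

Name matching alone misses renamed copies, which is why the BHO check looks at the file type rather than the name.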
The Datfindbat shows the following entries:
C:\WINDOWS\system32\dxmpp.dll
C:\WINDOWS\system32\NVCTRL.0XE
C:\WINDOWS\system32\MSCORNET.0XE
RootkitRevealer shows these entries:
C:\Dokumente und Einstellungen\Name\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\SpyFalcon 2.0.lnk 09/02/2006 23:55 692 bytes Hidden from Windows API.
C:\Dokumente und Einstellungen\Name\Desktop\SpyFalcon.lnk 09/02/2006 23:55 674 bytes Hidden from Windows API.
C:\Dokumente und Einstellungen\Name\Startmenü\Programme\SpyFalcon 09/02/2006 23:55 0 bytes Hidden from Windows API.
C:\Dokumente und Einstellungen\Name\Startmenü\Programme\SpyFalcon\SpyFalcon 2.0 Website.lnk 09/02/2006 23:55 686 bytes Hidden from Windows API.
C:\Dokumente und Einstellungen\Name\Startmenü\Programme\SpyFalcon\SpyFalcon 2.0.lnk 09/02/2006 23:55 686 bytes Hidden from Windows API.
C:\Dokumente und Einstellungen\Name\Startmenü\Programme\SpyFalcon\Uninstall SpyFalcon 2.0.lnk 09/02/2006 23:55 485 bytes Hidden from Windows API.
C:\Dokumente und Einstellungen\Name\Startmenü\SpyFalcon 2.0.lnk 09/02/2006 23:55 674 bytes Hidden from Windows API.
C:\Programme\SpyFalcon\blacklist.txt 25/01/2006 17:50 49.34 KB Hidden from Windows API.
C:\Programme\SpyFalcon\Lang 09/02/2006 23:55 0 bytes Hidden from Windows API.
C:\Programme\SpyFalcon\Lang\English.ini 09/02/2006 13:13 31.12 KB Hidden from Windows API.
C:\Programme\SpyFalcon\Logs 09/02/2006 23:55 0 bytes Hidden from Windows API.
C:\Programme\SpyFalcon\msvcp71.dll 27/07/2005 00:14 488.00 KB Hidden from Windows API.
C:\Programme\SpyFalcon\msvcr71.dll 27/07/2005 00:14 340.00 KB Hidden from Windows API.
C:\Programme\SpyFalcon\Quarantine 09/02/2006 23:55 0 bytes Hidden from Windows API.
C:\Programme\SpyFalcon\SpyFalcon.url 09/02/2006 23:55 50 bytes Hidden from Windows API.
C:\Programme\SpyFalcon\syg.db 08/02/2006 07:24 1.02 MB Hidden from Windows API.
C:\Programme\SpyFalcon\uninst.exe 09/02/2006 23:55 40.46 KB Hidden from Windows API.
A fake anti-spyware program whose files are hidden from the Windows API and were only discovered by RootkitRevealer: what a dangerous new fake.
If you are using one of the following operating systems, WinXP or Win2K, you may want to clean up these infections with the
>> to be continued >>