Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

How To Remove Spyfalcon (removal Instructions)


  • Please log in to reply
14 replies to this topic

#1 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 09 February 2006 - 09:12 AM


How to remove SpyFalcon (Removal Instructions)

What this program does: SpyFalcon is a anti-spyware program that is known to issue fake warnings on your computer in order to manipulate you into buying its full commercial version. If you are infected with this program you may receive warnings in your task bar that appear to be from Microsoft Security Center stating that you are infected with spyware and to run its special anti-spyware tool. This tool turns out to be the commercial version of SpyFalcon. These warnings are fake and are a goad to have you buy the commercial version of this software.


SpyFalcon Program
Tools Needed for this fix:
  • Roguescanfix (SpyFalcon Removal Tool)
  • smitRem.exe (Cleans up ancillary files installed by these types of infections)
  • FixSF.reg (Only if you are doing the manual fix)
Symptoms in a HijackThis Log:

O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h



Choose the removal method you would like to use:
  • Automated Removal (Easier, but requires a working Internet connection.)
  • Manual Removal (Does not require a working Internet Connection and should be used if automated does not work.)

Automated Removal Instructions:
  1. Print out these instructions as we will need to close every window that is open later in the fix.

  2. Download roguescanfix_setup.exe from here:

    roguescanfix_setup.exe

    Confirm that the file roguescanfix_setup.exe now resides on your desktop.

  3. Double-click on the roguescanfix_setup.exe file found on your desktop.

  4. Select your language from the drop down menu and then press the OK button.

  5. Now press the Next button.

  6. Select the option that says I accept the agreement and press the Next button

  7. Press the Next button again.

  8. Now click on the Install button.

  9. The installation program will start installing RogueScanFix into C:\Program Files\Roguescanfix and then display a new screen. At the next screen, leave the checkmark in the Launch RogueScanFix and press the Finish button.

  10. RogueScanFix will automatically be started and you will be presented with the Credits screen. At this screen press the spacebar and you will be presented with a menu. Press the number 1 on your keyboard and press enter. At the next screen simply press the spacebar on your computer to start the removal process.

    Note: Please note that when the program starts it will download a program from the Internet that it needs to use during the cleanup. If your firewall gives an alert about this, please allow the download.exe or run.bat program to access the Internet.


    When the program starts, your desktop will disappear, which is normal, so please do not be concerned. It will then start the SpyFalcon uninstallation program. When that program starts, click on the Uninstall button. When it has finished uninstalling, you can then press the OK button to finish the uninstalling of SpyFalcon.

    When this program is finished, and it was able to delete all the files, you will see a small prompt that says Completed script execution. Simply press the OK button. It will then open the Brute Force Uninstaller program. Close this by press ing the Exit button. If there a notepad open called task.txt, you can close that as well. Now continue to Step 11.

    If there were more files that needed to be deleted, the program will prompt you to reboot your computer. Press the Yes button and allow the computer to reboot. When you are back at the desktop, close the task.txt notepad if it is open, and proceed to Step 11.

  11. Go to this page and click on the smitRem Download Link link to download smitRem.exe. When downloading smitRem.exe save it to your desktop. You will now see an icon on your desktop that looks like the one below.




  12. Double-click on the smitRem.exe file. You will now see a screen similar to the one below.






    Click on the Start button and the program will start extracting the files into a folder on your desktop called smitRem. When it is finished, click on the OK button. If you look on your desktop you will now see a folder called smitRem.

  13. Next, please reboot your computer into Safe Mode by doing the following:

    1. Restart your computer

    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

    3. Instead of Windows loading as normal, a menu should appear

    4. Select the first option, to run Windows in Safe Mode.

    5. When you are at the logon prompt, log in as an Administrator

  14. When your computer has started in safe mode and you see the desktop.

  15. Close all open Windows.

  16. Open the smitRem folder on your desktop and the contents of the folder will be similar to the image below.





    Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool.

  17. When the tool starts you will see a series of screens with information on them. Read each screen, and when you are finished reading it, simply press any key on your keyboard. After reading the various screens that appear, the program will start the removal process.

    If there is an uninstaller present for an infection that smitRem removes it will start this uninstaller.

    Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and smitRem will prompt you to continue. Now you should press any key to continue.

    When no more uninstallers can be found, the tool will continue. Your desktop will disappear and you will start seeing text scroll across the screen. This is normal and nothing to be concerned about. When smitRem has finished running it will automatically start the Disk Cleanup program as shown by the image below.





    This program will remove all Temp, Temporary Internet Files, and empty your Recycle Bin in order to remove any leftover files installed by this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will be back at your desktop.

  18. When the tool is finished, it will will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned.

  19. Reboot your computer back to normal mode.

  20. Perform an onlinescan with Panda: Panda Online

    1. Once you are on the Panda site click the Scan your PC button

    2. A new window will open...click the Check Now button

    3. Enter your Country

    4. Enter your State/Province

    5. Enter your e-mail address and click send

    6. Select either Home User or Company

    7. Click the big Scan Now button

    8. If it wants to install an ActiveX component allow it

    9. It will start downloading the files it requires for the scan (Note: It may take a few minutes)

    10. When download is complete, click on Local Disks to start the scan
Your computer should now be free of the SpyFalcon infection. If you are still receiving taskbar security warnings stating that you are infected open C:\Program Files\RoguesScanFix\task.txt and paste the contents of that log into a new topic in the HijackThis Logs Analysis or the Am i Infected forums and someone will advise you as to your next step. When posting the topic please also mention that you have already done the steps in this guide. If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log



Manual Removal Instructions:
  1. Print out these instructions as we will need to close every window that is open later in the fix.

  2. Download FixSF.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.

    FixSF.reg Download Link

    Confirm that the file FixSF.reg now resides on your desktop as we will need it later.

  3. Go to this page and click on the smitRem Download Link link to download smitRem.exe. When downloading smitRem.exe save it to your desktop. You will now see an icon on your desktop that looks like the one below.




  4. Double-click on the smitRem.exe file. You will now see a screen similar to the one below.






    Click on the Start button and the program will start extracting the files into a folder on your desktop called smitRem. When it is finished, click on the OK button. If you look on your desktop you will now see a folder called smitRem.

  5. Go to your desktop and double click on the FixSF.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button.

  6. Next, please reboot your computer into Safe Mode by doing the following:

    1. Restart your computer

    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

    3. Instead of Windows loading as normal, a menu should appear

    4. Select the first option, to run Windows in Safe Mode.

    5. When you are at the logon prompt, log in as the user account you were logged on as when you extracted the SmitRem files.

  7. When your computer has started in safe mode and you see the desktop.

  8. Click on the Start Menu

  9. Click on the Control Panel option.

  10. Double-click on the Add or Remove Programs icon.

  11. Find the entry for SpyFalcon and double-click on it. Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks.

  12. When it has completed uninstalling you can close Add or Remove Programs and your Control Panel.

  13. Delete the following files and folders (Do not be concerned if a folder or file does not exist):

    C :\Windows\System32\dxmpp.dll
    C:\Windows\System32\ginuerep.dll
    C:\Windows\System32\twain32.dll
    C:\Windows\System32\reglogs.dll
    C:\WINDOWS\system32\sbnudh.dll
    C:\WINDOWS\System32\iqzv.dll C:\WINDOWS\system32\oqipt.dll C:\WINDOWS\system32\fyhhxw.dll C:\Windows\System32\appmagr.dll
    C:\WINDOWS\system32\htey.dll C:\Windows\System32\higjxe.dll C:\WINDOWS\system32\ulztc.dll C:\WINDOWS\system32\\bolnyz.dll C:\Windows\System32\oerucu.dll C:\Program Files\SpyFalcon\


  14. Close all open Windows.

  15. Open the smitRem folder on your desktop and the contents of the folder will be similar to the image below.





    Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool.

  16. When the tool starts you will see a series of screens with information on them. Read each screen, and when you are finished reading it, simply press any key on your keyboard. After reading the various screens that appear, the program will start the removal process.

    If there is an uninstaller present for an infection that smitRem removes it will start this uninstaller.

    Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and smitRem will prompt you to continue. Now you should press any key to continue.

    When no more uninstallers can be found, the tool will continue. Your desktop will disappear and you will start seeing text scroll across the screen. This is normal and nothing to be concerned about. When smitRem has finished running it will automatically start the Disk Cleanup program as shown by the image below.





    This program will remove all Temp, Temporary Internet Files, and empty your Recycle Bin in order to remove any leftover files installed by this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will be back at your desktop.

  17. When the tool is finished, it will will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned.

  18. Reboot your computer back to normal mode.

  19. Perform an onlinescan with Panda: Panda Online

    1. Once you are on the Panda site click the Scan your PC button

    2. A new window will open...click the Check Now button

    3. Enter your Country

    4. Enter your State/Province

    5. Enter your e-mail address and click send

    6. Select either Home User or Company

    7. Click the big Scan Now button

    8. If it wants to install an ActiveX component allow it

    9. It will start downloading the files it requires for the scan (Note: It may take a few minutes)

    10. When download is complete, click on Local Disks to start the scan
Your computer should now be free of the SpyFalcon infection. If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log


This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.


BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 10 February 2006 - 04:12 PM

Guide updated to change the order of when to use the reg file in order to be able to delete the dxmpp.dll file in safe mode.

#3 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 03 March 2006 - 03:24 PM

Guide updated to include the new infector/task bar alerter:

C:\Windows\System32\ginuerep.dll

Thanks Marckie!

#4 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 25 April 2006 - 10:13 PM

This guide has been updated to include removal for a new variant spotted today by D-Trojanator. The new variant is:

c:\windows\system32\twain32.dll

#5 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 05 May 2006 - 10:43 AM

Updated today to reflect the new trojan:

C:\Windows\System32\reglogs.dll

#6 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 11 May 2006 - 01:50 PM

Updated the guide due to new trojan infector:

C:\Windows\System32\appmagr.dll

#7 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 18 May 2006 - 11:56 AM

Updated to remove the latest incarnation:

C:\WINDOWS\system32\sbnudh.dll

#8 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 18 May 2006 - 12:02 PM

Added instructions for automated cleaner.

#9 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 18 May 2006 - 02:46 PM

Updated for C:\WINDOWS\system32\fyhhxw.dll

#10 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 18 May 2006 - 07:43 PM

And another new variant:

C:\WINDOWS\system32\htey.dll

They are really moving today.

#11 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 19 May 2006 - 10:41 AM

Updated to include instructions for the following new variants:

C:\WINDOWS\System32\iqzv.dll
C:\WINDOWS\system32\oqipt.dll

#12 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 19 May 2006 - 11:21 PM

Updated the instructions to include instructions on what to do if the removal tool does not remove SpyFalcon automatically.

#13 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 26 May 2006 - 10:51 AM

Updated to include removal of the latest variants:

C:\WINNT\system32\oerucu.dll
C:\WINNT\system32\ulztc.dll

#14 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 29 May 2006 - 06:47 PM

Updated for new dll:

C:\WINDOWS\system32\bolnyz.dll

#15 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:30 PM

Posted 30 May 2006 - 03:02 PM

Updated for new variant:

C:\Windows\System32\higjxe.dll




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users