How To Remove Spyfalcon (removal Instructions)

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Spyware and Malware Removal Guides and Reading Room

How to use the self-help guides

This forum contains self-help guides on removing common malware and viruses. These guides can be advanced so please use them at your own risk.

If after following the self-help guide, or you can not find an appropriate guide, then you can receive step-by-step instructions directly from one of our experts by following the instructions in this topic: Preparation Guide For Use Before Posting A Hijackthis Log

How To Remove Spyfalcon (removal Instructions)

Options

Grinler View Member Profile	Feb 9 2006, 09:12 AM Post #1
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	How to remove SpyFalcon (Removal Instructions) What this program does: SpyFalcon is a anti-spyware program that is known to issue fake warnings on your computer in order to manipulate you into buying its full commercial version. If you are infected with this program you may receive warnings in your task bar that appear to be from Microsoft Security Center stating that you are infected with spyware and to run its special anti-spyware tool. This tool turns out to be the commercial version of SpyFalcon. These warnings are fake and are a goad to have you buy the commercial version of this software. SpyFalcon Program Tools Needed for this fix: Roguescanfix (SpyFalcon Removal Tool) smitRem.exe (Cleans up ancillary files installed by these types of infections) FixSF.reg (Only if you are doing the manual fix) Symptoms in a HijackThis Log: O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h Choose the removal method you would like to use: Automated Removal (Easier, but requires a working Internet connection.) Manual Removal (Does not require a working Internet Connection and should be used if automated does not work.) Automated Removal Instructions: Print out these instructions as we will need to close every window that is open later in the fix. Download roguescanfix_setup.exe from here: roguescanfix_setup.exe Confirm that the file roguescanfix_setup.exe now resides on your desktop. Double-click on the roguescanfix_setup.exe file found on your desktop. Select your language from the drop down menu and then press the OK button. Now press the Next button. Select the option that says I accept the agreement and press the Next button Press the Next button again. Now click on the Install button. The installation program will start installing RogueScanFix into C:\Program Files\Roguescanfix and then display a new screen. At the next screen, leave the checkmark in the Launch RogueScanFix and press the Finish button. RogueScanFix will automatically be started and you will be presented with the Credits screen. At this screen press the spacebar and you will be presented with a menu. Press the number 1 on your keyboard and press enter. At the next screen simply press the spacebar on your computer to start the removal process. Note: Please note that when the program starts it will download a program from the Internet that it needs to use during the cleanup. If your firewall gives an alert about this, please allow the download.exe or run.bat program to access the Internet. When the program starts, your desktop will disappear, which is normal, so please do not be concerned. It will then start the SpyFalcon uninstallation program. When that program starts, click on the Uninstall button. When it has finished uninstalling, you can then press the OK button to finish the uninstalling of SpyFalcon. When this program is finished, and it was able to delete all the files, you will see a small prompt that says Completed script execution. Simply press the OK button. It will then open the Brute Force Uninstaller program. Close this by press ing the Exit button. If there a notepad open called task.txt, you can close that as well. Now continue to Step 11. If there were more files that needed to be deleted, the program will prompt you to reboot your computer. Press the Yes button and allow the computer to reboot. When you are back at the desktop, close the task.txt notepad if it is open, and proceed to Step 11. Go to this page and click on the smitRem Download Link link to download smitRem.exe. When downloading smitRem.exe save it to your desktop. You will now see an icon on your desktop that looks like the one below. Double-click on the smitRem.exe file. You will now see a screen similar to the one below. Click on the Start button and the program will start extracting the files into a folder on your desktop called smitRem. When it is finished, click on the OK button. If you look on your desktop you will now see a folder called smitRem. Next, please reboot your computer into Safe Mode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. When you are at the logon prompt, log in as an Administrator When your computer has started in safe mode and you see the desktop. Close all open Windows. Open the smitRem folder on your desktop and the contents of the folder will be similar to the image below. Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool. When the tool starts you will see a series of screens with information on them. Read each screen, and when you are finished reading it, simply press any key on your keyboard. After reading the various screens that appear, the program will start the removal process. If there is an uninstaller present for an infection that smitRem removes it will start this uninstaller. Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and smitRem will prompt you to continue. Now you should press any key to continue. When no more uninstallers can be found, the tool will continue. Your desktop will disappear and you will start seeing text scroll across the screen. This is normal and nothing to be concerned about. When smitRem has finished running it will automatically start the Disk Cleanup program as shown by the image below. This program will remove all Temp, Temporary Internet Files, and empty your Recycle Bin in order to remove any leftover files installed by this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will be back at your desktop. When the tool is finished, it will will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned. Reboot your computer back to normal mode. Perform an onlinescan with Panda: Panda Online Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send Select either Home User or Company Click the big Scan Now button If it wants to install an ActiveX component allow it It will start downloading the files it requires for the scan (Note: It may take a few minutes) When download is complete, click on Local Disks to start the scan Your computer should now be free of the SpyFalcon infection. If you are still receiving taskbar security warnings stating that you are infected open C:\Program Files\RoguesScanFix\task.txt and paste the contents of that log into a new topic in the HijackThis Logs Analysis or the Am i Infected forums and someone will advise you as to your next step. When posting the topic please also mention that you have already done the steps in this guide. If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below: Preparation Guide For Use Before Posting A Hijackthis Log Manual Removal Instructions: Print out these instructions as we will need to close every window that is open later in the fix. Download FixSF.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser. FixSF.reg Download Link Confirm that the file FixSF.reg now resides on your desktop as we will need it later. Go to this page and click on the smitRem Download Link link to download smitRem.exe. When downloading smitRem.exe save it to your desktop. You will now see an icon on your desktop that looks like the one below. Double-click on the smitRem.exe file. You will now see a screen similar to the one below. Click on the Start button and the program will start extracting the files into a folder on your desktop called smitRem. When it is finished, click on the OK button. If you look on your desktop you will now see a folder called smitRem. Go to your desktop and double click on the FixSF.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button. Next, please reboot your computer into Safe Mode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. When you are at the logon prompt, log in as the user account you were logged on as when you extracted the SmitRem files. When your computer has started in safe mode and you see the desktop. Click on the Start Menu Click on the Control Panel option. Double-click on the Add or Remove Programs icon. Find the entry for SpyFalcon and double-click on it. Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks. When it has completed uninstalling you can close Add or Remove Programs and your Control Panel. Delete the following files and folders (Do not be concerned if a folder or file does not exist): C :\Windows\System32\dxmpp.dll C:\Windows\System32\ginuerep.dll C:\Windows\System32\twain32.dll C:\Windows\System32\reglogs.dll C:\WINDOWS\system32\sbnudh.dll C:\WINDOWS\System32\iqzv.dll C:\WINDOWS\system32\oqipt.dll C:\WINDOWS\system32\fyhhxw.dll C:\Windows\System32\appmagr.dll C:\WINDOWS\system32\htey.dll C:\Windows\System32\higjxe.dll C:\WINDOWS\system32\ulztc.dll C:\WINDOWS\system32\\bolnyz.dll C:\Windows\System32\oerucu.dll C:\Program Files\SpyFalcon\ Close all open Windows. Open the smitRem folder on your desktop and the contents of the folder will be similar to the image below. Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool. When the tool starts you will see a series of screens with information on them. Read each screen, and when you are finished reading it, simply press any key on your keyboard. After reading the various screens that appear, the program will start the removal process. If there is an uninstaller present for an infection that smitRem removes it will start this uninstaller. Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and smitRem will prompt you to continue. Now you should press any key to continue. When no more uninstallers can be found, the tool will continue. Your desktop will disappear and you will start seeing text scroll across the screen. This is normal and nothing to be concerned about. When smitRem has finished running it will automatically start the Disk Cleanup program as shown by the image below. This program will remove all Temp, Temporary Internet Files, and empty your Recycle Bin in order to remove any leftover files installed by this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will be back at your desktop. When the tool is finished, it will will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned. Reboot your computer back to normal mode. Perform an onlinescan with Panda: Panda Online Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send Select either Home User or Company Click the big Scan Now button If it wants to install an ActiveX component allow it It will start downloading the files it requires for the scan (Note: It may take a few minutes) When download is complete, click on Local Disks to start the scan Your computer should now be free of the SpyFalcon infection. If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below: Preparation Guide For Use Before Posting A Hijackthis Log This is a self-help guide. Use at your own risk. BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum. If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you. -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	Feb 10 2006, 04:12 PM Post #2
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Guide updated to change the order of when to use the reg file in order to be able to delete the dxmpp.dll file in safe mode. -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	Mar 3 2006, 03:24 PM Post #3
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Guide updated to include the new infector/task bar alerter: C:\Windows\System32\ginuerep.dll Thanks Marckie! -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	Apr 25 2006, 10:13 PM Post #4
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	This guide has been updated to include removal for a new variant spotted today by D-Trojanator. The new variant is: c:\windows\system32\twain32.dll -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	May 5 2006, 10:43 AM Post #5
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Updated today to reflect the new trojan: C:\Windows\System32\reglogs.dll -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	May 11 2006, 01:50 PM Post #6
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Updated the guide due to new trojan infector: C:\Windows\System32\appmagr.dll -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	May 18 2006, 11:56 AM Post #7
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Updated to remove the latest incarnation: C:\WINDOWS\system32\sbnudh.dll -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	May 18 2006, 12:02 PM Post #8
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Added instructions for automated cleaner. -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	May 18 2006, 02:46 PM Post #9
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Updated for C:\WINDOWS\system32\fyhhxw.dll -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	May 18 2006, 07:43 PM Post #10
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	And another new variant: C:\WINDOWS\system32\htey.dll They are really moving today. -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	May 19 2006, 10:41 AM Post #11
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Updated to include instructions for the following new variants: C:\WINDOWS\System32\iqzv.dll C:\WINDOWS\system32\oqipt.dll -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	May 19 2006, 11:21 PM Post #12
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Updated the instructions to include instructions on what to do if the removal tool does not remove SpyFalcon automatically. -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	May 26 2006, 10:51 AM Post #13
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Updated to include removal of the latest variants: C:\WINNT\system32\oerucu.dll C:\WINNT\system32\ulztc.dll -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	May 29 2006, 06:47 PM Post #14
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Updated for new dll: C:\WINDOWS\system32\bolnyz.dll -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

Grinler View Member Profile	May 30 2006, 03:02 PM Post #15
Bleep Bleep! Group: Admin Posts: 31,508 Joined: 24-January 04 From: USA Member No.: 3	Updated for new variant: C:\Windows\System32\higjxe.dll -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

« Next Oldest · Spyware and Malware Removal Guides and Reading Room · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 7th November 2009 - 03:58 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides