Archive for SpyFalcon

New SpyFalcon variant

New SpyFalcon variant found today as well: C:\Windows\System32\higjxe.dll
Reg keys for C:\Windows\System32\higjxe.dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a0c51615-738a-4542-801a-5af61614e182}"="bedimples"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a0c51615-738a-4542-801a-5af61614e182}\InProcServer32]
@="C:\\WINDOWS\\system32\\higjxe.dll"

SpyFalcon removal guide updated.


New SpyFalcon variant - bolnyz.dll

New SpyFalcon variant released: C:\Windows\System32\bolnyz.dll
Registry keys involved:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{f5947202-e9cb-4a72-88e7-22f2cbd2b124}"="chenopodiaceae"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{f5947202-e9cb-4a72-88e7-22f2cbd2b124}\InProcServer32]
@="C:\\WINDOWS\\system32\\bolnyz.dll"

SpyFalcon removal guide updated.


Two more SpyFalcon variants

Two more variants:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5bc82bdb-bc03-4671-9a78-3ef2b68449de}"="advisability"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5bc82bdb-bc03-4671-9a78-3ef2b68449de}\InProcServer32]
@="C:\\WINDOWS\\system32\\oqipt.dll"

and

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{70fbd528-2d3c-4a00-9b8c-bbf441e534be}"="AutoDisc Ware"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{70fbd528-2d3c-4a00-9b8c-bbf441e534be}\InProcServer32]
@="C:\\WINDOWS\\System32\\iqzv.dll"

SpyFalcon removal guide updated.


SpyFalcon hits again..3 new variants in one day.

Another new SpyFalcon variant.  Anyone else getting bored of all of these?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a566f298-05a6-4b3d-b672-da7c27316430}"="AutoDisc Ware"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a566f298-05a6-4b3d-b672-da7c27316430}\InProcServer32]
@="C:\\WINDOWS\\system32\\htey.dll"

SpyFalcon removal guide updated.


New SpyFalcon Variants

Two new variants of SpyFalcon have been released. The SpyFalcon removal guide has been updated to reflect these new variants.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\\WINDOWS\\system32\\sbnudh.dll"

and

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e04408db-4812-4478-8d4d-e46edcffd3b6}"="AutoDisc Ware"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6}\InProcServer32]
@="C:\\WINDOWS\\system32\\fyhhxw.dll"

Rumors are that the C:\WINDOWS\system32\fyhhxw.dll infector has a randomly changing CLSID.


SpyFalcon coming on strong..new variant appmagr.dll

I recently said on a mailing list that SpyFalcon is going for a resurgence. Unfortunately I was correct. C:\WINDOWS\system32\appmagr.dll is the third new variant in a little over a week.

Appmagr.dll is loaded via the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{64ba30a2-811a-4597-b0af-d551128be340}"="AppManager"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
@="C:\\WINDOWS\\system32\\appmagr.dll"

The SpyFalcon removal instructions have been updated for this variant.


New SpyFalcon variant.. reglogs.dll

SpyFalcon is coming back strong and has released its latest variant, C:\Windows\System32\reglogs.dll.

Reglogs.dll is loaded via the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{35a88e51-b53d-43e9-b8a7-75d4c31b4676}"="Register LogWare"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{35a88e51-b53d-43e9-b8a7-75d4c31b4676}\InProcServer32]
@="C:\\WINDOWS\\system32\\reglogs.dll"

The SpyFalcon removal instructions have been updated for this variant.


Twain32.dll - A new SpyFalcon Variant

If it wasn't enough with all of the SpywareQuake variants being released, it looks like we now have a new SpyFalcon variant. This DLL, C:\Windows\System32\twain32.dll, when loaded will issue fake security alerts on your taskbar. If you click on them, they will install SpyFalcon 2.0 onto your computer.

Twain32.dll is loaded via the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\\WINDOWS\\system32\\twain32.dll"

The SpyFalcon removal instructions have been updated for this variant.


Spywarequake, New Rogue Antispyware Application

Remember the widespread infections of SpyAxe, SpyFalcon, and SpywareStrike? Now there is a new rogue antispyware application out from the same developers called SpywareQuake. SpywareQuake uses the same method of installing a Trojan, c:\windows\system32\stickrep.dll, on your computer that issues fake security alerts as a fear tactic to make you purchase the commercial version of SpywareQuake.

This is a scam! No other way to put it. If you are infected with this application, do not be tricked into purchasing the full version. Instead, follow the instructions we have put together for removing the infection for free. The removal guide can be found below:

How to remove spywarequake


Spyfalcon Is Using A New Infector - Ginuerep.dll

Our friends at Spyfalcon have decided to use a new file to infect your machine and display the fake taskbar alerts. This file is:

C:\Windows\System32\ginuerep.dll

The removal guide at How To Remove Spyfalcon has been updated to reflect this new file. This file cannot be removed in regular mode or in safe mode without first running the reg file found in the above guide.

Other methods to delete it are to killbox the file or rename it and reboot. Killboxing should delete it, and renaming it will make it inactive after a reboot.
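The two keys that every variant on this page relies on, the SharedTaskScheduler value and the per-user CLSID registration that points it at a DLL, can be correlated offline from an exported hive, and the matching cleanup is a .reg file that drops the scheduler value and deletes the HKCU CLSID key. The script below is an added example, not code from the original posts or the Bleeping Computer guide; the sample export, its CLSIDs and the DLL name are constructed, and parse_reg, shared_task_scheduler_loads and removal_reg are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample export shaped like the keys quoted in these posts (CLSIDs and
# DLL name are made up; the first entry stands in for a benign one with no HKCU CLSID).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{11111111-2222-3333-4444-555555555555}"="Benign preloader"
"{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"="AutoDisc Ware"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InProcServer32]
@="C:\\WINDOWS\\system32\\example.dll"
'''

STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
# Per-user Classes are consulted before machine-wide ones; every variant here uses HKCU.
CLSID_ROOTS = (r"HKEY_CURRENT_USER\Software\Classes\CLSID",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID", r"HKEY_CLASSES_ROOT\CLSID")

def parse_reg(text):
    """Parse .reg text into {key path (lower-cased): {value name: string data}}."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and "=" in line:
            name, _, data = line.partition("=")   # .reg strings escape \ as \\
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def shared_task_scheduler_loads(keys):
    """Return (clsid, label, dll, hive) for each SharedTaskScheduler CLSID that
    some CLSID registration resolves to an InProcServer32 DLL."""
    found = []
    for clsid, label in keys.get(STS_KEY.lower(), {}).items():
        for root in CLSID_ROOTS:
            server = keys.get(f"{root}\\{clsid}\\InProcServer32".lower(), {})
            if "@" in server:
                found.append((clsid, label, server["@"], root.split("\\")[0]))
                break
    return found

def removal_reg(clsid):
    """Build .reg text that drops the scheduler value and deletes the HKCU CLSID key."""
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{STS_KEY}]\n\"{clsid}\"=-\n\n"
            f"[-HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{clsid}]\n")

for clsid, label, dll, hive in shared_task_scheduler_loads(parse_reg(SAMPLE_REG)):
    print(f"{label!r} ({clsid}) loads {dll} via {hive}\n{removal_reg(clsid)}")
```

Entries that resolve only through HKEY_CURRENT_USER\Software\Classes are the ones to inspect first, since every variant on this page registers its CLSID there rather than under HKLM.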

A big thanks to the scumbags over at Spyfalcon for bringing us this new file!




© 2003-2008 All Rights Reserved Bleeping Computer LLC.
