SpyFalcon manual removal:

Kill processes:
atmclk.exe, dcomcfg.exe, dfrgsrv.exe, mscornet.exe, mssearchnet.exe, nvctrl.exe, spyfalcon.exe
(In Safe Mode none of these should be running, which is why the remaining steps go more smoothly there.)

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpyFalcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{244B730E-D899-4E38-9428-03D1143242E0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SpyFalcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyFalcon
(The HKEY_CURRENT_USER entry lives in the infected user's hive: check it while logged on as that user, not only as Administrator.)

Unregister DLLs (regsvr32 /u name.dll; a DLL that was never registered will say so, which is fine):
appmagr.dll, bolnyz.dll, dxmpp.dll, fyhhxw.dll, ginuerep.dll, higjxe.dll, htey.dll, iqzv.dll, oerucu.dll, oqipt.dll, reglogs.dll, sbnudh.dll, twain32.dll, ulztc.dll

Delete files:
atmclk.exe, dcomcfg.exe, dfrgsrv.exe, mscornet.exe, mssearchnet.exe, nvctrl.exe, spyfalcon.exe, appmagr.dll, bolnyz.dll, dxmpp.dll, fyhhxw.dll, ginuerep.dll, higjxe.dll, htey.dll, iqzv.dll, oerucu.dll, oqipt.dll, reglogs.dll, sbnudh.dll, twain32.dll, ulztc.dll, sf.ini, hp[X].tmp, ld[X].tmp
Match the names exactly: Windows' own appmgr.dll and twain_32.dll are not on this list and must stay.

Delete directories:
C:\Program Files\SpyFalcon
C:\Documents and Settings\[Current User]\Start Menu\Programs\SpyFalcon

Misc:
[X] is a combination of four random characters.

Exact file location:
spyfalcon.exe, sf.ini - C:\Program Files\SpyFalcon
atmclk.exe, dcomcfg.exe, dfrgsrv.exe, mscornet.exe, mssearchnet.exe, nvctrl.exe, hp[X].tmp, ld[X].tmp, appmagr.dll, bolnyz.dll, dxmpp.dll, fyhhxw.dll, ginuerep.dll, higjxe.dll, htey.dll, iqzv.dll, oerucu.dll, oqipt.dll, reglogs.dll, sbnudh.dll, twain32.dll, ulztc.dll - C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32
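The whole procedure above as one script, added here as an example; it is not code from the original guide or from the site that published it. It uses only the process names, DLL names, registry keys, CLSIDs and paths listed above, assumes PowerShell is installed (XP-era machines did not ship with it), and only reports what it finds unless you pass -Remove.

```powershell
# Added example, not part of the original guide: sweep the indicators listed
# above and, only with -Remove, take them out in the guide's order (processes,
# registry, DLLs, files, directories). Run elevated, preferably in Safe Mode.
[CmdletBinding()]
param([switch]$Remove)

# Indicators copied from the guide; [X] in hp[X].tmp / ld[X].tmp is four random characters.
$Exes     = 'atmclk.exe','dcomcfg.exe','dfrgsrv.exe','mscornet.exe','mssearchnet.exe',
            'nvctrl.exe','spyfalcon.exe'
$Dlls     = 'appmagr.dll','bolnyz.dll','dxmpp.dll','fyhhxw.dll','ginuerep.dll','higjxe.dll',
            'htey.dll','iqzv.dll','oerucu.dll','oqipt.dll','reglogs.dll','sbnudh.dll',
            'twain32.dll','ulztc.dll'
$TmpGlobs = 'hp????.tmp','ld????.tmp'
$Clsid    = '{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}'
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RegKeys  = @(
  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\$Clsid",
  "HKCU:\SOFTWARE\Classes\CLSID\$Clsid",
  'HKLM:\SOFTWARE\Classes\TypeLib\{244B730E-D899-4E38-9428-03D1143242E0}',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SpyFalcon',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyFalcon'
)
# The guide names three possible system directories; keep whichever exist here.
$SysDirs = @("$env:windir\System", "$env:windir\System32") | Where-Object { Test-Path -LiteralPath $_ }
# Program Files plus the Start Menu folder of every profile (XP and later layouts).
$Dirs = @("$env:ProgramFiles\SpyFalcon") + @(
  Get-ChildItem 'C:\Documents and Settings', 'C:\Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'Start Menu\Programs\SpyFalcon' })

$Hits = @()
function Act([string]$What, [scriptblock]$Action) {
  $script:Hits += $What
  if ($Remove) { Write-Host "removing $What"; & $Action } else { Write-Host "found    $What" }
}

# 1. Processes: stop them first or the file deletions below fail with "in use".
foreach ($p in Get-Process) {
  if ($Exes -contains "$($p.ProcessName).exe") {
    Act "process $($p.ProcessName) (pid $($p.Id))" { Stop-Process -Id $p.Id -Force }
  }
}

# 2. Registry: the Run value, then the listed keys with everything under them.
if (Get-ItemProperty -Path $RunKey -Name SpyFalcon -ErrorAction SilentlyContinue) {
  Act "$RunKey\SpyFalcon" { Remove-ItemProperty -Path $RunKey -Name SpyFalcon }
}
foreach ($k in $RegKeys) {
  if (Test-Path -LiteralPath $k) { Act "key $k" { Remove-Item -LiteralPath $k -Recurse -Force } }
}

# 3. EXEs, DLLs and the random-named .tmp files in the system directories.
#    Names are matched exactly: Windows' own appmgr.dll and twain_32.dll stay.
foreach ($d in $SysDirs) {
  $files = @(Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer -and (($Dlls -contains $_.Name) -or ($Exes -contains $_.Name)) })
  foreach ($f in $files) {
    Act "file $($f.FullName)" {
      # regsvr32 /u reports an error for a DLL that was never registered; that is expected.
      if ($f.Extension -ieq '.dll') { & regsvr32.exe /u /s $f.FullName | Out-Null }
      Remove-Item -LiteralPath $f.FullName -Force
    }
  }
  foreach ($g in $TmpGlobs) {
    foreach ($t in @(Get-ChildItem -Path $d -Filter $g -Force -ErrorAction SilentlyContinue)) {
      Act "file $($t.FullName)" { Remove-Item -LiteralPath $t.FullName -Force }
    }
  }
}

# 4. Directories.
foreach ($dir in $Dirs) {
  if (Test-Path -LiteralPath $dir) { Act "dir $dir" { Remove-Item -LiteralPath $dir -Recurse -Force } }
}

if ($Hits.Count -eq 0)  { Write-Host 'No SpyFalcon indicators found.' }
elseif (-not $Remove)   { Write-Host "$($Hits.Count) indicator(s) found; re-run with -Remove to delete them." }
```

Run it once without -Remove and read the list before deleting anything. Two caveats: the HKCU key is only visible when the script runs as the infected user (Safe Mode as Administrator shows Administrator's hive), and a file that still will not delete is being held open by something that survived step 1, which is the situation several of the comments below describe.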
Domain Name: SPYFALCON.COM (195.225.176.79)
Registrant:
SunShine Ltd
David Taylor
U-12 Gamma Commercial Complex # 47
Rizal Highway cor. Manila Ave Subic Bay
Olongapo City
null, 98101, PH
Tel. +206.9543154
Other domains at the same IP address:
Spyfalconupdate.com
Updateyourwindows.com
Avoid these domains and this IP. Better still, block the domain names in your hosts file; note that a hosts entry only stops name lookups, so a connection made straight to the IP address needs a firewall rule instead.
The manual removal instructions did it!
All spyware programs will not update and communicate on the net, as SpyFalcon blocks just about everything you want to do ...
Next step is to find out what f-secure is really worth!!!
Used to have Zone Labs and after I installed spy and ad ware I never ever had any troubles on the net, although with my printer ...
Cheers
thank you twice
keep going on
This is the worst spy/adware/virus I've ever had and it sucks. And why is this company not shut down?!?!?!
Thanks, all fixed.
Endless thanks to you.
I feel confident enough in my meager computer skills to tinker with the inner workings of Windows, but without this, I would have been lost without knowing where to start.
This spyware is a Cancer. Without caution in "surgery," so to speak, it will grow back.
Several recommendations I would like to make:
SpyFalcon is a disease that fights back, so cut to the chase. Restart and go into Safe Mode. (I selected "Administrator" at the welcome screen, allowing me to access all users.) Doing so will allow you to "sneak up on it" unawares, and catch it with its guard down. Start the step to "Kill Processes," but in Safe Mode, it is unlikely that any of them will be active.
Under the step "Unregister DLLs," perform a Windows search for "dxmpp.dll" first. The results will give you the path extension to look for.
During the "Delete Files" step I thought it might be problematic to find the hp[X].tmp and the ld[X].tmp files since they have variable entry names. I performed a Windows search again, but I entered the file type (.tmp) in the text box, which brought up all entries with the .tmp extension. This, I found, served two purposes. First, it made it easier to find them, but secondly, I also found multiple iterations of both files! (Likely the result of my initial unsuccessful attempts at its removal.)
Lastly, during the "Delete Directories" step, I checked all the users, not just the [Current User]. I found nothing in the others, but there is no telling what may occur in other computers and infections. (Having enabled "Show Hidden Files and Folders," I found that there were other hidden "Users." Probably just a functionality aspect of Windows, not real users, but I checked them anyway.)
Good luck to everyone who has suffered this problem. You can get through it.
Win XP
I started in SAFE MODE with COMMAND PROMPT
I went to the PROGRAM FILES folder where SPY FALCON resides
I took a peek at the contents of the Spy Falcon folder and found that there were several more files listed than what appears in normal Windows mode. Including a couple of DLLs and a 54kb txt blacklist text file.
Step back to the PROGRAM FILES folder if you were curious enough to take a peek at the contents.
RMDIR SPYFALCON /S
This ReMoves the DIRectory and all subfolders.
Thats it.. over and done with. The two DLLs listed came up with mixed results
- Yahoo programs
- Microsoft necessary files
- Spy Axe, Spy Falcon, Backdoor trojan DLL
The key factor is WHERE these files are located.
I hope this helps speed along someone elses recovery.
The above is the payment service provider for SpyFalcon. Seems to me if everyone called the 800 number several times a day without ordering then the phone bill would eventually cause them to stop supporting SpyFalcon's efforts. Also, if you flood the mailbox with nasty letters then some of this crap might stop... To me it would be worth paying the assault charge to find these jerks that developed SpyFalcon and give them a real virus that would land them in a real hospital...
However, whenever I delete ld[X].tmp in Safe Mode, it reappears after I restart, with a new random 4-character string. I guess this means that there is still something on my system that keeps creating this file.
Does anyone know how to stop this file from reappearing? I have to go to bed.
It doesnt seem to happen if you restart back into Safe Mode, so there must be something in the startup sequence that can be disabled to prevent these two files from cropping up again.
Boy this damn trojan causes dialer to start up and disconnect when trying to download scan engines and Task Manager window has no X at right top to close it. Only way to close TM is in the tray. Also, the dialer disconnects when activated. This is a hell of a problem until one can safely remove this program, then my computer runs normally. By the way, Netscape did not default to Spyfalcon web page, only IE.
Thanks Again
and didn't grab any virus removal programs, but I still got the Windows world and that red X popping up. Do you know how I can remove it? It keeps popping up with messages.
Edit: The icon is gone... I don't know how and why, but it's gone... I'm so 1337 :D
I have however finally removed this rubbish from my P.C and no longer have those annoying icons in the system tray popping up every now and again.
That will get rid of that stupid red dot with the X thing in the tray. Do not forget to do this in Safe Mode.
Cheers
Thank you.
- boot to safe mode
- use Process Explorer (Sysinternals) to kill the thread/module running inside "explorer.exe" called ginuerep.dll; this is the one that keeps rewriting the registry keys. Just locate it on the Threads tab and push the Kill button for the module.
- delete all files listed above; ginuerep.dll would not delete; deleted all *.tmp from system32
- follow all instructions above and delete all instances of "ginuerep.dll" in the registry
- denied Everyone full control on the file ginuerep.dll with NTFS permissions (got an error, but it worked)
- reboot to Safe Mode again and now I was able to delete ginuerep.dll. After that, reboot normally and it should be gone
- also go to Control Panel > Internet Options and change the home page back
- then in XP SP2 or higher, go to "Manage Add-ons" and disable the security toolbar
you may also want to check the default search settings or other possible redirection
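The Process Explorer step from the post above, done from PowerShell, as an added example that is not the poster's own code: it lists every process that has the named DLL mapped (the post says it rides inside explorer.exe) and then puts a Deny-Everyone ACE on the copies in the system directories, which is the NTFS trick the poster used before deleting the file from Safe Mode. The DLL name is a parameter; ginuerep.dll is the default only because it is the one the post names. It assumes an elevated PowerShell on the infected machine.

```powershell
# Added example, not part of the original post. Run elevated.
param([string]$DllName = 'ginuerep.dll')

function Find-ModuleHosts([string]$Name) {
  # Get-Process exposes each process's loaded modules; reading them throws for
  # protected processes or when the bitness differs, so those are skipped.
  foreach ($p in Get-Process) {
    $mods = @()
    try { $mods = @($p.Modules) } catch { continue }
    foreach ($m in $mods) {
      if ($m.ModuleName -ieq $Name) {
        New-Object PSObject -Property @{ ProcessId = $p.Id; Process = $p.ProcessName; Path = $m.FileName }
      }
    }
  }
}

function Deny-Everyone([string]$Path) {
  # SID S-1-1-0 is "Everyone" on every language of Windows, so no name lookup is needed.
  $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $everyone,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Deny)
  $acl = Get-Acl -LiteralPath $Path
  $acl.AddAccessRule($rule)
  Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1. Who has it loaded right now? (Expected to be nobody in Safe Mode.)
$hosts = @(Find-ModuleHosts $DllName)
if ($hosts.Count -eq 0) {
  Write-Host "No running process has $DllName loaded."
} else {
  $hosts | Format-Table ProcessId, Process, Path -AutoSize
}

# 2. Lock every copy in the system directories so it cannot be loaded after the next boot.
foreach ($dir in "$env:windir\System32", "$env:windir\System") {
  $path = Join-Path $dir $DllName
  if (Test-Path -LiteralPath $path) { Deny-Everyone $path; Write-Host "Denied Everyone on $path" }
}
```

If explorer.exe shows up in the list, end it (Stop-Process -Name explorer -Force) and start it again from Task Manager's File > New Task; on XP it does not restart by itself. The Deny ACE does not stop the later deletion, because Administrators hold "Delete subfolders and files" on the system directory and that permission on the parent overrides the file's own ACL. Should you ever need to undo the ACE instead, take ownership with takeown /f and remove it with icacls <file> /remove:d *S-1-1-0.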
I have just run through the reg keys and they are not there.
Thanks for all the help. Giles Mackay, QLD
1. Go to Safe Mode (Run > msconfig > BOOT.INI > check /safeboot), reboot.
2. Read the SpyFalcon manual removal above. Take out all the files like they say.
You will not be able to remove ginuerep.dll just yet. If you can't find some of
the things they tell you to remove, no big deal.
3. Once you have erased all the junk, reboot in Safe Mode again, now go to c:\winnt\system32
and erase the evil file ginuerep.dll.
4. great, you're set. to boot in normal mode, go back to boot.ini and uncheck /safeboot. then
reboot.
hooray.
Also, when you run msconfig, go to the Startup tab and uncheck SpyFalcon. This reduces the number of files you have to delete.
Also, Trojan Hunter V4.0 does not pick this up.
Why the hell do we allow programs like this onto the market! These people who distribute malicious code should be locked up!
Already something I have done (I think something I quarantined when I used Spyware Doctor) has screwed up my computer when I turn it on. It says "C:/ not found". Not good.
Also, the address for Spy Falcon is listed above. Is that the real address? Can we go there in the Philippines and destroy this company and the guy listed above?
Cheers.
Any suggestions
1- download and install the free spyware doctor and run it.
2- when finished open the log of infected files and save it (I had 80 in total)
3- restart your computer in safe mode (which disables all the memory applications associated with spyfalcon)
4- manually remove registry entries, unregister .dll files associated with spyfalcon, then delete the .dll files and remove all traces of the program
5- run spyware doctor again and if there are some you missed (which not all can be picked up first time) remove them again and repeat as necessary.
It took me about an hour and 15 mins but there are no more traces of the bloody thing in my system AT ALL and all you have done is saved 30 bucks by doing the removal manually. If you dont know how to do any of this then this site has some instructions about unregistering .dlls and removing registry files.
My system is Windows XP 100% updated, with Norton Internet Security 2006 100% updated.
The attack was only on the Windows Internet browser, but did not attack the browser that I daily
use, Slimbrowser from Flashpeak.com.
I tried to get help from Norton, but they wanted money to help me, and still I have about
230 days left on my licence.
Bent Pedersen Denmark
Thank you guys for all the information you supplied to our business.
And just a footnote: Norton doesn't help in any way, and we are finding it also a pain in the arse with being too big and using all the resources of one's computer; it doesn't do its job anyway. Where is it known that you have to find a program to uninstall a program, especially with the Norton security?
Regards to the techs on this site.
Clickatec.com.au
Please help, this is getting way too annoying.
I got the programs from http://www.schrockinnovations.com/removespyfalcon.php and followed the instructions but modified the user,
there is probably a shorter way to edit the explorer.exe file and just delete the icon from startup, but I'm not that clever with computers. I stumbled onto this solution after a day and a half.
I wrote next message too.
I STRONGLY RECOMMEND THAT YOU TRY IT BEFORE ATTEMPTING ANYTHING ELSE. I had a system checkpoint last night, which worked totally fine and you won't lose any work after the checkpoint(documents, saved games, that type of things). I lost a few programs that I installed afterwards but it's even better because they were all for this darn Spyfalcon!!!
SO YEAH, IF YOU HAVEN'T TURNED OFF YOUR SYSTEM RESTORE IT WILL DEFINITELY WORK FOR YOU!
It took me three hours to fix and Spy Doctor could not find it.
We have a free removal tutorial posted at http://www.schrockinnovations.com/removespyfalcon.php, but suddenly people started reporting that upon restarting their computers they were becoming reinfected. We have since found that two additional files are being installed now that were not before. We updated the fixsf.zip removal tool in the tutorial to include these files.
Good luck and please post back here and let us know if you have any problems getting it removed.
http://www.schrockinnovations.com
http://www.thorschrock.com
thanks
byron
spyware doctor removed all the files but I am still
pestered by the icon in the task bar
anybody got ideas to remove
thanks
I could only delete it in Safe Mode under the C: prompt, deleting it manually from C:\Windows\system32.
Norton did not find anything when I ran a scan. System Mechanic identified spyware but could not eliminate it.
I found this site in desperation. I tried the System Restore solution (which seems an obvious route to take) and it appears to have worked. My system is back to normal with no sign of any annoying pop-up warnings or flashing icons. The three shortcuts that appeared on my desktop have gone too.
Marvellous!
Then out of curiosity I changed the name to appmagr_begone.dll, and it let me! I then restarted Windows and the alert is now gone! Then I deleted appmagr_begone.dll out of system32 and it let me!!
Hopefully this will work for others too!
SOLUTION: Rename sbnudh.dll, kill the explorer.exe process or restart the computer, then delete the renamed file.
So you can't find it? I looked for all the DLLs that were listed and no luck. I did find a new DLL called
FYHHXW.DLL. I re-logged in Safe Mode as Administrator (I don't get the flashing green icon in admin mode), went to c:\windows\system32, deleted fyhhxw.dll and re-logged. That worked
for me. Hope that helps.
But there's a question that I want to know. That is, I just found "appmgr.dll" in Windows XP
(in windows\system32) instead of "appmagr.dll". Is it a typo???
Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: SPYFALCON.COM
Registrant:
SpyFalcon ltd.
David Taylor (david.alant@gmail.com)
Unit 110 Alpha Bldg. Subic International Hotel Rizal cor.
Sta. Rita Road, Subic Bay Freeport
Olongapo City
null,2200
PH
Tel. +206.9543154
Creation Date: 16-Jan-2006
Expiration Date: 16-Jan-2007
Domain servers in listed order:
ns1.antispydns.biz
ns2.antispydns.biz
ns3.antispydns.biz
Anyway, this is what worked for me:
I used regedit to get rid of the registry entries, manually deleted the installation folder (C:\Program Files\SpyFalcon), then copied/pasted the list of files to delete from above into Windows Search and found only one: sbnudh.dll. Tried to unregister it, but couldn't; the message said that this DLL couldn't be registered in the first place. Restarted in Safe Mode and deleted it, system tray icon gone!
Hope this helps SOMEONE. Man, what a pain...
Couldn't delete it or anything so I restarted in safe mode, found the file and deleted it, now it's all gone.
Thanks a lot guys :D