Remove SpyFalcon. Description and removal instructions

 
Title: SpyFalcon
Also known as: Spy Falcon
Type: Trojans
Severity scale: 70 / 100
 
SpyFalcon is a trojan that displays an icon in the system tray. The icon shows a message claiming that the compromised computer is infected with dangerous spyware parasites and asks the user to download and install a removal program, which is actually Spy Falcon, a corrupt, illegally distributed spyware remover. When the user clicks the message, the trojan opens a web site distributing SpyFalcon. It may also try to download the application. The trojan is able to change the Internet Explorer default home page and redirect the web browser to malicious web sites. SpyFalcon automatically runs on every Windows startup.


SpyFalcon properties:
• Shows commercial adverts
• Connects itself to the internet
• Hides from the user
• Stays resident in background

SpyFalcon manual removal:

Kill processes:
atmclk.exe, dcomcfg.exe, dfrgsrv.exe, mscornet.exe, mssearchnet.exe, nvctrl.exe, spyfalcon.exe
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpyFalcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{244B730E-D899-4E38-9428-03D1143242E0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SpyFalcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyFalcon
Unregister DLLs:
appmagr.dll, bolnyz.dll, dxmpp.dll, fyhhxw.dll, ginuerep.dll, higjxe.dll, htey.dll, iqzv.dll, oerucu.dll, oqipt.dll, reglogs.dll, sbnudh.dll, twain32.dll, ulztc.dll

Delete files:
atmclk.exe, dcomcfg.exe, dfrgsrv.exe, mscornet.exe, mssearchnet.exe, nvctrl.exe, spyfalcon.exe, appmagr.dll, bolnyz.dll, dxmpp.dll, fyhhxw.dll, ginuerep.dll, higjxe.dll, htey.dll, iqzv.dll, oerucu.dll, oqipt.dll, reglogs.dll, sbnudh.dll, twain32.dll, ulztc.dll, sf.ini, hp[X].tmp, ld[X].tmp
Delete directories:
C:\Program Files\SpyFalcon
C:\Documents and Settings\[Current User]\Start Menu\Programs\SpyFalcon
Misc:
[X] is a combination of four random characters.

Exact file location:
spyfalcon.exe, sf.ini - C:\Program Files\SpyFalcon
atmclk.exe, dcomcfg.exe, dfrgsrv.exe, mscornet.exe, mssearchnet.exe, nvctrl.exe, hp[X].tmp, ld[X].tmp, appmagr.dll, bolnyz.dll, dxmpp.dll, fyhhxw.dll, ginuerep.dll, higjxe.dll, htey.dll, iqzv.dll, oerucu.dll, oqipt.dll, reglogs.dll, sbnudh.dll, twain32.dll, ulztc.dll - C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32
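
A read-only check for the indicators listed in the manual removal steps above, as an added PowerShell example that is not part of the original page. It assumes `Run\SpyFalcon` and the `SharedTaskScheduler` entry are named values and the remaining entries are keys, and it reads the CLSID's `InprocServer32` default value (standard COM registration, not something the page states) to find the DLL even if it has been renamed.

```powershell
# Added example (not from the original page): read-only check for the
# SpyFalcon indicators listed above. It reports findings and deletes nothing.
$clsid = '{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}'
$cv    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$exes  = 'atmclk','dcomcfg','dfrgsrv','mscornet','mssearchnet','nvctrl','spyfalcon'
$dlls  = 'appmagr','bolnyz','dxmpp','fyhhxw','ginuerep','higjxe','htey','iqzv',
         'oerucu','oqipt','reglogs','sbnudh','twain32','ulztc'
$files = @($exes | ForEach-Object { "$_.exe" }) + @($dlls | ForEach-Object { "$_.dll" }) + 'sf.ini'

# 1. Running processes from the "Kill processes" list.
Get-Process -Name $exes -ErrorAction SilentlyContinue |
    ForEach-Object { "PROCESS  $($_.Name) (PID $($_.Id))" }

# 2. Registry entries. Assumption: the first two are named values under a key,
#    the rest are whole keys.
$values = @{ "$cv\Run" = 'SpyFalcon'; "$cv\Explorer\SharedTaskScheduler" = $clsid }
foreach ($key in $values.Keys) {
    $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if ($k -and $null -ne $k.GetValue($values[$key])) { "REGVALUE $key\$($values[$key])" }
}
$keys = "HKCU:\SOFTWARE\Classes\CLSID\$clsid",
        'HKLM:\SOFTWARE\Classes\TypeLib\{244B730E-D899-4E38-9428-03D1143242E0}',
        "$cv\App Management\ARPCache\SpyFalcon",
        "$cv\Uninstall\SpyFalcon"
$keys | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "REGKEY   $_" }

# 3. The DLL the listed CLSID actually loads. Visitors report the DLL being
#    renamed, so the registered path is more reliable than a fixed file name.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $path = "$hive\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    $k = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($k) { "CLSIDDLL $($k.GetValue(''))" }
}

# 4. Files by name, plus hp[X].tmp / ld[X].tmp where [X] is four characters.
#    -Force includes hidden files; the modified time helps spot recent drops.
$dirs = "$env:SystemRoot\System", "$env:SystemRoot\System32", "$env:ProgramFiles\SpyFalcon"
Get-ChildItem -LiteralPath $dirs -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $files -contains $_.Name -or
                   $_.Name -like 'hp????.tmp' -or $_.Name -like 'ld????.tmp' } |
    ForEach-Object { "FILE     $($_.FullName)  modified $($_.LastWriteTime)" }
```

No output means none of the listed indicators were found under their listed names and locations.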

Domain Name: SPYFALCON.COM (195.225.176.79)
Registrant:
SunShine Ltd
David Taylor
U-12 Gamma Commercial Complex # 47
Rizal Highway cor. Manila Ave Subic Bay
Olongapo City
null, 98101, PH
Tel. +206.9543154

Other domains at the same IP address:
Spyfalconupdate.com
Updateyourwindows.com

AVOID THESE DOMAINS AND THESE IPs! Better block them in your hosts file.

Other programs to remove SpyFalcon:

• SUPERAntiSpyware
• CounterSpy
• Windows Defender

Information added: 09/02/06
Information updated: 17/09/06

Comments from visitors:


1. by Guest. 2006-07-05 14:07:04
I found this article by searching the atmclk.exe. I don't seem to actually have the spyfalcon program, but atmclk.exe and dcomcfg.exe kept showing up on the process list, and I can't open any folders or IE...

2. by Guest. 2006-06-13 02:06:20
This was driving me insane, all I could find was reglogs.dll

Couldn't delete it or anything so I restarted in safe mode, found the file and deleted it, now it's all gone.

Thanks a lot guys :D

3. by Guest. 2006-06-10 00:06:43
This has been driving me nuts, especially since I'm working on this computer for someone else. I would never have figured it out if not for this site.

Anyway, this is what worked for me:

I used regedit to get rid of the registry entries, manually deleted the installation folder (c:\program files\spyfalcon), then copied/pasted the list of files to delete from above into windows search and found only one: sbnudh.dll. Tried to unregister it, but couldn't--the message said that this dll couldn't be registered in the first place. Restarted in safe mode and deleted it, system tray icon gone!

Hope this helps SOMEONE. Man, what a pain...

4. by Guest. 2006-06-04 15:06:45
I have just recently battled Spyfalcon on a friend's computer and have gotten rid of the main virus itself. However, he is still getting the constant message bubble from the system tray, and the message that there are infected files on his computer whenever he opens up the internet. I have run a bunch of scans with many different anti-virus software programs, and they aren't catching anything anymore. I have no idea how to rid him of this. Any help anyone can give me is much appreciated. Thanks

5. by Guest. 2006-06-01 04:06:13
Update on SpyFalcon.com Registrant

Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: SPYFALCON.COM
Registrant:
SpyFalcon ltd.
David Taylor (david.alant@gmail.com)
Unit 110 Alpha Bldg. Subic International Hotel Rizal cor.
Sta. Rita Road, Subic Bay Freeport
Olongapo City
null,2200
PH
Tel. +206.9543154
Creation Date: 16-Jan-2006
Expiration Date: 16-Jan-2007
Domain servers in listed order:
ns1.antispydns.biz
ns2.antispydns.biz
ns3.antispydns.biz

6. by Guest. 2006-05-19 03:05:20
Yes. After renaming "sbnudh.dll", the SF icon never interferes with system tray.
But there's a question that I wanna know. That is, I just found "appmgr.dll" in Windows XP platform (in windows\system32) instead of "appmagr.dll". Is it mis-typing ???

7. by Guest. 2006-05-18 19:05:39
I was asked to reboot my computer into safe mode while removing another program and when I rebooted back to a time prior to spy falcon being on my computer after that, the spy falcon had disappeared.

8. by Guest. 2006-05-18 16:05:30
ok like others I tried all kinds of ways to get rid of SF. It seems it changes the name of the .dll so you can't find it. I looked for all the dll's that were listed and no luck. I did find a new dll called FYHHXW.DLL. I relogged in safe mode as Administrator (I don't get the flashing green icon in admin mode), went to c:/windows/system32 and del the fyhhxw.dll and relogged. That worked for me. Hope that helps

9. by Guest. 2006-05-18 08:05:12
Like most people here I removed all files mentioned, but still had a wheelchair, I even removed appmagr.dll but the wheelchair was still there. So I sorted the system32 directory by date modified, and found that the appmagr.dll had been renamed to sbnudh.dll.

SOLUTION: Rename sbnudh.dll, kill the explorer.exe process or restart the computer, then delete the renamed file.

10. by Guest. 2006-05-18 06:05:42
I can't find any of the files listed anywhere on the net - everything has been removed from my machine... everything except that bloody icon of a wheelchair. Is it possible I have a newer version of this that has changed its file name conventions?

11. by Guest. 2006-05-17 14:05:52
Did a Window System Restore for the day before. Afterwards went to System32 and deleted the files that weren't able to be deleted before. Poof! It's gone!!

12. by Guest. 2006-05-17 05:05:37
I dunno why, but when I turn on auto-protect (I have removed everything but still, the UL Window Seek stuff still comes out), after 3 sec it is automatically turned off again. Is there anything wrong? I heard from an IT friend that the Trojan is shifting into different directories... :P

13. by Guest. 2006-05-14 21:05:36
I was unable to remove appmagr.dll from c:\windows\system32, I tried deleting it manually in regular windows, in safemode, and in command prompt. It wouldn't let me, it was obviously running, I couldn't get the virus alert out of my system tray.
Then out of curiosity I changed the name to appmagr_begone.dll, it let me! I then restarted windows and the alert is now gone! Then I deleted appmagr_begone.dll out of system32 and it let me!!
Hopefully this will work for others too!

14. by Guest. 2006-05-14 13:05:11
One more thing about that bullet-proof tray icon. I had cleaned everything related to SpyFalcon using Spy Doctor (yes I paid the $29 just for the aggravation factor) and still had the wheelchair and the 'Your computer is infected' pop up. Tracked it to appmagr.dll as the only thing left. Could not unregister, as prior cleanup had apparently modified 'entry point.' Tried to delete in safe mode, but the bugger loaded already and I got the 'cannot delete, the file is being used by Windows' message. Booted in safe mode to command prompt, changed to the WINNT\SYSTEM32 directory and deleted appmagr.dll. Gone. All you need is love.

15. by Guest. 2006-05-12 23:05:48
Terrible, I removed spyfalcon with Ad-aware se but after 3 weeks it's back!

16. by Guest. 2006-05-12 08:05:42
What a nasty blatant attack this was. I am no pc whizzkid, but I realised that none of the generated warnings seemed to come from my Windows. I was careful therefore not to click on any of the suspicious links.
Norton did not find anything when I ran a scan. System Mechanic identified spyware but could not eliminate it.
I found this site in desperation. I tried the System Restore solution (which seems an obvious route to take) and it appears to have worked. My system is back to normal with no sign of any annoying pop-up warnings or flashing icons. The three short-cuts that appeared on my desktop have gone too.
Marvellous!

17. by Guest. 2006-05-12 01:05:45
Couldn't get rid of that little @#$% in his wheelchair either for about 12 hours trying. Finally I found the .dll who was supporting it -- APPMAGR.dll --
I only could delete it in safe mode under c: prompt and deleting it manually from C:\windows\system32.

18. by Guest. 2006-05-10 09:05:51
find the location of the .exe, (c:\windows\system32\atmclk.exe) - reboot in safe mode with command prompt then delete the file itself. (cmd: del c:\windows\system32\atmclk.exe)

19. by Guest. 2006-05-09 18:05:35
tried everything mentioned here and still no luck getting rid of it.:(

20. by Guest. 2006-05-09 11:05:55
I have tried the suggestion of using schrockinnovations,com posted as 15/05. I had previously used spyware doctor.
spyware doctor removed all the files but I am still
pestered by the icon in the task bar

anybody got ideas to remove

thanks
