Manual removal instructions for SpyFalcon



PepiMK
2008-11-08, 18:08
The following instructions have been created to help you to get rid of "SpyFalcon" manually.
If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Categories:

malware


Description:

Finds nonexistent threats to make the user buy the software. The EULA is insufficient.
The uninstaller only removes icons; it does not work. Common fraud.

Supposed Functionality:

Supposed to be antispyware software.

Desktop:

Please remove the following files from your desktop.
To check where they point to, right-click them and choose "Properties" from the context menu that appears.


Shortcuts named "SpyFalcon.lnk" and pointing to "<$PROGRAMFILES>\SpyFalcon\SpyFalcon.exe".
Shortcuts named "SpyFalcon.lnk" and pointing to "SpyFalcon.exe".



Start Menu:

Please remove the following items from your start menu.
To check where they point to, right-click them and choose "Properties" from the context menu that appears.


Items named "SpyFalcon 2.0.lnk" and pointing to "SpyFalcon.exe".



Quicklaunch area:

Please remove the following items from your quick launch area next to the "Start" button in the taskbar at the bottom.
To check where they point to, right-click them and choose "Properties" from the context menu that appears.


Quicklaunch symbols named "SpyFalcon 2.0.lnk" and pointing to "SpyFalcon.exe".



Important: There are more quicklaunch items that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.


Entries named "SpyFalcon".
Entries named "SpyFalcon" and pointing to "<$PROGRAMFILES>\SpyFalcon\SpyFalcon.exe".



Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.


Products that have a key or property named "SpyFalcon".



Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.


The file at "<$PROGRAMFILES>\SpyFalcon\SpyFalcon.exe".
A file with an unknown location named "sfsetup.exe".
A file with an unknown location named "SpyFalcon.exe".
The file at "<$SYSDIR>\ginuerep.dll".
A file with an unknown location named "ginuerep.dll".
The file at "<$LOCALSETTINGS>\Temp\~nsu.tmp\Au_.exe".
The file at "<$PROGRAMFILES>\SpyFalcon\syg.db.old".


Make sure you set your file manager to display hidden and system files. If SpyFalcon uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.


The directory at "<$PROGRAMS>\SpyFalcon".
The directory at "<$PROGRAMFILES>\SpyFalcon".
The directory at "<$PROGRAMFILES>\SpyFalcon\Lang".
The directory at "<$PROGRAMFILES>\SpyFalcon\Logs".
The directory at "<$PROGRAMFILES>\SpyFalcon\Quarantine".


Make sure you set your file manager to display hidden and system files. If SpyFalcon uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.


Delete the registry key "{008E3200-28EB-463b-9B58-75C23D80911A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{0CBD1CBA-E034-4287-9B49-5F2912E1D33B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{18575620-E41D-4204-BF6F-964069D80F45}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{4B860BE9-5B96-4443-9714-6ACD89989D1E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5796859D-53C4-46C1-AD6F-2A3C4D4306EB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{597892CA-A878-4A04-978F-DBA8DC2BB2FB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{673A88D4-C0E0-40D2-9B93-AE39D9A1675F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{7CC220DA-D962-4935-AD3A-21F7CA4962E3}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9DD57F95-DA3A-4EDA-9475-27CCF366A4FD}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B4D9C59B-A091-4D79-90CC-DD92F3BACF63}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B8F90F00-CF78-4431-A13F-58B979F7EE20}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{CDEB1FD8-0917-40A2-B915-8FB9D7FDD75C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{CF277F5A-347E-40C2-BAF0-4F09D0607041}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D5DE421A-4AA5-4FE3-AA43-7D2A87D6267F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{DD2D402A-DE41-47A6-AAC9-0D756776203E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E2F430FD-3062-4808-B23F-4B322BFED93F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E9B91E0C-305A-4DD2-9987-B3B0C254C6DE}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EFD28371-A165-4873-A158-421D208FFE5A}" at "HKEY_CLASSES_ROOT\Interface\".
A key in HKEY_CLASSES_ROOT\ named "SpyFalcon.PopupBlockerConnector", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "SpyFalcon.PopupBlockerConnector.1", plus associated values.
Delete the registry key "{B4E17829-DACB-4320-9ABF-DCB382221FC2}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{330A77C2-C15A-43B5-055C-B4E35EAED279}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry value "{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\".
Delete the registry key "{001501E7-C970-4CB1-9740-E055BF3DDFD6}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{0FBBBC44-296D-4A2F-AF45-BE1EE387F569}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{163469FD-6009-48E2-AD8C-47BB2E0D88BE}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{1694E5C6-9E1F-4C3B-B79A-828C2FC40003}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{200BD3A6-A02B-4BAC-A364-A9D8017E3C4E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{20C59F9F-33CB-4B1B-AFB6-B710DB845709}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{23D80835-4A3A-4572-9F5F-3F24A7A28AE5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{255CDDA3-576B-44C9-B944-46EAC18D5D6F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{3261F690-1CA4-4839-928B-F4F898B74EB7}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{37B9988B-1997-41F4-A832-DAE42CC3F7C2}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5B861FB8-903C-4996-B1D3-E9A86ED4BBCF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{6876543E-DA55-4F90-9CD2-5ED380D9516C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{701E8C3A-7910-4CCD-A9F8-7B9A5F5B3947}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{850300D6-D53B-4720-9372-6D31B85537E1}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{8C803228-BD61-4744-8B79-949E3F512DDC}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B7C685F0-1804-4382-A8EF-17D33DF97069}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{244B730E-D899-4E38-9428-03D1143242E0}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "SpyFalcon.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
Delete the registry key "SpyFalcon" at "HKEY_LOCAL_MACHINE\SOFTWARE\".


If SpyFalcon uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).


If you have any further questions, please ask in our forum (http://forums.spybot.info/).
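
A read-only check for the file, folder and registry items listed above, as an added example that is not part of the original post or of Spybot-S&D. It only reports what it finds and deletes nothing. Assumptions: the mapping of the <$...> placeholders to Windows locations, and the Run keys as the place where the "SpyFalcon" autorun entry would live.

```powershell
# Read-only audit: reports which artifacts named in the guide exist. Deletes nothing.
# ASSUMPTION: placeholder mapping below; the guide does not define the <$...> names.
$map = @{
    '<$PROGRAMFILES>'  = $env:ProgramFiles
    '<$SYSDIR>'        = Join-Path $env:SystemRoot 'System32'
    '<$LOCALSETTINGS>' = $env:LOCALAPPDATA   # "Local Settings" on Windows XP
    '<$PROGRAMS>'      = [Environment]::GetFolderPath('Programs')
}
function Expand-GuidePath([string]$p) {
    foreach ($k in $map.Keys) { $p = $p.Replace($k, $map[$k]) }
    $p
}
# Entries copied from the guide's Files, Folders and Registry lists; add the rest the same way.
$paths = @(
    '<$PROGRAMFILES>\SpyFalcon\SpyFalcon.exe',
    '<$SYSDIR>\ginuerep.dll',
    '<$LOCALSETTINGS>\Temp\~nsu.tmp\Au_.exe',
    '<$PROGRAMFILES>\SpyFalcon',
    '<$PROGRAMS>\SpyFalcon'
)
$regKeys = @(
    'HKEY_CLASSES_ROOT\CLSID\{008E3200-28EB-463b-9B58-75C23D80911A}',
    'HKEY_CLASSES_ROOT\SpyFalcon.PopupBlockerConnector',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyFalcon.exe',
    'HKEY_LOCAL_MACHINE\SOFTWARE\SpyFalcon'
)
$regValues = @(
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
       Name = '{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}' },
    # ASSUMPTION: Run keys as the location of the "SpyFalcon" autorun entry.
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'SpyFalcon' },
    @{ Key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run';  Name = 'SpyFalcon' }
)
$findings = @()
foreach ($p in $paths) {
    $full = Expand-GuidePath $p
    if (Test-Path -LiteralPath $full) { $findings += [pscustomobject]@{ Type = 'Path'; Item = $full } }
}
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath "Registry::$k") { $findings += [pscustomobject]@{ Type = 'RegKey'; Item = $k } }
}
foreach ($v in $regValues) {
    # Get-Item returns the key object; the value is checked by name without reading its data.
    $key = Get-Item -LiteralPath "Registry::$($v.Key)" -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $v.Name)) {
        $findings += [pscustomobject]@{ Type = 'RegValue'; Item = "$($v.Key)\$($v.Name)" }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No listed SpyFalcon artifacts found.' }
```

Running it again after cleanup confirms that nothing from the lists is left behind; files the guide lists with an unknown location still need a global search.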