Manual Removal Guide for SpyHeal



Friday
2008-11-28, 17:59
The following instructions have been created to help you to get rid of "SpyHeal" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
Rogue antispyware software with inadequate detection patterns. Successor of SpywareQuake. Registration links to spywarequake.com.

Supposed Functionality:
Supposed to be an antispyware software.

Removal Instructions:

Desktop:

Please remove the following files from your desktop.
To check where they point to, right-click them and choose "Properties" from the context menu that appears.

Shortcuts that include "<$PROGRAMFILES>\SpyHeal\SpyHeal.exe" in the target they point to.

Important: There are more desktop links that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Start Menu:

Please remove the following items from your start menu.
To check where they point to, right-click them and choose "Properties" from the context menu that appears.

Items that include "<$PROGRAMFILES>\SpyHeal\SpyHeal.exe" in the target they point to.

Important: There are more start menu items that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Quicklaunch area:

Please remove the following items from your quick launch area next to the "Start" button in the taskbar at the bottom.
To check where they point to, right-click them and choose "Properties" from the context menu that appears.

Quicklaunch symbols named "SpyHeal 2.1.lnk" and pointing to "<$PROGRAMFILES>\SpyHeal\SpyHeal.exe".

Important: There are more quicklaunch items that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "SpyHeal" and pointing to "<$PROGRAMFILES>\SpyHeal\SpyHeal.exe /h".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products with a key that includes "SpywareHeal" in its name or properties.
Products with a key that includes "SpywareHeals" in its name or properties.
Products with a key that includes "SpywareHealer" in its name or properties.
Products with a key that includes "Spyware Heal" in its name or properties.
Products with a key that includes "Spyware Heals" in its name or properties.
Products with a key that includes "Spyware Healer" in its name or properties.
Products with a key that includes "SpyHeals" in its name or properties.
Products with a key that includes "SpyHealer" in its name or properties.
Products with a key that includes "Spy Heal" in its name or properties.
Products with a key that includes "Spy Heals" in its name or properties.
Products with a key that includes "Spy Healer" in its name or properties.
Products with a key that includes "SpyHeal" in its name or properties.
Products that have a key or property named "SpywareHeal".
Products that have a key or property named "SpywareHeals".
Products that have a key or property named "SpywareHealer".
Products that have a key or property named "Spyware Heal".
Products that have a key or property named "Spyware Heals".
Products that have a key or property named "Spyware Healer".
Products that have a key or property named "SpyHeals".
Products that have a key or property named "SpyHealer".
Products that have a key or property named "Spy Heal".
Products that have a key or property named "Spy Heals".
Products that have a key or property named "Spy Healer".
Products that have a key or property named "SpyHeal".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$PROGRAMFILES>\<$REGMATCH0>\antispy.sh".
The file at "<$PROGRAMFILES>\<$REGMATCH0>\ignored.lst".
The file at "<$PROGRAMFILES>\<$REGMATCH0>\sq.ini".
The file at "<$PROGRAMFILES>\<$REGMATCH0>\uninst.exe".
The file at "<$LOCALSETTINGS>\Temp\SHealLang.ini".
The file at "<$PROGRAMFILES>\SpyHeal 3.8\antispy.sh".
The file at "<$PROGRAMFILES>\SpyHeal 3.8\blacklist.txt".
The file at "<$PROGRAMFILES>\SpyHeal 3.8\uninst.exe".
The file at "<$PROGRAMFILES>\SpyHeal 3.8\Lang\English.ini".
The file at "<$PROGRAMFILES>\SpyHeals\antispy.sh".
The file at "<$PROGRAMFILES>\SpyHeals\ignored.lst".
The file at "<$PROGRAMFILES>\SpyHeals\SpyHeals.exe".
The file at "<$PROGRAMFILES>\SpyHeals\sq.ini".
The file at "<$PROGRAMFILES>\SpyHeals\uninst.exe".
The file at "<$PROGRAMFILES>\SpyHeals\Lang\English.ini".
The file at "<$STARTMENU>\SpywareHeal 2.2.lnk".
The file at "<$STARTMENU>\SpywareHeals 2.2.lnk".
The file at "<$STARTMENU>\SpywareHealer 2.2.lnk".
The file at "<$STARTMENU>\Spyware Heal 2.2.lnk".
The file at "<$STARTMENU>\Spyware Heals 2.2.lnk".
The file at "<$STARTMENU>\Spyware Healer 2.2.lnk".
The file at "<$STARTMENU>\SpyHeals 2.2.lnk".
The file at "<$STARTMENU>\SpyHealer 2.2.lnk".
The file at "<$STARTMENU>\Spy Heal 2.2.lnk".
The file at "<$STARTMENU>\Spy Heals 2.2.lnk".
The file at "<$STARTMENU>\Spy Healer 2.2.lnk".
The file at "<$DESKTOP>\SpywareHeal.lnk".
The file at "<$DESKTOP>\SpywareHeals.lnk".
The file at "<$DESKTOP>\SpywareHealer.lnk".
The file at "<$DESKTOP>\Spyware Heal.lnk".
The file at "<$DESKTOP>\Spyware Heals.lnk".
The file at "<$DESKTOP>\Spyware Healer.lnk".
The file at "<$DESKTOP>\SpyHeals.lnk".
The file at "<$DESKTOP>\SpyHealer.lnk".
The file at "<$DESKTOP>\Spy Heal.lnk".
The file at "<$DESKTOP>\Spy Heals.lnk".
The file at "<$DESKTOP>\Spy Healer.lnk".
The file at "<$PROGRAMFILES>\SpywareHeal\antispy.sh".
The file at "<$PROGRAMFILES>\SpywareHeal\blacklist.txt".
The file at "<$PROGRAMFILES>\SpywareHeal\uninst.exe".
The file at "<$PROGRAMFILES>\SpywareHeal\Lang\English.ini".
The file at "<$PROGRAMFILES>\SpywareHeals\antispy.sh".
The file at "<$PROGRAMFILES>\SpywareHeals\blacklist.txt".
The file at "<$PROGRAMFILES>\SpywareHeals\uninst.exe".
The file at "<$PROGRAMFILES>\SpywareHeals\Lang\English.ini".
The file at "<$PROGRAMFILES>\SpywareHealer\antispy.sh".
The file at "<$PROGRAMFILES>\SpywareHealer\blacklist.txt".
The file at "<$PROGRAMFILES>\SpywareHealer\uninst.exe".
The file at "<$PROGRAMFILES>\SpywareHealer\Lang\English.ini".
The file at "<$PROGRAMFILES>\Spyware Heal\antispy.sh".
The file at "<$PROGRAMFILES>\Spyware Heal\blacklist.txt".
The file at "<$PROGRAMFILES>\Spyware Heal\uninst.exe".
The file at "<$PROGRAMFILES>\Spyware Heal\Lang\English.ini".
The file at "<$PROGRAMFILES>\Spyware Heals\antispy.sh".
The file at "<$PROGRAMFILES>\Spyware Heals\blacklist.txt".
The file at "<$PROGRAMFILES>\Spyware Heals\uninst.exe".
The file at "<$PROGRAMFILES>\Spyware Heals\Lang\English.ini".
The file at "<$PROGRAMFILES>\Spyware Healer\antispy.sh".
The file at "<$PROGRAMFILES>\Spyware Healer\blacklist.txt".
The file at "<$PROGRAMFILES>\Spyware Healer\uninst.exe".
The file at "<$PROGRAMFILES>\Spyware Healer\Lang\English.ini".
The file at "<$PROGRAMFILES>\SpyHeals\blacklist.txt".
The file at "<$PROGRAMFILES>\SpyHealer\antispy.sh".
The file at "<$PROGRAMFILES>\SpyHealer\blacklist.txt".
The file at "<$PROGRAMFILES>\SpyHealer\uninst.exe".
The file at "<$PROGRAMFILES>\SpyHealer\Lang\English.ini".
The file at "<$PROGRAMFILES>\Spy Heal\antispy.sh".
The file at "<$PROGRAMFILES>\Spy Heal\blacklist.txt".
The file at "<$PROGRAMFILES>\Spy Heal\uninst.exe".
The file at "<$PROGRAMFILES>\Spy Heal\Lang\English.ini".
The file at "<$PROGRAMFILES>\Spy Heals\antispy.sh".
The file at "<$PROGRAMFILES>\Spy Heals\blacklist.txt".
The file at "<$PROGRAMFILES>\Spy Heals\uninst.exe".
The file at "<$PROGRAMFILES>\Spy Heals\Lang\English.ini".
The file at "<$PROGRAMFILES>\Spy Healer\antispy.sh".
The file at "<$PROGRAMFILES>\Spy Healer\blacklist.txt".
The file at "<$PROGRAMFILES>\Spy Healer\uninst.exe".
The file at "<$PROGRAMFILES>\Spy Healer\Lang\English.ini".
The file at "<$PROGRAMS>\SpyHeal\SpyHeal 2.1 Website.lnk".
The file at "<$PROGRAMS>\SpyHeal\SpyHeal 2.1.lnk".
The file at "<$PROGRAMS>\SpyHeal\Uninstall SpyHeal 2.1.lnk".
The file at "<$PROGRAMFILES>\SpyHeal\SpyHeal.exe".
The file at "<$PROGRAMFILES>\SpyHeal\SpyHeal.url".
A file with an unknown location named "spyheal_setup.exe".
Make sure you set your file manager to display hidden and system files. If SpyHeal uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMS>\<$REGMATCH0>".
The directory at "<$PROGRAMFILES>\<$REGMATCH0>".
The directory at "<$PROGRAMFILES>\<$REGMATCH0>\Lang".
The directory at "<$PROGRAMFILES>\<$REGMATCH0>\Logs".
The directory at "<$PROGRAMFILES>\<$REGMATCH0>\Quarantine".
The directory at "<$PROGRAMFILES>\sh".
The directory at "<$PROGRAMFILES>\SpyHeal 3.8\Lang".
The directory at "<$PROGRAMFILES>\SpyHeal 3.8\Logs".
The directory at "<$PROGRAMFILES>\SpyHeal 3.8\Quarantine".
The directory at "<$PROGRAMS>\SpyHeals".
The directory at "<$PROGRAMFILES>\SpyHeals\Lang".
The directory at "<$PROGRAMFILES>\SpyHeals\Logs".
The directory at "<$PROGRAMFILES>\SpyHeals\Quarantine".
The directory at "<$PROGRAMFILES>\SpywareHeal".
The directory at "<$PROGRAMFILES>\SpywareHeals".
The directory at "<$PROGRAMFILES>\SpywareHealer".
The directory at "<$PROGRAMFILES>\Spyware Heal".
The directory at "<$PROGRAMFILES>\Spyware Heals".
The directory at "<$PROGRAMFILES>\Spyware Healer".
The directory at "<$PROGRAMFILES>\SpyHeals".
The directory at "<$PROGRAMFILES>\SpyHealer".
The directory at "<$PROGRAMFILES>\Spy Heal".
The directory at "<$PROGRAMFILES>\Spy Heals".
The directory at "<$PROGRAMFILES>\Spy Healer".
The directory at "<$PROGRAMS>\SpyHeal".
The directory at "<$PROGRAMFILES>\SpyHeal".
Make sure you set your file manager to display hidden and system files. If SpyHeal uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{3dab4d3e-1d45-406e-9cda-25227a7a2633}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry value "{3dab4d3e-1d45-406e-9cda-25227a7a2633}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry value "{3dab4d3e-1d45-406e-9cda-25227a7a2633}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry key "{3bb84870-e757-4fb1-a195-e2f7d3d95e40}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry value "{3bb84870-e757-4fb1-a195-e2f7d3d95e40}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry value "{3bb84870-e757-4fb1-a195-e2f7d3d95e40}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry value "{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry value "{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry value "{93ac7c30-3878-4eaa-9420-7977285df5b1}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry value "{93ac7c30-3878-4eaa-9420-7977285df5b1}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry key "{f8d02387-789a-4c0f-a1d8-8a93f33ee4df}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry value "{f8d02387-789a-4c0f-a1d8-8a93f33ee4df}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry value "{f8d02387-789a-4c0f-a1d8-8a93f33ee4df}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry key "{e51e3ade-ddc4-45d9-9a21-36cf20ea9306}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry value "{e51e3ade-ddc4-45d9-9a21-36cf20ea9306}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry value "{e51e3ade-ddc4-45d9-9a21-36cf20ea9306}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry value "{aeabe83d-672b-4717-9154-45bd6283c610}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\".
Delete the registry value "{aeabe83d-672b-4717-9154-45bd6283c610}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\".
Delete the registry key "{aeabe83d-672b-4717-9154-45bd6283c610}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{0EBCA7C4-AA97-4B47-99D7-4932A73E9198}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{16640BA0-193C-4BD5-882B-F92D6EF82156}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{2A041B9C-44AC-47FF-9399-CB8AEEF1CFE8}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{4DFFBEAB-DB11-4602-A3E8-0454ED3F928B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{57DD6CFE-ABDB-46C2-92EB-316A5F499167}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{690D2910-BFD6-47D3-A96C-13E6BA2935E8}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{8407F578-6FA7-446A-8852-53E6A147472E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{85A126D1-2706-443D-9979-8841A1C5B482}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B11E589E-9A82-40EF-9777-8E13553F83D4}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C2E39865-E9E9-462F-87CB-9A09CEB4795F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E12E00DE-9BE2-486C-A9F1-19730F93807E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EBDD9FB9-3A6C-4DA2-B0A9-D117528D4040}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{ED33F056-D246-4FF2-8D2A-D9F3938753BF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EFC68768-18B9-4930-9643-F6DD7AA60A71}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{F5EC0F1E-A3EB-49EA-BD87-989899B6E1C9}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FEB6CDEC-70F6-4D2B-BCA4-1AB3BCDCC513}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{A48995B0-2BB5-4246-B0EA-55B2FFCF9129}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{131706D3-7294-4EDC-BA4B-5290BAB9FB36}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{241D6A46-E756-47C2-A95D-CB63313A5FAB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{2E0ED423-67B0-4C73-BADB-57D673A92E92}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{41417555-4052-47C1-A7DF-C5A2B869F98E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{4AE0048E-4C88-43DE-BBCC-2530A2C24634}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{544F9A30-7A37-4E83-95BF-704131C6B928}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{58F394DC-8F9C-41AF-99A8-0C5DBD830512}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{6D8D02FB-2877-40CF-8325-B6FFEC0811DA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{7FB0A17F-60E7-47C6-BBF8-00A0427CF8EF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{85953437-B661-4DC1-98A6-FC7005B710FC}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{87664F4C-697D-437E-BF90-2FD7C6C0B04C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{984281D2-E2E0-442D-A2DD-88638F2CE04C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9D5ADF27-B3F9-493D-A15E-AB019B9FD18B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9DE6DA81-E460-4E25-937D-A3EE1E6FCA27}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EF215DAD-8E52-4C75-B779-5093B3855E79}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EF884BC1-EE64-4E8B-AE3D-84037A0D1606}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{2A762197-1159-441E-BE28-4160C5494A66}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry value "isamonitor.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\".
Delete the registry key "{B0CB769E-2057-5D37-EA39-F7F57583005F}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{192c5b4a-3efd-40c7-9f99-c472deb8efc0}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{D584A1F2-6441-7DBF-F659-22A8CA9DE1A8}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{96E6B1C3-B5D0-89CC-4909-92D85A48B1A0}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{0A479D87-72AC-4DCE-A3F1-FDC882390F60}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{161D399B-0789-4402-864E-F4347690BD48}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{16737204-F9B6-45D0-BA08-EC632ACA96EA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{22C0F9FE-1453-4925-A7C9-7D118611770E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{37EEB3B8-A21E-4799-9266-9EC7D945674B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{3BEE5AE6-A4D8-4FD3-B5D5-1385CEA2A22C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{46593BFA-1D7A-4A56-90EE-88E852649F3D}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{4A7CC1B7-3BA5-4CF6-8098-56D315EBEE11}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{55DADDE6-2501-415A-BC5F-6F75D6E771C5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{6C6E6CB6-8156-4901-AA42-B535181D17A3}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{775AD947-7128-4774-8623-55FADB5F74BB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{77DF43A0-4CD3-4BE1-B4FC-8B9F3857CBB6}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{80787CB9-2E40-42BA-927A-C7E09C2C3D2E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{8458EDF5-1DFD-4BF0-95AC-1D7463031D92}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C5BB6E2B-6CB5-4AAD-AEF7-2484D3E04EEF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E7137690-A900-4F77-824E-EC0177D74FD0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{0E365E19-98A1-4291-A880-5C40DE007342}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{26981C6D-6DF6-4867-8784-27E02157B30B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5CF9DAF8-35AA-44FE-B548-C1ACC7DE2430}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5EF67439-A232-49FF-9CAA-7314BE3B4ADF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{7AE3A21B-21C8-4841-B165-68B6621F1C8B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{8BAA1A22-CD51-422F-86BA-8D2AC9CF5D10}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{94A8F959-D497-415D-A02B-D7843A7C5BE8}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{97E04F3D-81F7-4305-974B-41689065833B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{A7D94862-647A-4760-914A-3E6D7866AAC6}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B9AA641A-7A6E-42F4-862D-222ABEA5B07B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{BB797A32-F488-4022-A4F2-A690EC6CDDD4}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{BEDA5701-E71F-43A7-8588-C7313E405CA2}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{CF419FBD-8579-41E9-AF42-F27B79F29B09}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E36724AD-4698-4574-AB32-E67AB01E683A}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E6B07DDD-1CA1-4E75-B160-31CCFEEB7A5E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{F82A9A6F-071B-4448-B0DD-D0E1742D75FF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D44C8097-4533-49C4-8B02-B16D66057CFC}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{BE9DD753-BB1A-4B56-9A06-5BD5E02C90AE}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{192c5b4a-3efd-40c7-9f99-c472deb8efc0}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "SpyHeals" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "SpyHealer" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "Spy Heal" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "Spy Heals" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "Spy Healer" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "{192C5B4A-3EFD-40C7-9F99-C472DEB8EFC0}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
Delete the registry key "SpyHeal.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
Delete the registry key "SpyHeal" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
If SpyHeal uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure SpyHeal gets completely removed.
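
The Desktop, Start Menu, Quicklaunch and Autorun checks in this guide all come down to finding items whose target is "<$PROGRAMFILES>\SpyHeal\SpyHeal.exe". The PowerShell below is an added example, not part of the original guide or of Spybot-S&D, that does this in one read-only pass and only reports what it finds. It assumes that <$PROGRAMFILES> means the local Program Files directories and that autorun entries live in the standard Run keys plus the policies\explorer\run key named in the Registry section.

```powershell
# Read-only audit: lists matching shortcuts and autorun entries, deletes nothing.

# Assumption: <$PROGRAMFILES> in the guide maps to the local Program Files directories.
$SuspectExe = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'SpyHeal\SpyHeal.exe' }

function Test-SpyHealTarget {
    # True when a shortcut target or autorun command line references SpyHeal.exe.
    # Short (8.3) path forms such as PROGRA~1 are not normalised here.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    foreach ($exe in $SuspectExe) {
        if ($expanded.IndexOf($exe, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# Constructed sample command lines (not from a real system) showing what the matcher flags.
"$env:ProgramFiles\SpyHeal\SpyHeal.exe /h", "$env:ProgramFiles\Example App\app.exe" |
    ForEach-Object { '{0,-5} {1}' -f (Test-SpyHealTarget $_), $_ }

# Desktop, Start Menu and Quick Launch folders for the current user and all users.
$linkDirs = @(
    [Environment]::GetFolderPath('DesktopDirectory'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# CreateShortcut() on an existing .lnk only loads it; nothing is written without Save().
$shell = New-Object -ComObject WScript.Shell
$shortcutHits = foreach ($dir in $linkDirs) {
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if (Test-SpyHealTarget "$($lnk.TargetPath) $($lnk.Arguments)") {
                [pscustomobject]@{ Kind = 'Shortcut'; Location = $_.FullName; Target = $lnk.TargetPath }
            }
        }
}

# Autorun locations: standard Run keys (assumption) and the policies key from the guide.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run'
)
$runHits = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if (Test-SpyHealTarget $data) {
            [pscustomobject]@{ Kind = 'Autorun'; Location = "$key\$name"; Target = $data }
        }
    }
}

# Review the report before removing anything by hand or with Spybot-S&D.
@($shortcutHits) + @($runHits) | Format-Table -AutoSize -Wrap
```

An empty table means no shortcut or autorun entry in these locations references SpyHeal.exe; it says nothing about the files, folders and registry keys listed in the other sections.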