How to remove SpyFalcon

Spyfalcon is a new rogue anti-spyware program that is designed to fool users into paying for a full version of the program in order to remove a supposed infection which the ‘free version’ put there in the first place.

Spyfalcon works very similar to antispylab which we documented in an earlier post by showing fake windows popup messages. Users get infected by hackers/crackers making use of an exploit in Windows XP which effects unpatched machines. Once the infection is removed the user must visit the Windows update site. Alot of users have reported this virus/adware to cause a little wheelchair icon in the system tray.

How to remove Spyfalcon

You should save or print these instructions as you probably will not have internet access during the repairs.

• First, right click over this link roguescanfix_setup.exe and select “Save File As” or “Save Link as” and save this file to your desktop.
• Double click the roguescanfix_setup.exe file to run it. Once it loads, select your language from the drop down menu and press OK. Then Press Next.
• Select “I accept the agreement” and press Next.
• Press the Next button again.
• Click the Install Button.
• The program will start installing RogueScanFix and at the next screen, leave the “Launch RogueScanFix selection checked and click Finish.
• RogueScanFix will automatically start and you will see a credits screen. Press spacebar at this screen and you will be presented with a menu. Press the number 1 on your keyboard and press Enter. On the next screen press spacebar and the program will start the removal process.
  
  Note: When the program starts it will try to access the internet which your firewall will probably alert you about. The program needs to get a file from the internet that will be used during cleanup, please allow the download.exe or run.bat to access the internet.
• While the program is operating the icons on your desktop may disappear for a moment, this is normal so there is no need for concern. The program will start the Spyfalcon uninstall program. When it starts click the Uninstall button. When it has finished, click OK.
• When the uninstall program is finshed and it was able to remove all the spyfalcon files you will see a prompt saying “Completed Script Execution”. Press OK. It will now launch the Brute Force Unnstaller program which you should close by pressing the Exit button. If it launches notepad with a file called Task.txt you can close this as well.
• Right click over this link spyfalcon_removal.reg and select “Save File As” or “Save Link as” and save this file to your desktop.
• Now, download SmitRemFix.exe and save it to your desktop. Once it has downloaded, double click on it which will extract it. Do not run the actual program yet as it must be done in safe mode.
• Goto your desktop and double click the spyfalcon_removal.reg file which you downloaded earlier and when it asks if you would like to merge the information, click YES and then the OK Button
• Load into Windows Safe mode by restarting the computer and just before the Windows XP screen comes up, press F8 and choose safemode.

Once in Safemode:

• Click Start > Control Panel and choose “Add/Remove Programs”
• This will now show you a list of the programs you have installed. Find “Spyfalcon” and double click on it, this will begin the uninstallation of the program and just follow the prompts, however dont allow it to reboot the computer if it asks.
• Once it has finished uninstalling you may close the Control panel or Add/Remove Programs windows.
• On your computer, find the following files and folders and delete them if they exist (dont be concerned if they dont exist):

  C:\Windows\System32\dxmpp.dll

  C:\Program Files\Spyfalcon\

  C:\Windows\System32\ginuerep.dll

  C:\Windows\System32\twain32.dll

  C:\Windows\System32\reglogs.dll

  C:\Windows\System32\appmagr.dll

• Close all open windows and open the SmitRemFix folder which we extracted to your desktop earlier.
• In the SmitRemFix folder, there is a file called RunThis.bat, double click it and it will start the tool. Follow the instructions and if it finds an infection if will start an uninstaller, when this happens click on the Uninstall Button which will finish the removal. When it is done, SmitRemFix will close automatically. During this stage your desktop may disappear for a few seconds while it removes and residual infection.
• Your computer should be now free from infection however you should run your virus scanner or use a free online scanner such as PandaOnline

Once it is complete, Prevent Spyfalcon from infecting you again:

• Restart the computer back into normal mode and visit the Windows Update Site (there is usually a icon in your start menu somewhere. If you dont have this icon you can open your browser and goto http://windowsupdate.microsoft.com