  #1  
05-11-2006
Jericho34 (New Poster)
Join Date: May 2006
Posts: 2
SpyFalcon with some hoops to jump through...

I've recently obtained a nasty little spyware called SpyFalcon that horribly slows my computer, in addition to popping up an ad trying to get me to clear spyware by buying their program.

I've seen a few fixes to use that involve using the uninstall program from Control Panel in Safe Mode, then using Panda's free anti-virus scan on their website.

But I can uninstall it from Control Panel, because it says it's already uninstalled, and it won't let me run the Panda anti-virus because of a complex ActiveX issue.

It also installed about:blank, which really ****ed me off because I got rid of it a year ago. Does anyone know of any other fixes that don't involve the above method?


  #2  
05-11-2006
Hengis (PCHF Head Honcho)
Join Date: Jan 2004
Location: Southern England
Posts: 11,591
PC Experience: Always learning

Welcome to PC Help Forum.

The best course of action for you is to follow the detailed procedure in the link below - [Pre-Work]. You will generate 2 logs, post them back into this thread and a Security Team member will assist you in permanently removing your malware.


__________________

Pre-Work
  #3  
05-12-2006
joe5 (Elite Member)
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Hya Jericho.

Before running the Prework, follow these removal instructions first please:


NOTES:
  1. Even if you do not find some (or all) of the files mentioned or you do not see SpywareQuake (or SpyFalcon....etc) in Add/Remove programs or the folder for it, just continue with ALL steps thru to the end.
  2. In the below instructions the %System32% text is an abbreviation for either c:\Windows\System32 or c:\Winnt\System32. It depends on how/where you installed your Windows OS. Thus %System32%\stickrep.dll means either C:\Windows\System32\stickrep.dll or C:\Winnt\System32\stickrep.dll
Now copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixquake.reg and then save it to your Desktop. We will use it later after a reboot into safe mode.

REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{35A88E51-B53D-43E9-B8A7-75D4C31B4676}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}"=-
"{35A88E51-B53D-43E9-B8A7-75D4C31B4676}"=-
"{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"=-
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"=-
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"=-
"{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"=-
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"=-
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"=-
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareQuake"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyFalcon"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"dcomcfg.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareQuake.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuake.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\SpyFalcon]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0398eca-0bcd-4645-8261-5e9dc70248d0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A932ED2-1737-4AB8-B84D-C71779958551}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{7A932ED2-1737-4AB8-B84D-C71779958551}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5C70510-5A01-B2A5-CF84-D6DC13859967}]

[-HKEY_CLASSES_ROOT\CLSID\{1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E}]
[-HKEY_CLASSES_ROOT\CLSID\{35A88E51-B53D-43E9-B8A7-75D4C31B4676}]
[-HKEY_CLASSES_ROOT\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}]
[-HKEY_CLASSES_ROOT\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}]
[-HKEY_CLASSES_ROOT\CLSID\{B0398ECA-0BCD-4645-8261-5E9DC70248D0}]
[-HKEY_CLASSES_ROOT\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}]
[-HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}]
[-HKEY_CLASSES_ROOT\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}]

  • Now download smitRem.exe written by noahdfear and save the file to your Desktop.
  • Double click on the smitRem.exe file and click the Start button to extract it to its own folder named SmitRem on the desktop.
    (this should be the default selection). Do not run anything else related to the program yet!
  • Now you will need to print or save these instructions locally (to a text file on your Desktop) for later reference. This is necessary because you must not have any browsers open and must not connect to the internet while following the below steps.
  • Now disconnect your cable to the internet (physically unplug it).
  • After saving the instructions, reboot into Safe mode
  • Now once in safe mode, go to Add/Remove programs and uninstall Spyware Quake and/or SpyFalcon (if they are found).
  • Now double-click on the fixquake.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to
    the Desktop) and when it prompts to Add in to the registry, say yes.
  • Run Windows Explorer by right clicking Start & Select Explore
  • Navigate to your %System32% folder (C:\Windows\system32 or C:\Winnt\system32, depending on how/which OS you have installed).
  • Look for the following files based upon where you have Windows installed:
    • %System32%\dxmpp.dll
    • %System32%\ginuerep.dll
    • %System32%\stickrep.dll
    • %System32%\__delete_on_reboot__stickrep.dll
    • %System32%\suprox.dll
    • %System32%\xenadot.dll
    • %System32%\sivudro.dll
    • %System32%\twain32.dll
    • %System32%\dvdcap.dll
    • %System32%\reglogs.dll
      When you locate the files, right click on them and select Rename. Change the dll extension to DDD. For example: rename xenadot.dll to xenadot.DDD We will fully delete the files later.
  • Now open the smitRem folder on your Desktop, double click on it to access the folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. If you cannot get RunThis.bat to work in safe mode, REBOOT into normal mode (with no internet connection) and repeat the above step from the point of booting in safe mode.
  • The tool will create a log named smitfiles.txt in the root of the drive that you ran the batch file on, e.g. Local Disk C: or the partition where your operating system is installed. Upload this file later after reboot.
  • Now reboot your system into normal mode.
  • Now after reboot relocate the DLL files we renamed with a DDD extension in the above step and delete them. If you have a
    problem deleting these files, try rebooting one more time into safe mode and attempt another deletion. If it still does not delete, make sure you tell us later.
  • Also delete the below files and folders if found:
    • C:\Program Files\AdwareSheriff
    • C:\Program Files\Spyware Quake
    • C:\Program Files\SpywareQuake.com
    • C:\Program Files\SpyFalcon
    • C:\Windows\System\1024 (or C:\Winnt\System\1024 )
    • %System32%\1024
    • %System32%\atmclk.exe
    • %System32%\dcomcfg.exe
    • %System32%\dfrgsrv.exe
    • %System32%\hp????.tmp (where ???? is any 4 random characters)
    • %System32%\ld????.tmp (where ???? is any 4 random characters)
    • %System32%\mssearchnet.exe
    • %System32%\msvol.tlb
    • %System32%\ncompat.tlb
    • %System32%\nvctrl.exe
    • %System32%\ot.ico
    • %System32%\simpole.tlb
    • %System32%\stdole3.tlb
    • %System32%\ts.ico
    • C:\Documents and Settings\[Current User Account]\Start Menu\Programs\SpywareQuake <---- where [Current User Account] is the actual user account name you are logged into.
  • Reconnect your cable to the internet.
After that, to see what needs to be done to get rid of the rest, follow the Prework instructions and when done, post the Smitrem log, the Ewido log and the Hijackthis log.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #4  
05-12-2006
Jericho34 (New Poster)
Join Date: May 2006
Posts: 2

Alright, yet another hoop:

While trying to add fixquake to the registry, I get an error message that says

"Cannot import C:\.....Fixquake.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor."

I did it exactly as above- copied the quote info, into notepad, save as fixquake.reg and all files. Is there something blocking registry changes?


  #5  
05-12-2006
joe5 (Elite Member)
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Try it like this: download and unzip the attached file and when asked to use the fixquake.reg, use this one instead.
Attached Files
File Type: rar fixquake.rar (790 Bytes, 3 views)


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
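
An added example, not part of the original posts or of any tool mentioned in the thread: a pre-import check for a hand-saved .reg file such as fixquake.reg. regedit only treats a file as a registry script when its very first line is the header, so the check flags that, plus key paths and GUIDs that picked up a space when copied from a web page; the `NO_SPACE` list and the sample bytes are assumptions constructed for illustration.

```python
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
ROOTS = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
# Key components that never contain a space (assumed list; extend as needed).
NO_SPACE = {"currentversion", "sharedtaskscheduler", "software", "clsid"}
BRACED = re.compile(r"\{[^{}]*\}")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def lint_reg(data: bytes):
    """Return (line_number, message) findings for the raw bytes of a .reg file."""
    # Unicode exports carry a UTF-16 BOM; everything else is read as ANSI.
    utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    lines = data.decode("utf-16" if utf16 else "cp1252", "replace").splitlines()
    findings = []
    # The header must be the very first line: no blank line, spaces or stray bytes.
    if not lines or lines[0] not in HEADERS:
        findings.append((1, "first line is not a .reg header"))
    for no, line in enumerate(lines[1:], start=2):
        text = line.strip()
        # Every {...} token, in a key path or a value name, must be a full GUID.
        for token in BRACED.findall(text):
            if not GUID.fullmatch(token):
                findings.append((no, "malformed GUID " + token))
        if not text.startswith("["):
            continue
        if not text.endswith("]"):
            findings.append((no, "key header is not closed"))
            continue
        # A leading "-" inside the brackets marks a key deletion.
        parts = text[1:-1].lstrip("-").split("\\")
        if parts[0] not in ROOTS:
            findings.append((no, "unknown root key " + parts[0]))
        for part in parts[1:]:
            if " " in part and part.replace(" ", "").lower() in NO_SPACE:
                findings.append((no, "stray space in '" + part + "'"))
    return findings


# Constructed sample: a blank first line plus two wrapped paths of the kind a
# copied forum post can contain; the last entry is well formed.
SAMPLE = (
    b"\r\nREGEDIT4\r\n\r\n"
    b"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Curr entVersion\\Run]\r\n"
    b'"SpyFalcon"=-\r\n'
    b"[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7A932ED 2-1737-4AB8-B84D-C71779958551}]\r\n"
    b"[-HKEY_LOCAL_MACHINE\\SOFTWARE\\SpyFalcon]\r\n"
)
```

Pass the file's raw bytes, for example `lint_reg(open("fixquake.reg", "rb").read())`; an empty list means none of these checks fired.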

  #6  
05-26-2006
comptech (New Poster)
Join Date: May 2006
Posts: 1

The instructions joe5 gave you seem to be along the right track, I ran across a tutorial that might offer a bit more help though, especially since there seem to be several new variants of SpyFalcon out there. You can check it out at http://removespyfalcon.com if you're still having problems removing SpyFalcon.


  #7  
05-26-2006
joe5 (Elite Member)
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Originally Posted by comptech
The instructions joe5 gave you seem to be along the right track, I ran across a tutorial that might offer a bit more help though, especially since there seem to be several new variants of SpyFalcon out there. You can check it out at http://removespyfalcon.com if you're still having problems removing SpyFalcon.

Uhhmm.. my instructions are not "along the right track".. they are exactly right.. And funny that you mention new variants.. since those instructions you posted are out of date.. mine not..


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

