SpyFalcon Advertisement

Posted on 2006-05-21
Last Modified: 2010-04-11

i was erm...... looking at PORNO!:D and stupidly installed some porno thing

my anti-virus didn't pop up at all, until AFTER i had installed it in which case it was a lil too late

i immediately rebooted into safe mode and ran my virus scanner (NOD32), but when i got into safe mode, the virus STILL appeared in my system tray :O

it's basically the Windows Accessibility icon and it keeps swapping to a red circle with a red line going through it and back every second

i also get a pop-up message coming up every min or so about how i have a virus or some shit (obviously it's the virus causing this message) and when i click on the message it takes me to SpyFalcon homepage

NOD32 anti-virus scanner (from safe mode) reported 2 files in C:\Windows\system32\ win32.exe and svhost.exe, both were infected + deleted, yet i still had it in taskbar after a reboot?

so i looked on google for SpyFalcon removal tools but none of them work, i DON'T have the SpyFalcon folder in /Program Files/ and i don't have it in add / remove programs

from what i can see all i have is the advertisement for it and NOT SpyFalcon itself, but then again what do i know, lol <<< there's a picture of the pop-up message, and as you can see, the disabled person in the task bar (next to VNC)
Question by: Nightma12
    LVL 97

    Expert Comment

    Greetings, Nightma12 !

    Use SymRemFix to remove SpyFalcon.  Follow the instructions in this website

    Best wishes!
    LVL 1

    Author Comment

    those were the exact steps that i got from google myself that did not work

    i personally don't think i have SpyFalcon? just some silly program advertising it that won't go from my taskbar :@

    don't know though
    LVL 97

    Expert Comment


    You ran SymRemFix?  Let's see your HijackThis log. Download HijackThis

    Run the program and you will find many entries. Most are OK. Post the log at and click Analyse, Save.  Post a link to the saved list here.
    LVL 47

    Accepted Solution

    Hi Nightma12,

    Run these tools:
    1.  Download roguescanfix_setup.
    Doubleclick roguescanfix_setup to install it.

    After the installation, you will be prompted if you would like to run roguescanfix now. Click "YES" to start the tool.

    Note: This tool needs internet connection because it downloads an additional file to let the tool work properly.
    If your firewall gives an alert, allow it instead of blocking it.
    In case you still get the message BFU.exe is not present, download from here.
    Unzip it and place BFU.exe in the c:\program files\roguescanfix-folder. Then doubleclick Roguescanfix.bat again.

    The tool will uninstall some programs and delete related files and registry keys.
    When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.
    Please make sure the uninstall of the programs is finished before you click Yes to reboot.

    2.  Please download SmitfraudFix:
    Extract the content (a folder named SmitfraudFix) to your Desktop.
    Next, please reboot your computer in Safe Mode by rebooting the computer,
    and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
    the options listed.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected
    You will be prompted : "Registry cleaning - Do you want to clean the
    registry?" answer "Yes" by typing Y and press "Enter" in order to remove
    the Desktop background and clean registry keys associated with the
    The tool will now check if wininet.dll is infected. You may be prompted to
    replace the infected file (if found); answer "Yes" by typing Y and press
    The tool may need to restart your computer to finish the cleaning process;
    if it doesn't, please restart it into Normal Windows.

    LVL 1

    Author Comment


    rpggamergirl: will these remove my themes and such? as i ran SysRemFix that war1 posted and it deleted my themes, resized my taskbar and removed my wallpaper
    LVL 97

    Expert Comment

    Regarding your HijackThis log, put a check mark by the following items, and then click "Fix Checked"

    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
    O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp4586.tmp (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

    If you did install these items, have HijackThis remove it

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

    Use the reg file here to restore your wallpaper
    LVL 47

    Assisted Solution

    Just fix these entries:
    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
    O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp4586.tmp (file missing)

    The SmitfraudFix will remove the desktop background if run in a non-infected computer.

    I suggest you just run the Roguescanfix.
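
The HijackThis entries singled out in the two comments above all carry HijackThis's own "(no file)" or "(file missing)" marker. The following is an added example, not posted by anyone in this thread, that parses such log lines and lists the entries worth reviewing; the regular expressions, the `.tmp` heuristic and the last sample line are assumptions constructed for illustration.

```python
import re

# Entries quoted in the thread, plus one constructed healthy entry (last line).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp4586.tmp (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$")
TMP_RE = re.compile(r"\\system32\\[^\\]+\.tmp\b", re.IGNORECASE)

def parse_entries(log_text):
    """Split a HijackThis log into entries and attach review reasons."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything that is not "<code> - ..."
        code, body = m.group("code"), m.group("body")
        clsid = CLSID_RE.search(body)
        reasons = []
        orphan = ORPHAN_RE.search(body)
        if orphan:
            reasons.append(orphan.group(1))  # HijackThis's own marker
        if TMP_RE.search(body):
            reasons.append("module is a .tmp file in system32")  # added heuristic
        if code.startswith("R") and "ProxyServer" in body:
            reasons.append("proxy setting: keep only if you configured it")
        entries.append({"code": code, "body": body, "reasons": reasons,
                        "clsid": clsid.group(0).upper() if clsid else None})
    return entries

def review_candidates(entries):
    """Entries with at least one reason to look at them before fixing."""
    return [e for e in entries if e["reasons"]]

def group_by_clsid(entries):
    """Map each CLSID to the section codes that reference it."""
    groups = {}
    for e in entries:
        if e["clsid"]:
            groups.setdefault(e["clsid"], []).append(e["code"])
    return groups

if __name__ == "__main__":
    for e in review_candidates(parse_entries(SAMPLE_LOG)):
        print(e["code"], e["clsid"], "; ".join(e["reasons"]))
```
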
    LVL 1

    Author Comment

    Roguescanfix done the trick :)

    Thanks! :D
    LVL 47

    Expert Comment

    Glad to hear it's gone.

    Thanks for the points! :)
