Spywarelocked, Is The Latest in A Series of Fake Anti-Spyware, or

SpywareLocked, is the latest in a series of fake anti-spyware, or rogue anti-spyware, programs.
These programs are being distributed through sites hosting Zlob Trojans, which are malware that
disguises themselves as a video or audio codec that you need to download and install in order to
use a particular video or audio file. In reality, though, when you install these Trojans, they will
instead show fake security alerts and install the SpyLocked or SpywareLocked program on to
your computer.
When SpyLocked and SpywareLocked are downloaded to your computer by a Zlob trojan, they
will automatically start and act as if they are scanning your computer. They will then provide a
list of grossly exaggerated and fake results including the actual Zlob Trojan that installed it in the
first place. SpywareLocked and SpyLocked will then prompt you to purchase the full
commercial version of the software before you can remove these items. This is a complete scam,
and the results are a tactic used to scare you into purchasing their software. Needless to say, do
not purchase them. A screenshot of SpyLocked and SpywareLocked can be found below.
SpyLocked Screenshot
When infected, you will also see fake alerts on your Windows taskbar. These alerts will state that
you are infected with some sort of spyware or other security threat and that you need to install an
anti-spyware program. When you click on these links, it will launch SpyLocked or
SpywareLocked, or if they are not installed, download them first before it launches it. These
alerts are fake and are are being used as a scare tactic to make you think you need to purchase the
SpyLocked or SpywareLocked programs. The current text of the fake security alert is:
System has detected a number of active spyware applications that may impact the performance
of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date
anti-spyware solution.
An example of the fake alert is shown below:
SpyLocked or SpywareLocked Fake Security Alert
Tools Needed for this fix:
 SmitFraudFix (Automated Fix)

 FixSL.reg (Only needed for manual fix)
Symptoms in a HijackThis Log:
O4 - HKLM\..\Run: [SpyLocked] C:\Program Files\SpyLocked\SpyLocked.exe /h

O4 - HKLM\..\Run: [SpywareLocked] C:\Program
Files\SpywareLocked\SpywareLocked.exe /h
O4 - HKLM\..\Run: [SpywareLocked 3.3] "C:\Program Files\SpywareLocked 3.3\Spy-
Locked.exe" /h
O4 - HKLM\..\Run: [SpywareLocked 3.4] "C:\Program Files\SpywareLocked
3.4\SpywareLock.exe" /h
O4 - HKLM\..\Run: [SpywareLocked 3.5] "C:\Program Files\SpywareLocked
3.5\SpywareLocked 3.5.exe" /h
O4 - HKLM\..\Run: [SpyLocked 3.6] "C:\Program Files\SpyLocked 3.6\SpyLocked
3.6.exe" /h
3.7.exe" /h
3.9.exe" /h
O4 - HKLM\..\Run: [SpyLocked 4.0] "C:\Program Files\SpyLocked 4.0\SpyLocked 4.1exe"
/h
4.1.exe" /h
4.3.exe" /h
Add/Remove Programs control panel entry:
SpyLocked 3.1
SpywareLocked 3.2
SpywareLocked 3.3
SpywareLocked 3.4
SpywareLocked 3.5
SpyLocked 3.6
SpyLocked 3.7
SpyLocked 3.8
SpyLocked 3.9
SpyLocked 4.0
SpyLocked 4.1
SpyLocked 4.3
Guide Updates:
03/19/07 - Initial guide creation.

03/20/07 - Added automated removal via SmitFraudFix
03/25/07 - Updated guide to reflect the change of its name to SpywareLocked
05/09/07 - Updated for SpyLocked 3.7
Choose the removal method you would like to use:
 Automated Removal (Easier, but requires a working Internet connection.)

 Manual Removal (Should be used if automated method does not work.)
Automated Removal Instructions for SpyLocked and SpywareLocked:

1. Print out these instructions as we will need to close every window that is open later in the
fix.
2. Download SmitfraudFix.exe from here and save it to your desktop:
SmitFraudFix.exe
Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-
click on the icon as of yet. We will use it in later steps. The icon will look like the one
below:
3. Next, please reboot your computer into Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows
icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
5. When you are at the logon prompt, log in as the same user that you had performed
the previous steps as.
4. When your computer has started in safe mode, and you see the desktop, close all open
Windows.
5. Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The
icon will look like the one below:
6. When the tool first starts you will see a credits screen. Simply press any key on your
keyboard to get to the next screen.
7. You will now see a menu as shown in the image below. Press the number 2 on your
keyboard and the press the enter key to choose the option Clean (safe mode
recommended).
8. The program will start cleaning your computer and go through a series of cleanup
processes. When it is done, it will automatically start the Disk Cleanup program as shown
by the image below.
This program will remove all Temp, Temporary Internet Files, and other files that may be
leftover files from this infection. This process can take up to a few hours depending on
your computer, so please be patient. When it is complete, it will close automatically and
you will should continue with step 11.
9. When Disk Cleanup is finished, you will be presented with an option asking Do you
want to clean the registry ? (y/n). At this screen you should press the Y button on your
keyboard and then press the enter key.
10. When this last routine is finished, you will be presented with a red screen stating
Computer will reboot now. Close all applications. You should now press the spacebar on
your computer. A counter will appear stating that the computer will reboot in 15 seconds.
Do not cancel this countdown and allow your computer to reboot.
11. Once the computer has rebooted, you will be presented with a Notepad screen containing
a log of all the files removed from your computer. Examine this log, and when you are
done, close the Notepad screen.
Your computer should now be free of the SpyLocked and SpywareLocked infections.
If you are still having problems with your computer after completing these instructions, then
please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log
Manual Removal Instructions for SpyLocked and SpywareLocked:
These steps may appear to be long and daunting. They are, though, quite easy to do and consist
of so many steps only because I have written them in an extremely detailed manner.
1. Print out these instructions as we will need to close every window that is open later in the
fix.
2. Download FixSL.reg to your desktop by right clicking on the following link and then
selecting Save Link As or Save File as, depending on your browser.
FixSL.reg Download Link
Confirm that the file FixSL.reg now resides on your desktop as we will need it later.
3. Download SmitfraudFix.exe from here and save it to your desktop:
SmitFraudFix.exe
Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-
click on the icon as of yet. We will use it in later steps. The icon will look like the one
below:
4. Go to your desktop and double click on the FixSL.reg file that you downloaded earlier.
When it asks if you would like to merge the information, press the Yes button and then
the OK button.
5. Click on the Start button and then select the Run option.
6. In the Open: field type c:\windows\system32 and then press the OK button.
7. When the folder appears, if it says These files are hidden, click on the Show the
contents of this folder option.
8. We now need to make it so you can see hidden files.

1. Click on the Tools menu and select Folder Options.
2. Click on the View tab.
3. Under the Hidden files and folders category select Show hidden files and
folders.
4. Uncheck Hide protected operating system files.
5. Press Apply and then OK.
6. If you still can not see the file, then undo these changes and skip to step 11.
9. Scroll through the list of files in this folder and look for fyxkaah.dll. Right-click on
fyxkaah.dll and select rename. Rename the file to fyxkaah.dll.bad.
Look for the file onwtj.dll and rename the file to onwtj.dll.bad.
Look for the file tahxqcj.dll and rename the file to tahxqcj.dll.bad.
Look for the file qvjpt.dll and rename the file to qvjpt.dll.bad.
Look for the file oyopu.dll and rename the file to oyopu.dll.bad.
Look for the file yronl.dll and rename the file to yronl.dll.bad.
Look for the file qzviz.dll and rename the file to qzviz.dll.bad.
Look for the file pkgvyg.dll and rename the file to pkgvyg.dll.bad.
Look for the file ygjun.dll and rename the file to ygjun.dll.bad.
Look for the file czxtyx.dll and rename the file to czxtyx.dll.bad.
Look for the file yuspej.dll and rename the file to yuspej.dll.bad.
Look for the file ilmpjy.dll and rename the file to ilmpjy.dll.bad.
Look for the file rcohty.dll and rename the file to rcohty.dll.bad.
Look for the file dxovx.dll and rename the file to dxovx.dll.bad.
Look for the file lcsrsrv.dll and rename the file to lcsrsrv.dll.bad.
Look for the file egzcqg.dll and rename the file to egzcqg.dll.bad.
Look for the file xuoce.dll and rename the file to xuoce.dll.bad.
Look for the file kgkdbsk.dll and rename the file to kgkdbsk.dll.bad.
Look for the file antzozc.dll and rename the file to antzozc.dll.bad.
Look for the file uimcu.dll and rename the file to antzozc.dll.bad.
Look for the file dtjby.dll and rename the file to dtjby.dll.bad
Look for the file indwvm.dll and rename the file to indwvm.dll.bad
Look for the file viuaoq.dll and rename the file to viuaoq.dll.bad
Look for the file eeuydc.dll and rename the file to eeuydc.dll.bad
Look for the file pkjcoxq.dll and rename the file to pkjcoxq.dll.bad
Look for the file afkvvy.dlll and rename the file to afkvvy.dll.bad
Look for the file dooep.dll and rename the file to dooep.dll.bad
Look for the file pjgerka.dll and rename the file to pjgerka.dll.bad
Look for the file pjgerka.dll and rename the file to pjgerka.dll.bad
Look for the file rxqcpn.dlll and rename the file to rxqcpn.dll.bad
Note: Please rename any of the above files that you may find. If you do not find any of
these files, then you should post a note about it in the Am I Infected? forum.
10. After you rename the file, you can close the System32 folder window.
11. Next, please reboot your computer into Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows
icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
5. When you are at the logon prompt, log in as the same user which you had done
the previous steps.
12. When your computer has started in safe mode and you see the desktop, click on the Start
Menu button.
13. Click on the Control Panel option.
14. Double-click on the Add or Remove Programs icon.
15. Find the entry for SpyLocked 3.1, SpywareLocked 3.2, SpywareLocked 3.3,
SpywareLocked 3.4, SpyLocked 3.5, SpyLocked 3.6, SpyLocked 3.7, SpyLocked 3.8,
SpyLocked 3.9, SpyLocked 4.0, SpyLocked 4.1 , or SpyLocked 4.3 and double-click
on it to uninstall them if found. Follow the prompts to uninstall the program, but do not
allow it to reboot the computer if it asks.
16. When it has completed uninstalling you can close Add or Remove Programs and your
Control Panel.
17. Delete the following files and folders (Do not be concerned if this folder does not exist):
C:\Windows\System32\fyxkaah.dll.bad
C:\Windows\System32\onwtj.dll.bad
C:\Windows\System32\qvjpt.dll.bad
C:\Windows\System32\oyopu.dll.bad
C:\Windows\System32\yronl.dll.bad
C:\Windows\System32\ilmpjy.dll.bad
C:\Windows\System32\pkgvyg.dll.bad
C:\Windows\System32\qzviz.dll.bad
C:\Windows\System32\ygjun.dll.bad
C:\Windows\System32\czxtyx.dll.bad
C:\Windows\System32\yuspej.dll.bad
C:\Windows\System32\rcohty.dll.bad
C:\Windows\System32\dxovx.dll.bad
C:\Windows\System32\lcsrsrv.dll.bad
C:\Windows\System32\egzcqg.dll.bad
C:\Windows\System32\xuoce.dll.bad
C:\Windows\System32\kgkdbsk.dll.bad
C:\Windows\System32\antzozc.dll.bad
C:\Windows\System32\uimcu.dll.bad
C:\Windows\System32\dtjby.dll.bad
C:\Windows\System32\indwvm.dll.bad
C:\Windows\System32\viuaoq.dll.bad
C:\Windows\System32\eeuydc.dll.bad
C:\Windows\System32\pkjcoxq.dll.bad
C:\Windows\System32\afkvvy.dll.bad
C:\Windows\System32\dooep.dll.bad
C:\Windows\System32\pjgerka.dll.bad
C:\Program Files\SpyLocked\
C:\Program Files\SpywareLocked\
C:\Program Files\SpywareLocked 3.4\
C:\Program Files\SpywareLocked 3.5\
C:\Program Files\SpyLocked 3.6\
18. Close all open Windows.
19. Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The
icon will look like the one below:
22. You will now see a menu as shown in the image below. Press the number 2 on your
keyboard and the press the enter key to choose the option Clean (safe mode
recommended).
23. The program will start cleaning your computer and go through a series of cleanup
processes. When it is done, it will automatically start the Disk Cleanup program as shown
by the image below.
This program will remove all Temp, Temporary Internet Files, and other files that may be
leftover files from this infection. This process can take up to a few hours depending on
your computer, so please be patient. When it is complete, it will close automatically and
you will should continue with step 25.
24. When Disk Cleanup is finished, you will be presented with an option asking Do you
want to clean the registry ? (y/n). At this screen you should press the Y button on your
keyboard and then press the enter key.
25. When this last routine is finished, you will be presented with a red screen stating
Computer will reboot now. Close all applications. You should now press the spacebar on
your computer. A counter will appear stating that the computer will reboot in 15 seconds.
Do not cancel this countdown and allow your computer to reboot.
26. Once the computer has rebooted, you will be presented with a Notepad screen containing
a log of all the files removed from your computer. Examine this log to see what files were
found, and when you are done, close the Notepad screen.
27. We next perform an online scan with Panda to find any possible inactive remnants from
this infection: Panda Online
1. Once you are on the Panda site click the Scan your PC button
2. A new window will open...click the Check Now button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It may take a
few minutes)
10. When download is complete, click on Local Disks to start the scan
28. When the online scan has been completed, let it remove what it finds, and then you can
close Internet Explorer.
Your computer should now be free of the SpyLocked and SpywareLocked infections.
If you are still having problems with your computer after completing these instructions, then
please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using
this information. If you would like help with any of these fixes, you can post a HijackThis
log in our HijackThis Logs and Analysis forum.
If you have any questions about this self-help guide then please post those questions in our
AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will
help you.
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
 Back to top of the page up there ^
#2 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Joined: 24-January 04
 Gender:Male
 Location:USA
Posted 20 March 2007 - 10:00 AM

Guide updated for for the new infector:
C:\Windows\System32\onwtj.dll
Lawrence
should do this!
#3 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA
Posted 25 March 2007 - 08:35 PM
Program has changed its name to SpywareLocked along with a new infector:
C:\WINDOWS\system32\tahxqcj.dll
Lawrence
should do this!
#4 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA
Posted 27 March 2007 - 08:39 AM
Updated for new infector:
C:\Windows\System32\qvjpt.dll
Lawrence
should do this!
#5 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA

Updated for C:\Windows\System32\oyopu.dll
Lawrence
should do this!
#6 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA
New infector: C:\Windows\System32\yronl.dll

Lawrence
should do this!
#7 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA
Posted 05 April 2007 - 10:45 AM
Updated for infectors:
C:\Windows\System32\pkgvyg.dll
C:\Windows\System32\qzviz. dll
Lawrence
should do this!
#8 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA
Posted 12 April 2007 - 01:24 PM
Updated for new version and new infector:
C:\Windows\System32\ygjun.dll
Lawrence
should do this!
#9 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA
Updated for the new infectors:
C:\Windows\System32\czxtyx.dll
C:\Windows\System32\yuspej. dll
Lawrence
should do this!

#10 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA
Updated for: C:\Windows\System32\ilmpjy.dll

Lawrence
should do this!
#11 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA

Updated for the latest infector:
C:\Windows\System32\dxovx.dll
Lawrence
should do this!
#12 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA
Posted 02 May 2007 - 10:02 AM
Updated for new infection:
C:\Windows\System32\lcsrsrv.dll
Lawrence
should do this!
#13 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA
Posted 05 May 2007 - 07:39 PM
Updated for:
C:\Windows\System32\egzcqg.dll
C:\Windows\System32\xuoce.dll
Lawrence
should do this!
#14 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA
Posted 09 May 2007 - 11:28 AM
Updated for the new infector:
C:\Windows\System32\kgkdbsk.dll
Lawrence
should do this!
#15 Grinler

 Bleep Bleep!

 Group: Admin
 Posts: 33,503
 Gender:Male
 Location:USA
Posted 09 May 2007 - 04:34 PM
Updated for new infector:
C:\Windows\System32\antzozc.dll
Lawrence
should do this!

Spywarelocked, Is The Latest in A Series of Fake Anti-Spyware, or

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Spywarelocked, Is The Latest in A Series of Fake Anti-Spyware, or

Uploaded by

Copyright:

Available Formats

SpywareLocked, is the latest in a series of fake anti-spyware, or rogue anti-spyware, programs.

An example of the fake alert is shown below:

SpyLocked or SpywareLocked Fake Security Alert

Tools Needed for this fix:

 SmitFraudFix (Automated Fix)

Symptoms in a HijackThis Log:

O4 - HKLM\..\Run: [SpyLocked] C:\Program Files\SpyLocked\SpyLocked.exe /h

Add/Remove Programs control panel entry:

03/19/07 - Initial guide creation.

Choose the removal method you would like to use:

 Automated Removal (Easier, but requires a working Internet connection.)

Automated Removal Instructions for SpyLocked and SpywareLocked:

2. Download SmitfraudFix.exe from here and save it to your desktop:

1. Restart your computer

3. Instead of Windows loading as normal, a menu should appear

4. Select the first option, to run Windows in Safe Mode.

Preparation Guide For Use Before Posting A Hijackthis Log

Manual Removal Instructions for SpyLocked and SpywareLocked:

FixSL.reg Download Link

3. Download SmitfraudFix.exe from here and save it to your desktop:

8. We now need to make it so you can see hidden files.

1. Restart your computer

3. Instead of Windows loading as normal, a menu should appear

4. Select the first option, to run Windows in Safe Mode.

13. Click on the Control Panel option.

14. Double-click on the Add or Remove Programs icon.

18. Close all open Windows.

2. A new window will open...click the Check Now button

3. Enter your Country

4. Enter your State/Province

5. Enter your e-mail address and click send

6. Select either Home User or Company

7. Click the big Scan Now button

8. If it wants to install an ActiveX component allow it

This is a self-help guide. Use at your own risk.

 Back to top of the page up there ^

Posted 20 March 2007 - 10:00 AM

 Back to top of the page up there ^

Posted 25 March 2007 - 08:35 PM

 Back to top of the page up there ^

Posted 27 March 2007 - 08:39 AM

Updated for new infector:

 Back to top of the page up there ^

Posted 28 March 2007 - 10:26 PM

 Back to top of the page up there ^

Posted 29 March 2007 - 04:42 PM

New infector: C:\Windows\System32\yronl.dll

 Back to top of the page up there ^

Posted 05 April 2007 - 10:45 AM

Updated for infectors:

 Back to top of the page up there ^

Updated for new version and new infector:

 Back to top of the page up there ^

Posted 18 April 2007 - 12:39 PM

Updated for the new infectors:

 Back to top of the page up there ^

Posted 22 April 2007 - 12:36 PM

Updated for: C:\Windows\System32\ilmpjy.dll

 Back to top of the page up there ^

Posted 30 April 2007 - 09:33 PM

 Back to top of the page up there ^

Posted 02 May 2007 - 10:02 AM