Professional Documents
Culture Documents
Spywarelocked, Is The Latest in A Series of Fake Anti-Spyware, or
Spywarelocked, Is The Latest in A Series of Fake Anti-Spyware, or
These programs are being distributed through sites hosting Zlob Trojans, which are malware that
disguises themselves as a video or audio codec that you need to download and install in order to
use a particular video or audio file. In reality, though, when you install these Trojans, they will
instead show fake security alerts and install the SpyLocked or SpywareLocked program on to
your computer.
When SpyLocked and SpywareLocked are downloaded to your computer by a Zlob trojan, they
will automatically start and act as if they are scanning your computer. They will then provide a
list of grossly exaggerated and fake results including the actual Zlob Trojan that installed it in the
first place. SpywareLocked and SpyLocked will then prompt you to purchase the full
commercial version of the software before you can remove these items. This is a complete scam,
and the results are a tactic used to scare you into purchasing their software. Needless to say, do
not purchase them. A screenshot of SpyLocked and SpywareLocked can be found below.
SpyLocked Screenshot
When infected, you will also see fake alerts on your Windows taskbar. These alerts will state that
you are infected with some sort of spyware or other security threat and that you need to install an
anti-spyware program. When you click on these links, it will launch SpyLocked or
SpywareLocked, or if they are not installed, download them first before it launches it. These
alerts are fake and are are being used as a scare tactic to make you think you need to purchase the
SpyLocked or SpywareLocked programs. The current text of the fake security alert is:
System has detected a number of active spyware applications that may impact the performance
of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date
anti-spyware solution.
SpyLocked 3.1
SpywareLocked 3.2
SpywareLocked 3.3
SpywareLocked 3.4
SpywareLocked 3.5
SpyLocked 3.6
SpyLocked 3.7
SpyLocked 3.8
SpyLocked 3.9
SpyLocked 4.0
SpyLocked 4.1
SpyLocked 4.3
Guide Updates:
SmitFraudFix.exe
Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-
click on the icon as of yet. We will use it in later steps. The icon will look like the one
below:
3. Next, please reboot your computer into Safe Mode by doing the following:
2. After hearing your computer beep once during startup, but before the Windows
icon appears, press F8.
5. When you are at the logon prompt, log in as the same user that you had performed
the previous steps as.
4. When your computer has started in safe mode, and you see the desktop, close all open
Windows.
5. Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The
icon will look like the one below:
6. When the tool first starts you will see a credits screen. Simply press any key on your
keyboard to get to the next screen.
7. You will now see a menu as shown in the image below. Press the number 2 on your
keyboard and the press the enter key to choose the option Clean (safe mode
recommended).
8. The program will start cleaning your computer and go through a series of cleanup
processes. When it is done, it will automatically start the Disk Cleanup program as shown
by the image below.
This program will remove all Temp, Temporary Internet Files, and other files that may be
leftover files from this infection. This process can take up to a few hours depending on
your computer, so please be patient. When it is complete, it will close automatically and
you will should continue with step 11.
9. When Disk Cleanup is finished, you will be presented with an option asking Do you
want to clean the registry ? (y/n). At this screen you should press the Y button on your
keyboard and then press the enter key.
10. When this last routine is finished, you will be presented with a red screen stating
Computer will reboot now. Close all applications. You should now press the spacebar on
your computer. A counter will appear stating that the computer will reboot in 15 seconds.
Do not cancel this countdown and allow your computer to reboot.
11. Once the computer has rebooted, you will be presented with a Notepad screen containing
a log of all the files removed from your computer. Examine this log, and when you are
done, close the Notepad screen.
Your computer should now be free of the SpyLocked and SpywareLocked infections.
If you are still having problems with your computer after completing these instructions, then
please follow the steps outlined in the topic linked below:
These steps may appear to be long and daunting. They are, though, quite easy to do and consist
of so many steps only because I have written them in an extremely detailed manner.
1. Print out these instructions as we will need to close every window that is open later in the
fix.
2. Download FixSL.reg to your desktop by right clicking on the following link and then
selecting Save Link As or Save File as, depending on your browser.
Confirm that the file FixSL.reg now resides on your desktop as we will need it later.
SmitFraudFix.exe
Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-
click on the icon as of yet. We will use it in later steps. The icon will look like the one
below:
4. Go to your desktop and double click on the FixSL.reg file that you downloaded earlier.
When it asks if you would like to merge the information, press the Yes button and then
the OK button.
5. Click on the Start button and then select the Run option.
6. In the Open: field type c:\windows\system32 and then press the OK button.
7. When the folder appears, if it says These files are hidden, click on the Show the
contents of this folder option.
9. Scroll through the list of files in this folder and look for fyxkaah.dll. Right-click on
fyxkaah.dll and select rename. Rename the file to fyxkaah.dll.bad.
Look for the file onwtj.dll and rename the file to onwtj.dll.bad.
Look for the file tahxqcj.dll and rename the file to tahxqcj.dll.bad.
Look for the file qvjpt.dll and rename the file to qvjpt.dll.bad.
Look for the file oyopu.dll and rename the file to oyopu.dll.bad.
Look for the file yronl.dll and rename the file to yronl.dll.bad.
Look for the file qzviz.dll and rename the file to qzviz.dll.bad.
Look for the file pkgvyg.dll and rename the file to pkgvyg.dll.bad.
Look for the file ygjun.dll and rename the file to ygjun.dll.bad.
Look for the file czxtyx.dll and rename the file to czxtyx.dll.bad.
Look for the file yuspej.dll and rename the file to yuspej.dll.bad.
Look for the file ilmpjy.dll and rename the file to ilmpjy.dll.bad.
Look for the file rcohty.dll and rename the file to rcohty.dll.bad.
Look for the file dxovx.dll and rename the file to dxovx.dll.bad.
Look for the file lcsrsrv.dll and rename the file to lcsrsrv.dll.bad.
Look for the file egzcqg.dll and rename the file to egzcqg.dll.bad.
Look for the file xuoce.dll and rename the file to xuoce.dll.bad.
Look for the file kgkdbsk.dll and rename the file to kgkdbsk.dll.bad.
Look for the file antzozc.dll and rename the file to antzozc.dll.bad.
Look for the file uimcu.dll and rename the file to antzozc.dll.bad.
Look for the file dtjby.dll and rename the file to dtjby.dll.bad
Look for the file indwvm.dll and rename the file to indwvm.dll.bad
Look for the file viuaoq.dll and rename the file to viuaoq.dll.bad
Look for the file eeuydc.dll and rename the file to eeuydc.dll.bad
Look for the file pkjcoxq.dll and rename the file to pkjcoxq.dll.bad
Look for the file afkvvy.dlll and rename the file to afkvvy.dll.bad
Look for the file dooep.dll and rename the file to dooep.dll.bad
Look for the file pjgerka.dll and rename the file to pjgerka.dll.bad
Look for the file pjgerka.dll and rename the file to pjgerka.dll.bad
Look for the file rxqcpn.dlll and rename the file to rxqcpn.dll.bad
Note: Please rename any of the above files that you may find. If you do not find any of
these files, then you should post a note about it in the Am I Infected? forum.
10. After you rename the file, you can close the System32 folder window.
11. Next, please reboot your computer into Safe Mode by doing the following:
2. After hearing your computer beep once during startup, but before the Windows
icon appears, press F8.
5. When you are at the logon prompt, log in as the same user which you had done
the previous steps.
12. When your computer has started in safe mode and you see the desktop, click on the Start
Menu button.
15. Find the entry for SpyLocked 3.1, SpywareLocked 3.2, SpywareLocked 3.3,
SpywareLocked 3.4, SpyLocked 3.5, SpyLocked 3.6, SpyLocked 3.7, SpyLocked 3.8,
SpyLocked 3.9, SpyLocked 4.0, SpyLocked 4.1 , or SpyLocked 4.3 and double-click
on it to uninstall them if found. Follow the prompts to uninstall the program, but do not
allow it to reboot the computer if it asks.
16. When it has completed uninstalling you can close Add or Remove Programs and your
Control Panel.
17. Delete the following files and folders (Do not be concerned if this folder does not exist):
C:\Windows\System32\fyxkaah.dll.bad
C:\Windows\System32\onwtj.dll.bad
C:\Windows\System32\qvjpt.dll.bad
C:\Windows\System32\oyopu.dll.bad
C:\Windows\System32\yronl.dll.bad
C:\Windows\System32\ilmpjy.dll.bad
C:\Windows\System32\pkgvyg.dll.bad
C:\Windows\System32\qzviz.dll.bad
C:\Windows\System32\ygjun.dll.bad
C:\Windows\System32\czxtyx.dll.bad
C:\Windows\System32\yuspej.dll.bad
C:\Windows\System32\rcohty.dll.bad
C:\Windows\System32\dxovx.dll.bad
C:\Windows\System32\lcsrsrv.dll.bad
C:\Windows\System32\egzcqg.dll.bad
C:\Windows\System32\xuoce.dll.bad
C:\Windows\System32\kgkdbsk.dll.bad
C:\Windows\System32\antzozc.dll.bad
C:\Windows\System32\uimcu.dll.bad
C:\Windows\System32\dtjby.dll.bad
C:\Windows\System32\indwvm.dll.bad
C:\Windows\System32\viuaoq.dll.bad
C:\Windows\System32\eeuydc.dll.bad
C:\Windows\System32\pkjcoxq.dll.bad
C:\Windows\System32\afkvvy.dll.bad
C:\Windows\System32\dooep.dll.bad
C:\Windows\System32\pjgerka.dll.bad
C:\Program Files\SpyLocked\
C:\Program Files\SpywareLocked\
C:\Program Files\SpywareLocked 3.4\
C:\Program Files\SpywareLocked 3.5\
C:\Program Files\SpyLocked 3.6\
C:\Program Files\SpyLocked 3.7\
C:\Program Files\SpyLocked 3.8\
C:\Program Files\SpyLocked 3.9\
C:\Program Files\SpyLocked 4.0\
C:\Program Files\SpyLocked 4.1\
C:\Program Files\SpyLocked 4.2\
C:\Program Files\SpyLocked 4.3\
19. Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The
icon will look like the one below:
20. When the tool first starts you will see a credits screen. Simply press any key on your
keyboard to get to the next screen.
21. When the tool first starts you will see a credits screen. Simply press any key on your
keyboard to get to the next screen.
22. You will now see a menu as shown in the image below. Press the number 2 on your
keyboard and the press the enter key to choose the option Clean (safe mode
recommended).
23. The program will start cleaning your computer and go through a series of cleanup
processes. When it is done, it will automatically start the Disk Cleanup program as shown
by the image below.
This program will remove all Temp, Temporary Internet Files, and other files that may be
leftover files from this infection. This process can take up to a few hours depending on
your computer, so please be patient. When it is complete, it will close automatically and
you will should continue with step 25.
24. When Disk Cleanup is finished, you will be presented with an option asking Do you
want to clean the registry ? (y/n). At this screen you should press the Y button on your
keyboard and then press the enter key.
25. When this last routine is finished, you will be presented with a red screen stating
Computer will reboot now. Close all applications. You should now press the spacebar on
your computer. A counter will appear stating that the computer will reboot in 15 seconds.
Do not cancel this countdown and allow your computer to reboot.
26. Once the computer has rebooted, you will be presented with a Notepad screen containing
a log of all the files removed from your computer. Examine this log to see what files were
found, and when you are done, close the Notepad screen.
27. We next perform an online scan with Panda to find any possible inactive remnants from
this infection: Panda Online
1. Once you are on the Panda site click the Scan your PC button
9. It will start downloading the files it requires for the scan (Note: It may take a
few minutes)
10. When download is complete, click on Local Disks to start the scan
28. When the online scan has been completed, let it remove what it finds, and then you can
close Internet Explorer.
Your computer should now be free of the SpyLocked and SpywareLocked infections.
If you are still having problems with your computer after completing these instructions, then
please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log
BleepingComputer.com can not be held responsible for problems that may occur by using
this information. If you would like help with any of these fixes, you can post a HijackThis
log in our HijackThis Logs and Analysis forum.
If you have any questions about this self-help guide then please post those questions in our
AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will
help you.
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
#2 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
C:\Windows\System32\onwtj.dll
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
#3 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
Program has changed its name to SpywareLocked along with a new infector:
C:\WINDOWS\system32\tahxqcj.dll
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
#4 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
C:\Windows\System32\qvjpt.dll
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
#5 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
#6 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
#7 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
C:\Windows\System32\pkgvyg.dll
C:\Windows\System32\qzviz. dll
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
#8 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
Posted 12 April 2007 - 01:24 PM
C:\Windows\System32\ygjun.dll
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
#9 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
C:\Windows\System32\czxtyx.dll
C:\Windows\System32\yuspej. dll
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
#11 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
C:\Windows\System32\dxovx.dll
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
#12 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
C:\Windows\System32\lcsrsrv.dll
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
#13 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
Updated for:
C:\Windows\System32\egzcqg.dll
C:\Windows\System32\xuoce.dll
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
#14 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
Posted 09 May 2007 - 11:28 AM
C:\Windows\System32\kgkdbsk.dll
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!
#15 Grinler
Bleep Bleep!
Group: Admin
Posts: 33,503
Joined: 24-January 04
Gender:Male
Location:USA
C:\Windows\System32\antzozc.dll
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone
should do this!