SpyLocked Removal Instructions (Update)

SpyLocked, or also known as SpywareLocked is a malicious rogue, which has a whole bag of tricks which serve its malevolent plan – to mislead you into purchasing the fake full version of SpyLocked.

Figure 1. Spylocked screenshot

Phony anti-virus programs, which resemble the real products in layout, and try to sell their phony full versions at a solid price, are called rogues. New rogues appear every day, and it becomes very difficult for the average user to differentiate between the legitimate applications and the fake ones, because they are very similar at first sight. Rogues always have some clever name – like SpyLocked or System Check, and seemingly feasible interface.

SpyLocked is distributed via malicious Trojans, which come disguised as video or audio codecs that you are prompted to download and install in order to gain access to a given video or audio file. If you are misled into downloading the codec, the Trojans immediately get settled into the system and download SpyLocked.

After its installation, SpyLocked performs a series of tricks which aim at scaring you into believing that there are various malware pieces in your PC. This is a lie via which the rogue aims at making you pay for its full version.

To start with – fake scans. SpyLocked starts scans of your system every time and again, without asking for your authorization. After each scan, it displays a counterfeit list of infections. The only real virus in this list is the very Trojan which has downloaded it. All the rest of the viruses are made up to frighten you. The rogue counts on the possibility that your fear may push you into buying SpyLocked’s full version, which is advertised after each scan as capable of removing all the viruses found by SpyLocked’s trial version. The truth is that there is no trial or full version of this product. It is all one and the same scam, which has been created by hackers in an attempt to gain profit by unsuspecting victims.

Fake security alerts are another deception-weapon used by SpyLocked. It makes them pop up extremely frequently. The bogus warnings are created to look very scary. Most of them claim that there are too many viruses in the PC, others state that there are attempts of identity theft and some even try to convince the user that a remote attacker (hacker) has managed to gain access to the computer. Below, you can see one of the less scary examples of SpyLocked notifications:

System has detected a number of active spyware applications that may impact the performance of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date anti-spyware solution.

The alerts may look legitimate, and they come from Windows taskbar, but this does not mean the information, included in them, is accurate. Apart from being irritating, the counterfeit scans and warnings also slow down the computer’s performance palpably and hinder your work on the PC.

To put it in a nutshell, if SpyLocked manages to find a way inside your system, the best way to treat it is to remove it immediately with the help of a legitimate anti-virus program.

We will constantly update the instructions to combat against Spylocked and its variants. Please feel free to post comments if you have any questions or suggestions regarding Spylocked. This is a great community and I am sure that you would find the answers. Good luck! (New variant is also known as VirusProtect) (New variant is also known as Trojan.Win32)

Although this virus was seen 4 years ago, researchers found that newly discovered malware strains have the same fingerprint as the old SpyLocked rogue.


Manual Removal Instructions:

Stop SpyLocked Processes:
(Learn how to do this)
spylocked.exe
SpywareLocked.exe
Spy-Locked.exe
SpywareLock.exe
SpywareLocked 3.5.exe
SpyLocked 3.6.exe
SpyLocked 3.7.exe (new)
SpyLocked 3.9.exe (new)
SpyLocked 4.0 exe (new)
SpyLocked 4.1.exe (new)
SpyLocked 4.2.exe (new)
SpyLocked 4.3.exe (new)
Unregister SpyLocked DLL Files:
(Learn how to do this)
xkrdk.dll
onwtj.dll
fyxkaah.dll
higehsg.dll
geplxss.dll
tvomnc.dll
tahxqcj.dll
qvjpt.dll
oyopu.dll
yronl.dll
isadd.dll
pkgvyg.dll
qzviz.dll
Ygjun.dll
yuspej.dll
czxtyx.dll
bpvol.dll
splug.dll
dxovx.dll
lcsrsrv.dll
ilmpjy.dll
rcohty.dll
egzcqg.dll
xuoce.dll
kgkdbsk.dll
antzozc.dll
uimcu.dll
dtjby.dll
indwvm.dll
viuaoq.dll
eeuydc.dll
pkjcoxq.dll
afkvvy.dll (new)
dooep.dll (new)
pjgerka.dll (new)
rxqcpn.dll (new)

Find and Delete these SpyLocked Files:
(Learn how to do this)
spylocked.exe
xkrdk.dll
onwtj.dll
fyxkaah.dll
higehsg.dll
geplxss.dll
tvomnc.dll
tahxqcj.dll
qvjpt.dll
oyopu.dll
yronl.dll
isadd.dll
pkgvyg.dll
pmsnrr.exe
pmmnt.exe
isamntr.exe
avD.exe
codecaddon1169[1].exe
SpywareLocked 3.3.lnk
Spy-Locked.exe
qzviz.dll
Ygjun.dll
SpywareLock.exe
SpywareLocked 3.5.exe
SpywareLocked 3.5.lnk
yuspej.dll
czxtyx.dll
bpvol.dll
splug.dll
SpyLocked 3.6.exe
SpyLocked 3.6.url
SpyLocked 3.6 Website.lnk
dxovx.dll
lcsrsrv.dll
ilmpjy.dll
rcohty.dll
egzcqg.dll
xuoce.dll
SpyLocked 3.7.exe
kgkdbsk.dll
antzozc.dll
SpyLocked 3.9.exe
SpyLocked 3.9.url
SpyLocked 3.9.lnk
uimcu.dll
dtjby.dll
indwvm.dll
viuaoq.dll
eeuydc.dll
pkjcoxq.dll
SpyLocked 4.0.exe
SpyLocked 4.0.url
SpyLocked 4.0.lnk
SpyLocked 4.1.exe
SpyLocked 4.1.url
SpyLocked 4.1.lnk
SpyLocked 4.2.exe
SpyLocked 4.2.url
SpyLocked 4.2.lnk
SpyLocked 4.3.exe (new)
SpyLocked 4.3.url (new)
SpyLocked 4.3.lnk (new)
afkvvy.dll (new)
dooep.dll (new)
pjgerka.dll (new)
rxqcpn.dll (new)

Remove SpyLocked Registry Values:
(Learn how to do this)
43DF1CEE-70B3-4E2D-A740-4AC468786207
6AFB5B8E-ACFD-4489-91B3-DAA1388A31EC
E9817993-83FF-4343-B14E-6CDFB378B21D
815B01A0-BF97-41E9-ACF2-32B76F98A960
5CA1A9F6-10F8-4008-B884-755B25B6848A
F5D23930-23C6-440E-AB55-D019E1171539
50450F27-B90B-422B-A4C9-5EC5A5B78001
2C5B5226-045D-4A46-B4FC-228B0891FEEC
314120E4-5A05-492C-9BF2-22558CF0F202
630CBF61-54CC-4AC3-97B0-D4071345807C
EDE2A2B4-B1CB-4BF8-93D1-154E49284A71
314120E4-5A05-492C-9BF2-22558CF0F202
C5BF4465-5322-462F-B41F-459F649F3996
392D4A36-6ADF-4A99-A820-3014A53E62E3
3BF6C840-4D12-4FB5-88A2-E2BC03461DC2
42F16135-D0A4-43A2-990C-27FCABD9C19F
E4703CF2-7F82-4AD7-B317-8EC1CBC9B619
4D31CCA1-C42B-4796-851F-CA8ED4CD2A7E

 

(If you find this helpful, please feel free to share it with friends by digg, del.icio.us, Reddit or Google.)

Tags: , ,

By

Comments

  1. Brian says:

    Fred, CMD is the DOS command prompt where you can enter the commands manually. It’s part of all the Windows OS and it can be accessed via “Start”, then “Run”, and then type “CMD”. You can try the manual removal instructions to remove the flashing “X”. It’s been suggested previously, if you go through the comments, to sort the dll’s and find the infected files by date or size. Either way works just fine. This is by far the most efficient way to remove this for free. However, if you don’t like to go through all this hassle and don’t mind to pay, purchasing Spyhunter is another option. Hope this helps. Good luck!

  2. Enrique says:

    I am having trouble opening ‘CMD’, when i type ‘CMD’ the box opens but i cannot type anything. within 5-10 seconds the box closes itself, do you think this is something to do with spylocked?

    I have spent the entire day trying to get rid of it, please help!

  3. Brian says:

    Enrique, it’s possible that the Spylocked processes are still running in the background. Make sure you end the corresponding processes first.

  4. Lawrence says:

    It took me 4 1/2 hours to do this and you folks helped me find the only 1 thing i couldn’t find. the dooep.dll file. that got rid of that annoying flashing shield.
    old school man;
    first do a search on your hard drive for the following and delete all,
    spylock,
    imsm*,
    iesmin*,
    iesunst*,
    iesmn*,
    use alt/cntrl/delete/ to activate task manager and end as many as these processes as possible before deleting them. 2 files will not delete as you can’t stop them from running. “imsmain.exe” and one other one{it’s slipped my mind right now}you’ll notice when you can’t stop the process with task manager. Write the file names down exactly where they are located.

    then click your start button and select run. then type regedit and enter.

    Click edit and search all the above and delete them from your registry as well.

    you may as well delete the key for the” dooep.dll while your in your registry.

    Reboot your computer and hit f10. Select safe mode with dos”

    using dos go to the directory where the 2 files are located and delete them.

    then go to c:/windows/system32 and delete the dooep.dll file.

    Reboot your computer and go back to your registry and delete any remnants of those two files.

    using control panel check your program files for anything that shouldn’t be there. remove it but if it asks you to reboot, click cancel. it shoud just disappear.

    your computer should be running just as fast as ours is now!
    This should all take about an hour and a half!

    Enjoy online again!

    Lawrence.

  5. Gay Lord says:

    Not sure how helpful this will be, but it may help somebody. Here’s what I did, as best I can remember.

    After installing the spylocked garbage and realizing it was bad, I tried to remove it with Add/Remove program. After that, I checked in C: and saw the spylocked folder was left. I tried to delete the group of items in the folder but was denied. I then deleted them individually until only a half dozen were left (wouldn’t let me delete them as they were active).

    Pulling up Task Manager I saw that they were active under processes. Their names were something like isms.exe, iss.exe, imss.exe, or something like that. Ending their processes didn’t help, as they re-appeared two seconds later, but ending the process tree did. Once they were no longer active, I was then able to delete the files, and indeed, the whole folder.

    I thought I was done, but still had the annoying taskbar icon (red shield/blue question mark), which kept pulling me out of any program running (like games!) to desktop every few minutes.

    Using the Spyhunter listed here, I did a scan. It listed the zlob trojans, but only one registry key. Going into regedit, I went to Find and then entered the key number. When it found it (listed as “canker”) I deleted it. With that one key gone, the taskbar icon was gone.

    Note this didn’t remove any other traces of the trojan, and is not recommended to fully clean your system. I only mention it here as a lazy, just-do-enough approach. But it fixed my taskbar.

  6. Troy in Texas says:

    I scanned using SpyHunter and after 5 hours of trying to manually delete all those files, purchased the Full Version. Presto all the pop ups stopped but the Icon and annoying message was still there. I still had a ‘.dll’ file that was not detected and I could not erase it manually until I followed the instructions from Asad back in his April post. Asad thank you so much for these instructions;

    “Start Command Prompt. You should write this in CMD(DOS): ‘cd C:\Windows\System32′ and ENTER. And then close explorer.exe (using task manager) and go back into CMD and type in ‘del (filename)’ and ENTER. Then go back to task manager, to file, new task and type in ‘explorer.exe’ and ENTER.”

    Hint: Follow these instructions in order and do not close the task manager or CMD window during the above instructions. Also, the bad “.dll” file in my experience was the newest one on the bottom of the list.

    Thanks Asad and Spyhunter

  7. Tim says:

    FYI, here is a new dll from Spylocked; pjgerka.dll

  8. Norbi says:

    I cannot start my spyhunter. It says that something doesn’t work correctly

  9. Leifur Sigurdsson says:

    Hi thanks, By using your site I got rid of the trouble, it was pjgerka.dll that was in my computer. I recomend Spyhunter to everyone :)

  10. Daniele Milano says:

    all -

    after removing most of spylocked with Spybot I had same problem as many above with flashing icon in taskbar
    I applied ASAD method and it worked (thank you so much)
    Only difference the name of bad file that was not any of the ones listed above; new name is “pjgerka.dll”
    I found it sorting files in system32 by date; googling it I found it associated with Spylocked in a site (languange was Russian or similar, but likage was obvious)
    hope it helps

  11. Tim says:

    This is another dll from spylocked: rxqcpn.dll

  12. Theodore says:

    HOORAY ITS GONE!

    Ok so what i did:1st removed all spyware with spyware removal program.Then i searched “.dll” and found the newest one (pjgerka.dll).I tried asads method but it sais that the dll couldnt be found so went manually to the system32 folder,renamed pjgerka.dll to EVIL.dll and then right-click and delete.GONE!!!

  13. Ivan says:

    WOW! SpyHunter is a great detection tool, and this forum is very, very helpful. I was able to remove the annoying spyware from the PC. I removed the registry entries and cookies and .exe files first, then restarted XP in safe mode with DOS prompt. Right here was I able to delete the .dll file.

  14. John says:

    Hey guys! I found a new library that infected my PC on 6/28/07 named rxqcpn.dll. I searched for the other dll’s listed in this forum and didn’t find anything. I manually the Spylocked executables and got rid of them but the SYSTEM ALERT message kept popping up. It stopped when I deleted this DLL from the WINDOWS\SYSTEM32 folder and the registry DB in a folder called INPROCSERVER32.

    More to come if I discover something else!

  15. Ben Gaster says:

    Hi all,

    I can’t find any of the processes listed above yet I’ve still got that flashing icon in my sys tray. What i have got is pjgerka.dll in system32. Does anyone know what process is linked to this?

    Thanks

  16. Paul Boyce says:

    Hello All,

    I spent 4 hours on the phone with Dell trying to get spylocked off my system they couldn’t do it, he wanted me to back up my computer and reinstall everything! I found free software that took it off in 5 minutes. it is called Counter Spy I could not believe it took it off because of the problem I was having but it worked!! and for a computer illiterate like myself it was great news.

    Thanks,

    Paul

  17. Jeff says:

    Hi, All:

    I, too, was infected with Spylock. I got rid of the flashing icon, but now when I reboot, I’m getting an error message stating: “Error loading C:\WINDOWS\system32\eehofao.dll” and then below that, “The specified module could not be found”

    Help please..

  18. Opethian says:

    Hi guys,

    Ive just been infected with the Spylock crap and was able to delete it but found a new “.dll” file from spylocked its “myqlejy.dll”
    Hope it helps.

  19. Patrick says:

    Helllo
    Ben Gaster I had the same file as you “pjgerka.dll” I renamed the file to badfile.dll and deleted it and got rid of my flashing icon in my sys tray
    Thanks though all of you because you got me in the right direction to salve my problem

  20. CWilliams says:

    I have MacAfee installed and (it says) working, but ‘VirusProtectPro’ still got on my (Vista) machine.

    I think it was in an ActiveX browser plug-in, which, BTW, failed to install (Firefox browser). After failing, it then launched Internet Explorer to “look for the latest version” – is this yet another security hole in Internet Explorer?

    And why didn’t MacAfee spot a problem with the ActiveX – or doesn’t it scan them?

  21. John says:

    AS far as removing the virusprotectpro blinking icon in the system tray. After removing all references to virusprotectpro by using the “Add/Remove Programs’ utility in Settings, I used BitDefender and Spybot to remove the viruses and or adware, but was still left with the blinking icon (alternating red/blue type shield). I finally found a file in c:\windows\system\cqsfk.dll it is probably in \system32 in windows versions 2000 and above, (I’m still using Windows 98SE), you have to go to safe mode to remove it. That was the file which contained the blinking icon and would redirect to the virusprotect site.

  22. liq says:

    i have a question. a while back in april i downloaded a fake video codec on accident and my ciomputer got infected. i got norton and it removed everything but spylocked. im sure i did that my self but ever since my computer everynow and then has a pop up from norton saying this security risk has been romoved or intrusion or something. i really want to know whether my computer is still infected so if yall could reply itd be helpful

  23. Justin says:

    I used SpyHunter to get rid of Virus Protect Pro & SpyLocked, this worked great except for the flashing icon. I had to use SpyHunter several times before it finally identified one file – ‘khtbpdl.dll’ in Windows\System32. I then tried to delete this at the cmd promt but access was denied. Then I opened windows explore and searched for ‘khtbpdl.dll’, when I found it I changed its name to’badboy.dll’ and this changed the flashing icon to a flashing ‘?’. I restarted my computer and then deleted ‘badboy.dll’. The icon is finally gone!

    It took me 2 days of hard work to sort out this problem, it seems that the .dll file you need to delete keeps changing.

    One other thing, I don’t know if it makes any difference but I disconnected from the internet while I found the file, changed its name & deleted it.

  24. a says:

    I used your offer but it did not delet the spy. Good gesture would have been to allow one time use.Otherwise you are no better than the rest.

  25. Hi, I’m a 61 year old photographer gran in South Africa living far from big cities with computer fundis in them to solve problems! I put “flashing red shield” into Google and it came up with a whole lot of sites that I went through but I am afraid of anything that says “go into CMD” or anything like that as I haven’t got a clue how to do it. I found a post from someone who said that the program “Counter Spy” removed it. I will have to pay for it after two weeks if I want to to get automatic updates but the flashing shield and the pop-ups have gone completely, thank goodness. For someone who is afraid of looking for dlls and deleting the wrong thing it is a real boon. But am I free of it or is it stealthily running underground?
    It disabled my PC-cillen by making it re-start every few minuites so it never finished a scan.
    Anyway for those who like me don’t know enough to be able to manually delete files this seems to be the answer.(Or am I living in a fool’s paradise?!)

  26. Ben says:

    I can not thank you guys/girls enough with some of the helpful tips that were posted here!
    I got tricked into downloading zlog through an activeX, and after the initial removal from spybot S&D and symantec. about 3 hours of frustration later tyring to follow the directions at top and getting basically “it isnt there” the 2 most helpful tips i got were Erythorbic saying to search all .dll’s and looking for the date.
    And of course asad’s method of deleting the files.
    besides that, even though im to cheap to buy he program im keeping spynomore just because it catches more then S&D.

    My point is dont make the mistake I did and try to remove stuff already removed.

  27. steve says:

    had a little bit of trouble with spylocked infecting my computer (running XP), could not remove the software at the normal add/remove programs, used JV16 powertools to remove the software, still had the popups, used “Spybot S&D” to remove some more crap, still had the last popup which takes you to the internet site, did a search for “spylocked” on google and downloaded and installed “SmitFraudFix” ran the search, ran the automated cleaner, said yes to the registry cleaner and it was all gone, YAY!

    probably should have started with “SmitFraudFix” in the first place instead of frigging around trying to do it myself, the program worked really well and was simple to use, even for me.

    Steve

  28. gilles rixen says:

    hey guys,

    I just installed some kind of video programm to see vids but it turned out to be a spam. now if all these informations are correct then it would mean that I have about 5 of the virus I found.

    first of all I had the spylocked… which I uninstalled but there are two icons flashing me and telling me how viruses are entering the computer: messages like= there might be a risk that blabla virus is in your computer click on this baloon to find a antipy programm

    and the trajon.zlob which I already solved by changing my homepage.

    and a third one which file I cannot delete because it is “used”. file name: online add-ons
    the dll names are: isfmdl.dll and ictmdl.dll the last one I alreay renamed and put to the desktop but the first one protest because its used.

    now I am wondering how patatic the live of a hacker is but can someone help me please?

    gilles

  29. Jellowe says:

    I recently came across this on a client’s machine and no spyware application I had could detect or remove it. Ad-aware found the actual program AntiSpy.exe and removed it along with the registry entries, but it did not get rid of the flashing/alternating “red shield/blue question” icon and accompanying message. I searched and found this website. I used Asad’s method which was very helpful. The filename was “jhzpcn.dll” and the file size was 13Kb. I also have a helpful tip for finding the dll in question.

    Open the Windows search utility and search for “*.dll” within C:\Windows\System32 directory (susbstitute for your actual windows folder if different).

    When the search is complete, right-click anywhere on the header bar (where it says “Name”…”In Folder”…”Size”…etc.) and you get a popup menu. Select “More…” at the bottom. Scroll down to the bottom of the list and place a check in “Company”.

    The search box will now list “Microsoft” on almost every dll file. Now click “Size” on the header bar to sort files by size.

    Now scroll down the list for anything that has a blank “company” field (most will say microsoft or intel or something). You can take note of each filename and check them against the list compiled here. It may be random though so if it looks suspect, it might be causing the problem.

    Then just follow Asad’s directions above.

    Thanks to all!

  30. Dear Asad,

    I have studied your removal instructions closely but would request your help and advise whether my Dell desktop with my classic Windows 98, Second Edition, can handle your Windows XP and VISTA format meaning my Windows 98, 2nd Edition, only provide from START, with RUN and closing Windows with MS-DOS to use to go to Windows\System32 Folder.Is there a Task Manager from MS-DOS to use for your other following instructions to complete the task ?
    Please provide step by step instructions to eliminate SpyLocked virus icon from taskbar. In a way lucky,I only have irritating flashing icon at the right side of the tashbar but without pop-up at all! Many Thanks, Robert.

  31. Dear Asad,

    I`ve posted my request for help some 7 days ago. Would you kindly give your reply as soon as possible?

    Regards, Robert K N Wong.

  32. rach says:

    Wahhh,,,

    help..i can’t get rid of that darn software counterfeit…i was so stupid to install that..it drives me crazy!!!!!!anyway,,i’ved learned my lesson….

  33. Faeed says:

    Problem Event Name: DynaCrash32
    Application Name: iexplore.exe
    Application Version: 7.0.6001.18000
    Application Timestamp: 47918f11
    Exception Offset: 000442eb
    Report Id: 636488131
    Additional Information 1: fd00
    Report Id: 636488131
    OS Version: 6.0.6001.2.1.0.768.3
    Locale ID: 6153
    Additional Information 1: fd00
    Additional Information 2: ea6f5fe8924aaa756324d57f87834160
    Additional Information 3: fd00
    Additional Information 4: ea6f5fe8924aaa756324d57f87834160

    Extra information about the problem
    Bucket ID: 322159953

  34. Faeed says:

    please help me,
    it realy makes me agitated,

  35. domain says:

    Nice site! thanks for the great post…%d%a%d%aPeople should read this.

  36. Free PSP Demos says:

    you have a great blog here! would you like to make some invite posts on my blog?

Trackbacks

  1. Eric says:

    Eric…

    I like the way you have layed it down in this post thanks….

  2. MOBY says:

    Bookmarks…

    I can’t add your post to Digg. How I do this?…

  3. Olga says:

    All I can say is WOW! Extremely nice layouts, awesome graphics and great articles. No matter how many times I come here, I am still impressed by the very professional appearance. Congratulations on a job well done.

Speak Your Mind

*