SpyLocked, or also known as SpywareLocked is a malicious rogue, which has a whole bag of tricks which serve its malevolent plan – to mislead you into purchasing the fake full version of SpyLocked.
Figure 1. Spylocked screenshot
Phony anti-virus programs, which resemble the real products in layout, and try to sell their phony full versions at a solid price, are called rogues. New rogues appear every day, and it becomes very difficult for the average user to differentiate between the legitimate applications and the fake ones, because they are very similar at first sight. Rogues always have some clever name – like SpyLocked or System Check, and seemingly feasible interface.
SpyLocked is distributed via malicious Trojans, which come disguised as video or audio codecs that you are prompted to download and install in order to gain access to a given video or audio file. If you are misled into downloading the codec, the Trojans immediately get settled into the system and download SpyLocked.
After its installation, SpyLocked performs a series of tricks which aim at scaring you into believing that there are various malware pieces in your PC. This is a lie via which the rogue aims at making you pay for its full version.
To start with – fake scans. SpyLocked starts scans of your system every time and again, without asking for your authorization. After each scan, it displays a counterfeit list of infections. The only real virus in this list is the very Trojan which has downloaded it. All the rest of the viruses are made up to frighten you. The rogue counts on the possibility that your fear may push you into buying SpyLocked’s full version, which is advertised after each scan as capable of removing all the viruses found by SpyLocked’s trial version. The truth is that there is no trial or full version of this product. It is all one and the same scam, which has been created by hackers in an attempt to gain profit by unsuspecting victims.
Fake security alerts are another deception-weapon used by SpyLocked. It makes them pop up extremely frequently. The bogus warnings are created to look very scary. Most of them claim that there are too many viruses in the PC, others state that there are attempts of identity theft and some even try to convince the user that a remote attacker (hacker) has managed to gain access to the computer. Below, you can see one of the less scary examples of SpyLocked notifications:
System has detected a number of active spyware applications that may impact the performance of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date anti-spyware solution.
The alerts may look legitimate, and they come from Windows taskbar, but this does not mean the information, included in them, is accurate. Apart from being irritating, the counterfeit scans and warnings also slow down the computer’s performance palpably and hinder your work on the PC.
To put it in a nutshell, if SpyLocked manages to find a way inside your system, the best way to treat it is to remove it immediately with the help of a legitimate anti-virus program.
We will constantly update the instructions to combat against Spylocked and its variants. Please feel free to post comments if you have any questions or suggestions regarding Spylocked. This is a great community and I am sure that you would find the answers. Good luck! (New variant is also known as VirusProtect) (New variant is also known as Trojan.Win32)
Although this virus was seen 4 years ago, researchers found that newly discovered malware strains have the same fingerprint as the old SpyLocked rogue.
Manual Removal Instructions:
Stop SpyLocked Processes:
(Learn how to do this)
spylocked.exe
SpywareLocked.exe
Spy-Locked.exe
SpywareLock.exe
SpywareLocked 3.5.exe
SpyLocked 3.6.exe
SpyLocked 3.7.exe (new)
SpyLocked 3.9.exe (new)
SpyLocked 4.0 exe (new)
SpyLocked 4.1.exe (new)
SpyLocked 4.2.exe (new)
SpyLocked 4.3.exe (new)
Unregister SpyLocked DLL Files:
(Learn how to do this)
xkrdk.dll
onwtj.dll
fyxkaah.dll
higehsg.dll
geplxss.dll
tvomnc.dll
tahxqcj.dll
qvjpt.dll
oyopu.dll
yronl.dll
isadd.dll
pkgvyg.dll
qzviz.dll
Ygjun.dll
yuspej.dll
czxtyx.dll
bpvol.dll
splug.dll
dxovx.dll
lcsrsrv.dll
ilmpjy.dll
rcohty.dll
egzcqg.dll
xuoce.dll
kgkdbsk.dll
antzozc.dll
uimcu.dll
dtjby.dll
indwvm.dll
viuaoq.dll
eeuydc.dll
pkjcoxq.dll
afkvvy.dll (new)
dooep.dll (new)
pjgerka.dll (new)
rxqcpn.dll (new)
Find and Delete these SpyLocked Files:
(Learn how to do this)
spylocked.exe
xkrdk.dll
onwtj.dll
fyxkaah.dll
higehsg.dll
geplxss.dll
tvomnc.dll
tahxqcj.dll
qvjpt.dll
oyopu.dll
yronl.dll
isadd.dll
pkgvyg.dll
pmsnrr.exe
pmmnt.exe
isamntr.exe
avD.exe
codecaddon1169[1].exe
SpywareLocked 3.3.lnk
Spy-Locked.exe
qzviz.dll
Ygjun.dll
SpywareLock.exe
SpywareLocked 3.5.exe
SpywareLocked 3.5.lnk
yuspej.dll
czxtyx.dll
bpvol.dll
splug.dll
SpyLocked 3.6.exe
SpyLocked 3.6.url
SpyLocked 3.6 Website.lnk
dxovx.dll
lcsrsrv.dll
ilmpjy.dll
rcohty.dll
egzcqg.dll
xuoce.dll
SpyLocked 3.7.exe
kgkdbsk.dll
antzozc.dll
SpyLocked 3.9.exe
SpyLocked 3.9.url
SpyLocked 3.9.lnk
uimcu.dll
dtjby.dll
indwvm.dll
viuaoq.dll
eeuydc.dll
pkjcoxq.dll
SpyLocked 4.0.exe
SpyLocked 4.0.url
SpyLocked 4.0.lnk
SpyLocked 4.1.exe
SpyLocked 4.1.url
SpyLocked 4.1.lnk
SpyLocked 4.2.exe
SpyLocked 4.2.url
SpyLocked 4.2.lnk
SpyLocked 4.3.exe (new)
SpyLocked 4.3.url (new)
SpyLocked 4.3.lnk (new)
afkvvy.dll (new)
dooep.dll (new)
pjgerka.dll (new)
rxqcpn.dll (new)
Remove SpyLocked Registry Values:
(Learn how to do this)
43DF1CEE-70B3-4E2D-A740-4AC468786207
6AFB5B8E-ACFD-4489-91B3-DAA1388A31EC
E9817993-83FF-4343-B14E-6CDFB378B21D
815B01A0-BF97-41E9-ACF2-32B76F98A960
5CA1A9F6-10F8-4008-B884-755B25B6848A
F5D23930-23C6-440E-AB55-D019E1171539
50450F27-B90B-422B-A4C9-5EC5A5B78001
2C5B5226-045D-4A46-B4FC-228B0891FEEC
314120E4-5A05-492C-9BF2-22558CF0F202
630CBF61-54CC-4AC3-97B0-D4071345807C
EDE2A2B4-B1CB-4BF8-93D1-154E49284A71
314120E4-5A05-492C-9BF2-22558CF0F202
C5BF4465-5322-462F-B41F-459F649F3996
392D4A36-6ADF-4A99-A820-3014A53E62E3
3BF6C840-4D12-4FB5-88A2-E2BC03461DC2
42F16135-D0A4-43A2-990C-27FCABD9C19F
E4703CF2-7F82-4AD7-B317-8EC1CBC9B619
4D31CCA1-C42B-4796-851F-CA8ED4CD2A7E
(If you find this helpful, please feel free to share it with friends by digg, del.icio.us, Reddit or Google.)
Here is another dll from Spylocked indwvm.dll.
Tim,
You have done well by mentioning the indwvm.dll, It is actually the latest file. The best way to go about it is to use Asad method. i.e via cmd prompt and killing eplorer.exe temporarily then issue the del command. It works perfectly.
Note: You might still have issues like the file could not be found when you place the command, You may try rename the file and try it again. If it doesn’t listen. Delete it from windows. It should work well. Regards.
OK .. I’ve gone through all the post and tried all the ideas with no luck. ALl the files listed are not on the CPU. My flashing icon is an ! in a Yellow Triangle and the other Flash is an DirectX icon. I just need to get rid of this flashing ICON then I’ll be all set .. Ideas ???
thanks!
When i try to end the processes, it just comes back up. Can anyone help?
I deletd the infected file indwvm.dll which i found using AD-Aware se personal which by the way is free. the icon on the right hand corner is gone. I followed so many different leads that I don’t know who to thanks. thanks to everyone for all the input.
Another dll from SpyLocked viuaoq.dll
Quick question. I have been getting crazy pop ups, so I got spybot search and destroy and the only thing that it cannot fix is Smitfraud, any thoughts?
Hello everyone, after such a long time of being away!
This forum has grown about 60 times since i was here.
The person (who i can’t remmember) that found a way of getting rid of it using the rename and restart procedure, it is a good idea. So many thanks on pointing that out.
However if you don’t want to restart your computer, use my way of deleting which is to stop explorer.exe and delete it from CDM (using DOS commands) – For more details on this, go up and find my posts.
The dlls that i found long time ago, was from another website called:www.bleepingcomputer.com/forums/topic85376.html and go to the very bottom looking for the posts of a person called Grinler. But DO NOT use the instruction on that website as they are very complex and time wasting ideas. They also suggest using a program called smitfraudfix.exe which i think is a virus itself as when i did a virus scan with AVG Anti-Virus, it was in the dangerous category so i deleted it.
All i am trying to say is WATCH OUT!!!
I think we should all spam in anger the spylocked website and continuasly ask help from anyone with a legal status that controls the web to destroy the website!!!
PS.
I writing from Ballarat, VIC, Australia
and i am also 16 years old.
What about you guys?
After spending a day pulling my hair out, I finally got this bugger off my system thanks to the many numerous suggestions I found here. What worked for me was using Spy Hunter to scan (free), then without closing it down I did a regedit in run, working through the menus to remove everything but the cookies. I used ad aware to get rid of the cookies and now all is fine. Phew. Thanks again to all who posted with ideas.
I wanted to add something to my post. I am very impressed with Spy Hunter and am strongly considering purchasing it.
GO TO SYSTEM 32 FOLDER
SORT ALL DLL BY SIZE(YES SIZE)
SPYLOCKED BASED DLL SIZE ABOUT 7 KB.( i had indwvn.dll)
LOOK DLL PROPERTY. IF IT IS UNKNOWN.(NOT MISCROSOFT CORP)
RENAME IT.( ICON WILL CHNAGED -DIFFERENT LOOK)
LOG OF
AND DELET IT.
REBOOT.
ICON WILL BE DISAPPEREAD.
TRY THIS.
PS. USE PC CILLIN INTERNET SECURITY.THIS ONE IS TOO GOOD.
Dear fellows,
I completely agree with Asad to take action against them.
From my side, I have sent a message to Google asking them to stop advertise them, but in vain!! Google is blind.
Please send messages you too, perhaps they’ll wake up and remove them from their lists.
Best regards
hey,
just wanted to say that i had the EXACT same problem as ken variya. so basically i think you’re the most amazing person in the world right now. the only difference was that my file was named indwvm.dll. so i recommend trying to fix it the same way as he did.
thanks ken man you ROCK!
Hello.
The people here that didn’t understand how to remove the spyware, i was trying to get the popup back to my computer and make a video of my screen removing it.
I went to their website and downloaded the program and installed it. The strange thing however is that the popup was not on my computer. It seems that the popup only goes to your computer if you install the fake video codec.
Spylocked i think will defend their case by saying they had no idea of an spyware as they dont have it on their explorer. But I say that they purposely put the spyware on the video codec so it wouldn’t seem their fault and at the same time get away with it.
Rather than all these 150 posts to read from, yes I am talking to you new people, Why doesn’t anybody that has an idea just make a video of them selves removing it using hypercam because it would be much easier to understand.
The post above, i meant to write “they had no idea of any spyware as they dont have it on their installer”
Solved the icon problem with the help of many on this site thanks! What worked for me was Ken Variya’s tip on the file size. I cross checked all .dll files of 7 kb in the Windows/system32 with the date I encountered the problem. Found only one (in my haste to delete I forgot to record the filename but it was none of the ones previously mentioned, sorry). It was close to the date but not exact (file was 5/22 vs problem date 5/25).
I renamed the file to “.doc” from .dll and the icon changed to word doc. I dragged it onto my desktop and rebooted. Icon gone!!! I then deleted the file ignoring a warninmg that it is a system file and may cause problems. Relief!
Hi, my computer got infected with spylocked 4 and i’ve tried everthing mentionned on this forum and i still have problems. Since my computer havec infected by spylocked i can’t use windows update. It always said that i have install activeX…each time i installe it and it does’nt seem to stay installed at all cause i still get the activeX message…is anyone know something about this situation??
Thank to Ken Variya, I have solved my computer problem.
File was in Systems32. Sorted files by Size. Found .dll that was exactly 7kb. Renamed, restarted the computer, and deleted the file.
viuaoq.dll
Was my infected file. I used Spyhunter (free version) to find files and I went through myself to delete each individually. Time consuming, but effective. Thanks for everyones help and assistance.
Good luck to everyone
After six hours of work… IT”S GONE!!!! With mine, I had no .exe processes in the task manager and no .dlls that I could find.
Here’s what I did…
First: I ran my OWN spyware killer (Spy Sweeper) to get rid of the trojan.
Next: Downloaded the free version of SpyHunter and ran it to find the registery names.
Third: Opened up the registery editor (Start Menu -> Run -> regedit) and manually deleted ALL the registry keys that SpyHunter had found.
Fourth: Re-ran SpyHunter and it came up clean. *sweet*
Fifth: Opened My Computer and searched for all .dlls modified in the last week. Only one came up that was a system32 file that was 7kb (it was pkjcoxq.dll if you care, but they seem to switch so fast it doesn’t matter…)
Sixth: Renamed it to pkjcoxq.doc (warning: system file! Ignore that.) and moved it to my desktop. (the icon should switch from a triangle-thing to a blue ?)
Seventh: restarted
Eight: deleted file from desktop and the STUPID BLINKING ICON IS GONE!!!!!
Ninth: I’m rescanning my computer, but it’s almost done and it’s looking good…
Cross your fingers that I got it all… and GOOD LUCK TO YOU!!!
-Debbie
another bad file: “eeuydc.dll”
Good luck.
I just got spylocked this morning, and it took me 8 hours to get off, but thanks to these replies i finally got if off… My problem is my computer is insanely slow and it won’t go anywhere, i had to go to safe mode to do anything, if i’m not in safe mode and click on internet or even the start button, it locks up for 15 minutes… Does anyone know what could be wrong? The blinking icon is gone and i find nothing else, but it’s been so slow ever since it got on my computer.. Please any help would be appreciated
I’m very close to loosing it so please help!
I’ve been infected with Spylocked4.1 and have found ‘eeuydc.dll’ in the c:\windows\system32 directory I can only run DOS but does not let me rename or delete the file. I constantly get the following two popup window messages.
1. ‘Windows explores has stopped working’
followed by
2. ‘windows explorer is restarting’
These keep appearing one after the other whether I click on cancel or not and while they’re up I can not access anything on my computer so I can not rename the files through windows or install spyhunter or run any other program. Can not open control panel, my computer, search, nothing except for DOS and Task Manager.
I have read the entire site and tried several of the suggestions… But I still can not solve the problem.
If you have any suggestions I would be forever thankful!
Rocio,
California
Wow! I am new to the intricacies of computers
but thanks Asad. I followed your instructions (once I figured out how to open the task Manager!) and resolved the pop up problem!
Thanks again!
Ditto that. After going through the whole list of dll files with little hope I found one (eeudyc.dll) and followed Asad’s instructions and the flashing icon is finally gone. Also noticed that a spylocked process started again, though I thought I had removed it using (paid) version of spyhunter, possibly when I tried deleting the .dll file directly, or could the icon itself be the cause? I stopped the process then followed Asad’s instructions. Registry files are clean! Checking regular files. It’s so satisfying when you work long and hard and finally something works the way you were told it would!
RYAN DID IT!! NEW FILE NAME PKJCOXQ.dll was in system32 folder. had to rename it. icon DID change. restarted computer and deleted renamed file (changed it to .doc) We’ll see what happens next. I see a common thread: system32 folder, .dll file ext, and 7kb file. Also it was dated 12/21/2004. I got it 6/3/07.
IMPORTANT NOTE: When you right click on the .dll file, you won’t see a “version” tab. That’s how I knew it was a rogue .dll file
Cordia, Thank you very much !!!
I followed your steps and that idiot stupid icon IS GONE !!!
Thanks God there is an Internet.
cheers to all of you for the advice on this page, especially ASAD and CORDRIA
finally got rid of that annoying icon
the latest .dll seems to be *eeuydc.dll*
This site is great. Mine was eeuydc.dll as well. I already had Sypware Doctor and it fixed everything except the blinking icon in the system tray. I found the file by sorting my system 32 file by date modified and found it, though it was actually dated a week early. I just used the trick someone recommended and changed it to a word file and moved it to the desktop, rebooted and deleted it. Works great now. I recommend Spyware Doctor by the way, it has protected me from crap like this except when I get in a hurry and hit the wrong button.
i got the spylocked files off of my comp, but when i run spyhunter, some zlob trojans (registry only) come up.
I can’t seem to figure out how to locate them so i can delete them. What do look up to find them?
Iv been at this a while, so im getting really frustrated any help at all would be helpful…
thank you for your smarts on a cumputer im still new at this
this is a fast system
how do i do this
Hi,
yesterday I removed Spylock with this very good instructions. Thank you very much.
There are now 4 other, new processes to stop and files to delete:
iesmin.exe
imsmn.exe
iesmn.exe
imsmain.exe
l got Spylocked through a fake ActiveX download.
Its the most annoying thing l’ve ever seen..
I used Ken Variaya’s method and managed to delete the dirty little trojan that turned up earlier this evening.
I was using XP in Parallels on my Mac, so imagine my horror when this bug turned up. I was positive that I’d already disabled my internet connenction from XP, but I think clicking and dragging a “live” file between systems may have done it. Hopefully I’m now error free, as I’ve suffered no other ill effects on either system since.
The file I deleted was named, MSVCR71.dll
Actually thinking back, I was trying to download an ActiveX control when the bug appeared, like the user above my first post.
Help! I have read all of the posts and was able to get rid of the spyware, however I still have that ANNOYING icon (blue question mark with red x, with “system alert” blurb that pops up. I have searched all of the .dll files and could fine none for 6/8, which is when I got the virus from a fake Active X download. Any suggestions out there?
Hi,
what happedned with my last post? I am quite sure I’ve posted here quite a long reply with my experience with this ugly malware, but now it is gone…
If it was deleted by administrators could you please send me an e-mail why? Thank you.
Johny
Ok, so once again (much shorter version):
I was infected dwo days ago, solved the problem yesterday. Everything failed and flashing icon was still there. Finally I used a “sort by date” method and found a strange .dll from day before attack (yesgnhr.dll). Renamed it and icon started flashing; restarted PC and icon was gone. Then I deleted it and celebrated
Malware software was called SpyCrush, but I am writing my experience here, because it is still the same SW, only with different name, and this thread is far longer (and better indexed by search engines) than the similar one on this blog.
Thanks and good luck
Johny
You people here deserve medals for all the hard work and contributions you make to helping remove locked spyware. Since last night I had been attacked by something called SpyCrush. I read many many of the postings and especially Asad’s contribution of Mar 27th, 2007. With his new infector file called “tahxqcj.dll”.
Well now I have downloaded SpyHunter and feel well pleased with it. But back to the problem, despite my existing Spyware removal program dealing with many files and the Registry and I also deleted files appropriately, that flashing icon in the system tray remained.
I wrote to SpyHunter and asked for their help. Then suddenly after looking at Asad’s posting I remembered my infection began around 21:30 last night and I went to the Windows/System32 folder and there was a suspicious file. It was called “tczij.dll”. I took what I thought was a huge chance and followed Asad’s instructions to the letter that he had written for that other file.
Sure enough my computer came back on fine and that total annoyance (the flashing icon and rubbish message in the system tray) created by this company that has little regard for the irritations it causes in this respect. It just infects us and walks away, who do they think they are. I even wrote directly to them to ask how I could remove this monstrosity, maybe they will reply later, we will see. I have since switched my computer off and then on again and all is great.
Thought I would post this just in case at this very moment someone, somewhere is about to pull their hair out over this marauder into our system tray. I did also write to SpyHunter to let them know also, and told them that my discovery was really down to this website and ASAD’s contribution in particular.
So once again it is time to say “Thanks ASAD, you have done it again” keep up the good work – we all appreciate your efforts on our behalfs.
David
Slight correction (addition) to my last posting!
Where I wrote:
“Sure enough my computer came back on fine and that total annoyance (the flashing icon and rubbish message in the system tray) created by this company that has little regard for the irritations it causes in this respect.”
please add after the word “respect”….
“..had gone!!”
You see they wind me up so much I cannot even finish a sentence correctly….!
Thanks.
Download and run Ad-aware-Se from Lavasoft.com.It has a free version of their software in the Home section of their web page. It does a nice job removing Spylock and Zlob. Select the on reboot route after the scan,since you can’t delete files of running process. After the system reboots Ad-aware-Se runs before spylock. Choose the smart scan selection (for brevity) or do a full system scan. Then follow the instuctions.
can this be fix by just rebooting your pc?
ok, i tried the Asad method,i can’t seem to to find that dll files. i also searched .dll since i got infected today two things came up. iesplg.dll iesbpl.dll there, i tried to delete that too, the DOSE can’t seem to find it…
Thanks to Asad and everyone else for all of your help. I got a new pesky dll file that caused my pesky little icon in the systray entitled “DOOEP.dll” Thank god I am finally rid of all that $hit.
Here are two new dll from Spylocked: afkvvy.dll and dooep.dll
This is just to say thank you people for the help you provide to us helpless idiots (just referring to my own stupid self). I have SpybotS&D and the TeaTimer utility that TOLD ME it was not safe to install that piece of “sh*t” but I thought was not a harmful thing.
Well OK SpybotS&D removed most of the malicious stuff from my PC except that annoying blinking cr*p and I found Jollie’s suggestion of changing the name to dooep.doc AND IT WORKED !! It was the last in the list. “dooep.dll”
Congratulations, surf safely and many thanks !!!
P.S. I could not dwld SpyHunter as my “safety configuration prevents it” ha ha ha ha
Joe, I’ve been searching and searching for the previously mentioned .dll files…I found afkvvy.dll but wasn’t sure…now off to delete it.
what is CMD?
I also have this red icon with a flashing white x in my system tray.
how can i get rid of it?