HolidayBuyer's Guide

Spyware, Viruses, & Security forum

General discussion

New rogue called SpyLocked

by Donna Buenaventura / March 19, 2007 2:21 PM PDT

"SpyLocked is the latest in a series of fake anti-spyware, or rogue anti-spyware, programs. These programs are being distributed through sites hosting Zlob Trojans, which are malware that disguises itself as a video or audio codec that you need to download and install in order to use a particular video or audio file. In reality, though, when you install these Trojans, they will instead show fake security alerts and install the SpyLocked program on to your computer.

When SpyLocked is downloaded to your computer by a Zlob trojan, it will automatically start and act as if it is scanning your computer. It will then provide a list of grossly exagerated and fake results including the actual Zlob Trojan that installed it in the first place. It will then prompt you to purchase the full commercial version of the software before you can remove these items. This is a complete scam, and the results are a tactic used to scare you into purchasing their software. Needless to say, do not purchase it. "

More details and How to remove SpyLocked (Removal Instructions) at:
http://www.bleepingcomputer.com/forums/topic85376.html

Discussion is locked
You are posting a reply to: New rogue called SpyLocked
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: New rogue called SpyLocked
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Here is some more information on SpyLockeed
by IHateMalware / March 21, 2007 6:04 PM PDT

Heres what others say about SpyLocked

Sunbelt Software

SpyLocked may be marketed by malware that displays false or exaggerated warnings of spyware infection on the desktop to entice users to download the program. SpyLocked typically displays exaggerated or false scan reports of infection to frighten the user into paying for the program since the free version of the program will not perform threat removal.

http://research.sunbelt-software.com/threatdisplay.aspx?name=SpyLocked&threatid=129037

Collapse -
spylocked flashing icon on task bar
by kidmystery / April 1, 2007 4:06 AM PDT

I deleted every file and registry entry I could find and still had the flashing icon on the task bar. I later located a file named oyopu.dll in the system32 folder. After deleteing this file, the icon went away.
Hope this helps someone else.

Collapse -
I've been spylocked
by dudeonacloud / April 21, 2007 4:09 AM PDT

I looked for the oyopu.dll and don't see it...could it be somewhere else?

Collapse -
Could it be "hidden"?
by Carol~ Forum moderator / April 21, 2007 9:12 AM PDT
In reply to: I've been spylocked

Dude..

If you haven't "unhidden" your files and folders, it could be one reason you're not seeing it.

Click on the Tools menu and select Folder Options.
Click on the View tab.
Under the Hidden files and folders category select Show hidden files and folders.
Uncheck Hide protected operating system files.
Press Apply and then OK


If that doesn't help, it may help to look for it while in Safe Mode. See the second #11 listed halfway down the page at:
http://www.bleepingcomputer.com/forums/topic85376.html

It may help..
Carol

Collapse -
SpyLocked is now detected by freeware RogueRemover
by Donna Buenaventura / March 25, 2007 10:02 PM PDT
Collapse -
Donna
by tomron / March 25, 2007 10:33 PM PDT

I looked in RogueRemover programs targeted drop down menu and it is not listed.Unless it will be listed in an up dated version. Happy

Collapse -
It's there
by Donna Buenaventura / March 25, 2007 10:45 PM PDT
In reply to: Donna

I personally requested via private message to the author of RogueRemover to kindly include SpyLocked in the detection. His response the other day is.. it will be added and released in next update together with detection with many other rogue products.

Update was released and it includes SpyLocked.

It is there today:
See the post of Roddy in Updates thread today:
http://forums.cnet.com/5208-6132_102-0.html?forumID=32&threadID=240102&messageID=2441529#2441529

See the history:
http://www.malwarebytes.org/rogueremover_database_history.php

"Version 113 (3/25/07)

[Added]
AdwareCleaner, AdwareGuardian, AdwareStopper, AdwareSweep, AdwareSweeper, MalwaresWipeds, PestWiper, SpyContra, SpyLocked, SpywareHound, VirusBlasters, VirusBurst

[Updated]
AntiVermins, Anti-Virus&Spyware, DriveCleaner 2006, MalwareAlarm, MalwareWipe, PestCapture, Rogue.Infector, SystemDoctor 2006, SpyDeface, SpyHeal, Spyware Stormer, Ultimate Cleaner

[Removed]
No applications were delisted.

[Notes]
We have now reached 300 rogue applications detected!"

The database also has SpyLocked in the list:
http://www.malwarebytes.org/database.php

Collapse -
Eureka !!!
by tomron / March 25, 2007 10:55 PM PDT
In reply to: It's there

Just as I thought,it needed to be updated,I checked Roddy's post.

Thanx Happy

Collapse -
Here's the ID
by Donna Buenaventura / March 25, 2007 10:46 PM PDT
In reply to: Donna
Collapse -
And a screenshot that it is there..
by Donna Buenaventura / March 25, 2007 10:51 PM PDT
In reply to: Donna
Collapse -
Still have a system tray icon with annoying pop-up
by cmrabbu / March 26, 2007 1:53 PM PDT

The RogueRemover was successful in removing the last Registry Key that seemed to remain after I thought I had gotten all traces of SpyLocked.

Unfortunately, though I still have an icon in my system tray that toggles between a questions mark and a strike through icon. Annoying "system alert!" pop-ups stem from this icon periodically.

Suggestions on removal? Thanks!!

Collapse -
System Alert pop-up
by Donna Buenaventura / March 26, 2007 5:04 PM PDT

Try the self-help guide by BleepingComputer.com at:
http://www.bleepingcomputer.com/forums/topic69886.html
There's automated and manual removal.

If you are not comfortable in using the above, please post a HijackThis log in Bleeping Computer forum and they'll assist you in finding the issue and provide removal.

Collapse -
cmrabbu
by tomron / March 26, 2007 11:50 PM PDT
"RogueRemover was successful in removing the last Registry Key"

I don't understand,are you saying that RogueRemover removes registry keys?

Tom
Collapse -
spylocked icon popup
by wood0454 / April 27, 2007 3:57 AM PDT

i just renamed ilmpjy.dll to ilmpjy.bad ( in c:\windows\system32). That did it!

just make sure you can see system and hidden files in tools, folder options,its in system32

Collapse -
Same is mentioned here
by IHateMalware / April 27, 2007 3:04 PM PDT
In reply to: spylocked icon popup
Collapse -
wood0454 & ilmpjy.dll
by sigmundo / May 1, 2007 11:24 PM PDT
In reply to: spylocked icon popup

Just to let everyone know wood0454 has got the solution to removing those unbelievably annoying system tray icons - just remember to set the folder options otherwise you will not find the ilmpjy.dll file.

Thanks, wood0454!

Collapse -
SpyLocked Removal
by Tatiana25_2006 / May 9, 2007 4:56 AM PDT
In reply to: spylocked icon popup

As a tech I have seen may cases of spylocked. To remove spylocked download smitrem.exe ( about halfway down the page )from http://noahdfear.geekstogo.com/ and smitfraudfix ( the first link under download siri.urz.free ) from
http://siri.geekstogo.com/SmitfraudFix.php . Save both to your desktop.
Boot your computer into safe mode and run these 2 tools and it shall remove spylocked. Smitrem.exe - Click on start so that it extracts all. On your desktop you will have a new yellow folder for smitrem , open that folder and choose runthis. Press any key all the way through untill the scan starts. Allow the scan to run it checks for may tyoes of malware and removes them. Once that completes , right click on smitfraudfix , choose extract all. You will have a new folder , inside the folder choose smitfraudfix. Using the keyboard 2 and enter , then y and enter. Next do 3 and enter , y and enter. Once complete choose q to quit. Once you have run both tools reboot your pc and the warning that you are infected with malware should now be gone.

Best of luck

Collapse -
smitrem.exe
by Bugbatter / May 9, 2007 11:03 AM PDT
In reply to: SpyLocked Removal

You can skip smitrem.exe. It has not been updated in months, and will definitely will not clean newer variants. SmitfraudFix should take care of the problem, unless there are also other infections present that it cannot handle.

Collapse -
Cannot get rid of flashing icon
by stephenzi / June 29, 2007 9:19 PM PDT
In reply to: spylocked icon popup

I did the search (with hidden files included) for ilmpjy.dll, and nothing came up. Any suggestions on how to get rid of the icon and the warning pop ups?

I have downloaded Spyhunter and Spyware Doctor, and they say I have no more threats, but I still have that flashing Icon and the pop up warning.

I am using a PC with XP.

Any help will be appreciated.

Thanks,

Steve

Collapse -
Steve, Did You Follow The Instructions Posted...
by Grif Thomas Forum moderator / June 30, 2007 6:33 AM PDT

..by Donna in the link at the beginning of this thread.. Here's that link again:

http://www.bleepingcomputer.com/forums/topic85376.html

Download SmitFraudFix from the location provided in the link above.. REstart the computer into Safe Mode, then run SmitFraudFix per the instructions, then reboot the computer. AFTER after following all the instructions for running SmitFraudFix and rebooting the computer, then run all the other tools you have.

Hope this helps.

Grif

Collapse -
(NT) Thanx Donna
by tomron / March 26, 2007 2:09 PM PDT
Collapse -
(NT) You're welcome Tom :)
by Donna Buenaventura / March 26, 2007 5:05 PM PDT
In reply to: Thanx Donna
Collapse -
I remeber bonzi-buddy and 14 of 16 were in the registry
by darclew1 / April 1, 2007 6:45 AM PDT
In reply to: You're welcome Tom :)

Some were so obvious that it was a link between other ones that were healthy. I think I had WIN98SE then and one was blocking Windows MediaPlayer 9.0 - it was listed before it in the registry. Once I dug them all out and deleted. There were no more problems. It was picked up by a trial of CA's Pest Patrol now it is CA Antispyware. I got them from Ad-Aware SE and they were there as to their locations, all Ihad todo was move the link over to right to see were they were located, went to Run, typed in regedit & clicked ok so I could find them in the registry using the list in Ad-Aware. Some were in CLSID. One said only bonzi. I used that for someone who had a lady friend use his computer and all her mail was still there. She isn't now. Darrell

Collapse -
thank you
by brainyboy44 / May 30, 2007 6:41 AM PDT

thank you so much, the software website you posted really helped me get rid of my rogue antivirus, spylocked. your link was the only one that worked, and it was free too!

Collapse -
I was spylocked
by kportwood / June 30, 2007 7:38 AM PDT

Thank you so much guys for this article!!! i have spent 5 hours tonight uninstalling spylocked, updating AVG, running spybot and scanning my computer, and all the time that blooming pop up would not go away. thanks to you all for recommending rogueremover i ghave got rid of it WOOP WOOP!!! so big big thanks!

Collapse -
Spylocked May Be Exploiting .Ani Vulnerability
by psiebenand / April 28, 2007 1:25 PM PDT

I have read a few reports online that Spylocked my be exploiting the .ani cursor vulnerability. can anyone confirm this? This would explain why our customers continually get reinfected after removing spylocked unless they patch their systems. The trouble is, a lot of the computers we deal with use Realtec chipsets, so patching causes a ton of other headaches...

Message was edited by: admin

Collapse -
There's A Patch For The Realtek Issue
by Grif Thomas Forum moderator / April 28, 2007 3:05 PM PDT

First, install the ANI cursor update, then install the patch.. It should stop the problem with Realtek errors.. At least it has on all our machines. See the link below..

http://support.microsoft.com/?kbid=935448

Hope this helps.

Grif

Collapse -
Your post requires an edit
by Donna Buenaventura / April 30, 2007 2:51 PM PDT

I've sent an alert to the forum admin today to edit your post by removing the link in your post. All your posts is also requested today to remove the link to your website. Most of your posts point to your site only and it's blatant advertising. The other username is tschrock1 which also links to the said site over and over again.

Kindly read the complete policies of CNET forums:
http://forums.cnet.com/4520-6035-6656401.html?tag=dir.forum

Thank you for the understanding and cooperation.

Regarding your question, please see reply of fellow moderator and MVP Grif Thomas because if one has a patched system, there's no worry anymore on whatever vulnerability is targetted by malware. That is if the patch fixes the same issue that a malware will exploit.

Collapse -
: New rogue called SpyLocked
by terry387 / April 30, 2007 10:51 PM PDT

This sounds very similar to Spy Sheriff.

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

The Samsung RF23M8090SG

One of the best French door fridges we've tested

A good-looking fridge with useful features like an auto-filling water pitcher and a temperature-adjustable "FlexZone" drawer. It was a near-flawless performer in our cooling tests.