
Description of Fake Anti-Spyware

SpyLocked, which recently morphed into dozens of variations under changing names, is the latest in a series of fake, or rogue, anti-spyware programs. These programs are distributed through sites hosting Zlob Trojans: malware that disguises itself as a video or audio codec you need to download and install in order to use a particular video or audio file. In reality, when you install one of these Trojans, it shows fake security alerts and installs the SpyLocked (aka Desktop Hijack Malware) program on your computer. Once a Zlob Trojan has downloaded the Desktop Hijack Malware to your computer, it starts automatically and acts as if it is scanning your computer. It then presents a list of grossly exaggerated and fake results, which includes the actual Zlob Trojan that installed SpyLocked. SpyLocked then prompts you to purchase the full commercial version of the software before you can remove these items. This is a complete scam, and the results are a tactic used to scare you into purchasing the software.

SpyLocked Screenshot

When infected, you will also see fake alerts on your Windows taskbar. These alerts state that you are infected with some sort of spyware or other security threat and that you need to install an anti-spyware program. Clicking one of these alerts launches SpyLocked or SpywareLocked; if they are not installed, it downloads them first and then launches them. These alerts are fake and are used as a scare tactic to make you think you need to purchase the SpyLocked or SpywareLocked programs.
An example of the fake alert is shown below:


SpyLocked Fake Security Alert
SpyLocked and other Rogue Anti-Spyware Fake Security Alerts


Tools Needed for this fix: click to download
Symptoms in a HijackThis Log:

O4 - HKLM\..\Run: [SpyLocked] C:\Program Files\SpyLocked\SpyLocked.exe /h
O4 - HKLM\..\Run: [SpywareLocked] C:\Program Files\SpywareLocked\SpywareLocked.exe /h
O4 - HKLM\..\Run: [SpywareLocked 3.3] "C:\Program Files\SpywareLocked 3.3\Spy-Locked.exe" /h
O4 - HKLM\..\Run: [SpywareLocked 3.4] "C:\Program Files\SpywareLocked 3.4\SpywareLock.exe" /h
O4 - HKLM\..\Run: [SpywareLocked 3.5] "C:\Program Files\SpywareLocked 3.5\SpywareLocked 3.5.exe" /h
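
As an added example (not part of the original guide or of HijackThis itself), this Python script parses the O4 autorun lines shown above and flags those whose value name or path matches the names listed on this page. The family regular expression, the function names and the two benign sample lines are assumptions constructed for illustration.

```python
import re

# HijackThis O4 registry autorun line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$')

# Assumption: pattern built only from the names listed on this page
# (SpyLocked, SpywareLocked, Spy-Locked.exe, SpywareLock.exe).
FAMILY_RE = re.compile(r'spy(?:ware)?-?lock', re.IGNORECASE)

# The five log lines from the page, preceded by two constructed benign lines.
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" -silent
O4 - HKLM\..\Run: [SpyLocked] C:\Program Files\SpyLocked\SpyLocked.exe /h
O4 - HKLM\..\Run: [SpywareLocked] C:\Program Files\SpywareLocked\SpywareLocked.exe /h
O4 - HKLM\..\Run: [SpywareLocked 3.3] "C:\Program Files\SpywareLocked 3.3\Spy-Locked.exe" /h
O4 - HKLM\..\Run: [SpywareLocked 3.4] "C:\Program Files\SpywareLocked 3.4\SpywareLock.exe" /h
O4 - HKLM\..\Run: [SpywareLocked 3.5] "C:\Program Files\SpywareLocked 3.5\SpywareLocked 3.5.exe" /h
'''

def split_command(command):
    """Split an autorun command into (executable path, arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
    # Unquoted paths may contain spaces, so cut at the first ".exe".
    m = re.match(r'(.+?\.exe)\b\s*(.*)$', command, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else (command, '')

def find_rogue_autoruns(log_text):
    """Return the O4 Run entries whose value name or path matches FAMILY_RE."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not a registry autorun entry
        path, args = split_command(m.group('command'))
        if FAMILY_RE.search(m.group('name')) or FAMILY_RE.search(path):
            hits.append({'hive': m.group('hive'), 'key': m.group('key'),
                         'name': m.group('name'), 'path': path, 'args': args})
    return hits

if __name__ == '__main__':
    for hit in find_rogue_autoruns(SAMPLE_LOG):
        print(f"{hit['hive']}\\{hit['key']} [{hit['name']}] -> {hit['path']}")
```

A match only identifies an entry to review; renamed variants that do not fit the pattern will not be flagged.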


Add/Remove Programs control panel entry:


SpyLocked 3.1
SpywareLocked 3.2
SpywareLocked 3.3
SpywareLocked 3.4
SpywareLocked 3.5




Automated Removal Instructions for SpyLocked and SpywareLocked:

  1. Print out these instructions as we will need to close every window that is open later in the fix.

  2. Download SmitfraudFix.zip, then unzip it and save it to your desktop:
    Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon yet. We will use it in later steps. The icon will look like the one below:

    SmitfraudFix desktop icon

  3. Next, please reboot your computer into Safe Mode by doing the following:

    1. Restart your computer

    2. After hearing your computer beep once during startup, but before the Windows logo appears, press F8 repeatedly.

    3. Instead of Windows loading as normal, depending on your system you may see 2 menus. If you are asked which storage device to start, select your main hard drive; the Boot menu should appear next.

    4. Select the first option, to run Windows in Safe Mode. Do not select Safe-Mode with Network Support.

    5. When you are at the logon prompt, log in as the same USER that you had performed the previous steps as.

  4. When your computer has started in Safe Mode and you see the desktop, close all open windows. You'll notice none of your security programs will be loaded, which is exactly what you want for malware cleaning.

  5. Now, double-click on the SmitfraudFix icon that should be residing on your desktop. The icon will look like the one below:

    SmitfraudFix desktop icon

  6. When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.

  7. You will now see a menu as shown in the image below. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).


    SmitfraudFix program menu


  8. The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below.


    Windows Disk Cleanup progress



    This program will remove all Temp files, Temporary Internet Files, and other files that may be left over from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with step 11.

  9. When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.
    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

  10. Optional: To restore Trusted and Restricted site zone, select 3 and hit Enter. You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

  11. When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.

  12. Note: process.exe (part of SmitfraudFix tool) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

  13. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, Save the text Log file and close the Notepad screen.

  14. OPTIONAL: Next, perform an online scan with XP running in normal mode and your firewall running, using any of the major anti-virus websites. Some scanners require your personal information (you can always use random info). Online scans are useful as secondary tests to verify a PC is clean without buying or installing another complete program alongside your main anti-virus security. Example online scans are: Trend Micro, Trend Micro's Java Scan for non-IE browsers, Bitdefender, Norton/Symantec, Panda.
    • start by clicking Scan your PC
    • in the new window, select the type of scan and allow the ActiveX Control to begin the session
    • input survey info if prompted, then begin the scan
    • depending on the scanner, it will either scan while online or download a 1-3 MB program, which you must click to start the scan locally; the local scan no longer uses the internet
    • once finished, view and then save the report
    • if malware is detected, the scanner may offer to clean/remove the threat, or you will have to search for the matching removal tool to clean the named threat and repair damaged files. In either case, online scans are a great tool to verify the PC is clean.
Your computer should now be free of SpyLocked and its many Desktop Hijack Malware mutations.