Searched everywhere.. I cannot remove SpyLock.

[HelpMePlease]

Hi, I am new to this forum and I need help. I got the Spylock spyware and I searched everywhere, but I cannot find a solution.

I think the main problem is that I'm using Windows ME, which cannot run Rogue Remover and it cant even run Smit Fraud Fix.

All I need is a program that can work with windows ME. I'm no expert on computers so manually removing it won't help. Does anyone know a program that can delete Spylock and can function on Windows ME?

Thanks!!

[RubbeR DuckY]

Ok, let's take a look.

Please do this.

Download 'Hijack This!'. http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Do a system scan and save a logfile".

When the Notepad window opens, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

[HelpMePlease]

Ok, i downloaded the HijackThis thing. Here is the log:

Logfile of HijackThis v1.99.1

Scan saved at 10:25:35, on 2007-4-1

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\SPYNOMORE\SNM.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\HJT\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [sNM] C:\PROGRAM FILES\SPYNOMORE\SNM.EXE /startup

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...n9x/AvSniff.cab

O21 - SSODL: hemine - {9d6fac42-a7be-4702-87ef-75d8dc14249e} - C:\WINDOWS\SYSTEM\tahxqcj.dll

[RubbeR DuckY]

The offending entry is present,

Please open HijackThis once more. Select 'None of the above, just start the program'. Place a checkmark next to the following item.

O21 - SSODL: hemine - {9d6fac42-a7be-4702-87ef-75d8dc14249e} - C:\WINDOWS\SYSTEM\tahxqcj.dll

Restart your computer. Navigate to and delete C:\WINDOWS\SYSTEM\tahxqcj.dll. If you can't find the file let me know. If SpyLocked is listed in the Add/Remove programs list, please attempt to uninstall it.

The SpyLocked issue should be gone, however I do have a few suggestions. If you haven't paid for SpyNoMore, uninstall it. It has a very shady past.

Let me know how it goes!

[HelpMePlease]

Your advice was good, but it seems that FileAssassin cannot run on Windows ME =(.

What do I do next without File Assassin?

Thanks.

[RubbeR DuckY]

I edited my directions after I realized you were running Windows ME =).

[HelpMePlease]

I did everything you said and.. it worked! I no longer have Spy Locked and I deleted SpyNoMore just in case..

Thanks!!!!!

PS: In my Remove/Add program, there is a thing called Windows Safety Alert. What is that thing?

Thanks!

[RubbeR DuckY]

It doesn't look safe at all, from google searches. I think it is linked with Zlob, which you had. If you didn't install it, then uninstall it =). Another suggestion: If you don't have Spybot Search & Destroy installed, it is a very good Anti-Spyware utility that is compatible with Windows ME:

http://www.safer-networking.org/en/mirrors/index.html

Question: Do you know where you were infected with SpyLocked?

[HelpMePlease]

I think it was one of those video codecs I downloaded when i was trying to watch anime... I downloaded DivX codec, but it said that I needed to download this other weird codec, so I downloaded it... But right after the installation, SpyLocked popped out, so I uninstalled DivX. It was still there so I decided to go here and ask some experts.

I also remember something when i was scanning with SpyNoMore. It says that Windows Safety Alert is a trojan. If you click remove on Windows Safety alert, it will redownload trojans like SpyLocked. So i didnt remove it on my "Add/Remove" thing. I will download the SpyBot Search and Destroy to see if it will delete it. Thanks for the link!

[RubbeR DuckY]

Yup.. sadly thats how most infections occur nowadays, via codecs. If you can remember the exact site, send me an e-mail marcin at malwarebytes dot org [spammer protected].

[JeanInMontana]

Don't mean to butt in, but wouldn't that site be in the history?

[RubbeR DuckY]

This topic has been resolved so it is now closed. If anybody else needs help removing Spylocked please try RogueRemover at http://www.malwarebytes.org/rogueremover.php. If that does not work, please post a Hijack This log in another topic.

Glad we could help!