How to remove Adware.SpywareLock.A

THREAT NAME
Adware.SpywareLock.A


CLEAN INSTRUCTIONS

1. Open Task Manager, select the rundll32.exe process, right-click on it and click on End Process
   (this will stop the flashing icon in the system tray and the fake messages).

2. Open Windows Explorer, browse to the C:\Windows\System32 folder and delete the rcohty.dll file.

3. Go to Start, Run, type regedit and press OK.

NB: Before you edit the registry, please export the keys that you plan to edit, or create a backup of the system.

4. Navigate to the following registry key:

   HKEY_CLASSES_ROOT\CLSID\

5. Delete the key:

   {b23dc537-3e13-44c7-bf67-d8405eb377f7}

6. Navigate to:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

7. Delete the key:

   {b23dc537-3e13-44c7-bf67-d8405eb377f7}

8. Navigate to:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

9. Delete the key:

   Windows Safety Alert

10. Restart the computer and run a full scan with BullGuard.

 

 

SYMPTOMS

1. A fake notification appears telling the user that the system is infected.

2. A flashing icon appears in the Taskbar.

3. Clicking the icon opens Internet Explorer and a connection is established to

   http://www.spy{blocked}locked.com


DESCRIPTION

1. When it is executed the malware will create the following registry keys:

   HKCR\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}

   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b23dc537-3e13-44c7-bf67-d8405eb377f7}

   HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert

2. It drops a file named rcohty.dll into the Windows system folder and executes it (through rundll32.exe).

3. When the DLL is loaded it will verify the existence of the key:

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareLocked 3.5

   If it is present, the DLL reads the value of DisplayIcon and executes it. If it is not present, the DLL shows a flashing icon in the system tray and a fake warning message:

   "System has detected a number of active spyware applications that may impact the performance of your computer. Click the icon to get rid of unwanted spyware by downloading an up to date antispyware solution."

4. If the user clicks on the icon, a new Internet Explorer window appears and a connection is made to http://www.spy{blocked}locked.com.

5. It also tries to open a connection to http://kerato{blocked}mir2.biz/

   If the connection is successful, it downloads a file and executes it.
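As an added example (not BullGuard's tool or code), the PowerShell script below audits a machine for the indicators given in the DESCRIPTION above (the dropped rcohty.dll, rundll32.exe instances that have it loaded, the three registry keys, and the "SpywareLocked 3.5" key whose DisplayIcon value the DLL executes) and, when run with a -Remediate switch, applies the CLEAN INSTRUCTIONS in the same order, exporting each key with reg.exe before deleting it as the NB step asks. The switch names, the backup folder and the output wording are assumptions chosen for this example; the indicator values come from this page.

```powershell
# Added example, not BullGuard's code: audit a host for the Adware.SpywareLock.A
# indicators described on this page and optionally apply the guide's cleanup steps.
# Run from an elevated PowerShell prompt. -Remediate and -BackupDir are names
# chosen for this example.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string]$BackupDir = (Join-Path $env:TEMP 'spywarelock-backup')
)

$clsid   = '{b23dc537-3e13-44c7-bf67-d8405eb377f7}'
$dllPath = Join-Path $env:SystemRoot 'System32\rcohty.dll'

# The three keys the guide says to delete (DESCRIPTION step 1).
$guideKeys = @(
    "HKEY_CLASSES_ROOT\CLSID\$clsid",
    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\$clsid",
    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert"
)
# The key the DLL looks for (DESCRIPTION step 3): if present, the DLL runs whatever
# DisplayIcon points at, so the value is reported and the key is left for manual review.
$checkKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareLocked 3.5'

$findings = @()
$pids     = @()

# rundll32.exe instances that actually have rcohty.dll mapped; matching on the
# module list avoids ending unrelated rundll32.exe processes.
foreach ($p in Get-Process -Name rundll32 -ErrorAction SilentlyContinue) {
    try {
        if ($p.Modules | Where-Object { $_.FileName -ieq $dllPath }) {
            $findings += "rundll32.exe PID $($p.Id) has $dllPath loaded"
            $pids     += $p.Id
        }
    } catch {
        # Module enumeration fails for processes in another session or with higher privilege.
        $findings += "rundll32.exe PID $($p.Id): could not enumerate modules ($($_.Exception.Message))"
    }
}

if (Test-Path -LiteralPath $dllPath) { $findings += "file present: $dllPath" }

foreach ($k in $guideKeys) {
    if (Test-Path -LiteralPath "Registry::$k") { $findings += "registry key present: $k" }
}

if (Test-Path -LiteralPath "Registry::$checkKey") {
    $icon = (Get-ItemProperty -LiteralPath "Registry::$checkKey" -ErrorAction SilentlyContinue).DisplayIcon
    $findings += "registry key present: $checkKey (DisplayIcon = '$icon'; review before removing)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Adware.SpywareLock.A indicators found.'
    return
}
$findings | ForEach-Object { Write-Output "FOUND: $_" }
if (-not $Remediate) {
    Write-Output 'Re-run with -Remediate to apply the cleanup steps.'
    return
}

# Cleanup in the guide's order: end the process, delete the file, back up and
# delete the registry keys, then reboot and run a full antivirus scan.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

if ($pids.Count -gt 0) { Stop-Process -Id $pids -Force }

if (Test-Path -LiteralPath $dllPath) {
    Remove-Item -LiteralPath $dllPath -Force
    Write-Output "deleted $dllPath"
}

$n = 0
foreach ($k in $guideKeys) {
    if (-not (Test-Path -LiteralPath "Registry::$k")) { continue }
    $n++
    $backup = Join-Path $BackupDir "key$n.reg"
    # reg.exe export produces a .reg file that 'reg.exe import' can restore.
    & reg.exe export $k $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "backup of $k failed; leaving the key in place"
        continue
    }
    Remove-Item -LiteralPath "Registry::$k" -Recurse -Force
    Write-Output "deleted $k (backup: $backup)"
}

Write-Output 'Done. Restart the computer and run a full antivirus scan.'
```

Run it once without the switch to see what is present, then with -Remediate from an elevated prompt. The script only ends rundll32.exe processes that have rcohty.dll mapped rather than every rundll32.exe, and it refuses to delete a key whose reg.exe export failed, so the backup the NB step asks for always exists before a key is removed.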


Author:
The BullGuard Team