A few days ago we ended up with a specific Trojan.Ransomware that targets Russian web users. It hijacks the computer and displays a message in Russian saying that you need to send and an SMS on given number to retrieve the activation code.
We got it from a fake porn website that prompts web users to install pornoplayer.exe in order to watch requested video.
Of course, that doesn't mean you are protected against such malware just because you live in U.S or Europe. It can hijack your computer as well. So, let's say your PC is locked, you don't understand anything in Russian and you can't use their phone number. What would you do? Please follow the general Trojan.Ransomware removal guide below.
Trojan.Ransomware removal instructions:
1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode.
2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens.
3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.
4. Locate the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify.
Default value is Explorer.exe.
Modified value data points to Trojan.Ransomware executable file.
If Trojan.Ransomware modified the Shell value data, please copy the location of the executable file it points to into Notepad and then change value data to Explorer.exe. Click OK to save your changes and exit the Registry editor. Proceed to step 5.
If the default value data (Explorer.exe) wasn't modified, please locate the second registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
In the righthand pane select the randomly named registry key. In our case it was 22997148.
Copy the location of the executable file into Notepad and then delete the registry key. Right click on the registry key and choose Delete. Click Yes to confirm and exit the Registry editor. Proceed to step 5.
5. Delete Trojan.Ransomware files. Use the file location you saved into Notepad or otherwise noted in step 4. In our case, Trojan.Ransomware resided in %UserProfile% directory. There was a randomly named folder 22997148.
Full path: C:\Documents and Settings\Michael\22997148\22997148.EXE
NOTE: %UserProfile% refers to:
C:\Documents and Settings\[UserName] (for Windows 2000/XP)
C:\Users\[UserName]\ (for Windows Vista & Windows 7)
6. Go back into "Normal Mode". Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.
Associated Trojan.Ransomware files and registry values:
Files:
- %UserProfile%\[SET OF RANDOM NUMBERS]\
- %UserProfile%\[SET OF RANDOM NUMBERS]\[SET OF RANDOM NUMBERS].exe
C:\Documents and Settings\[UserName] (for Windows 2000/XP)
C:\Users\[UserName]\ (for Windows Vista & Windows 7)
Registry values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell = [SET OF RANDOM NUMBERS]"
0 comments:
Post a Comment