Windows заблокирован!For those of you unfamiliar with ransomware -- it's a kind of malware with a particularly nasty payload. Windows заблокирован! Trojan ransom blocks software and asks for a ransom in exchange for releasing control of your computer. It gives instructions on how to send 200 Hryvnia (UAH) via WebMoney to free the computer. Hryvnia is a national currency of Ukraine. This scheme is very popular in Russian too. Ransomware can be spread in several ways but usually cyber crooks use fake pornographic websites to distribute the "Windows заблокирован!" and similar malware. In this case, Trojan Ransom claims that you were watching illegal pornographic videos (as usual) and if you won't pay the ransom your files will be deleted. But that's not all, if you choose not to pay the fine they will notify the authorities and your case will be handled in a court. Of course, that's not true. Don't worry about that. If your computer is infected with the Windows заблокирован! ransomware, please follow the removal instructions below. Good luck and be safe online!
Microsoft Security обнаружил нарушения использования сети интернет.
Причина: просмотр нелицензионного гей и детского порно.
Windows заблокирован! malware removal instructions:
1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm
2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens. Do not close it.
3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.
4. Locate the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify.
Default value is Explorer.exe.
Modified value data points to Trojan Ransomware executable file.
Please copy the location of the executable file it points to into Notepad or otherwise note it and then change value data to Explorer.exe. Click OK to save your changes and exit the Registry editor.
5. Remove the malicous file. Use the file location you saved into Notepad or otherwise noted in step in previous step. In our case, "Windows заблокирован!" was run from the My Documents. There was a file called porn_video.exe.
Full path: C:\Documents and Settings\Michael\My Documents\porn_video.exe
Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.
6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
7. If the problem persists, please follow the general Trojan.Ransomware removal guide.
Associated Windows заблокирован! ransomware files and registry values:
Files:
- [SET OF RANDOM CHARACTERS].exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ "Shell" = "[SET OF RANDOM CHARACTERS].exe"
0 comments:
Post a Comment