A few days ago we ended up with a specific Trojan.Ransomware that targets Russian web users. It hijacks the computer and displays a message in Russian saying that you need to send and an SMS on given number to retrieve the activation code.
We got it from a fake porn website that prompts web users to install pornoplayer.exe in order to watch requested video.
Of course, that doesn't mean you are protected against such malware just because you live in U.S or Europe. It can hijack your computer as well. So, let's say your PC is locked, you don't understand anything in Russian and you can't use their phone number. What would you do? Please follow the general Trojan.Ransomware removal guide below.
Trojan.Ransomware removal instructions:
1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode.
2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens.
3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.
4. Locate the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify.
Default value is Explorer.exe.
Modified value data points to Trojan.Ransomware executable file.
If Trojan.Ransomware modified the Shell value data, please copy the location of the executable file it points to into Notepad and then change value data to Explorer.exe. Click OK to save your changes and exit the Registry editor. Proceed to step 5.
If the default value data (Explorer.exe) wasn't modified, please locate the second registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
In the righthand pane select the randomly named registry key. In our case it was 22997148.
Copy the location of the executable file into Notepad and then delete the registry key. Right click on the registry key and choose Delete. Click Yes to confirm and exit the Registry editor. Proceed to step 5.
5. Delete Trojan.Ransomware files. Use the file location you saved into Notepad or otherwise noted in step 4. In our case, Trojan.Ransomware resided in %UserProfile% directory. There was a randomly named folder 22997148.
Full path: C:\Documents and Settings\Michael\22997148\22997148.EXE
NOTE: %UserProfile% refers to:
C:\Documents and Settings\[UserName] (for Windows 2000/XP)
C:\Users\[UserName]\ (for Windows Vista & Windows 7)
6. Go back into "Normal Mode". Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.
Associated Trojan.Ransomware files and registry values:
Files:
- %UserProfile%\[SET OF RANDOM NUMBERS]\
- %UserProfile%\[SET OF RANDOM NUMBERS]\[SET OF RANDOM NUMBERS].exe
C:\Documents and Settings\[UserName] (for Windows 2000/XP)
C:\Users\[UserName]\ (for Windows Vista & Windows 7)
Registry values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell = [SET OF RANDOM NUMBERS]"
12 comments:
hello..i have the same problem now but the malware will not allow me boot with command prompt.what can i do now..and i also have a pre installed ubuntu os ...is there a way i can get rid of it from the other side
my window is not loading after switching to safe mode......so where to type that explorer....
Hello, got the same problem as trexx. Command prompt won't show up. What now?
help pls..... same problem :( :(
cmd prompt won't show... It's blocked too now what??? =| ... Please help. I'm using windows 7. And it's "... at address 0x3BC3".
@ Saad Khan and others, try this code 754-896-324-589-742
got the same problem but at address 0x21CB
please help
If command prompt is not opening in safe mode then you can do a parallel installation and recover your data or do a fresh installation.
Thanks a bunch, it worked for me after I got a ransomware virus that claimed to be from the FBI. The file was bunda.exe on mine.
I reached to the step where it says to modify shell. I did that and got "Default value is Explorer.exe" however it is not leading me to "Modified value data points to Trojan Ransomware executable file." what should i do? how do i get the location?
it says "Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter" i know it sounds silly but how do i get registry editor?
I followed the instrucions to the point where I looked in the Shell folder but this was pointing to explorer.exe just as I would expect in a non-infected computer. So the virus is not hiding here! What to do now? I have the Metropolitan/Strathclyde Police version of the virus. This is the same virus which was mentioned on BBC Radio4 a few days ago. Can anyone help?