Removing the winlock trojan
I know that such posts are not really welcome on the hub, but I believe this method may be useful to someone, or at least save them time. I came across a fresh trojan that is detected by only a few antiviruses (VirusTotal scan results are in the screenshot of the original post). I could not find the unlock code either. So, rather than tiring you with a description of how I searched for it, I will write this post as a short guide.
So, after infection this kind of muck appears on the desktop (screenshot in the original post). The trojan prevents most programs from launching (browsers, regedit, Process Explorer), though for some reason it ignores msconfig. To unlock, it asks you to send an SMS to number 5121 with the text 4579304. The removal steps are as follows:
1) Go to the directory C:\Program Files\Common Files\Office\ and delete the file exel.exe; this is the ill-fated shell.
A few notes on this: the location may be chosen randomly; unfortunately there is no way to check. One more thing: I deleted it from Linux, but in my opinion the file is not protected, so you can delete it from Windows as well.
2) Reboot and run regedit. Unlike that case, my trojan registered itself in the Shell value. Therefore, in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, set Shell to just Explorer.exe.
(Screenshot of the value before the change in the original post.)
3) Check the hosts file (C:\Windows\System32\drivers\etc\hosts). By default it should contain a single uncommented line:
127.0.0.1 localhost
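The three checks above, as an added PowerShell audit script that is not part of the original post. It assumes the file path the post observed (the trojan may use another location) and is meant to be run from an elevated prompt after the reboot in step 2; it only reports and prints the remediation command for each finding.

```powershell
# Added example, not from the original post: audit the three items the guide
# fixes by hand. Run from an elevated PowerShell prompt after the reboot.
$winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hostsFile   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Path observed in the post; assumed here, the trojan may pick another location.
$suspectFile = Join-Path $env:CommonProgramFiles 'Office\exel.exe'

function Test-WinlogonShell {
    # Windows starts whatever is listed in Shell at logon; the clean value is
    # just explorer.exe. Anything appended after it is an extra "shell".
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -ne $shell -and $shell.Trim() -ieq 'explorer.exe') {
        Write-Output "Winlogon\Shell is clean: $shell"
    } else {
        Write-Warning "Winlogon\Shell is modified: '$shell'"
        Write-Output "  remediation: Set-ItemProperty -Path '$winlogon' -Name Shell -Value 'explorer.exe'"
    }
}

function Test-HostsFile {
    # Report every active (uncommented, non-blank) line other than the expected
    # loopback entry; the IPv6 form '::1 localhost' is also normal on some systems.
    $expected = '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
    $extra = @(Get-Content -Path $hostsFile -ErrorAction Stop |
        Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -notmatch $expected })
    if ($extra.Count -eq 0) {
        Write-Output "hosts file is clean"
    } else {
        Write-Warning "hosts file has $($extra.Count) unexpected active line(s):"
        $extra | ForEach-Object { Write-Output "  $_" }
    }
}

function Test-SuspectFile {
    if (Test-Path -LiteralPath $suspectFile) {
        Write-Warning "suspect file still present: $suspectFile"
        Write-Output "  remediation: Remove-Item -LiteralPath '$suspectFile' -Force"
    } else {
        Write-Output "no exel.exe at $suspectFile"
    }
}

Test-SuspectFile
Test-WinlogonShell
Test-HostsFile
```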
That's basically it. Be careful. I hope this post saves someone time.
P.S.: Naturally, I sent the infected file to the antivirus companies that did not detect it.
P.S.2: While I was writing this, a reply came from Kaspersky Lab:
“exel.exe - Trojan-Ransom.Win32.PinkBlocker.bmu
This file is now detected by the antivirus with up-to-date antivirus databases.”
Update your databases.