How to unlock a computer blocked by a virus: simple methods, and what to do when they fail

Trojans of the Winlock family, known as "Windows blockers", have been extorting money from ordinary users for more than five years. In that time this class of malware has evolved considerably and has become one of the most frequent problems home users face. Below are ways to deal with them on your own, along with recommendations for preventing infection.

Malware is short for "malicious software", an umbrella term for any program designed to perform an unauthorized and usually harmful action. Viruses, backdoors, keyloggers, spyware, adware, rootkits and Trojans are only a few examples. A few years ago it was enough to call any such program a "virus" or a "Trojan horse", but new infection methods and vectors have appeared since then, and those two terms no longer cover everything that exists.

A Trojan usually appears on the system quickly and unnoticed. The user goes about their usual business, browses the web, and does nothing out of the ordinary. At some point a full-screen banner simply appears, and it cannot be closed in the usual way.

The picture may be frankly pornographic or, on the contrary, styled as strictly and menacingly as possible. The result is the same: a message placed on top of all other windows demands that you transfer a specified amount to a given number or send a paid SMS. It is often accompanied by threats of criminal prosecution or destruction of all data if the user does not pay promptly.

Keep your software updated. This applies above all to the operating system, security software and web browser, but also to any program you use frequently. Malware often exploits bugs in these programs to reach new machines, and while vendors usually fix such holes quickly, the fixes only protect you once they have actually been installed on your computer.

How to unlock your computer from a virus

It is equally important to avoid activities that put the computer at risk: opening unsolicited e-mail attachments, visiting unknown websites, or downloading software from untrusted sites or peer-to-peer file-sharing networks.

You should not, of course, pay the extortionists. Instead, find out which mobile operator the specified number belongs to and report it to that operator's security service. In some cases they may even tell you the unlock code over the phone, but do not count on it.

Removal methods are based on understanding the changes the Trojan makes to the system. It remains to identify those changes and undo them in whatever way is convenient.


With bare hands

For some Trojans there really is an unlock code. In rare cases they will even honestly remove themselves completely after the correct code is entered. You can look the code up in the corresponding sections of antivirus vendors' websites; examples follow.

The specialized sections of Doctor Web, Kaspersky Lab and other antivirus developers can be opened from another computer or from a phone.


Be careful when reading and entering the unlock code: make sure you do not confuse similar-looking characters. If the code is accepted, the computer will start working again.

After unlocking, do not rejoice too early and do not switch the computer off. Download any free antivirus scanner and perform a full system scan, for example with Dr.Web CureIt! or Kaspersky Virus Removal Tool.

Simple horses - simple measures

Before resorting to complex methods and special software, try the tools already at hand. Open Task Manager with (CTRL) + (SHIFT) + (ESC), or with (CTRL) + (ALT) + (DEL) followed by "Task Manager". If it opens, you are dealing with a primitive Trojan, and getting rid of it will not be hard. Find it in the list of processes and end it.

Do not let a scammer ransom you. If you pay, you are not guaranteed to regain control of your computer, and removing the malware or unlocking the machine may still cost you data. The scam works like this: out of nowhere the computer freezes and a pop-up appears, apparently from a reputable authority such as the Australian Federal Police, stating that your computer has been locked because you broke the law or visited an illegal site, and demanding a fee paid through a service such as a cash voucher bought in a shop and usable for online payments. Even if you do regain access, the malware may keep running and feed your personal and financial data to the fraudsters. Be careful which sites you visit and do not open e-mail from unknown senders: messages may carry malware, and some sites download malicious software automatically. Keep the computer protected with anti-virus and anti-spyware software and a good firewall, bought from a reputable source, and think about what you store on it, since stolen personal data can be used to steal your identity and your money. If you believe the computer is infected, contact your bank immediately and change your passwords. If the pop-up prevents you from doing anything at all, you may need a specialist to remove the malware; if some functions still work, run a virus scan with your security software, and if in any doubt contact your antivirus vendor or a computer specialist. Regaining control, whether through your own efforts or by paying, does not mean the computer is clean.

  • The warning may carry a police logo to look official.
  • Before downloading a file, make sure it comes from a reputable source.
  • If the file is a program, make sure you know exactly what it does.
With the file-encrypting variety the infected computer otherwise works fine; you simply cannot open any of your personal files.

The foreign process usually has a vague name and no description. If in doubt, simply end all suspicious processes one by one until the banner disappears.

If Task Manager cannot be opened, try a third-party process manager launched from the Run dialog, (Win) + (R). This is what a suspicious process looks like in System Explorer.

This is scary, especially if you have not backed up your data. "Cybercrime evolves as the bad guys get smarter and use newer technology," said Michael Kaiser, executive director of the National Cyber Security Alliance. "They are always looking for new ways to steal your money."

Solving the problem via the Internet

Screen blockers can usually be deleted, which restores access to your files and documents. File-encrypting Trojans are different: there is only one decryption key, and the criminals keep it on their server. If you do not pay the ransom, the key is destroyed within three days. To create a sense of urgency, a digital clock on the screen counts down from 72 hours, showing how much time remains before the unique decryption key is destroyed.

You can download the program from another computer or even from a phone; it is only a couple of megabytes. The "check" link searches an online database for information about the process, but usually everything is already clear. After closing the banner you often need to restart Explorer (the explorer.exe process): in Task Manager choose File -> New Task (Run) and enter C:\Windows\explorer.exe.

Unblock computer from banner using antivirus

Note the yellow countdown clock in the lower left corner: it shows the time remaining until the unique decryption key is destroyed and the encrypted files become permanently inaccessible. One victim wrote: "I have a distraught wife who accuses me!" Open the malicious file and bad things begin to happen, although the ransom demand may take several days to appear on the screen after the machine is infected.

Outdated way to unlock

One poster called the author of the malware "a genius". Another wrote: "This thing is disgusting and has the potential to cause enormous damage all over the world." Cyber fraudsters target both businesses and individual computer users: anyone who will pay to restore access to their files.

Once the Trojan is deactivated for the current session, it remains to find its files and delete them. You can do this manually or with a free antivirus.

A typical location for a Trojan is the temporary-file directories of the user, the system and the browser. A full scan is still advisable, since copies can be anywhere, and trouble rarely comes alone. The free Autoruns utility will help you review the full list of autostart entries.

"Our company was infected this morning. The virus hit the machine 4 days ago, and today we received a ransom pop-up message. All files on the network drive that the user had access to are now encrypted. We had backups, although they weren't fresh enough, so despite all our feelings against it, we paid the ransom, and everything started decrypting overnight." Of course, there is no guarantee of a happy ending if you pay the ransom. And then there is the bigger problem: by paying, you are helping to finance a criminal operation.

A military ruse

This stage relies on a quirk in the behavior of some standard programs. When you see the banner, try launching Notepad or WordPad blind: press (WIN) + (R), type notepad and press (ENTER). A new document opens underneath the banner. Type any gibberish into it and then briefly press the power button on the system unit. Windows begins shutting down and terminates all processes, including the Trojan, but Notepad's prompt to save the unsaved document halts the shutdown, so the computer stays on.

How to remove a banner using unlock codes

Go online and there is no way to guarantee that malware will not get onto your computer, even if you follow all the rules of safe computing. So you need to act defensively, which means regular backups.

"Back up, back up, back up, back up," Schmidt said. "This is the only way to reduce the risk of losing your files permanently." The backup should be a snapshot of everything on the system, not a simple sync of the kind most automated external hard drives and many cloud services perform. With synchronized backups, files that change on the master drive overwrite the earlier copies; if malware encrypts your essential files, the backup copies are encrypted and useless too.

Notepad will stop the galloping horse and give the administrator back control!

Old school

More advanced Trojans have means of resisting removal: they block Task Manager from starting and replace other system components.

In that case, restart the computer and tap the (F8) key while Windows is starting. A boot-option menu appears; choose "Safe Mode with Command Prompt". Once the console appears, type explorer and press (ENTER) to start Explorer. Then type regedit and press (ENTER) to open the Registry Editor. Here you can find the entries created by the Trojan and the place from which it starts automatically.

Remove banner from Windows startup

Your backup drive should stay disconnected from the computer until the next time you need it. The lock message claims that you have illegally viewed or distributed copyrighted content such as videos, music and software, and that to lift the "ban" on your computer you must pay within 48-72 hours. This type of malware exists solely to extract payment from the victim, in return for which the fraudster "promises" to unblock the computer.

Most often the full paths to the Trojan's files are found in the Shell and Userinit values under the key

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

In Shell the Trojan is written in place of explorer.exe, and in Userinit it appears after the comma. Copy the full path of the Trojan file from the first entry you find. In the command prompt type del, a space, then right-click to open the context menu.
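The Winlogon check above and the earlier advice to look for the Trojan in temporary directories can both be done offline, which is useful when you have exported the keys from "Safe Mode with Command Prompt" or are examining the disk from another machine. The following Python script is an added example (not code from the original article): it parses a reg export of the Winlogon and Run keys, flags any program in Shell or Userinit other than the stock values, flags Run entries that start from a temp directory, and prints the del and reg commands that undo them. The sample export, the file names ms32.exe and lock.scr, and the default values assumed for an English install with Windows on C: are all constructed for illustration; the sample appends the Trojan after explorer.exe, and a value that was replaced outright is caught the same way.

```python
"""Triage autostart entries from a registry export of a blocked Windows machine.

Added example, not code from the original article. Input is the text of a .reg file, e.g.
    reg export "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" winlogon.reg
(reg.exe writes UTF-16LE, so read the file with encoding="utf-16" before passing it in).
"""
import re
from dataclasses import dataclass

# Key suffixes, matched case-insensitively against the bracketed key names in the export.
WINLOGON = r"\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?$")
# Known-good values on an English install with Windows on C: (assumption; adjust for your layout).
EXPECTED = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe"}
RESTORE = {"shell": "explorer.exe", "userinit": r"C:\Windows\system32\userinit.exe,"}
# Fragments of the temporary directories the article names as typical Trojan drop sites.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\", "\\cache\\")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", re.I)


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    path: str
    reason: str


def parse_reg(text):
    """Return {key: {value_name: data}} for the REG_SZ values in .reg-format text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ; dword/hex data is skipped
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
    return keys


def first_path(command):
    """Extract the program path from a launch string such as '"C:\\x\\a.exe" /s'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def analyze(reg_text):
    """Flag foreign programs in Winlogon Shell/Userinit and temp-directory entries in Run keys."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.lower().endswith(WINLOGON):
            lowered = {n.lower(): v for n, v in values.items()}
            for name in ("Shell", "Userinit"):
                for part in lowered.get(name.lower(), "").split(","):
                    prog = part.strip()  # the stock Userinit ends with a comma, so skip empties
                    if prog and prog.lower() != EXPECTED[name.lower()]:
                        findings.append(Finding(key, name, prog, f"unexpected program in Winlogon\\{name}"))
        elif RUN_KEY_RE.search(key.lower()):
            for name, data in values.items():
                path = first_path(data)
                if any(marker in path.lower() for marker in TEMP_MARKERS):
                    findings.append(Finding(key, name, path, "autostart from a temporary directory"))
    return findings


def remediation(findings):
    """Console commands that delete the dropped files and undo the registry changes."""
    cmds = []
    for f in findings:
        if f.key.lower().endswith(WINLOGON):  # put the stock value back
            fix = f'reg add "{f.key}" /v {f.value} /t REG_SZ /d "{RESTORE[f.value.lower()]}" /f'
        else:  # a Run entry has no legitimate default; remove it
            fix = f'reg delete "{f.key}" /v "{f.value}" /f'
        for cmd in (f'del /f "{f.path}"', fix):
            if cmd not in cmds:
                cmds.append(cmd)
    return cmds


# Constructed sample (not a real capture): the blocker hooks both Winlogon values and adds
# a Run entry pointing into the Windows temp directory; SecurityHealth is a legitimate entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\victim\\AppData\\Local\\Temp\\ms32.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\AppData\\Local\\Temp\\ms32.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"locker"="\"C:\\Windows\\Temp\\lock.scr\" /s"
'''

if __name__ == "__main__":
    found = analyze(SAMPLE_REG)
    for f in found:
        print(f"{f.reason}: {f.value} -> {f.path}")
    print("\n".join(remediation(found)))
```

The script only reports; review the printed commands before pasting them into the console, since a legitimate program that a vendor happens to launch from a cache directory would also be flagged. The same parser works on exports of the HKCU Run keys and the Wow6432Node copies, because only the suffix of the key name is compared.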

Booting the infected computer into Safe Mode with Networking

The "Advanced Boot Options" window. In Safe Mode you will notice that the desktop background has been replaced with solid black.

Scanning your computer with antivirus software

If antivirus software is already installed on your computer, download the latest malware definitions and run a full scan. If you do not have malware-removal software, download and install it. Whichever tool you use, make sure you download the most recent definitions first.

In the menu, select "Paste" and press (ENTER). One Trojan file is now deleted; do the same for the second and any further ones.

Removing the Trojan from the console: the file was in a temporary folder.

Then search the registry for the name of the Trojan file, carefully review all the entries found and delete the suspicious ones. Clear all temporary folders and the Recycle Bin. Even if everything went perfectly, do not skip a full scan with any antivirus afterwards.

If the Trojan has broken network connectivity, try restoring the Windows Sockets API settings with the AVZ utility (the built-in equivalent is netsh winsock reset, run from an elevated command prompt).

Operation under general anesthesia

Serious infections are pointless to fight from inside the infected system. It is more logical to boot from a known-clean one and calmly treat the main one. There are dozens of ways to do this; one of the easiest is the free Kaspersky WindowsUnlocker utility included in Kaspersky Rescue Disk. Like Dr.Web LiveCD, it is based on Gentoo Linux. The image can be burned to a disc or written to a bootable flash drive with the Kaspersky USB Rescue Disk Maker utility.

Prudent users prepare such media well in advance; the rest turn to friends or the nearest Internet cafe once infected.

When switching on the infected computer, hold down the key that enters the BIOS setup, usually (DEL) or (F2); the prompt is shown at the bottom of the screen. Insert the Kaspersky Rescue Disk or the bootable flash drive. In the boot settings (Boot options) select the optical drive or the flash drive as the first boot device (sometimes it appears inside the expandable HDD list). Save the changes (F10) and exit the BIOS.

Modern BIOS versions let you choose the boot device on the fly, without entering the setup. Press (F12), (F11) or a key combination; see the on-screen message or the motherboard or laptop manual for details. After the reboot, Kaspersky Rescue Disk starts.

Russian is available as an interface language, and treatment can be performed automatically or manually, following the step-by-step instructions on the developer's website.

Fighting early

Some Trojans attack the master boot record (MBR). They start before Windows boots, and you will not find them in the autostart locations.

The first step is to restore the original MBR. On XP, boot from the Windows installation disc, press (R) to open the Recovery Console and type fixmbr; confirm with (Y) and reboot. On Windows 7 the equivalent utility is BOOTREC.EXE, with fixmbr passed as a parameter: bootrec /fixmbr

After this the system boots again, and you can hunt for copies of the Trojan and its delivery vehicles with any antivirus.

On a crusade with a Phillips screwdriver

On low-powered computers, and especially laptops, fighting Trojans can take a long time: booting from external devices is difficult and scanning takes very long. In such cases simply remove the infected hard drive and connect it to another computer for treatment. An external enclosure with an eSATA or USB 3.0/2.0 interface is the most convenient way to do this.

To avoid spreading the infection, first disable autorun from the HDD on the "treating" computer (and it would not hurt to disable it for other media types too). The free AVZ utility is the most convenient way to do this, although the scan itself is better done with something else. Open the "File" menu and choose "Troubleshooting Wizard". Tick "System Problems", "All" and click "Start". Then tick the "Autorun from HDD allowed" item and click "Fix marked problems".

Also, before connecting the infected drive, make sure that resident antivirus monitoring is running on that computer with adequate settings and fresh databases.

If the partitions of the external drive are not visible, open "Disk Management": in "Start" -> "Run" type diskmgmt.msc and press (ENTER). The partitions must be assigned drive letters; add them manually with "Change Drive Letter and Paths...". Then scan the external drive in full.

To prevent reinfection, install any antivirus with a real-time monitoring component and follow the general security rules:

  • work from an account with limited rights;
  • use alternative browsers, since most infections come through Internet Explorer;
  • disable JavaScript on unknown sites;
  • disable autorun from removable media;
  • install programs, add-ons and updates only from the developers' official websites;
  • always check where a link actually leads;
  • block unwanted pop-ups with browser add-ons or standalone programs;
  • install updates for browsers, common components and system components promptly;
  • keep the system on a separate disk partition and store user files on another.

Following the last recommendation lets you make small images of the system partition (with Symantec Ghost, Acronis True Image, Paragon Backup and Recovery, or at least the standard Windows "Backup and Restore" tool). They guarantee recovery of the computer in a matter of minutes, regardless of what it is infected with and whether antiviruses can detect the Trojan.

This article covers only basic methods and general information. If the topic interests you, visit the GreenFlash project website; its forum has many solutions and tips for building a multiboot flash drive for all occasions.

The spread of Winlock Trojans is not limited to Russia and its neighbours. Variants exist in almost every language, including Arabic. Besides Windows, such Trojans also try to infect Mac OS X. Linux users are denied the joy of defeating this insidious enemy: the architecture of that family of operating systems makes writing an efficient and universal "X-lock" impractical. You can, however, "play doctor" in a virtual machine with a Windows guest OS.