
Getting rid of the new Winlocker

Yesterday I had to pry a new Winlock off the computer of a colleague, a designer.
Seeing the familiar scam asking me to send an SMS to the number 3116, I went to the DrWeb website for an unlock code. But alas, the locker turned out to be new. A quick search of the forums turned up nothing either. I decided it would be easier to dig it out by hand.

The locker was fairly primitive.
It also loaded in safe mode, so the ordinary autorun entries could be ruled out as its launch point.
The locker covered the entire screen and blocked any windows opened with hotkeys.
However, holding Ctrl+Shift+Esc made the Task Manager flicker over the locker for very short moments, apparently because everything runs slower in safe mode. Under a normal boot this did not work.
In the process list a single process, nvcvc32, brazenly hung there.
It was loaded rather carelessly too: a command-line window opened and closed very quickly, being replaced by the locker window. With some sleight of hand I managed to click the close button of that window before it finished loading. That gave me a clean desktop; Explorer did not start.
After that everything followed the primitive script: I deleted nvcvc32.exe from the Windows folder.
It remained to find the loader.
I searched the registry for the place where explorer.exe is launched, which brought me to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\Shell.
In this parameter, a rundll.bat, which also lay in the Windows folder, had been added to the explorer.exe launch.

After deleting it and rebooting, nothing reminded me of the locker any more.
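The Winlogon Shell hijack described above is the kind of thing worth checking for routinely. The following is an added example, not code from the original post: it splits the comma-separated Shell value into its entries and reports anything other than a bare explorer.exe (the baseline and the list of script extensions are my assumptions; the Winlogon key is read from its standard location under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon when run on Windows, and a constructed sample modelled on the rundll.bat entry is used elsewhere).

```python
"""Audit the Winlogon Shell value for hijacks such as an extra .bat loader."""
import ntpath

try:
    import winreg  # only on Windows; the audit logic itself runs anywhere
except ImportError:
    winreg = None

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHELL_BASELINE = {"explorer.exe"}               # assumption: the only expected entry
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".scr", ".pif"}  # assumption


def parse_shell_value(value: str) -> list[str]:
    """Split the comma-separated Shell value into individual, unquoted entries."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def audit_shell_value(value: str) -> list[str]:
    """Return one finding per entry that is not the plain explorer.exe baseline."""
    findings = []
    for entry in parse_shell_value(value):
        name = ntpath.basename(entry).lower()
        if ntpath.dirname(entry) == "" and name in SHELL_BASELINE:
            continue  # the expected bare explorer.exe
        reason = "unexpected program in Shell"
        if ntpath.splitext(name)[1] in SCRIPT_EXTS:
            reason = "script launched as shell"
        elif ntpath.dirname(entry):
            reason = "explicit path instead of bare explorer.exe"
        findings.append(f"{entry}: {reason}")
    return findings


def read_live_shell_value():
    """Read HKLM\\...\\Winlogon\\Shell on Windows; return None on other systems."""
    if winreg is None:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Shell")[0]


if __name__ == "__main__":
    # Constructed sample modelled on the infection above, used when not on Windows.
    sample = read_live_shell_value() or "explorer.exe, C:\\WINDOWS\\rundll.bat"
    for finding in audit_shell_value(sample) or ["Shell looks clean"]:
        print(finding)
```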
Today it has already appeared on the DrWeb site under the name Trojan.Winlock.2925.

The infected machine was running Windows XP (the factory install; it is a laptop).

Source: https://habr.com/ru/post/112482/
