
Winlockers - removing when nothing else to do

The history of winlockers has long since grown stale. Things did get interesting in December 2009 - January 2010 with the arrival of the Digitala family: it could set up an infection with the functionality of the ZeroAccess rootkit (Get Accelerator), or load a malicious library from an ADS stream while monitoring and killing anti-virus processes (iLite Net Accelerator). That, you know, is a different league from tweaking Explorer policies and appending yourself to userinit! Then there was the idea of dropping the payload only after contacting the command server; as a result the old droppers do not work now, although back in February they worked just fine, didn't they? Hmm, people have grown poor on ideas these days, but oh well! :)

This post is not about the "monsters" among Windows lockers but about their far more pathetic relatives, which make up 90% of cases. So, the situation: you have a cheerful extortion window and a non-working system.


1. Try to find the unlock code via an unlock-code lookup service (the original post links several). If the code does not help, continue with the steps below. If it does help, go straight to step 5.
2. If you can launch programs while the blocker window is up, make logs and post them in the forum thread (the logging instructions and the thread are linked in the original post), and the system can be cleaned from there :) Launching a program past the locker can be done with the help of the linked tricks, though they do not always work.
3a. If you cannot launch anything, boot into Safe Mode.
3b. If Safe Mode is blocked too, boot from a LiveCD.

In both 3a and 3b, go into these folders (where _ stands for the name of the user's profile):

C:\Documents and Settings\All Users\
C:\Documents and Settings\_
C:\Documents and Settings\_\Application Data
C:\Documents and Settings\_\Local Settings
C:\Documents and Settings\_\Local Settings\Application Data
C:\Documents and Settings\_\ \\


and carefully pack every exe file into an archive, then delete them. The most convenient way is a search in those folders with the "*.exe" mask, because the subfolders along these paths have to be checked as well.

4. Pack into a zip archive and delete everything in:

C:\Documents and Settings\_\Local Settings\Temporary Internet Files
C:\Documents and Settings\_\Local Settings\Temp
C:\WINDOWS\Temp
C:\Temp


5. Try to boot in normal mode. If it works, immediately make logs and post them in the thread.
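The file sweep of steps 3a/3b and 4 is tedious to do by hand from a LiveCD and easy to get wrong (deleting before archiving, or wandering into system32). The script below is an added example, not part of the original post: it walks the same profile and temp folders (Windows XP layout, with the post's "_" written as {user}), zips every match with its original path and only then deletes the originals. The root path, the profile name and the sample tree built by build_sample_profile() are constructed assumptions for demonstration.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Folders from steps 3a/3b that are swept for *.exe (Windows XP profile
# layout, as listed in the post). "{user}" is the profile name the post
# writes as "_". The user profile is walked recursively, so Application Data
# and Local Settings (and their subfolders) are covered by the second entry.
EXE_SWEEP_DIRS = [
    "Documents and Settings/All Users",
    "Documents and Settings/{user}",
]

# Folders from step 4 whose whole contents are archived and deleted.
TEMP_DIRS = [
    "Documents and Settings/{user}/Local Settings/Temporary Internet Files",
    "Documents and Settings/{user}/Local Settings/Temp",
    "WINDOWS/Temp",
    "Temp",
]


def _walk_files(base):
    """Yield every regular file below base. os.walk does not follow symlinks
    or junctions by default, which avoids loops on a mounted NTFS volume."""
    for dirpath, _, names in os.walk(base):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file():
                yield p


def find_exe_files(root, user):
    """Return the *.exe files (case-insensitive) below the sweep folders.
    Nothing under WINDOWS\\system32 is touched: the post only sweeps profile
    and temp locations, never the system folder."""
    found = set()
    for d in EXE_SWEEP_DIRS:
        base = Path(root) / d.format(user=user)
        if base.is_dir():
            found.update(p for p in _walk_files(base) if p.suffix.lower() == ".exe")
    return sorted(found)


def quarantine(root, user, archive_path):
    """Archive the swept *.exe files and the temp-folder contents into
    archive_path (paths stored relative to root), then delete the originals.
    Returns the stored paths. Keep archive_path outside the swept folders;
    the target list is built before the archive is created, so the archive
    itself is never among the files deleted."""
    root = Path(root)
    targets = set(find_exe_files(root, user))
    for d in TEMP_DIRS:
        base = root / d.format(user=user)
        if base.is_dir():
            targets.update(_walk_files(base))
    targets = sorted(targets)

    # Write and close the archive first, delete only afterwards: a failed
    # write leaves the originals in place for the analysts reading your logs.
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in targets:
            zf.write(p, p.relative_to(root).as_posix())
    for p in targets:
        p.unlink()
    return [p.relative_to(root).as_posix() for p in targets]


def archive_members(archive_path):
    """Sorted list of the paths stored in the archive (to verify the result)."""
    with zipfile.ZipFile(archive_path) as zf:
        return sorted(zf.namelist())


def build_sample_profile():
    """CONSTRUCTED test data: a throw-away XP-style tree with a fake locker
    EXE under Application Data, a temp file, a document that must survive and
    a system EXE that must not be touched. Returns (root, user)."""
    root = Path(tempfile.mkdtemp(prefix="winlock_"))
    user = "john"
    u = root / "Documents and Settings" / user
    (u / "Application Data" / "Digitala").mkdir(parents=True)
    (u / "Application Data" / "Digitala" / "lock.exe").write_bytes(b"MZ fake locker")
    (u / "My Documents").mkdir()
    (u / "My Documents" / "notes.txt").write_text("keep me")
    (u / "Local Settings" / "Temp").mkdir(parents=True)
    (u / "Local Settings" / "Temp" / "drop.tmp").write_bytes(b"junk")
    (root / "WINDOWS" / "system32").mkdir(parents=True)
    (root / "WINDOWS" / "system32" / "calc.exe").write_bytes(b"MZ real program")
    return root, user


if __name__ == "__main__":
    root, user = build_sample_profile()
    for stored in quarantine(root, user, root / "quarantine.zip"):
        print("quarantined:", stored)
```

From a Linux LiveCD with the Windows volume mounted read-write this would be called as quarantine("/mnt/win", "john", "/mnt/usb/quarantine.zip"); the zip then goes to the analysts together with the logs from step 5. The standard zipfile module cannot password-protect the archive, so expect the anti-virus on whatever machine receives it to react to the contents.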

Why is it so important to collect logs even if it turns out you got rid of the malware by guessing the code or deleting files by hand? The thing is, at one time there were quite a few dummy winlockers that simply removed themselves when any code at all was entered. Or a "thunderous" recipe for removing such a program was posted on every corner of the net. Everyone followed it and felt like cool hackers who had outsmarted the virus writer. How wrong they were!

The whole point of such dummies was not to block the system but to install another malicious file, for example ZBot. After the "treatment" the happy user had no idea that he was in fact still infected.

So, it's better to make sure everything is clean.

Good luck with your treatment!

Source: https://habr.com/ru/post/96859/
