Russian Ransomware Lockemall (Trojan.Winlock) Removal!!

Hi Guys & Gals,

There is a new(ish) type of malware going around that hails from Russia. It's a type of malware called ransomware. It completely locks you out of your PC; even if you reboot into Safe Mode it will still run and lock you out. This blog will go through the basic steps of removing such ransomware from your PC. It's not easy to get rid of, but by carefully following this blog you should be fine.

What Does The Malware Do?

It locks you out of your PC. It does this by altering some values in the Windows registry, redirecting your shell and user log-in (your Windows log-on and desktop) to the infected file instead of "Explorer.exe" for your shell and "userinit.exe" for your log-in.

When infected you will see a screen such as this; it's all in Russian and it's basically asking you to pay some money in order to "un-lock" it and remove it from your system:

Step 1: First things first...

Since this malware locks you out of everything, you will need to boot your PC into a pre-installed Windows environment from a boot CD. The best one that I have found is called "Ultimate Boot CD 4 Windows (UBCD4WIN)". The ISO file can be burned to a CD/DVD and booted; it loads up a small version of Windows and is packed with useful tools and the ability to connect to the internet. Even if you don't have any nasties on your PC I always recommend having one of these CDs handy, it could save your system one day.

You can download it here: http://www.megaupload.com/?d=T8OSEYW1

To burn the ISO to a CD or DVD you will need burning software such as Nero etc... if you don't have one you can download a good free one called ImgBurn here: http://download.imgburn.com/SetupImgBurn_2.5.5.0.exe

Step 2: Reboot PC Using UBCD4WIN...

Restart your PC and if all is good it should boot from your CD and a menu should pop up. From this menu select "Launch Ultimate Boot CD for Windows" using your keyboard. This will then launch UBCD4WIN and start up a virtual version of Windows XP (be patient, this might take a while). If you don't see this menu your PC is probably not configured to try to boot from your CD-ROM drive. Sometimes tapping F12 as your PC is booting will let you choose what to boot from; if this is the case select "CD-ROM" and hit Enter.

If this is not the case you will need to configure your BIOS to boot from CD first and HD next. Basic information on how to do this can be found here: http://www.hiren.info/pages/bios-boot-cdrom

Step 3: Finding the Infected File and Removing It...

Now that virtual Windows XP has loaded up, click on Start/Run, type explorer.exe in that box and hit OK. This will run Explorer/File Manager, which will allow us to find the malware file and delete it.

The location of this file depends on whether your PC runs Windows XP or Windows Vista/7.

If you're using Windows XP the file will be in this folder, so navigate to it using Explorer and delete the file:

C:\Documents and Settings\All Users\Application Data

If you're using Windows 7/Vista, navigate to this folder:

C:\ProgramData

Look out for a file called something like "22CC6C32.exe"; the actual numbers and letters might be different for you. If you are unsure which file it is, the two registry values edited in Step 4 currently point at it, so their "Value Data" gives you the exact name. Select this file (click once, DON'T double click) and hit "Delete" on your keyboard to delete it.

Step 4: Correcting The Registry...

We now need to correct the registry so that our log-in points to the correct files and not the infected file (which now doesn't even exist). You must take great care when editing the registry, so if you are unsure get someone who's comfortable with it. With that said, launch a tool included with UBCD4WIN called "RegEdit(Remote)".

This can be found by clicking on: Start/Programs/Registry Tools/Regedit(Remote)

Select "Administrator" or the name of your Administrator account and click on "OK". This will allow you to load up the registry editor and begin work.

We need to edit two values: "Shell" and "Userinit". Both can be found under the following key, so navigate to it using RegEdit (be exact):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Once there, look in the right-hand pane and scroll down until you see a value called "Shell". Double click on it; this will open up its properties allowing you to edit the "Value Data". The value data at the moment points to the infected file, and we need to change this.

Simply enter in: Explorer.exe     ...and hit "OK".

Now scroll down a little until you see a value called "Userinit" and double click on it to open its properties. Once again it's pointed at the infected file, so change this.

Simply enter in: c:\windows\system32\userinit.exe,    ...and hit "OK".

Please make sure you enter both values carefully, particularly the "userinit.exe" value, which does require a "," at the end.

Once this is done the malware won't be able to start and you should be able to boot into Windows normally, so exit out of UBCD4WIN by removing your CD and restart your PC in the normal way.
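As an added example (not part of the original post), here is a PowerShell script that audits the two Winlogon values from Steps 3 and 4, reports which file a tampered value points at so you know what to delete, and resets both values when run with -Fix. It assumes a PowerShell-capable environment (the repaired system itself, or a modern WinPE rather than the XP-based UBCD4WIN); the -HivePath parameter and the D: drive letter in the comments are assumptions, not part of the post.

```powershell
# Added example, not from the original post: check the Winlogon "Shell" and
# "Userinit" values that Trojan.Winlock alters, and optionally restore them.
# Live system: run as-is. From a boot environment, load the offline hive first
# (drive letter D: is an assumption for the infected Windows drive):
#   reg load HKLM\Offline D:\Windows\System32\config\SOFTWARE
# and then run this script with  -HivePath 'HKLM:\Offline'
param(
    [string]$HivePath = 'HKLM:\SOFTWARE',
    [switch]$Fix
)

$winlogon = Join-Path $HivePath 'Microsoft\Windows NT\CurrentVersion\Winlogon'

# Clean defaults exactly as given in Step 4; Userinit keeps its trailing comma.
$expected = @{
    Shell    = 'Explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}

$props = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $current = [string]$props.$name
    # Compare case-insensitively: Windows itself writes "explorer.exe" and
    # "C:\WINDOWS\..." in different cases on different versions.
    if ($current -and ($current.Trim() -ieq $expected[$name])) {
        Write-Host "[OK]    $name = $current"
        continue
    }
    Write-Warning "$name has been changed: '$current' (expected '$($expected[$name])')"

    # List every program the tampered value launches; this is the file to
    # delete in Step 3. From a boot CD the drive letter inside the value still
    # refers to the infected system's C:, so the "present" check may differ.
    foreach ($entry in ($current -split ',')) {
        $path = $entry.Trim().Trim('"')
        if ($path) {
            Write-Host "        -> $path (present: $(Test-Path -LiteralPath $path))"
        }
    }
    if ($Fix) {
        Set-ItemProperty -Path $winlogon -Name $name -Value $expected[$name]
        Write-Host "[FIXED] $name reset to '$($expected[$name])'"
    }
}
```

Run it once without -Fix to see what the values point at and delete that file, then run it again with -Fix to restore the defaults (unload an offline hive afterwards with `reg unload HKLM\Offline`).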

 

Step 5: Clearing up...

Once you are booted into your PC normally it's always a good idea to mop up any remaining infected files that might still be there. I recommend Malwarebytes Anti-Malware for this task, so download and install it here:

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-1080...

Once installed and updated, run it, select a "Full Scan" and let it remove anything it finds.

In Summary...

While this may seem a long process it sure beats re-formatting your drive and losing everything. Re-formatting should only be done as a very last resort, especially in this day and age where you have programs that can repair your PC and have it running like new.

-Track

Comment by Trackeditor on September 17, 2011 at 7:13pm

@Shawny As far as I'm aware this only targets Windows, so Macs should be fine. I would for sure download and burn a rescue CD such as Ultimate Boot CD for Windows (UBCD4WIN) as sometimes that's your only way of booting into some kind of Windows Environment. As long as you can access the net from there you should be able to clear most infections. My best advice to you when getting a new PC is installing some good, and free, Anti-virus and Anti-Malware programs.... the two I recommend are MS Security Essentials and Malwarebytes Anti-Malware:

MS Security Essentials

MalwareBytes

Hope this helps...

-track.
