i-Tube

Russian Ransomware Lockemall (Trojan.Winlock) Removal!!

Hi Guys & Gals,

There is a new(ish) type of malware going around that hails from Russia. It's a type of malware called ransomware. It completely locks you out of your PC; even if you reboot into Safe Mode it will run and lock you out. This blog will go through the basic steps of removing such ransomware from your PC. It's not easy to get rid of, but by carefully following this blog you should be fine.


What Does The Malware Do?

It locks you out of your PC. It does this by altering some values in the Windows registry and redirecting your shell and user log-in (your Windows log-on and desktop) to the infected file, instead of to "Explorer.exe" for your shell and "userinit.exe" for your log-in.


When infected you will see a screen such as this. It's all in Russian and it's basically asking you to pay some money in order to "unlock" your PC and remove it from your system:


Step 1: First things first...

Since this malware locks you out of everything, you will need to boot your PC into a pre-installed Windows environment from a boot CD. The best one I have found is called "Ultimate Boot CD 4 Windows (UBCD4WIN)". The ISO file can be burned to a CD/DVD and booted; it loads a small version of Windows and is packed with useful tools, including the ability to connect to the internet. Even if you don't have any nasties on your PC, I always recommend having one of these CDs handy. It could save your system one day.

You can download it here: http://www.megaupload.com/?d=T8OSEYW1

To burn the ISO to a CD or DVD you will need burning software such as Nero. If you don't have one, you can download a good free one called ImgBurn here: http://download.imgburn.com/SetupImgBurn_2.5.5.0.exe


Step 2: Reboot PC Using UBCD4WIN...

Restart your PC. If all is good it should boot from your CD and a menu should pop up. From this menu select "Launch Ultimate Boot CD for Windows" using your keyboard. This will launch UBCD4WIN and start up a virtual version of Windows XP (be patient, this might take a while). If you don't see this menu, your PC is probably not configured to try to boot from your CD-ROM drive. Sometimes tapping F12 as your PC boots will let you choose what to boot from; if this is the case, select "CD-ROM" and hit Enter.

If this is not the case you will need to configure your BIOS to boot from CD first and hard disk next. Basic information on how to do this can be found here: http://www.hiren.info/pages/bios-boot-cdrom


Step 3: Finding the Infected File and Removing It...

Now that virtual Windows XP has loaded, click on Start/Run, type explorer.exe in the box and hit OK. This will run Explorer (the file manager), which will allow us to find the malware file and delete it.

The location of this file depends on whether your PC runs Windows XP or Windows Vista/7.

If you're using Windows XP the file will be in this folder, so navigate to it using Explorer and delete the file:

C:\Documents and Settings\All Users\Application Data

If you're using Windows 7/Vista, navigate to this folder:

C:\ProgramData

Look out for a file called something like "22CC6C32.exe"; the actual numbers and letters might be different for you. If you're not sure which file it is, the "Shell" and "Userinit" registry values in Step 4 point straight at it. Select this file (click once, DON'T double click) and hit "Delete" on your keyboard to delete it.


Step 4: Correcting The Registry...

We now need to correct the registry so that our log-in points to the correct files and not to the infected file (which now doesn't even exist). You must take great care when editing the registry, so if you are unsure get someone who's comfortable with it. With that said, launch a tool included with UBCD4WIN called "RegEdit(Remote)".

This can be found by clicking on: Start/Programs/Registry Tools/Regedit(Remote)

Select "Administrator" or the name of your Administrator account and click on "OK". This will load the registry editor so you can begin work.

We need to edit two values, "Shell" and "Userinit". Both can be found at the following location, so navigate to it using RegEdit (be exact):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Once there, look in the right-hand pane and scroll down until you see a value called "Shell". Double click on it; this will open its properties and allow you to edit the "Value Data". The value data at the moment points to the infected file, so we need to change this.

Simply enter in: Explorer.exe     ...and hit "OK".

Now scroll down a little until you see a value called "Userinit" and double click on it to open its properties. Once again it points to the infected file, so change this.

Simply enter in: c:\windows\system32\userinit.exe,    ...and hit "OK".

Please make sure you enter both values carefully, particularly the "userinit.exe" value, which does require a "," at the end.

Once this is done the malware won't be able to start and you should be able to boot into Windows normally, so exit UBCD4WIN by removing your CD and restart your PC in the normal way.
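Once you're booted back into Windows, this PowerShell script (added to this post; it is not from the original article or from UBCD4WIN) checks that the two Winlogon values from Step 4 really are back to their stock settings, lists any file they still point at (the drop location from Step 3), and, with -Repair, writes the stock values back. It assumes an elevated PowerShell prompt on the live system and builds the Userinit path from $env:SystemRoot rather than assuming C:\Windows.

```powershell
# Added example, not part of the original post: audit the Winlogon "Shell" and
# "Userinit" values that Trojan.Winlock rewrites, and optionally restore them.
# Assumes an elevated (Run as Administrator) PowerShell prompt on the live system.
param([switch]$Repair)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock values (the ones Step 4 restores). Userinit keeps its trailing comma;
# the path is built from $env:SystemRoot instead of hard-coding C:\Windows.
$expected = @{
    Shell    = 'Explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

$props = Get-ItemProperty -Path $key
$clean = $true

foreach ($name in $expected.Keys) {
    $current = [string]$props.$name
    if ($current -ieq $expected[$name]) {            # paths are case-insensitive
        Write-Host ("[OK]    {0,-8} = {1}" -f $name, $current)
        continue
    }
    $clean = $false
    Write-Warning ("{0} was changed to '{1}' (expected '{2}')" -f $name, $current, $expected[$name])

    # Winlock points these values at a dropped .exe, so list each path the
    # current value references that still exists on disk.
    foreach ($entry in ($current -split ',' | Where-Object { $_.Trim() })) {
        $path = $entry.Trim().Trim('"')
        if (Test-Path -LiteralPath $path) {
            Write-Warning ("    referenced file still present: {0}" -f $path)
        }
    }

    if ($Repair) {
        Set-ItemProperty -Path $key -Name $name -Value $expected[$name]
        Write-Host ("[FIXED] {0} reset to '{1}'" -f $name, $expected[$name])
    }
}

if ($clean) { 'Winlogon Shell/Userinit match the stock values.' }
else        { 'Winlogon was modified; review the files listed above before deleting them.' }
```

Run it without -Repair first so you can see which file the values pointed at before anything is changed.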

 

Step 5: Clearing up...

Once you are booted into your PC normally, it's always a good idea to mop up any remaining infected files that might still be there. I recommend Malwarebytes Anti-Malware for this task, so download and install it from here:

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-1080...

Once installed and updated, run it and select a "Full Scan", then let it remove anything it finds.


In Summary...

While this may seem a long process, it sure beats re-formatting your drive and losing everything. Re-formatting should only be done as a very last resort, especially in this day and age when you have programs that can repair your PC and have it running like new.

-Track


Comment by Trackeditor on September 17, 2011 at 7:13pm

@Shawny As far as I'm aware this only targets Windows, so Macs should be fine. I would for sure download and burn a rescue CD such as Ultimate Boot CD for Windows (UBCD4WIN), as sometimes that's your only way of booting into some kind of Windows environment. As long as you can access the net from there you should be able to clear most infections. My best advice to you when getting a new PC is installing some good, and free, anti-virus and anti-malware programs... the two I recommend are MS Security Essentials and Malwarebytes Anti-Malware:

MS Security Essentials

MalwareBytes

Hope this helps...

-track.
