Wednesday 18 May 2011

Your Windows has been blocked - Ransomware targeting American people



This trojan blocker (MD5: 0193afae6bd74de23d3bc1aec15bcacb) prevents all software execution.
To remove the Trojan (and unlock Windows), infected users need to enter a valid serial number.


Number to call: 1-800-255-5227
ANDI RAZVAN SIMION
STR. DACIA 73
BRASOV (Romania)

Unfortunately, there is no way to unlock the computer with a generic serial.

Manual removal:
1) Restart your PC
2) Before the Windows XP splash screen, press the F8 key to enter the Windows Advanced Options Menu and choose: Safe Mode
3) Type 'regedit' in the console and go here:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
You will see a key named "explorer.exe" with this path:
C:\Documents and Settings\%username%\Application Data\Microsoft\explorer.exe
4) Now that you know the location, remove the key "explorer.exe" with a right click
5) Now go to the folder:
C:\Documents and Settings\%username%\Application Data\Microsoft\explorer.exe
and delete "explorer.exe"
6) Reboot your computer.
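
The Run-key check in step 3 can be automated when several machines need triage. The following is an added example, not code from the original post: it parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags entries that use a Windows system binary name from outside the Windows directory, which generalizes the "explorer.exe" case described here. The name list, the trusted directories and the sample output are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: system binary names worth watching for; extend as needed.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "winlogon.exe", "csrss.exe"}
# Assumption: directories where those binaries legitimately live (lower-case).
TRUSTED_DIRS = ("c:\\windows", "c:\\windows\\system32")

# Constructed sample of `reg query` output; the user name "bob" is made up.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    explorer.exe    REG_SZ    C:\Documents and Settings\bob\Application Data\Microsoft\explorer.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /background
"""

# One value per line: indentation, value name, type, data.
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_(?:EXPAND_)?SZ)\s+(?P<data>.*)$")
# Unquoted commands: cut at the first executable extension followed by a space or the end.
UNQUOTED = re.compile(r"(.*?\.(?:exe|com|scr|bat))(?=\s|$)", re.IGNORECASE)


def executable_of(command):
    """Return the program path from a Run-key command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = UNQUOTED.match(command)
    return match.group(1) if match else command


def find_masquerading(reg_output):
    """List (value name, path) pairs whose file name imitates a system binary."""
    hits = []
    for line in reg_output.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # key header or blank line
        path = executable_of(entry.group("data"))
        name_is_system = ntpath.basename(path).lower() in SYSTEM_NAMES
        dir_is_trusted = ntpath.dirname(path).lower() in TRUSTED_DIRS
        if name_is_system and not dir_is_trusted:
            hits.append((entry.group("name"), path))
    return hits


if __name__ == "__main__":
    for value_name, path in find_masquerading(SAMPLE):
        print(f"suspicious Run entry {value_name!r}: {path}")
```

Environment variables such as %APPDATA% are not expanded here, so export the values from the affected user's session or resolve them before comparing paths.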

Note for malware analysts: The ransomware performs network activity to define the receiver.

3 comments:

  1. does it actually delete your shit if you reboot?.. or is it just a scare tactic

  2. Scare tactic, like the timer at the top.
    I've tested modifying the date in safe mode to make it expire.
    When it reaches zero it comes back to 23:30

  3. Matt (anonymous) 18 May 2011 at 16:04

    alright, thanks steven
