Your computer is infected with malicious software? Do you have popups on your PC?
If so, search this blog for removal instructions or find computer threats by category.

Wednesday, March 9, 2011

Remove Trojan.Ransomware (Uninstall Guide)

Tell your friends:
Trojan.Ransomware is a piece of malware that hijacks your computer and demands payment in exchange for the unlock key. If you don't have the key, you can't do anything. Very often, ransomware locks Windows in Safe Mode and Safe Mode with Networking too; otherwise you could easily get rid of it. However, there are a couple of steps that you can generally follow to get rid of the majority of Trojan.Ransomware type infections.

A few days ago we ended up with a specific Trojan.Ransomware that targets Russian web users. It hijacks the computer and displays a message in Russian saying that you need to send and an SMS on given number to retrieve the activation code.





We got it from a fake porn website that prompts web users to install pornoplayer.exe in order to watch requested video.





Of course, that doesn't mean you are protected against such malware just because you live in U.S or Europe. It can hijack your computer as well. So, let's say your PC is locked, you don't understand anything in Russian and you can't use their phone number. What would you do? Please follow the general Trojan.Ransomware removal guide below.


Trojan.Ransomware removal instructions:

1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode.



2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens.



3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify.



Default value is Explorer.exe.



Modified value data points to Trojan.Ransomware executable file.



If Trojan.Ransomware modified the Shell value data, please copy the location of the executable file it points to into Notepad and then change value data to Explorer.exe. Click OK to save your changes and exit the Registry editor. Proceed to step 5.

If the default value data (Explorer.exe) wasn't modified, please locate the second registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

In the righthand pane select the randomly named registry key. In our case it was 22997148.



Copy the location of the executable file into Notepad and then delete the registry key. Right click on the registry key and choose Delete. Click Yes to confirm and exit the Registry editor. Proceed to step 5.

5. Delete Trojan.Ransomware files. Use the file location you saved into Notepad or otherwise noted in step 4. In our case, Trojan.Ransomware resided in %UserProfile% directory. There was a randomly named folder 22997148.

Full path: C:\Documents and Settings\Michael\22997148\22997148.EXE



NOTE: %UserProfile% refers to:
C:\Documents and Settings\[UserName] (for Windows 2000/XP)
C:\Users\[UserName]\ (for Windows Vista & Windows 7)

6. Go back into "Normal Mode". Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.


Associated Trojan.Ransomware files and registry values:

Files:
  • %UserProfile%\[SET OF RANDOM NUMBERS]\
  • %UserProfile%\[SET OF RANDOM NUMBERS]\[SET OF RANDOM NUMBERS].exe
%UserProfile% refers to:
C:\Documents and Settings\[UserName] (for Windows 2000/XP)
C:\Users\[UserName]\ (for Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM NUMBERS]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell = [SET OF RANDOM NUMBERS]"
Share this information with other people:

12 comments:

trexx said...

hello..i have the same problem now but the malware will not allow me boot with command prompt.what can i do now..and i also have a pre installed ubuntu os ...is there a way i can get rid of it from the other side

Anonymous said...

my window is not loading after switching to safe mode......so where to type that explorer....

steambun said...

Hello, got the same problem as trexx. Command prompt won't show up. What now?

Anonymous said...

help pls..... same problem :( :(

Saad Khan said...

cmd prompt won't show... It's blocked too now what??? =| ... Please help. I'm using windows 7. And it's "... at address 0x3BC3".

Anonymous said...

@ Saad Khan and others, try this code 754-896-324-589-742

Anonymous said...

got the same problem but at address 0x21CB
please help

Mander said...

If command prompt is not opening in safe mode then you can do a parallel installation and recover your data or do a fresh installation.

Anonymous said...

Thanks a bunch, it worked for me after I got a ransomware virus that claimed to be from the FBI. The file was bunda.exe on mine.

Alex said...

I reached to the step where it says to modify shell. I did that and got "Default value is Explorer.exe" however it is not leading me to "Modified value data points to Trojan Ransomware executable file." what should i do? how do i get the location?

Alex said...

it says "Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter" i know it sounds silly but how do i get registry editor?

Anonymous said...

I followed the instrucions to the point where I looked in the Shell folder but this was pointing to explorer.exe just as I would expect in a non-infected computer. So the virus is not hiding here! What to do now? I have the Metropolitan/Strathclyde Police version of the virus. This is the same virus which was mentioned on BBC Radio4 a few days ago. Can anyone help?