
The "Send an SMS to activate Vkontakte or Windows" virus: how to cure it?

[How to properly treat (according to the classification of Dr.Web)]

The appearance of the virus:
(* Text and appearance may be different. Below is one of the examples)




Symptoms:
- The virus is activated either when the user tries to start a program (any .exe file) or immediately after Windows loads.
- User login may be accompanied by errors like:
  - ["userinit.exe (rundll32.exe) - Application Error ... Memory cannot be written"]
- The virus displays a banner with arbitrary (varying) content that occupies 70-80% of the Windows desktop.
- The banner cannot be minimized or closed; it is placed above all other windows of the OS.
- To "unlock" normal operation of the system and stop the banner from being displayed, the user is asked to enter an unlock code, for which the virus demands money, paid by sending an SMS with a code to a short number.

Attention (!) People, be smarter: do not send the SMS under any circumstances (!)


Method of treatment:
For a technically untrained PC user who is scared off by the word "registry", the easiest way to regain control over the system is to use unlock-code generators.

Deactivation service for extortionist blockers (c) Kaspersky Lab
http://support.kaspersky.ru/viruses/deblocker

Doctor Web helps to get rid of the Trojan blocking access to the system
http://news.drweb.com/show/?i=304&c=9&p=0

Unlock Windows (c) ESET
http://esetnod32.ru/support/winlock.php

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ATTENTION!

If the banner has disappeared, this does not mean that the virus has been completely removed from your system!!! After a successful unlock I recommend checking the system immediately. How? Read the relevant instructions.

If the code did not work, or no code was found

We need to fix a few parameters in the registry of the infected operating system.
To access the registry, you need a Windows-based Live CD:

- ERD Commander of the corresponding version (5.0 for XP, 6.0 for Vista, 6.5 for 7)
- Alkidlivecd (includes ERD Commander)
- BartPE or a similar mini WinPE with a registry editor

Methods of eliminating banner blockers by editing the Windows registry

Several registry keys must be checked and their parameters set to the proper values.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Userinit


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
. . . (in progress)
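
The check of these three values can be automated once the keys have been exported to .reg text from the Live CD. The Python code below is an added example, not part of the original instructions. It assumes Windows XP installed in C:\WINDOWS, whose clean-install defaults are Shell = Explorer.exe, Userinit = C:\WINDOWS\system32\userinit.exe, and an empty AppInit_DLLs; the sample export and the hive name OFFLINE are constructed.

```python
import re

# Clean-install defaults (assumption: Windows XP in C:\WINDOWS), compared lower-cased.
EXPECTED = {
    ("winlogon", "shell"): ["explorer.exe"],
    ("winlogon", "userinit"): [r"c:\windows\system32\userinit.exe"],
    ("windows", "appinit_dlls"): [],
}
# Match on the tail of the key so that both ...\SOFTWARE\... and an offline
# hive mounted under another name (here HKLM\OFFLINE) are recognised.
KEY_RE = re.compile(
    r"^\[.+\\Microsoft\\Windows NT\\CurrentVersion\\(Winlogon|Windows)\]$", re.I)
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping (a backslash before a backslash or a double quote)."""
    return re.sub(r"\\(.)", r"\1", s)

def audit_reg_export(text):
    """Return sorted (subkey, value, entries) for watched values that differ from EXPECTED."""
    found, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            section = key.group(1).lower()
        elif line.startswith("["):
            section = None              # some other key: ignore its values
        elif section:
            val = VAL_RE.match(line)    # only string values ("name"="data")
            if val:
                name = unescape(val.group(1)).lower()
                entries = [e.strip().lower() for e in unescape(val.group(2)).split(",")]
                found[(section, name)] = [e for e in entries if e]
    # A watched value that is absent from the export counts as an empty list.
    return sorted((k[0], k[1], found.get(k, [])) for k in EXPECTED
                  if found.get(k, []) != EXPECTED[k])

# Constructed sample export, not taken from a real infection.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\OFFLINE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Temp\\example.exe,"

[HKEY_LOCAL_MACHINE\OFFLINE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="example.dll"
'''
print(audit_reg_export(SAMPLE))
```

A non-empty AppInit_DLLs can also come from legitimate software, so each reported entry should be reviewed before it is cleared.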


















- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

After editing the registry, I recommend doing the following right away, still from the Live CD.

Wipe (delete completely) on the mounted HDD partitions:
RECYCLER
System Volume Information

Delete the contents of the directories:
C:\WINDOWS\Temp
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp & Temporary Internet Files
C:\Documents and Settings\%name%\Local Settings\Temp & Temporary Internet Files

Check the root of these directories for suspicious files:
C:\Documents and Settings\%name%\Application Data
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp & Temporary Internet Files
C:\Documents and Settings\%name%\Application Data\Start Menu\Programs\Startup
or
C:\Documents and Settings\%name%\Application Data\Main menu\Programs\Startup


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Elimination of the consequences of the presence of the virus in the system:

1. If the TCP/IP parameters are set manually, save them in a separate text file
Start -> Run -> cmd /k ipconfig /all > C:\net_settings.txt

2. Check the file C:\WINDOWS\system32\drivers\etc\hosts for extraneous entries
Start -> * correct file hosts


3. Reset Winsock (the commands must be entered in an open cmd window)
netsh winsock reset
netsh winsock reset catalog
netsh int ip reset resetlog.txt
netsh interface reset all
* http://support.microsoft.com/kb/299357

4. Reboot the OS
If all else fails, remove the network card in Device Manager
Start -> Run -> devmgmt.msc -> Network Cards -> Adapter -> "Delete" context menu item

5. Reboot the OS and wait for Windows to find the existing card and initialize it.

5.1. If all else fails, run the AVZ utility http://www.z-oleg.com/secur/avz/download.php
File -> System Restore -> 14. Automatic correction of SPI / LSP settings

5.2. Reboot the OS; if problems are still present
File -> System Restore -> 15. Reset SPI / LSP and TCP / IP Settings (XP +)

5.3. Reboot the OS; if problems are still present
File -> System Restore -> 18. Full re-creation of SPI settings

6. If after all of the above the network still does not work normally, run the integrity check of Windows system files
(!) You need a CD with the Windows distribution of the same edition (Home / Pro) and Service Pack (2/3) as the one installed.
Start -> Run -> sfc /scannow

or

expand X:\I386\tcpip.sy_ C:\WINDOWS\system32\tcpip.sys
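
For step 2 above, the hosts file can be reviewed from the Live CD by listing every active mapping other than the loopback-to-localhost default. The Python code below is an added example, not part of the original instructions; it assumes a clean XP hosts file maps only localhost, and the sample content is constructed.

```python
import ipaddress

# Assumption: on a clean install the only active mapping is loopback -> localhost.
DEFAULT_NAMES = {"localhost"}

def extra_hosts_entries(text):
    """Return (line_no, address, name) for each active mapping that is not a default."""
    findings = []
    for no, line in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        # Drop comments (whole-line and trailing), then split on spaces or tabs.
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank line, comment, or address without a name
        addr, names = fields[0], fields[1:]
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False              # malformed address: report the line for review
        for name in names:
            if not (loopback and name.lower() in DEFAULT_NAMES):
                findings.append((no, addr, name.lower()))
    return findings

# Constructed sample: extra entries are often pushed below a run of blank lines,
# so line numbers are reported to make them easy to find in an editor.
SAMPLE = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "127.0.0.1       localhost",
    "", "", "",
    "203.0.113.7\tupdate.example.com www.example.com  # trailing comment",
    "127.0.0.1  support.example.net",
])

if __name__ == "__main__":
    for no, addr, name in extra_hosts_entries(SAMPLE):
        print(f"line {no}: {name} -> {addr}")
```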



Unlock Codes