
Virus "Send an SMS to activate Vkontakte / Windows" - how to remove it?

[How to remove it correctly (by Dr.Web classification)]

Appearance of the virus:
(* The text and appearance vary. Below is one example)

Symptoms:
- The virus activates either when the user tries to start a program (any .exe file) or immediately after Windows starts.
- User logon may be accompanied by errors such as:
- ["userinit.exe (rundll32.exe) - Application error ... The memory could not be written"]
- The virus displays a banner of arbitrary (varying) content that covers 70-80% of the Windows desktop.
- The banner cannot be minimized or closed; it stays on top of all other windows.
- To "unblock" normal operation of the system and stop the banner, the user is told to enter an unlock code, for which the virus demands payment: an SMS with a code sent to a premium short number.

Attention (!) People, be smarter - under no circumstances send the SMS (!)


Method of treatment:
For a technically unprepared user, one who shudders at the word "registry", the simplest way to regain control of the system is almost as easy as sending an SMS: use the unlock-code generators (deblockers) that the antivirus vendors publish for free.

Ransom-blocker deactivation service (c) Kaspersky Lab
http://support.kaspersky.com/viruses/deblocker

Doctor Web helps you get rid of the Trojan that blocks access to the system
http://news.drweb.com/show/?i=304&c=9&p=0

Unlocking Windows (c) ESET
http://esetnod32.ru/support/winlock.php

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ATTENTION!

If the banner has disappeared, that does not mean the virus has been completely removed from your system !!! The code only stops the banner; the file that displayed it and its startup entry are still on the disk. After a successful unlock, I recommend that you immediately check the system. How? Read the appropriate instruction

If the code does not work, or none was found

Several values in the registry of the infected operating system have to be repaired.
To reach that registry (the banner will not let you do it from inside the infected Windows), you need a Windows-based Live CD:

- ERD Commander of the matching version (5.0 for XP, 6.0 for Vista, 6.5 for 7)
- Alkid Live CD (includes ERD Commander), BartPE or a similar WinPE mini-distribution with a registry editor

Method for removing banner-blockers by editing the Windows registry

Several registry keys must be checked and their values brought back to normal. The hive of the infected system is opened from the Live CD (ERD Commander's registry editor does this for you); the expected values are those of a clean installation:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell - must be exactly explorer.exe
Userinit - must be exactly C:\WINDOWS\system32\userinit.exe, (with the trailing comma; the drive letter and Windows folder are those of the infected system, not of the Live CD)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs - must be empty

Anything substituted into or appended to these values (a second path after the comma in Userinit, a file in Temp or Application Data in Shell, a DLL name in AppInit_DLLs) is how the blocker gets started. Write down the path it points to: that file has to go in the cleanup step below.
. . . (in progress)

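The check above, as an added example that is not part of the original article: a PowerShell script to be run from a WinPE-based Live CD that loads the SOFTWARE hive of the infected installation, compares the three values against the clean defaults, and with -Fix writes the defaults back. The hive path (drive D: under WinPE) and the mount name OfflineSW are assumptions; adjust them to your Live CD.

```powershell
# Added example (not from the original article). Run from a WinPE Live CD
# that has PowerShell. $HivePath is the SOFTWARE hive of the *infected*
# system; the drive letter D: is an assumption, check it with diskpart or
# Get-PSDrive first.
param(
    [string]$HivePath = 'D:\Windows\System32\config\SOFTWARE',
    [switch]$Fix                       # without -Fix the script only reports
)

$mount = 'OfflineSW'                   # temporary mount point under HKLM

# Clean defaults for XP/Vista/7 (x86). Userinit keeps its trailing comma;
# the drive letter is the one the infected system sees itself as (usually C:).
# AppInit_DLLs must be empty.
$expected = @{
    'Microsoft\Windows NT\CurrentVersion\Winlogon' = @{
        Shell    = 'explorer.exe'
        Userinit = 'C:\Windows\system32\userinit.exe,'
    }
    'Microsoft\Windows NT\CurrentVersion\Windows' = @{
        AppInit_DLLs = ''
    }
}

& reg.exe load "HKLM\$mount" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    foreach ($sub in $expected.Keys) {
        $key   = "HKLM:\$mount\$sub"
        $props = Get-ItemProperty -Path $key
        foreach ($name in $expected[$sub].Keys) {
            $want = $expected[$sub][$name]
            $have = [string]$props.$name
            # Case-insensitive compare: XP writes C:\WINDOWS, Vista/7 C:\Windows.
            if ($have -ine $want) {
                Write-Warning "$sub\$name = '$have' (expected '$want')"
                if ($Fix) {
                    Set-ItemProperty -Path $key -Name $name -Value $want
                    Write-Host "  fixed -> '$want'"
                }
            } else {
                Write-Host "$sub\$name OK"
            }
        }
    }
}
finally {
    # Drop the provider's handles so the hive can actually be unloaded.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$mount" | Out-Null
}
```

Run it once without -Fix and read the warnings: the "have" value is where the blocker lives, which is the path you need for the file cleanup. Only then run it again with -Fix. The script covers exactly the three values the article names; it does not touch Wow6432Node on 64-bit systems or the per-user hive (NTUSER.DAT).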
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

After editing the registry, and still from under the Live CD, I recommend:

Wipe (delete completely) the following folders on the hard disk
RECYCLER
System Volume Information
(deleting System Volume Information also deletes all System Restore points; blockers are routinely stored in them, which is why the folder goes, but do not expect to roll back afterwards)

Empty the directories
C:\WINDOWS\Temp
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp and Temporary Internet Files
C:\Documents and Settings\%name%\Local Settings\Temp and Temporary Internet Files

Check the root of the following directories for suspicious files
C:\Documents and Settings\%name%\Application Data
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp and Temporary Internet Files
C:\Documents and Settings\%name%\Start Menu\Programs\Startup
or, on a Russian-localized Windows,
C:\Documents and Settings\%name%\Главное меню\Programs\Startup


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Eliminating the consequences of the virus's stay in the system:

1. If the TCP/IP parameters were set manually, first save them to a separate text file
Start -> Run -> cmd /k ipconfig /all > C:\net_settings.txt

2. Check the file C:\WINDOWS\system32\drivers\etc\hosts for bogus entries (anything beyond 127.0.0.1 localhost, typically redirects of social-network and antivirus-update domains; scroll to the very end of the file, the extra lines are often hidden behind a long run of blank lines)
Start -> * the correct hosts file


3. Reset Winsock (the commands are entered in an open cmd window)
netsh winsock reset
netsh winsock reset catalog
netsh int ip reset resetlog.txt
netsh interface reset all
* http://support.microsoft.com/kb/299357

4. Reboot the OS.
If that did not help, remove the network adapter in the Device Manager
Start -> Run -> devmgmt.msc -> Network adapters -> the adapter -> context menu -> Uninstall

5. Reboot the OS and wait until Windows finds the adapter again and initializes it

5.1. If nothing helped, run the AVZ utility http://www.z-oleg.com/secur/avz/download.php
File -> System Restore -> 14. Automatic SPI/LSP settings repair

5.2. Reboot the OS; if the problems remain
File -> System Restore -> 15. Reset SPI/LSP and TCP/IP settings (XP+)

5.3. Reboot the OS; if the problems remain
File -> System Restore -> 18. Full re-creation of SPI settings

6. If after all of the above the network still does not work normally, run the Windows system file integrity check
(!) the Windows distribution CD must match the installed edition (Home/Pro) and Service Pack (2/3)
Start -> Run -> sfc /scannow

or restore the TCP/IP driver alone from the distribution (X: is the CD drive)

expand X:\I386\tcpip.sy_ C:\WINDOWS\system32\tcpip.sys
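Steps 1 to 3 of the procedure above, as an added example that is not part of the original article: a PowerShell script that saves the current TCP/IP configuration, reports every active hosts-file line that is not a stock localhost mapping, and, only when asked with -ResetStack, runs the netsh reset sequence. The output path C:\net_settings.txt is the article's; the stock-entry list and the .bak backup name are my assumptions. Run it in an elevated PowerShell on the unlocked system.

```powershell
# Added example (not from the original article). Requires an elevated
# PowerShell. Without -ResetStack nothing on the system is changed except
# the two files written (net_settings.txt and hosts.bak).
param([switch]$ResetStack)

$hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'

function Get-ForeignHostsEntries {
    # Returns every active (non-comment, non-blank) hosts line whose
    # address/name pair is not one of the stock localhost mappings.
    # Blockers redirect vk.com, odnoklassniki.ru and antivirus update
    # servers here, so those lines come out of this function.
    param([string[]]$Lines)
    $stock = @('127.0.0.1 localhost', '::1 localhost')   # assumption: stock set
    $n = 0
    foreach ($raw in $Lines) {
        $n++
        $line = ($raw -replace '#.*$', '').Trim()       # strip comments
        if ($line -eq '') { continue }
        $parts = $line -split '\s+'
        $name  = if ($parts.Count -gt 1) { $parts[1] } else { '' }
        $pair  = ($parts[0] + ' ' + $name).ToLower()
        if ($stock -notcontains $pair) {
            New-Object PSObject -Property @{
                LineNo  = $n
                Address = $parts[0]
                Host    = $name
            }
        }
    }
}

# 1. Keep a copy of the network settings (step 1 of the article).
ipconfig /all | Out-File -FilePath 'C:\net_settings.txt' -Encoding ascii

# 2. Hosts file (step 2). Read the whole file: the real redirects are often
#    placed after hundreds of blank lines so they are not seen in Notepad.
$foreign = @(Get-ForeignHostsEntries -Lines (Get-Content -Path $hostsPath))
if ($foreign.Count -eq 0) {
    Write-Host "hosts: only stock entries present"
} else {
    Write-Warning "hosts: $($foreign.Count) non-stock entries (line numbers are 1-based)"
    $foreign | Sort-Object LineNo | Format-Table LineNo, Address, Host -AutoSize
    Copy-Item -LiteralPath $hostsPath -Destination "$hostsPath.bak"
    Write-Host "backup written to $hostsPath.bak; replace hosts with the clean file"
}

# 3. Winsock / TCP-IP reset (step 3), only on request; takes effect after reboot.
if ($ResetStack) {
    netsh winsock reset
    netsh winsock reset catalog
    netsh int ip reset resetlog.txt
    Write-Host "Reboot to complete the reset."
}
```

The function deliberately reports rather than deletes: a corporate or home-server hosts file may legitimately carry extra names, and the decision of what is bogus (a social-network domain sent to a stranger's IP, an antivirus update server sent to 127.0.0.1) is yours. Restoring the stock file by hand after looking at the list is the safe order.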



Unlock codes