Virus "Send an SMS to activate Vkontakte or Windows" - how to cure it?
What the virus looks like:
(* The text and appearance vary; below is one example.)
Symptoms:
- The virus activates either when the user tries to start a program (any .exe file) or immediately after Windows starts up.
- Logging on to the system may be accompanied by errors such as:
- ["userinit.exe (rundll32.exe) - Application error ... The memory could not be written"]
- The virus displays a banner of arbitrary (varying) content that occupies 70-80% of the Windows desktop.
- The banner cannot be minimized or closed; it stays on top of all other windows.
- To "unblock" normal operation of the system and stop the banner, the user is told to enter an unlock code, for which the virus demands money: an SMS with a code must be sent to a short number.
Method of treatment:
For a technically unprepared PC user who shudders at the word "registry", the simplest way to regain control of the system is NOT to send the SMS! The simplest way out is to use one of the unlock-code generators:
Deactivation service for extortion-blockers (c) Kaspersky Lab
http://support.kaspersky.com/viruses/deblocker
Doctor Web helps you get rid of the Trojan that blocks access to the system
http://news.drweb.com/show/?i=304&c=9&p=0
Unlocking Windows (c) ESET
http://esetnod32.ru/support/winlock.php
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ATTENTION!
If the banner has disappeared, that does not mean the virus has been completely removed from your system!!! After a successful unlock I recommend checking the system immediately. How? Read the corresponding instructions.
If the code does not work, or none was found
Several parameters in the registry of the infected operating system have to be corrected.
To access the registry you will need a Windows-based Live CD:
- ERD Commander of the matching version (5.0 for XP, 6.0 for Vista, 6.5 for 7)
- Alkid Live CD (includes ERD Commander), BartPE or a similar WinPE mini-distribution with a registry editor
Technique for removing banner-blockers by editing the Windows registry
Several registry keys must be checked and their values restored to their proper state:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
... (work in progress)
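The check described above, carried out offline. This example is added here and is not the author's code: it assumes the two keys have been exported from the infected system's SOFTWARE hive into a .reg file (for instance after loading the hive in the Live CD's registry editor) and compares them with the Windows XP defaults, which are Shell = Explorer.exe, Userinit = C:\WINDOWS\system32\userinit.exe, (with the trailing comma) and an empty AppInit_DLLs. The .reg text inside the block is constructed; the lock.exe and hook.dll paths are placeholders, not real indicators.

```python
import re
from pathlib import PureWindowsPath

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOWS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed .reg export with the values a banner-blocker typically tampers with.
# The lock.exe / hook.dll paths are placeholders, not real indicators.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\user\\Application Data\\lock.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\Temp\\hook.dll"
'''

# The same two keys as they look on a clean Windows XP installation.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
'''

# "Name"="string value" lines; .reg files escape backslashes and quotes with a backslash.
_STRING_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: string}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m['name'])] = _unescape(m['value'])
    return keys


def _is_system32_file(entry, filename):
    p = PureWindowsPath(entry.strip().strip('"'))
    return p.name.lower() == filename and p.parent.name.lower() == 'system32'


def audit_winlogon(keys):
    """Return (key, value_name, offending_entry) for anything that deviates from the defaults."""
    findings = []
    winlogon = keys.get(WINLOGON, {})
    windows = keys.get(WINDOWS, {})

    # Shell: a comma-separated list; only explorer.exe belongs here.
    for entry in winlogon.get('Shell', '').split(','):
        entry = entry.strip()
        if entry and entry.lower() != 'explorer.exe':
            findings.append((WINLOGON, 'Shell', entry))

    # Userinit: comma-separated list of programs run at logon; blockers append themselves
    # here (or replace userinit.exe outright). Only system32\userinit.exe belongs here.
    userinit = winlogon.get('Userinit')
    if userinit is None:
        findings.append((WINLOGON, 'Userinit', '<missing>'))
    else:
        for entry in userinit.split(','):
            entry = entry.strip()
            if entry and not _is_system32_file(entry, 'userinit.exe'):
                findings.append((WINLOGON, 'Userinit', entry))

    # AppInit_DLLs: every DLL listed is loaded into every process that loads user32.dll;
    # the default is an empty string, so any content at all is a finding.
    appinit = windows.get('AppInit_DLLs', '').strip()
    if appinit:
        findings.append((WINDOWS, 'AppInit_DLLs', appinit))
    return findings


if __name__ == '__main__':
    for key, name, entry in audit_winlogon(parse_reg(INFECTED_REG)):
        print(f'{key}\\{name}: unexpected entry {entry!r}')
```

Run it against a real export by replacing INFECTED_REG with the file's contents; every entry it reports is something to remove from the value (and to look up on disk) before rebooting.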
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
After editing the registry, and while still booted from the Live CD, I recommend immediately
deleting (removing completely) the following directories from the hard disk:
RECYCLER
System Volume Information
Clearing the contents of the directories:
C:\WINDOWS\Temp
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp and Temporary Internet Files
C:\Documents and Settings\%name%\Local Settings\Temp and Temporary Internet Files
Checking the root of the following directories for suspicious files (%name% is the user's profile name):
C:\Documents and Settings\%name%\Application Data
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp and Temporary Internet Files
C:\Documents and Settings\%name%\Application Data\Start Menu\Programs\Startup
or
C:\Documents and Settings\%name%\Application Data\Main Menu\Programs\Startup
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Eliminating the consequences of the virus's stay in the system:
1. If the TCP/IP parameters are set manually, save them to a separate text file:
Start -> Run -> cmd /k ipconfig /all > C:\net_settings.txt
2. Check the file C:\WINDOWS\system32\drivers\etc\hosts for bogus (extraneous) entries
Start -> * the correct hosts file
3. Reset Winsock (the commands are entered in an open cmd window):
netsh winsock reset
netsh winsock reset catalog
netsh int ip reset resetlog.txt
netsh interface reset all
* http://support.microsoft.com/kb/299357
4. Reboot the OS.
If nothing has helped, remove the network card in Device Manager:
Start -> Run -> devmgmt.msc -> Network adapters -> the adapter -> context menu item "Uninstall"
5. Reboot the OS and wait until Windows finds the existing adapter and initializes it.
5.1. If nothing has helped, run the AVZ utility http://www.z-oleg.com/secur/avz/download.php
File -> System Restore -> 14. Automatic correction of SPI/LSP settings
5.2. Reboot the OS; if problems remain:
File -> System Restore -> 15. Reset SPI/LSP and TCP/IP settings (XP+)
5.3. Reboot the OS; if problems remain:
File -> System Restore -> 18. Complete re-creation of SPI settings
6. If after all of the above the network still does not work normally, run the integrity check of the Windows system files.
(!) You will need the installation CD of the same Windows edition (Home/Pro) and the same service pack (2/3) as the one installed.
Start -> Run -> sfc /scannow
or
expand X:\I386\tcpip.sy_ C:\WINDOWS\system32\tcpip.sys (X: is the CD drive)
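Step 2 above (checking the hosts file) done offline. This example is added here and is not the author's code: it assumes the hosts file has been copied off the infected disk (for example from the Live CD) and compares every mapping with the only entry a clean Windows XP hosts file contains, 127.0.0.1 localhost (Vista and later add ::1 localhost). The sample hosts text inside the block is constructed; its names use the reserved .invalid top-level domain and the address comes from a documentation range.

```python
import ipaddress

# Constructed hosts file, not one taken from a real machine. Names use the reserved
# .invalid TLD and 198.51.100.7 is from the TEST-NET-2 documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost


127.0.0.1       update.antivirus-vendor.invalid   # vendor's update server nulled out
198.51.100.7    social-network.invalid  www.social-network.invalid
"""

# What a clean Windows hosts file maps: XP ships only the IPv4 line, Vista and later add ::1.
DEFAULT_ENTRIES = {('127.0.0.1', 'localhost'), ('::1', 'localhost')}


def parse_hosts(text):
    """Return (line_no, address, hostname) triples; comments and blank lines are skipped.
    Every line is read, so entries pushed far down by blank-line padding are still seen."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            entries.append((line_no, fields[0], None))  # malformed, still worth a look
            continue
        for host in fields[1:]:  # one address may be followed by several names
            entries.append((line_no, fields[0], host))
    return entries


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for every mapping that is not a default."""
    findings = []
    for line_no, address, host in parse_hosts(text):
        if host is None:
            findings.append((line_no, address, host, 'malformed line'))
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, host, 'not an IP address'))
            continue
        if (str(addr), host.lower()) in DEFAULT_ENTRIES:
            continue
        # Loopback: the name is blackholed (typical for AV update and security sites).
        # Anything else: the name is redirected to a host the attacker chose.
        reason = 'name blackholed to loopback' if addr.is_loopback else 'name redirected'
        findings.append((line_no, address, host, reason))
    return findings


if __name__ == '__main__':
    for line_no, address, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f'line {line_no}: {address} {host}: {reason}')
```

On a home machine anything the audit reports can simply be deleted; if the hosts file was deliberately customised (blocked ad servers, local test names), add those pairs to DEFAULT_ENTRIES first so that only the unexpected lines remain.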