This was performed on a virtual machine.
This is a trojan that infects the following files:
- C:\Windows\explorer.exe
- C:\Windows\system32\dllcache\explorer.exe
The Company Name field of both explorer.exe files was: Belkin Corporation
The MD5 hash value of both explorer.exe files was: cc3031638f4aef9c8d4062bb3103140b (as reported on VirusTotal)
This trojan prevents you from doing anything in both Safe Mode and Normal Mode; the only thing displayed is the screen shown in the screenshot at the top of this post.
The objective here is to restore a clean copy of explorer.exe to both of the above locations.
You need to boot from another device (a CD, DVD, or USB drive) or slave the infected hard drive to another working, bootable system.
There are many ways to do this; I will provide you with one fairly easy way.
This only applies to the Windows XP operating system!
If you are able to boot from your Windows XP CD, you will be presented with the below:
Press the letter "R" to "Repair a Windows XP installation using Recovery Console."
Press the number "1" to log in to the appropriate Windows installation.
When you are at the command prompt, type the following two commands (d: is assumed to be the CD-ROM drive; substitute your own drive letter if it differs):
- expand d:\i386\explorer.ex_ c:\windows\explorer.exe
- expand d:\i386\explorer.ex_ c:\windows\system32\dllcache\explorer.exe
You should be asked whether to overwrite the existing files, unless you have already deleted them. If asked, press "y" for yes; you want to replace the existing (infected) versions.
When both files have been successfully replaced, you should be able to boot into Windows normally again without the Ecops ransom message.
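To check both copies against the indicators quoted above (before the repair, or afterwards to confirm the replacement took), here is an added Python triage script that is not part of the original post. It assumes a genuine explorer.exe carries the CompanyName "Microsoft Corporation", uses a heuristic parse of the version resource rather than a full PE parser, and the two SAMPLE_* byte strings are constructed stand-ins, not real binaries; run it from the analysis system against the slaved drive's paths.

```python
import hashlib
import struct
import sys

# Indicators quoted in the post: the VirusTotal MD5 and the bogus Company Name.
KNOWN_BAD_MD5 = "cc3031638f4aef9c8d4062bb3103140b"
KNOWN_BAD_COMPANY = "Belkin Corporation"
EXPECTED_COMPANY = "Microsoft Corporation"   # assumed value for a genuine explorer.exe
# UTF-16LE "CompanyName" key (with terminator) as stored in a VS_VERSIONINFO StringTable.
_KEY = "CompanyName".encode("utf-16-le") + b"\x00\x00"

def company_name(data):
    """Heuristic parse of the CompanyName value from a PE's version resource."""
    idx = data.find(_KEY)
    if idx < 6:                      # not found, or no room for the String header
        return None
    start = idx - 6                  # String header: wLength, wValueLength, wType
    n_words = struct.unpack_from("<H", data, start + 2)[0]
    pos = idx + len(_KEY)
    pos += (-(pos - start)) % 4      # Value is DWORD-aligned relative to the struct
    return data[pos:pos + 2 * n_words].decode("utf-16-le", "replace").rstrip("\x00")

def triage(label, data):
    """Classify one explorer.exe image against the post's indicators."""
    digest = hashlib.md5(data).hexdigest()
    company = company_name(data)
    if digest == KNOWN_BAD_MD5 or company == KNOWN_BAD_COMPANY:
        verdict = "INFECTED"
    elif company == EXPECTED_COMPANY:
        verdict = "clean"
    else:
        verdict = "SUSPICIOUS"       # missing or unknown version info: inspect by hand
    return {"file": label, "md5": digest, "company": company, "verdict": verdict}

def _version_string(key, value):
    """Build one VS_VERSIONINFO String entry (used only for constructed sample data)."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * ((-(6 + len(body))) % 4)
    val = value.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<HHH", 6 + len(body) + len(val), len(val) // 2, 1) + body + val

# Constructed stand-ins for the two files (NOT real binaries): a DOS stub plus one entry.
SAMPLE_INFECTED = b"MZ" + b"\x00" * 62 + _version_string("CompanyName", KNOWN_BAD_COMPANY)
SAMPLE_CLEAN = b"MZ" + b"\x00" * 62 + _version_string("CompanyName", EXPECTED_COMPANY)

if __name__ == "__main__":
    # Defaults to the two paths from the post; pass the slaved drive's paths as arguments.
    for path in sys.argv[1:] or [r"C:\Windows\explorer.exe", r"C:\Windows\system32\dllcache\explorer.exe"]:
        with open(path, "rb") as fh:
            print(triage(path, fh.read()))
```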