Saturday, February 25, 2012

Ecops (Ransom Trojan) - 02.25.2012 - Analysis and Removal

This was performed on a virtual machine


This is a trojan that infects the following files:
  • C:\Windows\explorer.exe
  • C:\Windows\system32\dllcache\explorer.exe


The Company Name of both explorer.exe files was: Belkin Corporation
The MD5 hash value of both explorer.exe files was: cc3031638f4aef9c8d4062bb3103140b  (VT)

This trojan prevents you from doing anything in both Safe Mode and Normal Mode. All you get is the lock screen shown in the screenshot at the top of this post.


The objective here is to restore a clean copy of explorer.exe to both of the above locations.
You need to boot from another device such as a CD, DVD, or USB drive, or attach the infected hard drive as a secondary (slave) drive to another working, bootable system.

There are many ways to do this; I will provide you with one fairly easy way.

This only applies to the Windows XP operating system!

If you are able to boot from your Windows XP CD, you will be presented with the below:


Press the letter "R" to "Repair a Windows XP installation using Recovery Console."


Press the number "1" to login to your appropriate Windows installation.

When you are at the command prompt window, type in the following two commands:
  • expand d:\i386\explorer.ex_ c:\windows\explorer.exe
  • expand d:\i386\explorer.ex_ c:\windows\system32\dllcache\explorer.exe
The letter d: stands for your CD-ROM drive letter. Typically this is d:, but if you have more than one disc drive or multiple hard drives, it could be a different letter. In that case, I find it easiest to type map at the Recovery Console prompt for a full listing of the drives in the system.

You should be asked to overwrite the existing files unless you have already deleted them. If asked, press "y" for yes. You want to replace the existing (infected) versions.

When both files have been successfully replaced, you should be able to boot into Windows normally again without the Ecops ransom message.
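Once the machine boots again, it is worth confirming that both copies really were replaced rather than trusting the absence of the ransom screen. The script below is an added example and not part of the original post or any vendor tool: it hashes the two explorer.exe locations named above, flags the MD5 reported in this post, checks that the two copies are identical, and looks for the UTF-16LE "Belkin Corporation" string the infected files carried in their version resource (a substring heuristic, not a full PE version-info parse; the "Microsoft Corporation" comparison string is my assumption for a genuine explorer.exe). It assumes the infected volume is mounted as C: and is run from a clean boot environment or a second system, since the Recovery Console itself cannot run Python.

```python
import hashlib
from pathlib import Path

# MD5 of the infected explorer.exe as reported in the post
KNOWN_BAD_MD5 = "cc3031638f4aef9c8d4062bb3103140b"
# Company Name the infected copies displayed; PE version strings are stored UTF-16LE
BAD_COMPANY = "Belkin Corporation".encode("utf-16-le")
# Assumed company string of a genuine explorer.exe (not stated in the post)
GOOD_COMPANY = "Microsoft Corporation".encode("utf-16-le")

# The two locations the trojan overwrites (assumes the infected volume is mounted as C:)
EXPLORER_PATHS = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\system32\dllcache\explorer.exe",
]


def analyze_bytes(data, label):
    """Findings for one explorer.exe image held in memory."""
    digest = hashlib.md5(data).hexdigest()
    return {
        "file": label,
        "md5": digest,
        "known_bad_hash": digest == KNOWN_BAD_MD5,
        # heuristic substring scan, not a full VS_VERSIONINFO parse
        "belkin_string": BAD_COMPANY in data,
        "microsoft_string": GOOD_COMPANY in data,
    }


def verify_copies(samples):
    """samples: list of (label, bytes). Both copies must be identical and
    show neither the known-bad hash nor the Belkin company string."""
    results = [analyze_bytes(data, label) for label, data in samples]
    copies_match = len({r["md5"] for r in results}) == 1
    indicator_hit = any(r["known_bad_hash"] or r["belkin_string"] for r in results)
    return {
        "copies_match": copies_match,
        "clean": copies_match and not indicator_hit,
        "files": results,
    }


def verify_paths(paths=EXPLORER_PATHS):
    """Read both on-disk copies and verify them."""
    return verify_copies([(p, Path(p).read_bytes()) for p in paths])


if __name__ == "__main__":
    import json
    print(json.dumps(verify_paths(), indent=2))
```

A result with "clean": false after the expand commands means at least one location still holds the old file; re-run the expand step for that path and hash it again.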