Friday, April 13, 2012

WindowsSecurity (Ransom Trojan) - 04.13.2012 - Analysis and Removal


Creates this registry value:
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
which points to the malicious file that was run.

Creates a bad value under this key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Look for a value similar to: "S112106111" which points to the malicious file that was run.


The main objective is to delete the one malicious file you ran. For example, I ran a file from my desktop called be65d.exe. I would need to delete this file before I am able to get into Windows again.
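
To find which file the two registry values above point to, the following PowerShell sketch lists them for review. It is an added example, not part of the original analysis; the `Get-CommandTarget` and `New-Finding` helpers and the value-name pattern are assumptions made for illustration, and the script only reads the registry.

```powershell
# Added example: read-only review of the two HKCU locations named in this post.
# Assumption: run in the affected user's own session, since HKCU is per-user.
$winlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-CommandTarget([string]$Command) {
    # Extract the executable path from a command line (quoted or unquoted).
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function New-Finding($Location, $Name, $Command, $Note) {
    $target = Get-CommandTarget $Command
    [pscustomobject]@{
        Location     = $Location
        Name         = $Name
        Command      = $Command
        Target       = $target
        TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
        Note         = $Note
    }
}

$findings = @()

# 1. Per-user Winlogon Shell value. A default install sets the shell under
#    HKLM only, so any value here deserves a look.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) {
    $findings += New-Finding $winlogon 'Shell' $shell 'HKCU Shell override present'
}

# 2. Per-user Run values. The name pattern is a guess generalised from the
#    single sample name in the post ("S112106111"), not a confirmed rule.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $note = if ($name -match '^S\d{6,}$') { 'name resembles S112106111' } else { '' }
        $findings += New-Finding $runKey $name ([string]$key.GetValue($name)) $note
    }
}

# Nothing is deleted; the list is for manual review.
$findings | Format-List
```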
