
May 19, 2010

Windows “activation” ransomware

by Tom Kelchner
with manual repair by The Computer Doctor

Trojan-Ransom.Win32.Winac.A

Our analyst Adam Thomas found this: a piece of ransomware that locks up Windows until you enter your credit card data.

First it claims you are running a pirated version of Windows and they need your billing details. “…but your credit card will NOT be charged.”

And of course that’s true.


Once you enter your credit card details, it will “activate” your “pirated” OS and make it legitimate:



Basically, the Trojan locks your system. The only thing you can do is complete the "activation". You can choose to "activate windows" or "do it later". If you choose to do it later, your machine reboots.

If you go through the process of entering your data (including your credit card number), then your system will work again.



Your credit card information is shipped off to a network of fast-flux bots standing by ready to receive it.



VIPRE detects it as Trojan-Ransom.Win32.Winac.A


The Manual Removal Instructions:

Kill processes: corpstats.exe, data2.exe, data3.exe, data4.exe, svchost.exe, winstart.exe, 002.exe, 004.exe, 006.exe, 007.exe, 008.exe, 009.exe

Delete registry values: HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\RunOnceEx\cleanup

Delete files: corpstats.exe, data2.exe, data3.exe, data4.exe, svchost.exe, winstart.exe, 002.exe, 004.exe, 006.exe, 007.exe, 008.exe, 009.exe, dat1.bat

Exact file locations:
  • corpstats.exe - C:\Windows\System\oobe\Setup, C:\Windows\System32\oobe\Setup or C:\Winnt\System32\oobe\Setup
  • data2.exe, data3.exe, data4.exe, svchost.exe, winstart.exe, 002.exe, 004.exe, 006.exe, 007.exe, 008.exe, 009.exe, dat1.bat - C:\Windows or C:\Winnt

Note that the svchost.exe to kill and delete is the copy sitting directly in C:\Windows or C:\Winnt. The genuine Windows svchost.exe runs from the System32 directory and must be left alone, so check the path of the process before ending it.
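The removal steps above can be preceded by a read-only check, shown here as an added example that is not part of the original post. It looks for the listed files, processes and registry value without deleting anything; it assumes PowerShell 3.0 or later (for Get-CimInstance) and uses the registry path exactly as the post writes it.

```powershell
# Added example: read-only check for the artifacts named in the removal instructions.
# File names, directories and the registry value are copied from the post.

$winDirs   = 'C:\Windows', 'C:\Winnt'
$oobeDirs  = 'C:\Windows\System\oobe\Setup',
             'C:\Windows\System32\oobe\Setup',
             'C:\Winnt\System32\oobe\Setup'
$rootNames = 'data2.exe', 'data3.exe', 'data4.exe', 'svchost.exe', 'winstart.exe',
             '002.exe', '004.exe', '006.exe', '007.exe', '008.exe', '009.exe', 'dat1.bat'

# Build every candidate path: corpstats.exe under oobe\Setup,
# all other names directly in the Windows directory.
$candidates = @()
foreach ($d in $oobeDirs) { $candidates += Join-Path $d 'corpstats.exe' }
foreach ($d in $winDirs)  { foreach ($n in $rootNames) { $candidates += Join-Path $d $n } }

# 1. Files present on disk.
$filesFound = $candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }

# 2. Running processes, matched on full image path rather than on name, so the
#    genuine System32\svchost.exe is never flagged (-contains is case-insensitive).
$procsFound = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and ($candidates -contains $_.ExecutablePath) } |
    Select-Object ProcessId, Name, ExecutablePath

# 3. The "cleanup" value under the RunOnceEx key, path as written in the post.
$regKey   = 'HKLM:\SOFTWARE\Windows\CurrentVersion\RunOnceEx'
$regValue = Get-ItemProperty -Path $regKey -Name 'cleanup' -ErrorAction SilentlyContinue

# Report the findings; empty properties mean that artifact was not found.
[pscustomobject]@{
    Files         = $filesFound
    Processes     = $procsFound
    RegistryValue = if ($regValue) { $regValue.cleanup } else { $null }
} | Format-List
```

Run it from an elevated prompt so that process image paths are visible for all sessions.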



April 15, 2010

Getting Past "Being Used By Another Person Or Program" Errors

Have you ever had an annoying situation where you tried to delete a file or folder and were given an error message that the file is in use by another person or program, or one of the following similar errors?
  • Cannot delete file: Access is denied
  • The file is in use by another program or user.
  • The source or destination file may be in use.
  • Make sure the disk is not full or write-protected and that the file is not currently in use.
  • There has been a sharing violation.
You go to the task manager and can't find the offending program running in processes, so what do you do? Reboot and hope for the best? Sometimes even this doesn't help.

I stumbled on a great tool for this problem called Unlocker.

After installing Unlocker, when you get one of these error messages, just right-click the file and choose the Unlocker option. You will be given a window that shows which program(s) are affecting the file you are trying to delete, with options to kill the process, unlock, or unlock all. Try unlock first; that will usually let you delete the file. Otherwise, kill the process and it definitely will.

In addition to helping delete files that are locked, you can also use this tool to help rename locked files or make them movable to a different directory.

The best part is that the tool is free but you can choose to send a donation also.