Jump to content

Recommended Posts

  • Staff
What is WinLock2?

The Malwarebytes research team has determined that WinLock2 is ransomware. These applications deny you access to your own files or computer, or threaten to do so, unless you pay the ransom.
This particular one is a screenlocker.

How do I know if I am infected with WinLock2?

This is how the main screen of the ransomware looks:


You will see this warning if you use a wrong PIN code:


How did WinLock2 get on my computer?

Ransomware applications use different methods for spreading themselves. This particular one was offered as a crack for a popular game.

How do I remove WinLock2?

Due to the nature of this infection it requires a few extra steps to remove the infection.
  • In the form fill out a string of 16 elements as the pincode, for example 0123456789abcdefand click on the button marked "Zaplatt".
  • If you entered a pincode with the correct lentgh You will see this prompt:
  • Click OK in that prompt and you will see this prompt:
  • this is asking you to reboot, but we advise you to follow the instructions below first.
  • Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of WinLock2?
  • Malwarebytes removes WinLock2 completely.
How would the full version of Malwarebytes help protect me?

We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, you might please consider purchasing the FULL version of Malwarebytes for additional protection.

As you can see below the full version of Malwarebytes would have protected you against the WinLock2 rogue. It would have warned you before the application could start encrypting your files, giving you a chance to stop it before it became too late. And warned you about an outgoing connection to a malware server.



Technical details for experts

Possible signs in FRST logs:

(Hewlett-Packard Company) C:\Users\{username}\Desktop\Call_of_Duty_WWII_SKIDROWcracked.exe
HKLM\...\Run: [WinLock2] => C:\Users\{username}\Desktop\Call_of_Duty_WWII_SKIDROWcracked.exe [867328 2017-12-19] (Hewlett-Packard Company)
HKCU\...\Policies\system: [DisableTaskMgr] 1
Alterations made by the installer:
Registry details [View: All details] (Selection)
       "WinLock2"="REG_SZ", "C:\Users\{username}\Desktop\Call_of_Duty_WWII_SKIDROWcracked.exe"
       "DisableTaskMgr"="REG_DWORD", 1
Malwarebytes log:

-Log Details-
Scan Date: 12/21/17
Scan Time: 5:02 PM
Log File: 4e065fdc-e668-11e7-b3d5-080027750297.json
Administrator: Yes

-Software Information-
Components Version: 1.0.236
Update Package Version: 1.0.3537
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 244881
Threats Detected: 5
Threats Quarantined: 5
Time Elapsed: 4 min, 17 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Ransom.Winlock, C:\USERS\{username}\DESKTOP\CALL_OF_DUTY_WWII_SKIDROWCRACKED.EXE, Quarantined, [1262], [471199],1.0.3537

Module: 1
Ransom.Winlock, C:\USERS\{username}\DESKTOP\CALL_OF_DUTY_WWII_SKIDROWCRACKED.EXE, Quarantined, [1262], [471199],1.0.3537

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Ransom.Winlock, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WinLock2, Quarantined, [1262], [471199],1.0.3537

Registry Data: 1

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Ransom.Winlock, C:\USERS\{username}\DESKTOP\CALL_OF_DUTY_WWII_SKIDROWCRACKED.EXE, Quarantined, [1262], [471199],1.0.3537

Physical Sector: 0
(No malicious items detected)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.