A new and better version of Trojan Ransom.Win32.Blocker.ajpo is now on the loose. It is detected as Trojan Ransom.Win32.Foreign.acvz (according to Kaspersky Internet Security) or LockScreen.AQD trojan (according to ESET NOD32). The trojan has two files, skype.dat and skype.ini; the trojan itself is located in skype.dat. skype.ini is just the trigger and is harmless if there is no skype.dat on the system. The files are located in the current user's Application Data folder (e.g. c:\Documents and Settings\User\Application Data).

This version is not so easy to remove. First, the trick of cutting the computer's internet connection before Windows logon doesn't work anymore: the trojan starts anyway, and if no internet connection is present the screen is completely white, with no access to Task Manager or any other application. Second, it is smart enough to detect that Windows was started in Safe Mode; in that case it reboots the computer and you can't stop it. So there are only two options to safely remove this trojan without reinstalling your OS:
- since the trojan is located in the current user's folder (Application Data) and is activated by skype.ini at user logon, the easiest way to remove it is to already have another account active, usually the Administrator account: just log in with it and remove the files manually or with an antivirus scan and clean
- if there is no other active account on the computer, then the only way to remove this trojan without reinstalling the OS is to have or make a bootable FDD/CD/DVD/USB with MS-DOS, boot from it, then browse to and manually delete the files skype.dat and skype.ini. Alternatively, have or make a CD/DVD/USB with a minimal Windows / Linux and a reliable antivirus integrated, boot from it and run the scan & clean. The last method is worth using only if you want to be sure of a full system scan; otherwise it is fast and effective to start in MS-DOS, manually browse to and delete the files, and reboot the station.
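For the Linux boot option, a small read-only check can locate the two files in every user profile before anything is deleted. This is an added example, not part of the original write-up; the mount point /mnt/windows and the Vista-and-later Users/*/AppData/Roaming path are assumptions beyond the XP path given above.

```shell
#!/bin/sh
# Added example: run from a live Linux boot with the Windows volume mounted.
# Usage: sh find_lockscreen.sh /mnt/windows   (mount point is an assumption)
#
# Output, one tab-separated line per file found:
#   TROJAN        skype.dat, the trojan body
#   TRIGGER       skype.ini next to a skype.dat
#   TRIGGER-ONLY  skype.ini with no skype.dat (harmless leftover per the text)
# Only files directly inside the Application Data folder are checked, which is
# where the write-up places them; subfolders are left alone.
scan_profiles() {
    root=$1
    # XP layout comes from the write-up; the Users/... layout is an assumption
    # added here to cover Windows Vista and later.
    for appdata in "$root"/"Documents and Settings"/*/"Application Data" \
                   "$root"/Users/*/AppData/Roaming; do
        [ -d "$appdata" ] || continue   # also skips an unmatched glob
        dat=""
        ini=""
        for f in "$appdata"/*; do
            [ -f "$f" ] || continue
            # Windows file names are case-insensitive, Linux globbing is not,
            # so compare the lower-cased name.
            case $(basename "$f" | tr '[:upper:]' '[:lower:]') in
                skype.dat) dat=$f ;;
                skype.ini) ini=$f ;;
            esac
        done
        if [ -n "$dat" ]; then
            printf 'TROJAN\t%s\n' "$dat"
            if [ -n "$ini" ]; then printf 'TRIGGER\t%s\n' "$ini"; fi
        elif [ -n "$ini" ]; then
            printf 'TRIGGER-ONLY\t%s\n' "$ini"
        fi
    done
    return 0
}

# Run only when a mount point is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_profiles "$1"
fi
```

The script only lists paths; deleting the reported files, or handing them to the antivirus on the boot media, remains a manual step.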
NOTE: the infected workstation already had ESET NOD32 active and up to date (in our case), but this trojan still managed to get through. Nevertheless, at scan & clean ESET NOD32 did its job and detected and quarantined the trojan, but to be honest a bit too late. We made a copy of skype.dat and tested Microsoft Windows Essential to see if it is up to this task; sorry to inform that MSE did not even detect the Trojan