A new malware is making the round on Internet specifically targeting Windows operating system users. The malware attacks Windows users on the core of the system – activation. The malware is a Trojan horse or randomware that pretends to be a Windows Activation program, and it locks up Windows with claims that user is running a pirated version of Windows although it’s not.
When a computer is infected, the system will display a dialog screen simulating Microsoft Windows Activation which states that the Windows needed to be reactivated. The screen looks like the following:
Microsoft Piracy Control
Your copy of Windows was activated by another user.
To help reduce software piracy, please re-activate your copy of Windows now.
We will ask for your billing details, but your credit card will NOT be charged.
You must activate Windows before you can continue to use it.
Microsoft is committed to your privacy. For more information, www.microsoft.com/privacy.
Do you want to activate Windows now?
The Fake Windows Activation screen locks up the computer, disables Task Manager, and provides two options – “Activate Windows” or “Do it later”. To activate Windows, the malware will then ask for name, contact information and credit card details. If the users choose not to re-activate the Windows now but to re-activate later, the computer will be shut down, and once restarted, the entire procedure will be repeated again, until user enters private data. As soon as credit card information is entered, it will be charged.
The badware should be removed from the system immediately. Most anti-malware can easily automatically detect and clean the Fake Windows Activation rouge malware. The anti-virus software that can be used including, but not limited to the following:
However, do note that the virus may prevent and stop the anti-malware from running or executing, especially in the case of Fake Windows Activation where desktop is been blocked. Thus, in order to remove Fake Windows Activation malware, reboot the computer into Safe Mode (or Safe Mode with Networking if you haven’t downloaded and installed Malwarebytes or other anti-malware software yet), by pressing F8 during initial computer boot up. Once in the Safe Mode, run Malwarebytes Anti-Malware to scan and remove all detected malicious software.
NOTE: If you have problem installing Malwarebytes’Anti-Malware or other antimalware software, try ton rename the setup installer to winlogon.exe or iexplore.exe. Then double click the program and follow the install steps.
It’s also possible to manually remove traces of Fake Windows Activation Trojan from the PC, by doing the following:
- Kill the following processes: [Random Name].exe
- Delete the following registry keys and values:
HKEY_CURRENT_USER\Software\[Random Name] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Re-enable Task Manager by changing the following registry value to “0”:
“DisableTaskMgr” = “1”
- Unregister the following malicious DLLs:
Hint: Type regsvr32 /u mtl.dll in elevated Command Prompt window.
- Delete thye following malicious files: