Wednesday, 27 April 2011

"System plugin at address 0x00874324 got critical error" Ransomware Removal

"System plugin at address 0x00874324 got critical error" is a fake warning and the only visible part of an infection classified as a Trojan/Ransomware. This type of malware intentionally displays fake system errors or security alerts to scare you into believing a problem exists on your computer. The ransom Trojan blocks the Task Manager and other system tools. It blocks access to pretty much everything, including System Restore, Safe Mode, Last Known Good Configuration, etc. Logging on as the Administrator or any other user won't help either. "System plugin at address 0x00874324 got critical error" demands payment in exchange for the identification key. You are told to call one of the given international (premium-rate) numbers to get the 5-digit number that unlocks the computer. However, you shouldn't do that. If you are on a full system lockdown, please follow the steps in the removal guide below.

Here is a screenshot of what the misleading "System plugin at address 0x00874324 got critical error" looks like:

Update, 3:55 a.m. PDT: a new variant of this Trojan has been released. The fake warning is pretty much the same as it was before, only the error text is different: "System process at address 0xE4783995 have just crashed, please follow these steps to deactivate it from your system." We will post the new code as it becomes available. Meanwhile, please follow the alternate removal instructions.

Update, 5:40 a.m. PDT: yet another version of this Trojan Ransomware. Fraudulent error text: "System process at address 0x3BC3 have just crashed, please follow these steps to deactivate it from your system."

More about the scam:

"This is an international number via satellite. It is very difficult to counter this phenomenon because these numbers are beyond the laws of Switzerland," says Caroline Sauser, spokesman for the Federal Office of Communications (Ofcom). "The number is 0088 213 affiliated with the company Telespazio, but there is no evidence that the company is behind the scam. Indeed, Telespazio acquires thousands of numbers in the block, it is very likely that it then distributes them to different customers."

"System plugin at address 0x00874324 got critical error" removal instructions:

1. You can use this code to unlock your computer: 27496. New code: 754-896-324-589-742. (Thanks to Rick from the Netherlands)

2. If the above code doesn't work, please follow the general Ransomware removal guide.

3. You can repair your computer if you have a Windows CD. Video tutorials:

4. If you don't have a Windows CD, you can use another computer to burn a Rescue Disk to clean the infected computer. Here's a list of available Rescue Disks:

5. If none of the above recommendations work, you can follow the alternate removal guide at the Malwarebytes forum.

6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

Associated "System plugin at address 0x00874324 got critical error" files and registry values:


Windows XP:
  • C:\Documents and Settings\[UserName]\Application Data\svchost.exe
  • C:\Documents and Settings\[UserName]\Application Data\delself.bat
  • C:\Documents and Settings\[UserName]\Application Data\svchost.tmp_time
Windows Vista/7:
  • C:\ProgramData\svchost.exe
  • C:\ProgramData\delself.bat
  • C:\ProgramData\svchost.tmp_time
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit= "
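An added example, not part of the original post: a Python check meant to be run from a Rescue Disk or a second computer with the infected Windows volume mounted. It looks for the files listed above and flags any Userinit entry other than the stock userinit.exe. The function names, the mount point argument and the stock Userinit pattern are assumptions of this example; the Userinit string itself has to be read from the offline registry with a separate tool.

```python
import re
import sys
from pathlib import Path

# File names exactly as listed on this page.
IOC_NAMES = {"svchost.exe", "delself.bat", "svchost.tmp_time"}
# Assumption: the stock entry is <drive>:\Windows\system32\userinit.exe (XP/Vista/7).
STOCK_USERINIT = re.compile(r"^(?:[a-z]:\\windows\\system32\\)?userinit\.exe$")

def _child(parent, name):
    """Find a directory entry ignoring case (Windows names on a Linux mount)."""
    if parent is None or not parent.is_dir():
        return None
    return next((e for e in parent.iterdir() if e.name.lower() == name.lower()), None)

def find_listed_files(volume_root):
    """Return listed files found in ProgramData or any profile's Application Data."""
    root = Path(volume_root)
    folders = [_child(root, "ProgramData")]
    profiles = _child(root, "Documents and Settings")
    if profiles is not None and profiles.is_dir():
        folders += [_child(user, "Application Data") for user in profiles.iterdir()]
    hits = []
    for folder in folders:
        if folder is not None and folder.is_dir():
            hits += [f for f in folder.iterdir()
                     if f.is_file() and f.name.lower() in IOC_NAMES]
    return sorted(hits)

def extra_userinit_entries(value):
    """Return the comma-separated Userinit entries that are not the stock one."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and not STOCK_USERINIT.match(entry.lower().replace("/", "\\")):
            extras.append(entry)
    return extras

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit('usage: check_listed.py <mounted volume root> ["<Userinit value>"]')
    for path in find_listed_files(sys.argv[1]):
        print("listed file present:", path)
    if len(sys.argv) > 2:
        for entry in extra_userinit_entries(sys.argv[2]):
            print("unexpected Userinit entry:", entry)
```

A genuine svchost.exe lives in the Windows system32 folder, which this check never visits, so a hit in ProgramData or Application Data is worth removing from the rescue environment.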