No replies to this topic

[Metallica]

Content is republished with permission from Malwarebytes.

What is Padlock?

The Malwarebytes research team has determined that Padlock is a screenlocker. These applications deny you access to your own files or computer, or threaten to do so.
This particular one also claims to have deleted your files.

How do I know if I am infected with Padlock?

This is how the main screen of the screenlocker looks:



And see these warning when you type in the wrong password:



How did Padlock get on my computer?

Screenlocker applications use different methods for spreading themselves. This particular may have been offered as a Google Chrome installer or update, given that it uses the Chrome icon and the name of the startup key.

How do I remove Padlock?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.
There are two methods to get back to your desktop and regain control over the system.

• Type the password into the textfield at the bottom of the screen. The correct password is ajVr/G\RJz0R.
• Use the key combination Ctrl-Alt-Del to invoke Task Manager and end the process called padlock.exe.

After reaching your desktop, using either of these methods, please follow the instructions below.

• Please download Malwarebytes to your desktop.
• Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
• Then click Finish.
• Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
• If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
• When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
• Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Padlock?

• Malwarebytes removes Padlock completely.

How would the full version of Malwarebytes help protect me?

We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, you might please consider purchasing the FULL version of Malwarebytes for additional protection.

As you can see below the full version of Malwarebytes would have protected you against the Padlock screenlocker. It would have warned you before the application could start encrypting your files, giving you a chance to stop it before it became too late. And warned you about an outgoing connection to a malware server.



Technical details for experts

Possible signs in FRST logs:

 HKCU\...\Run: [Google Chrome] => C:\Users\{username}\Desktop\padlock.exe [4358144 2016-12-22] (Google)

Alterations made by the installer:

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       "Google Chrome"="REG_SZ", "C:\Users\{username}\Desktop\padlock.exe"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/27/16
Scan Time: 8:10 AM
Logfile: mbamPadlock.txt
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.867
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 352820
Time Elapsed: 8 min, 5 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
Trojan.LockScreen, C:\USERS\{username}\DESKTOP\PADLOCK.EXE, Quarantined, [162], [355200],1.0.867

Module: 1
Trojan.LockScreen, C:\USERS\{username}\DESKTOP\PADLOCK.EXE, Quarantined, [162], [355200],1.0.867

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Trojan.LockScreen, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Chrome, Delete-on-Reboot, [162], [355200],1.0.867

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.LockScreen, C:\USERS\{username}\DESKTOP\PADLOCK.EXE, Delete-on-Reboot, [162], [355200],1.0.867

Physical Sector: 0
(No malicious items detected)


(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):

• Dynamically Blocks Malware Sites & Servers
• Malware Execution Prevention

Save yourself the hassle and get protected.