In the wake of CryptoDefense and Bit, another encrypting ransomware known as POSHCODER has appeared. They all work on the same mechanism: once POSHCODER infects a machine, none of the documents will open; instead, a threatening message is displayed demanding Bitcoin as ransom.
How POSHCODER Ransomware Penetrates A Machine
As the computer has become one of the most essential items of everyday life and the Internet the most powerful means of connecting the whole world, cyber criminals tend to plant malicious code on the Internet for rapid propagation and wider penetration. POSHCODER ransomware is actually delivered by a Trojan horse, which is adept at exploiting backdoors, vulnerabilities, bugs and loopholes. Thus any of the following behaviours gives the encrypting ransomware a real chance to infiltrate:
- Visiting prohibited sites, porn sites especially.
- Downloading and installing programs bundled with a browser hijacker or sticky extensions.
- Not checking computer health regularly by running a full scan for possible viruses and vulnerabilities.
POSHCODER Ransomware Truth
In fact, POSHCODER doesn't pop up all of a sudden from nowhere. It lurks in a target machine so as to release its malicious code for deeper infection and to request encryption keys from its remote server. Usually no strange behaviour is shown. But occasional redirects or more pop-up ads can occur, since that is the way the implanted POSHCODER ransomware fetches encryption keys from its server.
Removal Thread to Remove POSHCODER Ransomware
This removal thread cannot help decrypt files; it removes the malicious items generated by and related to the encrypting ransomware. People should be clear that the encryption key is a matter of cryptography while POSHCODER itself is a computer virus; they are not the same thing. Though decryption has not yet been figured out, it is always necessary to remove the POSHCODER items from the machine, in case more mechanical issues are incurred or additional infiltration is achieved through the vulnerability and backdoor it leaves behind. The residual damages are shown in the last section of this article. Be aware that a certain level of computer skill and virus knowledge is required to carry out the thread below completely and correctly without giving rise to additional problems. Should you have any question, you may want to get answers or help from Global PC Support Center.
1. Create a new user account from Safe Mode with Command Prompt.
- Cold restart the system and keep tapping the F8 key as the computer is booting.
- Highlight the "Safe Mode with Command Prompt" option when the "Windows Advanced Options Menu" comes up.
- Press Enter, then at the command prompt type "explorer.exe" and press Enter again to get a desktop.
- Go to Control Panel and create a new user account with admin rights:
Windows 7 - User Accounts and Family Safety > User Accounts > 'Manage another account' > 'Create a new account' > tick 'Administrator' > press the Create Account button.
Windows XP - 'User Account' > 'Create a new account' > type a name for the new user account > press 'Next' > tick 'Computer administrator' > press 'Create Account'.
Windows Vista - 'Add or Remove User Accounts' > 'Create a New Account' > enter an account name > tick 'Computer administrator' > click the 'Create Account' button.
Windows 8
- Cold restart the system.
- Hold down the Shift key and keep tapping the F8 function key together, then select Troubleshoot with the arrow keys.
- Select Advanced options and hit the Restart button at the bottom right of the screen.
- Hit F6 to get into Safe Mode with Command Prompt.
- Type "explorer.exe" and press Enter to get a desktop.
- Double-click 'Control Panel' on the Start screen.
- Click 'Add a user' under 'Users' in the left pane.
- If a Windows Live ID is available, use it to create the new account.
- Otherwise, click 'More about logon options' and fill in the form shown.
- Then follow the on-screen hints to finish creating a user account with admin rights.
2. Navigate to the following directories and remove all temp files.
C:\Documents and Settings\[administrator user name]\Local Settings\Temp
C:\Documents and Settings\[current user name]\Local Settings\temp\
C:\Documents and Settings\[user name]\Local Settings\Temporary Internet Files
3. Show hidden files and folders to remove POSHCODER from the local disk.
Find and remove strange files with unreasonable names such as [random number]/[random letter].exe in the Roaming folder, under C:\Windows, and under C:\Windows\system32.
%Program Files%\[random]
%Roaming%\[abnormal letters].exe
4. Open the Registry Editor and remove the entries generated by POSHCODER; the policy value below blocks the Registry Editor when set to 1 and must be restored to 0.
HKEY_LOCAL_MACHINE\SOFTWARE\[POSHCODER virus]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableRegistryTools' = 0
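Steps 2 to 4 above are easier to carry out safely if you first inventory what is actually present before deleting anything. The PowerShell script below is an added example and is not part of the original guide; it assumes PowerShell 4 or later (for Get-FileHash), that it is run from the newly created admin account, and that the guide's locations map to the environment variables shown (%Roaming% to $env:APPDATA, the temp folders to $env:TEMP and the Temporary Internet Files path). The "[random number]/[random letter].exe" name heuristic is an assumption of this example, not a signature, so every hit is listed with its size, timestamp, SHA-256 and Authenticode status for review rather than deleted. It also reports the current DisableRegistryTools value from step 4 and prints, without running, the command that sets it back to 0.

```powershell
# Added example, not from the original guide. Inventory only: nothing is deleted.
# Assumes PowerShell 4+ and that it runs from the new administrator account.

# Locations from steps 2 and 3 of the guide, expressed as environment variables.
$locations = @(
    $env:TEMP,
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files",
    $env:APPDATA,                      # the "Roaming" folder
    $env:SystemRoot,                   # C:\Windows
    "$env:SystemRoot\System32",
    $env:ProgramFiles
)

# Hypothetical heuristic for the guide's "[random number]/[random letter].exe":
# a base name that is all digits or a short run of lowercase letters.
# Legitimate files can match, so the signature status is shown for each hit.
$pattern = '^(\d+|[a-z]{1,8})$'

$findings = foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $pattern } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeKB    = [math]::Round($_.Length / 1KB)
                Modified  = $_.LastWriteTime
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status       # Valid, NotSigned, HashMismatch, ...
            }
        }
}

# Unsigned or tampered executables with odd names are the ones worth a closer look;
# keep the full list in $findings for comparison against a known-clean machine.
Write-Host "Executables matching the name heuristic that are not validly signed:"
$findings | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Modified -Descending | Format-Table -AutoSize

# Step 4: the policy value that blocks regedit when set to 1.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$value  = (Get-ItemProperty -Path $policy -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
if ($value -eq 1) {
    Write-Warning "DisableRegistryTools is 1 (Registry Editor blocked). Step 4 restores it with:"
    Write-Host "  Set-ItemProperty -Path '$policy' -Name DisableRegistryTools -Value 0"
} else {
    Write-Host "DisableRegistryTools is not set or already 0."
}

# Step 4: report any HKLM\SOFTWARE key whose name contains POSHCODER, as the guide describes.
Get-ChildItem -Path 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match 'POSHCODER' } |
    ForEach-Object { Write-Warning "Registry key present: $($_.Name)" }
```

Run it once before and once after the manual cleanup; the second run should show no unsigned hits in the Roaming and temp folders, DisableRegistryTools at 0 and no POSHCODER key. Hashes from the first run can be kept as a record of what was removed.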
Residual Damages by POSHCODER Ransomware
- Error messages pop up saying that something is missing or will not run.
- Browser hijacking and redirect problems are triggered.
- The computer runs much more slowly in general.
- Access to certain forms of Safe Mode is denied.
- Some function keys or key combinations no longer work.
- A BSoD can occur after several reboots.