NTK Screenlocker Description
The NTK Screenlocker is a Trojan screen locker that was first observed on February 16, 2017. The NTK Screenlocker is very similar to other screen locker Trojans that had been observed in previous months. Although there is no evidence that the NTK Screenlocker is directly connected to previously released threats, it is very likely that the NTK Screenlocker uses code recycled from previously existing threats. At the moment, it is uncertain who is behind the NTK Screenlocker attack. However, it is clear that the NTK Screenlocker is being distributed using spam email attachments that use an exploit that targets a vulnerability in Microsoft Word and other software.
Another Threat Using the Anonymous Symbol
Samples of the NTK Screenlocker that have been recovered in the wild suggest that the NTK Screenlocker uses messages in French. The NTK Screenlocker runs as 'Winban.exe' on the victim's computer, changing a key in the Windows Registry to ensure that it runs automatically when Windows starts up. The NTK Screenlocker blocks numerous Windows features that would allow computer users to bypass its intrusive message, such as the Windows Task Manager, Command Prompt and Registry Editor. The victim is asked to contact an email address associated with the NTK Screenlocker and make a large ransom payment in exchange for the password needed to unlock the victim's computer.
The NTK Screenlocker displays a full-screen message that includes animation and the Guy Fawkes mask imagery. The NTK Screenlocker message reads as follows:
'You got pOwned by NTK
Ton PC est bloqué Si tu veux pouvoir le réutiliser, suis les instructions ci-dessous.
1: Appuyez sur "Afficher coordonnées"
2: Envoyez un mail et mettre en objet : Code UTK
3: le vous enverrai le code contre une rançon'
Below is an English translation of the above message:
'You got pOwned by NTK
Your PC is blocked If you want to be able to reuse it, follow the instructions below.
1: Press "Display coordinates"
2: Send an e-mail and put in object: UTK code
3: you will receive the code in exchange for a ransom'
When the victim clicks on the button that reads 'Display Coordinates' (in French), a short message that includes an email address is displayed. Computer users are instructed to use a different device to carry out the payment. Fortunately, the NTK Screenlocker can be removed with the password '15s4e56dsjdhfy87', which will stop the lock screen completely. After stopping the lock screen by entering the password, the following message will appear:
'Suivez les instructions pour pouvoir effacer le virus :
1. Appuyez sur Ctrl+Alt+Suppr
2. Ouvrir le gestionnaire des taches
3. Exécuter une nouvelle tache : explorer.exe Cliquer sur le bouton Windows de votre clavier
4. Cliquer sur le dossier Startup
5. Supprimer le fichier Winban.exe
6. Redémarrer l'ordinateur
Appuyez sur continuer pour utiliser votre PC.'
Which translated reads as follows:
'Unlock the Virus
Follow the instructions to clear the virus:
1. Press Ctrl + Alt + Delete
2. Open the task manager
3. Run a new task: explorer.exe Click on the Windows button on your keyboard
4. Click on the Startup folder
5. Delete the Winban.exe file
6. Restart the computer
Press continue to use your PC.'
Dealing with the NTK Screenlocker
Following the removal instructions will remove the NTK Screenlocker infection from the affected computer. However, PC security researchers strongly advise computer users to take steps to ensure that their machines are completely protected. Malware often strikes in conjunction with other infections, and if the NTK Screenlocker is present on a computer, it is very likely that other threats are present as well. Malware researchers strongly advise computer users to use a reliable, fully updated anti-malware program to ensure that not only the NTK Screenlocker is removed, but also any other threats that have been installed. Computer users are also advised to take precautions against the NTK Screenlocker, since it is possible that con artists will update it in the future to use a different password or add more advanced features, such as an encryption engine.
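A read-only check for the artifacts named in this description, added here as an example and not part of the original write-up or of any vendor tool: it looks for 'Winban.exe' in autostart registry keys and Startup folders, and reports policy values that disable Task Manager, Registry Editor and Command Prompt. The description does not say which registry key or blocking mechanism the Trojan uses, so the key paths and policy value names below are assumptions based on standard Windows locations.

```powershell
# Added triage example. Reports findings only; it deletes and changes nothing.
$Name = 'Winban.exe'   # file name given in the description above

# 1. Autostart values whose command line mentions the file name.
#    Assumption: the "key in the Windows Registry" is one of the usual Run keys.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ($data -like "*$Name*") {
            [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$valueName"; Detail = $data }
        }
    }
}

# 2. Copies in the per-user and all-users Startup folders (the folder the removal steps mention).
$startupDirs = 'Startup', 'CommonStartup' |
    ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }
$files = foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Filter $Name -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{ Type = 'StartupFile'; Location = $_.FullName; Detail = "SHA256 $hash" }
        }
}

# 3. Policy values that switch off Task Manager, Registry Editor and Command Prompt.
#    Assumption: these standard values are how the tools were blocked.
$sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policies = @{ Key = $sys; Value = 'DisableTaskMgr' },
            @{ Key = $sys; Value = 'DisableRegistryTools' },
            @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Value = 'DisableCMD' }
$locks = foreach ($p in $policies) {
    $v = (Get-ItemProperty -LiteralPath $p.Key -Name $p.Value -ErrorAction SilentlyContinue).($p.Value)
    if ($v) { [pscustomobject]@{ Type = 'Policy'; Location = "$($p.Key)\$($p.Value)"; Detail = "= $v" } }
}

$findings = @($autoruns) + @($files) + @($locks) | Where-Object { $_ }
if ($findings) { $findings | Format-List }
else { "No $Name autostart entries or tool-blocking policy values found." }
```

Any policy value reported here may also come from legitimate administrative lockdown, so confirm it against the machine's expected Group Policy before treating it as a leftover of the infection.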