PornoPlayer

By CagedTech in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 4
First Seen: July 24, 2009
Last Seen: January 9, 2019
OS(es) Affected: Windows

PornoPlayer is responsible for a malware application that locks the infected computer. The malware (sometimes called "ransomware" because it does nothing but hold the computer hostage) is entirely in Russian and was created to scam Russian PC users. As a result, most PC users outside of Russia will have no idea what the malware is demanding, which makes PornoPlayer especially frustrating to remove.

What PornoPlayer is, and what PornoPlayer does to an Infected PC

The ransomware itself does not really have an agreed-upon name in English, aside from being referred to as PornoPlayer. Various security software companies and anti-malware researchers have different names for the malware, including Blue Trash, Porno Player, WinAD, Homoblocker, and the generic names Trojan.Ransom and Trojan.Ransomware. PornoPlayer is a Trojan dropper, which is promoted on fake or malicious pornographic websites, including EroTube and SpermTV. Some other sites that had been promoting PornoPlayer have already been shut down, including Chm0k. On the sites that spread the malware, PornoPlayer is typically installed through pop-up advertisements, which may use drive-by-download techniques or install phony video codecs. The file itself is always compressed, but the compression format varies: PornoPlayer.exe may be a zip file, or it may be compressed using UPX or Mystic Compressor.

PornoPlayer completely prevents any programs from opening, even when Windows is in Safe Mode. It can do this because, once it is downloaded and unpacked, PornoPlayer changes the Winlogon autorun key in the Windows registry. Windows runs Winlogon before anything else. In the Winlogon key, PornoPlayer makes a change that tells Windows to load PornoPlayer instead of Explorer – so the very first thing that Windows does is load PornoPlayer. What you'll see is a blue screen with white and red text, and you will not be able to bypass the screen to use your computer.
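The Winlogon change described above can be spotted by comparing the key's contents with the stock Windows values. The following is an added example, not code from the original page: it parses `reg query` output for the Winlogon key and reports anything other than the defaults. The `Shell` and `Userinit` value names and their defaults are standard Windows settings that the page does not name, and the sample output and the `sample_locker.exe` path are constructed.

```python
import re

# Stock values on a default install under C:\Windows (assumption).
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}
# `reg query` prints: 4 spaces, name, 4 spaces, type, 4 spaces, data.
LINE = re.compile(r"^\s+(?P<name>\S.*?)\s{4}(?P<type>REG_\w+)(?:\s{4}(?P<data>.*))?$")

# Constructed sample output, not captured from an infected machine.
CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""
# Placeholder path standing in for whatever the locker registered.
TAMPERED = CLEAN.replace("explorer.exe", r"C:\Users\Public\sample_locker.exe")


def parse_reg_query(text):
    """Return {lowercased value name: data} from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            values[m["name"].lower()] = (m["data"] or "").strip()
    return values


def audit_winlogon(text):
    """List (value, entry) pairs that differ from the stock configuration."""
    values = parse_reg_query(text)
    findings = []
    for name, allowed in EXPECTED.items():
        if name not in values:
            findings.append((name, "<missing>"))
            continue
        # Treat the data as a comma-separated list and check every entry.
        entries = [e.strip().strip('"') for e in values[name].split(",") if e.strip()]
        if not entries:
            findings.append((name, "<empty>"))
        findings += [(name, e) for e in entries if e.lower() not in allowed]
    return findings


if __name__ == "__main__":
    print("clean:", audit_winlogon(CLEAN))
    print("tampered:", audit_winlogon(TAMPERED))
```

On a real system the input would be the text printed by `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`; any finding for `shell` means something other than Explorer is being started at logon.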

The PornoPlayer Window, and How to Disable It

The ransom screen that shows up when Windows starts tries to manipulate the user into paying money to remove the "adware" that they supposedly chose to install. The screen thanks the user for installing the "promotional module" and assures him that by doing this, he has gained access to some kind of web community with resources that include some very explicit, adult content. The ransom payment is supposedly the penalty for removing this "ad module" early and cutting ties to the pornographic community. Part of what the PornoPlayer window says is extremely graphic in a way that is intended to shock or disgust the user of the infected PC, so that they will be encouraged to pay up in order to avoid seeing any related content or being associated with it. There is a phone number to call, and the user is expected to make a payment of 460 rubles to remove the malware, in order to get a confirmation code. According to the PornoPlayer window, you get one chance to enter that code correctly, ever, and if you screw it up – too bad!

There are codes that can be entered into PornoPlayer in order to disable it long enough to uninstall PornoPlayer. However, because PornoPlayer has been updated extremely frequently since about December 2010 – sometimes with multiple updates within a single day – there are many different deactivation codes, and not all of them will work for everyone. Also, to add a heaping dose of weirdness to this malware, about half of PornoPlayer's deactivation codes are references to the video game Starcraft. Some of the known Starcraft-related codes are: ZERATUL, KERRIGAN IS SO SEXY, KERRIGAN IS NOT SEXY, and STARCRAFT. Other known codes include: WISH I HAD AN ANGEL, SHAME ON THE NIGHT, IRON MAIDEN, CHILDREN OF DUNE, and DU RIECHST SO GUT.

Please remember that even if you are able to disable PornoPlayer temporarily by using one of the codes, you still need to remove the malware from your computer. PornoPlayer can be removed, but you will need either a good anti-virus program (if you disable PornoPlayer) or the help of an expert who can walk you through removing PornoPlayer through the Safe Mode command prompt. Of course, the best thing to do is to avoid getting infected with this kind of malware in the first place, by using reliable security software and safe Internet browsing practices.

File System Details

PornoPlayer may create the following file(s):

| # | File Name | MD5 | Detections |
|---|-----------|-----|------------|
| 1 | pornoplayer.exe | | |
| 2 | ZCodec1000[1].exe | 7c8b241d090464f0f65f2f141e70c259 | 0 |
