Portugal is not the exception for ransomware developers. Recently we have been able to discover that there is a special virus program that attacks many computers today and locks systems completely. The virus depicts itself as the supposed message from the police bodies, however, this is not so. The police and law enforcement bodies are not connected with the developers of the above-mentioned ransomware hijacker. When the virus penetrates into the computer it totally disables it. Users would not be able to run any application they need for their job or personal needs. When they try to reboot their computer the same picture would come up telling that user has been found to be engaged in illegal activities that are forbidden in accordance with the current legislation. In particular, the ransomware accuses users of watching sinful content, promoting and spreading it over the world wide web. In addition, the warning tells that you were found to spread spam from your computer and even to support terrorist activities. Well, to receive such message is very scary even if you haven’t done anything like that.
Atenção!!!
Foi detectado um caso de atividade ilegal. O sistema operacional foi bloqueado por violação das leis da República Português! Foi detectada a violação seguinte:
Do seu endereco IP com o numero de “[removed]” foi feita para acessar sites que contenham pornografia, pornografia infantil, bestialidade, tambem como a violencia sobre as criancas. No computador tambem foram encontrados arquivos de video contendo pornografia, violencia e os elementos de pornografia infantil. Uma vez que tambem spamming e-mail foi feito com subtexto de terrorismo.
O bloqueio do computador é feito para eliminar a possibilidade de ações ilegais por parte deles.
Para remover o bloco em seu computador, você deve pagar uma multa de 100 €.
Você tem duas formas de pagamento:
1) Efetuar o pagamento pelo Ukash:
Para isso, digite o código que você recebeu na linha de pagamento e clique em OK (se você tiver vários códigos, inseri-los um após o outro, em seguida, pressione OK).
Se o sistema falhar, você deve enviar e-mail de código (deposito@cyber-psp.pt).
2) Efetuar o pagamento via Paysafecard:
Para isso, digite o código que você recebeu (se necessário juntamente com a senha) na linha de pagamento, e clique em OK (se você tiver vários códigos, inseri-los um após o outro, e então clique em OK).
Se o sistema falhar, você deve enviar e-mail o código (deposito@cyber-psp.pt).
The virus asks you to pay certain amount of money in order to unlock your system. Otherwise, the malware says, your computer would remain in the same locked condition and all details about your supposed criminal activities would be reported to the police with respective actions performed by them subsequently. Users are instructed by the scam to donate the penalty funds by means of indicating Ukash voucher codes or Paysafecard PIN codes in the required fields. However, there is no guarantee that the system will be unlocked once the amount has been paid. Obeying the instructions of these malware makers is a serious mistake and the total waste of your money. There are other ways how you can actually get rid of this serious ransomware-type virus application. All of them require manual assistance, so you need some basic skills how to restore your system to the normal mode with full functionality. Please follow the removal guidelines below.
Ransomware removal sequence of steps:
- Restart your system into Safe Mode with Command Prompt. While your PC is booting hit “F8 key” on your keyboard repeatedly. This will lead you to “Windows Advanced Options Menu” as depicted below. Apply your arrow keys to go to Safe Mode with Command Prompt and then hit Enter key. Important! You need to login as the same user you were previously logged in with in the normal Windows mode. Please find more detailed information on rebooting into safe mode in this guide.
- While Windows boots the Windows command prompt will appear as depicted in the screenshot below. In the command prompt you need to type “regedit” (without quotation marks) and hit Enter. The Registry Editor window comes up.
- Find the following registry entry:
- Once Windows OS boots you will not see any desktop icons. Do not panic, this problem will be resolved soon. First of all, use the key combination “Ctrl+Alt+Del” or “Ctrl+Shift+Esc” (recommended) and launch Task Manager. Click File → New Task (Run…)
- This would open Internet Explorer broswer. Now you must download clean explorer.exe file and over-write the existing one which is infected. Please make sure you download the correct file for your version of Windows OS:
- Open up Task Manager once again. For this purpose click File → New Task (Run…) as you made in previous steps.
- Type in regedit and click OK to open Registry Editor.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
In the righthand panel select the registry key named Shell. Right click on this registry key and select Modify.
The default value is Explorer.exe.
Now you must amend the value data to iexplore.exe. Click OK to save your changes and now quit (shut down) the Registry editor.
Now return to “Normal Mode“. In order to reboot your PC, at the command prompt, type “shutdown /r /t 0” (without quotation marks) and hit Enter.
Type in iexplore and hit OK or click Enter keyboard button.
Click on the link to download the file. Select Save. Then go to C:\Windows folder and select available explorer.exe file. Click Save to overwrite the malicious explorer.exe file.
Find the same registry entry referred to in the step 3 of this tutorial.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
In the righthand panel choose the registry entry with the name Shell. Right click on this registry entry and select Modify. Delete iexplore.exe and type in Explorer.exe as it was initially. Click OK to save performed amendments.
Shut down Registry Editor and reboot your PC now. This should reslove your problem. The last but not the least – make sure to scan your PC with reliable and powerful anti-virus software.
Important! If this ransomware removal solution did not help you please consider another similar guide available here.
