Las operaciones sobre las actividades ilegales se detectaron en el ordenador virus

February 26th, 2012 by admin

Regrettably, Spanish-speaking countries have not escaped the ransomware attacks now striking the entire world. Some PCs are being locked by this virus, which hijacks the desktop and replaces the usual desktop background with its own, quite a scary one. Here is what it says:

Las operaciones sobre las actividades ilegales se detectaron en el ordenador.
Atencion!

El sistema operativo esta bloqueado a causa de una violacion. Sus acciones se consideran ilegales en Espana y la Union Europea.
Esta IP [removed] fue descubierto y reportado a las autoridades policiales. El usuario de este IP para usar el equipo para ver contenido pornografico, pornografia infantil, bestialidad, y la violencia contra los ninos.
El ordenador tambien cuenta con archivos de video con pornografia ilegal, ya que nuestro sistema de exploracion detecta los elementos de la violencia y la pornografia en la computadora. Ademas de su correo electronico personal se han encontrado, envio mensajes de correo electronico como spam, y tambien encontro correos electronicos con caracter terrorista. Nuestros servidores tienen bloqueado el equipo deje de sus actividades ilegales.
Para desbloquear el equipo, debe pagar una multa de $ 150.00. Le garantizamos la discrecion y la seguridad de su informacion al recibir el pago de la multa. Aqui hay formas de pago:
1) El pago “Ukash”:
Debe introducir un codigo adquirido en la ventana que aparece en la pantalla. Despues de introducir un codigo valido, haga clic en Aceptar.
2) Pago “Paysafecard”:
Debe introducir un codigo adquirido en la ventana que aparece en la pantalla. Despues de introducir un codigo valido, haga clic en Aceptar.
(Si tiene varios codigos, introduzcalos uno a uno en una linea). Despues de introducir el codigo para desbloquear el equipo de 1 a 3 dias de negocios. No violan la ley.
Si el sistema genera un error despues de ingresar el codigo que necesitas para enviar el codigo a traves de correo electronico – (e-mail info@stopkriminal.net).

If you receive such a message, you must understand that it was prepared by online fraudsters. This is a trap that some people have stepped into: they were deceived and decided to pay the ransom to get their systems unlocked. However, this ransomware scam gives no guarantee that the PC will be unblocked after the payment codes are entered, so doing what the malware instructs is a total waste of funds. Instead of entering Paysafecard or Ukash voucher PIN codes, follow the removal guideline below, which will help you delete this nasty infection from your computer. It requires some manual steps on your part and some knowledge of general computer fundamentals. Nevertheless, if you follow this guide you will find out exactly what to do to unlock your PC and restore it to a fully functional state.

Ransomware removal sequence of steps:

  1. Restart your system into Safe Mode with Command Prompt. While your PC is booting, hit the F8 key on your keyboard repeatedly. This will lead you to the “Windows Advanced Options Menu” as depicted below. Use your arrow keys to go to Safe Mode with Command Prompt and then hit the Enter key. Important! You need to log in as the same user you were previously logged in as in normal Windows mode. Please find more detailed information on rebooting into safe mode in this guide.
  2. Once Windows boots, the Windows command prompt will appear as depicted in the screenshot below. In the command prompt, type “regedit” (without quotation marks) and hit Enter. The Registry Editor window comes up.
  3. Find the following registry entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

    In the right-hand panel select the registry value named Shell. Right-click on it and select Modify.

    The default value should be Explorer.exe, but it was modified by the ransomware program in the following manner:

    mahmud.exe

    Instead of this registry entry value “C:\Documents and Settings\[your account name]\Application Data\mahmud.exe” type in “Explorer.exe”. The name of this registry entry may be different from what is depicted in the screenshot above.

  4. Once the value of this registry entry has been changed to “Explorer.exe”, please close the Registry Editor and reboot your PC. To reboot, type the command “shutdown /r /t 0” (without quotation marks) and hit Enter.
  5. This should unlock your desktop from the ransomware virus. Now make sure to scan your PC with reliable and powerful anti-virus software that will detect and remove other infected files of this virus.
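
The Shell value check from the steps above can also be scripted. The following is an added example, not part of the original guide: it reports whether the Winlogon Shell value still holds the default and, with the hypothetical `-Repair` switch defined in the script, restores it. It assumes PowerShell is available on the machine (it is not installed by default on Windows XP), and it also looks at the per-user HKCU copy of the key, which goes beyond what the guide covers.

```powershell
# Added example (not from the original guide): audit the Winlogon "Shell" value.
# Read-only unless -Repair is passed; -Repair needs an elevated prompt.
param([switch]$Repair)

$subKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = 'explorer.exe'   # default value named in the guide

$report = foreach ($hive in 'HKLM:', 'HKCU:') {
    $path  = '{0}\{1}' -f $hive, $subKey
    $entry = Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue

    if ($null -eq $entry) {
        # A per-user (HKCU) Shell value is normally absent; HKLM should have one.
        $value  = $null
        $status = if ($hive -eq 'HKCU:') { 'OK (not set)' } else { 'MISSING' }
    }
    else {
        $value = [string]$entry.Shell
        # Anything other than the bare default is reported: a path into a user
        # profile, extra arguments, or a second program appended after a comma.
        $status = if ($value.Trim() -ieq $expected) { 'OK' } else { 'MODIFIED' }
    }

    New-Object PSObject -Property @{ Path = $path; Shell = $value; Status = $status }
}

$report | Format-Table Status, Shell, Path -AutoSize

foreach ($item in @($report | Where-Object { $_.Status -eq 'MODIFIED' })) {
    # Print the old value before touching it: it names the file to hand to
    # the anti-virus scan in the last step of the guide.
    Write-Warning ('{0} -> {1}' -f $item.Path, $item.Shell)

    # Only the HKLM value from the guide is rewritten; HKCU is report-only.
    if ($Repair -and $item.Path -like 'HKLM:*') {
        Set-ItemProperty -Path $item.Path -Name Shell -Value $expected
        Write-Output ('Restored Shell to {0} under {1}' -f $expected, $item.Path)
    }
}
```

Run it without arguments first to see the current values; a MODIFIED row whose Shell points into a user profile folder matches the change described in step 3.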

Important! If this ransomware removal solution did not help you, please consider another similar guide available here.
