Tietoverkkorikosten Tutkinnan Yksikko is the name used by a new ransomware-type virus that is now attacking Finland. Few security sites cover this problem. Even those that do often fail to provide good malware removal instructions, leaving users without professional help in restoring their computers to a normal, fully functional state. Regrettably, quite a large number of computers in Finland and, possibly, some other European countries have suffered from this serious infection, which takes the infected computer hostage and locks it completely, leaving no chance to do anything with it. Here is what the ransomware virus says in Finnish:
Tietoverkkorikosten Tutkinnan Yksikko
Tämä käyttöjärjestelmä on lukittu Suomen lain rikkomisen syystä! On todistettu seuraavat rikokset:
Sinun IP-osoite “[removed]“. Tästä IP-osoittesta on käyty sivuilla, jotka sisältävät pornografiaa, lapsipornografiaa, eläinpornografiaa ja lasten pahoinpitelyä. Sinun koneessasi on videotiedostoja, jotka sisältävät pornografiaa, lapsipornografiaa, eläinpornografiaa ja lasten pahoinpitelyä. Sen lisäksi sinun sähköpostistasi on lähetetty spam-viestiä, jotka sisältävät terrorismiin liittyviä asioita.
Tämän lukituksen tavoitteena on rikostoiminnan estäminen.
Tietokone voidaan vapauttaa lukituksesta maksamalla sakko suuruudeltaan 100 euroa.
Sinun on maksettava menetetyksi kautta Paysafecard:
Syötä 16-merkkinen koodi (tarvittaessa syötä salasanakin) OK (jos sinulla on muutama koodi, syötä ne kaikki vuorollaan ja paina OK).
Jos maksamisessa syntyy virhe, laheta koodit sahkopostitse osoitteeseen: firstname.lastname@example.org.
You should realize that the message you now see was developed by a team of cyber hackers who simply want your money. The scary notification has nothing to do with the Finnish Police (Poliisi) or its special subdivision known as Tietoverkkorikosten Tutkinnan Yksikko. Criminals are simply using the names of Finnish Police law enforcement bodies and agencies to scare you with the contents of the warning quoted above. So do not pay any money via the Paysafecard payment system into the pockets of these malware developers. Following the instructions of these virus makers is a serious mistake and a waste of your money (100 euros). To delete this virus from your computer and unlock it effectively, please follow the removal guide below. If it turns out to be ineffective, please try the other ransomware removal solutions that can be found by clicking the “ransomware” category in the upper part of this blog. But first, try this removal guide and follow it carefully.
Ransomware removal sequence of steps:
1. Restart your system into Safe Mode with Command Prompt. While your PC is booting, press the F8 key on your keyboard repeatedly. This will lead you to the “Windows Advanced Options Menu” as depicted below. Use the arrow keys to go to Safe Mode with Command Prompt and then press Enter. Important! You need to log in as the same user you were previously logged in as in normal Windows mode. Please find more detailed information on rebooting into safe mode in this guide.
2. While Windows boots, the Windows command prompt will appear as depicted in the screenshot below. At the command prompt, type “regedit” (without quotation marks) and press Enter. The Registry Editor window comes up.
3. Find the following registry entry:
   In the right-hand panel, select the registry value named Shell. Right-click this value and select Modify.
   The default value is Explorer.exe.
   Now change the value data to iexplore.exe. Click OK to save your changes and then close the Registry Editor.
   Now return to “Normal Mode”. To reboot your PC, type “shutdown /r /t 0” (without quotation marks) at the command prompt and press Enter.
4. Once Windows boots, you will not see any desktop icons. Do not panic, this problem will be resolved soon. First of all, use the key combination “Ctrl+Alt+Del” or “Ctrl+Shift+Esc” (recommended) and launch Task Manager. Click File → New Task (Run…)
   Type in iexplore and click OK or press Enter.
5. This opens the Internet Explorer browser. Now you must download a clean explorer.exe file and overwrite the existing one, which is infected. Please make sure you download the correct file for your version of Windows OS:
   Click on the link to download the file. Select Save. Then go to the C:\Windows folder and select the existing explorer.exe file. Click Save to overwrite the malicious explorer.exe file.
   Find the same registry entry referred to in step 3 of this tutorial.
   In the right-hand panel, choose the registry value named Shell. Right-click this value and select Modify. Delete iexplore.exe and type in Explorer.exe as it was initially. Click OK to save the changes.
   Close the Registry Editor and reboot your PC now. This should resolve your problem. Last but not least, make sure to scan your PC with reliable and powerful anti-virus software.
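As an added check that is not part of the original guide: after the final reboot, the PowerShell script below confirms that the Shell value is back to explorer.exe and that explorer.exe in the Windows folder carries a valid Microsoft signature. The Winlogon registry path is an assumption (the standard Windows location of the Shell value), since the page does not show the entry named in step 3; the function names are hypothetical.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell prompt.
# Assumption: $winlogon is the standard Windows location of the "Shell" value;
# the guide's own registry entry (step 3) is not shown on the page.
$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function New-Result($check, $value, $status) {
    New-Object PSObject -Property @{ Check = $check; Value = $value; Status = $status }
}

function Test-ShellValue([string]$Hive) {
    # Read Shell from HKLM or HKCU; a missing value comes back as $null.
    $item  = Get-ItemProperty -Path "${Hive}:\$winlogon" -Name Shell -ErrorAction SilentlyContinue
    $value = if ($item) { $item.Shell } else { $null }
    if ($null -eq $value) {
        # HKCU normally has no Shell value; HKLM without one is itself abnormal.
        $status = if ($Hive -eq 'HKCU') { 'OK' } else { 'FAIL' }
    } elseif ($value.Trim() -ieq 'explorer.exe') {
        $status = 'OK'
    } else {
        $status = 'FAIL'   # iexplore.exe left over from the guide, or a locker binary
    }
    New-Result "$Hive Winlogon Shell" $value $status
}

function Test-ExplorerBinary {
    $path = Join-Path $env:SystemRoot 'explorer.exe'
    if (-not (Test-Path $path)) { return New-Result $path $null 'FAIL' }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') {
        $status = 'OK'
    } elseif ($sig.Status -eq 'NotSigned') {
        # Older Windows catalog-signs system files, which this cmdlet may not see:
        # confirm with "sfc /verifyfile=<path>" before treating it as tampered.
        $status = 'INCONCLUSIVE'
    } else {
        $status = 'FAIL'   # HashMismatch, NotTrusted, or a non-Microsoft signer
    }
    New-Result $path "$($sig.Status) $signer" $status
}

$results = @(Test-ShellValue 'HKLM'; Test-ShellValue 'HKCU'; Test-ExplorerBinary)
$results | Format-Table Check, Status, Value -AutoSize
if ($results | Where-Object { $_.Status -eq 'FAIL' }) { exit 1 }
```

A FAIL on either Shell row means the locker's shell replacement (or the temporary iexplore.exe setting) is still in place; a FAIL on the explorer.exe row means the file in the Windows folder should not be trusted as it stands.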
Important! If this ransomware removal solution did not help you please consider another similar guide available here. If this guide didn’t work either, then try other solutions available under the “Ransomware” category of this blog.