Search This Blog

Tuesday, January 15, 2013

‘You have 72 hours to pay the fine’ virus

There are many ransomware virus infections in the cyber world today that scare users with this indeed horrifying message “you have 72 hours to pay the fine”. The fine for committing what crimes, by the way? The ransomware warning is often presented as some fake warning from the police, however, it has nothing to do with any of the law enforcement bodies. The fact is that this locker is the direct product of hackers who want to scare you into paying funds in their favor. This “fine” is not the fine, this is the ransom that hackers want you to pay in order to have your system unlocked.

Ransomware virus lockers are becoming more and more widely spread in the world today. The majority of European countries are being attacked by this scam, with various degrees of severity that differ with time. However, the United States of America, Canada, Australia are also being bombarded by this malware. The purpose of the ransomware locker is to make users scared with the faulty accusation expressed in the fake police warning about user committing some crime through the use of the locked computer, thus explaining the reason for the locked status. The faulty accusations in the majority of the cases are as follows:

  • watching illegal sinful information over the Internet;
  • spreading unsolicited spam;
  • visiting the sites of terrorist organizations for the purpose of supporting them;
  • downloading illegal audio and video samples and spreading them around the Internet;
  • downloading illegal software and spreading it over the world wide web.

All these accusations are faulty, users have never committed any of the crimes listed above. However, to receive such a warning is indeed very scary for all those users who don’t realize that this is a fake police warning, who don’t know that this message is the product of cyber hackers. Regretfully, some users have been so scared to death that they decided to pay the ransom in favor of the crooks. Hopefully, this will not be the case with you.

We understand the need to assist our users in ransomware virus removal. We hope that the information listed below be beneficial to you and will help you unlock your system effectively from ransomware virus infection. There are various methods described, both automatic and manual. Feel free to try them all until your system is completely unblocked.

Removal steps:

Important! This tutorial is effective for all GreenDot MoneyPak, Ukash and Paysafecard ransomwares.

  1. Restart your system and press F8 while it is restarting.
  2. Select Safe Mode with Networking.
  3. Press Start menu and choose Run, or press [Win]+R hotkey combination on keyboard.
  4. Type msconfig
  5. Disable all startup items rundll32 that launch any application from Application Data.
  6. Reboot your system once again.
  7. Scan your computer with GridinSoft Trojan Killer immediately to identify the infected file and delete it.

Important! Certain versions of these viruses disable all safe modes, but give a short gap that you can use to run antivirus tools. If this is the case, do following:

  1. Restart normally.
  2. Click Start and select Run.
  3. Enter the text specified in the quotation below. If malware is loaded, just press Alt+Tab once and keep entering the string blindly; then press Enter.
  5. Press Alt+tab and then R (letter) a couple of times. The process of ransomware virus should be killed after you succeed to download, install our recommended software and scan your system with it.

Recommended software for DOJ (Department of Justice) virus removal:

Department of Justice virus removal tool

Alternative automatic removal solution:

  1. Go to your friend, relative or anybody else who has computer with Internet connection.
  2. Take your USB flash drive / Memory Stick with you.
  3. Download GridinSoft Trojan Killer installation file from this site and save it to your USB flash drive / Memory Stick.
  4. Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
  5. Perform hard reset (press reset button on your computer) if your infected PC has been on with ransomware's background. If not, then simply turn your PC on.
  6. Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
  7. In the window that appeared select “Safe mode with command prompt” option and press Enter.
  8. Choose your operating system and user account which was infected with ransomware virus.
  9. In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
  10. Select “My Computer” and choose your USB flash drive / Memory Stick.
  11. Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
  12. When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
  13. In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
  14. Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
  15. However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing ransomware virus to infect your PC.

Similar automatic removal video:

Alternative manual removal milestones (optional and might not be effective):

  1. Restart your system into "Safe Mode with Command Prompt". While the PC is booting press the "F8 key" continuously, which should present the "Windows Advanced Options Menu" as presented in the image below. Apply the arrow keys in order to move to "Safe Mode with Command Prompt" and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.
  2. Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word "explorer", and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.
  3. Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word "regedit" and hit Enter button of your keyboard. The Registry Editor should open.
  4. Find the following registry entry:
  5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
  6. In the right-side panel select the registry entry named Shell. Right click on this registry key and select "Modify" option. Its default value should be "Explorer.exe". However, ransomware virus did its job, and so after you click "Modify" you would see totally different value of this registry entry.
  7. Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of ransomware virus is located.
  8. Modify the value of the registry entry back to "explorer.exe" and save the settings of the Registry Editor.
  9. Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step.
  10. Get back to "Normal Mode". In order to reboot your PC, when at the command prompt, type-in the following phrase "shutdown /r /t 0" (without the quotation marks) and hit Enter button.
  11. The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer downloadable through the button below.

Similar manual removal video:

Associated virus files to be removed:


Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[random].exe"

No comments:

Post a Comment