Search This Blog

Monday, February 25, 2013

New Zealand Police virus. How to remove

It is quite a surprising fact that recently new countries have been added by hackers into the list of those attacked by their ransomware lockers. This time New Zealand suffers as well, being actively targeted by ransomare attacks. The warning suddenly comes up on the compromised PC, supposedly originating from New Zealand Police. It is also known as Ngā Pirihimana O Aotearoa in the native language. The methods of scaring users have not changed dramatically in this ransomware sample. Similar to other versions of this infection, New Zealand Police virus accuses users of performing various sorts of crimes online, and this is how the locker explains the reason for the computer being blocked. Surely, the first thing in the mind of computer user is that indeed the system got locked by the police. However, the deep analysis of this scam gives us all the grounds to assert that this scary warning isn’t associated with the Police of New Zealand at all. Instead, it is the product of cyber frauds who want to gain possession over your funds. The tricks of the crooks are surely instrumental.

First, the accusation is given in front of user’s eyes, saying that he/she has performed all sorts of illegal activities (see quotation from the scary warning below). The alert instructs users to pay the fine of NZD $100 within the next 72 hours, promising the system to be unlocked afterwards. However, there’s no such guarantee on the part of the crooks. And, most probably, the same locked status will eventually remain even after users mistakenly pay this fake fine. We say ‘fake’ because the money in this case doesn’t go into the state budget of New Zealand. Instead, it all goes into the pockets of cyber crooks and frauds.

Summarizing the above-mentioned information, please do not pay any funds in favor of the crooks through Ukash of Paysafecard payment systems as instructed by the New Zealand Police ransomware. Instead, please carefully follow the malware removal guide that we’ve specifically developed recently to assist users in unlocking their systems after ransomware virus hijacked them.

Screenshot of New Zealand Police virus:

Quotation from fake New Zealand Police scary alert:

New Zealand Police
Ngā Pirihimana O Aotearoa
ATTENTION! Your PC is blocked due to at least one of the reasons specified below.
You have been violating “Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article 128 of the Criminal Code of New Zealand.
Article 128 of the Criminal Code provides for a fine of 200 to 500 minimal wages or a deprivation of liberty for 2 to 8 years.
You have been viewing or distributing prohibited Pornographic content (Child Porn/Zoophilia and etc). Thus violating Article 202 of the Criminal Code of New Zealand.
Article 202 of the Criminal Code provides for a deprivation of liberty for 4 to 12 years. Illegal access to computer data has been initiated from your PC, or you have been…
Article 208 of the Criminal Code provides for a fine of up to NOD S100,000 and/or a deprivation of liberty for 4 to 9 years.
Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law On Neglectful Use of Personal Computer.
Article 210 of the Criminal Code provides for a fine of NOD 52,000 to NOD $8,000.
Spam distribution or other unlawful advertising has been effected from your PC as a profit-seeking activity or without your knowledge, your PC may be infected by malware.
Article 212 of the Criminal Code provides for a fine of up to NZD S250,000 and a deprivation of liberty of up to 6 years. In case this activity has been effected without your knowledge, you fall under the above-mentioned article 210 of the Criminal Code of New Zealand.
Your personality and address are currently being identified, a criminal case is going to be initiated against you under one or more articles specified above within the next 72 hours.
Pursuant to the amendment to the Criminal Code of New Zealand of February 04, 2013, this law infringement (if it is not repeated – first time) may be considered as conditional in case you pay the fine to the State.
Fines may only be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours!
The amount of fine is NZD $100. You can pay a fine Ukash.
When you pay the fine, your PC will get unlocked in Ito 72 hours after the money is put into the State’s account.

Automatic removal solution (recommended):

  1. Go to your friend, relative or anybody else who has computer with Internet connection.
  2. Take your USB flash drive / Memory Stick with you.
  3. Download GridinSoft Trojan Killer installation file from this site http://trojan-killer.net/download.php and save it to your USB flash drive / Memory Stick.
  4. Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
  5. Perform hard reset (press reset button on your computer) if your infected PC has been on with ransomware's background. If not, then simply turn your PC on.
  6. Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
  7. In the window that appeared select “Safe mode with command prompt” option and press Enter.
  8. Choose your operating system and user account which was infected with ransomware virus.
  9. In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
  10. Select “My Computer” and choose your USB flash drive / Memory Stick.
  11. Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
  12. When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
  13. In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
  14. Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
  15. However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing ransomware to infect your PC.

Automatic removal video:

Ransomware manual removal milestones (optional and might not be effective):

  1. Restart your system into "Safe Mode with Command Prompt". While the PC is booting press the "F8 key" continuously, which should present the "Windows Advanced Options Menu" as presented in the image below. Apply the arrow keys in order to move to "Safe Mode with Command Prompt" and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.
  2. Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word "explorer", and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.
  3. Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word "regedit" and hit Enter button of your keyboard. The Registry Editor should open.
  4. Find the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ In the right-side panel select the registry entry named Shell. Right click on this registry key and select "Modify" option. Its default value should be "Explorer.exe". However, ransomware did its job, and so after you click "Modify" you would see totally different value of this registry entry.
  5. Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of ransomware is located.
  6. Modify the value of the registry entry back to "explorer.exe" and save the settings of the Registry Editor.
  7. Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step. In our case, ransomware's virus file was located and running from the Desktop. There was a file called "contacts.exe", but it may have different (random) name.
  8. Get back to "Normal Mode". In order to reboot your PC, when at the command prompt, type-in the following phrase "shutdown /r /t 0" (without the quotation marks) and hit Enter button.
  9. The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer downloadable through the button below.

Manual removal video:

Associated virus files to be removed:

[random].exe

Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[random].exe"
Posted by Andrew McPherson at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)