The PCs located in Germany and other German-speaking countries are nowadays being attacked with another example of ransomware virus. Its previous (alternative) versions are known as Metropolitan Police virus or La Policia Espanola scareware alert. This malware sample follows the same sequence of tricks as its other previous modifications. In particular, it hijacks the desktop and does not allow users to do anything with it. It actually accuses the users of doing many evil and sinful sins, including watching certain illegal materials, videos, sending, spreading spam and even having to do with supporting the terrorist activities. It is amazing how instrumental the cyber hackers can be in inventing the new scareware stories aimed to rip you off. This program is the typical example of quite a new tendency in infecting the PCs worldwide – the restoration of ransomware PC hijackers.
This computer hijacking virus bearing the name of Achtung! Aus Sicherheitsgründen wurde Ihr Windowssystem blockiert tells you that after you’ve been noticed to watch illegal materials over the Internet your system has been damaged with Trojans and viruses and that you need to run special update of your operating system which will deal with all those supposed virus problems. However, in order to do it you are instructed to first effect the payment for a which amounts to 50 Euro by means of Ukash vouchers or Paysafe PIN-code. It says that after you indicate this financial information the computer would be restored to the normal condition and you will no longer experience the problem. We’ve not tested whether this trick really works or not, but the reality is that this is a virus designed to get money from you. You should not trust this scam application but rather remove it immediately, upon the very first detection.
Below please find the screenshots of what this hoax actually accuses you of:
Achtung! Aus Sicherheitsgründen wurde Ihr Windowssystem blockiert.
Durch das Besuchen von Seiten mit infizierten und pornografischen Inhalten ist das Computersystem an eine kritische Grenze angekommen, nach der das System zusammenbrechen und die ganzen Dateien verloren gehen können. Um das System wiederherstellen zu können, müssen Sie ein zusätzliches Sicherheitsupdate herunterladen.
Dieses Update ist ein kostenpflichtiges Upgrade für besonders infizierte Windowssysteme. Es beschützt das System vollständig von Virus und Schadprogrammen, stabilisiert Ihr Computersystem und verhindert den Datenverlust.
Damit Ihr Computersystem schnellstens verbessert wird, geben Sie bitte weiter unten einen Code für 50,-Euro Ukash oder Paysafe ein. Diese können Sie an fast jeder Tankstelle oder einen Kiosk in Ihrer Nähe kaufen. Diese Codes gibts auch überall da. wo Sie Handyaufladekarte erwerben können. Sofort nach der Eingabe und der Gültigkeitsprüfung wird Ihr Computer komplett aktualisiert und gesichert – alle Trojaner und Viren werden gelöscht.
In order to successfully eliminate this horrible virus belonging to the ransomware malware group please carefully follow our special virus removal guidelines provided below. Please do not hesitate to contact us at any time if you require any help on our part.
Automatic removal solution (recommended):
- Go to your friend, relative or anybody else who has computer with Internet connection.
- Take your USB flash drive / Memory Stick with you.
- Download GridinSoft Trojan Killer installation file from this site http://trojan-killer.net/download.php and save it to your USB flash drive / Memory Stick.
- Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
- Perform hard reset (press reset button on your computer) if your infected PC has been on with ransomware background. If not, then simply turn your PC on.
- Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
- In the window that appeared select “Safe mode with command prompt” option and press Enter.
- Choose your operating system and user account which was infected with ransomware virus.
- In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
- Select “My Computer” and choose your USB flash drive / Memory Stick.
- Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
- When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
- In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
- Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
- However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing ransomware virus to infect your PC.
Automatic removal video:
Ransomware manual removal (optional):
- Restart your system into “Safe Mode with Command Prompt”. While the PC is booting press the “F8 key” continuously, which should present the “Windows Advanced Options Menu” as presented in the image below. Apply the arrow keys in order to move to “Safe Mode with Command Prompt” and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.
- Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word “explorer”, and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.
- Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word “regedit” and hit Enter button of your keyboard. The Registry Editor should open.
- Find the following registry entry:
In the right-side panel select the registry entry named Shell. Right click on this registry key and select “Modify” option. Its default value should be “Explorer.exe”. However, ransomware virus did its job, and so after you click “Modify” you would see totally different value of this registry entry.
- Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of ransomware virus is located.
- Modify the value of the registry entry back to “explorer.exe” and save the settings of the Registry Editor.
- Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step. In our case, ransomware virus file was located and running from the Desktop. There was a file called “contacts.exe”, but it may have different (random) name.
- Get back to “Normal Mode”. In order to reboot your PC, when at the command prompt, type-in the following phrase “shutdown /r /t 0” (without the quotation marks) and hit Enter button.
- The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer downloadable through the button below.
You know how it normally looks like, don’t you? Well, here is the screenshot of it:
Associated virus files to be removed:
Associated virus registry entries to be removed:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[random].exe"