Saturday, May 22, 2010

How to remove Windows activation ransomware (Uninstall guide)

Today we want to draw your attention to a new piece of Windows activation ransomware that locks up your system and prompts you to enter your billing details and credit card information to re-activate your copy of Windows. Basically, it's a Trojan virus that displays a fake pop-up (which looks quite legitimate, by the way) and claims that you are running a pirated version of Windows. Of course, that's not true. If you choose to activate Windows later, your computer reboots. Thankfully, we've got removal instructions to help you. This Windows activation ransomware can be removed from your computer for free using legit anti-malware programs. Please follow the removal instructions below.



The text of the fake Windows activation pop-up:
"Microsoft Windows Activation
Microsoft Piracy Control


Your copy of Windows was activated by another user. To help reduce software piracy, please re-activate your copy of Windows now. We will ask for your billing details, but your credit card will NOT be charged. You must activate Windows before you can continue to use it. Microsoft is committed to your privacy. For more information, www.microsoft.com/privacy.


Do you want to activate Windows now?"

It should be obvious that you shouldn't submit your credit card information, because it can be used for identity theft or your credit card can be charged for an unknown amount of money. Either way, that sounds bad, right? In order to remove the Fake Windows Activation or Microsoft Piracy Control screen, you need to reboot your computer in Safe Mode with Networking and either remove the ransomware manually or download and scan your PC with reputable and legit anti-malware software. Most importantly, don't submit your credit card information! If you have any questions or additional information about this ransomware, please leave a comment. Good luck and be safe!


Windows activation ransomware removal instructions:

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8" key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Log in as the same user you were previously logged in as in normal Windows mode.

2. Download and scan your computer with at least one anti-malware program listed below:
NOTE: Before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!


Windows activation ransomware associated files and registry values:

Files:
  • C:\WINDOWS\system32\.exe
  • %UserProfile%\Application Data\mtl.dll
Registry:

  • HKEY_CURRENT_USER\Software\AntiPiracy
  • HKEY_CURRENT_USER\Software\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
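
The indicators listed above can be checked without changing anything on the system. The PowerShell function below is an added example, not part of the original guide; its name and the helper `New-Finding` are hypothetical, and it lists every HKCU Run entry for manual review because the ransomware's value name is random.

```powershell
# Added example: read-only check for the indicators listed in this guide.
# Run it as the affected user, because the registry keys are under HKEY_CURRENT_USER.
function Get-ActivationRansomwareIndicator {
    $findings = @()
    function New-Finding($type, $item, $detail) {
        New-Object PSObject -Property @{ Type = $type; Item = $item; Detail = $detail }
    }

    # File indicator: %UserProfile%\Application Data\mtl.dll
    $dll = Join-Path $env:USERPROFILE 'Application Data\mtl.dll'
    if (Test-Path -LiteralPath $dll) {
        $findings += New-Finding 'File' $dll 'present'
    }

    # Registry key associated with the ransomware
    $antiPiracy = 'HKCU:\Software\AntiPiracy'
    if (Test-Path -LiteralPath $antiPiracy) {
        $findings += New-Finding 'RegistryKey' $antiPiracy 'present'
    }

    # Task Manager lockout. A value of 1 can also come from a legitimate
    # administrator policy, so treat it as a lead, not proof.
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = Get-ItemProperty -Path $policy -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    if ($value -and $value.DisableTaskMgr -eq 1) {
        $findings += New-Finding 'RegistryValue' "$policy\DisableTaskMgr" '1 (Task Manager disabled)'
    }

    # The autostart value name is random, so list every HKCU Run entry for manual review.
    $runKey = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($runKey) {
        foreach ($name in $runKey.GetValueNames()) {
            $findings += New-Finding 'RunEntry (review)' $name ([string]$runKey.GetValue($name))
        }
    }
    $findings
}

Get-ActivationRansomwareIndicator | Select-Object Type, Item, Detail | Format-List
```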