Tuesday, May 24, 2011

Remove Die offizielle Mitteilung des Bundeskriminalamtes (Uninstall Guide)

"Die offizielle Mitteilung des Bundeskriminalamtes" is a Trojan (ransomware) targeting Internet users in Germany. The Trojan replaces the Windows desktop with a fake warning from the German Federal Police claiming that child pornography has been found on your computer. The system will be unlocked on payment of 100 Euros in Ukash vouchers within 24 hours. And if you don't pay the ransom, your files will be deleted. Don't worry, the Trojan is not capable of doing this. Cyber criminals behind this Trojan want to scare you into paying the ransom. "Die offizielle Mitteilung des Bundeskriminalamtes" Trojan blocks pretty much everything on your computer, so you can't use Task Manager or any other Windows utility to disable this Trojan, at least in Normal Mode and Safe Mode. Thankfully, you can restart your computer in Safe Mode with Command Prompt and remove the "Die offizielle Mitteilung des Bundeskriminalamtes" Trojan manually. For more information, please follow the removal instructions below. Good luck and be safe online!



Related malware: BUNDESPOLIZEI Ransomware


Die offizielle Mitteilung des Bundeskriminalamtes removal instructions:

1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens. Do not close it.



3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify.



Default value is Explorer.exe.



Modified value data points to Trojan Ransomware executable file.



Please copy the location of the executable file it points to into Notepad or otherwise note it and then change value data to Explorer.exe. Click OK to save your changes and exit the Registry editor.

5. Remove the malicous file. Use the file location you saved into Notepad or otherwise noted in step in previous step. In our case, "Die offizielle Mitteilung des Bundeskriminalamtes" was run from the Desktop. There was a file called movie.exe.

Full path: C:\Documents and Settings\Michael\Desktop\movie.exe



Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.



6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated Die offizielle Mitteilung des Bundeskriminalamtes files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = "0"
Share this information with other people:

No comments:

Post a Comment