Ihr Computer ist gesperrt. GVU virus removal tool

1 Star2 Stars3 Stars4 Stars5 Stars (72 votes, average: 5.00 out of 5)
Loading...

Today there is a serious virus crossing around German-speaking countries called GVU. Of course, it has nothing to do with GVU. Hackers use the good name of this governmental agency for the purpose of reaching their many evil goals. This GVU Trojan is also called ransomware, i.e. the program that completely disables the desktop of the attacked computer and asks for the ransom to be paid by user in favor of hackers. Removal of GVU scam and unlocking your computer is the subject of today’s article.

GVU virus screenshot

GVU trojaner

Text of GVU virus scary warning:

Ihr Computer ist gesperrt
Sie begingen Strafhandlungen die gesetzeswidrig sind und die strafrechtlich geahndet werden.
Die Funktionen Ihres Computers wurden aus Gründen unbefugter Netzaktivitäten ausgesetzt. Im Weiteren sind mögliche Ursachen angegeben: Artikel – 174. Urheberrecht Freiheitsentzug von 2 bis zu 5 Jahren (Nutzung oder Verbreitung von urheberrechtlich geschütztem Material) Geldstrafe in Höhe von 18000 Euro bis 23000 Euro. Artikel – 183. Pomografie Freiheitsentzug von 2 bis zu 3 Jahren (Nutzung oder Verbreitung von pornografischen Dateien) Geldstrafe von 18 000 Euro bis zu 25 000 Euro. Artikel – 184. K/nderpomogrsfie (unter 18 Jahren) Freiheitsentzug von 10 bis zu 15 Jahren (Nutzung oder Verbreitung von Dateien mit Kinde rpornografie). Geldstrafe in Höhe von 20 000 Euro bis zu 40 000 Euro. Artikel – 104. Terrorismusförderung Freiheitsentzug von 25 Jahren ohne Recht auf Revision (Besuchen von Seiten von terroristischen Vereinigungen). Geldstrafe von 35 000 Euro bis 45 000 Euro mit Beschlagnahmung von Eigentum. Artikel – 68. Verbreitung von Virenprogrammen Freiheitsentzug bis zu 2 Jahren (Erstellen von Virenprogrammen, die anderen Computern Schaden zufügen). Geldstrafe von 15 000 Euro bis 28 000 Euro. Artikel – 113. Verwendung von nichtlizensierter Software Freiheitsentzug bis zu 2 Jahren (Verwendung von nichtlizensierter Software). Geldstrafe von 10 000 Euro bis 22 000 Euro. Artikel – 99. Betrug mit Zahlungskarten Freiheitsentzug bis zu 5 Jahren (Handlungen mit der Nutzung von Zahlungskarten oder dessen Reguisiten, die nicht vom Eigentümer getätigt worden sind). Geldstrafe von 30 000 Euro bis 75 000 Euro mit Beschlagnahmung von Eigentum. Artikel 156. Verschicken von Spamnachrichten mit pornografischem Inhalt Freiheitsentzug bis zu 2 Jahren (Verschicken von Spamnachrichten mit pornografischem Inhalt durch Emails oder soziale Netze). Geldstrafe von 16000 Euro bis zu 38000 Euro Bitte beachten Sie: Die Geldbuße kann nur innerhalb von 48 Stunden beglichen werden, wenn die Geldbuße innerhalb von 48 Stunden nicht beglichen worden ist wird es nicht mehr möglich sein den Computer zu entsperren. In diesem Falle wird gegen Sie automatisch ein Strafverfahren eingeleitet.

GVU virus spreads in various countries. This malware is categorized as Reveton Trojan. There are many other similar modifications of this scam in many other countries. In all cases the virus message is presented as the one supposedly coming from the police. Of course, it is very scary for user to encounter such a scary alert. The fake police warning tells that user was found to perform a lot of illegal activities through the infected computer. The locker says that this illegal activity is the reason for the locked status of the computer.

The purpose of GVU ransomware developed by hackers is to collect money from deceived and tricked users. The text of the scary warning tells that users must indicate certain Ukash or Paysafecard voucher (PIN) code in the respective section of the locker. Doing so is a serious mistake. Ukash and Paysafecard payment processing companies have nothing to do with development of distribution of this scam.

In order to unlock your computer from GVU malware we strongly recommend you to follow the guidelines that we’ve developed specifically to assist users in ransomware removal. You may find them listed below. Keep in mind that automatic removal of this scam is never possible by simply running the security software, because the virus completely disables the desktop of your computer. So, you first need to undertake certain manual steps, before running the security program of your choice. The alternative solution is to completely remove this malware by means of some manual steps, even without participation of security program. The choice is all yours, however, we believe that automatic removal is a better approach for thorough system cleanup.

Ransomware removal solutions

Solution 1 (automatic)

NB! This solution is applicable for all GreenDot MoneyPak, Ukash and Paysafecard ransomwares.

    1. Reboot your system and press F8 repeatedly while it is restarting.
    2. Select Safe Mode with Networking.

Safe Mode with Networking

    1. Click Start and in the open space type Run, or press [Win]+R on keyboard.

Start - Run

    1. Type msconfig and press “OK“.

msconfig

  1. Disable startup items rundll32 turning on any application from Application Data.
  2. Reboot your computer once again.
  3. Scan your system with GridinSoft Trojan Killer to identify the infected file and delete it.

NB! Some versions of these viruses disable all safe modes, but give a short gap that you can use to run anti-malware tools. Then act as follows:

    1. Reboot normally.
    2. Click Start and in the open space type Run.

Start - Run

    1. Enter the text https://trojan-killer.net/download.php in the open field.

Download link for Trojan Killer

  1. If the malware is loaded, just press Alt+Tab once and keep entering the string blindly then press Enter. Press Alt+tab and then R (letter) a couple of times. The process of ransomware virus should be killed after you succeed to download, install our recommended software and scan your system with it.

Solution 2 (automatic)

    1. Go to your friend, relative or anybody else who has computer with Internet connection.
    2. Take your USB flash drive / Memory Stick with you.
    3. Download GridinSoft Trojan Killer installation file from this site https://trojan-killer.net/download.php and save it to your USB flash drive / Memory Stick.
    4. Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
    5. Perform hard reset (press reset button on your computer) if your infected PC has been on with ransomware’s background. If not, then simply turn your PC on.
    6. Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
    7. In the window that appeared select “Safe Mode with Command Prompt” option and press Enter.

Safe Mode with Command Prompt

    1. Choose your operating system and user account which was infected with ransomware virus.
    2. In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
    3. Select “My Computer” and choose your USB flash drive / Memory Stick.
    4. Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
    5. When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
    6. In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.

shutdown /r /t 0

  1. Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
  2. However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing ransomware virus to infect your PC.

Similar automatic removal video

Solution 3 (manual)

    1. Restart your system into “Safe Mode with Command Prompt“. While the PC is booting press the “F8 key” continuously, which should present the “Windows Advanced Options Menu” (for Windows XP) or “Advanced Boot Options” (for Windows 7 and Vista) as presented in the image below. Apply the arrow keys in order to move to “Safe Mode with Command Prompt” and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.

Safe Mode with Command Prompt

    1. Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word “explorer.exe“, and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.

explorer.exe

    1. Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word “regedit.exe” and hit Enter button of your keyboard. The Registry Editor should open.

regedit.exe

    1. Find the following registry entry:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon

    1. In the right-side panel select the registry entry named Shell. Right click on this registry key and select “Modify” option. Its default value should be “Explorer.exe“. However, ransomware virus did its job, and so after you click “Modify” you would see totally different value of this registry entry.
    2. Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of ransomware virus is located.
    3. Modify the value of the registry entry back to “explorer.exe” and save the settings of the Registry Editor.
    4. Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step.
    5. Get back to “Normal Mode“. In order to reboot your system, when at the command prompt, type-in the following phrase “shutdown /r /t 0” (without the quotation marks) and hit Enter button.

shutdown /r /t 0

  1. The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer.

Similar manual removal video

You may also like...

1 Response

  1. Pete says:

    I received one of these in a Christmas card email which blocked my computer with the camera light on. I shut the computer then restarted constantly tapping F8 key (Windows 8.1) then booted in safe mode. When logged in I ran Spyhunter which found the ransomware immediately and eliminated it. The computer was back to normal. No need to boot in safe mode with command if you have Spyhunter or other killer installed and no need to system restore. Only thing that worries me is how it got hrough my AVG antivirus.

Leave a Reply