Your computer is infected with malicious software? Do you have popups on your PC?
If so, search this blog for removal instructions or find computer threats by category.

Thursday, November 1, 2012

Oficina Virtual de Denuncias virus removal

Tell your friends:
Oficina Virtual de Denuncias virus is a Spanish variant of a ransomware infection that masquerades as local law enforcement agency and tells you that you've been caught accessing illicit material online. It's a clever decision that already works perfectly fine in most English speaking countries, so obviously it should work just fine in other countries as well. In such way the ransom becomes a fine. Infected computer becomes unusable until you pay the ransom, and we’re speaking about 100 euros or even more. It depends, but usually scammers ask to pay either 100 euros in Europe and 100 dollars in the United States and also Canada.



Oficina Virtual de Denuncias virus is distributed in various ways. Recently, we've got numerous PCs infected with the TrojanDownloader:Win32/Dofoil.R malware. It's a Trojan horse that silently downloads malicious applications without consent. This could include the installation of additional malware components to an affected computer according to Microsoft. This could be anything, ransomware, spyware or even rootkits. This Trojan horse was first detected this year, back in June or July if I'm not mistaken. I couldn't say it was used to distributed ransomware until recent months. Now, cyber criminals use this Trojan horse to distribute Oficina Virtual de Denuncias virus and similar ransomware as well.

Once this Trojan horse executes additional Spanish ransom ware components, affected users' computers become unusable. The ransomware component displays completely false notification about illicit material found on your computer. It uses Spanish police logo as a part of the scam to add more trustworthiness. Cyber crooks have also implemented a flash component that can access your web camera, if you have one of course, and display either your face or part of your room. I'm sure that this web cam component rarely works but when it does it can scare the living hell out of someone. The fake Oficina Virtual de Denuncias message says:
El ordenador suyo está bloqueado por el sistema d control informativo automatizado q está relacionado con la policía.
The ransom can be paid using either Pay Safe Card or Ukash. El ordenador suyo está bloqueado ukash is usually what users of an infected computers search for when trying to remove this virus. Both Ukash and Pay Safe Card vouchers are available to buy on various stores around the country. Nevertheless, DO NOT pay the ransom. The fake notification has nothing to do with the local authorities and besides, you've probably didn't do anything wrong whatsoever. What is more, Ukash and Pay Safe Card cannot dispute the charges. This is one of the reasons why scammers are using these services instead of Master Card and Visa payments processors.

Some variants of Oficina Virtual de Denuncias virus work in Safe Mode with Networking while others don't. First, reboot your computer in Safe Mode with Networking or Comman Prompt and try to restore your computer to an earlier date when the system was clean. If you can't do this or the virus blocks any attempts to remove it, use Kaspersky Rescue Disk or similar software if you like. Please follow detailed Oficina Virtual de Denuncias virus removal instructions below.


Oficina Virtual de Denuncias virus removal instructions (System Restore, may not work for all users):

1. Unplug your network cable and manually turn your computer off. Reboot your computer is Safe Mode with Command Prompt. As the computer is booting tap the F8 key continuously which should bring up the Windows Advanced Options Menu as shown below. Use your arrow keys to move to Safe Mode with Command Prompt and press Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the Oficina Virtual de Denuncias virus will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer into an earlier day.

6. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove Oficina Virtual de Denuncias virus and associated malware.


Oficina Virtual de Denuncias virus removal using Kaspersky Rescue Disk:

1. Download the Kaspersky Rescue Disk iso image from the Kaspersky Lab server. (Direct download link)
Please note that this is a large downloaded, so please be patient while it downloads.

2. Record the Kaspersky Rescue Disk iso image to a CD/DVD. You can use any CD/DVD record software you like. If you don't have any, please download and install ImgBurn. Small download, great software. You won't regret it, we promise.

For demonstration purposes we will use ImgBurn.

So, open up ImgBurn and choose Write image file to disc.



Click on the small Browse for file icon as show in the image. Browse into your download folder and select kav_rescue_10.iso as your source file.



OK, so know we are ready to burn the .iso file. Simply click the Write image file to disc button below and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.



3. Configure your computer to boot from CD/DVD. Use the Delete or F2, F11 keys, to load the BIOS menu. Normally, the information how to enter the BIOS menu is displayed on the screen at the start of the OS boot.



The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
  • Ctrl+Esc
  • Ctrl+Ins
  • Ctrl+Alt
  • Ctrl+Alt+Esc
  • Ctrl+Alt+Enter
  • Ctrl+Alt+Del
  • Ctrl+Alt+Ins
  • Ctrl+Alt+S
If you can enter Boot Menu directly then simply select your CD/DVD-ROM as your 1st boot device.

If you can't enter Boot Menu directly then simply use Delete key to enter BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority.



Set CD/DVD-ROM as your 1st Boot Device. Save changes and exist BIOS menu.



4. Let's boot your computer from Kaspersky Rescue Disk.

Restart your computer. After restart, a message will appear on the screen: Press any key to enter the menu. So, press Enter or any other key to load the Kaspersky Rescue Disk.



5. Select your language and press Enter to continue.



6. Press 1 to accept the End User License Agreement.



7. Select Kaspersky Rescue Disk. Graphic Mode as your startup method. Press Enter. Once the actions described above have been performed, the operating system starts.



8. Click on the Start button located in the left bottom corner of the screen. Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Oficina Virtual de Denuncias virus. It won't take very long.



9. Click on the Start button once again and fire up the Kaspersky Rescue Disk utility. First, select My Update Center tab and press Start update to get the latest malware definitions. Don't worry if you can't download the updates. Just proceed to the next step.



10. Select Object Scan tab. Place a check mark next to your local drive C:\. If you have two or more local drives make sure to check those as well. Then click Start Objects Scan to scan your computer for malicious software.



11. Quarantine (recommended) or delete every piece of malicious code detected during the system scan.



12. You can now close the Kaspersky Rescue Disk utility. Click on the Start button and select Restart computer.



13. Please restart your computer into the normal Windows mode. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove Oficina Virtual de Denuncias virus and associated malware.


Associated Oficina Virtual de Denuncias virus files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"
Tell your friends:

0 comments: