Tuesday, 3 May 2011

Trojan.Ransom Fake Federal German Police (BKA) notice variante

This trojan blocker ( MD5: dcc4501e3348c4665391ff126d7c2fb1 ) prevents all software execution.
To remove the Trojan (and unlock windows), infected users need to enter a valid serial number.

According to VirusTotal this sample is detected by just 1 Antivirus: http://www.virustotal.com/file-scan/report.html?id=6936ad765d92f29e6f0db79aec572f62578a4f36db213ee8e5bc893b4683f421-1304434982

Unfortunately, like the previous version, the unlock code is not stored inside, there is no way to get it with reverse engineering.
And now the escrow accept paysafecard... (Oldest versions have only one way to pay: Ukash)

Manual remove:
1) Restart your pc
2) Before the Windows XP splash screen, press the F8 key to enter the Windows Advanced Options Menu and choose: Safe Mode With Command Prompt
3) Type 'regedit' in the console and go here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
4) Find the key 'Shell' and replace the value by 'Explorer.exe'
5) Reboot your pc.

Fake BKA notice on the past:
Trojan.Ransom Fake Federal German Police (BKA) notice


  1. Maybe unlock code not included at all :)

  2. Hi. I am trying to do this but since my computer is german language, when I type regedit, is looks like this ?eged?t, how do I fix this thanks!

  3. Hello

    I have similar problem, I am in Germany and I got this Trojan - but the warning comes from spanish police. Does anybody know what is the key there?

  4. Hey Steven !

    Je ne comprends pas ou il faut taper redigit, je n'ai rien qui s'affiche et aucne boite de dialogue ! Peux-tu m'aider ?? merci !

  5. Tu le tape dans ta console quand tu et en safe mode
    ça: http://postfiles16.naver.net/20110415_287/kbcampustar5_1302833611189Eqdn1_JPEG/cmd_regedit.jpg?type=w1