Search this blog

Thursday, January 12, 2012

Activité illicite demelee virus

At present time many computers in France are being attacked with a new ransomware virus program developed by criminals in order to trick users and make them pay money in the form of ransom. This Trojan is the successor of another one previously described by us. It is known as Votre ordinateur a été bloqué pour violation de la loi Française virus. The new malware titled as Activité illicite demelee has not been changed much though. Its form of activity remained the same. When the virus infects the PC it completely blocks the computer and asks user to pay the ransom to restore and to unlock it. Here is the quotation of what it says in the very beginning:

Activité illicite demelee!
Ce blocage de l'ordinateur sert a la prevention de vos actes illégaux. Le systeme d'exploitation a ete bloque a cause de la dérogation de lois de la Republique Française!

It also accuses the user of doing many bad things – spreading spam, watching extremely sinful information, photos and videos and sharing this filthy data with others. Needless to say, to hear such accusation in such a form is really unexpected for all people. The virus would tell you that if you do not effect the payment in the manner offered by them you would be reported to the police for your supposed crimes. Of course, these accusations have nothing to do with the truth. The malware has the only goal – to fool as many users as possible, and for this reasons it tells a lot of lies about you and your behavior. So, you need to completely ignore this virus and what it actually tells you to do. The important thing is to remove the malware immediately. From our previous article about the virus called Votre ordinateur a été bloqué pour violation de la loi Française we know several techniques how to effectively delete the malware from your system. There are several options, by the way. One is automatic and the other is completely manual, even though both of these options include manual interference. If your PC suffers from Activité illicite demelee virus please carefully follow these guidelines and remove the scam immediately.

Automatic removal solution (recommended):

  1. Go to your friend, relative or anybody else who has computer with Internet connection.
  2. Take your USB flash drive / Memory Stick with you.
  3. Download GridinSoft Trojan Killer installation file from this site and save it to your USB flash drive / Memory Stick.
  4. malware removal tool

  5. Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
  6. Perform hard reset (press reset button on your computer) if your infected PC has been on with Activité illicite demelee virus background. If not, then simply turn your PC on.
  7. Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
  8. In the window that appeared select “Safe mode with command prompt” option and press Enter.
  9. Choose your operating system and user account which was infected with Activité illicite demelee virus.
  10. In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
  11. Select “My Computer” and choose your USB flash drive / Memory Stick.
  12. Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
  13. When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
  14. In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
  15. Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
  16. However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing Activité illicite demelee virus to infect your PC.

Automatic removal video:

Activité illicite demelee manual removal milestones (optional and might not be effective):

  1. Restart your system into "Safe Mode with Command Prompt". While the PC is booting press the "F8 key" continuously, which should present the "Windows Advanced Options Menu" as presented in the image below. Apply the arrow keys in order to move to "Safe Mode with Command Prompt" and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.
  2. Safe Mode with command prompt
  3. Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word "explorer", and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.
  4. Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word "regedit" and hit Enter button of your keyboard. The Registry Editor should open.
  5. You know how it normally looks like, don't you? Well, here is the screenshot of it:

  6. Find the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ In the right-side panel select the registry entry named Shell. Right click on this registry key and select "Modify" option. Its default value should be "Explorer.exe". However, Activité illicite demelee virus did its job, and so after you click "Modify" you would see totally different value of this registry entry.
  7. Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of Activité illicite demeleevirus is located.
  8. Modify the value of the registry entry back to "explorer.exe" and save the settings of the Registry Editor.
  9. Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step. In our case, Activité illicite demelee virus file was located and running from the Desktop. There was a file called "contacts.exe", but it may have different (random) name.
  10. Get back to "Normal Mode". In order to reboot your PC, when at the command prompt, type-in the following phrase "shutdown /r /t 0" (without the quotation marks) and hit Enter button.
  11. The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer downloadable through the button below.

Manual removal video:

Associated virus files to be removed:


Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[random].exe"

1 comment:

Gabriel said...

What should I do if the virus is not allowing me to access the command prompt? It blocks the pc before I can type "explorer".

Post a Comment

Search this blog