Written by Tomas Meskauskas
Damage level: Severe
"GEMA: Your computer has been locked!" Virus - how to remove it?
What is GEMA?
GEMA is one of the largest societies of authors for works of music worldwide. Cyber criminals, however, use the GEMA name in their ransomware to trick unsuspecting PC users into paying a bogus fine, supposedly for downloading copyrighted material from the Internet. GEMA has no connection with this computer locker: cyber criminals exploit the name to make their deceptive message appear authentic. The text of this fake message asserts that you have downloaded copyrighted material from the Internet, thereby committing a criminal offence. This message is a scam - do not trust it.
If you pay this fine, your money goes to cyber criminals and your computer will remain locked. This ransomware is categorized as a Euro Winlocker, and previous variants of this scam exploited the name of the International Police Association. Ransomware infections such as "GEMA - Your computer has been locked!" are commonly localized: they are able to identify your computer's IP address and thus present the deceptive message in your language.
To distribute GEMA ransomware, cyber criminals use Trojans and malicious websites. To prevent these infections from entering your computer, use legitimate antivirus and anti-spyware software. Ransomware infections have become a profitable business for Internet criminals, and they continue to develop and distribute new versions of these computer lockers. Do not trust any screen lockers - no authorities use these methods to collect fines for infringements. If your PC is already infected with this ransomware, use this removal guide to eliminate it and unlock your PC.
A fake message shown within the GEMA ransomware:
All activity of this computer has been recorded. If you use a web cam, video and pictures were saved for identification. You can be clearly identified by resolving your IP address and the associated host-name. Your computer has been locked! Illegally downloaded material (MP3's, Movies or Software) has been located on your computer. By downloading, those were reproduced, thereby involving a criminal offense under Section 106 of the Copyright Act. The downloading of copyrighted material via the Internet or music-sharing networks is illegal and is in accordance with Section 206 of the Copyright Act subject to a fine or imprisonment for a penalty of up to 3 years. Furthermore, possession of illegally downloaded material is punishable under Section 184 paragraph 3 of the Criminal Code and may also lead to the confiscation of the computer, with which the files were downloaded. To unblock your computer and to avoid other legal consequences you are obligated to pay a release fee of 100 euro. Payable through Paysafecard or Ukash. After successful payment your computer will automatically unlock. Failure to adhere to this request could involve criminal charges and possible imprisonment.
To unlock your computer and to avoid other legal consequences you are obligated to pay a release fee of 100 euro. Payable through Paysafecard or Ukash. After successful payment your computer will automatically unlock. Failure to adhere to this request could involve criminal charges and possible imprisonment. To perform the payment, enter the acquired Paysafecard or Ukash code in the designated payment field and Press the "OK" button.
GEMA ransomware removal:
Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. While your computer is starting, press the F8 key on your keyboard multiple times until you see the Windows Advanced Options menu, then select Safe Mode with Networking from the list.
Log in to the account infected with GEMA ransomware. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all the entries detected.
After completing these steps your computer should be clean. Reboot your computer in Normal Mode.
Alternative GEMA ransomware removal guide:
If this ransomware blocks your screen when you start your computer in Safe Mode with Networking, try starting your PC in Safe Mode with Command Prompt.
1. While your computer is starting, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, then select Safe Mode with Command Prompt from the list and press ENTER.
2. In the opened Command Prompt, type explorer and press Enter. This command will open the Explorer window - do not close it and continue to the next step.
3. In the Command Prompt, type regedit and press Enter. This will open the Registry Editor window.
4. In the Registry Editor window, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
5. In the right side of the window, locate "Shell" and right-click it. Click Modify. The default value in the Data column is Explorer.exe - if you see something else displayed in this window, take a note of it (this is the path of the rogue executable file), then remove it and type Explorer.exe. Use the noted path to navigate to the rogue executable and remove it.
6. Restart your computer, download and install legitimate anti-spyware software and perform a full system scan to eliminate any remnants of GEMA ransomware.
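The check in steps 4 and 5 can also be done as a read-only audit before editing anything. The script below is an added example, not part of the original guide: it reads the "Shell" value under the Winlogon key named in step 4, flags any entry other than Explorer.exe, and hashes the referenced file so it can be identified before removal. It assumes PowerShell 4.0 or later; the function name Get-WinlogonShellFinding is hypothetical, and the additional look at the same key under HKEY_CURRENT_USER goes beyond the guide, which names only HKEY_LOCAL_MACHINE.

```powershell
# Added example, not from the original guide: read-only audit of the Winlogon "Shell" value.
$SubKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # key from step 4
$Expected = 'explorer.exe'                                            # default from step 5

function Get-WinlogonShellFinding {              # hypothetical helper name
    param([Parameter(Mandatory)][string]$Hive)   # 'HKLM:' or 'HKCU:'

    $item = Get-ItemProperty -Path "$Hive\$SubKey" -Name Shell -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing value is normal under HKCU; under HKLM it should exist.
        $status = if ($Hive -eq 'HKLM:') { 'MissingValue' } else { 'NotSet' }
        return [pscustomobject]@{ Hive = $Hive; Entry = $null; Status = $status
                                  Path = $null; SHA256 = $null }
    }

    # The data may hold several comma-separated commands; check each one.
    foreach ($entry in ($item.Shell -split ',')) {
        $cmd = $entry.Trim().Trim('"')
        if ($cmd -eq '') { continue }
        if ($cmd -ieq $Expected) {
            [pscustomobject]@{ Hive = $Hive; Entry = $cmd; Status = 'Default'
                               Path = $null; SHA256 = $null }
            continue
        }
        # Anything else needs manual review. Hash the file only if the entry
        # resolves to an existing file (entries with arguments will not).
        $path = [Environment]::ExpandEnvironmentVariables($cmd)
        $hash = $null
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [pscustomobject]@{ Hive = $Hive; Entry = $cmd; Status = 'NonDefault'
                           Path = $path; SHA256 = $hash }
    }
}

# Audit the machine-wide key from the guide, plus the per-user key (added assumption).
$findings = 'HKLM:', 'HKCU:' | ForEach-Object { Get-WinlogonShellFinding -Hive $_ }
$findings | Format-List
if ($findings.Status -contains 'NonDefault') {
    Write-Warning 'Non-default Winlogon Shell entry found; note the path, then follow step 5.'
}
```

The script changes nothing; restoring the value and deleting the rogue file remain the manual actions described in step 5.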
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode, making removal more complicated. For this step, you need access to another computer. After removing GEMA ransomware from your PC, restart your computer and scan it with legitimate anti-spyware software to remove any possible remnants of this infection.
Anti-spyware programs known to detect and remove GEMA ransomware: