"GEMA: Your computer has been locked!" Virus - how to remove it?
GEMA is one of the largest societies of authors for works of music worldwide. However, cyber criminals have started using the name of GEMA in their ransomware, trying to trick unsuspecting PC users into paying a non-existent fine, supposedly for downloading copyrighted material from the Internet. GEMA doesn't have anything to do with this computer locker; cyber criminals are exploiting the name of this company to make their deceptive message appear more legitimate. The text of this fake message states that you have downloaded copyrighted material from the Internet, thereby committing a criminal offense. This message is a scam - you shouldn't trust it.
If you pay this fine, you will send your money to cyber criminals and your computer will remain locked. This ransomware is categorized as Euro Winlocker; previous variants of this scam exploited the name of the International Police Association. Ransomware infections such as "GEMA - Your computer has been locked!" are most commonly localized: they are able to identify your computer's IP address and present the deceptive message in your language.
To distribute GEMA ransomware, cyber criminals use Trojans and malicious websites. To prevent such infections from entering your computer, you should use legitimate antivirus and anti-spyware software. Ransomware infections have become a very profitable business for Internet criminals, so they continue to create and distribute new versions of these computer lockers. You shouldn't trust any such screen locker - no authorities use such methods to collect fines for law infringements. If your PC is already infected with this ransomware, use this removal guide to eliminate it and unlock your PC.
Fake message shown in GEMA ransomware:
All activity of this computer has been recorded. If you use a web cam, video and pictures were saved for identification. You can be clearly identified by resolving your IP address and the associated host-name. Your computer has been locked! Illegally downloaded material (MP3's, Movies or Software) has been located on your computer. By downloading, those were reproduced, thereby involving a criminal offense under Section 106 of the Copyright Act. The downloading of copyrighted material via the Internet or music-sharing networks is illegal and is in accordance with Section 206 of the Copyright Act subject to a fine or imprisonment for a penalty of up to 3 years. Furthermore, possession of illegally downloaded material is punishable under Section 184 paragraph 3 of the Criminal Code and may also lead to the confiscation of the computer, with which the files were downloaded. To unblock your computer and to avoid other legal consequences you are obligated to pay a release fee of 100 euro. Payable through Paysafecard or Ukash. After successful payment your computer will automatically unlock. Failure to adhere to this request could involve criminal charges and possible imprisonment.
To unlock your computer and to avoid other legal consequences you are obligated to pay a release fee of 100 euro. Payable through Paysafecard or Ukash. After successful payment your computer will automatically unlock. Failure to adhere to this request could involve criminal charges and possible imprisonment. To perform the payment, enter the acquired Paysafecard or Ukash code in the designated payment field and Press the "OK" button.
GEMA ransomware removal:
Start your computer in safe mode. Click Start, then click Shut down. Select Restart and click OK. While your computer is starting, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu shows up, then select Safe mode with networking from the list and press ENTER.
Log in to the account that is infected with GEMA ransomware. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all the entries that it detects.
After completing these steps your computer should be clean. Reboot your computer in normal mode.
Alternative GEMA ransomware removal guide:
If this ransomware blocks your screen when you start your computer in safe mode with networking, try starting your PC in safe mode with command prompt.
1. While your computer is starting, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu shows up, then select Safe mode with command prompt from the list and press ENTER.
2. In the opened command prompt, type explorer and press Enter. This command will open an Explorer window; don't close it, and continue to the next step.
3. In the command prompt type regedit and press Enter. This will open the registry editor window.
4. In the registry editor window you should navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
5. In the right side of the window, locate "Shell" and right-click on it. Click on Modify. The default value data is Explorer.exe. If you see something else written in this window, remove it and type in Explorer.exe. You can write down whatever else was written in the value data section - this is the path of the rogue executable file. Use this information to navigate to the rogue executable and remove it.
6. Restart your computer, download and install legitimate anti-spyware software, and perform a full system scan to eliminate any remnants of GEMA ransomware.
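Steps 4 and 5 above can also be carried out from a script. The following PowerShell is an added example, not part of the original guide: the function name Repair-WinlogonShell and its -Repair switch are hypothetical, and it assumes PowerShell can be started with administrator rights from the Safe Mode command prompt.

```powershell
# Added example (not from the original guide): audit the Winlogon "Shell" value
# from steps 4-5. Function name and -Repair switch are hypothetical.
function Repair-WinlogonShell {
    param([switch]$Repair)

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # Accepted forms of the default shell (comparison is case-insensitive)
    $expected = @('explorer.exe', (Join-Path $env:windir 'explorer.exe'))

    $current = (Get-ItemProperty -Path $key -Name Shell -ErrorAction Stop).Shell
    Write-Output "Current Shell value: $current"

    # The value may list several comma-separated programs; keep the non-default ones
    $extra = @($current -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -and ($expected -notcontains $_) })

    if ($extra.Count -eq 0) {
        Write-Output 'Shell is the default; nothing to repair.'
        return
    }

    foreach ($entry in $extra) {
        Write-Output "Unexpected shell entry (write this down): $entry"
        if (Test-Path -LiteralPath $entry -PathType Leaf) {
            # File details help locate and later remove the rogue executable
            $file = Get-Item -LiteralPath $entry -Force
            Write-Output "  Size: $($file.Length) bytes, created: $($file.CreationTime)"
        } else {
            Write-Output '  No file at that exact path (entry may carry arguments).'
        }
    }

    if ($Repair) {
        # Same change as step 5: restore the default value data
        Set-ItemProperty -Path $key -Name Shell -Value 'Explorer.exe'
        Write-Output 'Shell reset to Explorer.exe; remove the listed files, then reboot.'
    }
}

Repair-WinlogonShell            # report only
# Repair-WinlogonShell -Repair  # report, then restore the default
```

Run it once in report-only mode to capture the rogue path before switching to -Repair, since resetting the value discards the only pointer to the executable.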
If you can't start your computer in safe mode with networking (or with command prompt), you should boot your computer using a rescue disk. Some variants of ransomware disable safe mode, making their removal more complicated. For this step you will need access to another computer. After removing GEMA ransomware from your PC, restart your computer and scan it with legitimate anti-spyware software to remove any remnants of this infection.
Anti-spyware programs known to detect and remove GEMA ransomware: