Guardia Civil virus - How to remove?
What is Guardia Civil virus?
Guardia Civil virus is a ransomware program that infiltrates random computers in an attempt to extort money from their users. It targets computers located in Spain and uses the name of a Spanish military force to appear legitimate and make its demands more convincing. The program locks the computer and displays a warning that you are accused of using illegal content on your computer and must therefore pay a fine. Here is what the message shown by Guardia Civil virus looks like:
Your computer has been blocked due to the suspicion of downloading and distributing illegal content.
The illegal content mentioned (610 MB of video files) has been automatically classified as child pornography.
Such actions violate, in whole or in part, the following Spanish laws: Book II; Title VIII; Chapter VII. Child pornography is governed by Article 189 of the Spanish Penal Code: 1. Shall be punished with a prison sentence of one to three years: a) Anyone who uses minors or incapacitated persons for exhibitionist or pornographic purposes or performances, whether public or private, or to produce any kind of pornographic material, or who finances any of these activities. Anyone who produces, sells, distributes, exhibits or facilitates the production, sale, dissemination or exhibition by any means of pornographic material in whose production minors or incapacitated persons have been used, even if the material originated abroad or its origin is unknown. Anyone who causes a minor or incapacitated person to take part in conduct of a sexual nature that harms the evolution or development of that person's personality shall be punished with a prison sentence of six months to one year or a fine of six to twelve months.
Be aware that this is a fake message. It has nothing to do with the Spanish authorities; it was designed by criminals. At the end of the message users are asked to pay 100 euros to unlock their computer and avoid larger fines or even jail. Unfortunately, paying does not solve the problem. Guardia Civil virus only tries to get money from you, and once the transfer is made, its authors' goal is reached; it does not restore normal use of your computer.
Guardia Civil virus is installed on computers with the help of Trojans. Users cannot detect it at the infiltration stage, so they notice it only once the computer is already locked. Removing Guardia Civil virus is not easy, since it blocks the whole system and does not allow any of your programs to run. Below we provide several methods for eliminating this malicious program; choose the one that works for you.
Guardia Civil Virus removal guide
If your computer has more than one user account and not all of them are locked, log in to an account that is not blocked and scan the whole PC with an anti-malware program, e.g. SpyHunter. Another option is to use System Restore. If neither of these methods works for you, do the following:
- Restart your computer;
- Press F8 while it is restarting;
- Try the safe modes in the following order: Safe Mode, then Safe Mode with Command Prompt.
Then follow the guides below:
If your computer runs in Safe Mode or Safe Mode with Networking
- Launch MSConfig.
- Disable startup items that use rundll32 to launch any application from the Application Data folder. Note that these are typical locations for Guardia Civil virus files, but others may be used.
- Restart the system once again.
- Scan with http://www.2-viruses.com/downloads/spyhunter-i.exe to identify Guardia Civil virus files and delete them.
Here is a video showing how to complete the steps:
If your computer runs in Safe Mode with Command Prompt
- Run Regedit.
- Search for the Winlogon entries. Write down every file they reference that is not explorer.exe or blank, then replace those references with explorer.exe.
- Search the registry for Guardia Civil virus files and delete the registry keys referencing them.
- Try to reboot and scan with SpyHunter.
- If this fails, try a System Restore from Safe Mode with Command Prompt (rstrui.exe).
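The two safe-mode procedures above both come down to the same check: look at the Winlogon entries and the startup locations, and find anything that launches from Application Data or through rundll32. The following PowerShell script is an added example, not part of the original guide, that performs that audit and reports its findings instead of relying on a manual Regedit search. It assumes a standard Windows installation (Winlogon Shell = explorer.exe and the default Userinit value; the Userinit check is an addition beyond what the guide lists), that PowerShell is available from the Safe Mode command prompt, and that the suspicious-path pattern built from the guide's hints is good enough for a first pass. Nothing is changed unless you pass -Fix, and -WhatIf previews the one change it can make (resetting Shell to explorer.exe).

```powershell
# Added example, not from the original guide. Audits the registry locations the
# guide tells you to inspect by hand: the Winlogon entries (Shell / Userinit)
# and the Run / RunOnce startup keys, flagging any value that launches from
# Application Data, AppData or Temp, or through rundll32.
# Run from an elevated PowerShell started in Safe Mode with Command Prompt
# (type "powershell" at the prompt). Reports only, unless -Fix is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

# Expected values on a clean system (assumption: standard Windows install).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is part of the default
}

# Autostart keys that screen lockers commonly register themselves in.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations and launcher the guide singles out as typical for this locker
# (pattern constructed for this example; -match is case-insensitive).
$SuspectPattern = 'Application Data|\\AppData\\|\\Temp\\|rundll32'

# Properties PowerShell attaches to every Get-ItemProperty result; not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = 0

# 1. Winlogon: anything other than the default is a hijack candidate.
$wl = Get-ItemProperty -Path $WinlogonKey
foreach ($name in $Expected.Keys) {
    $actual = $wl.$name
    if ($actual -ne $Expected[$name]) {       # -ne is case-insensitive in PowerShell
        $findings++
        Write-Warning "Winlogon\$name = '$actual' (expected '$($Expected[$name])')"
        # The guide's fix is to put explorer.exe back; only Shell is touched here.
        if ($Fix -and $name -eq 'Shell' -and
            $PSCmdlet.ShouldProcess("$WinlogonKey\Shell", 'reset to explorer.exe')) {
            Set-ItemProperty -Path $WinlogonKey -Name Shell -Value 'explorer.exe'
            Write-Output 'Winlogon\Shell reset to explorer.exe'
        }
    }
}

# A per-user Shell override does not exist at all on a clean system.
$UserWinlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userShell = (Get-ItemProperty -Path $UserWinlogon -ErrorAction SilentlyContinue).Shell
if ($userShell) {
    $findings++
    Write-Warning "Per-user Winlogon\Shell override present: '$userShell'"
}

# 2. Run / RunOnce: report every value whose command line matches the pattern.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }
        if ("$($p.Value)" -match $SuspectPattern) {
            $findings++
            Write-Warning "$key\$($p.Name) = $($p.Value)"
        }
    }
}

Write-Output "$findings suspicious entries found. Disable the reported startup items in MSConfig, then reboot and scan with your anti-malware program."
```

Run it first without -Fix and read the warnings: a Shell value that is blank or points into Application Data is the locker's hook, and a Run entry that calls rundll32 on a file in AppData or Temp is the startup item the guide tells you to disable in MSConfig. The script deliberately does not delete Run entries or files; it leaves that to the anti-malware scan so that a false positive on a legitimate updater does not break anything.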
If none of the safe modes can be launched
Some versions of Guardia Civil virus disable all safe modes but leave a short window that you can use to run anti-malware programs:
- Reboot normally.
- Enter http://2-viruses.com/downloads/spyhunter-i.exe. If the malware has already loaded, press Alt+Tab once and keep typing the string blindly, then press Enter.
- Press Alt+Tab and then R a couple of times. The Guardia Civil virus process should be killed.
Here is a video detailing this approach:
Hitman Pro USB disk
If none of the methods above worked, try scanning the PC with a bootable USB or DVD disk. These should be able to remove all versions of Guardia Civil virus, but will not work if your hard drive is encrypted.
For this, we recommend using Hitman Pro Kickstarter USB.
- Download Hitman Pro on an uninfected PC.
- Run Hitman Pro and choose to create a Kickstarter USB (option on the initial screen).
- When the USB is ready, reboot the infected PC with the USB attached and press DEL to enter the boot settings.
- Choose the USB as the primary boot device.
- Boot normally.
- Run Hitman Pro and http://www.2-viruses.com/downloads/spyhunter-i.exe. One of these programs should detect and remove the malware from your PC.