Wednesday, 4 May 2011

Remove BUNDESPOLIZEI Ransomware (Uninstall Guide)

"BUNDESPOLIZEI Achtung! Ein Vorgang illegaler Aktivitaten wurde erkannt." My German is not very good but I think this sentence means that German Federal Police caught you doing something wrong. It is not very often that we see ransomware that targets Internet users in Germany. It states that you were watching pornography and doing other illegal activities. The Trojan horse demands payment (100 Euro) in exchange for the unlock key. You can send money via Ukash or PaySafeCard. It also displays your IP, ISP, location and the version of web browser you're using to make you think you're in big trouble. The ransom Trojan blocks pretty much everything, even in safe mode. Don't fall victim to the BUNDESPOLIZEI scam. Spend your 100 Euros on something else. We've got the removal instructions to help you to remove this "BUNDESPOLIZEI" ransomware for free. Please follow the steps in the removal guide below. Good luck and be safe online!

BUNDESPOLIZEI ransomware removal instructions:

1. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key. Log in as the same user you were previously logged in as in normal Windows mode.

2. Open Windows Registry editor using the Windows command prompt. Type regedit and press Enter. The Registry Editor opens.

3. Locate the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right-hand pane, select the registry value named Shell. Right-click this value and choose Modify.

The default value is Explorer.exe.

The modified value data points to the BUNDESPOLIZEI executable file.

Please note the file name; in our case it was "contacts.exe". Then change the value data to Explorer.exe.

4. Choose Edit → Find (or press Ctrl+F). Registry Editor displays the Find dialog box. Type in the file name that you noted in the previous step and click the Find Next button. Remove all entries found in the Windows registry that are related to this file.

We found two additional registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603


Exit the Registry editor.

5. At the command prompt, type shutdown /r /t 0 and press Enter. This restarts the computer in normal mode.

6. Download recommended anti-malware software (direct download) to remove the leftovers of this ransomware.
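
A scripted version of the check in step 3, as an added example that is not part of the original guide: it parses the text printed by reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell and reports every Shell entry other than the default Explorer.exe. The sample outputs are constructed, the function names are hypothetical, and splitting the value on commas is a precaution this guide does not describe.

```python
import re

# Default Shell value as stated in step 3; compared case-insensitively.
DEFAULT_SHELL = "explorer.exe"

# A value line in `reg query` output: indent, name, REG_* type, optional data.
# Columns are separated by spaces or tabs depending on the Windows version.
_VALUE_LINE = re.compile(
    r"^\s+(?P<name>\S.*?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$"
)


def parse_reg_query(text):
    """Return {value name: data} for every value line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = (m.group("data") or "").strip()
    return values


def unexpected_shell_entries(text):
    """Return every Shell entry that is not exactly the default Explorer.exe.

    A full path ending in explorer.exe is also reported, because only the
    bare default is trusted. Raises ValueError if no Shell value is present,
    so a failed or truncated query is never mistaken for a clean result.
    """
    values = parse_reg_query(text)
    if "Shell" not in values:
        raise ValueError("no Shell value found in reg query output")
    entries = [e.strip().strip('"') for e in values["Shell"].split(",")]
    return [e for e in entries if e and e.lower() != DEFAULT_SHELL]


# Constructed sample outputs (not captured from a real machine).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLEAN = WINLOGON + "\n    Shell    REG_SZ    Explorer.exe\n"
INFECTED = WINLOGON + "\n    Shell\tREG_SZ\tcontacts.exe\n"
APPENDED = WINLOGON + "\n    Shell    REG_SZ    explorer.exe, contacts.exe\n"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED), ("appended", APPENDED)):
        print(label, unexpected_shell_entries(sample))
```

Any name it reports is the file name to search for in step 4.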

Read more about Trojan.Ransomware.

Associated BUNDESPOLIZEI Ransomware files and registry values:

  • [RANDOM].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell = [RANDOM].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 "000 = [RANDOM].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "[RANDOM].exe"