Getting rid of the Buma Stemra ransomware malware


For about a week now a new Dutch version of a piece of ransomware has been active in the Netherlands. This malware claims to be from Buma Stemra, but of course has nothing to do with the real Buma Stemra. The malware takes over the system by replacing the start of explorer.exe (the Winlogon Shell entry) with itself, so as soon as the system starts the malware is loaded instead of the normal Windows environment. The malware further disables editing the registry, accessing the Task Manager and getting access to the system in any other way. When infected you cannot access your own system anymore; the only thing the system will do is show the screen below.

[Screenshot: the lock screen shown by the Buma Stemra malware]

Some news coverage of this malware can be found on WebWereld, and a nice overview of how to get rid of it can be found on pcwebplus.nl. The pcwebplus.nl approach involves starting your system from the Kaspersky boot CD, which is a good approach, but it requires that you are able to download the boot CD image and burn it. The approach described in this article is mostly based on the one on pcwebplus.nl, but it shows a way of cleaning your system without having to boot from a CD. This approach has been tested on Windows XP; the approach for Windows 7 can be found here: http://www.thice.nl/getting-rid-of-the-buma-stemra-ransomware-malware-windows-7/ At the end of this page there is a video showing all the steps.


Step 1: Get access to an explorer window

To break out of the malware’s grip we first need some kind of explorer window. One way to get one is through a print pop-up: press Ctrl-P, or select some text and press the right mouse button; the pop-up then shows the option to print the selected text. In the print pop-up select the print-to-file option and press Print, which opens an explorer window (a file browser) asking where to save the file. Ctrl-P might take a while to respond and pressing it a couple of times won’t hurt, but selecting text seems to work a bit better.

The following screenshots show the steps to take.

Step 2: Replace the malware

Now that we have the file browser window shown above, we have (crippled) access to our machine again. The next step is to replace the malware file: we copy explorer.exe and rename the copy to the malware’s file name, so that on the next boot the system runs explorer.exe instead of the malware. To replace the malware, go through the following steps:

  1. Browse to C:\Windows\
  2. Type *.exe in the File name field
  3. Select explorer.exe
  4. Copy the file by pressing Ctrl-C (the right mouse button doesn’t work very well in this window)
  5. Browse to the “Application Data” directory of the current user
    (for Administrator user: C:\Documents and Settings\Administrator\Application Data\ )
  6. Paste the copied explorer.exe file by pressing Ctrl-V
  7. Rename the malware file; just adding an underscore behind it will be enough
  8. Rename the copied explorer.exe file to the malware file name
  9. Reboot

Since we do not have access to the shutdown controls, hold the power button of the system for 7 seconds to turn it off, then turn it back on.

The following screenshots provide more detail on the steps above.


Step 3: Enable RegEdit

After the reboot we have slightly less crippled access to the system. However, there are still quite a few steps to take before we can use Windows normally again. The next step is to regain access to the Registry. The malware blocks RegEdit and thus also prevents us from merging .reg files; to enable RegEdit again we need to change the Registry, so it seems we are stuck here. However, the DisableRegistryTools policy only blocks regedit.exe itself: other programs and scripts can still write to the Registry. So to enable RegEdit again we create a small VBS script that changes the registry value which blocks RegEdit. The steps to do this are:

  • Create a new file with Right mouse button –> New –> Text Document
  • Name the file fix.vbs
  • Edit the file and add the following line to it (it must be all on one line):
 WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
  • Save the file and run it by double clicking it.

The following screenshots provide more detail on the steps above.


Step 4: Get full access to Windows

After running the VBS file we can access the Registry again with RegEdit. Start RegEdit by browsing to the C:\Windows directory and double clicking regedit.exe.

Using RegEdit, DELETE the following keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VX2bt1oYNKCLnkO
  • HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
  • HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VX2bt1oYNKCLnkO

Then CHANGE the following keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Change the value of “Userinit” to “C:\Windows\System32\Userinit.exe,” (the trailing comma is part of the normal value)

Change the value of “Shell” to “Explorer.exe”


With different versions of the malware the Registry locations might be different than displayed above. The best way to search for any remaining registry information set by the malware is to search for the malware name.

After all these changes, reboot the system: bring up the Task Manager (which is now enabled again) with Ctrl-Shift-Esc, choose Shut Down and then Restart.
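Steps 3 and 4 amount to checking a handful of registry locations by hand. The following VBScript is an added example (it is not part of the original article) that audits those same locations on Windows XP and, with the /fix switch, restores the policy and Winlogon values the way the steps above do; the file name, the /fix switch, the system drive C: and the default Shell and Userinit values are my assumptions, and Run entries are only reported so the malware file can be inspected and saved first.

```vbscript
' winlogon_audit.vbs (example, not from the original article)
' Audits the registry locations restored by hand in Steps 3 and 4.
' Usage:  cscript //nologo winlogon_audit.vbs        (report only)
'         cscript //nologo winlogon_audit.vbs /fix   (also restore)
' Assumptions: Windows XP on drive C:, default Winlogon values
' "Explorer.exe" and "C:\Windows\System32\Userinit.exe,".
Option Explicit

Const HKCU = &H80000001
Const HKLM = &H80000002
Const RUN_KEY = "Software\Microsoft\Windows\CurrentVersion\Run"

Dim sh, reg, fix, findings, policies, p, v
Dim winlogon, expected, k, valName, actual, roots, root, names, types, i, cmd
Set sh  = CreateObject("WScript.Shell")
Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
fix = (WScript.Arguments.Count > 0 And LCase(WScript.Arguments(0)) = "/fix")
findings = 0

' 1. Policy DWORDs the malware sets to 1 (Steps 3 and 4). A clean system
'    either lacks the value or has it set to 0.
policies = Array( _
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", _
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", _
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop", _
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", _
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
For Each p In policies
  v = ReadValue(p)
  If Not IsEmpty(v) Then
    If v <> 0 Then
      Report "restrictive policy set: " & p & " = " & v
      If fix Then sh.RegWrite p, 0, "REG_DWORD"
    End If
  End If
Next

' 2. Winlogon Shell/Userinit (Step 4). HKCU normally has neither value,
'    so only a value that is present but different is flagged.
winlogon = Array("HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\", _
                 "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\")
Set expected = CreateObject("Scripting.Dictionary")
expected.Add "Shell", "Explorer.exe"
expected.Add "Userinit", "C:\Windows\System32\Userinit.exe,"
For Each k In winlogon
  For Each valName In expected.Keys
    actual = ReadValue(k & valName)
    If Not IsEmpty(actual) Then
      If StrComp(actual, expected(valName), vbTextCompare) <> 0 Then
        Report "Winlogon " & valName & " hijacked: " & k & valName & " = """ & actual & """"
        If fix Then sh.RegWrite k & valName, expected(valName), "REG_SZ"
      End If
    End If
  Next
Next

' 3. Run entries whose command lives under a profile's Application Data
'    folder, where the article locates the malware file (report only).
roots = Array(Array(HKCU, "HKCU"), Array(HKLM, "HKLM"))
For Each root In roots
  If reg.EnumValues(root(0), RUN_KEY, names, types) = 0 Then
    If IsArray(names) Then
      For i = 0 To UBound(names)
        cmd = ""
        If types(i) = 1 Then reg.GetStringValue root(0), RUN_KEY, names(i), cmd
        If types(i) = 2 Then reg.GetExpandedStringValue root(0), RUN_KEY, names(i), cmd
        If InStr(1, cmd, "Application Data", vbTextCompare) > 0 Then
          Report "Run entry from Application Data: " & root(1) & "\" & RUN_KEY & "\" & names(i) & " = " & cmd
        End If
      Next
    End If
  End If
Next

If findings = 0 Then
  WScript.Echo "No tampering found in the audited keys."
ElseIf fix Then
  WScript.Echo findings & " finding(s); policy and Winlogon values restored. Reboot, then scan the system."
Else
  WScript.Echo findings & " finding(s); rerun with /fix to restore policy and Winlogon values."
End If

' RegRead raises an error when the value or key is missing; map that to Empty.
Function ReadValue(path)
  On Error Resume Next
  ReadValue = sh.RegRead(path)
  If Err.Number <> 0 Then ReadValue = Empty
  On Error GoTo 0
End Function

Sub Report(msg)
  findings = findings + 1
  WScript.Echo "[!] " & msg
End Sub
```

Because the script uses the Windows Script Host and WMI rather than regedit.exe, it runs even while the DisableRegistryTools policy is still set, which is the same reason the fix.vbs of Step 3 works.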

Step 5: Clean your system

After the reboot you have full access to the system again; however, your Desktop will still be empty. To get the Desktop items back, right-click on the desktop and select Arrange Icons By and then Show Desktop Icons.

The next thing to do is scan your whole system for any remaining malware. Microsoft Security Essentials, for example, has recognized this specific malware since March 2, 2012, so it should be able to remove the malware files. I would still recommend a full reinstall of the system after you have recovered all your data, because malware often does not come alone. Since the malware might have infected your system through a drive-by download, it makes sense to make sure all your software is up to date (pay special attention to Windows Update, Adobe Flash, Adobe PDF Reader and Java). This might also be a good moment to start thinking about creating some backups 😉


Video of the whole process


Update May 2012

It seems the malware is now targeting other countries besides the Netherlands; it now also pretends to be from the following parties:

  • SUISA (Switzerland)
  • GVU (Germany)
  • AKM (Austria)
  • PRS (United Kingdom)
  • SACEM (France)

More info can be found on abuse.ch: http://www.abuse.ch/?p=3718


62 Comments

  • Thice.nl » Getting rid of the Buma Stemra ransomware malware – Windows 7
    09/03/2012

    […] reached me that my approach to get rid of the Buma Stemra Ransomware malware did not work on Windows 7. I initially only tested the approach on Windows XP, but I now took the […]

  • Roberto
    12/03/2012

    I executed all these steps. However after I deleted every entry in the registry the following happens:

    1) The desktop and the start menu do not appear
    2) In the taskbar the executable is running but this is already deleted: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VX2bt1oYNKCLnkO

    How can I resolve this?

  • Thice
    12/03/2012

    @Roberto
    Could you tell me which Windows version you got and maybe provide the malware file to me (renamed and in encrypted rar file)?

    Did you check for any other occurrence of NoDesktop in the registry? Did you change all the occurrences of ‘Userinit’ and ‘Shell’?

  • Roberto
    12/03/2012

    I use Windows XP. The Malware file is the file like VX2bt1oYNKCLnkO related to the executable?

    The following is executed:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (passed)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (passed)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VX2bt1oYNKCLnkO (passed)
    HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (not available)
    HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (not available)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VX2bt1oYNKCLnkO (passed)

    Then CHANGE the following keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    Change the value of “Userinit” to “C:\Windows\System32\Userinit.exe,” (passed)

    Change the value of “Shell” to “Explorer.exe” (passed)

  • Roberto
    13/03/2012

    The keys were not changed: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon

    After the change everything looks fine. Thank you for providing the information!

  • Ilias
    13/03/2012

    You guys just made my day, man..
    This tutorial was excellent, and without it I would’ve gone crazy

    Loveee!

  • computerdood
    15/03/2012

    Damnit, I got rid of all the registry stuff but I can’t find the file that’s supposed to be in the Application Data folder because I’m on Windows 7. Can somebody help? I’m going completely mental, been looking for a solution 3 days straight now

  • Thice
    15/03/2012

    @computerdood
    Check C:\Users\[username]\AppData\Roaming\

    Check for more details on Windows 7 here:
    http://www.thice.nl/getting-rid-of-the-buma-stemra-ransomware-malware-windows-7/

  • Bol.a.Wale
    07/04/2012

    Thanks for this, it was very useful. I must also mention that one can use the registry editor remotely to make the registry changes.

  • jorieke
    11/04/2012

    Hello,
    I can’t get further than step 2 – 2.
    I can’t locate *.exe
    What can I do now?

    please help..

  • Ermo
    16/04/2012

    What a F*cked up piece of MALWARE. But I solved it!
    I approached it a little bit differently than mentioned above though! So I thought I should share it with you guys! I just simply rebooted my pc, hit F8 a few times, then chose safe mode with command prompt! Then I accessed system recovery by typing “%systemroot%\system32\restore\rstrui.exe”. After the recovery it works just fine! I checked my pc for any traces, but couldn’t find any!

  • Peter
    18/04/2012

    Thanks for the help. I searched in regedit for soundblaster_fx648 as an .exe with the same name seemed to cause all the trouble.

    But I wonder: given that my system was compromised, would it be best to reinstall the OS? What about my data? Some websites claim there might be some backdoor open for hackers, government, and the such. Or that there is more malware, viruses, … hidden in the system now.

    While I believe these claims to some degree, I wonder if reinstalling will be worth the effort – drive-by infections (that you notice just as little as the ones that are on there now) can be back in an instant and all the work has been for nothing.

    How do you guys cope with that?

  • Thice
    20/04/2012

    @Peter
    Hi Peter,

    I would always recommend to fully reinstall a system that has been infected with malware. Malware often doesn’t come alone and the only way to be sure you remove everything is by reinstalling the system. You can of course first backup your important data so you do not lose any important files. But be sure to scan all your data before copying it to your newly installed system again.

    To protect against drive-by infections make sure that your Windows installation as well as any browser plugins or other software is fully up to date. Besides that always use an antivirus product and be careful with what sites you visit.

  • Thice
    20/04/2012

    @jorieke
    Are you using Windows XP or another Windows version? Can you find the directory from the tutorial?

  • Martijn
    03/05/2012

    Dear,

    I think they modified the malware because I am not allowed to type something in the File name-field …

    Martijm

  • Martijn
    03/05/2012

    I do not understand what you mean with the mentioned file names starting with “h6s5” …

    Could you explain?

  • Martijn
    03/05/2012

    I now managed to type in the file name field. I don’t know why it worked out this time …

    I copied the explorer file and pasted it in the Application Data folder of the administrator. I changed the file name to explorer_.exe and did the same in the folder c:/windows. After reboot I got the same Buma Stemra screen.

    What went wrong.

    Now again it does not work out to type in the file name field unfortunately.

    Thanks for your assistance.

  • Thice
    04/05/2012

    @Martijn
    Please check the instructions carefully again, I got the idea you are not following them. In case this is another version of the malware, please send me the malware file (renamed in a protected RAR file or something) and I will investigate.

  • Dannyq
    04/05/2012

    Dear Thice,

    I’ve been using your method and it was working but now I am currently stuck at the part where you enable regedit,
    The fix.vbs is not working for me..
    This is the command inside the fix.vbs:
    WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
    Every time I execute it it gives me this message box:

    Script: C:\Users\”nameofpc”\Documents\fix.vbs
    Line: 1
    Char: 1
    Error: Invalid root in registry key
    “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”.
    Code: 80070005
    Source: WshShell.Regwrite

    I also tried to execute a different code to enable regedit which included these lines (found this on the internet):
    'Enable/Disable Registry Editing tools

    Option Explicit
    'Declare variables
    Dim WSHShell, rr, rr2, MyBox, val, val2, ttl, toggle
    Dim jobfunc, itemtype

    On Error Resume Next

    Set WSHShell = WScript.CreateObject("WScript.Shell")
    val = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    val2 = "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    itemtype = "REG_DWORD"
    jobfunc = "Registry Editing Tools are now "
    ttl = "Result"

    'reads the registry key value.
    rr = WSHShell.RegRead (val)
    rr2 = WSHShell.RegRead (val2)

    toggle = 1
    If (rr = 1 Or rr2 = 1) Then toggle = 0

    If toggle = 1 Then
        WSHShell.RegWrite val, 1, itemtype
        WSHShell.RegWrite val2, 1, itemtype
        MyBox = MsgBox(jobfunc & "disabled.", 4096, ttl)
    Else
        WSHShell.RegDelete val
        WSHShell.RegDelete val2
        MyBox = MsgBox(jobfunc & "enabled.", 4096, ttl)
    End If

    Once I executed this file (.vbs) a message box pops up saying: Registry editing tools are now enabled, but it is not..
    And every time I open Regedit it says It’s disabled by your administrator..

    TL:DR? (Shortly said):
    I’ve finished copying and pasting the explorer and renaming it to the malware,
    Rebooted the pc and am now stuck with a black desktop and now I cant seem to enable regedit

    I hope you can help,
    Thanks for reading and sorry for the long post.

    PS: The malware did not have a random name, it was named itunes_service01 which is pretty dodgy.. Not sure if this changes the situation but stated this just to make sure.

  • Thice
    05/05/2012

    @Dannyq
    Hi Dannyq,

    Could you send me the malware file so I can take a look what is different in this version? What Windows version are you running?
    If you got another machine on the same local network you could try to remotely access the registry to change the settings through that.

  • Dannyq
    05/05/2012

    Hey Thice,

    I’m sorry to say but I’ve already fixed the problem so I do not have the malware file anymore which is a shame because you could have looked at it and maybe help people in the future with the variations of this malware..

    Anyway, thanks a lot, the guide helped.

    I fixed the no-access regedit problem with the Kaspersky Rescue Disk 10 which is to be found on: http://support.kaspersky.com/viruses/rescuedisk?level=2 (please delete link if I’m not allowed to link it here)

    It is basically a rescue OS which has access to your computer files and has a built-in registry editor,
    After I had access to the regedit I continued to follow your steps (from step 4 and beyond) and It worked out fine!

    Thank you again Thice for this great guide 🙂

    PS: For the new people who get this malware, in the appdata folder you may not find a random named file, try to look for suspicious named files (Mine was named: itunes_service01). I was able to find the malware because of the time it stated, which is only able to be seen on Windows 7? It said date modified: 4/5/2012 16:44 PM which was the time my brothers pc got locked by the malware.

  • John D
    06/05/2012

    I’m trying the steps, copied the explorer.exe file in the WINDOWS folder. But I can’t get the Application data folder to show. I know where it’s supposed to be. But I can’t get to the show hidden files option because the virus isn’t letting me go anywhere.

    Any options on how I can get to the Application folder or how I can get it to show?

  • John D
    06/05/2012

    I’m using Windows XP and it’s a mini laptop without a CD drive.. so I can’t try the other option with the CD..

    Hope you guys can help me

    Thanks,

    John D

  • Thice
    07/05/2012

    @John D
    Did you check your username? In case it is different than Administrator you will need to open a different Application Data folder.
    To avoid enabling hidden files just type the folder name in the bar and press enter, like I am doing in the Windows 7 version here: http://www.thice.nl/getting-rid-of-the-buma-stemra-ransomware-malware-windows-7/

  • Luke H
    07/05/2012

    The malware is not letting me type so I can’t rename the files, which is sad. Please help, I’ve had this since 4.5.12

    Luke H

  • Luke H
    07/05/2012

    @Dannyq this is strange as we got the malware at the same time no joke so how did that happen?!

    Luke H

  • John D
    08/05/2012

    Thanks for your response Thice.

    Yes I am the Administrator..

    I’m at work now, so I’ll try it tonight. Another problem is though that it won’t allow me to type… I have to copy the letters from the Buma Stemra page so I can make the words… very annoying…

    The video in the link shows me I have to type AppData if I’m correct?

    I’ll let you know if it works tonight.

  • Thice
    09/05/2012

    @Luke H
    Without analysing the newer version of the malware I do not know what it is blocking and how it does that. You might want to try the copy and paste approach named above.

  • Thice
    09/05/2012

    @John D
    The App Data folder is for Windows 7, on Windows XP you need to type the full “Application Data” directory. If you manage to remove the malware please save a copy of it so I can analyse it.

  • Luke H
    09/05/2012

    @Thice
    It won’t even copy-paste and I tried Kaspersky Rescue Disk 10, but I tried the USB version and it won’t detect files and my disk drive never opens. I think I may have to wipe. I’m on XP Service Pack 3.

    Luke H

  • Spiral
    22/05/2012

    Yesterday a friend asked me to look at this malware. I came up with the following:
    OS: Windows XP Home
    1. As mentioned, used CTRL+P to load the print dialog.
    2. With the Print Dialog opened, I could open the Task Manager with ctrl+shift+esc
    3. Located the process called setup.exe and terminated it. Got control back to the operating system
    4. Looked with regedit, but could not find any of those keys/values
    5. Nothing to be found at the Application Data
    6. Started MalwareBytes and it removed the malware.
    7. Restarted the system, it works as before
    8. Updated Flash player and removed Java JRE (because he didn’t use it).

  • Niels A
    29/05/2012

    Hi,

    Working with Windows 7 and got infected yesterday.
    I am in the AppData directory, but no .exe file and also no other files that have been changed in the last 12 months.
    (only mdbu.bin / wklnhst.dat / GhostObjGAFix.xml are in the directory and some folders)

    Any ideas please?

  • bob
    02/06/2012

    Please help,

    Remove ‘PRS for Music’ Scam Ransomw. I have Windows Vista. I have logged on to Windows safe mode with network. I have pressed ctrl+p then clicked print file to location, gone to computer c then window and I can’t find the internet explorer symbol to move on to the next steps that I have seen on different websites.

    The steps seem to all be geared towards windows xp.

    Can someone help with vista?

  • gert
    02/06/2012

    heey,

    I got the same Buma/Stemra virus but I can’t find the virus file in my app data. I checked all my users but I can’t find it,
    do you know how I can solve this problem now? I also tried Kaspersky but it also couldn’t find it, I am using Windows 7.

    gert

  • Thice
    04/06/2012

    @bob
    Hi bob, did you check the Windows 7 tutorial here?
    http://www.thice.nl/getting-rid-of-the-buma-stemra-ransomware-malware-windows-7/

    It might work with Vista as well.

  • pukje
    05/06/2012

    Hi all, I got stuck with the same malware today on my XP machine 🙁
    I first tried to make a Kaspersky boot-CD but that didn’t work… maybe I did something wrong with that, but I’ve no idea what could go wrong: download the .iso file on my other laptop, put it on a brand new CD-R (together with the .html to have the manual at hand when needed, maybe that is not allowed on a boot disk???), set the boot order of the XP machine to CD first (and yes, it is looking for what is in my CD drive) but then I still get that Buma screen instead of Kaspersky…
    Luckily I found this webpage with an alternative way to get rid of it! But unlucky me: I have no printer installed (though I thought I had at least a .pdf creator?) and I cannot add a printer too, so printing to a file is no option and thus I have no crippled access to any explorer screen. Also the Ctrl+Shift+Esc does not work, it has the same message as the regular Ctrl+Alt+Del returns (when pressed before the Buma screen appears), saying that TaskMgr is switched off by my admin…
    Anyone a next idea to try? Or a tip to do something different in what I described?

  • Thice
    05/06/2012

    @pukje
    To burn an ISO file you cannot just copy the file to a CD, you have to burn it as a CD image.
    Also, there should be no need to have a printer installed to do the printer trick.

  • Mark
    06/06/2012

    My girlfriend was logged in via Citrix remote client to her company’s network yesterday evening. From the virtual desktop she opened Internet Explorer and after a while the Buma Stemra malware popped up. She noted the stated IP address and thor thing and then quit the application. Our laptop seemed to function well still. We looked up our IP address and it was a different address than the malware stated. I assume it’s the IP address of her company, as she browsed the internet via the remote desktop. At first everything looked normal, just slow. Extraordinarily slow. Browsing the internet is extremely slow. So something is wrong there. And it’s not our ISP or router; other apparel works fine. Microsoft security suite is up to date (one day old definitions) and didn’t find malware. However it didn’t update again when I asked it to but replied “there seems to be no connection”. But how do I know for sure we’re infected or not? OS: Vista Browser: Firefox

  • Thice
    06/06/2012

    @Mark
    You probably want to inform the company involved. Then they can investigate this internally.
    You might want to try a stand alone Virus Scanner such as DrWeb for your own system:
    http://www.freedrweb.com/download+cureit+free/beta/

  • monique polman
    06/06/2012

    I get a white screen saying: Please wait while the connection is beeing established. Bitte warten Sie waehrend die Verbindung hergestellt wird.
    It doesn’t matter whether the internet is switched on or off, the same message appears. Control P or right mouse click or whatever doesn’t work. Help!!!!!

  • Richard Honeywell
    06/06/2012

    Got infected with the Buma Stemra virus, managed to get out of the system and reboot in safe mode with networking but got a different screen now, “please wait while a connection is beeing established” Note spelling mistake is deliberate. Now I cannot even use the Ctrl+P option to access anything.
    Using windows XP with service pack 3, only got my phone left, internet access is limited and downloads impossible. Friend is making me a rescue disc but don’t know when I will get it. Anybody got any other options?

  • pukje
    06/06/2012

    Hi Thice, thank you for your quick reply!

    First point: I found that out already (but I literally did it as mentioned on Kaspersky’s site: “Record the image to a CD/DVD”, no word there about making it a bootable disk)… Alright, it cost me a blank CD but that is not a big loss in this case. So I gave it another try with Roxio Creator 9 LE (2006) which was pre-installed on the Vista machine I’m now working on. When I click the button ‘bootable’ it says (Dutch version, try to give a true translation 🙂 “Choose whether you want to use a bootable floppy disk A; or an image file on the harddisk.” We need the last option of course. Then you are forced to browse for a file before you can click the OK button. The explorer window prefers the following file formats: .img, .bin, .ima – so NO .iso as the Kaspersky file is… I can select it though, by choosing All file types. All looks fine, but when I insert and boot the infected XP machine it says there is no operating system found and that’s it. It does not switch to my HD by the way. I suppose that Roxio did in a way rename the file to one of the mentioned types? But I cannot check that, since the boot sector is not displayed in explorer… Of course I could download and install another CD writing program, but which one would you advise?

    Second point: there truly has to be at least 1 printer installed, otherwise the checkbox Print to file is disabled! At least on my screen…

    I spoke to a friend of mine yesterday evening and he suggested me to use Windows Defender Offline [http://download.microsoft.com/download/E/A/4/EA4EE5EC-C119-4132-BD4D-620A400B0B72/mssstool32.exe] to create a boot CD itself. I ran that one too but got stuck, as it says it could not update the database: not connected to the internet?! And without an up-to-date database it refuses to start a scan… I tried it several times and hoped it could get reconnected, but no result. I do have troubles with the wifi, so I always use a cable to get connected and I did not change that after it was infected. Can the trojan block that as well?

    Hope you can help me out!
    pukje

  • Richard Honeywell
    07/06/2012

    Just want to let people know I got back in with the Kaspersky Rescue CD. Then deleted all occurrences of my malware both on the main drive and registry, reset everything and I am finally back up and running. Not bad, it’s only been 10 hours work!!!!!

    Did notice though this particular version stopped the ransom demand but locked me completely out, however, internet usage was enormous.
    Found over 800 new directories in the application data folder, suspect that I will be spending many more hours / days cleaning this lot off as well.

    So far run everything through CCleaner and its proving effective.

    Was running McAfee and Spybot 2 but this Buma Stemra virus just walked straight through the lot without a hiccup. Going to have to rethink my virus protection!!! (more money)

    many, many thanks to all the above posts, the info really made the difference

  • Anonymous
    07/06/2012

    I simply cannot find the freakin’ virus file. I searched for hours on my whole computer, but it’s impossible to find the h6.exe file you’re talking about. Where is it arghhhh this is giving me a headache. I really don’t understand why people make malware like this..

  • Thice
    07/06/2012

    When the instructions on this site don’t work for you check the excellent alternative instructions on the following website:
    http://www.pcwebplus.nl/phpbb/viewtopic.php?f=222&t=5927

    If possible please send the malware file to me if you can. Also, please send the malware location so other people can find the malware on their systems.

  • ianto
    16/06/2012

    I had this problem with my laptop running Windows XP, but because I am not a pro and did not know what to do at the time I just switched the computer off. When I restarted after a few days there is no PRS notice but I have a message ‘navigation to the web page cancelled’ and a blank screen. Same when I try to use safe mode. I cannot do anything 🙁 please help !

  • Anne
    20/06/2012

    In my case, the virus doesn’t show itself if I start up my laptop while blocking all possible internet connections (closing the wireless router and pulling out the cable), so I can still easily reach all my files and even use them. The computer is, however, a bit slower and I can’t use any internet functions (the moment I’ve got internet again it’s back).
    You’d think that would make it easier to remove the virus but I can’t find the file that contains the virus. I’ve checked AppData (I’ve got Windows 7) but if it’s there I can’t find it and that makes using the rest of the instructions kinda hard. Any tips?

  • Chapiyo
    20/06/2012

    I can’t even make it through the first step. Ctrl P is not working as well as the right mouse button. Who has some answers??

  • Thice
    21/06/2012

    @ianto
    The white screen is shown when the malware cannot reach the website it gets its information from. This happens when the website is down or when there is no internet connection.

  • Daan
    21/06/2012

    I’ve got the same problem as Chapiyo: the right mouse button doesn’t work and I can’t use Ctrl-P. Could you please help me?
