
Wednesday, May 4, 2011

Remove BUNDESPOLIZEI Ransomware (Uninstall Guide)

"BUNDESPOLIZEI Achtung! Ein Vorgang illegaler Aktivitaten wurde erkannt." My German is not very good, but I think this sentence means that the German Federal Police caught you doing something wrong. It is not very often that we see ransomware that targets Internet users in Germany. The lock screen states that you were watching pornography and doing other illegal activities, and the Trojan horse demands a payment of 100 Euro, via Ukash or PaySafeCard, in exchange for an unlock key. It also displays your IP address, ISP, location and the version of the web browser you are using, to make you think you are in big trouble. The ransom Trojan blocks pretty much everything, even in Safe Mode. Don't fall victim to the BUNDESPOLIZEI scam. Spend your 100 Euros on something else. We've got the removal instructions to help you remove this "BUNDESPOLIZEI" ransomware for free. Please follow the steps in the removal guide below. Good luck and be safe online!





BUNDESPOLIZEI ransomware removal instructions:

1. Reboot your computer into "Safe Mode with Command Prompt". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" shown below. Use the arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key. Log in as the same user you were logged in with in normal Windows mode.



2. Open the Windows Registry Editor from the command prompt: type regedit and press Enter. The Registry Editor opens.



3. Locate the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right-hand pane select the value named Shell. Right-click it and choose Modify.



On a clean machine the value data is Explorer.exe.



On an infected machine the value data has been changed so that it points to the BUNDESPOLIZEI executable instead.



Note the file name (in our case it was "contacts.exe"), then change the value data back to Explorer.exe. If the Shell value already reads Explorer.exe, your variant persists elsewhere (several readers in the comments below found it under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, or only with an anti-malware scan); in that case go on to step 6.

4. Choose Edit > Find (or press Ctrl+F). The Registry Editor displays the Find dialog box. Type the file name you noted in the previous step and click Find Next. Remove every entry found in the Windows registry that refers to this file.



We found two additional registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603



HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache



Exit the Registry Editor.

5. At the command prompt, type shutdown /r /t 0 and press Enter. This restarts the computer into normal mode.



6. Download the recommended anti-malware software (direct download) and run a full scan to remove the leftovers of this ransomware.

Read more about Trojan.Ransomware.


Associated BUNDESPOLIZEI Ransomware files and registry values:

Files:
  • [RANDOM].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell = [RANDOM].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 "000 = [RANDOM].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "[RANDOM].exe"
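Steps 3 and 4 amount to two checks: does the Winlogon Shell value still read Explorer.exe, and where else does the file name it was pointed at appear. Here is that triage as an added Python example (not code from this blog): it parses an exported .reg file, here a constructed sample of the three keys listed above, flags a hijacked Shell value and lists every other value that mentions the same file name. Real regedit exports are UTF-16 with a BOM, so read them with encoding='utf-16'.

```python
import re

# Constructed sample of a `reg export` of the three keys named in the guide, on an infected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\User\\Application Data\\contacts.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="contacts.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\User\\Application Data\\contacts.exe"="contacts"
"C:\\WINDOWS\\regedit.exe"="Registry Editor"
'''

WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
EXPECTED_SHELL = 'explorer.exe'
# "name"="data" or @="data"; only string values matter here, dword:/hex: lines are skipped
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg escaping: \\ -> \ and \" -> "

def parse_reg(text):
    """Map key path -> {value name: data} for the string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = '(Default)' if m.group(1) is None else _unescape(m.group(1))
                keys[current][name] = _unescape(m.group(2))
    return keys

def find_shell_hijack(keys):
    """The suspect file name if the Winlogon Shell value is not the stock Explorer.exe, else None."""
    shell = keys.get(WINLOGON, {}).get('Shell', EXPECTED_SHELL)
    if shell.strip().lower() == EXPECTED_SHELL:
        return None
    return shell.rsplit('\\', 1)[-1]  # bare file name, the string step 4 searches for

def references_to(keys, filename):
    """Every (key, value name) mentioning the file name: what Edit > Find does by hand."""
    needle = filename.lower()
    return [(key, name) for key, values in keys.items() for name, data in values.items()
            if needle in name.lower() or needle in data.lower()]
```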

43 comments:

Anonymous said...

It worked! Thanks a lot!!!

Anonymous said...

It's not working for me.

Anonymous said...

worked for me, the file was called "jashla.exe" though...thanks!

Anonymous said...

When i restart and login..it remains on a black screen showing only the mouse..why?

YC said...

oh my god thank you so so much saved my bacon you did! Yeah mine was just 'jashla.exe' as well and did not have any other associated keys...

Anonymous said...

I must mention a special thanks to you Michael. I am an Indian and had come to Germany for a meeting. While reviewing for the meeting a day before it was supposed to happen, I got infected with this virus. And that too in German language! Honestly I was scared because I could make out words like 'porn' and 'terrorism'. Thankfully, the hotel staff called up the German police and confirmed it's just a virus, BUT they told me it could lead to all my data loss. I was sweating and googling frantically to get a solution. Thankfully I saw this blog, and God bless you!! Thanks a lot. Really helpful. Keep up the good work.
Shukriya :)

Anonymous said...

Thanks very much for this solution, as my laptop was infected.

However, I don't understand what I need to do at step 3 and further on. I have the window with 'Value name: Shell' and 'Value data: Explorer.exe'.

What do I need to do next? I don't understand the instruction: 'Modified value data points to BUNDESPOLIZEI executable file.' (step 3)

Thanks again for your help!

Anonymous said...

Thx, you are very very good!! It works for me!

Amanda said...

Thank you, thank you, thank you! Luckily I was able to view your website on my phone whilst I followed the instructions to fix my laptop. Virus upgraded to cover UK, now charging £100 instead of €100!

Anonymous said...

Thank you very much for this life saver !

Anonymous said...

Followed your instructions after receiving an english version of this featuring the Metropolitan Police. It was hiding under file name sejrru56surtxju.exe. Sadly, following the instructions did not remove the problem and I am now unable to boot the computer at all. Hey ho!!

Thanks any way!

Moschops said...

I got hit by this a few weeks ago before finding this blog. Locked out everything with their fake warning on whole screen. I knew it was Scareware/Ransomware. I shut down and was able to boot into Safe Mode. I ran Spybot Search&Destroy and Malwarebytes (both are free and are HIGHLY recommended). Malwarebytes found the rogue entries and kicked their asses, er, I mean removed them. Must emphasise though, these things are total SCAMS. NEVER, never, never send any money. If you do you won't get any 'unlock' key or whatever. All that will happen is that the fraudster will have your money and your computer will be exactly as it was before you paid. Always shut down and try to get into Safe Mode so you can run scans to remove or manually remove, in this case, using the excellent instructions above. BTW, if you don't have Spybot or Malwarebytes try to shut down and go into Safe Mode With Networking. It's basically Safe Mode but with your Internet. You can then d/load Spybot and/or Malwarebytes, install and run full system scans. If I ever catch the fraudster I will demonstrate Rebooting using my size 9 steel toecap CAT boots!!

Anonymous said...

How can I remove it if I am using Windows XP? Anyone can help please?

Anonymous said...

Got hit with this. Tried to follow the steps but also had some issues with Step 3. Tried Moschops recommendation and downloaded malwarebytes and it worked.

Anonymous said...

Got hit last night. Tried the steps but also had issues with Step 3. Did as Moschops recommended. Downloaded Malwarebytes and it worked! Thanks guys.

Anonymous said...

I couldn't find the name of the file on my PC. For example in your description it is "contacts.exe". I didn't read this part of the instruction and changed the name into "explorer.exe" too early...
Is there any way to get rid of it even though?
Thanks in advance for your help.

Anonymous said...

got hit 10 days ago by UK pound version, but fixed with above - installed STOPzilla, but didn't like it in the end so going without that at the moment...

Many thanks for your instructions - very helpful. UK version - for me virus was mahmud.exe

Anonymous said...

Thanks for this, got hit with it yesterday. Whoever it was was using a filename of mahmud.exe, so watch out for that one as well

Anonymous said...

I've just been hit by this.
Same as the above poster I got mahmud.exe blocked by the firewall, but too late - I got locked out.
Can't access task manager and can't boot in safe mode.
Very little info so far on how to get past this when you can't boot in safe mode.
Just about to try AVG Rescue Disc...

Anonymous said...

Hi... me again (previous comment not approved yet)
While I was downloading AVG Rescue Disc I ran Win 7 Repair Disc.
Didn't restore to any previous backups - just let it do it's thing.
PC rebooted and MS Security Essentials picked up mahmud.exe straight away.
Clean now and seems fine but running Malwarebytes just in case.
Hope this helps.

Anonymous said...

Hey, I was messing around with this before I read forums, and I have deleted the "shell" and I can't find what the .exe was called. Any help where I can find it again?

Anonymous said...

Thank you very much, it worked.
I opened Windows 7 in safe mode, ran regedit and found the bastard in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
its name was mahmud.

Anonymous said...

As soon as I translated it into English and found that it is not referring to my online activities, I knew it was some kind of an online scam. I rebooted my computer and went to Safe mode, then did a system restore to any past system restore date, restarted the computer and the virus/ransomware was gone. Perhaps it restored the computer to the 'explorer.exe'. Thanks for the post. Glad to view a lot of smart people in this blogspot. Thanks.

Anonymous said...

Tried all the above - can't find any of the files mentioned here - any further ideas?

Anonymous said...

Hi,
Same as some people above. I didn't understand the instructions clearly and forgot to see what the file was and what I need to change it to. The message does not pop up anymore when I switch the computer on, but I just get a black screen with a mouse cursor and I can only press Ctrl+Alt+Del - can't do anything else? Please help!

Anonymous said...

I was able to follow these instructions but got bogged down at stage 3 also; tried Malwarebytes, problem solved!

Larry

Anonymous said...

Incredible! Thank you very much!!!

Bisay said...

I forgot to note the name of the file. Can you please help me through?

Anonymous said...

Why is there no description in Russian?

Anonymous said...

Great blogspot and a Saviour!
To simplify, and what worked for me (although I think there are several variants of this virus):
Turn your computer on and press F8, then select "safe mode with networking". Let the computer load into Windows, then open up your web browser. Download the free versions of "malwarebytes" and Spybot's "search and destroy" and run both on your computer. Either one should detect the suspect files and allow you to remove them at the press of a button. Here are the links to the free files.

http://www.malwarebytes.org/products/malwarebytes_free

http://www.safer-networking.org/en/spybotsd/index.html

Lucy needs help said...

My name is Lucy and it didn't work for me... please help a damsel in distress. I have the UK version, couldn't find anything in regedit, explorer.exe was the same and I couldn't delete any of the files mentioned in other instructions... HEEEEEEEEELLLLPPP!!!!

ombra said...

Hi, it worked for me, but when I restarted the computer everything on my desktop has disappeared. I can run the programs using taskmanager, but how can I restore my desktop? Can anyone help me?

Anonymous said...

It's changed the name again, I got hit with 'vasja'

Anonymous said...

Thanks a lot.
I didn't know what to do at first.
Found this but was stuck in step 3 also. Then I tried the names that were mentioned here and found the trojan with the name "vasja".

Anonymous said...

This didn't work for me - the SHELL value hadn't been changed. However, malwarebytes, as recommended by moschops in the comments, got rid of it. (Free trial version from CNET was all it took, although I shall be checking it out further and seriously considering paying for the full version.)

Thanks for the help!

Anonymous said...

How do you get to the contacts.exe thingy?

Kimansuper said...

Don't look for any files, that may work but is too difficult. Just log into SAFE MODE WITH NETWORKING (to have access to the internet) by pressing F8 when Windows is rebooting and download "Spybot search and destroy" and "Malwarebytes". Install and run these two programs; it works well even if it takes a few hours to check all your files.

Many thanks to all authors of comments for their helpful comments.

Anonymous said...

In my case no registry entry was changed by the virus. I ran Windows 7 in Safe mode with networking and downloaded Malwarebytes anti-malware. This program was able to get rid of the virus, which hid itself in a file named 0.6737048700055457.exe that was run by Win 7 automatically at startup!

Anonymous ;) said...

For those for whom it won't work with this method:

just do a system recovery

and it gets back to an old saved date.

Do not worry, all your documents and photos will not be deleted;

only the latest files will be uninstalled from your computer!

Easy trick to get rid of the fake Bundespolizei screen lock and the virus at the same time ;)

Good luck m8's, hope this will help ya.

hope they fcking get these fcking faggots and get em back good

Anonymous said...

I didn't find that entry and my Shell key wasn't modified.. I just started the PC in safe mode by pressing F8 at the loading and started Spybot S&D; it found the virus as Dyxua folder -> zeoral.exe file..
Antivir free antivirus didn't find it at the scan, but I think it's because I didn't update it ^^'

Anonymous said...

This has happened to my laptop as well, in the English version. Do I just follow your steps and it should work? And also I was wondering if any of my files on my laptop would get removed. Thanks.

Anonymous said...

In my case it is not working out at all; after doing the changes using the command option it is not shutting down at all with the commands. I tried recovering, there also it couldn't resolve it. I think mine is an advanced virus; I can't see the desktop screen, only.
Could anyone help me? I don't even have an OS CD and I am an Indian on work, I have come to Germany. Anyway, I lost 100 € unknowingly.

Anonymous said...

This just happened to me but Shell was already explorer.exe and Malwarebytes can't find anything.