Buma/Stemra-malware ransomware virus

Er zijn verschillende manieren om het eenvoudige (maar lastig of vervelende) ransomware virus te verwijderen of op te lossen. Hieronder staat de kortste beschrijving. Maar uiteindelijk komen alle oplossing op het zelfde neer. Namelijk de shell van het OS is vervangen door een variant van het virus en wordt automatisch gestart.
Of deze tip en trick kan ook.
1. Browse to C:Windows
2. Type *.exe in the File name field
3. Select explorer.exe
4. Copy the file by pressing Ctrl-C (the right mouse button doesn’t work very well in this window)
5. Browse to the “Application Data” directory of the current user (for Administrator user: C:Documents and SettingsAdministratorApplication Data )
6. Paste the copied explorer.exe file by pressing Ctrl-V
7. Rename the malware file, just adding an underscore behind is will be enough
8. Rename the explorer.exe file to the malware file name
9. Reboot
10. Enable registry: WScript.CreateObject("WScript.Shell").RegWrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableRegistryTools", 0, "REG_DWORD"
 11. Using RegEdit, DELETE the following keys:
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDesktop
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunVX2bt1oYNKCLnkO
• HKEY_USERSAdministratorSoftwareMicrosoftWindowsCurrent VersionPoliciesExplorerNoDesktop
• HKEY_USERSAdministratorSoftwareMicrosoftWindowsCurrent VersionPoliciesSystemDisableTaskMgr
• HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunVX2bt1oYNKCLnkO
12. Then CHANGE the following keys:
• HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrent VersionWinlogon
• HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrent VersionWinlogon
13. Change the value of “Userinit” to “C:WindowsSystem32Userinit.exe,”
14. Change the value of “Shell” to “Explorer.exe”

Comments are closed.