PUM.UserWLoad – Trojan.Ransom removal instructions

July 12, 2013

PUM.UserWLoad is a difficult-to-remove remnant of the Trojan.Ransom infection. It is a registry entry whose permissions have been modified so that it cannot be removed in the normal way. If a scan with Malwarebytes Anti-Malware detects the same items over and over again, even though PUM.UserWLoad and Trojan.Ransom were supposed to be deleted on restart, they have to be removed in a different way.

PUM.UserWLoad is the malicious registry entry belonging to one of the ransomware variants, like Reveton or Urausy, of the FBI Moneypak virus, the Department of Justice virus or another police department virus. Below is an example of these items as detected by Malwarebytes Anti-Malware:

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\Username\LOCALS~1\Temp\mshquob.com -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\Username\LOCALS~1\Temp\mshquob.com -> Delete on reboot.
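
The check below is an added example, not part of the original guide or of Malwarebytes. It parses scan-log lines in the format quoted above and reports registry values that show up in two successive scans, which is the sign that "Delete on reboot" did not work. The second log and all function names are constructed for illustration.

```python
import re

# Matches Malwarebytes registry-value lines in the format quoted above:
#   <key>|<value> (<detection>) -> Data: <path> -> <action>.
LINE_RE = re.compile(
    r"^(?P<key>HK[A-Z_]+\\[^|]+)\|(?P<value>[^ ]+) \((?P<name>[^)]+)\)"
    r" -> Data: (?P<data>.+?) -> (?P<action>.+?)\.?$"
)
# Per-user temp folders, including the 8.3 short form LOCALS~1 seen in the log.
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings|AppData\\Local)\\Temp\\", re.I)


def parse_log(text):
    """Return {(key, value, data): set(detection names)} for one scan log."""
    items = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Registry paths are case-insensitive, so compare them lowercased.
            ident = (m["key"].lower(), m["value"].lower(), m["data"].lower())
            items.setdefault(ident, set()).add(m["name"])
    return items


def persistent_items(first_scan, second_scan):
    """Items reported in both scans, i.e. the scheduled deletion did not stick."""
    first, second = parse_log(first_scan), parse_log(second_scan)
    report = []
    for ident in sorted(first.keys() & second.keys()):
        key, value, data = ident
        report.append({
            "key": key, "value": value, "data": data,
            "detections": sorted(first[ident] | second[ident]),
            "runs_from_temp": bool(TEMP_RE.search(data)),
        })
    return report


# Constructed sample logs: scan 1 is the two lines quoted on this page,
# scan 2 is the same pair reported again after the reboot.
SCAN_1 = r"""
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\Username\LOCALS~1\Temp\mshquob.com -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\Username\LOCALS~1\Temp\mshquob.com -> Delete on reboot.
"""
SCAN_2 = SCAN_1

if __name__ == "__main__":
    for item in persistent_items(SCAN_1, SCAN_2):
        print(item)
```

Both detection names collapse into one finding because they refer to the same registry value and the same file in the user's temp folder.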

If you cannot remove the PUM.UserWLoad – Trojan.Ransom items, follow the instructions below to remove them successfully from your computer with the Kaspersky Rescue CD.

PUM.UserWLoad – Trojan.Ransom removal instructions

To create a bootable Kaspersky Rescue Disk, you will need a blank CD or DVD and a CD or DVD burner. It is also possible to create the Kaspersky Rescue Disk on a USB stick.

  • First download the Kaspersky Rescue Disk ISO from the link below:
  • Download Kaspersky Rescue Disk.
  • To burn the ISO to a bootable rescue disk, we will use the ImgBurn program. (You can also use the ISO image burner in Windows 7.)
  • You can download ImgBurn from the link below.
  • Download ImgBurn
  • When the download is ready, install the ImgBurn program on your computer.
  • Insert your blank CD or DVD in your burner, then start ImgBurn and click on the Write image file to disc button.
  • Under Source click on the Browse for file button, navigate to the location where you previously saved the Kaspersky Rescue Disk ISO, then click on the Write button.

  • ImgBurn will now begin writing your bootable Kaspersky Rescue Disk (ISO).
  • When this is ready you need to set up the BIOS so that the computer can boot from the Kaspersky Rescue Disk.

1. How do I set the BIOS to boot from CD?

  • To start the computer from the Kaspersky Rescue Disk, the optical drive should be the first boot device in the BIOS.
  • You enter the BIOS by pressing a specific key during the starting phase. Which key this is depends on the type of BIOS, but the most common are the Del and F2 keys.
  • You can see which key it is on the first screen that appears when you switch on the PC. Often it is something like Press Del to enter Setup.
  • If all goes well you end up at the BIOS setup screen. Please note that there are various types and brands, which also look different.
  • You will find the boot options under Advanced BIOS Features or Integrated Peripherals.

2. Start your computer from the Kaspersky Rescue Disk

  • Once you have inserted the Kaspersky Rescue Disk into the infected computer, restart the computer.
  • As soon as you power it on, you will see a screen that tells you to press any key to enter the menu, so tap any key to boot your machine from the Kaspersky Rescue Disk.

  • In the next screen, you will need to choose a language, and press enter.
  • Then press ‘1’ to accept the agreement.
  • And in the next screen you choose the Graphic Mode and press enter.

  • When a warning prompt appears, press the Continue button.

  • Within a few short seconds you should see the full working environment, with the Kaspersky Registry Editor.
  • Double click on the Kaspersky Registry Editor icon on the desktop.
  • Next, navigate to the following registry key.
  • HKEY_USERS\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

  • Here, delete the malicious item with the name “Load” (PUM.UserWLoad) and confirm this by pressing the “Yes” button.
  • Restart the computer and remove the Kaspersky Rescue Disk from your system.

3. Update Malwarebytes Anti-Malware and run a full system scan to check for the presence of PUM.UserWLoad – Trojan.Ransom

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware.
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes’ Anti-Malware\Logs\mbam-log-date (time).txt
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
  • Click OK to either and let MBAM proceed with the disinfection process.
  • If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • After the restart in Normal mode, start Malwarebytes Anti-Malware again and perform a Full System scan to verify that there are no remaining threats.

4. Run a scan with HitmanPro to double-check your system for any remnants of the Trojan.Ransom infection.

Please download HitmanPro to your desktop from one of the following links:
HitmanPro (32bit) – Direct download link
HitmanPro (64bit) – Direct download link

  • Double click on HitmanPro to start the program. If you are experiencing problems while trying to start HitmanPro, you can use the Force Breach mode.
  • To start HitmanPro in Force Breach mode, hold down the left CTRL-key when you double click on HitmanPro and all non-essential processes will be terminated, including the malware processes.
  • HitmanPro will start and you’ll need to follow the prompts (by clicking on the Next button) to start a system scan with this program.
  • The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
  • Click on the Next button and choose the option Activate free license.
  • Click on the Next button and the infections that were found will be deleted.

  • Now click on the Save Log option and save this log to your desktop.
  • Click on the Next button and restart the computer.

5. Alternate instructions with HitmanPro.kickstart to remove the Trojan.Ransom

Please download HitmanPro to your desktop.
Press this link for the complete “User Manual” for HitmanPro.Kickstart.

  • Start the program by double clicking on HitmanPro.exe. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).
  • Click on the “HitmanPro.Kickstart” button to create a bootable USB stick with HitmanPro.Kickstart.

  • Now insert the USB flash drive that you will use to write the HitmanPro.Kickstart files to.
    • As soon as one or more USB flash drives are detected, a selection screen will be presented.

  • Now select the USB flash drive on which you want to place the HitmanPro.Kickstart files and press the button Install Kickstart.
  • Important! Be aware that all contents of the selected flash drive will be erased before the HitmanPro.Kickstart files are written.
  • If you press the ‘Yes’ button now, the selected USB flash drive will be formatted and all necessary HitmanPro.Kickstart files will be retrieved from the HitmanPro servers and written to the flash drive.

  • Once the process is completed you can now remove the USB flash drive from the PC and use it to remove the malware from a ransomed PC.
  • Now insert the HitmanPro.Kickstart USB flash drive into a USB port of the ransomed PC and start the PC.
  • During the startup of the PC, enter the BIOS Boot Selector (BBS) menu with F10 or F11 and select the USB flash drive that contains HitmanPro.Kickstart to boot from.
    • If it’s not possible to enter the BBS, go into the BIOS and set the USB option as your first boot device in the boot sequence.
  • The default way to boot is option 1, which skips the master boot record of your hard drive. If you do not press any key, the process will continue after 10 seconds using the default boot selection.

  • If you see a logon screen you can either select a user and log on, or, if you wait approximately 15 seconds, HitmanPro will be started on your Windows logon screen.

  • Click on the Next button. You must agree with the terms of the EULA.
  • Check the box beside “No, I only want to perform a one-time scan to check this computer”.
  • Click on the Next button.
  • The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
  • Click on the Next button and choose the option Activate free license.
  • Click on the Next button and the infections that were found will be deleted.
  • Now click on the Save Log option and save this log to your desktop.
  • Click on the Next button and restart the computer.

6. Information

Some of the programs that we used in our malware removal guides are a good idea to keep and use often to help keep the computer clean. Malwarebytes Anti-Malware is one of the most powerful anti-malware tools. It is totally free, but for real-time protection you will have to pay a small one-time fee. The license of Malwarebytes Anti-Malware is lifetime, so you only have to buy it once, and Malwarebytes Anti-Malware is a great addition to your regular virus scanner or security programs.
