Removing the Interpol Virus

This time we have the “Carabinieri – Interpol – National Anti-Crime Computer Centre for Critical Infrastructure Protection” virus… here are some photos of a PC that arrived this morning. Nice, eh?

Even Napolitano is on display…


This is one of the many variants of the State Police, Financial Police, Prison Police (and so on and so forth) virus.

These viruses are very ingenious. You just browse some site, download any content (music, videos, images…) and POOF! In many cases, however, it is enough to click a link in one of the emails that arrive, which are often very inviting.

Perhaps with the help of an outdated antivirus, the fact is that when you restart your PC you will see a screen similar to the one above, inviting you to “pay” to restore the PC. A trivial but very original virus.

The Carabinieri Interpol version even activates the webcam and kindly makes you think you are being watched…

To deactivate the virus and restore the PC there are several procedures.

But first I advise trying to RESTORE THE OS from a restore point from a few days earlier: sometimes it works and it takes very little time.

How? Press F8 at boot and, if it is available among the choices presented (usually the first), select “System Restore”, then select “System Restore” again and choose one of the most recent restore points available. Confirm and restart. Running time: about 5 minutes.

Otherwise you can follow the procedures listed here, starting from the first, or skip to Method 4, which is certainly the most effective!

Method 1: (operating in Safe Mode – method published by the REAL financial police)

  • Turn off the computer and restart it in “Safe Mode” by holding down the “F8” key during startup. Pressing this key displays a list of choices; just select “Safe Mode”.
  • Once Windows has started, click START (or the Windows icon) at the bottom left of the taskbar.
  • In the menu that opens, click “All Programs” to open the list of installed software.
  • Look for the “Startup” folder and, once you have found it, click its icon.
  • The screen displays the list of programs configured to start automatically when the computer starts.
  • You should see, among others, the file “WPBT0.dll” or a file with a name of the type “0<a series of other numbers>.exe” (the file can appear in other syntactic variants).
  • Select the file and delete it by pressing the “Delete” or “DEL” key, or by moving the file to the trash on the desktop. In any case, I recommend you remove everything you do not recognize!
  • Move the mouse to the “trash” on the desktop and right-click; in the menu that appears, select “empty trash” to permanently eliminate the malware.
  • Turn off the computer and restart it normally, so you can check that the machine works properly again.
  • After the restart, install or update the antivirus and run a full system scan.

Not working? On to the second!

Method 2: (operating in Safe Mode)

  • Turn off the computer and restart it in “Safe Mode” by holding down the “F8” key during startup. Pressing this key displays a list of choices; just select “Safe Mode”.
  • Once Windows has started, click START (or the Windows icon) at the bottom left of the taskbar.
  • In the “search programs and files” box (or START -> RUN if that window is present), type “msconfig.exe”.
  • Go to the fourth tab, “Services”, and disable any services that look suspicious, that have no manufacturer listed, or whose startup item has an inconsistent name (such as: aaaaaaaeaeaaaaa.exe).
  • Click OK and restart.
  • After the restart, install or update the antivirus and run a full system scan.

Not working? On to the third!

Method 3: (Safe Mode not working)

In this case, the PC cannot get into Safe Mode because the virus has disabled its activation with the F8 key.

Step 1

Before losing a lot of time with the Kaspersky CD, try to see whether the PC will enter SAFE MODE WITH COMMAND PROMPT.

If successful, you will see a black screen with the prompt (cursor). In this case you can run “regedit.exe” from the command prompt and skip to Step 3 to edit the registry (in this case the registry is edited directly from “regedit.exe” rather than from the Kaspersky CD; the mechanism is identical).

If the command prompt does not work, go to Step 2.

Step 2

We must then download (from another PC, of course…) the image of a purpose-built antivirus disk, like the one on the Kaspersky website:

http://support.kaspersky.com/faq/?qid=208282173

and then burn the .iso file with any burning program.

The CD/DVD will boot the PC automatically.

Once you have burned the ISO image, you have to start the PC with the CD you just created.

Usually the PC's startup configuration boots from the CD/DVD by default, but if that is not the case, enter the BIOS at power-on and change this setting.

On some PCs you can also press a key at startup to select the boot drive.

At this point, if you have set the boot order correctly, the CD is read and the Kaspersky Rescue Disk main screen appears, where you are asked to select the language, accept the license, etc.

Eventually you will see a green desktop; run the Kaspersky Registry Editor found on it.

Step 3

Very carefully, you now have to change some registry keys.

Go to the following key to re-enable the Task Manager:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

and check that the value DisableTaskMgr is set to 0 (zero).

If the value is not there, you can add a new value of type DWORD 32-bit / REG_DWORD, name it DisableTaskMgr and assign it a value of 0 (zero).

Check the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEX

And, if present, also these:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Inspecting them, in the right-hand pane we can see entries pointing to executable programs with strange names.

Next, still from the Kaspersky system desktop, try to:

- browse disk C:

- search disk C:

- remove from the C drive (or simply rename) the following files:

mahmud.exe

skype.dat (normally the virus file resides in C:\users\user\AppData\Roaming, or C:\Documents and Settings\user\Application Data\)

icq.dat
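Added example (not part of the original post): the Step 3 check done as a Python script on the clean PC, over text saved with the Windows `reg query` command run against the keys listed above. It flags autostart entries that match the file names and folders this article mentions, plus a non-zero DisableTaskMgr; the sample output and the user name `mario` are constructed, and the matching rules are assumptions based on the article's indicators.

```python
import re

KNOWN_NAMES = {"mahmud.exe", "skype.dat", "icq.dat", "wpbt0.dll"}  # file names from the article
USER_DIRS = ("\\appdata\\roaming\\", "\\application data\\")  # folders from the article
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
FILE_TOKEN = re.compile(r'[^\\/"\s,]+\.(?:exe|dll|dat)\b', re.I)

SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SynTPEnh    REG_SZ    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    updater    REG_SZ    C:\Users\mario\AppData\Roaming\0384751.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    skype    REG_SZ    rundll32.exe "C:\Users\mario\AppData\Roaming\skype.dat",Start
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    DisableTaskMgr    REG_DWORD    0x1
"""  # constructed sample in `reg query` layout, not output from a real machine

def parse_reg_query(text):
    """Yield (key, value_name, data) for each value line of `reg query` output."""
    key = None
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if line.startswith("HKEY_"):
            key = line.strip()
        elif m and key:
            yield key, m.group(1), m.group(3).strip()

def reasons(data):
    """Return why an autostart command line matches the article's indicators."""
    files = {f.lower() for f in FILE_TOKEN.findall(data)}
    checks = [
        (bool(files & KNOWN_NAMES), "file name listed in the article"),
        (any(re.fullmatch(r"0\d+\.exe", f) for f in files), "name of the form 0<digits>.exe"),
        (any(d in data.lower() for d in USER_DIRS), "starts from a per-user data folder"),
    ]
    return [why for hit, why in checks if hit]

def triage(text):
    """Return (key, value_name, data, reasons) for entries worth a manual look."""
    findings = []
    for key, name, data in parse_reg_query(text):
        why = reasons(data) if "\\currentversion\\run" in key.lower() else []
        if name.lower() == "disabletaskmgr" and int(data, 16) != 0:
            why = ["Task Manager is disabled"]
        if why:
            findings.append((key, name, data, why))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A flagged entry is only a candidate for manual review in the registry editor; legitimate software also starts from AppData.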

 

Not working? On to the fourth! (Hoping this is the one!!)

Method 4: (if still nothing works at all…)

A recent evolution of this virus made me lose a lot of time. Despite having turned off all programs that started at boot, re-enabled the Task Manager and performed a system restore (useless… at best it starts a few times, then the virus magically returns), in the end I succeeded.

At startup (even in Safe Mode) a white screen appeared and then, after a while, the fake State Police page again. In this case, follow this procedure:

– Using another PC, download ComboFix, a good antivirus that is useful in these cases, which you will run only once and which solves the problem 100%.

Download it from this site:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

– Copy it to a USB stick (e.g. F:), then start the PC, this time in SAFE MODE WITH COMMAND PROMPT (strange, but it seems this is the only mode that would run for me).

– You will see the command prompt. Move to the stick where you saved ComboFix by typing:

F: (where F: is the letter that identifies your stick, which may of course be different)

Then type:

combofix.exe /killall

and let it run to the end… after a reboot the problem will be solved!! TESTED

Notes:

From the command prompt, if you wish, you can also bring up the desktop by typing:

explorer.exe

or open the registry editor with:

regedit.exe

 
