Removing the “State Police – Analysis Unit Cybercrime” Virus

This time I came across an uncommon version of the various State Police, Financial Police, police, etc. viruses.

The virus has the title: “Virus State Police – Analysis Unit cybercrime”.

It must be said that this is the nastiest variant of this virus and also the most poorly made one.

Nasty because it accuses the user of pedophilia and shows explicit pictures of minors; poorly made because it is immediately clear that the text is a FAKE, since it is written in very halting Italian, probably produced by a bad automatic translator (Google would do better …).

Here are some screenshots of the virus, which I have obviously censored.


This virus also shows an article (fake, of course) about the detention in the capital of people suspected of watching pornographic films involving children.


Then, at the end, comes the usual request for money and the ways to pay.


There are several procedures for deactivating the virus and restoring the PC.

But first I recommend trying a RESTORE OF THE OS from a restore point a few days old: sometimes it works, and it takes very little time.

How? Press F8 at boot and, if it is available among the choices presented to you (usually the first), select “System Restore”, then select “System Restore” again and pick one of the most recent restore points available. Confirm and restart. Running time: about 5 minutes.

Otherwise you can follow the procedures listed here, starting from the first, or skip to Method 4, which is definitely the most effective!

Method 1: (Safe Mode works – method published by the REAL Financial Police)

  • Turn off the computer and restart it in “Safe Mode” by holding down the “F8” key during startup. Pressing this key displays a list of choices; just select “Safe Mode”.
  • Once Windows has started, click START (or the Windows icon) at the bottom left of the taskbar.
  • In the vertical menu that opens, click “All Programs” to open the list of installed software.
  • Look for the “Startup” folder and, once you have found it, click its icon.
  • The screen displays the list of programs configured to start automatically with the computer.
  • You should see, among others, the file “WPBT0.dll” or a file whose name follows the pattern “0<a series of other digits>.exe” (the file name can appear in other variants).
  • Select the file and delete it by pressing the “Delete” or “DEL” key, or by moving the file to the Recycle Bin on the desktop. In any case, I recommend removing everything you do not recognize!
  • Move the mouse over the Recycle Bin on the desktop, right-click and, in the menu that appears, select “Empty Recycle Bin” to permanently delete the malware.
  • Turn off the computer and restart it normally, so you can check that the machine is working properly again.
  • After the restart, install or update your antivirus and run a full system scan.

Not working? Let's move on to the second!

Method 2: (Safe Mode works)

  • Turn off the computer and restart it in “Safe Mode” by holding down the “F8” key during startup. Pressing this key displays a list of choices; just select “Safe Mode”.
  • Once Windows has started, click START (or the Windows icon) at the bottom left of the taskbar.
  • In the “Search programs and files” box (or START -> RUN if that window is present), type “msconfig.exe”.
  • Go to the fourth tab, “Services”, and disable the suspicious services, or in any case those with no manufacturer listed or whose startup item has a nonsensical name (such as aaaaaaaeaeaaaaa.exe).
  • Click OK and restart.
  • After the restart, install or update your antivirus and run a full system scan.

Not working? Let's move on to the third!

Method 3: (Safe Mode not working)

In this case, the PC cannot enter Safe Mode because the virus has disabled its activation with the F8 key.

Step 1

Before spending a lot of time on the Kaspersky CD, check whether the PC will start in SAFE MODE WITH COMMAND PROMPT.

If successful, you will see a black screen with the prompt (cursor). In this case you can run “regedit.exe” from the command prompt and skip to Step 3 to edit the registry (here the registry is edited directly with regedit.exe rather than from the Kaspersky CD; the mechanism is identical).

If the command prompt does not work, go to Step 2.

Step 2

You must then download (from another PC, of course …) the image of a purpose-built antivirus disc, such as the one on the Kaspersky website:

http://support.kaspersky.com/faq/?qid=208282173

and then burn the .iso file with any burning program.

The CD/DVD will boot automatically when the PC starts.

Once you have burned the ISO image, you have to start the PC with the CD you just created.

Usually the PC's startup configuration boots from the CD/DVD by default; if it does not, enter the BIOS at power-on and change this setting.

On some PCs you can also press a key at startup to select the boot drive.

At this point, if you have set the boot order correctly, the CD is read and the Kaspersky Rescue Disk main screen appears, where you are asked to select the language, accept the license, etc.

Eventually you will see a green desktop; run the Kaspersky Registry Editor found on it.

Step 3

Very carefully, you have to change some registry keys.

Go to the following key to re-enable the Task Manager:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

and check that the value DisableTaskMgr is set to 0 (zero).

If the value is not there, you can add a new value of type DWORD 32-bit / REG_DWORD named DisableTaskMgr and assign it 0 (zero).

Check the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEX

And, if present, also these:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Examining them, inside (in the right-hand pane) we can see entries pointing to executable programs with strange names.

Next, still from the Kaspersky desktop, try to:

- browse drive C:

- search drive C:

- delete from drive C: (or simply rename) the following files:

mahmud.exe

skype.dat (normally the virus file resides in C:\users\user\AppData\Roaming or C:\Documents and Settings\user\Application Data\)

icq.dat
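
As an added example (not part of the original post), the Step 3 checks can be scripted: save the text output of "reg query" for each key listed above and triage it on a clean PC. The parser assumes the usual "reg query" text layout, the sample output is constructed, and the indicators are only the file names and folders mentioned on this page.

```python
import re

# Indicators taken from this page: named files and the "0<digits>.exe" pattern.
PAGE_NAMES = {"wpbt0.dll", "mahmud.exe", "skype.dat", "icq.dat"}
DIGIT_EXE = re.compile(r"^0\d+\.exe$")
# User-writable folders where the page says the virus file normally resides.
USER_DIRS = ("\\appdata\\roaming\\", "\\application data\\")
# One value line of reg query output: 4-space indent, name, type, data.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")
FILE_TOKEN = re.compile(r'[^\\/"\s,]+\.(?:exe|dll|dat)\b')

# Constructed sample, not captured from a real infection.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    DisableTaskMgr    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\avtray.exe" /min
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    updater    REG_SZ    C:\Users\user\AppData\Roaming\0123456.exe
    helper    REG_SZ    C:\mahmud.exe
"""

def parse_reg_query(text):
    """Yield (key, value_name, type, data) from reg query text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield (key, *m.groups())

def triage(text):
    """Yield (key, value_name, reasons) for entries worth a manual look."""
    for key, name, rtype, data in parse_reg_query(text):
        low, reasons = data.lower(), []
        if name.lower() == "disabletaskmgr":
            if rtype == "REG_DWORD" and int(data, 16) != 0:
                reasons.append("Task Manager disabled")
        else:
            files = FILE_TOKEN.findall(low)
            if any(f in PAGE_NAMES for f in files):
                reasons.append("file name listed on this page")
            if any(DIGIT_EXE.match(f) for f in files):
                reasons.append("0<digits>.exe name pattern")
            if any(d in low for d in USER_DIRS):
                reasons.append("runs from a user profile data folder")
        if reasons:
            yield (key, name, reasons)
```

Calling list(triage(SAMPLE)) flags the DisableTaskMgr value and the two constructed autostart entries while leaving the Program Files entry alone; a flagged entry is a prompt for manual review, not proof of infection.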

 

Not working? Let's move on to the fourth! (Hoping this time is the right one!!)

Method 4: (if still nothing at all works …)

A recent evolution of this virus cost me a lot of time. Despite having disabled all the programs that started at boot, re-enabled the Task Manager and performed a system restore (useless … at best the PC starts a few times and then, as if by magic, the virus comes back ..), in the end I succeeded.

At startup (even in Safe Mode) I got a white screen and then, after a while, the fake State Police page again. In this case, follow this procedure:

– Using another PC, download ComboFix, a good antivirus tool useful in these cases, which you run only once and which solves the problem 100%.

Download it from this site:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

– Copy it to a USB stick (e.g. F:), then start the PC, this time in SAFE MODE WITH COMMAND PROMPT (strange, but it seems this is the only mode that let me run it).

– You will see the command prompt. Move to the stick where you saved ComboFix by typing:

cd /d F:\ (where F: is the letter that identifies your stick, which may of course be different)

Then type:

combofix.exe /killall

and let it run until the end … after a reboot the problem will be solved!! TESTED

Notes:

From the command prompt, if you wish, you can also bring up the desktop by typing:

explorer.exe

or the registry editor with:

regedit.exe

 
