In the last year, a really dangerous virus for Windows PCs spread around the world. It was nicknamed the Police Virus because the first time it appears it shows a page with a police alert telling you to pay in order to avoid some sanctions. After that, the virus blocks your computer with a white screen.
Italian version: Come rimuovere tutte le versioni del Virus Polizia di Stato.
Keep calm: paying is the worst thing you can do, because it changes nothing and the computer stays blocked. Unfortunately this virus comes in several variants, so I have collected all the methods to remove it.
This image shows how the virus appears the first time:
Now I'll describe all the variants and all the possible solutions to remove this virus:
METHOD ADVISED BY POSTAL POLICE
- Start the computer in Safe Mode (press the F8 key when the screen turns on);
- Click Start -> All Programs and look for the "Startup" folder (on XP, go to C:\Documents and Settings\USER\Start Menu\Programs\Startup);
- This shows the programs that start at system boot; you should see the file "WPBT0.dll" or a file named like "0.< some numbers >.exe";
- Delete this file and reboot the PC.
METHOD WITH REGISTRY KEYS
- Start the PC in Safe Mode and go to Start -> Run, type regedit and press Enter. Now go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and double-click the Shell value. In the window that appears, enter explorer.exe (or Explorer.exe on XP).
- If you use Windows XP or 2000, open the Command Prompt and type:
cd "Application Data" and press Enter;
then type del mahmud.exe (and press Enter).
- If you use Windows Vista, 7 or 8, open the Command Prompt and type:
cd AppData and press Enter;
then type cd Roaming and press Enter;
finally type del mahmud.exe (and press Enter).
EDIT 05/26/2013: since 05/26/2013 the virus's file name has changed, and now (in some variants) you have to type del skype.dat instead of del mahmud.exe (the file is in C:\Users\USER\AppData\Roaming).
EDIT 06/12/2013: the virus's file name has changed again; it is now icq.dat.
METHOD WITH TASK MANAGER AND MSCONFIG (IF YOU HAVE ENOUGH TIME)
- In this case you are lucky: you have to quickly press Ctrl + Alt + Del as soon as the Windows desktop appears and kill the explorer.exe process to gain more time; then go to Start -> Run, type msconfig and press Enter (if instead you have plenty of time before the PC locks, type msconfig straight away);
- Now go to System Configuration -> Startup tab and click Disable All; then click Apply, finally click OK and reboot the PC.
METHOD WITH MSCONFIG
- If you can get into Safe Mode (see above), type msconfig in Start -> Run and, under the "System Configuration" tab, uncheck "Load startup items" and click Apply.
- Now go to the Services tab, hide all Microsoft services (with the checkbox) and disable all services with "strange" names or without a software publisher;
- Finally go to the Startup tab and disable all entries that run at system startup without your command; pay attention to ctfmon (I advise removing it).
MANUAL METHOD IN DIRECTORY C:
- If you haven't solved it yet, go to C:\Users\ and remove all strange files in the Temp, Startup and Application Data directories (I also advise removing the directories C:\Windows\Prefetch and C:\Windows\Temp);
- Also search your PC for the ctfmon program and remove it (it is located in the System32 directory).
USE COMBOFIX ON SAFE MODE
Many users have removed this virus with the Combofix tool, which searches for, finds and removes all the virus's files; to download it visit this site. Then copy it to a USB key:
- Start Windows in Safe Mode (using the Administrator account) and insert the USB key with Combofix;
- Then open Task Manager with Ctrl + Alt + Del and stop the active application; in the Processes tab, instead, stop the userinit process;
- Finally disable every antivirus you have and run Combofix; you must not stop it for any reason, and at the end reboot the system.
USE KASPERSKY CD IF SAFE MODE DOESN'T RUN
- Download the Kaspersky Rescue Disk software using this guide (unfortunately it is only written in Italian) and burn it to a CD;
- At system startup press F2 to enter the BIOS and select CD-ROM as the first boot device;
- Finally you'll see a simulated operating system; run Kaspersky Registry Editor, then open Task Manager with Ctrl + Alt + Del and check these keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEx
And, if present, also these keys for all users:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Among these keys there are entries that start at boot, and you'll probably see the virus among them; remove the strange entries with right-click -> Delete. Finally reboot the PC.
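The checks in the Postal Police method (Startup folder), the registry method (Winlogon Shell, the files in AppData\Roaming) and the Kaspersky section (Run/RunOnce keys) can be done in one read-only pass. This is an added PowerShell audit script, not from the original post; it assumes an elevated prompt in Safe Mode and uses only the file names the post lists as indicators.

```powershell
# Added read-only audit (not from the original post): it reports suspicious
# autostart entries and leaves any removal to the operator.
# Assumption: run from an elevated PowerShell prompt in Safe Mode.
# Indicators are only the file names the post lists plus its "0.<digits>.exe"
# pattern; anything else would be an assumption and is left out.
$knownNames = @('mahmud.exe', 'skype.dat', 'icq.dat', 'WPBT0.dll')
$numericExe = '^0\.\d+\.exe$'

function Test-SuspiciousName {
    param([string]$Path)
    # Strip quotes and arguments so a Run value like "C:\x\icq.dat" /s matches
    $exe = ($Path.Trim() -split '"')[1]
    if (-not $exe) { $exe = ($Path.Trim() -split ' ')[0] }
    $leaf = [System.IO.Path]::GetFileName($exe)
    return ($knownNames -contains $leaf) -or ($leaf -match $numericExe)
}

# 1. Winlogon Shell must be explorer.exe; the lock screen replaces it.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    Write-Warning "Winlogon Shell is '$shell' (expected explorer.exe)"
}

# 2. Run and RunOnce keys for the machine and the current user.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        if (Test-SuspiciousName ([string]$p.Value)) {
            Write-Warning "$key : $($p.Name) = $($p.Value)"
        }
    }
}

# 3. Startup folders and the Roaming AppData folder named in the post.
$dirs = @([Environment]::GetFolderPath('Startup'),
          [Environment]::GetFolderPath('CommonStartup'),
          [Environment]::GetFolderPath('ApplicationData'))
foreach ($d in $dirs) {
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
        Where-Object { Test-SuspiciousName $_.Name } |
        ForEach-Object { Write-Warning "Suspicious file: $($_.FullName)" }
}
```

Each warning names the key or file so it can be checked by hand with regedit before deleting, as the sections above describe.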
USE AN ADMINISTRATOR ACCOUNT IF SAFE MODE DOESN'T RUN
If the Police Virus has also blocked Safe Mode, you have to activate the built-in administrator account (with full privileges) and enter Safe Mode with that account.
To activate the administrator account, open the Command Prompt (start the system with the option "Safe Mode with Command Prompt" after pressing F8) and type:
net user administrator /active:yes
Press Enter and reboot the system in Safe Mode with this account; this user doesn't have the virus, so you can try to delete it with all the methods written above or with the method written below.
USE ADMINISTRATOR ACCOUNT ON SAFE MODE TO CREATE AN OTHER USER WITHOUT THE VIRUS
I don't know why I didn't think of this solution before; it is very quick and simple. I used this method to remove the virus because all the methods above had failed. To use it you have to start the PC in Safe Mode with the Administrator account:
- Go to Control Panel -> User Accounts -> Manage accounts -> Create new account;
- Copy all the images, videos, songs and the other most important files you have;
- Reboot the PC and at startup choose the new account you made;
- This account, created by another administrator account, inherits the old user's programs but obviously not the Police Virus! So it isn't a system reset, as someone might think, because all programs remain;
- Now you can safely delete the infected user and with it the virus.
USE MALWAREBYTES ON SAFE MODE
Among all the variants of the Police Virus there is also a really weak one, which many users have simply deleted using Malwarebytes:
- Go into Safe Mode and insert the USB key with Malwarebytes;
- I advise disabling your antivirus;
- Run a system scan and wait for it to finish;
- Now reboot the system.
I hope this guide is helpful, and I invite you to leave comments with your solutions, to help other infected people.
Edited by Pumo Matteo