PCEU not removed by Kaspersky

Status
Not open for further replies.

nwcarter

New Member
Thread author
Jun 21, 2012
11
Hi, was sent here after using MalwareTips guide to removing the PCEU virus by using Kaspersky.
Couldn't use update because my PC is wireless internet connection which wasn't made by RescueCD.
It did find one thing then took 5hrs scanning C drive. A couple of other things deleted.
So very disappointed when PCEU came up again after rebooting Windows!
Wynne :huh:
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Hello Carter,
Did you run the Kaspersky WindowsUnlocker?
Did you remove the lock screen/malicious registry key? Can you log in to Normal Mode?
 

nwcarter

New Member
Thread author
Jun 21, 2012
11
Jack said:
Hello Carter,
Did you run the Kaspersky WindowsUnlocker?
Did you remove the lock screen/malicious registry key? Can you log in to Normal Mode?

Before using Kaspersky I couldn't avoid the virus by booting in any safe mode etc.

I think I managed to find WindowsUnlocker but it wasn't in the menu as shown in the instructions screen shots.
I think I managed to do all of the things asked but honestly not sure now.
Is it worth trying again?
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
nwcarter said:
Jack said:
Hello Carter,
Did you run the Kaspersky WindowsUnlocker?
Did you remove the lock screen/malicious registry key? Can you log in to Normal Mode?

Before using Kaspersky I couldn't avoid the virus by booting in any safe mode etc.

I think I managed to find WindowsUnlocker but it wasn't in the menu as shown in the instructions screen shots.
I think I managed to do all of the things asked but honestly not sure now.
Is it worth trying again?

Boot again into the Kaspersky and try to run the Kaspersky WindowsUnlocker.
You can use the instructions from this guide : http://malwaretips.com/blogs/remove-police-central-e-crime-unit-pceu/

If you can't find the Kaspersky WindowsUnlocker shortcut, then you can manually start this process. Perform the following actions:

  • If you booted Kaspersky Rescue Disk in the graphic mode, click the button К in the bottom right corner of the screen and in the menu select Terminal. In the command prompt enter the command windowsunlocker and press Enter on the keyboard.
  • If you booted Kaspersky Rescue Disk in the text mode, press F10 to close the menu. At the bottom of Midnight Commander in the command prompt enter windowsunlocker and press Enter on the keyboard.

After the utility starts, the menu with the commands will appear in the Terminal window (to select a command, press the corresponding key and then press Enter on the keyboard):

  • 1 – Unblock Windows (the utility will clean the registry and will display results in the window). Kaspersky Lab experts strongly recommend performing this action.
  • 2 – Save boot sector copies (the utility will copy boot sectors into the Quarantine folder. The path to the created files (/var/kl/WUnlocker.1.2.0.0_%dd.mm.yy_hh.mm.ss_quarantine/) will be displayed on the screen).
  • 0 - Exit.

If it doesn't work, then please reply to this thread and we will try to manually remove the malicious registry key.
 

nwcarter

New Member
Thread author
Jun 21, 2012
11
Thank you for such prompt and helpful response.
I will try again following your advice and let you know.
cheers,
Wynne
 

nwcarter

New Member
Thread author
Jun 21, 2012
11
nwcarter said:
Thank you for such prompt and helpful response.
I will try again following your advice and let you know.
cheers,
Wynne

Well I did the unlock windows again and recognised it from first time around.
I'm afraid I still get the PCEU and locked system towards the end of opening Windows.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Ok... try this :


STEP 1: Start your computer in Safe Mode with Command Prompt

1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
2. Do one of the following:
  • If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you will need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.
  • If your computer has more than one operating system, use the arrow keys to highlight the operating system you want to start in safe mode, and then press F8.
3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Command Prompt, and then press ENTER. For more information about options, see Advanced startup options (including safe mode): http://windows.microsoft.com/en-US/windows-vista/Advanced-startup-options-including-safe-mode

STEP 2: Remove the malicious registry key and file

1. When Windows loads in 'Safe Mode with Command Prompt', the Windows command prompt will show up as shown in the image below. At the command prompt, type explorer.exe, and press Enter.
[Image: cPSFH.png]
The Windows Explorer will open, do not close this window.
2. Using the same Windows command prompt, type regedit and press Enter.
3. The Registry Editor will now open and you'll need to browse to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
and search on the list to the right for a registry entry named Shell.
4. Right click on this registry key and select the “Modify” option. Its default value should be 'explorer.exe', however this infection modified this entry.
5. Before you rename this registry entry to 'explorer.exe', copy the location of the modified value to a piece of paper or Notepad because this value will point you to the ransomware executable file, which needs to be removed.
In our case, the malicious file is running from the Desktop and it's called “contacts.exe”, but the cyber criminals may have changed the file name in your case so it might have a different name.
6. Modify the value of the registry entry back to 'explorer.exe'. Click OK to save your changes and exit the Registry Editor.
7. Browse to the location indicated in the value of the modified registry entry and delete the malicious file. In our case, the malicious file was running from the Desktop and it was called “contacts.exe”.
8. Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.
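The check from STEP 2, as an added example that is not part of the original post or of any tool named in this thread: it reads the text printed by `reg query` and reports any Winlogon Shell value that is not explorer.exe, with the file path to note down before restoring it. The sample output, the path C:\Users\Example\Desktop and the function names are constructed for illustration, and the script also accepts the per-user (HKEY_CURRENT_USER) Winlogon key, which goes beyond the key named in the post.

```python
import re

# Default data for the Winlogon "Shell" value, as stated in the post above.
DEFAULT_SHELL = "explorer.exe"

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

# Constructed sample of `reg query "<key>"` output (not taken from a real system).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\Example\Desktop\contacts.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
"""


def parse_reg_query(output):
    """Return {key_path: {value_name: data}} from `reg query` text output."""
    keys, current = {}, None
    for line in output.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            match = VALUE_LINE.match(line)
            if match:
                current[match.group("name")] = match.group("data").strip()
    return keys


def executables(shell_data):
    """Entries in the Shell data other than explorer.exe: the paths to write down."""
    parts = [p.strip().strip('"') for p in shell_data.split(",")]
    return [p for p in parts if p and p.lower() != DEFAULT_SHELL]


def audit_shell(output):
    """List Winlogon Shell values whose data differs from the default."""
    findings = []
    for key, values in parse_reg_query(output).items():
        shell = values.get("Shell")
        if shell is None or not key.lower().endswith(r"\currentversion\winlogon"):
            continue
        if shell.strip().strip('"').lower() != DEFAULT_SHELL:
            findings.append({"key": key, "value": shell, "files": executables(shell)})
    return findings


if __name__ == "__main__":
    for finding in audit_shell(SAMPLE):
        print("Non-default Shell in", finding["key"])
        print("  current data:", finding["value"])
        print("  note down before restoring:", ", ".join(finding["files"]))
```

A finding only means the value differs from the default; the file it points to still has to be checked and removed as described in step 7.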
 

nwcarter

New Member
Thread author
Jun 21, 2012
11
I'm afraid booting into safe mode still goes to blue screen Stop 0x000000007 etc.

Should I try the registry edit using the Kaspersky CD's registry editor option?
Wynne
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
nwcarter said:
I'm afraid booting into safe mode still goes to blue screen Stop 0x000000007 etc.

Should I try the registry edit using the Kaspersky CD's registry editor option?
Wynne

Yes, you can also do that by using the Kaspersky CD.
Make sure you write down the malicious file name and location before adding the 'explorer.exe' value, so that we will know from where we can remove it.
 

nwcarter

New Member
Thread author
Jun 21, 2012
11
Well I found how to get wireless networking on so I updated Kaspersky and ran it. It found one & I deleted.
Then did windowsunlock and boot save.
Didn't find anything with Registry editor. Removed a few temp files.

Restarted and have my m/c back.
What would you recommend I run now to be sure it's away?
Many thanks for your help by the way!
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Ok, great....
Let's make sure this PC is clean.... Please run a scan with Malwarebytes and HitmanPro .....

STEP 1: Run a scan with Malwarebytes Anti-Malware

1. Download the latest official version of Malwarebytes Anti-Malware FREE.
MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK: http://www.malwarebytes.org/products/malwarebytes_free (This link will open a download page in a new window from where you can download Malwarebytes Anti-Malware Free)
2. Start the Malwarebytes' Anti-Malware installation process by double clicking on the mbam-setup file.
3. When the installation begins, keep following the prompts in order to continue with the setup process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.
4. Malwarebytes Anti-Malware will now start and you'll be prompted to start a trial period, please select 'Decline' as we just want to use the on-demand scanner.
5. On the Scanner tab, select Perform full scan and then click on the Scan button to start scanning your computer.
6. Malwarebytes' Anti-Malware will now start scanning your computer for malicious files as shown below.
[Image: Malwarebytes scanning for malicious files]
7. When the scan is finished a message box will appear, click OK to continue.
8. You will now be presented with a screen showing you the malware infections that Malwarebytes' Anti-Malware has detected. Please note that the infections found may be different than what is shown in the image. Make sure that everything is Checked (ticked) and click on the Remove Selected button.
[Image: Infections found by Malwarebytes]
9. Malwarebytes' Anti-Malware will now start removing the malicious files. After completing this task it will display a message stating that it needs to reboot, please allow this request and then let your PC boot in Normal mode.

STEP 2: Double check your system for any left over infections with HitmanPro

1. Download the latest official version of HitmanPro.
HITMANPRO DOWNLOAD LINK: http://www.surfright.nl/en/downloads/ (This link will open a download page in a new window from where you can download HitmanPro)
2. Double click on the previously downloaded file to start the HitmanPro installation.
IF you are experiencing problems while trying to start HitmanPro, you can use the "Force Breach" mode. To start this program in Force Breach mode, hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode - Video: http://www.youtube.com/watch?feature=player_embedded&v=m6eRWTv2STk)
3. Click on Next to install HitmanPro on your system.
4. The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan, select an option then click on Next to start a system scan.
5. HitmanPro will start scanning your system for malicious files as seen in the image below.
[Image: hitmanpro-scanning.png]
6. Once the scan is complete, you'll see a screen which will display all the malicious files that the program has found. Click on Next to remove these malicious files.
7. Click Activate free license to start the free 30 days trial and remove the malicious files.
8. HitmanPro will now start removing the infected objects. If this program asks you to restart your computer, please allow this request.
 

nwcarter

New Member
Thread author
Jun 21, 2012
11
Jack said:
Ok, great....
Let's make sure this PC is clean.... Please run a scan with Malwarebytes and HitmanPro .....

I've done that and indeed this post comes from the affected m/c.
Many thanks indeed,
Wynne
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
nwcarter said:
Jack said:
Ok, great....
Let's make sure this PC is clean.... Please run a scan with Malwarebytes and HitmanPro .....

I've done that and indeed this post comes from the affected m/c.
Many thanks indeed,
Wynne

If everything is fine now, then please start a thread in our Security Configuration forum >>> http://malwaretips.com/Forum-Security-Configuration-Wizard .. it's time to properly secure your computer!! :D

Again Welcome to MalwareTips! :drinks:
 