Manually Remove the Police Virus Using Another User on the Same PC

  1. This procedure works on Windows 7 when another user account on that computer is not infected and is an Administrator.
  2. Log on, or switch user, to the non-infected account.
  3. Start Registry Editor: C:\Windows\Regedit.exe
  4. In Regedit, highlight the HKEY_USERS key and go to the menu File > Load Hive
  5. Go to : C:\Users\<user>\ where <user> is the name of the infected user
  6. Open the "ntuser.dat" or "ntuser.dat.bhv" file (usually a hidden file)
  7. You'll be asked for a "Key Name". You can use anything you want, but maybe the safest is the infected user's name.
  8. Expand the Hive you just loaded
  9. Find a folder named "Winlogon" in the left list. The full name of the folder should be something like "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
  10. In the right list, find a registry value named "Shell". The complete file name there should include something like "C:\Documents and Settings\username\desktop\Bleah.exe"
  11. Write down on paper the EXACT file name. In my case the file name at the end was "Skype.exe" instead of "Bleah.exe". You may find the name of any important file or program there. It is a FAKE name!
  12. Right-click the word "Shell" and select Modify. You will see a dialog box showing the value data. In my case: "C:\Documents and Settings\username\Desktop\Skype.exe"
  13. Change this value to "Explorer.exe", replacing whatever is already there.
  14. Go to the Edit > Find menu and type the virus info you wrote down. In my case it was "Skype.exe". Make sure that Keys, Values and Data are ALL checked in the options.
  15. Hit Find Next to find all the registry keys containing the virus info. When you find one, right-click the name and use Delete.
  16. Force a shutdown of the computer by holding down the PowerOff button on the keyboard. Restart the computer normally or in Safe Mode. It will work OK.
  17. Delete the virus files. Go to the folder containing the files. You have it written down on paper (in my case: "C:\Documents and Settings\username\desktop"). You should find there one or several files with the fake name. In my case I found 2 files: "Skype.exe" and "Skype.dat"
  18. Rename or delete the files. I chose to rename them to "___Skype___.exe" and "___Skype___.dat"
  19. After everything is checked and OK you should completely delete the virus files. In my case: "___Skype___.exe" and "___Skype___.dat"
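
Steps 3 to 13 can also be run as a script from the non-infected Administrator account. The following PowerShell is an added example, not part of the original post: it loads the infected user's hive with reg.exe, reports the Winlogon "Shell" value to write down, and only changes it when -ResetShell is given. The mount name "Offline_<user>" and the parameter names are assumptions chosen for this example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session as the non-infected Administrator; the infected user must be logged off,
# otherwise ntuser.dat is locked and cannot be loaded.
param(
    [Parameter(Mandatory)][string]$UserName,   # profile folder name of the infected user
    [switch]$ResetShell                        # also apply step 13 (set Shell to Explorer.exe)
)

$mount    = "Offline_$UserName"                # hypothetical "Key Name" for the loaded hive
$hiveFile = "C:\Users\$UserName\ntuser.dat"
# Inside a loaded user hive the key sits under HKEY_USERS\<Key Name>\Software\...
$winlogon = "HKU\$mount\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

if (-not [System.IO.File]::Exists($hiveFile)) { throw "Hive not found: $hiveFile" }

& reg.exe load "HKU\$mount" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (hive in use, or session not elevated?)" }

try {
    # reg query prints a line such as: "    Shell    REG_SZ    C:\...\Bleah.exe"
    $out   = & reg.exe query $winlogon /v Shell 2>$null
    $match = $out | Select-String -Pattern '^\s+Shell\s+REG_\w+\s+(.+)$' |
             Select-Object -First 1

    if (-not $match) {
        Write-Output "No per-user Shell value found in $winlogon"
    }
    else {
        $shell = $match.Matches[0].Groups[1].Value.Trim()
        if ($shell -ieq 'explorer.exe') {
            Write-Output "Shell is '$shell' (nothing to change)"
        }
        else {
            # This is the exact file name to write down in step 11.
            Write-Output "Shell is '$shell' (NOT Explorer.exe)"
            if ($ResetShell) {
                & reg.exe add $winlogon /v Shell /t REG_SZ /d 'Explorer.exe' /f | Out-Null
                Write-Output "Shell reset to Explorer.exe"
            }
        }
    }
}
finally {
    # Always unload, even on error, so the hive file is released.
    & reg.exe unload "HKU\$mount" | Out-Null
}
```

Run it first without -ResetShell to record the file path, since the later steps that search the registry and delete the files depend on that exact name.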
