Saturday 28 July 2012

Remove Windows Ultra Antivirus (Uninstall Guide)

It's been a while since we've last seen a rogue security program from scareware families other that Fakevimes and Winwebsec. Ransomware applications have been roaming around the net for a while replacing (only partly) fake antivirus programs. Our guess is that ransomware scams became more profitable than rogue AVs. However, yesterday we stumbled upon a new rogue anti-virus program called Windows Ultra Antivirus which only proves that affiliate scareware networks are still active and not leaving anytime soon.



Windows Ultra-Antivirus is not a particularly nasty piece of malware. It's a typical fake antivirus program which claims that your computer is infected with viruses. Once installed, the rogue program pretends to scan your machine for malicious software. It randomly displays genuine Windows files and assigns assumed malware infections for each of those files. The rogue program rarely detects less then ten malware infections even on a perfectly clean computer with freshly installed Windows on it.

Unlike most fake antivirus programs, Windows Ultra Antivirus provides short threat descriptions for all the infections found during the scan. Not sure why malware authors did that but again we can guess they are trying to drive more sales by adding some extra reliability to their useless software.

Win32/Exploit.CVE-2010-3333.0 threat description:



Win32/Agent.TMP threat description:



Windows Ultra Antivirus is promoted through the use of fake online virus scanners and Trojan horses that masquerade as a legitimate Microsoft updates. The rogue application is configured to run automatically when Windows starts. The most worrying part is a rookit infection which comes bundled with this fake antivirus program. The malicious randomly named .sys file is dropped in C:\WINDOWS\system32\drivers folder. The file is locked so you can’t remove it manually.



In our case, the rootkit was detected as Gen:Variant.Zusy.8505 by GData ((Engine A).

Startup properties:
HKLM\SYSTEM\ControlSet001\Services\52fb2397ad5bf9eb\

The Windows Ultra Antivirus itself was detected as Trojan.FakeAlert.CYD, BackDoor.Bulknet.713, and Trojan-Dropper!IK by three different antivirus engines.

Normally, in order to remove found malware, victims are asked to purchase rogue AV programs. Windows Ultra-Antivirus scam works the same way but the problem is that at least at the time we tested this scareware, the payment page was unavailable.

hxxp://www.zokaisoft.com/payments/buynow.php?vendorId=1



So, it’s either a sign of a poorly organized scareware attack or they have some serious problems with payment processing.

Zokaisoft.com was registered by Aleksandr Bakcheev from Russia just a few weeks ago. But the whois information is probably false. We don't think such person even exists, unless cyber criminals used stolen credit card and personal details to register this domain.

So, what to do if you got infected by this annoying malware? First and foremost, do not attempt to remove Windows Ultra Antivirus manually. If you don't remove all malware components, malware authors can do anything while on your computer including reading your key strokes and getting personal identification information. To remove this malware from your computer properly, please follow the removal instructions below. Comments and questions are welcome. Good luck!


Windows Ultra Antivirus removal instructions:

1. First of all, we need to remove the rootkit. Download TDSSKiller and save it on your desktop.

2. Double-click on it to start TDSSKiller. NOTE: sometimes, rootkits block this utility to avoid removal. If you can't run this utility, simply rename tdsskiller.exe to iexplore.exe and run it again.

3. Once started, TDSSKiller may display an error message stating that it Can't Load Driver. Don't worry about that, simply click OK to continue.



4. Click on the Start Scan button to begin scanning your computer for rootkits.



5. When the scan is over, the utility outputs a list of detected objects with description. You should see a locked service which is the actual rootkit we need to remove.

Choose to Delete this rootkit and click on the Continue to remove delete the rootkit.



6. A reboot might require after disinfection. Click on the Reboot computer button.



7. TDSSKiller will now reboot your computer, but instead going into normal Windows mode reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

8. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus and associated malware from your computer.

NOTE: don't forget to update anti-malware software before scanning your computer.


Associated Windows Ultra Antivirus files and registry values:

Files:

Windows XP:
  • C:\Windows\System32\[SET OF RANDOM CHARACTERS].exe
  • C:\Windows\System32\drivers\[SET OF RANDOM CHARACTERS].sys
Registry values:
  • HHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
Tell your friends:

Friday 27 July 2012

SearchYa! Toolbar and Searchya.com (Uninstall Guide)

SearchYa! is a web search engine owned by Ironsource Ltd., based in Israel. There's also a browser toolbar with the same name SearchYa! toolbar. Both products come bundled with freeware and third-party applications. This software marketing strategy is very controversial, some experts say it should be unallowed while others think it's acceptable as long as EULA and opt-out options are presented in a very clear, concise, and easy to understand way. Maybe they are right, but what we know for sure, not all software developers follow these directions and sometimes they knowingly 'pushes' their software through silent installers and similar applications.



Speaking of SearchYa, it came bundled with a free FLV player application (both the toolbar and web search engine). Once installed, it changes default search engine in Internet Explorer and Mozilla Firefox. It changes home page as well (redirects to searchya.com). Searching directly from the address bar redirects to searchya.com too. That's why some people call it the searchya redirect virus. Google Chrome stays unaffected. The search results are surprisingly good but we suspect that they use Google custom search technology or something very similar to deliver quality search results. However, we don't know for sure.

SearchYa toolbar works in IE and Firefox. Chrome gets Speed Dial 4.0 extension instead of toolbar. So far, everything looks not bad, so where's the problem? The problem is that they do not have a properly working uninstaller. Users gave to remove web browser extensions and restore default settings manually. SearchYa Web Search removal might be specially difficult for Mozilla Firefox users.

To remove SearchYa web search and toolbar from your computer, please follow the removal instructions below. If you have any questions or valuable remarks, please leave a comment below. Good luck and be safe online!


SearchYa! toolbar and Web Search removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this browser hijacker. Hopefully you won't have to do that.





2. Go to the Start Menu. Select Control PanelAdd/Remove Programs.
If you are using Windows Vista or Windows 7, select Control PanelUninstall a Program.



3. Search for SearchYa! Web Search in the list. Select the program and click Remove button.

If you are using Windows Vista/7, click Uninstall up near the top of that window.



Alternate removal: run C:\Program Files\SearchYa!\1.5.20.0*\uninstall

* This is the version of the toolbar you downloaded.


Remove SearchYa! in Internet Explorer:

1. Open Internet Explorer. Go to ToolsManage Add-ons.



2. Select Search Providers. First of all, choose Bing or Live Search search engine and make it your default web search provider (Set as default).



3. Remove SearchYa! web search providers. Close the window.



4. Go to ToolsInternet Options. Select General tab and click Use default button or enter your own website, e.g. google.com instead of http://www.searchya.com. Click OK to save the changes. And that's about it for Internet Explorer.




Remove SearchYa! in Mozilla Firefox:

1. Open Mozilla Firefox. Go to ToolsAdd-ons.



2. Select Extensions. Remove searchya.com 1.5.0 toolbar. Close the window.




3. Click on the magnifying glass search icon as shown in the image below and select Manage Search Engines....



4. Choose Search from the list and click Remove to remove it. Click OK to save changes.



5. Go to ToolsOptions. Under the General tab reset the startup homepage or change it to google.com, etc.



6. In the URL address bar, type about:config and hit Enter.



Click I'll be careful, I promise! to continue.



In the filter at the top, type: searchya



Now, you should see all the preferences that were changed by SearchYa!. Right-click on the preference and select Reset to restore default value. Reset all found preferences!



And that's it for Mozilla Firefox!


Remove Speed Dial 4.0 in Google Chrome:

1. Click on Customize and control Google Chrome icon. Go to ToolsExtensions.



2. Select Speed Dial 4.0 and click on the small recycle bin icon to remove the toolbar.




Associated SearchYa! toolbar and Web Search files and registry values:

Files:
  • C:\Program Files\SearchYa!\1.5.20.0\escortShld.dll
  • C:\Program Files\SearchYa!\1.5.20.0\FavIcon
  • C:\Program Files\SearchYa!\1.5.20.0\searchyaApp.dll
  • C:\Program Files\SearchYa!\1.5.20.0\searchyaEng.dll
  • C:\Program Files\SearchYa!\1.5.20.0\searchyasrv
  • C:\Program Files\SearchYa!\1.5.20.0\searchyaTlbr.dll
  • C:\Program Files\SearchYa!\1.5.20.0\uninstall
  • C:\Program Files\SearchYa!\1.5.20.0\bh\searchya.dll
Registry values:
  • HKEY_CLASSES_ROOT\esrv.searchyaESrvc
  • HKEY_CLASSES_ROOT\esrv.searchyaESrvc\CurVer
  • HKEY_CLASSES_ROOT\ironsource.searchyaappCore
  • HKEY_CLASSES_ROOT\ironsource.searchyaHlpr
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.searchyaESrvc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar "SearchYa Toolbar"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\searchya
Tell your friends:

Boxore Adware (Uninstall Guide)

Today we came across another adware application called Boxore. It's distributed the old-fashioned way: people search for free online movie streaming sites where they could watch their favorite movies and TV shows without actually downloading them. Let's take The Dark Knight Rises as an example which stormed its way to the top of the US box office. There are many websites that allow you to watch this movie online and for free. Sounds good to be true? You betcha!

Most of the time, you either have to buy credits or download their "player" that is supposedly necessary to watch the movie. One of such streaming websites generated an error message claiming that we can't watch the movie because we don't have some fancy codecs installed on our machine. But that's not a problem, they immediately told us to download this free multimedia player called Player Plus which fixes everything right away. So, we did.

Surprisingly, the Player Plus setup wizard was in French even thought we were redirected from a video streaming site in English and the official download page was also in English. As you can see in the image below, we could choose not to install Boxore client and Babylon Toolbar but let's just say we were so excited or maybe inattentive and missed that option.



Everything went smoothly, we went back to the streaming site, clicked play button again and for our great disappointment we were able to watch The Dark Knight Rises trailer only, not the full movie. Darn scammers!

So, after all, we ended up with the Babylon toolbar and Boxore adware on our computer. You can read more about Babylon toolbar and Babylon search engine here. Now, let's have a look at Boxore client. There are two main components of this software: boxore.exe (client) and Update.exe (service). Both are set to start up automatically whenever you turn on your computer.

Going through boxore.exe file properties, comments section, quickly reveals what it's all about:
Get offers and recommendations matching with what you like (videos, games, music, ...)


The same information can be found at boxore.com. Furthermore, Boxore adware authors assure that their product is 100% safe, free and anonymous. It doesn't collect any information about the users. Boxore simply scans all the websites you visit searching for keywords that could help them determine what kind of topics you are interested in when browsing the net.

Boxore.exe sends ad requests regularly. If there's no ad available at that moment, it keeps monitoring your browsing habits. But we didn't have to wait very long for the first ad to show up. This advertisement (see the image below) was loaded after twenty or so minutes.



The ad came from openadserving.com. This website is currently ranking among 4000 most popular sites in the world. Even though, this data isn't very reliable we can still assume that Boxore network is serving ads to thousands of users each day.



And finally, one interesting fact about the multimedia player we downloaded: there are actually two versions of the Player Plus. If you download Player Plus from playerplus.com then you will get a clean version of this application. No toolbars, adware, etc. However, if you download Player Plus from a streaming site then you will get the evil version Player Plus X.



Last but but least, along with the Boxore adware came this Chrome extension called Smart Displat 1.1. We are not sure what it is, and we could find any information about this extension because it was removed from Chrome store. One way or another, this extension should be removed as well.

To remove Boxore adware and associated applications from your computer, please follow the removal instructions below. Good luck!

Source: http://deletemalware.blogspot.com


Boxore removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this browser hijacker. Hopefully you won't have to do that.





2. Go to the Start Menu. Select Control PanelAdd/Remove Programs.
If you are using Windows Vista or Windows 7, select Control PanelUninstall a Program.



3. Search for Boxore Client in the list. Select the program and click Remove button.

If you are using Windows Vista/7, click Uninstall up near the top of that window.



4. To remove Babylon toolbar and Babylon Search, please follow this removal guide.

5. Remove Smart Display 1.1 extension in Google Chrome.

 Click on Customize and control Google Chrome icon. Go to ToolsExtensions.



Select Smart Display 1.1 and click on the small recycle bin icon to remove the toolbar.



6. And finally, download recommended anti-malware software and run a full system scan to remove any associated malware or potentially unwanted applications from your computer.


Associated Boxore Adware files and registry values:

Files:
  • C:\Program Files\Boxore
  • C:\Program Files\Boxore\BoxoreClient
  • C:\Program Files\Boxore\BoxoreClient\boxore.exe
  • C:\Program Files\Boxore\BoxoreClient\COPYING
  • C:\Program Files\Boxore\BoxoreClient\index.dat
  • C:\Program Files\Boxore\BoxoreClient\rules.dat
  • C:\Program Files\Boxore\SmartDisplay\SmartExtensions\GoogleChrome\SmartDisplayExtension.crx
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Boxore
  • HKEY_LOCAL_MACHINE\SOFTWARE\Boxore\BoxoreClient
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\jeaihkehdlhkocphopopahkfjcfcphef
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Boxore Client"
Tell your friends:

Wednesday 25 July 2012

Remove Welcome to Nginx! (Uninstall Guide)

Our guess is if you're reading this, you've probably encountered a plain white web page referring to "Welcome to Nginx!" in your web browser. Further post will provide more details about this apparently very common problem and hopefully will help you solve it.

Nginx is rather popular open source web server software. It improves web servers' performance and stability. As a result, websites load faster and generate fewer errors. One out of ten website are delivered by web servers using this software. Needless to say, it’s a useful piece of code.

"Welcome to Nginx!" is basically a diagnostic web page. It indicates that Ngnix software was successfully installed on a web server. NOT your computer!



Normally, it's not a threat. It's nothing more than just a web page. You can encounter it while browsing the net. That's normal. However, if you are being constantly redirecting to Welcome to Nginx! web page then it's about time to raise red flags. This should not happen if your computer and network are clean and safe.

Of course, it's not necessary a malware infection. Sometimes, it's a web browser specific problem. Dumping web browser's cache and browsing history solves the problem quite easily. Toolbars and web browser add-ons may also cause "Welcome to Nginx!" message to appear in your web browser, especially when they have predefined start pages, etc. If it affects multiple browsers, you would like to flush your DNS cache, restore default settings or restart your router. It might actually help, just give it a try.

Typically, when a malicious software infection occurs, it will become obvious to you right away. Suddenly, your computer speed isn't fair. Strange pop-ups, search redirects, shady sites, you name it. But it might not be so obvious when the only sign of malware infection is the Welcome to Nginx! page. That's why most people say they got the Welcome to Nginx! virus. And they are right (sort of).

We can confirm there's malware that modifies Windows Hosts file and redirects users to malicious websites. Normally, this malware displays ads on the infected computer and redirects search results. Sometimes, malware redirects users to websites that encounter temporary outage or are moved to other location. This happens very often for numerous reasons.

First of all, scammers have to change their web servers or hosting providers quite often to keep their business up and running smoothly. Secondly, they might be loading ads from websites they cannot control. In other words, they are affiliates generating false clicks and ad impressions. Of course, there are more reasons, both technical and tactical, but these two are usually the most common. One way or another, you need to remove the Welcome to Nginx! virus from your computer because vividly speaking cyber criminals have a living gent inside your computer and they can do whatever they want to do. For example, they can secretly install spyware modules or use your computer for DDoS attacks. And that's not good.

To fix the Welcome to Nginx! problem and remove any malware that could cause it, please follow the steps in the removal guide below. If you have any questions or need further assistance, please leave a comment below. Good luck and be safe online!


"Welcome to Nginx!" removal instructions:

1. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus and associated malware from your computer.

2. Check Windows HOSTS file.

Go to: C:\WINDOWS\system32\drivers\etc.
Double-click "hosts" file to open it. Choose to open with Notepad.



The "hosts" file should look the same as in the image below. There should be only one line: 127.0.0.1 localhost in Windows XP and 127.0.0.1 localhost ::1 in Windows Vista/7. If there are more, then remove them and save changes. Read more about Windows Hosts file here: http://support.microsoft.com/kb/972034



Alternate method: to reset the Hosts file back to the default automatically, download and run Fix it and follow the steps in the Fix it wizard.

3. If the problem persists, please read this web document and follow the steps carefully: http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html

Tell your friends:

Tuesday 24 July 2012

Remove Police Central e-crime Unit Virus (Uninstall Guide)

Picture this, you turn on your computer and there's a message from Police Central e-crime Unit accusing you of an internet crime (illegally distributing copyrighted files and pornography) and then it demands money. If you were faced with this fake message then your computer is infected with a virus called ransomware. And you're certainly not alone. These scams are spreading like wild fire and can definitely cause you trouble whether you give your money to the scammers or not.

Similar scams have also been out there claiming to be from FBI and U.S. Justice Department. Whether it would be the Police Central e-crime Unit virus or any other similar scam they all have one thing in common, they lock down your computer and then demand money. If you pay the scammers to unlock your computer, they may actually dot but will most likely continue to use your computer secretly to launch even more virus attacks and internet scams.

So far, we've seen two slightly different variants of Police Central e-crime Unit ransomware. The first variant belongs to the Win32/Weelsof malware family. Basically, it's a Trojan that allows hackers to perform a number of actions on the infected computer. And they certain can launch such fake Police warnings as shown in the image below.



While this one is clearly targeting UK users, scammers have very similar scams ready to be used in other countries as well.

The Weelsof Trojan is a new piece of malware. It was documented earlier this year (June, 2012). Please note that ransomware scam is only one of its payloads. Fortunately, most antivirus programs will detect this ransomware right away but if your computer caches this virus then you need to get a better protection.

The second variant of Police Central e-crime Unit (PCeU) ransomware belongs to the Win32/Reveton malware family. As you can see, the fake waning is slightly different, more sophisticated, claiming to be from Specialist Crime Directorate rather than Metropolitan Police.



They even added a web cam image to give the impression that the victim is under surveillance. Of course, they do not actually activate your web cam even if you have it. Scammers display the same picture on every infected machine. So, don’t worry about that.



Very often, people download and install such scams voluntarily. Malware applications are usually disguised as a software upgrade. People don't know what that is and they think they need it because it looks like they do. Besides, something as simple as opening PDF file can infect computer or allow scammers to download Police Central e-crime Unit virus on your computer. Keep in mind that other software applications are vulnerable too.



Scammers exploit Java and Flash vulnerabilities to load the malicious code on targeted computers. It's very important to keep your machine updated. What is more, cyber criminals use valid software certificates and other possible methods to avoid detection and to infect as many computers as possible.

So, if you got infected with this fake Police Ukash virus, please follow the steps in the removal guide below. Sometimes, users can restart infected computers in Safe Mode. That makes the removal procedure a lot easier. Unfortunately, most of the time this ransomware comes bundled with other malware that locks down the computer completely. In such case, Live CD is the only option. We will show you how to remove Police Central e-crime Unit virus using Kaspersky Rescue Disk. Hopefully, this virus will only cost you time without taking your money too.

If you have any questions about this infection or need help removing it, please leave a comment below. Good luck!

Source: http://deletemalware.blogspot.com


Method 1: Police Central e-crime Unit virus removal instructions using System Restore in Safe Mode with Command Prompt:

1. Unplug your network cable and manually turn your computer off. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the Police Central e-crime Unit ransomware will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer into an earlier day.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Police Central e-crime Unit virus.


Method 2: Police Central e-crime Unit virus removal instructions using System Restore in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "system restore". Or you can browse into the Windows Restore folder and run System Restore utility from there:
  • Win XP: C:\windows\system32\restore\rstrui.exe double-click or press Enter
  • Win Vista/7/8: C:\windows\system32\rstrui.exe double-click or press Enter
3. Select Restore to an earlier time or Restore system files... and continue until you get into the System Restore utility.

4. Select a restore point from well before the Police Central e-crime Unit virus appeared, two weeks should be enough.

5. Restore it. Please note, it can take a long time, so be patient.

6. Once restored, restart your computer and hopefully this time you will be able to login (Start Windows normally).

7. At this point, download recommended anti-malware software (direct download) and run a full system scan to remove the Police Central e-crime Unit virus.


Method 3: Police Central e-crime Unit virus removal instructions using MSConfig in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "msconfig". Launch the application. If you're using Windows XP, go to Start then select Run.... Type in "msconfig" and click OK.

3. Select Startup tab. Expand Command column and look for a startup entry that launches randomly named file from %AppData% or %Temp% folders using rundll32.exe. See example below:

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

4. Disable the malicious entry and click OK to save changes.

5. Restart your computer. This time Start Windows normally. Hopefully, you won't be prompted with a fake Police Central e-crime Unit virus screen.

6. Finally, download recommended anti-malware software (direct download) and run a full system scan to remove the Police Central e-crime Unit virus.



Method 4: Police Central e-crime Unit Ransomware removal using Kaspersky Rescue Disk:

1. Download the Kaspersky Rescue Disk iso image from the Kaspersky Lab server. (Direct download link)
Please note that this is a large downloaded, so please be patient while it downloads.

2. Record the Kaspersky Rescue Disk iso image to a CD/DVD. You can use any CD/DVD record software you like. If you don't have any, please download and install ImgBurn. Small download, great software. You won't regret it, we promise.

For demonstration purposes we will use ImgBurn.

So, open up ImgBurn and choose Write image file to disc.



Click on the small Browse for file icon as show in the image. Browse into your download folder and select kav_rescue_10.iso as your source file.



OK, so know we are ready to burn the .iso file. Simply click the Write image file to disc button below and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.



3. Configure your computer to boot from CD/DVD. Use the Delete or F2, F11 keys, to load the BIOS menu. Normally, the information how to enter the BIOS menu is displayed on the screen at the start of the OS boot.



The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
  • Ctrl+Esc
  • Ctrl+Ins
  • Ctrl+Alt
  • Ctrl+Alt+Esc
  • Ctrl+Alt+Enter
  • Ctrl+Alt+Del
  • Ctrl+Alt+Ins
  • Ctrl+Alt+S
If you can enter Boot Menu directly then simply select your CD/DVD-ROM as your 1st boot device.

If you can't enter Boot Menu directly then simply use Delete key to enter BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority.



Set CD/DVD-ROM as your 1st Boot Device. Save changes and exist BIOS menu.



4. Let's boot your computer from Kaspersky Rescue Disk.

Restart your computer. After restart, a message will appear on the screen: Press any key to enter the menu. So, press Enter or any other key to load the Kaspersky Rescue Disk.



5. Select your language and press Enter to continue.



6. Press 1 to accept the End User License Agreement.



7. Select Kaspersky Rescue Disk. Graphic Mode as your startup method. Press Enter. Once the actions described above have been performed, the operating system starts.



8. Click on the Start button located in the left bottom corner of the screen. Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Police Central e-crime Unit virus. It won't take very long.



9. Click on the Start button once again and fire up the Kaspersky Rescue Disk utility. First, select My Update Center tab and press Start update to get the latest malware definitions. Don't worry if you can't download the updates. Just proceed to the next step.



10. Select Object Scan tab. Place a check mark next to your local drive C:\. If you have two or more local drives make sure to check those as well. Then click Start Objects Scan to scan your computer for malicious software.



11. Quarantine (recommended) or delete every piece of malicious code detected during the system scan.



12. You can now close the Kaspersky Rescue Disk utility. Click on the Start button and select Restart computer.



13. Please restart your computer into the normal Windows mode. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Police Central e-crime Unit virus and to protect your computer against these types of threats in the future.

For for information about ransomware threats and possible removal methods, please read the general ransomware removal guide.

Tell your friends: