
Tuesday, July 24, 2012

Remove Police Central e-crime Unit Virus (Uninstall Guide)

Picture this: you turn on your computer and there's a message from the Police Central e-crime Unit accusing you of an internet crime (illegally distributing copyrighted files and pornography), and then it demands money. If you were faced with this fake message, then your computer is infected with a type of malware called ransomware. And you're certainly not alone. These scams are spreading like wildfire and can definitely cause you trouble whether you give your money to the scammers or not.

Similar scams have also been out there claiming to be from the FBI and the U.S. Justice Department. Whether it is the Police Central e-crime Unit virus or any other similar scam, they all have one thing in common: they lock down your computer and then demand money. If you pay the scammers to unlock your computer, they may actually do it but will most likely continue to use your computer secretly to launch even more virus attacks and internet scams.

So far, we've seen two slightly different variants of Police Central e-crime Unit ransomware. The first variant belongs to the Win32/Weelsof malware family. Basically, it's a Trojan that allows hackers to perform a number of actions on the infected computer. And they certainly can launch such fake Police warnings as shown in the image below.

While this one is clearly targeting UK users, scammers have very similar scams ready to be used in other countries as well.

The Weelsof Trojan is a new piece of malware. It was documented earlier this year (June 2012). Please note that the ransomware scam is only one of its payloads. Fortunately, most antivirus programs will detect this ransomware right away, but if your computer catches this virus then you need to get better protection.

The second variant of Police Central e-crime Unit (PCeU) ransomware belongs to the Win32/Reveton malware family. As you can see, the fake warning is slightly different and more sophisticated, claiming to be from the Specialist Crime Directorate rather than the Metropolitan Police.

They even added a web cam image to give the impression that the victim is under surveillance. Of course, they do not actually activate your web cam even if you have it. Scammers display the same picture on every infected machine. So, don’t worry about that.

Very often, people download and install such scams voluntarily. Malware applications are usually disguised as a software upgrade. People don't know what that is and they think they need it because it looks like they do. Besides, something as simple as opening a PDF file can infect your computer or allow scammers to download the Police Central e-crime Unit virus onto it. Keep in mind that other software applications are vulnerable too.

Scammers exploit Java and Flash vulnerabilities to load the malicious code on targeted computers. It's very important to keep your machine updated. What is more, cyber criminals use valid software certificates and other possible methods to avoid detection and to infect as many computers as possible.

So, if you got infected with this fake Police Ukash virus, please follow the steps in the removal guide below. Sometimes, users can restart infected computers in Safe Mode. That makes the removal procedure a lot easier. Unfortunately, most of the time this ransomware comes bundled with other malware that locks down the computer completely. In such a case, a Live CD is the only option. We will show you how to remove the Police Central e-crime Unit virus using Kaspersky Rescue Disk. Hopefully, this virus will only cost you time without taking your money too.

If you have any questions about this infection or need help removing it, please leave a comment below. Good luck!


Method 1: Police Central e-crime Unit virus removal instructions using System Restore in Safe Mode with Command Prompt:

1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key.

2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears, you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the Police Central e-crime Unit ransomware will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer to an earlier date.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Police Central e-crime Unit virus.

Method 2: Police Central e-crime Unit virus removal instructions using System Restore in Safe Mode:

1. Power off and restart your computer. As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "system restore". Or you can browse into the Windows Restore folder and run System Restore utility from there:
  • Win XP: C:\windows\system32\restore\rstrui.exe double-click or press Enter
  • Win Vista/7/8: C:\windows\system32\rstrui.exe double-click or press Enter
3. Select Restore to an earlier time or Restore system files... and continue until you get into the System Restore utility.

4. Select a restore point from well before the Police Central e-crime Unit virus appeared; two weeks should be enough.

5. Restore it. Please note, it can take a long time, so be patient.

6. Once restored, restart your computer and hopefully this time you will be able to login (Start Windows normally).

7. At this point, download recommended anti-malware software (direct download) and run a full system scan to remove the Police Central e-crime Unit virus.

Method 3: Police Central e-crime Unit virus removal instructions using MSConfig in Safe Mode:

1. Power off and restart your computer. As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "msconfig". Launch the application. If you're using Windows XP, go to Start then select Run.... Type in "msconfig" and click OK.

3. Select the Startup tab. Expand the Command column and look for a startup entry that uses rundll32.exe to launch a randomly named file from the %AppData% or %Temp% folders. See the example below:

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

4. Disable the malicious entry and click OK to save changes.

5. Restart your computer. This time Start Windows normally. Hopefully, you won't be prompted with a fake Police Central e-crime Unit virus screen.

6. Finally, download recommended anti-malware software (direct download) and run a full system scan to remove the Police Central e-crime Unit virus.
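The check described in step 3 of Method 3 can also be run over an exported list of startup entries. The following is an added example, not part of the original guide: the function name, the folder markers and all sample entries except the first command line (quoted from step 3) are assumptions made for illustration.

```python
import re
from ntpath import basename, normpath

# rundll32 command line: <rundll32 path> <dll>[,<export>] [args]; quotes optional.
RUNDLL = re.compile(
    r'^\s*"?(?P<exe>[^"]*?rundll32(\.exe)?)"?\s+'
    r'"?(?P<dll>[^",]+)"?\s*(,\s*(?P<export>\S+))?',
    re.IGNORECASE,
)
# Assumed markers for the %AppData% / %Temp% locations named in step 3
# (Vista/7 and XP profile layouts, plus unexpanded environment variables).
ENV_PREFIXES = ("%appdata%\\", "%localappdata%\\", "%temp%\\", "%tmp%\\")
DIR_MARKERS = ("\\appdata\\", "\\application data\\", "\\local settings\\temp\\")


def suspicious_startup_entries(entries):
    """Return (name, dll, export) for rundll32 entries loading from AppData/Temp."""
    hits = []
    for name, command in entries:
        m = RUNDLL.match(command)
        if not m or basename(m.group("exe")).lower() not in ("rundll32", "rundll32.exe"):
            continue  # not a rundll32 launch at all
        dll = normpath(m.group("dll").strip())
        path = dll.lower()
        if path.startswith(ENV_PREFIXES) or any(d in path for d in DIR_MARKERS):
            hits.append((name, dll, m.group("export")))
    return hits


# Constructed sample of startup entries (name, command). Only the first command
# line is taken from the guide; the rest are made up for illustration.
SAMPLE_ENTRIES = [
    ("regepqzf", r"C:\Windows\System32\rundll32.exe "
                 r"C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("NvCpl", r"RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup"),
    ("xp_style", r'"C:\WINDOWS\system32\rundll32.exe" '
                 r'"C:\Documents and Settings\user\Application Data\abcd.dll",Run'),
    ("envvar", r"rundll32 %TEMP%\qwerty.dll,Start"),
]

if __name__ == "__main__":
    for name, dll, export in suspicious_startup_entries(SAMPLE_ENTRIES):
        print(f"disable and inspect: {name}: {dll} (export {export})")
```

Legitimate rundll32 entries that load a DLL from the Windows system folder, such as the constructed NvCpl line, are not flagged; only DLLs under user-writable profile or temp folders are.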

Method 4: Police Central e-crime Unit Ransomware removal using Kaspersky Rescue Disk:

1. Download the Kaspersky Rescue Disk iso image from the Kaspersky Lab server. (Direct download link)
Please note that this is a large download, so please be patient while it downloads.

2. Record the Kaspersky Rescue Disk iso image to a CD/DVD. You can use any CD/DVD recording software you like. If you don't have any, please download and install ImgBurn. Small download, great software. You won't regret it, we promise.

For demonstration purposes we will use ImgBurn.

So, open up ImgBurn and choose Write image file to disc.

Click on the small Browse for file icon as shown in the image. Browse into your download folder and select kav_rescue_10.iso as your source file.

OK, so now we are ready to burn the .iso file. Simply click the Write image file to disc button below and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.

3. Configure your computer to boot from CD/DVD. Use the Delete, F2 or F11 key to load the BIOS menu. Normally, information on how to enter the BIOS menu is displayed on the screen at the start of the OS boot.

The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
  • Ctrl+Esc
  • Ctrl+Ins
  • Ctrl+Alt
  • Ctrl+Alt+Esc
  • Ctrl+Alt+Enter
  • Ctrl+Alt+Del
  • Ctrl+Alt+Ins
  • Ctrl+Alt+S
If you can enter Boot Menu directly then simply select your CD/DVD-ROM as your 1st boot device.

If you can't enter Boot Menu directly then simply use the Delete key to enter the BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority.

Set CD/DVD-ROM as your 1st Boot Device. Save changes and exit the BIOS menu.

4. Let's boot your computer from Kaspersky Rescue Disk.

Restart your computer. After restart, a message will appear on the screen: Press any key to enter the menu. So, press Enter or any other key to load the Kaspersky Rescue Disk.

5. Select your language and press Enter to continue.

6. Press 1 to accept the End User License Agreement.

7. Select Kaspersky Rescue Disk. Graphic Mode as your startup method. Press Enter. Once the actions described above have been performed, the operating system starts.

8. Click on the Start button located in the bottom left corner of the screen. Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by the Police Central e-crime Unit virus. It won't take very long.

9. Click on the Start button once again and fire up the Kaspersky Rescue Disk utility. First, select My Update Center tab and press Start update to get the latest malware definitions. Don't worry if you can't download the updates. Just proceed to the next step.

10. Select Object Scan tab. Place a check mark next to your local drive C:\. If you have two or more local drives make sure to check those as well. Then click Start Objects Scan to scan your computer for malicious software.

11. Quarantine (recommended) or delete every piece of malicious code detected during the system scan.

12. You can now close the Kaspersky Rescue Disk utility. Click on the Start button and select Restart computer.

13. Please restart your computer into the normal Windows mode. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Police Central e-crime Unit virus and to protect your computer against these types of threats in the future.

For more information about ransomware threats and possible removal methods, please read the general ransomware removal guide.


Anonymous said...

Hi there,

Unfortunately having followed these steps, your fix didn't work for me. Once I had restarted Windows (after removing the detected Trojan), my desktop loaded as normal but then flashed several times and took me to a plain white screen. Even after waiting 5 minutes, the 'Police Central e-crime Unit' message still doesn't appear.

Presumably it's still there lurking in the background, the question is: how do I remove it entirely? I can't boot into safe mode so I'm guessing another rescue disc may be needed - unless you have another suggestion?

Any help you can offer would be GREATLY appreciated!

Many thanks

Anonymous said...

I am also having the same malware says it's deleted but pc still behaving oddly. Can't reboot in safe mode either, F8 seems to do nothing.
Any help out there?

Anonymous said...

I've recently got the new 2012 version of this virus and all I want to know is what happens to your laptop after 72 hours is up?
Any help out there?

Anonymous said...

I have followed your steps but when I restart and log in I have a black screen with my computer open. Any help is appreciated.

Anonymous said...

Cheers for helpful steps in trying to solve this.

I have just burnt the Kaspersky rescue iso onto disc but my disc drive for some reason doesn't open? I've tried opening it in safe mode using eject under my computer. Also tried manually with a paperclip in the hole.

Is this locked as part of the Trojan or just coincidence? I've actually never tried opening cd rom before as it's my work laptop and have never needed to. This is so annoying :S

Anyone had the same problem or any suggestions?

Anonymous said...

Also just to add to my last comment, I noticed if you turn off your wireless internet (if you have the switch on your laptop front) then it does not come up, the fake police warning. It needs to connect to internet; the moment I turn it on then it covers the screen. Ctrl alt del and then log off, then switch the wireless off and log in again and no warning, can use desktop etc. as normal, back up, save data, run cleanup, security scan etc., then on and warning comes up..... So I took advantage playing with this: I managed to open lots of pages/programs (to slow logging off process), then turned on wireless int, then got warning and locked computer, then I ctrl alt del logged off and as soon as the warning disappeared it's still trying to log off, says logging off, need to wait for ..... programs to close, option cancel log off, force log off etc., so canceled log off at the last moment and that seems to have confused it and got rid of it and I can now go on internet to try properly solve this one :S Hope it's helpful, bit haphazard I know, I'm not a pro!

Anonymous said...

Thank you for the instructions, I followed them up to having to use the Kaspersky CD but ran Malwarebytes in safe mode and it got rid of the pop up. It was very useful for a novice like me and you saved me a lot of embarrassment from my family! Thank you.

Anonymous said...

Thank you. Your safe-mode solution worked for me. However, I want to correct a point in your article. The trojan did turn on my webcam, and showed me live video of myself.

Betty said...

Definitely just wipe your hard drive and reinstall Windows.
tah dah

Anonymous said...

Hi Everyone

The removal worked fine for me as I couldn't start the computer in safe mode, just followed the steps, then updated the anti virus when done :-)
Not had any more problems since removal

Anonymous said...

Hi, just had this nasty virus on my computer and the first instruction worked brilliantly. Will not be leaving my laptop unprotected ever again. Thanks so much, thought I'd lost my laptop for a second, was gutted. Great help. Amazing what you can find on Google hey, thank god I've got Internet on my phone though, else wouldn't have been able to find this. Thanks again, you're a life saver.

Anonymous said...

Hi there, I followed the steps and i now just have a black screen, what should I do now?

Anonymous said...

Had tried several ways to rid my system of this virus/trojan. Followed the instructions at the top of this page, it worked. Am now downloading spyware removal tool as recommended. Thank you, a great help.

Anonymous said...

Hey, I had this virus one time, but then it just went away, I don't know when it just left, but I did catch it again with the camera, do I wait or....?

jack said...

Does this method work for other viruses too?

Anonymous said...

I got past it with system restore then ran the spyware removal

Keith Williams said...

I had the 'police warning' malware & realised that all the other websites purporting to help remove it had their own agenda - selling professional help. The removal instructions were way too complicated and left vital info out.

Coming to your website was a Godsend and, after unchecking around 4 suspect files, rebooted and - hey presto - it worked a treat.

Chrishp22 said...

Six hours later, it's been removed (I hope). Not straightforward. Options 1 to 3 didn't work - it closed down as soon as I got to the desktop screen, without showing a command prompt. Downloaded the Kaspersky ico file - discovered that normal CD burners don't work, you need to download an image burner - used the one recommended and it worked. However, the Kaspersky screen shots didn't correspond - Kaspersky 10 doesn't have a 'Windows Unloader' option so ran the full scan - took 90 minutes. When I rebooted, I got the command prompt screen. Entering 'explorer' as suggested just booted me out. But using some 15 year old memories of DOS commands, I managed to navigate to the restore facility, chose a date of 2 days ago, and Hey Presto! There is still an advantage for the non-professional to have a basic knowledge of DOS.