How to Manually Remove the Police Virus Using Another User on the Same PC

This procedure works on Windows 7 when another user account on the computer is still not infected and is an Administrator. Log on, or switch users, with the non-infected user's account. Start Registry Editor: C:\Windows\Regedit.exe. In...

19 Steps 2 min read Advanced

Step-by-Step Guide

  1. Step 1: This procedure works on Windows 7 when another user account on the computer is still not infected and is an Administrator.

  2. Step 2: Log on, or switch users, with the non-infected user's account.

  3. Step 3: Start Registry Editor: C:\Windows\Regedit.exe

  4. Step 4: In Regedit, highlight the HKEY_USERS key and choose File > Load Hive from the menu.

  5. Step 5: Go to C:\Users\<user>\, where <user> is the name of the infected user.

  6. Step 6: Open the "ntuser.dat" or "ntuser.dat.bhv" file (usually a hidden file).

  7. Step 7: You'll be asked for a "Key Name".

  8. Step 8: Expand the hive you just loaded.

  9. Step 9: Find a folder named "Winlogon" in the left list.

  10. Step 10: In the right list, find a registry value named "Shell".

  11. Step 11: Write down on paper the EXACT file name.

  12. Step 12: Right-click the word "Shell" and select Modify.

  13. Step 13: Change this value to "Explorer.exe", replacing whatever is already there.

  14. Step 14: Go to the Edit > Find menu and type the virus info you wrote down.

  15. Step 15: Hit Find Next to find all the registry keys containing the virus info.

  16. Step 16: Forcibly shut down the computer by holding down the Power Off button on the keyboard.

  17. Step 17: Delete the virus files.

  18. Step 18: Rename or delete the files.

  19. Step 19: After everything is checked and OK, you should completely delete the virus files.

Detailed Guide

Step 7 (Key Name): You can use anything you want, but maybe the safest is the infected user's name.

Step 9 (Winlogon): The full name of the folder should be something like "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".

Steps 10-11 (Shell): The complete filename there should include something like "C:\Documents and Settings\username\desktop\Bleah.exe". At the end my filename was "Skype.exe" instead of "Bleah.exe". You may find the name of any important file or program. It is a FAKE name!

Step 12 (Modify): You will see a dialog box with the value data. In my case: "C:\Documents and Settings\username\Desktop\Skype.exe".

Step 14 (Find): In my case it was "Skype.exe". Make sure that Keys, Values and Data are ALL checked in the options.

Step 15 (Find Next): When you find one, right-click the name and use Delete.

Step 16 (shutdown): Restart the computer normally or in Safe Mode. It will work OK.

Step 17 (delete the virus files): Go to the folder containing the files. You wrote it down on paper (in my case: "C:\Documents and Settings\username\desktop"). You should find there one or several files with the fake name. In my case I found 2 files: "Skype.exe" and "Skype.dat".

Step 18 (rename or delete): I chose to rename them to "___Skype___.exe" and "___Skype___.dat".

Step 19 (final delete): In my case: "___Skype___.exe" and "___Skype___.dat".
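
A scripted equivalent of Steps 4 to 15, added here as an example and not part of the original guide: it loads the infected user's hive with reg.exe, records the per-user Winlogon "Shell" value, lists registry entries that mention the file, and with -Fix resets the value to Explorer.exe. The script name, the "InfectedHive" key name, the -Fix switch and the log file name are assumptions; run it from an elevated PowerShell prompt in the clean Administrator account.

```powershell
# Added example (not from the original guide). Save as Check-UserShell.ps1 (hypothetical name).
param(
    [Parameter(Mandatory=$true)] [string] $InfectedUser,  # profile folder under C:\Users
    [string] $Mount = 'InfectedHive',                     # the "Key Name" from Step 7 (assumed)
    [switch] $Fix                                         # reset Shell to Explorer.exe (Step 13)
)

$hive = "C:\Users\$InfectedUser\ntuser.dat"
# Inside a loaded user hive the Winlogon key sits under Software\..., not under HKLM.
$key  = "HKU\$Mount\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

if (-not [System.IO.File]::Exists($hive)) { throw "Hive file not found: $hive" }

& reg.exe load "HKU\$Mount" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed: not elevated, or $InfectedUser is logged on" }

try {
    # Steps 9-11: read the per-user Shell value and record it before changing anything.
    $shell = $null
    foreach ($line in (& reg.exe query $key /v Shell 2>$null)) {
        if ($line -match '^\s+Shell\s+REG_\w+\s+(.+)$') { $shell = $Matches[1].Trim() }
    }
    if (-not $shell) { Write-Output 'No per-user Shell value is set.'; return }

    Write-Output "Shell = $shell"
    Add-Content -Path '.\shell-before.txt' -Value "$(Get-Date -Format s) $InfectedUser $shell"

    if ($shell -ieq 'explorer.exe') { Write-Output 'Shell already points to Explorer.exe.'; return }

    # Steps 14-15: list every key, value and data entry that mentions the file name.
    $leaf = Split-Path -Leaf $shell.Trim('"')
    Write-Output "Registry entries in the loaded hive mentioning '$leaf':"
    & reg.exe query "HKU\$Mount" /f $leaf /s

    if ($Fix) {
        # Step 13: replace whatever is there with Explorer.exe.
        & reg.exe add $key /v Shell /t REG_SZ /d 'Explorer.exe' /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg add failed' }
        Write-Output 'Shell reset to Explorer.exe.'
    }
}
finally {
    # Always unload the hive so the profile loads normally at the user's next logon.
    & reg.exe unload "HKU\$Mount" | Out-Null
}
```

Without -Fix the script only reports, so the recorded value in shell-before.txt can be reviewed before anything is changed.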

About the Author

Frances Morales

Writer and educator with a focus on practical creative arts knowledge.
