PCeU Ransomware

  Inside Edge 20:43 02 Dec 2012

Hi, ....My PC has been infected with the PCeU virus and it's locked. I can't boot it to Safe Mode either so have been unable to run any malware removal software.

I have 2 bootable HDDs in the PC so I booted to the clean one and have been trying to scan the infected drive from there. However, Malwarebytes, SuperAntiSpyware and a couple of others don't seem to find anything on the infected drive except some tracking cookies. When the scans run, they specifically look at the registry of the clean drive I've booted from, but don't seem to scan the registry of the infected one - where I'm led to believe all the junk gets installed. I'm using Superantispyware to scan specific parts of the infected HDD right now but still nothing substantial detected. The Emsisoft Emergency Kit looked more promising yesterday as it was finding more stuff than the others but was still running its scan after 10 hours or so and eventually crashed without completing. I couldn't make its custom scan option work, so it kept going right through the clean drive first, including thousands of jpgs and music files.

I'm running XP

Any suggestions gratefully received.

Many thanks in advance.


  lotvic 20:56 02 Dec 2012

If this ransomware blocks your screen when you start your computer in safe mode with networking, try starting your PC in safe mode with command prompt. (From ClickHere - has screenshots.)

  1. During your computer starting process press F8 key on your keyboard multiple times until Windows Advanced Options menu shows up, then select Safe mode with command prompt from the list and press ENTER.

  2. In the opened command prompt type explorer and press Enter. This command will open explorer window, don't close it and continue to the next step.

  3. In the command prompt type regedit and press Enter. This will open the registry editor window.

  4. In the registry editor window you should navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

  5. In the right side of the window locate "Shell" and right click on it. Click on Modify. The default value data is Explorer.exe; if you see something else written in this window, remove it and type in Explorer.exe (you can write down whatever else was written in the value data section - this is a path of the rogue execution file) - use this information to navigate to the rogue executable and remove it.

  6. Restart your computer, download and install a legitimate anti-spyware software and perform a full system scan to eliminate any left remnants of Metropolitan Police scam.

If command prompt still won't open Windows, there are more ways to remove the ransomware; they are on the link I've posted and it tells you which files need to be deleted.

  lotvic 20:58 02 Dec 2012

oops, forgot the links ClickHere and also clickhere

  lotvic 21:13 02 Dec 2012

Perhaps you could skip 1, 2, 3 and navigate step 4 and then do step 5 from your good clean bootup hard drive.
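Doing steps 4 and 5 from the clean boot drive means loading the infected install's SOFTWARE hive first, because regedit on the clean boot shows the clean install's own registry. The script below is an added example, not part of the thread; it assumes the infected drive is mounted as E: with Windows in E:\WINDOWS, and the mount name OfflineSoftware is arbitrary.

```batch
@echo off
rem Added example, not from the thread. Run as an administrator from the CLEAN install.
rem ASSUMPTION: the infected drive is E: and its Windows folder is E:\WINDOWS.
setlocal
set "HIVE=E:\WINDOWS\system32\config\software"
set "MOUNT=HKLM\OfflineSoftware"
set "KEY=%MOUNT%\Microsoft\Windows NT\CurrentVersion\Winlogon"

if not exist "%HIVE%" (
    echo Hive file not found: %HIVE%
    exit /b 1
)

rem Mount the infected install's SOFTWARE hive under a temporary key.
reg load "%MOUNT%" "%HIVE%" || exit /b 1

rem Read the offline Shell value (step 5 in the post above).
set "SHELL_VALUE="
for /f "tokens=2,*" %%A in ('reg query "%KEY%" /v Shell ^| findstr /i "REG_"') do set "SHELL_VALUE=%%B"
echo Offline Winlogon Shell = %SHELL_VALUE%

if /i "%SHELL_VALUE%"=="Explorer.exe" (
    echo Shell is the default value.
) else (
    echo Shell is NOT the default. Write down the path above, then restore it with:
    echo   reg add "%KEY%" /v Shell /t REG_SZ /d Explorer.exe /f
)

rem Always unload so the hive is flushed to disk and released.
reg unload "%MOUNT%"
endlocal
```

If the restore command is needed, run it before the `reg unload` line takes effect, that is, load the hive again, run `reg add`, then unload.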

  Phil Ocifer 10:31 03 Dec 2012

I received this particularly nasty piece of ransomware.

I cleared it off by the F8 method above and booting into safe mode with networking and selected the option to run System Restore back to the most recent good point (a couple of days earlier).

This worked, and the system came back up fine. I then downloaded super anti malware bytes (or whatever it is called) and did a scan and clean.

Seems to have cleared everything off fine and that was about 8 weeks ago.

I just thought I'd mention this, as I also investigated the methods above and thought "too much trouble".

  Inside Edge 13:49 03 Dec 2012

Hi All, ...thanks for the very prompt and useful ideas. I'm just headed home from work and will try these in a couple of hours and post back with the outcome.

By way of further information, when I tried F8 previously, I got the Advanced Options Menu up but when I selected Safe Mode (and later when trying Safe Mode with Networking), on pressing Enter, a progress bar came up which ran right to the end and stopped. Despite waiting several minutes, it seemed to hang there and never reached Safe Mode. I was wondering if the malware was causing that hang.

Nonetheless I'll try all your suggestions.

Thanks again

  Inside Edge 20:40 05 Dec 2012

Hi All, ...

Due to the infection apparently affecting my access to the Windows advanced boot menu, I opted to try the Kaspersky Rescue disk suggestion. It appears to have worked without any hitches. The disk was easy to create and I was able to boot to it right away. It took around 4 hours to scan my HDD but that's due to the fact that I didn't exclude any files at all from the scan and I have a lot of music, video and pics on the drive. It picked up lots of nasties and either quarantined or deleted them, ....I wasn't sure how it decided which to do! The PC then booted normally and I've just run a scan with McAfee, my installed antivirus software. That's taken an age too, but it's only found one infection and dealt with it. I'll follow that with Antimalwarebytes and/or Superantispyware for good measure.

I sent a query to Superantispyware by the way and they said that it wouldn't be able to scan the registry entries on a secondary HDD as I was originally trying to do.

So, all seems to be well - thanks again to everyone for your responses, your help really is appreciated.


This thread is now locked and can not be replied to.