Tuesday, June 21, 2011
Remove METROPOLITAN POLICE Ransomware
(Uninstall Guide)
Remove METROPOLITAN POLICE Ransomware (Uninstall Guide) http://deletemalware.blogspot.co.uk/2011/06/remove-metropolitan...
1 of 53 06/10/2012 16:30
"METROPOLITAN POLICE" Attention! Illegal activity was revealed! is a
ransomware-based malware that demands payment before it will return control of your computer. About a month ago, we wrote about ransomware that replaces the Windows desktop with a fake warning from the German Federal Police (BUNDESPOLIZEI). Apparently cybercrooks are moving to Great Britain. As we wrote previously, if your computer is infected with ransomware, you will notice the difference right away. Your Desktop will be taken over by a scam notice headed METROPOLITAN POLICE. It will stop you from accessing your files, programs and system tools. Even if you start your machine in Safe Mode or Safe Mode with Networking, you'll get the same issue. The trojan claims that you were watching illegal pornographic websites and states that if you don't pay 75 in 24 hours then your computer will be wiped clean. Don't worry, the Trojan is not capable of doing this. On the other hand, no one wants to run the risk of losing important files or family photos, so there is a good chance that someone will actually fall victim to the scam artists behind the Metropolitan Police malware. To remove the METROPOLITAN POLICE ransomware from your computer, please follow the steps in the removal guide below. Good luck and be safe online!
Metropolitan Police malware removal instructions:
1. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key. Log in as the same user you were previously logged in as in the normal Windows mode.
2. When Windows loads, the Windows command prompt will show up as shown in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens. Do not close it.
3. Then open the Registry Editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.
4. Locate the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
In the right-hand pane select the registry value named Shell. Right-click on this value and choose Modify.
Default value is Explorer.exe.
Modified value data points to Trojan Ransomware executable file.
Please copy the location of the executable file it points to into Notepad or otherwise note it, and then change the value data to Explorer.exe. Click OK to save your changes and exit the Registry Editor.
5. Remove the malicious file. Use the file location you saved into Notepad or otherwise noted in the previous step. In our case, "Metropolitan Police" was run from the Desktop. There was a file called movie.exe.
Full path: C:\Documents and Settings\Michael\Desktop\movie.exe
Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.
6. Download recommended anti-malware software (Spyware Doctor) and
run a full system scan to remove the leftovers of this virus from your
computer. That's it!
Metropolitan Police malware removal using Kaspersky Rescue Disk:
1. Download the Kaspersky Rescue Disk iso image from the Kaspersky
Lab server. (Direct download link)
Please note that this is a large download, so please be patient while it downloads.
2. Record the Kaspersky Rescue Disk iso image to a CD/DVD. You can
use any CD/DVD record software you like. If you don't have any, please
download and install ImgBurn. Small download, great software. You won't
regret it, we promise.
For demonstration purposes we will use ImgBurn.
So, open up ImgBurn and choose Write image file to disc.
Click on the small Browse for file icon as shown in the image. Browse into your download folder and select kav_rescue_10.iso as your source file.
OK, so now we are ready to burn the .iso file. Simply click the Write image file to disc button below and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.
3. Configure your computer to boot from CD/DVD. Use the Delete, F2 or F11 key to load the BIOS menu. Normally, information on how to enter the BIOS menu is displayed on the screen at the start of the boot. The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
Ctrl+Esc
Ctrl+Ins
Ctrl+Alt
Ctrl+Alt+Esc
Ctrl+Alt+Enter
Ctrl+Alt+Del
Ctrl+Alt+Ins
Ctrl+Alt+S
If you can enter Boot Menu directly then simply select your
CD/DVD-ROM as your 1st boot device.
If you can't enter Boot Menu directly then simply use Delete key to enter
BIOS menu. Select Boot from the main BIOS menu and then select
Boot Device Priority.
Set CD/DVD-ROM as your 1st Boot Device. Save changes and exit the BIOS menu.
4. Let's boot your computer from Kaspersky Rescue Disk.
Restart your computer. After restart, a message will appear on the
screen: Press any key to enter the menu. So, press Enter or any other
key to load the Kaspersky Rescue Disk.
5. Select your language and press Enter to continue.
6. Press 1 to accept the End User License Agreement.
7. Select Kaspersky Rescue Disk. Graphic Mode as your startup
method. Press Enter. Once the actions described above have been
performed, the operating system starts.
8. Click on the Start button located in the left bottom corner of the
screen. Run Kaspersky WindowsUnlocker to remove Windows system
and registry changes made by Metropolitan Police Virus. It won't take
very long.
9. Click on the Start button once again and fire up the Kaspersky
Rescue Disk utility. First, select My Update Center tab and press Start
update to get the latest malware definitions. Don't worry if you can't
download the updates. Just proceed to the next step.
10. Select Object Scan tab. Place a check mark next to your local drive
C:\. If you have two or more local drives make sure to check those as
well. Then click Start Objects Scan to scan your computer for malicious
software.
11. Quarantine (recommended) or delete every piece of malicious code
detected during the system scan.
12. You can now close the Kaspersky Rescue Disk utility. Click on the
Start button and select Restart computer.
13. Please restart your computer into the normal Windows mode.
Download recommended anti-malware software (Spyware Doctor) and
run a full system scan to remove the remnants of Metropolitan Police
virus and to protect your computer against these types of threats in the
future.
Associated Metropolitan Police malware files and registry values:
Files:
[SET OF RANDOM CHARACTERS].exe
Registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"
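An added example, not part of the original post: a Python triage of the persistence points named on this page (the Winlogon Shell value from the guide, plus the DisableTaskMgr policy and Startup shortcut targets reported in the reader comments), run over saved `reg query` output. All sample input is constructed, and the random-name pattern and Temp-folder check are heuristics based on the file names readers report, not a complete detection.

```python
import re
from ntpath import basename  # parses Windows paths on any host OS

# Key paths from this page, lower-cased for case-insensitive lookup.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

# One value line of `reg query` output: name, type, data.
# The separator may be tabs or runs of spaces.
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")
# Heuristic (assumption): names like 0.9721615469483581.exe seen in the comments.
RANDOM_NAME = re.compile(r"^[0-9a-z]\.\d{6,}\.exe$", re.IGNORECASE)


def parse_reg_query(text):
    """Return {lower-cased key path: {lower-cased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            current[match.group(1).lower()] = (match.group(3) or "").strip()
    return keys


def payload_of(command):
    """Return the file a command really launches.

    For 'rundll32.exe <file>,<export>' that is <file>, not rundll32 itself.
    """
    cmd = command.strip()
    parts = cmd.split(None, 1)
    if len(parts) == 2 and basename(parts[0].strip('"')).lower() == "rundll32.exe":
        return parts[1].rsplit(",", 1)[0].strip().strip('"')
    return cmd.strip('"')


def triage(reg_text, startup_targets=()):
    """Return a list of (finding, detail) tuples worth a manual look."""
    findings = []
    keys = parse_reg_query(reg_text)

    # Guide step 4: Shell should be Explorer.exe; note the path of anything else.
    shell = keys.get(WINLOGON, {}).get("shell")
    if shell is not None and shell.lower() != "explorer.exe":
        findings.append(("winlogon-shell", payload_of(shell)))

    # Reported in the comments: Task Manager disabled through a policy value.
    if keys.get(POLICIES, {}).get("disabletaskmgr") in ("0x1", "1"):
        findings.append(("taskmgr-disabled", "DisableTaskMgr"))

    # Reported in the comments: Startup shortcuts pointing at Temp or random names.
    for target in startup_targets:
        payload = payload_of(target)
        in_temp = "\\temp\\" in payload.lower()
        if in_temp or RANDOM_NAME.match(basename(payload)):
            findings.append(("startup-item", payload))
    return findings


# Constructed sample input (not taken from a real machine).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Documents and Settings\user\Desktop\movie.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
"""
SAMPLE_STARTUP = [
    r"C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Local\Temp\0.1234567890123456.exe,Entry",
    r'"C:\Program Files\Vendor\updater.exe"',
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REG, SAMPLE_STARTUP):
        print(f"{kind}: {detail}")
```

The registry text can be captured from the Safe Mode command prompt with `reg query` on the two keys and redirected to a file; every finding still needs a manual check before anything is deleted.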
Posted by Admin at 11:41 AM
Labels: Ransomware
233 comments:
Anonymous said...
it is the best tip I found
it works
thank you
June 22, 2011 4:23 PM
Anonymous said...
This sorted the problem instantly. Thank you very much for posting.
November 1, 2011 11:01 AM
Anonymous said...
I was following it step by step, I did not write down the value data
location before saving it. Can you help with this? Please
November 1, 2011 3:23 PM
Admin said...
If you don't know where the malicious file is located, then just run
anti-malware software and I'm sure it will find it.
November 2, 2011 12:51 AM
Alex said...
I reached to the step where it says to modify shell. I did that and got
"Default value is Explorer.exe" however it is not leading me to "Modified
value data points to Trojan Ransomware executable file." What should I
do? How do I get the location?
November 14, 2011 2:18 PM
Anonymous said...
I have the same problem ! The default value was already "explorer.exe"...
What should I do ?
(sorry for my English !)
November 27, 2011 11:04 AM
Anonymous said...
As above already has 'explorer.exe' as value.
November 28, 2011 5:02 AM
Anonymous said...
Same here? Thanks by the way, I'm glad there are people out there working
to defeat the people working against us
-Gary
November 29, 2011 12:43 PM
Anonymous said...
Same as above!
November 29, 2011 5:57 PM
Anonymous said...
same as above, please help!
November 30, 2011 9:14 AM
Anonymous said...
This is happening in a new form now as some of the comments above
show. I fixed this by the following:
As well as starting explorer and regedit at the command line also start
msconfig. Select the Startup tab. It can be difficult to spot although it
stuck out for me as having an absurd name, there can be more than one
entry. I think the best way is to look in the location column for any entry
ending with something like a string of random letters/numbers.exe, mine
also had a comma with a few letters after it as well to try to confuse me.
Also look for any startup item with something similar in the 'Startup Item'
column. Unticking these entries and applying should prevent it starting,
and the entry should reveal the path to the .exe file which you can find
and delete. Be warned you can stop important programs starting up,
although they try to confuse you, mine was tagged as being from the IBM
corporation!
You can't just delete startup entries from msconfig. You have to use
regedit. In regedit I found the offending entries here:
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \
MSConfig \ startupfolder
but they might also be here:
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \
MSConfig \ startupreg
All advice given as is, it's your responsibility for things that happen to
your computer, etc. Hopefully this helps some people.
December 2, 2011 2:01 AM
Anonymous said...
Hi, I am also having same problem...
Shell has a default value of explorer.exe
And the startup doesn't show any weird items..
Please help
December 2, 2011 1:02 PM
Anonymous said...
I followed them instructions now I have no screen! HELP!
December 3, 2011 5:11 AM
Admin said...
Go back into Safe Mode with Command Prompt. Search the Registry for the
malicious file, the one you've deleted manually. In our case it was
movie.exe. Also, make sure that all the "Shell" registry keys have
"explorer.exe" values. Just search the Registry for the "Shell" key. By the
way, can you use the Start menu?
P.S. don't worry, your files are safe. You just need to fix certain Registry
values.
December 3, 2011 6:47 AM
Anonymous said...
Well I followed the instructions, I've modified it and changed it but I must have
put the wrong one because I couldn't find movie, so I restarted it and
when it's loaded I have no screen, it just stays blank with the mouse there.
What do I do?
December 3, 2011 7:59 AM
Anonymous said...
Well I followed all of the instructions, and I changed that box from
explorer to what I was meant to put, but I must have had an extra letter in
because it didn't work and I couldn't find the movie bit, so I restarted it, but
when I went back through safe mode there was no screen, so I tried it
again normal and it's the same, it loads up but staying black with the
mouse. So because I've put the wrong thing in it's gone like that. How do I
fix it?
December 3, 2011 8:02 AM
Anonymous said...
Help!! I have the same problem with shell being explorer.exe!!!!!
December 3, 2011 8:21 AM
Anonymous said...
Please help, I'm at the stage of edit string with explor.exe in the data
section, but what now, how can I find the folder where the malicious file is, as
I'm completely stuck as to where it's located.. nothing on my desktop that
relates to it..
December 3, 2011 11:48 AM
Anonymous said...
I asked the other question a few mins ago about not finding the file,
however after typing in winconfig into the command prompt as mentioned
above led me to the startup tab where I seen the file, it pretended to be an
HP file.. everything's running ok now.. however lesson learned!! Time for
some computer protection.. thank you
December 3, 2011 12:12 PM
Anonymous said...
I had the same blank screen problem after removing the offending items.
Simply reboot into safe mode and do a system restore to a previous date.
I didn't have a modified registry, I had explorer.exe.
I removed the startup entries with an excellent free programme called
ccleaner, go to tools startup, I had 2 entries with numbers like
0.4998473.exe and another, simply delete them
December 4, 2011 7:32 AM
Anonymous said...
I just had the same thing happen, and followed the advice above with the
extra bit about using msconfig to find and disable the file - mine was
called "flay opal stash shade bawd claus" and claimed to be from
packard bell! ...but then I wasn't sure I had the right file to delete in
regedit; there was only one with the same path but it had a different
name, will it still cause damage if I just leave it now, or should I delete it?
The file says 'path' under name, and has "/0.8886688223985121.exe.lnk"
after the location under data.
I have restarted the computer in normal mode and it seems to be running
fine now. Thank you so much for posting this guide!!
Sarah
December 4, 2011 7:58 AM
Anonymous said...
Just to add that the above didn't detect the malware (I got the same Met
Police warning but I must have had a different variant). My 'shell' setting
in the registry was configured as per the default (i.e. explorer.exe).
The malware was instead an .exe file with a seemingly random numeric
name and stored in my user temp folder. It was launched through 'Start
Up' in my start menu each time I booted into Windows.
The way I fixed it was to log on as a different user, delete the 'Start Up'
shortcut and then delete the .exe. If you have more than one user
configured on Windows, this might be an option (select a different user
when you start the PC - note they will require admin privs).
You can also likely achieve this via safe mode. If this fails, try a bootable
CD such as UBCD and delete the offending file from the affected user's
start up folder.
Good luck folks!
Phill
December 4, 2011 11:15 AM
Anonymous said...
how can i fix what i changed to have my screen back?
December 4, 2011 2:22 PM
Anonymous said...
@anonymous December 4, 2011 2:22 PM
Dunno. What did you do? As it says in a Haynes manual, reassembly is
the reverse of disassembly.
December 5, 2011 1:27 AM
Anonymous said...
I'm on windows 7 and the registry seems to be very different. How I fixed
it was to
- CTRL-ALT-DEL
- select logoff
- you'll get a message back that says some tasks are stopping windows
from closing
- hit cancel
For me, the virus exe had been stopped by the logoff request and I was
back in control.
If it doesn't work for you - perhaps it just logs off - try again but start task
manager (again from CTRL-ALT-DEL menu) before trying to logoff. You
won't see it's started, but it will be running behind the virus screen.
Once I had control back I could do the MSCONFIG, REGEDIT, and
delete offending exe thing that's well described above.
December 5, 2011 3:37 AM
Anonymous said...
When I re-booted my laptop it gave me the option to "repair computer". I
clicked on this and system restore and thankfully it did the job and
removed the virus phew!!
December 5, 2011 10:03 AM
Anonymous said...
This seems to be a stubborn and rapidly changing virus. I have removed
this once yesterday, Avira then spotted it trying to start a few hours later
and then it has re-infected again today. Different filenames each time,
Avira didn't find anything wrong with the latest one - I guess it is changing
faster than the anti-virus can keep up. Anyone have any ideas how to
keep this out??
December 5, 2011 1:40 PM
Anonymous said...
I done it much easier than that.. went into safe mode with networking,
entered explorer & regedit, and once it had loaded, searched .exe in the
search bar, right clicked, delete, into recycling bin and permanently
deleted.. now computer is fine.
December 6, 2011 2:40 AM
Anonymous said...
I did as above. Then I entered under safe mode. Then used CC cleanup.
Then a full system restore. Problem has gone. Like to know where I
picked this virus up from.
December 6, 2011 5:25 AM
Anonymous said...
thanks to everybody's advice managed to get it off my pc, for me it was
under "flab noun germs" by packard bell, glad found this site
December 6, 2011 11:59 AM
Anonymous said...
You saved my time and money!
I followed the advice of Anonymous who suggested using msconfig. It
totally worked.
Thank you a lot!
December 6, 2011 6:22 PM
Anonymous said...
I'm having this problem as well and followed these instructions but I'm still
having a problem up to editing 'shell' to 'explorer' part.
But I realised something, these instructions seem to be for WinXP (as you
can see from the cmd.exe screenshots). So I'm wondering, can this apply
to Vista and newer OSs?
This is probably the only best solution I can find so I want to confirm it
December 6, 2011 6:29 PM
Anonymous said...
Help my laptop screen has gone blank while following above instructions.
Laptop is on but screen gone blank. Someone kindly help on how to get
my screen back. Thank you.
December 6, 2011 9:58 PM
Anonymous said...
Yer I also found it under flab noun germs but now my pc just loading a
black screen ... Help
December 7, 2011 8:22 AM
Anonymous said...
took me a while to get there but i finally did, thanks this saved me a lot.
much appreciated!
December 7, 2011 6:16 PM
Anonymous said...
As Per about 5 posts up I successfully deleted the file. I use Windows 7.
In a bit more detail:
Boot the machine in Safe mode with Networking
Run a search in the start menu for ".exe"
Delete the file
Reboot in Normal mode and it should be gone.
Go into your Recycle bin, look at the file, poke it a bit and curse the fact
that it has ruined your morning.
Note:
This search only threw up one result for me which was the file in
question, located deep in a temp file within the Users directory. It
appeared to have two path names in fact. My file was called
0.9721615469483581.exe but I guess everyone can be different.
December 8, 2011 1:27 AM
Anonymous said...
Install Malwarebytes Anti-Malware if you have another pc, update it and
run a Quick scan, sorted mine
December 8, 2011 5:31 AM
Anonymous said...
IF its default EXPLORER.EXE... then;
when in safe mode with networking go onto your start menu and search
.exe
it should take you to the problem :3
December 8, 2011 5:56 AM
Anonymous said...
For those of you who can not see your desktop, start button, startup
folder, etc:
press Ctrl+Alt+Del, go to Task Manager, in Processes find and end any
explorer.exe process, then click File -> New Task and type explorer.exe
Voila, your desktop is back. Then go find the worm as per above. In my
case it was the (random number).exe, same name with .exe.lnk, but it
also modified the hosts.txt file in Windows. It was not in the startup, but it
was one of the services starting at logon that you can see in msconfig.
December 8, 2011 4:24 PM
Anonymous said...
I have just picked this up. I must say that it does make me chuckle a tad.
I wonder how much the scammers got scammed for this. Makes you
wonder about the countries where this was marketed than anything else.
Far be it for me to be a starry eyed saxon but I have enough faith in our
police forces. I am sure they would not be distracted from their duty by
100. Besides if they were in the business of imposing arbitrary fines - I
would have no respect for those who were obviously too busy eating
donuts to come round and get it. If this was too much trouble - I would
much prefer that they collect my fine via an attachment of earnings order.
However using pay pal / epay is not very dignified for the forces of law
and order - so utilities - so ebay. It's no party here either but cmon it aint
that bad.
Scammers use your nefarious gifts to change your countries. If you want
to play with the privileged - learn to spell and at least make your pop up
eye pleasing. UKASH now that is classy
December 8, 2011 4:35 PM
Anonymous said...
I tried going through the command prompt method but could not relate
the instructions to my system. My Operating system is Vista Service pack
2.
Not attempted anything as yet but have located the exe file. On checking
the Properties I see that:
Shortcut Target is: C:\Windows\System32\rundll32.exe C:\Users\Stuart\AppData\Local\Temp\0.4767109628561754.exe,SuppS
Opening the File location shows highlight: rundll32
Oh and I have noticed that I am unable to change the Security settings
for this.
The fact that this has obviously already run leads me to suppose that
merely deleting the executable is not quite good enough as there is
already corruption in the Registry.
I'm a real novice when it comes to these things. At present has anyone
any advice on either removal or damage limitation as I feel that this is
something that can evolve.
December 8, 2011 4:57 PM
Anonymous said...
Go to safe mode with networking
, type .exe on the start menu.
You'll see 7878766 sort of file.exe
Curse it then delete it, from recycle bin as well
That's all..worked for me after installing so many anti viruses and too
many researches,
Have a safe pc
December 8, 2011 6:43 PM
Anonymous said...
If you have the variant where it is running a command of the form (as in a
post above):
'C:\Windows\System32\rundll32.exe C:\Users\Stuart\AppData\Local\Temp\0.4767109628561754.exe,SuppS'
then you don't need to do anything with 'rundll32.exe', instead you should
delete the second file listed e.g. 'C:\Users\Stuart\AppData\Local\Temp\0.4767109628561754.exe'
December 9, 2011 9:01 AM
Anonymous said...
This guide helped thanks, also used the advice from anonymous about
using msconfig.
December 9, 2011 12:19 PM
Anonymous said...
I'm on Windows 7- what worked for me- pretty much as said above (also
loved the comment about poking it in the recycling bin for ruining your
morning- made me chuckle) anyhu yeh so- for the technologically
challenged out there- like myself.
Turn off computer, turn back on, tapping F8, select safe mode with
networking, log in to affected desktop- select start menu, type .exe into
search bar, delete file. note: DO IT QUICKLY!!! for me the virus still
popped up even in safe mode, but if you do it fast enough then you kick
its bum. Reboot- this time select normal mode. Run another anti virus
scan just to be on the safe side. Do happy dance. Enjoy Life. Peace and
love and shiz to you all - L x
December 9, 2011 2:38 PM
Anonymous said...
I'm on Windows XP. I got rid of this by installing Malwarebytes Anti-Malware
and did a full scan. It came up with a number of trojans -
ZBot.CBCGen, Trojan.Agent, Backdoor.Agent. Removed them all using
Malwarebytes. I then registered for a full copy of Malwarebytes and did
another quick scan. This flagged up a problem in the registry
(HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
(PUM.Hijack.TaskManager). After removing this everything worked
normally.
I had problem starting Windows up in safe mode - F didn't work for me.
Don't know if the trojan disabled this as well. I got round this by creating a
new user account and downloading and scanning from this account
rather than the infected one.
I have fully up to date Avast antivirus and Windows firewall running but it
didn't catch this.
Hope this helps someone else
December 10, 2011 12:13 PM
Anonymous said...
Thanks everyone - this was really helpful.
Having found and deleted the file from the startup and in its saved
place, the task manager was still disabled (used it as the test to see if it
really had gone)
To sort:
Click on Start, Run, and type REGEDIT and press Enter
Navigate to the following branch
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \
CurrentVersion \ Policies\ System
In the right pane, find and delete the value named DisableTaskMgr
Close the registry editor
December 10, 2011 12:38 PM
Maciej Jelen said...
I used "Malwarebytes Anti-Malware". It's free, job done! I had
0.0390998931754.exe and 0.0390998931754.exe.ink
December 10, 2011 4:35 PM
Anonymous said...
don't know if this will help but I managed to remove the virus with
ccleaner.
In my case it was in the start up.
Start up in safe mode f8 then open ccleaner,click on tools and then start
up.
you may see a program that looks like lots of numbers and symbols but
ending in.exe.ink right click on it and click disable.
I then rebooted my computer as normal and it seemed to be back to
normal so I opened ccleaner again and this time deleted it then rebooted.
that was 3 days ago and up to now it has been ok.
I hope this may help,good luck
December 11, 2011 1:42 AM
Anonymous said...
I've managed this by starting in safe mode and then checking msconfig.
Found the item .60***** and disabled. Started normally and then let
Malware do its job. No problems since
December 11, 2011 2:42 AM
Anonymous said...
Thanks to the person who said "have a safe pc" ur tutorial although
simple was highly effective, much appreciated this crap is now out of my
laptop and my life, thanks
December 11, 2011 4:32 AM
Anonymous said...
Thanks to all who put up posts here, got my pc back again. Took me
about 45 mins to clean it, but with the instructions here I managed to
delete the file. I didn't have the movie.exe, mine was in
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \
MSConfig \ startupfolder it was a bunch of random numbers.....exe.ink.
BTW I couldn't use my ctrl/alt/delete function at all..in fact still can't be hey
ho the virus / worm has now gone!!
December 12, 2011 8:46 AM
Anonymous said...
thanks for all your posts i finally got rid of this... i tried everything but only
one solution worked...
tried the first.. restart with command prompt and do the regedit shell
modify... but mine was still at explorer.exe...
did the malware search... 3 full scans 2 quick scans... with full updated
dictionary... found nothing...
looked at the start up list, nothing, and the msconfig startup, nothing.
how i found it was do a full search of all the c:\ drive with all files *.* [do a
date between search and also all hidden files]
once finished, sort by date modified... and you should see it as
A.6579432158649.exe or anything random as that. It was in fact on my
desktop but hidden and so was the shortcut in the startup folder hidden.
there is a rundll error in startup but i guess its trying to find the exe
December 12, 2011 10:39 AM
Anonymous said...
Using Windows 7,
I managed to delete the first virus by starting in safe mode with
networking and deleting .exe file,
like an idiot I never bothered to run my new Norton disc I purchased,
Hours later I now have another virus open lots of the same type of box
with a red cross, you also lose your background pic and it says my system
is over running, HELP Please,
I have tried start up with Norton disc but this is not working, saying Norton
bootable recovery tool but this is saying total items scanned 0 and total
risks detected 0,
so it's only preparing to scan but not actually scanning,
Can anyone tell me how to get rid of this extended part of the virus, on
start up in safe mode with networking there is no .exe programs anymore.
December 12, 2011 7:19 PM
Anonymous said...
Hi
Im 16 and I got this virus yesterday. I have no idea how to get rid of it,
please explain it to me in a very basic way!
Thanks
December 13, 2011 9:34 AM
amster said...
If you're using windows 7 - go to this directory by hook or by crook (i.e.
safemode) - or logging via a different user: C:\Users\\AppData\Local\Temp
AND DELETE EVERYTHING.
reboot.
December 13, 2011 6:06 PM
Anonymous said...
Norton is probably the worst anti-virus software available. Use avast or
avg in the future.
To remove this virus/malware boot your computer into 'safe mode' and
run MalwareBytes anti-Malware ( http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button )
December 14, 2011 1:29 AM
Anonymous said...
http://support.kaspersky.com/downloads/utils/www.bat.zip
unzip the file (if it asks use the default settings)
once its finished shutdown the pc
wait 5 mins
start up the pc.
December 14, 2011 2:05 AM
Anonymous said...
To the 16 year old. Start your computer in safe mode. Click on start. In
search programs and files type exe and the file that comes up should be
the virus. Mine came up as 0.9721615469483581. Then delete and
empty your recycle bin. Hope this helps. It was all I needed to do!
December 14, 2011 12:56 PM
peter said...
hi guys im still struggling with getting my desktop screen back, i have
followed the guide above and i think I've deleted the virus. If someone
could tell me how they got their screen back I'd be very grateful. cheers
December 14, 2011 1:10 PM
Morello said...
Just got this malware/rootkit/virus tonight and thought I'd share how I got
rid of it.
Followed the instructions as above but as many have said, the shell
value was still 'explorer.exe'. Also opened msconfig via the cmd prompt
and looked in Startup. Spotted it straight away and disabled it.
When I rebooted as normal, I went back in to regedit to remove the
traces and found the key to it in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder. This will show you where
the file is by looking at the key 'path' and that there's also a backup under
the key 'backup' (mine was in a folder called pss at C:\Windows\pss\).
Anyway, I deleted both files and then the key from the registry and now
have everything back to normal.
!!!>>>>> So if you can't find the thing in msconfig then you can remove it
directly from the registry to stop it from starting and then get rid of it.
December 14, 2011 1:35 PM
Anonymous said...
Thank you so much!!
the searching for .exe worked a treat :)
December 15, 2011 2:56 PM
Bill said...
Thanks to everyone who posted their advice. Typing in .exe into the
search bar and deleting the only file that came up did the trick. I'm just
glad this was a hoax. Was freaking out for a while there.
December 16, 2011 7:26 PM
Anonymous said...
Thanks to all who have posted their experiences. I was able to solve the
issue by using the advice posted. It's very annoying how some individuals
feel they need to develop viruses like these that cause problems for
others!
December 17, 2011 8:08 AM
Anonymous said...
windows 7
=========
1) CTR-ALT-DEL
2) log off
3) press cancel because log off failed
4) windows is back
5) see above comments to delete piece of shit
December 19, 2011 5:27 PM
Anonymous said...
Many thanks for all the previous advice. My laptop appears to be
generally working ok with one key exception. I am unable to connect to
my Sky Broadband as, when I try, there are no wireless connections
available. Ive not tested it in other locations so Im unsure if this problem
is restricted to my home address or if it is a wider wireless issue. Any
suggestions please?
December 20, 2011 4:07 AM
Anonymous said...
im on vista and these steps arent workin for me? anyone have any
suggestions?
December 20, 2011 6:15 AM
Anonymous said...
I'm running windows 7... im doing as suggested above regarding
searching for .exe and im not finding anything ... help please !
please adress chris if ur replying to this :D
December 20, 2011 7:43 AM
Anonymous said...
Will it work if I just restore my system. Please reply. If not, what do I do?
And how do I prevent this from happening in the future????
December 20, 2011 2:19 PM
Anonymous said...
Nothing seems to be working any help will be appreciated SOOOOOO
MUCH! Nothing is coming up when i search for .exe in start and though i
have found the suspected file using msconfig and disabled it it is not
working.
December 21, 2011 8:30 AM
Anonymous said...
Really helpful. I am genuinely grateful. Thank you
December 21, 2011 4:07 PM
Anonymous said...
I just got this virus while on the web. I immediately disconnected from the
internet before it can send any information from my computer for further
exploit. I then forcefully logged out of computer which stopped it in its
ways. Ran the virus scanner and everything went back to normal. I have
checked the registry and there is no sign of it anymore. I guess a good
virus scanner is a must for windows OS machines
December 22, 2011 11:15 AM
Anonymous said...
I JUST RECEIVED THIS VIRUS AND WITHIN 10 MINUTES IT WAS
GONE! THE EASY WAY TO DO THIS...ENTER YOUR PC WITH SAFE
MODE AND COMMAND PROMPT.....OPEN START > SEARCH>
ENTER '.EXE' THEN LOOK FOR A NUMBER EG. 0.0300381308
DELETE AND EMPTY TRASH...SIMPLE...MAKE SURE THE NUMBER
IS NEAR THE TOP OF THE LIST....GOOD LUCK!
December 22, 2011 11:26 AM
Anonymous said...
Will a full scan from malwarebytes detect the virus? If there's no problem
is it fine? PLEASE REPLY I'm only 16
December 22, 2011 12:05 PM
Anonymous said...
I have followed these steps and my computer starts fine but now I don't
have any desktop items only a black screen, although I can open task
manager then start explorer.exe to get to what is on my computer.
Has anyone had this problem and solved it?
Many thanks, and thank you for this thread for helping!
December 22, 2011 1:03 PM
Anonymous said...
on my windows 7, the registry hadn't been altered and i couldn't get task
manager to run, even from windows explorer.
i found a windows explorer window (using alt-tab) and ran system restore
to well before it happened. worked a treat.
file name is windows\system32\rstrui.exe
December 23, 2011 4:21 PM
Anonymous said...
HELP, please?
After I go on to the 'safe mode with command prompt' option..
I get something that says 'select the operating system to start', should I
select this as I should 'Login as the same user you were previously
logged in with in the normal Windows mode'? I've tried that and I don't
know where/how to type 'explorer' into?
RUBBISH with computers but I really need to get this done?
Any help would be appreciated, thank you.
December 25, 2011 9:03 AM
Anonymous said...
It worked for me....win 7 is my OS.
I started the PC in safe mode and removed all the files from C:\Users\Stuart\AppData\Local\Temp folder.
Basically virus exe is located in temp folder, so once you remove all the
files in temp folder it will delete virus exe file.
Now restart the PC in normal and remove the link from startup folder to
remove the link in msconfig.
Good Luck
December 25, 2011 3:45 PM
Anonymous said...
I've just searched .exe because we already had explorer.exe in the
correct place but have come up with about 2000 files in the results...any
ideas???
I've also tried to type msconfig in the command and it says that it can't do
anything?
December 26, 2011 2:11 AM
Anonymous said...
Thanks for above, managed to remove searching .exe
However, appears this has changed some settings on computer as I can't
connect to Internet, cannot locate wifi or create network connection. I
don't have any back up discs etc, tried to run various malware removers
as mentioned above but not corrected. Anyone suggest how to resolve?
Many thanks
December 27, 2011 1:33 AM
Anonymous said...
Hello, I can't seem to get onto safe mode when loading the computer. I'm
tapping F8 but it just loads up as normal, the desktop flashes for a
second then the Ukash virus takes over. Anyone got any suggestions?
December 27, 2011 8:46 AM
Anonymous said...
I've been trying everything above for hours now and to no avail. When I
open in safe mode with command prompt and try to open regedit or
msconfig it says file can't find the file. I've tried to delete everything from
AppData, but that hasn't worked. Now it's coming up when I open in safe
mode. Is there anything I can try prior to a full reboot? I'm guessing not,
but thought best to ask.
December 27, 2011 12:28 PM
Anonymous said...
same virus, windows 7, followed this advice from previous post.
"Boot the machine in Safe mode with Networking
Run a search in the start menu for ".exe"
Delete the file
Reboot in Normal mode and it should be gone.
Go into your Recycle bin, look at the file, poke it a bit and curse the fact
that it has ruined your morning.
Note:
This search only threw up one result for me which was the file in
question, located deep in a temp file within the Users directory. It
appeared to have two path names in fact. My file was called
0.9721615469483581.exe but I guess everyone can be different"
sorry cant help with other issues
December 27, 2011 4:18 PM
Anonymous said...
Same virus - Windows XP - followed above advice:
"Boot the machine in Safe mode with Networking
Run a search in the start menu for ".exe"
Found file as short cut kna,5679435.exe (or similar)
Looked at path and found kna,5679435.exe
Used right click menu for McAfee shred to shred (delete and wipe all
traces of file)
Restarted as usual - all seems fine!!
(will keep you posted)
December 29, 2011 4:59 AM
Anonymous said...
Unable to get onto my desktop/search for a .exe file because as soon as
I log on it goes onto the virus!
Same problem when I log in on safe mode? :/
January 1, 2012 4:09 PM
Anonymous said...
I type '.exe' into search and it comes up with nothing..with Shell its
already Explorer.exe...please help. This virus is really annoying I:
January 11, 2012 8:56 AM
Anonymous said...
Mine is hidden as a dll - called wpbt0.dll
Deleted it but i cant deselect the startup item - it simply reselects it when i
press apply
Help
January 11, 2012 2:29 PM
Anonymous said...
I followed this link below which was written on here on 22 Dec (copied
and Paste)
To: AnonymousDec 22, 2011 11:26 AM
I JUST RECEIVED THIS VIRUS AND WITHIN 10 MINUTES IT WAS
GONE! THE EASY WAY TO DO THIS...ENTER YOUR PC WITH SAFE
MODE AND COMMAND PROMPT ...TYPE IN... EXPLORE.EXE
.....OPEN START > SEARCH> ENTER '.EXE' THEN LOOK FOR A
NUMBER EG. 0.0300381308 DELETE AND EMPTY
TRASH...SIMPLE...MAKE SURE THE NUMBER IS NEAR THE TOP OF
THE LIST....GOOD LUCK!
Thank you so much - after trying some options from the above this is the
one that worked for me! Ran a scan after as well. So grateful :)
January 12, 2012 6:07 PM
Anonymous said...
I also have wpbt0.dll
My computer is working as it once was after using Malwarebytes.
However, the colouration of my screen has completely altered. Now there
are many things on screen missing or the colour is gone.
I still see wpbt0.dll. stopped it from running at startup, but clearly
something is still wrong. Any help?
January 13, 2012 5:35 AM
Anonymous said...
To people who may have tried all the steps above and still no luck type
.exe into the start directory and delete any suspicious files ( random
numbers, etc) This worked for me perfectly!
January 14, 2012 4:13 AM
Anonymous said...
Just to agree that's all I did as well... type .exe into search and delete the
files with a weird string of numbers and then .exe (I knew it was the
correct one because it was created on the date that the virus first
happened)
It was in the temp folder so you could start there and arrange icons by
date if your search is slow
January 14, 2012 7:09 AM
Anonymous said...
Just removed, cause when I rebooted my comp for like the 75th time it
told me some system repair is needed, that did the trick. Bastards won't
be stealing my shit any time soon!
January 16, 2012 2:42 PM
Anonymous said...
I am on Windows 7.
I have managed to get explorer and regedit up and running in normal
mode (I switched to admin user, killed iexplore instances running as the
user, and switched users back) .
The regedit claim does nothing.
The "AppData" claim : no such
folders on Windows7. The search for a ".exe" , no such "random" file (out
of the 6000 odd .exes found) .
January 18, 2012 6:11 AM
Anonymous said...
If you pressed ctrl alt del and it wont stop what you can do is when your
pc starts up hold f8 until it beeps then try to restore to a previous version
and that is how i did it
January 19, 2012 3:12 PM
Anonymous said...
Rather than go into the registry, I just rebooted into 'Safe Mode' as others
have shown us how to do this, then click on your:
'Start' menu then select
'All Programs'
'Start Up'
Within the Start up folder, you will see the name of the script that's been
written to bring up that screen each time you log on.
Right-click on the script name, go to 'Properties'
Select 'Open Folder Location'
Delete the ransomware application from its location.
Once you've deleted it, you need to also delete the script from the start
up menu or each time you reboot your system, it will keep trying to
search for the ransomware you've already deleted (won't find it though!).
January 20, 2012 9:48 AM
Anonymous said...
I went to start all programs start up properties deleted the item in
location and applied and it worked a treat so thanks for this help
@@@@@@@@@
February 9, 2012 4:54 PM
Anonymous said...
Just wanted to say thank you. I managed to pick this up, and the
msconfig check sorted it out. It was hiding in administrator\appdata
\roaming . The amount it demanded is 100 now, not 75. Inflation, eh?
I must admit, it's a pretty sophisticated mockup. Loads of official-looking
logos, a respectable layout, and even correct spelling. Someone
obviously put a lot of work into this.
Anyway, thanks again.
Thanks again.
February 10, 2012 9:38 PM
Anonymous said...
thanks all, windows 7 OS, followed the instructions below, and
whammo.....gone...although my search threw up 2 results, of which
began with a "Y" and ended in random numbers, deleted both files......
Boot the machine in Safe mode with Networking
Run a search in the start menu for ".exe"
Delete the file
Reboot in Normal mode and it should be gone.
Go into your Recycle bin, look at the file, poke it a bit and curse the fact
that it has ruined your morning.
Note:
This search only threw up one result for me which was the file in
question, located deep in a temp file within the Users directory. It
appeared to have two path names in fact. My file was called
0.9721615469483581.exe but I guess everyone can be different.
February 15, 2012 2:05 AM
Anonymous said...
Just got this today and looks like it has evolved.
No registry entry, no random numbers.exe, auto shutdown of anti virus
and lockout of the service so can't re-start. Nothing in startup, nothing in
MSconfig, log out causes graceful closure and switching to other admin
or other user brings it back, it is present in safemode and maleware
doesn't find anything.
I had no access, even in safe mode, so shut down PC, repaired through
windows repair tool, then restored to earlier version. That still didn't fix it,
but allowed safe mode. Windows search service and antivirus service
was shut off and unable to be started so couldn't search for exe.
Downloaded Malewhere and run but didn't find anything. On Ms config
everything looked in order, but I stopped all non microsoft services and
apps just to be sure. That allowed me into normal windows mode. From
there I reinstalled avast to get virus protection back and deleted
everything in the user/temp folder.
Computer now operating, but I can't be certain the exe or dll has been
found, and I'm certain there are registry keys in there somewhere for this
thing, but no idea where to look!
February 22, 2012 8:34 AM
Anonymous said...
I use Windows Vista. I booted in "Safe Mode with Networking" and
searched for .exe files. I found a short cut file 0.614394900.exe (not sure
of the number - I deleted the file!) This file was dated and timed at the
point when the virus hit me. After deletion of this file the problem
disappeared.
February 24, 2012 11:37 AM
lcnvn said...
'Start' menu then select
'All Programs'
'Start Up'
Within the Start up folder, you will see the name of the script that's been
written to bring up that screen each time you log on.
Right-click on the script name, go to 'Properties'
Select 'Open Folder Location'
Delete the ransomware application from its location. Has seemed to have
worked for me, thank you so much, literally shit myself
February 25, 2012 6:45 PM
Anonymous said...
I really appreciate your help, it's easy to follow, and I admire that there is
someone out there trying to fight against these bastards.
I have a problem when I get to the enter "regedit" part, it tells me that it is
blocked by the administrator, even on the admin account :/ How do I
overcome this? At least I can see my documents!
Thanks so much!
Ben
February 26, 2012 9:24 PM
Anonymous said...
Hello Everyone,
I just had the same issue. my 'shell' file was saying 'explorer.exe'
So instead i loaded safe mode and did 'system restore'.
Restored my computer to an early point and it got rid of the virus as it
removes all the downloaded files from the time you restore your
computer.
To restore just load computer in safe mode,
go to 'start' in search field type 'recovery' and open 'recovery' file. A
window will open with 'open system restore'. just follow the steps and
recover your computer to an early point. worked great for me.
Good luck
March 1, 2012 3:14 PM
Tim Roll-Pickering said...
I've gone through the instructions for XP but the file is running and
refuses to delete. Taskmanager won't appear on top so I can't stop it that
way. Nor can I get on the web on that machine. Anyone got any ideas?
March 1, 2012 7:59 PM
Anonymous said...
I had this on my windows 7 OS
removed it by restarting in safe mode with networking.
searched for .exe and found something called "jag" or something
removed it, the file seems to work now
March 2, 2012 1:28 PM
Anonymous said...
I have windows xp home and followed this:
I JUST RECEIVED THIS VIRUS AND WITHIN 10 MINUTES IT WAS
GONE! THE EASY WAY TO DO THIS...ENTER YOUR PC WITH SAFE
MODE AND COMMAND PROMPT.....OPEN START > SEARCH>
ENTER '.EXE' THEN LOOK FOR A NUMBER EG. 0.0300381308
DELETE AND EMPTY TRASH...SIMPLE...MAKE SURE THE NUMBER
IS NEAR THE TOP OF THE LIST....GOOD LUCK!
It worked. Thanks so much. :)
March 2, 2012 2:28 PM
Sharief said...
Hi, thanks for all the help so far. The problem for me is, the ransomware
has hijacked my system in such a way so that I can't even access
command prompt in safe mode. When I try to, the command prompt
window flashes very briefly before the ransomware takes over the
screen, making me unable to locate and remove the offending files.
Please help!
March 4, 2012 9:37 PM
Craig said...
i got to the "regedit" bit and then a window came up saying "administrator
profile wont let you edit the registry something etc."
I am done for.:(
March 5, 2012 9:09 AM
Anonymous said...
can anyone suggest a solution for this virus ..have pressed F8 and take
option safe mode with command prompt and only option available is
microsoft windows XP professional and then virus blocks again .
cannot get to a command prompt.
does anyone have a solution for this ?
March 5, 2012 2:08 PM
Alice said...
I'm having the same problem, found a file PreCreateKnowfolder REG_SZ
{A520A1A4-1780-4FF6-BD18-167343C5AF16}
should I delete that???
March 5, 2012 5:56 PM
Anonymous said...
I tried this and now my screens black and can't get to Start in safe mode,
HELP!
March 6, 2012 12:51 AM
Anonymous said...
Steps I took to solve the problem.
1. Ctrl+Alt+Del
2. Log Off
3. Cancel Log Off
4. Go to Start (Bottom Left)
5. Type .exe but don't press anything
6. Wait
7. See file (NUMBERS).exe
8. Delete
9. Celebrate by doing the dougie
March 6, 2012 8:41 AM
Anonymous said...
AAAAGH i can't do this i log into my account in safe mode all ok then as
soon as the command prompt opens the white screen just opens and
blocks EVERYTHING i cant type, click open or anything!!!! i paid 50 and
fell for it and everything so if i cant see or do anything what shall i do.
the screen says
'Please wait while the connections is beeing established'
and there is a spelling error in it.
:( PLEASE HELP ME
March 6, 2012 10:18 AM
Anonymous said...
i am having the same problems as above. the prompt screen freezes and
doesn't allow me to enter anything, so am unable to follow the deletion
instructions. the operating system i'm using is windows xp. does anyone
know how to overcome this problem, any help will be very much
appreciated mj
March 7, 2012 10:52 PM
Anonymous said...
I did a system restore to the day before, worked for me. Thank your lucky
stars those of us that have more than one computer!
Just doing a full scan now to be on the safe side using malwarebytes
anti-malware.
March 10, 2012 2:08 AM
Anonymous said...
I'm so sorry for the person above who paid. This has to leave a trail
somewhere - I mean if you pay the money it has to go somewhere... I'd
love to get hold of the people behind this.
March 10, 2012 2:18 AM
Anonymous said...
I'm currently trying to fix my PC after getting this virus and I've performed
an .exe-scan for today. Still came up with over 20 search results. I see a
lot of EXE-files at the time I got the virus. Can I safely assume they are
all dangerous?
1 is a java-file, is this virus written with java?
All files are located in C://Windows/Prefetch (no idea how to type those
strange "/"
Also running malwarebytes
March 10, 2012 3:33 PM
Anonymous said...
I am running XP. I cannot select anything other than 'normal' when trying
for safe or prompt modes ....just unstoppable lines of data at any other
choice and then back to the menu.
Ran recommended antimalware on my other user name, but it said there
were no viruses!!
Anyone know of a prog that I can put in via memory stick or CD that will
kill it?
Getting desperate!!
Thanks
March 13, 2012 9:57 AM
Anonymous said...
I don't know what i can do next, i ran a scan with Hitman Pro and
Malwarebytes Anti-Malware and they didn't find any trace of the virus. I
myself searched for an .exe file and I didn't find anything like a random
number .exe. I also tried with msconfig, didn't work either.
Can somebody tell me what i did wrong?
March 15, 2012 12:05 PM
Anonymous said...
I can't find the malicious file. No results for ".exe" return when i type it into
the windows search. Please help!
March 16, 2012 6:21 AM
Anonymous said...
Phew Thank you! F8, Safe mode with networking, start .exe, delete
worked for me. Thanks again. Running malwarebytes now in normal
mode to make sure. Thanks again
March 18, 2012 5:26 PM
EileenB said...
My window says Administrator:cmd.exe - cmd.exe on the title bar
In the black screen it has C:\Windows\system32>
What goes in after this?
March 18, 2012 5:55 PM
Anonymous said...
Tsk tsk tsk, no no no, you fools!
just go to control panel>system restore it usually has a backed up copy of
your system before the infection pick that point of restore and then go get
some fresh for 10-15 mins, when the computer restarts it's like nothing
happened ---SO NO NEED TO MESS WITH THE REGISTRY - TOO
MANY PEOPLE HERE WANNA SHOW OFF NOT HELP!
AND THE REST WANNA SELL YOU STH!!?
March 19, 2012 8:26 AM
Ian said...
Easier way - this worked for me on this machine
1 - turn off machine & router / stay offline
2 turn machine back on and after it boots you may see a message that a
file cannot open / or tabs at bottom of screen saying webpage cannot be
displayed - clear these
3 - turn router back on / go online - this will allow you to go onto google /
use Iexplorer to find advice / download antimalware software.
Think about it - an online page cannot be displayed if you are offline
March 19, 2012 12:16 PM
Anonymous said...
Thanks for your help, I ran in safe mode, msconfig, looked in startup
Saw the long number0.78**************.exe
Unticked & restarted
Run ccleaner then registry cleaner
Btw win7 64bit ultimate OS
March 19, 2012 3:29 PM
Anonymous said...
Right, simple way I did it!!
1.Switch on computer and keep tapping F8 to go into safe mode.
2.Select safe mode with command prompt.
3.When pop up box appears, type msconfig then press enter.
Select start up tab and scroll thru' for obvious bogey program - usually
something ending .exe - my variant was arg44699.exe.
4.Once identified, unselect the check box and scroll along to make a note
of the full location info - mine was c:\users\"your user name
here"\appdata\roaming\microsoft\windows\start menu\programs\start up.
5.Restart your computer in normal mode and the annoying screen should
have gone.
6.Go to start menu and in search box, type the location you noted.
Select this location once it appears and identify the .exe file you disabled
in msconfig.
7.Delete then go to recycle bin and delete from there also.
8.Give your computer a full scan using your anti-virus package or
download 'malwarebytes' and/or 'ccleaner' and give your computer a
clean up.
9.Reboot just to be sure, then you should be done.
Please note:
If at No.5, the malware screen is still there, you have not unchecked the
correct item which is causing your problems and I suggest you go back
into safe mode from the start and try another .exe file to uncheck whilst
re-enabling the first one.
This method worked for me and I only had one .exe file. For all I know,
you may get more than one.
I am by no means a computer expert and only found out how to do this
thru' trial and error plus a little suggestive help from a friend.
I cannot be held responsible for anything you may mess up whilst trying
to do this yourself.
If you are not confident with delving into the guts of what runs your pc, pay
your money to an expert.
I pray and hope this works for you tho' and I've saved you a few pennies.
Like me, be careful what you click on next time.
March 20, 2012 1:04 PM
Anonymous said...
please help i am clicking safe mode with command prompt and my
computer keeps restarting back to the same screen
March 21, 2012 7:10 AM
Anonymous said...
When you get into the safe mode screen options, try not clicking
anything.
Use your arrow keys to scroll to the required method and once it is
highlighted, press your 'enter' key.
See if that helps, otherwise you'll have to wait until someone else with
more knowledge answers you.
March 21, 2012 1:47 PM
Anonymous said...
Anonymous comment 02-12-11 was spot on going into msconfig and
finding the offending file in startup.My file was a random 17 digit number
exe file on C:\users\...\AppData. Thank you so much for the advice.
March 21, 2012 8:41 PM
shotta said...
when i searched for the ".exe" file no results were shown...
i have windows 7, i don't know what 2 do...
i found the 'shell' file, the value data was on explorer.exe, but in windows
7 there are no documents and settings right?
sorry for the bad english
i know nothing about computers
HELP ME!PLEASE!
March 22, 2012 4:30 AM
Anonymous said...
Ok, thanks for help.
I found the malicious .exe via msconfig tool under the name
"SkypeRT.exe" it was located in C/users/username/appdata/SkypeRT.exe
As i never used skype on this computer it was a little suspicious, besides,
description of the startup routine was "Windows NT-2000" although i'm
running a win7.
Be careful, it seems that the name and description could be almost
anything.
The majority of startup commands point to files located in C/program files
folder (various drivers and utilities for different devices). Anything that
points elsewhere is suspicious.
March 22, 2012 11:28 AM
Anonymous said...
I logged on in safe mode and simply restored the computer to an earlier
date using the system restore. Easy.
March 23, 2012 3:48 AM
Anonymous said...
Thanks all for the help here, I used 8th dec 2011 'have a safe pc'
Seems to have worked!
March 23, 2012 4:35 PM
Anonymous said...
Hey guy, its now march and this virus has appeared on my computer.
i found the easier way to find the file if you are having problems is to run
explorer from the command prompt.
go to start>computer> c: drive> and in the search bar type .exe and filter
the search bar with the date you got the virus on and you will notice it
easy.
then delete it completely
mine was located in C:\users\adam\appdata\roaming
March 24, 2012 7:11 AM
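The triage heuristics several comments above converge on (a digit-heavy file name, a per-user writable folder rather than Program Files, and a modified time matching the moment the lock screen appeared), combined into one ranking pass. This is an added Python example, not part of the original comment thread; the function names, the five-digit threshold, the two-hour window and the sample records are assumptions constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta

# File types the commenters report: the dropped .exe, a .dll variant, and the
# shortcut (.lnk) left in the Startup folder. Prefetch .pf entries are traces
# Windows keeps of programs that ran, not executables, so they are ignored.
EXTENSIONS = (".exe", ".dll", ".lnk")

# Assumed threshold: a run of five or more digits in the name, which covers
# reported names such as 0.9721615469483581.exe and arg44699.exe.
DIGIT_RUN = re.compile(r"\d{5,}")

# Per-user writable locations named in the thread (lower-cased, Windows style).
USER_WRITABLE = (
    "\\appdata\\",
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\start menu\\programs\\startup\\",
)


def reasons_for(path, modified, infected_at, window=timedelta(hours=2)):
    """Return the heuristics that `path` trips; an empty list means none."""
    norm = path.replace("/", "\\").lower()
    folder, _, name = norm.rpartition("\\")
    if not name.endswith(EXTENSIONS):
        return []
    reasons = []
    stem = name.rsplit(".", 1)[0]
    if DIGIT_RUN.search(stem):
        reasons.append("digit-heavy name")
    if any(marker in folder + "\\" for marker in USER_WRITABLE):
        reasons.append("user-writable location")
    if abs(modified - infected_at) <= window:
        reasons.append("modified near infection time")
    return reasons


def triage(records, infected_at, min_reasons=2):
    """Rank (path, modified) records; keep those tripping >= min_reasons."""
    hits = []
    for path, modified in records:
        why = reasons_for(path, modified, infected_at)
        if len(why) >= min_reasons:
            hits.append((path, why))
    # Most reasons first, then by path so the order is stable.
    return sorted(hits, key=lambda h: (-len(h[1]), h[0].lower()))


def walk(root):
    """Yield (path, modified) for every file under root, hidden ones included."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            try:
                yield full, datetime.fromtimestamp(os.path.getmtime(full))
            except OSError:
                continue  # file vanished or is unreadable; skip it


# Constructed sample data: the time the lock screen first appeared and a
# handful of file records shaped like the ones described in the comments.
INFECTED_AT = datetime(2012, 3, 24, 6, 40)
SAMPLE = [
    (r"C:\Users\adam\AppData\Roaming\0.9721615469483581.exe",
     datetime(2012, 3, 24, 6, 38)),
    (r"C:\Users\adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
     r"\Startup\0.9721615469483581.exe.lnk", datetime(2012, 3, 24, 6, 38)),
    (r"C:\Users\adam\AppData\SkypeRT.exe", datetime(2012, 3, 24, 6, 39)),
    (r"C:\Program Files\Vendor\driver12345.exe", datetime(2011, 1, 5, 9, 0)),
    (r"C:\Windows\Prefetch\JAVA.EXE-0C263507.pf", datetime(2012, 3, 24, 6, 37)),
    (r"C:\Windows\explorer.exe", datetime(2010, 11, 20, 12, 0)),
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE, INFECTED_AT):
        print(f"{path}\n    -> {', '.join(why)}")
```

On a live machine, `triage(walk(profile_dir), infected_at)` produces the same ranking for a real user profile; the output is a review list for a person to check, not a delete list.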
curly said...
Hi,
Any advice for a Windows XP that doesn't run any SAFE MODES?
Task Manager doesn't show either when ALT+CTRL+DEL is pressed in
normal mode!
Thank you,
March 29, 2012 2:58 AM
Anonymous said...
Hi, thx for the advice worked a treat, i searched .exe files on msexplorer
just matched up the time and date with anything that looked suspicious
and completely deleted them,
mine too was under the file name
'c:/users/mark/appdata/roaming' and 'c:/users/mark/appdata/temp'.
March 30, 2012 6:58 AM
Anonymous said...
Thank you finally after a weekend of messing about a solution!
April 1, 2012 7:48 AM
Anonymous said...
I removed it by going on safe mode with command. Didn't find exe file
under search on startup. Searched on explorer by narrowing to date of
virus received. Just stood out big time. Was called ch810.exe. Deleted it
and now it's gone :) Will now delete from recycle bin and install avg and
spybot.
April 2, 2012 12:04 AM
Anonymous said...
I've hit a hurdle straight from the off. I'm using XP pro and the Safe mode
runs but just restarts the computer returning me to the choice of start ups,
it's an endless loop!!! Please help
April 2, 2012 9:14 AM
Anonymous said...
After reading all the good advice here I followed several trails. Eventually
found ch810.exe and winsh.exe.
Deleted both and now PC boots properly.
thanks to all those who contribute here - great advice.
April 3, 2012 1:12 AM
Anonymous said...
Windows XP pro SP3. As above can not boot in safe mode. Tried F12
and booted from XP install disc. Computer hung after install (please
wait). Rebooted as normal, desk top and icons appeared as normal for a
minute or so, then Metropolitan police virus took over desk top again......
Is there any way I can start in safe mode??
Thanks
April 9, 2012 5:36 AM
Anonymous said...
Thanks Solution Worked Great !!!
April 10, 2012 6:19 AM
Anonymous said...
Hi, I have just got this problem tonight and I have contacted Scotland Yard
and they say that it is a scam, and it looks so real. Will it delete any of my
files on my computer? I will try the removal tomorrow as I am going to bed
soon and I will take it to my ICT tutor who will help me go through the
steps. I would like to say a big thank you to this site for having this info.
THANK YOU SO MUCH
April 10, 2012 1:50 PM
Anonymous said...
Fast way that worked for me: On Windows 7, If you have a system
restore backup, get into safe mode, then type msconfig in the Windows
icon, "search program and files". Under the TOOLS tab, scroll down to
System Restore and click on enter. You will be able to choose an earlier
time to restore your system. When my computer restarted, it confirmed
that the restore was successful. I have been using the computer for about
a half an hour now with no problems.
April 12, 2012 5:16 PM
Emily said...
I had a problem with the two methods that attempted to delete the virus.
My default value was explorer.exe and when I searched for '.exe' in the
start menu, it ended up searching the whole computer and brought up a
load of results, none of which had the long number described in most
people's posts. I had to do a system restore, (just pressed F8 and it was
the top option) which restored it to 2 days ago and seems to have done
the trick. I have Norton Anti-Virus but it's obviously got through!
My other half pooped his pants though when a message popped up from
the Police saying he'd been illegally downloading pornography...the moral
of that story being don't download pornography haha!
If all else fails, I'd say do a system restore. Fortunately we only use the
laptop for browsing the web and our work PC is safe!
April 15, 2012 1:01 PM
Anonymous said...
I have done 3 different ways including this one, I have done a scan with
alware and deleted the file but it is still there. I have done scans 5 times
and it says there is nothing!!!!
April 15, 2012 4:39 PM
Hypervox said...
Big thank you to the site - I got rid of it by removing all the files from the
affected users temp directory
April 16, 2012 3:46 AM
Anonymous said...
I had this message come up this afternoon and fortunately the other user
still worked so I logged on and found all this information on the
ransomware bol54@ks. I tried to go through all the above ways to seek
and destroy this little bugger and have just done a system restore. The restore
was from several days ago so I haven't lost anything other than the lovely
desktop picture that followed the ransomware attack!! I run Windows 7...
April 18, 2012 11:18 AM
Anonymous said...
I can't find the file... I don't know why? What's that you're talking about,
explorer.exe? what do you have to do? But thanks a lot, this is really
helping me!
April 18, 2012 2:59 PM
Anonymous said...
I deleted the "shell" file, by mistake. How can I solve this? Sorry but I'm a
little bit bad with computers so you will have to explain it very simply and
step by step. Sorry and thanks a lot.
April 18, 2012 3:27 PM
Anonymous said...
Hi,
Just wanted to share my experience in case it helps someone else.
I tried everything listed here and I guess some of it may have helped. I
still, at the end of it all, had the ukash blocked screen but now I don't.
Like I said the other stuff posted here probably went a long way towards
helping but the last things I did before it finally stopped showing up at
boot were,
-boot to safe mode with networking
-install avast (couldn't set anything in safe mode so...)
-booted normally and used the log off and cancel idea to use the desktop
-open avast and schedule a boot time scan and I also set all the detection
settings to the highest
-used avast to restart the computer and let it run its boot scan
Anything it found was moved to chest and it booted to windows fine,
seems to have removed the ransom-ware.
Yay
April 19, 2012 4:27 AM
Anonymous said...
Thanks for all the comments. Tried few ways to go about it, but the best
for me was:
Safe Mode with Networking
Search .exe in start menu and delete the file quick. Restarted as normal
and the problem went away. It was quick and easy. Don't forget to curse
it, feels good.
April 23, 2012 4:42 AM
Anonymous said...
I picked up the malware by trying to download a 10cc album from a
Russian site, lol! I got rid of it by rebooting in safe-mode and running
HitmanPro, which I can't praise highly enough. HitmanPro also found and
removed a Google-redirect rootkit on my last computer that was not
detected by AVG or Malwarebytes.
April 23, 2012 2:53 PM
Anonymous said...
Help....
Have been following the advice after the PCeU Trojan has stopped my pc!
When I use "F8" - start windows in Safe Mode with Command Prompt;
then Select MS Windows XP Professional... all that appears is a load of
commands/lettering. Then the screen comes on again with the option to
start in various modes. It goes through the same scenario again - same
happens. When I try to start on safe mode with the USB stick 'in' - the
message comes up " Boot form CD - missing operating system" There is
no option to do anything further. Any suggestions as what to do next will
be greatly appreciated
April 24, 2012 2:19 PM
Anonymous said...
This is the best bit of advice out of all the posts! Thanks
Tsk tsk tsk, no no no, you fools!
just go to control panel>system restore it usually has a backed up copy of
your system before the infection pick that point of restore and then go get
some fresh air for 10-15 mins, when the computer restarts it's like nothing
happened ---SO NO NEED TO MESS WITH THE REGISTRY - TOO
MANY PEOPLE HERE WANNA SHOW OFF NOT HELP!
AND THE REST WANNA SELL YOU STH!!?
April 30, 2012 11:23 AM
Anonymous said...
I am running Windows 7 and the process outlined above did not work; I even
downloaded Trojan Killer in the hope this would do the trick, it did not
detect the Trojan so could not clean it; so I'm not suggesting the
approach above does not work, just that it did not work for me.
The solution I found in the end was to re-boot using the "Directory
Services Restore Mode" from the F8 menu, using this restore enabled
much faster processing in windows (compared to the alternative Safe
Mode which had not worked) I then installed Malwarebytes (free 15day
trial) and it found the trojan in about 3-4 mins of the full scan, then
removed it. PC worked as normal after that.
May 6, 2012 9:19 AM
Anonymous said...
I am running windows 7; what I had to do in the end was the following:
1. Boot up (F8 Menu) and chose Directory Services Restore Mode
2. Download Malwarebytes (15 day free trial)
3. Run full scan
4. Trojan was detected and deleted
5. After a reboot the PC functioned normally
May 6, 2012 9:21 AM
Anonymous said...
windows 7 users re-boot in safe mode and run system restore
Job Done
May 6, 2012 7:03 PM
Anonymous said...
Quite simple to fix for all browsers and computers. A novice could do it
and it only takes a couple minutes. Start your computer up, repeatedly hit
the F8 key until the black screen with safe mode options appears. Click
"Safe Mode With Networking". Log on to your desktop, click start, type
restore, click restore when the file comes up. You don't need to restore
your computer back to its factory settings. Just restore it to a few hours or
days before the virus started. Simples.
May 8, 2012 4:08 AM
rilo said...
Hi, thanks for posting this. However, I would like to check about my
laptop's condition now. This morning my laptop caught this malware, the
antivirus (Kaspersky Anti-Virus 2012) detected Trojan.Win32.Inject.ebqb
and recommended me to disinfect with reboot, which I did. After rebooting
and logging in, however, that Metropolitan Police window appeared. I looked
it up using another computer and found your article. I tried the
procedure; when I 'entered' the safe mode with command, my laptop started
loading all the windows files and it suddenly stopped working. I pressed the
power button to restart it and pressed F8 again, the screen said that one of
my drives is unstable and it did the checking (and maybe repairing
process), after that my windows started like usual. I tried to press F8 again
but nothing happened. When I tried to log in, the Metropolitan Police
window NO longer appeared. I ran Malwarebytes to detect the file, but
while the program was still scanning, the same Kaspersky window re-appeared.
At the moment I haven't clicked anything from the two options (disinfect with
reboot & do not run) and Malwarebytes has already finished scanning and
detected Rootkit.0Acess'. Now, my question is: did this Malwarebytes
program detect the right file? Is my computer infected? When I tried to
search for the file in C:/, my username folder is locked and I cannot find the 'App
Data' folder. I browsed and wrote this using the very laptop which caught
the malware. Could you suggest what I should do to fully get rid of it
please? Thanks!
May 10, 2012 6:49 AM
Anonymous said...
WINDOWS 7
Start in safe mode by battering f8 when your computer is warming up.
click on start and search ".exe"
find the file, mine was "t493902.exe" (or something like that).
delete the file.
shut down your computer.
turn on your computer.
log on as normal.
go to your recycling bin and delete the file permanently.
THANKS SO MUCH TO AN ANONYMOUS WHO POSTED THESE
INSTRUCTIONS EARLIER AS I AM PRETTY BAD WITH COMPUTERS
SO THESE CLEAR INSTRUCTIONS WERE MUCH EASIER THAN
ATTEMPTING TO CHANGE PROGRAMME/FILE NAMES AND SUCH
LIKE ! THANKS !
May 12, 2012 6:35 AM
Anonymous said...
Same thing happened with a friend's PC. Malwarebytes Anti-Malware
found these:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|21893 (Trojan.Agent) -> Data: C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msaauv.bat;
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0);
C:\Documents and Settings\All Users\Local Settings\Temp\msaauv.bat (Trojan.Agent)
Hope that was it! - seems to work OK now.
May 14, 2012 8:50 AM
Anonymous said...
Simple fix to this just reboot the computer in safe mode and system
restore a day before the virus hit
Job Done!
May 15, 2012 2:54 AM
Anonymous said...
hi all,
hoping you can help me, I also have a new malware program ransom
thing, but can't even run in safemode, just comes up the blue screen of
death for every safe mode?
I've tried avg rescue cd, nothing, hoping you can help, I'm on xp ser 3
cheers
May 17, 2012 3:48 AM
Anonymous said...
I've just been through this nightmare, no safemode at all, ctrl/alt/del not
working in fact nothing seemed to work.
In the end I let the PSR screen load, right click, print, print to file, I then
had the Window open which included "My Computer" I opened my
computer and Cdrive, opened Windows and right clicked on one of the
files, one of the options was "Scan File" I figured I'd nothing to lose and
hit yes and to my amazement Microsoft essentials fired up, I ran a full
scan, when that was finished, I rebooted twice, the first time I just got the
desktop background, second time I got the bottom bar and was able to
do system restore.
I hope this makes sense. As you will have gathered my computer
knowledge is pretty poor but it worked...And doesn't it feel good to beat
the bastards!!!
May 21, 2012 2:32 AM
Anonymous said...
What if my computer doesn't boot up in safe mode?
May 22, 2012 6:30 AM
Anonymous said...
Hi thanks for the tips..but I have a favour to ask....whenever I highlight the
safe mode command prompt..it's like a list of numbers and letters being
scanned comes up sliding through on screen, then reboots again and at
the top it says it was unsuccessful...so I highlight the safe mode
command prompt again and press enter...but it keeps doing the same
thing again and again...is there anything wrong with it??? how could I
solve it please help!!!
May 22, 2012 8:51 AM
Anonymous said...
I've had this twice in the past week.
I am lucky in as much that my machine operated in safe mode when this
happened and I have been able to restore the machine to an earlier time.
It seems that for some people this ransomware disables safe mode. It
seems to be selective, probably a setting somewhere in your/my
computer. Anyway at least try safe mode because it obviously works on
some machines.
May 23, 2012 2:39 PM
Anonymous said...
Thank you soo much :) I thought I was done for when that popped up,
couldn't have had my parents seeing that :P Thanks again :)
May 26, 2012 4:11 AM
putipa said...
Please help! this is driving me insane - nothing seems to be working and
to make matters worse ALL MY WORK IS ON HERE! I tried typing in
exe but nothing comes up! please can some computer wiz help me
May 28, 2012 3:49 PM
Anonymous said...
The power plug for my tower is about six inches from my hand any sign
of a hijacking I just yank the plug out of the socket Not the best way to
shut your computer down I grant.
But it survives powercuts so why not this .......The malware is always
gone when I reboot
May 30, 2012 12:57 AM
Kazi Farhan said...
I was hit by this virus yesterday. I managed to go on safe mode and
restore my pc to a previous restore point. After that the virus seems to
have gone. But now all my files - documents, pictures, songs - show
locked. Can't open them using anything!
Can anyone pls help me with this?
May 30, 2012 4:47 AM
Anonymous said...
I try to open registry edit, but it says it's disabled by the administrator. I'm
logged in as administrator. What can I do?
June 1, 2012 6:08 PM
Anonymous said...
Hi, I've tried everything named on this site. The system restore on safe
mode does not work and when I search exe nothing comes up. I even did
a scan of my laptop, it detected the virus and I removed it yet it is still
there! Every time I attempt a system restore to a past date, it
automatically restarts the laptop, goes to normal mode yet says the
restore was incomplete and didn't work, then the virus notice comes up!
Incredibly frustrating! Please help me solve this problem and I was
wondering if I left it to a computer store and asked them to fix it would
they be able to fix it or is hope lost? Please get back to me and it will be
very much appreciated :)
June 10, 2012 3:36 PM
nikos thimianis said...
I can't enter safe-mode please help!!!!!!! I have Windows XP!! I can't do
anything!!!
June 13, 2012 9:03 AM
42n0rris said...
I followed the steps posted here and all worked fine for about 20 mins.
Then the virus came back so I thought I'd go through it all again but every
time I put the location into explorer it just opens firefox to a site that
doesn't exist. Also even if I do figure it out how can I stop it coming back
again anyway?!?!?!
June 13, 2012 3:42 PM
Anonymous said...
I have a windows vista. I tried all of that stuff but in the end I just had to
go to Safe Mode with Networking then I used my Anti-Malware. It found it
and removed it. Thank god! This is the 3rd time I've gotten a virus on my
computer and it's so embarrassing to admit I messed up again. I was
looking at a tumblr account when it popped up. Guess I should stop going
online at night since for some reason that is when I get the viruses.
June 14, 2012 1:18 AM
Anonymous said...
I've just removed a new version of this from my mum's computer. Neither
Malwarebytes, Norton, AVG 2012 nor Rkiller could find it whilst in Safe
Mode. I used Combofix to rip out enough of it to boot up in Standard
Mode, then used Malwarebytes full scan to pull out the rest. Hope this
helps anyone who reads it... :)
June 17, 2012 12:51 PM
Anonymous said...
I have the same virus but when I try and start in safe mode by pressing F8
it locks the system so I can't get in. Any ideas?
June 18, 2012 4:48 AM
Anonymous said...
Malwarebytes didn't pick up on this for me, and I couldn't find it in the reg.
In safe mode I went to msconfig> startup and a file called
etbxapzhnaevgej.exe came up. It was installed in c:programdata -
deleted it from there and hope that's enough.
June 19, 2012 4:49 PM
Anonymous said...
I can't get in safe mode either, when I try to regedit through the command
prompt, even though I'm the admin it says: Your administrator has
disabled this feature
June 19, 2012 7:10 PM
Anonymous said...
If I restore my system to an earlier point b4 virus will that solve the
problem for good, i.e. I will have no problems with my personal info. Thx
hope to hear a reply soon
June 19, 2012 11:52 PM
Warren the Blue said...
I get up to the stage after I've done 'Regedit' but I can't see shell
anywhere, I can see HKEY_LOCAL_MACHINE but that's it, there's
nothing like 'Shell'. Anything else it would be under... or an alternative.
Thanks
June 21, 2012 3:56 PM
Anonymous said...
I just went in to safe mode and did a system restore seems to have
worked.
June 23, 2012 3:04 AM
Anonymous said...
If you don't have a dodgy file name under shell go to...
start > allprograms > startup > and the file with a name you're not familiar
with delete. Worked for me and dude I love you!!
June 25, 2012 9:48 AM
Anonymous said...
Warren you need to go into the sub menu.
June 25, 2012 8:47 PM
Anonymous said...
Solution to not being able to boot in safe mode. ( I cannot boot in safe
mode ) Create a rescue CD with kaspersky10 then boot from the CD. This
allows you access to the registry through the kaspersky program.
June 26, 2012 9:27 AM
Anonymous said...
This virus is a real tricky one - I tried the steps above - got into safe mode
but it was not where this guide says it was. I ended up bringing up a list
of start up items with ccleaner; anyways it was hidden in
C:\ProgramData\hanfukqi.exe
In safe mode I went to ProgramData and actually found two sets of the
virus, some was in a hidden folder - luckily I had hidden folders viewable
when I got the virus.
I ended up checking any folder file created today and deleted about 10
files and a folder.
All clear now thank goodness
I knew it was a scam virus the second it came on screen - sure is scary
though
June 27, 2012 8:58 AM
Anonymous said...
Hi all, I've run malware three times and each time it's come up with a .exe
file and I've deleted it but when I restart the computer the metropolitan
police page comes back up. Any ideas? Thanks
June 27, 2012 11:10 AM
Anonymous said...
it works,
start > allprograms > startup > Ctfmon
i delete this file and the pc works again
June 28, 2012 12:53 AM
Anonymous said...
Safe Mode was disabled for me, as was everything else, but I got there
by booting into the F8 Menu and selecting 'Directory Services Restore
Mode'.
It looked like it was going to do a system restore but at the last moment I
pressed cancel to come out of the system restore options and enter my
desktop environment.
It is easy to find if you look in your start up items (run: msconfig) to see
what's out of place/new additions, and do a search for any .exe programs
that were created the day you got the virus in the advanced search
options.
When you have found the file name (Mine began with 0_0 !!) do a search
on all files with that in the title/name to swiftly delete.
I also had to run regedit to delete the rogue entries in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
to carve them clean out of my startup folder.
but they might also be here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg
There was a sneaky entry in that folder called UPDATE which I could tell
was the virus as the details inside matched the same filename of the
virus, so I deleted that one too.
The main offending .exe virus file was in my system32 folder. Ripped that
straight out and into the trash can before permanently deleting it from the
trash.
Curiously, neither AVG nor Malwarebytes found anything wrong with it
when I right clicked on it to scan it on its own.
Thanks to you all, I saved my PC and a whole load of stress and time,
good luck all, and thank you very much to everyone here! :D
July 4, 2012 9:09 AM
Anonymous said...
One of our members of staff had it as
%userprofile%\local settings\application data\microsoft\windows\2064\tapimigplugin.exe
Found it searching for the most recently created .exe file in %userprofile%
Hope that helps someone
July 6, 2012 4:04 AM
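The manual checks several commenters describe above (startup entries that point outside Program Files, the Winlogon "Shell" value, and .exe files created on the day of infection) can be gathered in one read-only pass. This is an added example, not from the blog or its commenters; it assumes PowerShell on Windows Vista/7 or later, the `$Days` look-back window is an assumption, and the Run and Winlogon keys are the standard Windows locations.

```powershell
# Added example, not from the original page. Read-only: it lists, it deletes nothing.
param(
    [int]$Days = 3   # assumed look-back window; widen it to cover the day the lock screen appeared
)

# Run keys, including the Policies\Explorer\Run key seen in the Malwarebytes log above.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Directories where legitimate startup programs normally live.
$trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath([string]$Command) {
    # Expand %VARS% and drop a leading quote so the path can be prefix-matched.
    # Short (8.3) paths and bare file names do not match and are listed for review.
    $path = [Environment]::ExpandEnvironmentVariables($Command).Trim().TrimStart('"')
    foreach ($dir in $trusted) {
        if ($path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Winlogon Shell: a clean system has exactly "explorer.exe" here.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell

# 2. Every value under the Run keys.
$autostarts = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $autostarts += New-Object PSObject -Property @{
            Location = $key; Name = $name; Command = [string]$item.GetValue($name)
        }
    }
}

# 3. Per-user and all-users Startup folders (Vista/7 paths).
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
) | Where-Object { Test-Path $_ }
$startupItems = @()
if ($startupDirs) {
    $startupItems = Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' }
}

# 4. Recently created executables and scripts in user-writable folders, hidden ones included.
$since = (Get-Date).AddDays(-$Days)
$roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ -and (Test-Path $_) }
$recent = @()
if ($roots) {
    $recent = Get-ChildItem -Path $roots -Recurse -Force -Include *.exe, *.bat -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $since } |
        Sort-Object FullName -Unique |
        Sort-Object CreationTime -Descending
}

'== Winlogon Shell (expected: explorer.exe) =='
"Shell = $shell"
'== Run entries pointing outside Program Files / Windows (review each one) =='
$autostarts | Where-Object { -not (Test-TrustedPath $_.Command) } |
    Format-List Location, Name, Command
'== Startup folder items =='
$startupItems | Format-Table CreationTime, FullName -AutoSize -Wrap
"== .exe/.bat files created in the last $Days day(s) in user-writable folders =="
$recent | Format-Table CreationTime, Length, FullName -AutoSize -Wrap
```

Everything it prints is a candidate to hand to a scanner or inspect further; legitimate updaters also install under AppData and ProgramData, so a listing alone does not identify the malware.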
Anonymous said...
System Restore to earlier date should fix your problems. That worked for
me. Checked system files as they said found nothing, did a system
restore fixed it.
July 8, 2012 8:36 AM
old hack said...
Hi, I have had this little sod for three days now, it just appeared while wife
was looking for a holiday hotel for us. Have tried everything above and all
I get to is the blue screen of death. I'm running windows xp. Short of
binning my pc, can anyone help?
July 10, 2012 11:36 AM
Anonymous said...
What do you do if it won't let you into Safe Mode? It just keeps rebooting
to the fake homepage.
July 11, 2012 2:03 AM
Anonymous said...
Very helpful thank u.
July 11, 2012 4:29 PM
DaringSpirit said...
I got this yesterday so it looks like it's doing the rounds again.
I did a system restore back a few days and it solved the problem.
We have 2 user accounts with admin rights on the same computer so
even though one account was screwed by the virus, I was able to system
restore using the other account.
July 12, 2012 6:57 AM
Anonymous said...
Finally got this nasty little thing off my computer. Just run your system in
safe mode and install ComboFix (free download just Google) from a USB
stick you can plug in, just download ComboFix from another Internet
connected computer direct to the USB and install on the infected
machine. If your machine will run safe with network you can download
ComboFix straight from your Internet to desktop and run it there.
I tried all of the above and this was the only way I got rid of it.
Good luck
July 12, 2012 3:23 PM
Ganesh Moorthy said...
thank u
July 13, 2012 10:54 PM
Anonymous said...
Hi none of my safe modes work !!!
July 14, 2012 7:12 AM
Disclaimer
This blog provides reliable information about the latest computer security threats including spyware, adware, browser hijackers,
Trojans and other malicious software. We do NOT host or promote any malware (malicious software). We just want to draw
your attention to the latest viruses, infections and other malware-related issues. The mission of this blog is to inform people
about already existing and newly discovered security threats and to provide assistance in resolving computer problems caused
by malware.