
Tuesday, June 21, 2011

Remove METROPOLITAN POLICE Ransomware (Uninstall Guide)

"METROPOLITAN POLICE" Attention! Illegal activity was revealed! is ransomware-based malware that demands payment before it will give you back control of your computer. About a month ago, we wrote about ransomware that replaces the Windows desktop with a fake warning from the German Federal Police (BUNDESPOLIZEI). Apparently the cybercrooks are moving on to Great Britain. As we wrote previously, if your computer is infected with ransomware, you will notice the difference right away. Your desktop will be taken over by a scam notice headed METROPOLITAN POLICE. It will stop you from accessing your files, programs and system tools. Even if you start your machine in Safe Mode or Safe Mode with Networking, you'll get the same screen. The trojan claims that you were watching illegal pornographic websites and states that if you don't pay £75 within 24 hours your computer will be wiped clean. Don't worry, the trojan is not capable of doing this. On the other hand, nobody wants to risk losing important files or family photos, so there is a good chance that someone will fall victim to the scam artists behind the Metropolitan Police malware. To remove the METROPOLITAN POLICE ransomware from your computer, please follow the steps in the removal guide below. Good luck and be safe online!








Method 1: Metropolitan Police virus removal instructions using System Restore in Safe Mode with Command Prompt:

1. Unplug your network cable and manually turn your computer off. Reboot your computer into "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the Metropolitan Police ransomware will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer to an earlier date.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Metropolitan Police virus.


Method 2: Metropolitan Police virus removal instructions using System Restore in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "system restore". Or you can browse into the Windows Restore folder and run System Restore utility from there:
  • Win XP: C:\windows\system32\restore\rstrui.exe double-click or press Enter
  • Win Vista/7/8: C:\windows\system32\rstrui.exe double-click or press Enter
3. Select Restore to an earlier time or Restore system files... and continue until you get into the System Restore utility.

4. Select a restore point from well before the Metropolitan Police virus appeared, two weeks should be enough.

5. Restore it. Please note, it can take a long time, so be patient.

6. Once restored, restart your computer and hopefully this time you will be able to login (Start Windows normally).

7. At this point, download recommended anti-malware software (direct download) and run a full system scan to remove the Metropolitan Police virus.


Method 3: Metropolitan Police virus removal instructions using MSConfig in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "msconfig". Launch the application. If you're using Windows XP, go to Start then select Run.... Type in "msconfig" and click OK.

3. Select the Startup tab. Expand the Command column and look for a startup entry that launches a randomly named file from the %AppData% or %Temp% folders using rundll32.exe. See the example below:

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

4. Disable the malicious entry and click OK to save changes.

5. Restart your computer. This time Start Windows normally. Hopefully, you won't be prompted with a fake Metropolitan Police screen.

6. Finally, download recommended anti-malware software (direct download) and run a full system scan to remove the Metropolitan Police virus.


Method 4: Metropolitan Police malware removal instructions in Safe Mode with Command Prompt (requires registry editing):

1. Reboot your computer into "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key. Log in as the same user you were previously logged in with in the normal Windows mode.



2. When Windows loads, the Windows command prompt will show up as shown in the image below. At the command prompt, type explorer and press Enter. Windows Explorer opens. Do not close it.



3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right-hand pane select the value named Shell. Right-click on this value and choose Modify.



Default value is Explorer.exe.



Modified value data points to Trojan Ransomware executable file.



Please copy the location of the executable file it points to into Notepad or otherwise note it and then change value data to Explorer.exe. Click OK to save your changes and exit the Registry editor.

5. Remove the malicious file. Use the file location you saved into Notepad or otherwise noted in the previous step. In our case, "Metropolitan Police" was run from the Desktop. There was a file called movie.exe.

Full path: C:\Documents and Settings\Michael\Desktop\movie.exe



Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.



6. Download recommended anti-malware software (direct download) and run a full system scan to remove the leftovers of this virus from your computer. That's it!


Method 5: Metropolitan Police virus removal using Kaspersky Rescue Disk:

1. Download the Kaspersky Rescue Disk iso image from the Kaspersky Lab server. (Direct download link)
Please note that this is a large download, so please be patient while it downloads.

2. Record the Kaspersky Rescue Disk iso image to a CD/DVD. You can use any CD/DVD record software you like. If you don't have any, please download and install ImgBurn. Small download, great software. You won't regret it, we promise.

For demonstration purposes we will use ImgBurn.

So, open up ImgBurn and choose Write image file to disc.



Click on the small Browse for file icon as shown in the image. Browse into your download folder and select kav_rescue_10.iso as your source file.



OK, so now we are ready to burn the .iso file. Simply click the Write image file to disc button below and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.



3. Configure your computer to boot from CD/DVD. Use the Delete or F2, F11 keys, to load the BIOS menu. Normally, the information how to enter the BIOS menu is displayed on the screen at the start of the OS boot.



The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
  • Ctrl+Esc
  • Ctrl+Ins
  • Ctrl+Alt
  • Ctrl+Alt+Esc
  • Ctrl+Alt+Enter
  • Ctrl+Alt+Del
  • Ctrl+Alt+Ins
  • Ctrl+Alt+S
If you can enter Boot Menu directly then simply select your CD/DVD-ROM as your 1st boot device.

If you can't enter Boot Menu directly then simply use Delete key to enter BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority.



Set CD/DVD-ROM as your 1st Boot Device. Save changes and exit the BIOS menu.



4. Let's boot your computer from Kaspersky Rescue Disk.

Restart your computer. After restart, a message will appear on the screen: Press any key to enter the menu. So, press Enter or any other key to load the Kaspersky Rescue Disk.



5. Select your language and press Enter to continue.



6. Press 1 to accept the End User License Agreement.



7. Select Kaspersky Rescue Disk. Graphic Mode as your startup method. Press Enter. Once the actions described above have been performed, the operating system starts.



8. Click on the Start button located in the left bottom corner of the screen. Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Metropolitan Police Virus. It won't take very long.



9. Click on the Start button once again and fire up the Kaspersky Rescue Disk utility. First, select My Update Center tab and press Start update to get the latest malware definitions. Don't worry if you can't download the updates. Just proceed to the next step.



10. Select Object Scan tab. Place a check mark next to your local drive C:\. If you have two or more local drives make sure to check those as well. Then click Start Objects Scan to scan your computer for malicious software.



11. Quarantine (recommended) or delete every piece of malicious code detected during the system scan.



12. You can now close the Kaspersky Rescue Disk utility. Click on the Start button and select Restart computer.



13. Please restart your computer into the normal Windows mode. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Metropolitan Police virus and to protect your computer against these types of threats in the future.


Associated Metropolitan Police malware files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"
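The following PowerShell script is an added example and is not part of the original guide. It automates, read-only, the two checks the guide has you perform by hand: the Winlogon "Shell" value from Method 4 and the startup entries that launch a file out of %Temp% or %AppData% through rundll32.exe from Method 3, plus the DisableTaskMgr policy value that several commenters report. The Run/RunOnce keys, the startup folders and the suspicious-path pattern are assumptions about where such entries are found, not something the guide states; the script only reports what it sees and changes nothing, so review each finding before removing anything. Run it from an elevated PowerShell prompt (Safe Mode works).

```powershell
# Added example, not code from the original guide. Read-only audit of the
# persistence points the guide inspects by hand: the Winlogon "Shell" value
# (Method 4), startup entries that launch something from %Temp% or %AppData%
# via rundll32.exe (Method 3), plus the DisableTaskMgr policy value that
# commenters report. It only reports; it deletes or modifies nothing.

$findings = New-Object System.Collections.Generic.List[string]

# Method 4: Winlogon Shell should be exactly explorer.exe
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if (-not $shell) {
    $findings.Add("Winlogon\Shell is missing; default is explorer.exe")
} elseif ($shell.Trim() -ine 'explorer.exe') {
    $findings.Add("Winlogon\Shell is '$shell' (expected explorer.exe)")
}

# Heuristic taken from the guide (assumption, not a definitive test): a startup
# command is suspicious when it runs a file out of Temp or AppData, especially
# through rundll32.exe, as in the guide's regepqzf.dll,H1N1 example.
$suspectPath = '(?i)\\(Temp|AppData)\\.*\.(exe|dll)'
function Test-SuspectCommand([string]$cmd) {
    return ($cmd -match $suspectPath) -or ($cmd -match '(?i)rundll32\.exe.*\\(Temp|AppData)\\')
}

# Method 3: the Run/RunOnce keys that msconfig's Startup tab is built from
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive and friends
        if (Test-SuspectCommand "$($p.Value)") {
            $findings.Add("$key\$($p.Name) -> $($p.Value)")
        }
    }
}

# Startup folder shortcuts: resolve each .lnk and test its target + arguments
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)
        $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        if (Test-SuspectCommand $target) {
            $findings.Add("$($_.FullName) -> $target")
        }
    }
}

# Policy value that blocks Task Manager (reported by commenters on this post)
$policyKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$dtm = (Get-ItemProperty -Path $policyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($dtm -eq 1) { $findings.Add("$policyKey\DisableTaskMgr = 1 (Task Manager blocked)") }

if ($findings.Count -eq 0) {
    Write-Output "No Winlogon/startup indicators found."
} else {
    Write-Output "Suspicious persistence entries (review before removing):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A clean machine prints only the "No ... indicators found" line. Because the path heuristic is deliberately broad, a legitimate updater that happens to live under AppData will also be listed, which is why the script reports instead of deleting: note the path, confirm it in msconfig or Explorer as the guide describes, and only then remove the file and its entry.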

257 comments:

Anonymous said...

it is the best tip I found
it works
thank you
at

Anonymous said...

This sorted the problem instantly. Thank you very much for posting.

Anonymous said...

I was following it step by step, so I did not write down the value data location before saving it. Can you help with this? Please

Admin said...

If you don't know where the malicious file is located, then just run anti-malware software and I'm sure it will find it.

Alex said...

I reached the step where it says to modify shell. I did that and got "Default value is Explorer.exe", however it is not leading me to "Modified value data points to Trojan Ransomware executable file." What should I do? How do I get the location?

Anonymous said...

I have the same problem ! The default value was already "explorer.exe"... What should I do ?

(sorry for my english !)

Anonymous said...

As above already has 'explorer.exe' as value.

Anonymous said...

Same here? Thanks by the way, im glad there people out there working to defeat the people working against us
-Gary

Anonymous said...

Same as above!

Anonymous said...

same as above, please help!

Anonymous said...

This is happening in a new form now as some of the comments above show. I fixed this by the following:

As well as starting explorer and regedit at the command line also start msconfig. Select the Startup tab. It can be difficult to spot although it stuck out for me as having an absurd name, there can be more than one entry. I think the best way is to look in the location column for any entry ending with something like a string of random letters/numbers.exe, mine also had a comma with a few letters after it as well to try to confuse me. Also look for any startup item with something similar in the 'Startup Item' column. Unticking these entries and applying should prevent it starting, and the entry should reveal the path to the .exe file which you can find and delete. Be warned you can stop important programs starting up, although they try to confuse you, mine was tagged as being from the IBM corporation!

You can't just delete startup entries from msconfig. You have to use regedit. In regedit I found the offending entries here:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ MSConfig \ startupfolder

but they might also be here:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ MSConfig \ startupreg

All advice given as is, it's your responsibility for things that happen to your computer, etc. Hopefully this helps some people.

Anonymous said...

Hi, I am also having same problem...

Shell has a default value of explorer.exe

And the startup doesnt show any wierd itmes..

Please help

Anonymous said...

i followed them instructions now i have no screen! HELP!

Admin said...

Go back into Safe Mode with Command Prompt. Search the Registry for the malicious file, the one you've deleted manually. In our case it was movie.exe. Also, make sure that all the "Shell" registry keys have "explorer.exe" values. Just search the Registry for the "Shell" key. By the way, can you use the Start menu?

P.S. don't worry, your files are safe. You just need to fix certain Registry values.

Anonymous said...

Well, I followed the instructions, I've modified it and changed it, but I must have put the wrong one because I couldn't find movie, so I restarted it and when it's loaded I have no screen, it just stays blank with the mouse there. What do I do?

Anonymous said...

Well, I followed all of the instructions, and I changed that box from explorer to what I was meant to put, but I must have had an extra letter in because it didn't work and I couldn't find the movie bit, so I restarted it, but when I went back through safe mode there was no screen, so I tried it again normal and it's the same, it loads up but stays black with the mouse. So because I've put the wrong thing in it's gone like that. How do I fix it?

Anonymous said...

Help!! I have the same problem with shell being explorer.exe!!!!!

Anonymous said...

Please help, I'm at the stage of edit string with explor.exe in the data section, but what now? How can I find the folder where the malicious file is, as I'm completely stuck as to where it's located. Nothing on my desktop that relates to it.

Anonymous said...

I asked the other question a few mins ago about not finding the file; however, after typing in winconfig into the command prompt as mentioned above it led me to the startup tab where I saw the file, it pretended to be an HP file. Everything's running OK now. However, lesson learned!! Time for some computer protection. Thank you

Anonymous said...

I had the same blank screen problem after removing the offending items.
Simply reboot into safe mode and do a system restore to a previous date.
I didn't have a modified registry, I had explorer.exe.
I removed the startup entries with an excellent free programme called ccleaner. Go to tools, startup; I had 2 entries with numbers like 0.4998473.exe and another, simply delete them.

Anonymous said...

I just had the same thing happen, and followed the advice above with the extra bit about using msconfig to find and disable the file - mine was called "flay opal stash shade bawd claus" and claimed to be from packard bell! ...but then I wasn't sure I had the right file to delete in regedit; there was only one with the same path but it had a different name, will it still cause damage if I just leave it now, or should I delete it? The file says 'path' under name, and has "/0.8886688223985121.exe.lnk" after the location under data.

I have restarted the computer in normal mode and it seems to be running fine now. Thank you so much for posting this guide!!

Sarah

Anonymous said...

Just to add that the above didn't detect the malware (I got the same Met Police warning but I must have had a different variant). My 'shell' setting the registry was configured as per the default (i.e. explorer.exe).

The malware was instead an .exe file with a seemingly random numeric name and stored in my user temp folder. It was launched through 'Start Up' in my start menu each time I booted into Windows.

The way I fixed it was to log on as a different user, delete the 'Start Up' shortcut and then delete the .exe. If you have more than one user configured on Windows, this might be an option (select a different user when you start the PC - note they will require admin privs).

You can also likely achieve this via safe mode. If this fails, try a bootable CD such as UBCD and delete the offending file from the affected user's start up folder.

Good luck folks!

Phill

Anonymous said...

how can i fix what i changed to have my screen back?

Anonymous said...

@anonymous December 4, 2011 2:22 PM

Dunno. What did you do? As it says in a Haynes manual, reassembly is the reverse of disassembly.

Anonymous said...

I'm on windows 7 and the registry seems to be very different. How I fixed it was to
- CTRL-ALT-DEL
- select logoff
- you'll get a message back that says some tasks are stopping windows from closing
- hit cancel

For me, the virus exe had been stopped by the logoff request and I was back in control.

If it doesn't work for you - perhaps it just logs off - try again but start task manager (again from the CTRL-ALT-DEL menu) before trying to log off. You won't see it's started, but it will be running behind the virus screen.

Once I had control back I could do the MSCONFIG, REGEDIT, and delete offending exe thing that's well described above.

Anonymous said...

When I re-booted my laptop it gave me the option to "repair computer". I clicked on this and system restore and thankfully it did the job and removed the virus. Phew!!

Anonymous said...

This seems to be a stubborn and rapidly changing virus. I have removed this once yesterday, Avira then spotted it trying to start a few hours later and then it has re-infected again today. Different filenames each time, Avira didn't find anything wrong with the latest one - I guess it is changing faster than the anti-virus can keep up. Anyone have any ideas how to keep this out??

Anonymous said...

I did it much easier than that. Went into safe mode with networking, entered explorer & regedit, and once it had loaded, searched .exe in the search bar, right-clicked, delete, into recycling bin and permanently deleted. Now computer is fine.

Anonymous said...

I did as above. Then I entered under safe mode. Then used CC cleanup. Then a full system restore. Problem has gone. Like to know where I picked this virus up from.

Anonymous said...

thanks to everybody's advice managed to get it off my pc, for me it was under "flab noun germs" by packard bell, glad found this site

Anonymous said...

You saved my time and money!

I followed the advice of Anonymous who suggested using msconfig. It totally worked.

Thank you a lot!

Anonymous said...

I'm having this problem as well and followed these instructions but I'm still having a problem up to the editing 'shell' to 'explorer' part.
But I realised something, these instructions seem to be for WinXP (as you can see from the cmd.exe screenshots). So I'm wondering, can this apply to Vista and newer OSs?

This is probably the only best solution i can find so i want to confirm it

Anonymous said...

Help my laptop screen has gone blank while following above instructions. Laptop is on but screen gone blank. Someone kindly help on how to get my screen back. Thank you.

Anonymous said...

Yer I also found it under flab noun germs but now my pc just loading a black screen ... Help

Anonymous said...

took me a while to get there but i finally did, thanks this saved me a lot. much appreciated!

Anonymous said...

As Per about 5 posts up I successfully deleted the file. I use Windows 7. In a bit more detail:

Boot the machine in Safe mode with Networking
Run a search in the start menu for ".exe"
Delete the file
Reboot in Normal mode and it should be gone.
Go into your Recycle bin, look at the file, poke it a bit and curse the fact that it has ruined your morning.

Note:
This search only threw up one result for me which was the file in question, located deep in a temp file within the Users directory. It appeared to have two path names in fact. My file was called 0.9721615469483581.exe but I guess everyone can be different.

Anonymous said...

Install Malwarebytes Anti-Malware if you have another pc, update it and run a Quick scan, sorted mine

Anonymous said...

IF its default EXPLORER.EXE... then;

when in safe mode with networking go onto your start menu and search .exe

it should take you to the problem :3

Anonymous said...

For those of you who can not see your desktop, start button, startup folder, etc:

Press Ctrl+Alt+Del, go to Task Manager, in Processes find and end any explorer.exe process, then click File -> New Task and type explorer.exe.
Voila, your desktop is back. Then go find the worm as per above. In my case it was the (random number).exe, same name with .exe.lnk, but it also modified the hosts.txt file in Windows. It was not in the startup, but it was one of the services starting at logon that you can see in msconfig.

Anonymous said...

I have just picked this up. I must say that it does make me chuckle a tad. I wonder how much the scammers got scammed for this. Makes you wonder about the countries where this was marketed than anything else.

Far be it for me to be a starry eyed saxon but I have enough faith in our police forces. I am sure they would not be distracted from their duty by £100. Besides, if they were in the business of imposing arbitrary fines - I would have no respect for those who were obviously too busy eating donuts to come round and get it. If this was too much trouble - I would much prefer that they collect my fine via an attachment of earnings order. However using pay pal / epay is not very dignified for the forces of law and order - so utilities - so ebay. It's no party here either but cmon it aint that bad.

Scammers use your nefarious gifts to change your countries. If you want to play with the privileged - learn to spell and at least make your pop up eye pleasing. UKASH now that is classy

Anonymous said...

I tried going through the command prompt method but could not relate the instructions to my system. My Operating system is Vista Service pack 2.

Not attempted anything as yet but have located the exe file. On checking the Properties I see that:

Shortcut Target is: C:\Windows\System32\rundll32.exe C:\Users\Stuart\AppData\Local\Temp\0.4767109628561754.exe,SuppS

Opening the File location shows highlight: rundll32

Oh and I have noticed that I am unable to change the Security settings for this.

The fact that this has obviously already run leads me to suppose that merely deleting the executable is not quite good enough as there is already corruption in the Registry.

I'm a real novice when it comes to these things. At present has anyone any advice on either removal or damage limitation as I feel that this is something that can evolve.

Anonymous said...

Go to safe mode with networking
, type .exe on the start menu.
You'll see 7878766 sort of file.exe
Curse it then delete it, from recycle bin as well
That's all..worked for me after installing so many anti viruses and too many researches,
Have a safe pc

Anonymous said...

If you have the variant where it is running a command of the form (as in a post above):

'C:\Windows\System32\rundll32.exe C:\Users\Stuart\AppData\Local\Temp\0.4767109628561754.exe,SuppS'

then you don't need to do anything with 'rundll32.exe', instead you should delete the second file listed e.g. 'C:\Users\Stuart\AppData\Local\Temp\0.4767109628561754.exe'

Anonymous said...

This guide helped thanks, also used the advice from anonymous about using msconfig.

Anonymous said...

Im on Windows 7- what worked for me- pretty much as said above (also loved the comment about poking it in the recycling bin for ruining your morning- made me chuckle) anyhu yeh so- for the technologically challenged out there- like myself.
Turn off computer, turn back on, tapping F8, select safe mode with networking, log in to affected desktop- select start menu, type .exe into search bar, delete file. note: DO IT QUICKLY!!! for me the virus still popped up even in safe mode, but if you do it fast enough then you kick its bum. Reboot- this time select normal mode. Run another anti virus scan just to be on the safe side. Do happy dance. Enjoy Life. Peace and love and shiz to you all - L x

Anonymous said...

I'm on Windows XP. I got rid of this by installing Malwarebytes Anti-Malware and did a full scan. It came up with a number of trojans - ZBot.CBCGen, Trojan.Agent, Backdoor.Agent. Removed them all using Malwarebytes. I then registered for a full copy of Malwarebytes and did another quick scan. This flagged up a problem in the registry (HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager). After removing this everything worked normally.

I had problems starting Windows up in safe mode - F8 didn't work for me. Don't know if the trojan disabled this as well. I got round this by creating a new user account and downloading and scanning from this account rather than the infected one.

I have fully up to date Avast antivirus and windows firewall running but it didn't catch this.

Hope this helps someone else

Anonymous said...

Thanks everyone - this was really helpful.

Having found and deleted the file from the startup and in its saved placed, the task manager was still disabled (used it as the test to see if it really had gone)

To sort:

Click on Start, Run, and type REGEDIT and press Enter
Navigate to the following branch

HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies\ System


In the right pane, find and delete the value named DisableTaskMgr
Close the registry editor

Maciej Jelen said...

I used "Malwarebytes Anti-Malware". It's free, job done! I had 0.0390998931754.exe and 0.0390998931754.exe.ink

Anonymous said...

don't know if this will help but I managed to remove the virus with ccleaner.
In my case it was in the start up.
Start up in safe mode f8 then open ccleaner,click on tools and then start up.
you may see a program that looks like lots of numbers and symbols but ending in.exe.ink right click on it and click disable.
I then rebooted my computer as normal and it seemed to be back to normal so I opened ccleaner again and this time deleted it then rebooted.
that was 3 days ago and up to now it has been ok.
I hope this may help,good luck

Anonymous said...

I've managed this by starting in safe mode and then checking msconfig. Found the item .60***** and disabled. Started normally and then let Malware do its job. No problems since

Anonymous said...

Thanks to the person who said "have a safe pc", your tutorial although simple was highly effective, much appreciated. This crap is now out of my laptop and my life, thanks

Anonymous said...

Thanks to all who put up posts here, got my pc back again. Took me about 45 mins to clean it, but with the instructions here I managed to delete the file. I didn't have the movie.exe, mine was in
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ MSConfig \ startupfolder, it was a bunch of random numbers.....exe.ink. BTW I couldn't use my ctrl/alt/delete function at all..in fact still can't, but hey ho the virus / worm has now gone!!

Anonymous said...

thanks for all your posts i finally got rid of this... i tried everything but only one solution worked...

tried the first.. restart with command prompt and do the regedit shell modify... but mine was still at explorer.exe...

did the malware search... 3 full scans 2 quick scans... with full updated dictionary... found nothing...

looked at the start up list, nothing, and the msconfig startup, nothing.

how i found it was do a full search of all the c:\ drive with all files *.* [do a date between search and also all hidden files]

once finished, sort by date modified... and you should see it as A.6579432158649.exe or anything random like that. It was in fact on my desktop but hidden, and so was the shortcut in the startup folder hidden.

there is a rundll error in startup but i guess its trying to find the exe

Anonymous said...

using windows 7,

I managed to delete the first virus by starting in safe mode with networking and deleting .exe file,

like an idiot i never bothered to run my new norton disc i purchased,

Hours later I now have another virus that opens lots of the same type of box with a red cross, you also lose your background pic and it says my system is over running, HELP PLease,

I have tried start up with norton disc but this is not working, saying norton bootable recovery tool but this is saying total items scanned 0 and total risks detected 0,

so its only preparing to scan but not actualy scanning,

Can anyone tell me how to get rid of this extended part of the virus, on start up in safe mode with networking there are no .exe programs anymore.

Anonymous said...

Hi
Im 16 and I got this virus yesterday. I have no idea how to get rid of it, please explain it to me in a very basic way!
Thanks

amster said...

If you're using windows 7 - go to this directory by hook or by crook (i.e. safemode) - or logging via a different user: C:\Users\\AppData\Local\Temp


AND DELETE EVERYTHING.


reboot.

Anonymous said...

Norton is probably the worst anti-virus software available. Use avast or avg in the future.

To remove this virus/malware boot your computer into 'safe mode' and run MalwareBytes anti-Malware ( http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button )

Anonymous said...

http://support.kaspersky.com/downloads/utils/www.bat.zip

unzip the file (if it asks use the default settings)

once its finished shutdown the pc

wait 5 mins

start up the pc.

Anonymous said...

To the 16 year old. Start your computer in safe mode. Click on start. In search programs and files type exe and the file that comes up should be the virus. Mine came up as 0.9721615469483581. Then delete and empty your recycle bin. Hope this helps. It was all I needed to do!

peter said...

Hi guys, I'm still struggling with getting my desktop screen back. I have followed the guide above and I think I've deleted the virus. If someone could tell me how they got their screen back I'd be very grateful. Cheers

Morello said...

Just got this malware/rootkit/virus tonight and thought I'd share how I got rid of it.

Followed the instructions as above but as many have said, the shell value was still 'explorer.exe'. Also opened msconfig via the cmd prompt and looked in Startup. Spotted it straight away and disabled it.

When I rebooted as normal, I went back in to regedit to remove the traces and found the key to it in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder. This will show you where the file is by looking at the key 'path' and that there's also a backup under the key 'backup' (mine was in a folder called pss at C:\Windows\pss\).

Anyway, I deleted both files and then the key from the registry and now have everything back to normal.

!!!>>>>> So if you can't find the thing in msconfig then you can remove it directly from the registry to stop it from starting and then get rid of it.

Anonymous said...

Thank you so much!!

The search for .exe worked a treat :)

Bill said...

Thanks to everyone who posted their advice. Typing in .exe into the search bar and deleting the only file that came up did the trick. I'm just glad this was a hoax. Was freaking out for a while there.

Anonymous said...

Thanks to all who have posted their experiences. I was able to solve the issue by using the advice posted. It's very annoying how some individuals feel they need to develop viruses like these that cause problems for others!

Anonymous said...

windows 7
=========

1) CTRL-ALT-DEL
2) log off
3) press cancel because log off failed
4) Windows is back
5) see above comments to delete piece of shit

Anonymous said...

Many thanks for all the previous advice. My laptop appears to be generally working ok with one key exception. I am unable to connect to my Sky Broadband as, when I try, there are ‘no wireless connections available’. I’ve not tested it in other locations so I’m unsure if this problem is restricted to my home address or if it is a wider wireless issue. Any suggestions please?

Anonymous said...

I'm on Vista and these steps aren't working for me. Anyone have any suggestions?

Anonymous said...

I'm running Windows 7... I'm doing as suggested above regarding searching for .exe and I'm not finding anything... help please!

Please address Chris if you're replying to this :D

Anonymous said...

Will it work if I just restore my system? Please reply. If not, what do I do? And how do I prevent this from happening in the future????

Anonymous said...

Nothing seems to be working, any help will be appreciated SOOOOOO MUCH! Nothing is coming up when I search for .exe in Start, and though I have found the suspected file using msconfig and disabled it, it is not working.

Anonymous said...

Really helpful. I am genuinely grateful. Thank you

Anonymous said...

I just got this virus while on the web. I immediately disconnected from the internet before it could send any information from my computer for further exploit. I then forcefully logged out of the computer, which stopped it in its tracks. Ran the virus scanner and everything went back to normal. I have checked the registry and there is no sign of it anymore. I guess a good virus scanner is a must for Windows OS machines.

Anonymous said...

I JUST RECEIVED THIS VIRUS AND WITHIN 10 MINUTES IT WAS GONE! THE EASY WAY TO DO THIS...ENTER YOUR PC WITH SAFE MODE AND COMMAND PROMPT.....OPEN START > SEARCH> ENTER '.EXE' THEN LOOK FOR A NUMBER EG. 0.0300381308 DELETE AND EMPTY TRASH...SIMPLE...MAKE SURE THE NUMBER IS NEAR THE TOP OF THE LIST....GOOD LUCK!

Anonymous said...

Will a full scan from malwarebytes detect the virus? If there's no problem is it fine? PLEASE REPLY I'm only 16

Anonymous said...

I have followed these steps and my computer starts fine, but now I don't have any desktop items, only a black screen, although I can open Task Manager then start explorer.exe to get to what is on my computer. Has anyone had this problem and solved it?

Many thanks, and thank you to this thread for helping!

Anonymous said...

On my Windows 7, the registry hadn't been altered and I couldn't get Task Manager to run, even from Windows Explorer.

I found a Windows Explorer window (using Alt-Tab) and ran System Restore to well before it happened. Worked a treat.

file name is windows\system32\rstrui.exe

Anonymous said...

HELP, please?
After I go on to the 'safe mode with command prompt' option..
I get something that says 'select the operating system to start', should I select this as I should 'Login as the same user you were previously logged in with in the normal Windows mode'? I've tried that and I don't know where/how to type 'explorer' into?
RUBBISH with computers but I really need to get this done?

Any help would be appreciated, thank you.

Anonymous said...

It worked for me....Win 7 is my OS.
I started the PC in safe mode and removed all the files from the C:\Users\Stuart\AppData\Local\Temp folder.
Basically the virus exe is located in the temp folder, so once you remove all the files in the temp folder it will delete the virus exe file.
Now restart the PC in normal mode and remove the link from the startup folder to remove the link in msconfig.
Good Luck

Anonymous said...

I've just searched .exe because we already had explorer.exe in the correct place but have come up with about 2000 files in the results...any ideas???

I've also tried to type msconfig in the command and it says that it can't do anything?

Anonymous said...

Thanks for the above, managed to remove it by searching .exe.
However, it appears this has changed some settings on the computer as I can't connect to the Internet, cannot locate wifi or create a network connection. I don't have any back up discs etc, tried to run various malware removers as mentioned above but not corrected. Anyone suggest how to resolve? Many thanks

Anonymous said...

Hello, I can't seem to get onto safe mode when loading the computer. I'm tapping F8 but it just loads up as normal, the desktop flashes for a second then the Ukash virus takes over. Anyone got any suggestions?

Anonymous said...

I've been trying everything above for hours now and to no avail. When I open in safe mode with command prompt and try to open regedit or msconfig it says it can't find the file. I've tried to delete everything from AppData, but that hasn't worked. Now it's coming up when I open in safe mode. Is there anything I can try prior to a full reboot? I'm guessing not, but thought best to ask.

Anonymous said...

Same virus, Windows 7, followed this advice from a previous post.
"Boot the machine in Safe mode with Networking
Run a search in the start menu for ".exe"
Delete the file
Reboot in Normal mode and it should be gone.
Go into your Recycle bin, look at the file, poke it a bit and curse the fact that it has ruined your morning.

Note:
This search only threw up one result for me which was the file in question, located deep in a temp file within the Users directory. It appeared to have two path names in fact. My file was called 0.9721615469483581.exe but I guess everyone can be different"

Sorry, can't help with other issues.

Anonymous said...

Same virus - Windows XP - followed above advice:

"Boot the machine in Safe mode with Networking
Run a search in the start menu for ".exe"
Found file as short cut kna,5679435.exe (or similar)
Looked at path and found kna,5679435.exe
Used right click menu for McAfee shred to shred (delete and wipe all traces of file)
Restarted as usual - all seems fine!!

(will keep you posted)

Anonymous said...

Unable to get onto my desktop/search for a .exe file because as soon as I log on it goes onto the virus!
Same problem when I log in on safe mode? :/

Anonymous said...

I type '.exe' into search and it comes up with nothing..with Shell it's already Explorer.exe...please help. This virus is really annoying I:

Anonymous said...

Mine is hidden as a dll - called wpbt0.dll

Deleted it but I can't deselect the startup item - it simply reselects it when I press apply

Help

Anonymous said...

I followed this advice below which was written on here on 22 Dec (copied and pasted):

To: Anonymous, Dec 22, 2011 11:26 AM

I JUST RECEIVED THIS VIRUS AND WITHIN 10 MINUTES IT WAS GONE! THE EASY WAY TO DO THIS...ENTER YOUR PC WITH SAFE MODE AND COMMAND PROMPT ...TYPE IN... EXPLORER.EXE .....OPEN START > SEARCH> ENTER '.EXE' THEN LOOK FOR A NUMBER EG. 0.0300381308 DELETE AND EMPTY TRASH...SIMPLE...MAKE SURE THE NUMBER IS NEAR THE TOP OF THE LIST....GOOD LUCK!

Thank you so much - after trying some options from the above this is the one that worked for me! Ran a scan after as well. So grateful :)

Anonymous said...

I also have wpbt0.dll

My computer is working as it once was after using Malwarebytes.

However, the colouration of my screen has completely altered. Now there are many things on screen missing or the colour is gone.

I still see wpbt0.dll. I stopped it from running at startup, but clearly something is still wrong. Any help?

Anonymous said...

To people who may have tried all the steps above and still had no luck: type .exe into the Start search and delete any suspicious files (random numbers, etc). This worked for me perfectly!

Anonymous said...

Just to agree, that's all I did as well... type .exe into search and delete the files with a weird string of numbers and then .exe (I knew it was the correct one because it was created on the date that the virus first happened).

It was in the temp folder so you could start there and arrange icons by date if your search is slow.

Anonymous said...

Just removed, cause when I rebooted my comp for like the 75th time it told me some system repair is needed, that did the trick. Bastards won't be stealing my shit any time soon!

Anonymous said...

I am on Windows 7.

I have managed to get explorer and regedit up and running in normal mode (I switched to admin user, killed iexplore instances running as the user, and switched users back) .

The regedit claim does nothing.

The "AppData" claim: no such folders on Windows 7. The search for a ".exe": no such "random" file (out of the 6000 odd .exes found).

Anonymous said...

If you pressed Ctrl-Alt-Del and it won't stop, what you can do is, when your PC starts up, hold F8 until it beeps, then try to restore to a previous version. That is how I did it.

Anonymous said...

Rather than go into the registry, I just rebooted into 'Safe Mode' as others have shown us how to do this, then click on your:

'Start' menu then select
'All Programs'
'Start Up'

Within the Start up folder, you will see the name of the script that's been written to bring up that screen each time you log on.

Right-click on the script name, go to 'Properties'
Select 'Open Folder Location'
Delete the ransomware application from its location.

Once you've deleted it, you need to also delete the script from the start up menu or each time you reboot your system, it will keep trying to search for the ransomware you've already deleted (won't find it though!).

Anonymous said...

I went to Start > All Programs > Startup > Properties, deleted the item in the location and applied, and it worked a treat, so thanks for this help @@@@@@@@@

Anonymous said...

Just wanted to say thank you. I managed to pick this up, and the msconfig check sorted it out. It was hiding in administrator\appdata\roaming . The amount it demanded is £100 now, not £75. Inflation, eh?

I must admit, it's a pretty sophisticated mockup. Loads of official-looking logos, a respectable layout, and even correct spelling. Someone obviously put a lot of work into this.

Anyway, thanks again.

Anonymous said...

Thanks all, Windows 7 OS, followed the instructions below, and whammo.....gone...although my search threw up 2 results, which began with a "Y" and ended in random numbers; deleted both files......

Boot the machine in Safe mode with Networking
Run a search in the start menu for ".exe"
Delete the file
Reboot in Normal mode and it should be gone.
Go into your Recycle bin, look at the file, poke it a bit and curse the fact that it has ruined your morning.

Note:
This search only threw up one result for me which was the file in question, located deep in a temp file within the Users directory. It appeared to have two path names in fact. My file was called 0.9721615469483581.exe but I guess everyone can be different.

Anonymous said...

Just got this today and looks like it has evolved.

No registry entry, no random numbers.exe, auto shutdown of anti-virus and lockout of the service so it can't restart. Nothing in Startup, nothing in msconfig, log out causes graceful closure, and switching to another admin or other user brings it back. It is present in safe mode and Malwarebytes doesn't find anything.

I had no access, even in safe mode, so I shut down the PC, repaired through the Windows repair tool, then restored to an earlier version. That still didn't fix it, but allowed safe mode. The Windows Search service and anti-virus service were shut off and unable to be started, so I couldn't search for the exe. Downloaded Malwarebytes and ran it but it didn't find anything. In msconfig everything looked in order, but I stopped all non-Microsoft services and apps just to be sure. That allowed me into normal Windows mode. From there I reinstalled Avast to get virus protection back and deleted everything in the user/temp folder.

Computer now operating, but I can't be certain the exe or dll has been found, and I'm certain there are registry keys in there somewhere for this thing, but no idea where to look!

Anonymous said...

I use Windows Vista. I booted in "Safe Mode with Networking" and searched for .exe files. I found a short cut file 0.614394900.exe (not sure of the number - I deleted the file!) This file was dated and timed at the point when the virus hit me. After deletion of this file the problem disappeared.

lcnvn said...

'Start' menu then select
'All Programs'
'Start Up'

Within the Start up folder, you will see the name of the script that's been written to bring up that screen each time you log on.

Right-click on the script name, go to 'Properties'
Select 'Open Folder Location'
Delete the ransomware application from its location. Seems to have worked for me, thank you so much, literally shit myself.

Anonymous said...

I really appreciate your help, it's easy to follow, and I admire that there is someone out there trying to fight against these bastards.

I have a problem when I get to the enter "regedit" part, it tells me that it is blocked by the administrator, even on the admin account :/ How do I overcome this? At least I can see my documents!

Thanks so much!
Ben

Anonymous said...

Hello Everyone,
I just had the same issue. My 'shell' value was saying 'explorer.exe'.
So instead I loaded safe mode and did 'system restore'.
Restored my computer to an earlier point and it got rid of the virus, as it removes all the downloaded files from the time you restore your computer.
To restore, just load the computer in safe mode,
go to 'start', in the search field type 'recovery' and open 'recovery'. A window will open with 'open system restore'. Just follow the steps and recover your computer to an earlier point. Worked great for me.
Good luck

Tim Roll-Pickering said...

I've gone through the instructions for XP but the file is running and refuses to delete. Task Manager won't appear on top so I can't stop it that way. Nor can I get on the web on that machine. Anyone got any ideas?

Anonymous said...

I had this on my Windows 7 OS.

Removed it by restarting in safe mode with networking.

Searched for .exe and found something called "jag" or something.

Removed it, the PC seems to work now.

Anonymous said...

I have Windows XP Home and followed this:

I JUST RECEIVED THIS VIRUS AND WITHIN 10 MINUTES IT WAS GONE! THE EASY WAY TO DO THIS...ENTER YOUR PC WITH SAFE MODE AND COMMAND PROMPT.....OPEN START > SEARCH> ENTER '.EXE' THEN LOOK FOR A NUMBER EG. 0.0300381308 DELETE AND EMPTY TRASH...SIMPLE...MAKE SURE THE NUMBER IS NEAR THE TOP OF THE LIST....GOOD LUCK!

It worked. Thanks so much. :)

Sharief said...

Hi, thanks for all the help so far. The problem for me is, the ransomware has hijacked my system in such a way so that I can't even access command prompt in safe mode. When I try to, the command prompt window flashes very briefly before the ransomware takes over the screen, making me unable to locate and remove the offending files. Please help!

Craig said...

I got to the "regedit" bit and then a window came up saying "administrator profile won't let you edit the registry something etc."

I am done for. :(

Anonymous said...

Can anyone suggest a solution for this virus? I have pressed F8 and taken the option safe mode with command prompt, and the only option available is Microsoft Windows XP Professional, and then the virus blocks again.
Cannot get to a command prompt.
Does anyone have a solution for this?

Alice said...

I'm having the same problem, found a file PreCreateKnowfolder REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}

should I delete that???

Anonymous said...

I tried this and now my screens black and can't get to Start in safe mode, HELP!

Anonymous said...

Steps I took to solve the problem.

1. Ctrl+Alt+Del
2. Log Off
3. Cancel Log Off
4. Go to Start (Bottom Left)
5. Type .exe but don't press anything
6. Wait
7. See file (NUMBERS).exe
8. Delete
9. Celebrate by doing the dougie

Anonymous said...

AAAAGH I can't do this. I log into my account in safe mode, all ok, then as soon as the command prompt opens the white screen just opens and blocks EVERYTHING. I can't type, click, open or anything!!!! I paid £50 and fell for it and everything, so if I can't see or do anything, what shall I do?
The screen says
'Please wait while the connections is beeing established'
and there is a spelling error in it.

:( PLEASE HELP ME

Anonymous said...

I am having the same problems as above. The prompt screen freezes and doesn't allow me to enter anything, so I am unable to follow the deletion instructions. The operating system I'm using is Windows XP. Does anyone know how to overcome this problem? Any help will be very much appreciated. mj

Anonymous said...

I did a system restore to the day before, worked for me. Thank your lucky stars, those of us that have more than one computer!
Just doing a full scan now to be on the safe side using Malwarebytes Anti-Malware.

Anonymous said...

I'm so sorry for the person above who paid. This has to leave a trail somewhere - I mean if you pay the money it has to go somewhere... I'd love to get hold of the people behind this.

Anonymous said...

I'm currently trying to fix my PC after getting this virus and I've performed an .exe search for today. Still came up with over 20 search results. I see a lot of EXE files from the time I got the virus. Can I safely assume they are all dangerous?
1 is a Java file, is this virus written with Java?
All files are located in C://Windows/Prefetch (no idea how to type those strange "/").
Also running Malwarebytes.

Anonymous said...

I am running XP. I cannot select anything other than 'normal' when trying for safe or prompt modes ....just unstoppable lines of data at any other choice and then back to the menu.

Ran recommended antimalware on my other user name, but it said there were no viruses!!

Anyone know of a prog that I can put in via memory stick or CD that will kill it?

Getting desperate!!

Thanks

Anonymous said...

I don't know what I can do next. I ran a scan with Hitman Pro and Malwarebytes Anti-Malware and they didn't find any trace of the virus. I myself searched for an .exe file and I didn't find anything like a random number .exe. I also tried with msconfig, didn't work either.

Can somebody tell me what I did wrong?

Anonymous said...

I can't find the malicious file. No results for ".exe" return when I type it into the Windows search. Please help!

Anonymous said...

Phew Thank you! F8, Safe mode with networking, start .exe, delete worked for me. Thanks again. Running malwarebytes now in normal mode to make sure. Thanks again

EileenB said...

My window says Administrator:cmd.exe - cmd.exe on the title bar

In the black screen it has C:\Windows\system32>

What goes in after this?

Anonymous said...

Tsk tsk tsk, no no no, you fools!
Just go to Control Panel > System Restore. It usually has a backed up copy of your system before the infection; pick that point of restore and then go get some fresh air for 10-15 mins. When the computer restarts it's like nothing happened ---SO NO NEED TO MESS WITH THE REGISTRY - TOO MANY PEOPLE HERE WANNA SHOW OFF NOT HELP!
AND THE REST WANNA SELL YOU STH!!?

Ian said...

Easier way - this worked for me on this machine

1 - turn off machine & router / stay offline
2 turn machine back on and after it boots you may see a message that a file cannot open / or tabs at bottom of screen saying webpage cannot be displayed - clear these
3 - turn router back on / go online - this will allow you to go onto google / use Iexplorer to find advice / download antimalware software.

Think about it - an online page cannot be displayed if you are offline

Anonymous said...

Thanks for your help, I ran in safe mode, msconfig, looked in startup

Saw the long number 0.78**************.exe

Unticked & restarted

Run ccleaner then registry cleaner

Btw win7 64bit ultimate OS

Anonymous said...

Right, simple way I did it!!

1.Switch on computer and keep tapping F8 to go into safe mode.
2.Select safe mode with command prompt.
3.When pop up box appears, type msconfig then press enter.
Select start up tab and scroll thru' for obvious bogey program - usually something ending .exe - my variant was arg44699.exe.
4.Once identified, unselect the check box and scroll along to make a note of the full location info - mine was c:\users\"your user name here"\appdata\roaming\microsoft\windows\start menu\programs\start up.
5.Restart your computer in normal mode and the annoying screen should have gone.
6.Go to start menu and in search box, type the location you noted.
Select this location once it appears and identify the .exe file you disabled in msconfig.
7.Delete then go to recycle bin and delete from there also.
8.Give your computer a full scan using your anti-virus package or download 'malwarebytes' and/or 'ccleaner' and give your computer a clean up.
9.Reboot just to be sure, then you should be done.

Please note:
If at No.5, the malware screen is still there, you have not unchecked the correct item which is causing your problems and I suggest you go back into safe mode from the start and try another .exe file to uncheck whilst re-enabling the first one.

This method worked for me and I only had one .exe file. For all I know, you may get more than one.
I am by no means a computer expert and only found out how to do this thru' trial and error plus a little suggestive help from a friend.
I cannot be held responsible for anything you may mess up whilst trying to do this yourself.
If you are not confident with delving into the guts of what runs your PC, pay your money to an expert.

I pray and hope this works for you tho' and I've saved you a few pennies. Like me, be careful what you click on next time.

Anonymous said...

Please help, I am clicking safe mode with command prompt and my computer keeps restarting back to the same screen.

Anonymous said...

When you get into the safe mode screen options, try not clicking anything.

Use your arrow keys to scroll to the required method and once it is highlighted, press your 'enter' key.

See if that helps, otherwise you'll have to wait until someone else with more knowledge answers you.

Anonymous said...

Anonymous comment 02-12-11 was spot on going into msconfig and finding the offending file in Startup. My file was a random 17 digit number exe file in C:\users\...\AppData. Thank you so much for the advice.

shotta said...

When I searched for the ".exe" file no results were shown...

I have Windows 7, I don't know what to do...

I found the 'shell' value, the value data was explorer.exe, but in Windows 7 there is no Documents and Settings, right?

Sorry for the bad English.

I know nothing about computers.

HELP ME! PLEASE!

Anonymous said...

Ok, thanks for the help.
I found the malicious .exe via the msconfig tool under the name "SkypeRT.exe"; it was located in C/users/username/appdata/SkypeRT.exe

As I never used Skype on this computer it was a little suspicious; besides, the description of the startup routine was "Windows NT-2000" although I'm running Win7.

Be careful, it seems that the name and description could be almost anything.

The majority of startup commands point to files located in the C/program files folder (various drivers and utilities for different devices). Anything that points elsewhere is suspicious.
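Added here as an example, not code from the post or any commenter: a read-only PowerShell triage script that walks the autostart locations this thread keeps returning to (the Winlogon Shell value, the Run keys, the Start Menu Startup folder, msconfig's disabled-item keys under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig, and the AppData and Temp folders) and flags entries that point into AppData or Temp or carry random-number names like those reported above, so a suspect can be confirmed before anything is deleted. It assumes an elevated PowerShell on Vista/7; the 7-day window and the name patterns are assumptions drawn from the examples in the comments.

```powershell
# Added defensive triage script (not from the original post or its comments).
# Read-only: lists the autostart locations named in this thread and flags entries
# matching the patterns commenters reported. Assumed to run in an elevated
# PowerShell on Windows Vista/7; nothing is deleted or modified.

function Test-SuspiciousTarget {
    param([string]$Command)
    if (-not $Command) { return $false }
    # Keep only the executable path: strip surrounding quotes and any arguments
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $name = [System.IO.Path]::GetFileNameWithoutExtension($exe)
    # Lives under a user profile's AppData or a Temp folder rather than Program Files
    $inUserData = ($exe -match '\\Users\\[^\\]+\\AppData\\') -or ($exe -match '\\Temp\\')
    # Random-looking names seen in the thread: 0.9721615469483581.exe, arg44699.exe, ch810.exe
    $randomName = ($name -match '^\d+(\.\d+)?$') -or ($name -match '^[A-Za-z]{1,4}\d{3,}$')
    return ($inUserData -or $randomName)
}

function Get-AutostartFindings {
    $findings = New-Object System.Collections.ArrayList
    function Add-Finding($source, $entry, $target, $reason) {
        [void]$findings.Add([pscustomobject]@{Source=$source; Entry=$entry; Target=$target; Reason=$reason})
    }

    # 1. Winlogon Shell: should be exactly explorer.exe in HKLM and absent in HKCU
    $wl = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty "HKLM:\$wl" -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') { Add-Finding 'HKLM Winlogon' 'Shell' $shell 'Shell is not explorer.exe' }
    $userShell = (Get-ItemProperty "HKCU:\$wl" -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($userShell) { Add-Finding 'HKCU Winlogon' 'Shell' $userShell 'Per-user Shell override present' }

    # 2. Run / RunOnce keys for the current user and the machine
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($key in 'Run', 'RunOnce') {
            $props = Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$key" -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
                if (Test-SuspiciousTarget $p.Value) { Add-Finding "$hive $key" $p.Name $p.Value 'Autostart from AppData/Temp or random name' }
            }
        }
    }

    # 3. Startup folders (per-user and all-users); resolve .lnk shortcuts to their targets
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        Get-ChildItem $dir -Force -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $target = if ($_.Extension -eq '.lnk') { $wsh.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
            if (Test-SuspiciousTarget $target) { Add-Finding "Startup folder ($folder)" $_.Name $target 'Autostart from AppData/Temp or random name' }
        }
    }

    # 4. Items disabled through msconfig: 'startupfolder' is the key Morello's comment points to
    #    (with its 'path' and 'backup' values); 'startupreg' holds disabled Run-key entries ('command')
    foreach ($sub in 'startupfolder', 'startupreg') {
        Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\$sub" -ErrorAction SilentlyContinue | ForEach-Object {
            $item = Get-ItemProperty $_.PSPath
            $target = if ($item.path) { $item.path } else { $item.command }
            if (Test-SuspiciousTarget $target) { Add-Finding "MSConfig\$sub" $_.PSChildName $target 'Disabled autostart still on disk; check backup too' }
        }
    }

    # 5. Recently created executables in Temp and AppData (where most commenters found the file)
    $cutoff = (Get-Date).AddDays(-7)   # assumed window; widen if the infection is older
    foreach ($dir in "$env:LOCALAPPDATA\Temp", $env:APPDATA, $env:LOCALAPPDATA) {
        Get-ChildItem $dir -Filter *.exe -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $cutoff } | ForEach-Object {
                Add-Finding 'Recent .exe' $_.Name $_.FullName "Created $($_.CreationTime.ToString('yyyy-MM-dd HH:mm'))"
            }
    }
    return $findings
}

Get-AutostartFindings | Format-Table -AutoSize -Wrap
```

Every row it prints is a lead to check by hand (creation date, location, whether the name is known), not a verdict; an empty table means the persistence uses a location this script does not cover, which is when the System Restore route several commenters took becomes the sensible fallback.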

Anonymous said...

I logged on in safe mode and simply restored the computer to an earlier date using the system restore. Easy.

Anonymous said...

Thanks all for the help here, I used 8th dec 2011 'have a safe pc'
Seems to have worked!

Anonymous said...

Hey guys, it's now March and this virus has appeared on my computer.

I found the easier way to find the file, if you are having problems, is to run Explorer from the command prompt.

Go to Start > Computer > C: drive, and in the search bar type .exe and filter the search with the date you got the virus on, and you will notice it easily.

Then delete it completely.

Mine was located in C:\users\adam\appdata\roaming

curly said...

Hi,
Any advice for a Windows XP that doesn't run any SAFE MODES?
Task Manager doesn't show either when ALT+CTRL+DEL is pressed in normal mode!

Thank you,

Anonymous said...

Hi, thx for the advice, worked a treat. I searched .exe files in Explorer, just matched up the time and date with anything that looked suspicious and completely deleted them.

Mine too was under the file names

'c:/users/mark/appdata/roaming' and 'c:/users/mark/appdata/temp'.

Anonymous said...

Thank you, finally, after a weekend of messing about, a solution!

Anonymous said...

I removed it by going into safe mode with command prompt. Didn't find the exe file under search on startup. Searched in Explorer, narrowing to the date the virus was received. It just stood out big time. It was called ch810.exe; deleted it and now it's gone :) Will now delete it from the recycle bin and install AVG and Spybot.

Anonymous said...

I've hit a hurdle straight from the off. I'm using XP Pro and safe mode runs but just restarts the computer, returning me to the choice of start ups. It's an endless loop!!! Please help

Anonymous said...

After reading all the good advice here I followed several trails. Eventually found ch810.exe and winsh.exe.

Deleted both and now the PC boots properly.

thanks to all those who contribute here - great advice.

Anonymous said...

Windows XP Pro SP3. As above, cannot boot in safe mode. Tried F12 and booted from the XP install disc. Computer hung after install (please wait). Rebooted as normal, desktop and icons appeared as normal for a minute or so, then the Metropolitan Police virus took over the desktop again...... Is there any way I can start in safe mode??

Thanks

Anonymous said...

Thanks Solution Worked Great !!!

Anonymous said...

Hi, I have just got this problem tonight and I have contacted Scotland Yard and they say that it is a scam, and it looks so real. Will it delete any of my files on my computer? I will try the removal tomorrow as I am going to bed soon, and I will take it to my ICT tutor who will help me go through the steps. I would like to say a big thank you to this site for having this info. THANK YOU SO MUCH

Anonymous said...

Fast way that worked for me: On Windows 7, If you have a system restore backup, get into safe mode, then type msconfig in the Windows icon, "search program and files". Under the TOOLS tab, scroll down to System Restore and click on enter. You will be able to choose an earlier time to restore your system. When my computer restarted, it confirmed that the restore was successful. I have been using the computer for about a half an hour now with no problems.

Emily said...

I had a problem with the two methods that attempted to delete the virus. My default value was explorer.exe and when I searched for '.exe' in the start menu, it ended up searching the whole computer and brought up a load of results, none of which had the long number described in most people's posts. I had to do a system restore (just pressed F8 and it was the top option), which restored it to 2 days ago and seems to have done the trick. I have Norton Anti-Virus but it's obviously got through!

My other half pooped his pants though when a message popped up from the Police saying he'd been illegally downloading pornography...the moral of that story being don't download pornography haha!

If all else fails, I'd say do a system restore. Fortunately we only use the laptop for browsing the web and our work PC is safe!

Anonymous said...

I have done 3 different ways including this one. I have done a scan with Malwarebytes and deleted the file but it is still there. I have done scans 5 times and it says there is nothing!!!!

Hypervox said...

Big thank you to the site - I got rid of it by removing all the files from the affected user's temp directory.

Anonymous said...

I had this message come up this afternoon and fortunately the other user still worked, so I logged on and found all this information on the ransomware bol54@ks. I tried to go through all the above ways to seek and destroy this little bugger and have just done a system restore. The restore was from several days ago so I haven't lost anything other than the lovely desktop picture that followed the ransomware attack!! I run Windows 7...

Anonymous said...

I can't find the file... I don't know why? What's that you're talking about, explorer.exe? What do you have to do? But thanks a lot, this is really helping me!

Anonymous said...

I deleted the "shell" value by mistake. How can I solve this? Sorry, but I'm a little bit bad with computers so you will have to explain it very simply and step by step. Sorry and thanks a lot.

Anonymous said...

Hi,

Just wanted to share my experience in case it helps someone else.

I tried everything listed here and I guess some of it may have helped. I still, at the end of it all, had the Ukash blocked screen, but now I don't.

Like I said, the other stuff posted here probably went a long way towards helping, but the last things I did before it finally stopped showing up at boot were:

- boot to safe mode with networking
- install Avast (couldn't set anything in safe mode so...)
- booted normally and used the log off and cancel idea to use the desktop
- opened Avast and scheduled a boot time scan, and I also set all the detection settings to the highest
- used Avast to restart the computer and let it run its boot scan
Anything it found was moved to the chest and it booted to Windows fine; seems to have removed the ransomware.

Yay

Anonymous said...

Thanks for all the comments. Tried few ways to go about it, but the best for me was:
Safe Mode with Networking
Search .exe in start menu and delete the file quick. Restarted as normal and the problem went away. It was quick and easy. Don't forget to curse it, feels good.

Anonymous said...

I picked up the malware by trying to download a 10cc album from a Russian site, lol! I got rid of it by rebooting in safe-mode and running HitmanPro, which I can't praise highly enough. HitmanPro also found and removed a Google-redirect rootkit on my last computer that was not detected by AVG or Malwarebytes.

Anonymous said...

Help....
Have been following the advice after the PCeU Trojan has stopped my PC! When I use "F8" - start Windows in Safe Mode with Command Prompt; then select MS Windows XP Professional... all that appears is loads of commands/lettering. Then the screen comes on again with the option to start in various modes. It goes through the same scenario again - same happens. When I try to start in safe mode with the USB stick 'in' - the message comes up "Boot from CD - missing operating system". There is no option to do anything further. Any suggestions as to what to do next will be greatly appreciated.

Anonymous said...

This is the best bit of advice out of all the posts! Thanks

Tsk tsk tsk, no no no, you fools!
Just go to Control Panel > System Restore. It usually has a backed up copy of your system before the infection; pick that point of restore and then go get some fresh air for 10-15 mins. When the computer restarts it's like nothing happened ---SO NO NEED TO MESS WITH THE REGISTRY - TOO MANY PEOPLE HERE WANNA SHOW OFF NOT HELP!
AND THE REST WANNA SELL YOU STH!!?

Anonymous said...

I am running Windows 7 and the process outlined above not work; I even downloaded Trojan Killer in the hope this would do the trick, it did not detect the Trojan so could not clean it; so I'm not suggesting the above approach above does not work, just that it did not work for me.

The solution I found in the end was to re-boot using the "Directory Services Restore Mode" from the F8 menu; using this restore mode enabled much faster processing in Windows (compared to the alternative Safe Mode, which had not worked). I then installed Malwarebytes (free 15-day trial) and it found the Trojan in about 3-4 mins of the full scan, then removed it. PC worked as normal after that.

Anonymous said...

I am running windows 7; what I had to do in the end was the following:

1. Boot up (F8 menu) and choose Directory Services Restore Mode
2. Download Malwarebytes (15-day free trial)
3. Run full scan
4. Trojan was detected and deleted
5. After a reboot the PC functioned normally

Anonymous said...

Windows 7 users: re-boot in Safe Mode and run System Restore

Job Done

Anonymous said...

Quite simple to fix for all browsers and computers. A novice could do it and it only takes a couple of minutes. Start your computer up, repeatedly hit the F8 key until the black screen with Safe Mode options appears. Click "Safe Mode With Networking". Log on to your desktop, click Start, type "restore", and click Restore when the file comes up. You don't need to restore your computer back to its factory settings. Just restore it to a few hours or days before the virus started. Simples.

rilo said...

Hi, thanks for posting this. However, I would like to check on my laptop's condition now. This morning my laptop caught this malware; the antivirus (Kaspersky Anti-Virus 2012) detected Trojan.Win32.Inject.ebqb and recommended that I disinfect with reboot, which I did. After rebooting and logging in, however, that Metropolitan Police window appeared. I looked it up using another computer and found your article. I tried the procedure; when I 'entered' Safe Mode with Command Prompt, my laptop started loading all the Windows files and then suddenly stopped working. I pressed the power button to restart it and pressed F8 again; the screen said that one of my drives is unstable and it did the checking (and maybe repairing) process, after which Windows started as usual. I tried to press F8 again but nothing happened. When I tried to log in, the Metropolitan Police window NO longer appeared. I ran Malwarebytes to detect the file, but while the program was still scanning, the same Kaspersky window re-appeared. At the moment I haven't clicked anything from the two options (disinfect with reboot & do not run), and Malwarebytes has already finished scanning and detected Rootkit.0Access. Now, my question is: did the Malwarebytes program detect the right file? Is my computer infected? When I tried to search the file in C:\, my username folder is locked and I cannot find the 'AppData' folder. I browsed and wrote this using the very laptop which caught the malware. Could you suggest what I should do to fully get rid of it please? Thanks!

Anonymous said...

WINDOWS 7
Start in Safe Mode by hammering F8 while your computer is warming up.
Click on Start and search ".exe".
Find the file; mine was "t493902.exe" (or something like that).
Delete the file.
Shut down your computer.
Turn on your computer.
Log on as normal.
Go to your Recycle Bin and delete the file permanently.
THANKS SO MUCH TO AN ANONYMOUS WHO POSTED THESE INSTRUCTIONS EARLIER, AS I AM PRETTY BAD WITH COMPUTERS SO THESE CLEAR INSTRUCTIONS WERE MUCH EASIER THAN ATTEMPTING TO CHANGE PROGRAMME/FILE NAMES AND SUCH LIKE! THANKS!

Anonymous said...

Same thing happened with a friend's PC. Malwarebytes Anti-Malware found these:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|21893 (Trojan.Agent) -> Data: C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msaauv.bat;
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0);
C:\Documents and Settings\All Users\Local Settings\Temp\msaauv.bat (Trojan.Agent)

Hope that was it! - seems to work OK now.
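
The Malwarebytes hits quoted in the comment above are the usual pattern for this family: a value under an autorun key (here `Policies\Explorer\Run`) pointing at a script or executable dropped in a scratch directory, plus policy values that lock the user out of their own tools. The script below is an added example and is not code from the original post or from any commenter. It assumes the analyst has exported the autorun and policy keys with regedit's Export (or `reg export`) from the locked machine or an offline hive, and it flags the entries worth deleting. The sample export is constructed from paths quoted in this thread (`msaauv.bat`, `hanfukqi.exe`); the key paths and policy value names are real Windows locations, and the legitimate `ctfmon.exe` entry is included deliberately to show that the location heuristic leaves a system-directory autorun alone.

```python
"""Triage a .reg export of the autorun and policy keys this family abuses.

Added example, not code from the original post or from any commenter. Assumes
the analyst has dumped the keys below from the locked machine (or an offline
hive) and wants a list of values worth removing. The sample export is
constructed; every key path and policy value name is a real Windows location.
"""
import re
from dataclasses import dataclass

# Keys that hand an .exe or .bat control at logon. Winlogon\Shell is the value
# the guide's regedit step inspects; MSConfig\startupreg is where msconfig
# parks disabled startup items, which is how one commenter found an entry there.
AUTORUN_KEYS = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\policies\explorer\run",
    r"\microsoft\windows nt\currentversion\winlogon",
    r"\microsoft\shared tools\msconfig\startupreg",
    r"\microsoft\shared tools\msconfig\startupfolder",
)
# Policy values behind the "disabled by your administrator" messages in the thread.
LOCKDOWN_VALUES = {"DisableRegistryTools", "DisableTaskMgr", "DisableCMD"}
# Writable scratch locations; a legitimate autorun entry almost never lives here.
SUSPICIOUS_DIRS = (
    "\\temp\\", "\\programdata\\", "\\local settings\\application data\\",
    "\\appdata\\local\\", "\\appdata\\roaming\\", "\\all users\\",
)
EXEC_EXT = (".exe", ".bat", ".cmd", ".scr", ".com", ".vbs", ".dll", ".pif")

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for REG_SZ and REG_DWORD values.

    Only the two value kinds that matter for autoruns and policies are parsed;
    hex(...) blobs and their continuation lines are skipped on purpose.
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line) if key else None
        if not m:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1)
        raw = m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            data = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif raw.lower().startswith("dword:"):
            data = str(int(raw[6:], 16))
        else:
            continue
        yield key, name, data


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


def triage(reg_text):
    """Return the values an analyst should look at, in export order."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        keypath, low = key.lower(), data.lower()
        if name in LOCKDOWN_VALUES and data == "1":
            findings.append(Finding(key, name, data, "tool lockdown policy set"))
            continue
        if not any(keypath.endswith(k) or (k + "\\") in keypath for k in AUTORUN_KEYS):
            continue
        # Strip arguments: a quoted command line keeps only the quoted program.
        target = low[1:].split('"', 1)[0] if low.startswith('"') else low
        if keypath.endswith("winlogon") and name.lower() == "shell" and low != "explorer.exe":
            findings.append(Finding(key, name, data, "Winlogon Shell replaced"))
        elif target.endswith(EXEC_EXT) and any(d in target for d in SUSPICIOUS_DIRS):
            findings.append(Finding(key, name, data, "autorun points into a scratch directory"))
    return findings


def remediation_commands(findings):
    """reg.exe one-liners for the flagged values. The DisableRegistryTools policy
    targets regedit.exe; reg.exe is normally still usable from a Safe Mode
    command prompt, which is why the commands use it."""
    cmds = []
    for f in findings:
        if f.reason == "Winlogon Shell replaced":
            cmds.append(f'reg add "{f.key}" /v Shell /t REG_SZ /d explorer.exe /f')
        else:
            cmds.append(f'reg delete "{f.key}" /v "{f.name}" /f')
    return cmds


# Constructed sample export: paths quoted in this thread plus one legitimate entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"21893"="C:\\DOCUME~1\\ALLUSE~1\\LOCALS~1\\Temp\\msaauv.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"hanfukqi"="C:\\ProgramData\\hanfukqi.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"{f.reason}: [{f.key}] {f.name} = {f.data}")
    print("\n".join(remediation_commands(triage(SAMPLE_REG))))
```

Run it against a real export with `python triage.py` after swapping `SAMPLE_REG` for the file contents. Treat the output as a worklist, not a verdict: a dropper can also sit in a system directory (one commenter found theirs in `system32`), so pair this with a check for recently created executables before declaring the machine clean.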

Anonymous said...

Simple fix to this just reboot the computer in safe mode and system restore a day before the virus hit
Job Done!

Anonymous said...

hi all,
hoping you can help me; I also have a new malware ransom thing, but can't even run in Safe Mode, it just comes up with the blue screen of death for every Safe Mode option?
I've tried the AVG rescue CD, nothing. Hoping you can help, I'm on XP SP3.
cheers

Anonymous said...

I've just been through this nightmare: no Safe Mode at all, Ctrl/Alt/Del not working, in fact nothing seemed to work.
In the end I let the PSR screen load, right-clicked, Print, Print to File. I then had a window open which included "My Computer". I opened My Computer and the C drive, opened Windows and right-clicked on one of the files; one of the options was "Scan File". I figured I'd nothing to lose and hit yes, and to my amazement Microsoft Security Essentials fired up. I ran a full scan, and when that was finished I rebooted twice: the first time I just got the desktop background, the second time I got the bottom bar and was able to do a System Restore.
I hope this makes sense. As you will have gathered my computer knowledge is pretty poor, but it worked... And doesn't it feel good to beat the bastards!!!

Anonymous said...

What if my computer doesn't boot up in safe mode?

Anonymous said...

Hi, thanks for the tips... but I have a favour to ask. Whenever I highlight Safe Mode with Command Prompt, it's like a list of numbers and letters being scanned comes up sliding through the screen, then it reboots again and at the top it says it was unsuccessful. So I highlight Safe Mode with Command Prompt again and press Enter, but it keeps doing the same thing again and again. Is there anything wrong with it??? How could I solve it? Please help!!!

Anonymous said...

I've had this twice in the past week.
I am lucky in as much that my machine operated in safe mode when this happened and I have been able to restore the machine to an earlier time.
It seems that for some people this ransomware disables safe mode. It seems to be selective, probably a setting somewhere in your/my computer. Anyway at least try safe mode because it obviously works on some machines.

Anonymous said...

Thank you soo much :) I thought I was done for when that popped up, couldn't have had my parents seeing that :P Thanks again :)

putipa said...

Please help! This is driving me insane - nothing seems to be working, and to make matters worse ALL MY WORK IS ON HERE! I tried typing in "exe" but nothing comes up! Please can some computer whiz help me.

Anonymous said...

The power plug for my tower is about six inches from my hand; at any sign of a hijacking I just yank the plug out of the socket. Not the best way to shut your computer down, I grant.
But it survives power cuts, so why not this... The malware is always gone when I reboot.

Kazi Farhan said...

I was hit by this virus yesterday. I managed to go into Safe Mode and restore my PC to a previous restore point. After that the virus seems to have gone, but now all my files - documents, pictures, songs - show as locked. Can't open them using anything!
Can anyone please help me with this?

Anonymous said...

I try to open Registry Editor, but it says it's disabled by the administrator. I'm logged in as administrator. What can I do?

Anonymous said...

Hi, I've tried everything named on this site. System Restore in Safe Mode does not work, and when I search "exe" nothing comes up. I even did a scan of my laptop; it detected the virus and I removed it, yet it is still there! Every time I attempt a System Restore to a past date, it automatically restarts the laptop, goes to normal mode yet says the restore was incomplete and didn't work, then the virus notice comes up! Incredibly frustrating! Please help me solve this problem. I was wondering, if I left it with a computer store and asked them to fix it, would they be able to, or is hope lost? Please get back to me; it will be very much appreciated :)

nikos thimianis said...

I can't enter safe-mode please help!!!!!!! I have Windows XP!! I can't do anything!!!

42n0rris said...

I followed the steps posted here and all worked fine for about 20 mins. Then the virus came back, so I thought I'd go through it all again, but every time I put the location into Explorer it just opens Firefox to a site that doesn't exist. Also, even if I do figure it out, how can I stop it coming back again anyway?!?!?!

Anonymous said...

I have a windows vista. I tried all of that stuff but in the end I just had to go to Safe Mode with Networking then I used my Anti-Malware. It found it and removed it. Thank god! This is the 3rd time I've gotten a virus on my computer and it's so embarrassing to admit I messed up again. I was looking at a tumblr account when it popped up. Guess I should stop going online at night since for some reason that is when I get the viruses.

Anonymous said...

I've just removed a new version of this from my mum's computer. Neither Malwarebytes, Norton, AVG 2012 nor Rkiller could find it whilst in Safe Mode. I used Combofix to rip out enough of it to boot up in Standard Mode, then used Malwarebytes full scan to pull out the rest. Hope this helps anyone who reads it... :)

Anonymous said...

I have the same virus, but when I try to start in Safe Mode by pressing F8 it locks the system so I can't get in. Any ideas?

Anonymous said...

Malwarebytes didn't pick up on this for me, and I couldn't find it in the registry. In Safe Mode I went to msconfig > Startup and a file called etbxapzhnaevgej.exe came up. It was installed in C:\ProgramData - deleted it from there and hope that's enough.

Anonymous said...

I can't get into Safe Mode either, and when I try to run regedit through the command prompt, even though I'm the admin, it says: "Your administrator has disabled this feature".

Anonymous said...

If I restore my system to an earlier point before the virus, will that solve the problem for good, i.e. I will have no problems with my personal info? Thx, hope to hear a reply soon.

Warren the Blue said...

I get up to the stage after I've done 'Regedit' but I can't see Shell anywhere. I can see HKEY_LOCAL_MACHINE but that's it; there's nothing like 'Shell'. Anything else it would be under... or an alternative?

Thanks

Anonymous said...

I just went in to safe mode and did a system restore seems to have worked.

Anonymous said...

If you don't have a dodgy file name under Shell, go to...
Start > All Programs > Startup > and delete the file with a name you're not familiar with. Worked for me, and dude, I love you!!

Anonymous said...

Warren you need to go into the sub menu.

Anonymous said...

Solution to not being able to boot in Safe Mode (I cannot boot in Safe Mode): create a rescue CD with Kaspersky 10, then boot from the CD. This allows you access to the registry through the Kaspersky program.

Anonymous said...

This virus is a real tricky one - I tried the steps above and got into Safe Mode, but it was not where this guide says it was. I ended up bringing up a list of startup items with CCleaner; anyway, it was hidden in C:\ProgramData\hanfukqi.exe

In safe mode I went to ProgramData and actually found two sets of the virus, some was in a hidden folder - luckily I had hidden folders viewable when I got the virus.

I ended up checking any folder or file created today and deleted about 10 files and a folder.

All clear now thank goodness

I knew it was a scam virus the second it came on screen - sure is scary though.

Anonymous said...

Hi all, I've run malware three times and each time it's come up with a .exe file and I've deleted it but when I restart the computer the metropolitan police page comes back up. Any ideas? Thanks

Anonymous said...

it works,
Start > All Programs > Startup > Ctfmon

I deleted this file and the PC works again.

Anonymous said...

Safe Mode was disabled for me, as was everything else, but I got there by booting into the F8 menu and selecting 'Directory Services Restore Mode'.

It looked like it was going to do a System Restore, but at the last moment I pressed Cancel to come out of the System Restore options and enter my desktop environment.

It is easy to find if you look in your startup items (Run: msconfig) to see what's out of place/new additions, and do a search for any .exe programs that were created the day you got the virus, in the advanced search options.

When you have found the file name (mine began with 0_0 !!) do a search on all files with that in the title/name to swiftly delete.

I also had to run regedit to delete the rogue entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder to carve them clean out of my startup folder.

But they might also be here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg

There was a sneaky entry in that folder called UPDATE which I could tell was the virus, as the details inside matched the same filename as the virus, so I deleted that one too.

The main offending .exe virus file was in my system32 folder. Ripped that straight out and into the trash can before permanently deleting it from the trash.

Curiously, neither AVG nor Malwarebytes found anything wrong with it when I right-clicked on it to scan it on its own.

Thanks to you all, I saved my PC and a whole load of stress and time; good luck all, and thank you very much to everyone here! :D

Anonymous said...

One of our members of staff had it as %userprofile%\local settings\application data\microsoft\windows\2064\tapimigplugin.exe

found it searching for the most recently created .exe file in %userprofile%

hope that helps someone
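
Two commenters above arrived at the same hunt by hand: list executable-looking files created after the moment the lock screen first appeared, under the user profile and `ProgramData`, and look at the newest. The script below is an added example, not code from the original post or from any commenter, that does the same walk in code. The directory tree it builds is constructed; the file names come from paths quoted in this thread. On the infected Windows machine you would point `recent_executables` at `%USERPROFILE%` and `C:\ProgramData` (and `C:\Windows\system32`, where one commenter found the dropper) and pass `timestamp=lambda st: st.st_ctime`, which Python reports as creation time on Windows; the default uses modification time so the example runs anywhere.

```python
"""Hunt for freshly created executables under user-writable roots.

Added example, not code from the original post or any commenter. The sample
tree is constructed; the file names are paths quoted in this thread.
"""
import os
import tempfile
import time

EXEC_EXT = {".exe", ".bat", ".cmd", ".scr", ".com", ".dll", ".vbs", ".pif"}


def recent_executables(roots, since, timestamp=lambda st: st.st_mtime):
    """Return [(path, ts)] for executable-looking files with ts >= since, newest first.

    `timestamp` chooses the stat field to trust: mtime by default so this runs
    on any OS; on the infected Windows box use `lambda st: st.st_ctime`, which
    is creation time there. os.walk ignores the Hidden attribute, so the hidden
    folders one commenter mentions are searched too. Unreadable paths are skipped.
    """
    hits = []
    for root in roots:
        for dirpath, _subdirs, files in os.walk(root):
            for fname in files:
                if os.path.splitext(fname)[1].lower() not in EXEC_EXT:
                    continue
                path = os.path.join(dirpath, fname)
                try:
                    ts = timestamp(os.stat(path))
                except OSError:
                    continue
                if ts >= since:
                    hits.append((path, ts))
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


def build_sample_tree():
    """Constructed stand-in for a profile plus ProgramData: two fresh droppers
    (names from this thread), one three-month-old program, one fresh photo."""
    base = tempfile.mkdtemp(prefix="ransom_triage_")
    now = time.time()
    layout = {
        os.path.join("Local Settings", "Application Data", "Microsoft",
                     "Windows", "2064", "tapimigplugin.exe"): now - 1 * 3600,
        os.path.join("ProgramData", "hanfukqi.exe"): now - 2 * 3600,
        os.path.join("Program Files", "Vendor", "vendor.exe"): now - 90 * 86400,
        os.path.join("My Documents", "holiday.jpg"): now - 600,
    }
    for rel, ts in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ")  # PE magic only; nothing here is a real binary
        os.utime(path, (ts, ts))  # back-date mtime to simulate creation time
    return base


def demo(window_seconds=86400):
    """Build the sample tree and return the base names found inside the window."""
    root = build_sample_tree()
    return [os.path.basename(p) for p, _ in recent_executables([root], time.time() - window_seconds)]


if __name__ == "__main__":
    root = build_sample_tree()
    for path, ts in recent_executables([root], time.time() - 86400):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(ts)), os.path.relpath(path, root))
```

Set `since` to just before the lock screen appeared (the thread's "created the day you got the virus"), not to midnight, so normal Windows activity earlier that day is excluded. Timestamps can be forged and a dropper can reuse a plausible name, so an empty result is not proof of a clean machine; cross-check every hit against the autorun keys and the msconfig Startup tab before deleting it, and delete from Safe Mode so the running copy cannot re-drop itself.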

Anonymous said...

System Restore to earlier date should fix your problems. That worked for me. Checked system files as they said found nothing, did a system restore fixed it.

old hack said...

Hi, I have had this little sod for three days now; it just appeared while my wife was looking for a holiday hotel for us. Have tried everything above and all I get to is the blue screen of death. I'm running Windows XP. Short of binning my PC, can anyone help?

Anonymous said...

What do you do if it won't let you into Safe Mode? It just keeps rebooting to the fake homepage.

Anonymous said...

Very helpful thank u.

DaringSpirit said...

I got this yesterday so it looks like it's doing the rounds again.

I did a system restore back a few days and it solved the problem.

We have 2 user accounts with admin rights on the same computer so even though one account was screwed by the virus, I was able to system restore using the other account.

Anonymous said...

Finally got this nasty little thing off my computer. Just run your system in safe mode and install ComboFix (free download just Google) from a USB stick you can plug in, just download ComboFix from another Internet connected computer direct to the USB and install on the infected machine. If your machine will run safe with network you can download ComboFix straight from your Internet to desktop and run it there.

I tried all of the above and this was the only way I got rid of it.

Good luck

Ganesh Moorthy said...

thank u

Anonymous said...

Hi none of my safe modes work !!!
