Virus alert - "Metropolitan Police" virus

#1
My PC just got hit with this virus. It slipped through all the AV and firewall software on my PC and took me three hours to fix it (lost a morning's work,,,).

It looks like this:



The virus says that the Met Pol have detected child porn being downloaded to your PC and it will lock your web access and prevent you from doing anything. It claims that payment of a £100 fine will unlock your PC.

More details here: Metropolitan Police Service - PCeU

I found that the virus was undetected by software such as Malwarebytes and the tech at my local computer shop told me that their Av software etc failed to pick it up. The Av and security software in Windows 7 also does not stop it.

Anyway, in case it might be of use here is how I cleaned it out:

1. Disconnect PC from Hub or web router.
2. Reboot in safe mode
3. Use system restore to restore registry settings to an earlier date
4. Search for suspicious .exe files created in last few days. I found a file called er_00_0_l.exe in the LocalSettings/Temp folder for the main user. I checked the file properties and it was not associated with any of the legit software installed on my PC. I deleted this file, plus all the .tmp files and it cleared the problem.
5. Reboot and check web browser running normally.
6. Tidy up hard drive, etc etc.

Hope this helps if anyone else gets hit with it.

:)

Rodney2q
 
#2
God damnit how did they find out :(
 
#3
One of my users had this at work. Mind you on digging into their pc I did find some "interesting" stuff..... She's going to model some of the corsets so this kind of thing can be useful ;-)
 
#5
One of my users had this at work. Mind you on digging into their pc I did find some "interesting" stuff..... She's going to model some of the corsets so this kind of thing can be useful ;-)
Post pic please!
 

Wordsmith

LE
Book Reviewer
#6
The virus says that the Met Pol have detected child porn being downloaded to your PC and it will lock your web access and prevent you from doing anything. It claims that payment of a £100 fine will unlock your PC.
And what .exe or attachment did you click on to activate the virus?

Just curious like...

Wordsmith
 
T

Tremaine

Guest
#7
Yip. Mentioned this a couple of months ago, very convincing and very annoying. Haven't had it strike but it's all over the Web.
 
#8
My PC just got hit with this virus. It slipped through all the AV and firewall software on my PC and took me three hours to fix it (lost a morning's work,,,).

It looks like this:



The virus says that the Met Pol have detected child porn being downloaded to your PC and it will lock your web access and prevent you from doing anything. It claims that payment of a £100 fine will unlock your PC.

More details here: Metropolitan Police Service - PCeU

I found that the virus was undetected by software such as Malwarebytes and the tech at my local computer shop told me that their Av software etc failed to pick it up. The Av and security software in Windows 7 also does not stop it.

Anyway, in case it might be of use here is how I cleaned it out:

1. Disconnect PC from Hub or web router.
2. Reboot in safe mode
3. Use system restore to restore registry settings to an earlier date
4. Search for suspicious .exe files created in last few days. I found a file called er_00_0_l.exe in the LocalSettings/Temp folder for the main user. I checked the file properties and it was not associated with any of the legit software installed on my PC. I deleted this file, plus all the .tmp files and it cleared the problem.
5. Reboot and check web browser running normally.
6. Tidy up hard drive, etc etc.

Hope this helps if anyone else gets hit with it.

:)

Rodney2q
But was your kiddie porn still there afterwards?
 
#9
Just an update about this virus, it is now infecting computers UK wide and is using your ip address to detect your region and then displaying as if from your local Police Force. For Example I had a bloke in Glasgow with a Strathclyde virus identitical in all other ways to the one you posted a screenshot of. It's got so annoying for me i wrote a post on it yesterday so people can remove it for free.

Please let me know if it helps you lads.

Metropolitan Police Virus Data and Removal Guide
 

Grumblegrunt

LE
Book Reviewer
#10
I did one of these last week for a friends son - he was in a right panic untill I read the payment details then looked it up. malwarebytes killed it.

last week someone had a gaelic one from the garda
 
#11
I did one of these last week for a friends son - he was in a right panic untill I read the payment details then looked it up. malwarebytes killed it.

last week someone had a gaelic one from the garda
Bet the priests stump up pronto.
 
#12
For the purposes of this thread.
The Metropolitan virus is bogus. It is not real. Even if you pay the money they will still not un-encrypt your data.



There really are people out there that will help you protect your data for nothing.

Check out Wilders Security Forums - Powered by vBulletin

They are the biggest security forum on the web.
If anyone wants any special advice on what security software to get - I will give it - time permitting.

I am not affiliated with anyone.

And couldn't give a shit.


All the programs I suggest can be backed up by lots of users.



Anyway, go to Wilders.....

Hang around for a few months....


Let's see if we come to the same conclusions..
 
#13
For the purposes of this thread.
The Metropolitan virus is bogus. It is not real. Even if you pay the money they will still not un-encrypt your data.



There really are people out there that will help you protect your data for nothing.

Check out Wilders Security Forums - Powered by vBulletin

They are the biggest security forum on the web.
If anyone wants any special advice on what security software to get - I will give it - time permitting.

I am not affiliated with anyone.

And couldn't give a shit.


All the programs I suggest can be backed up by lots of users.



Anyway, go to Wilders.....

Hang around for a few months....


Let's see if we come to the same conclusions..

Btw, the Metropolitan Police Virus in a known ruse. There is no such thing.
Anyone who gets it, boot into safe mode....


Like the Metropolitan Police would extort money out of known paedophiles for cash just to not get exposed.
Wait a minute....


Ello, Occifer, it is me.....


Well, I can explain....
 
M

mogwaimarshall

Guest
#14
Btw, the Metropolitan Police Virus in a known ruse. There is no such thing.
Anyone who gets it, boot into safe mode....


Like the Metropolitan Police would extort money out of known paedophiles for cash just to not get exposed.
Wait a minute....


Ello, Occifer, it is me.....


Well, I can explain....
Hi all, i had this virus last month and was a right bitch to get rid of. i thought i had got rid of it but my laptop was still playing up. the people who created this virus also read the posts on how to remove the virus and to where the virus was hiding on the files and hard drive. so they changed where the virus sat which made it even harder to find.
Metropolitan Police virus warning. How to remove
September 6, 2011 — andy

“METROPOLITAN POLICE” Attention! Illegal activity was revealed! is the fake virus warning which has nothing to do with the Metropolitan Police of Great Britain. This is just the next fraudulent way developed by cyber hackers in order to collect money from users whose PC security has been greatly compromised or weakened. Nominating it with the right definition of various sorts of malware programs, this is nothing but the ransomware-type threat which requires of you to immediately effect the payment in order to restore control over your infected workstation. Another variant of such ransomware application was noticed previously, being known to substitute the Windows desktop with a bogus warning supposedly originated by the German Federal Police (BUNDESPOLIZEI). Obviously, cyber criminals change their virus application to suit various countries where they want to get as many victims as they can. So, this time they chose Great Britain as the platform for spreading their malware and reaching their evil plots. If your system is contaminated with this type of threat, you will encounter the difference immediately. Your desktop will be substituted permanently with the scareware warning titled as METROPOLITAN POLICE.




Metropolitan Police fake warning

It will prevent you from using or even having access to your files, programs and system applications. In fact, you will not be able to use your PC as you normally do. Even if you reboot your computer into Safe Mode or Safe Mode with Networking you’ll get the same problem. The virus states that you were noticed while watching illegal pornographic web-pages and claims that if you don’t pay £75 within 24 hours then your PC will be wiped clean, with all your important files and settings being erased. However, don’t ever get nervous, the virus is not capable of performing what it claims to be able to do. On the other hand, none of us would really want to stand any chance of losing important files or other valuable information, so there is a great probability that some person might actually become the victim of these frauds who developed the Metropolitan Police threat program. In order to get rid of the METROPOLITAN POLICE virus from your system please be so kind to follow the removal milestones in the uninstall section provided below. Of course, please do not hesitate to contact us at any time should your require our assistance on these or other matters.

Automatic removal solution (recommended):
1.Go to your friend, relative or anybody else who has computer with Internet connection.
2.Take your USB flash drive / Memory Stick with you.
3.Download GridinSoft Trojan Killer installation file from this site http://trojan-killer.net/download.php and save it to your USB flash drive / Memory Stick.




Version: 2.1



4.Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
5.Perform hard reset (press reset button on your computer) if your infected PC has been on with Metropolitan Police background. If not, then simply turn your PC on.
6.Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
7.In the window that appeared select “Safe mode with command prompt” option and press Enter.
8.Choose your operating system and user account which was infected with Metropolitan Police virus.
9.In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
10.Select “My Computer” and choose your USB flash drive / Memory Stick.
11.Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
12.When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
13.In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
14.Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
15.However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing Metropolitan Police virus to infect your PC.

Automatic removal video:





Metropolitan Police manual removal (optional):
1.Restart your system into “Safe Mode with Command Prompt”. While the PC is booting press the “F8 key” continuously, which should present the “Windows Advanced Options Menu” as presented in the image below. Apply the arrow keys in order to move to “Safe Mode with Command Prompt” and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.



Safe Mode with command prompt

2.Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word “explorer”, and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.


3.Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word “regedit” and hit Enter button of your keyboard. The Registry Editor should open.



You know how it normally looks like, don’t you? Well, here is the screenshot of it:


4.Find the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right-side panel select the registry entry named Shell. Right click on this registry key and select “Modify” option. Its default value should be “Explorer.exe”. However, Metropolitan Police virus did its job, and so after you click “Modify” you would see totally different value of this registry entry.



5.Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of Metropolitan Police virus is located.
6.Modify the value of the registry entry back to “explorer.exe” and save the settings of the Registry Editor.
7.Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step. In our case, “Metropolitan Police” virus file was located and running from the Desktop. There was a file called “contacts.exe”, but it may have different (random) name.
8.Get back to “Normal Mode”. In order to reboot your PC, when at the command prompt, type-in the following phrase “shutdown /r /t 0″ (without the quotation marks) and hit Enter button.
9.The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer downloadable through the button below.




Version: 2.1




Associated virus files to be removed:

[random].exe

Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[random].exe"

Manual removal video:


Metropolitan Police virus removal - YouTube

--------------------------------------------------------------------------------

Related Posts:
If your PC has been infected with ransomware virus…
surcharge@cyber-metropolitan-police.co.uk is used to steal your money
FBI virus and Metropolitan Police virus – the scariest malwares of 2012
Police Central e-crime Unit (PCEU) ransomware

i hope this helps anybody that gets infected, i was just lucky to have a spare laptop and a dongle. in the end though i done a complete factory install. only way i could qaurantee the virus was gone

mick
 
#17
My daughter (aged 16) has had this evil thing twice now in the last 6 months. ******* infuriating: dreadful/shocking thing for her to receive, ******* expensive for me at the Laptop cleaning service and interferes with her school work, most of which these days seems to involve the computer. Her laptop is 'safety-ed' up to the eyeballs - how the hell does this one get through?
 
#18
Hi all, i had this virus last month and was a right bitch to get rid of. i thought i had got rid of it but my laptop was still playing up. the people who created this virus also read the posts on how to remove the virus and to where the virus was hiding on the files and hard drive. so they changed where the virus sat which made it even harder to find.
Metropolitan Police virus warning. How to remove
September 6, 2011 — andy

“METROPOLITAN POLICE” Attention! Illegal activity was revealed! is the fake virus warning which has nothing to do with the Metropolitan Police of Great Britain. This is just the next fraudulent way developed by cyber hackers in order to collect money from users whose PC security has been greatly compromised or weakened. Nominating it with the right definition of various sorts of malware programs, this is nothing but the ransomware-type threat which requires of you to immediately effect the payment in order to restore control over your infected workstation. Another variant of such ransomware application was noticed previously, being known to substitute the Windows desktop with a bogus warning supposedly originated by the German Federal Police (BUNDESPOLIZEI). Obviously, cyber criminals change their virus application to suit various countries where they want to get as many victims as they can. So, this time they chose Great Britain as the platform for spreading their malware and reaching their evil plots. If your system is contaminated with this type of threat, you will encounter the difference immediately. Your desktop will be substituted permanently with the scareware warning titled as METROPOLITAN POLICE.




Metropolitan Police fake warning

It will prevent you from using or even having access to your files, programs and system applications. In fact, you will not be able to use your PC as you normally do. Even if you reboot your computer into Safe Mode or Safe Mode with Networking you’ll get the same problem. The virus states that you were noticed while watching illegal pornographic web-pages and claims that if you don’t pay £75 within 24 hours then your PC will be wiped clean, with all your important files and settings being erased. However, don’t ever get nervous, the virus is not capable of performing what it claims to be able to do. On the other hand, none of us would really want to stand any chance of losing important files or other valuable information, so there is a great probability that some person might actually become the victim of these frauds who developed the Metropolitan Police threat program. In order to get rid of the METROPOLITAN POLICE virus from your system please be so kind to follow the removal milestones in the uninstall section provided below. Of course, please do not hesitate to contact us at any time should your require our assistance on these or other matters.

Automatic removal solution (recommended):
1.Go to your friend, relative or anybody else who has computer with Internet connection.
2.Take your USB flash drive / Memory Stick with you.
3.Download GridinSoft Trojan Killer installation file from this site http://trojan-killer.net/download.php and save it to your USB flash drive / Memory Stick.




Version: 2.1



4.Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
5.Perform hard reset (press reset button on your computer) if your infected PC has been on with Metropolitan Police background. If not, then simply turn your PC on.
6.Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
7.In the window that appeared select “Safe mode with command prompt” option and press Enter.
8.Choose your operating system and user account which was infected with Metropolitan Police virus.
9.In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
10.Select “My Computer” and choose your USB flash drive / Memory Stick.
11.Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
12.When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
13.In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
14.Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
15.However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing Metropolitan Police virus to infect your PC.

Automatic removal video:





Metropolitan Police manual removal (optional):
1.Restart your system into “Safe Mode with Command Prompt”. While the PC is booting press the “F8 key” continuously, which should present the “Windows Advanced Options Menu” as presented in the image below. Apply the arrow keys in order to move to “Safe Mode with Command Prompt” and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.



Safe Mode with command prompt

2.Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word “explorer”, and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.


3.Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word “regedit” and hit Enter button of your keyboard. The Registry Editor should open.



You know how it normally looks like, don’t you? Well, here is the screenshot of it:


4.Find the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right-side panel select the registry entry named Shell. Right click on this registry key and select “Modify” option. Its default value should be “Explorer.exe”. However, Metropolitan Police virus did its job, and so after you click “Modify” you would see totally different value of this registry entry.



5.Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of Metropolitan Police virus is located.
6.Modify the value of the registry entry back to “explorer.exe” and save the settings of the Registry Editor.
7.Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step. In our case, “Metropolitan Police” virus file was located and running from the Desktop. There was a file called “contacts.exe”, but it may have different (random) name.
8.Get back to “Normal Mode”. In order to reboot your PC, when at the command prompt, type-in the following phrase “shutdown /r /t 0″ (without the quotation marks) and hit Enter button.
9.The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer downloadable through the button below.




Version: 2.1




Associated virus files to be removed:

[random].exe

Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[random].exe"

Manual removal video:


Metropolitan Police virus removal - YouTube

--------------------------------------------------------------------------------

Related Posts:
If your PC has been infected with ransomware virus…
surcharge@cyber-metropolitan-police.co.uk is used to steal your money
FBI virus and Metropolitan Police virus – the scariest malwares of 2012
Police Central e-crime Unit (PCEU) ransomware

i hope this helps anybody that gets infected, i was just lucky to have a spare laptop and a dongle. in the end though i done a complete factory install. only way i could qaurantee the virus was gone

mick
So, you're saying that instead of paying money to an unspecified foreign website for a "cure", get your friends and relatives to go to some Ukranian website and give someone else money for a "cure" instead?

Good call.

 
#19
The laptop I am trying to clean is a guy I work with who isnt very pc savvy, I thought I'd sussed it but it keeps coming back (as if it can avoid the scanware) just wondering if there is any update on a cure? Prevention being better than a cure he should have had some decent AV ware in the first place ;-)
 
#20
The laptop I am trying to clean is a guy I work with who isnt very pc savvy, I thought I'd sussed it but it keeps coming back (as if it can avoid the scanware) just wondering if there is any update on a cure? Prevention being better than a cure he should have had some decent AV ware in the first place ;-)
Got rid of it on my old chaps PC, by starting up in safe mode, and running Malwarebytes, then CC cleaner, no problems since.
 
Thread starter Similar threads Forum Replies Date
Border_Reiver Mobile Phones 4
dpcw Gaming and Software 20
msr Army Reserve 0

Similar threads

Latest Threads

Top