An Garda Siochana. Ireland’s National Police Service virus

andy | December 1, 2012

Of course, An Garda Siochana isn’t a virus. What is it, by the way? This is the Ireland’s National Police Service, the highly esteemed law enforcement organization of Ireland. Its aim is to protect rights and freedoms of Irish users and to make sure all citizens of Ireland are law-abiding. This well-known agency isn’t associated with development of the virus that uses its good name in the very header. This type of virus is a ransomware infection that is very severe and aggressive, because it aims to attack as many PCs as possible. The ransomware is a special form of Trojan infection that locks the computer and then asks for the ransom amount of funds to be paid in order to unlock it. Hackers have invented this way of earning funds by means of scaring and deceiving users. So, they’ve elaborated the special locker that is of an international character. It infects PCs located in various corners of the world, and Ireland is just one of many countries worldwide that suffers the consequences of hackers’ fraudulent and evil acts.

An Garda Siochana virus

When An Garda Siochana ransomware attacks the PC the entire desktop of the infected computer becomes blocked. User cannot do anything with the infected PC. The keyboard is disabled as well, and any attempts to reboot the PC turn out to be vain, irrespective of how many times such attempts were made. You therefore should be very careful when you see the message that you see quoted below:

Your Computer has been locked!
The work of your computer has been suspended on the grounds of unauthorized cyberactivity.
Described below are possible violations, you have made: Article 274 – Copyright
A fine or imprisonment for the term of up to d years (The use or sharing of copyrighted files – movies, software)
Article 183- Pornography
A fine or imprisonment for the term of up to 2 years (The use or distribution of pornographic files)
Article 184 – Pornography involving children (under 18 years)
imprisonment for the term of up to 15 years (The use or distribution of pornographic files) Article 104 – Promoting Terrorism
imprisonment for the term of up to 25 years (You have visited websites of terrorist organizations)
Article 297 – Neglect computer use, entailing serious consequences A fine or imprisonment for the term of up to 2 years
(Your computer has been infected with a virus, v/hich, in turn, infected other computers) Article 108 – Gambling
A fine or imprisonment for the term of up to 2 years (You have been gambling, but according to the lav/ residents of the your country are not allowed gambling in any format)
in connection with the decision of the Government as of August 22, all of the violations described above could be considered as conditional in case of payment of a fine.
Amount of the fine is €100 . Payment must be made within 48 hours after the discovery of the violation. If the fine has not been paid, you will become the subject of criminal prosecution.
After paying the fine your computer will be unblocked

Why should you be careful? This is all because hackers want you to believe into the lies they’ve presented in front of you. Keep in mind that this locker has nothing to do with the Irish police. This is fully the product of the crooks and online hackers who simply want to become richer by deceiving and tricking simple people. Do not obey the tricks of the frauds, so do not ever listen to the scary instructions of the malware makers. Instead, please follow the simple and clear malware removal guide that we’ve developed specifically for ransomware removal.

Automatic removal solution (recommended):

  1. Go to your friend, relative or anybody else who has computer with Internet connection.
  2. Take your USB flash drive / Memory Stick with you.
  3. Download GridinSoft Trojan Killer installation file from this site http://trojan-killer.net/download.php and save it to your USB flash drive / Memory Stick.
  4. Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
  5. Perform hard reset (press reset button on your computer) if your infected PC has been on with Metropolitan Police background. If not, then simply turn your PC on.
  6. Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
  7. In the window that appeared select “Safe mode with command prompt” option and press Enter.
  8. Choose your operating system and user account which was infected with Metropolitan Police virus.
  9. In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
  10. Select “My Computer” and choose your USB flash drive / Memory Stick.
  11. Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
  12. When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
  13. In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
  14. Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
  15. However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing Metropolitan Police virus to infect your PC.

Automatic removal video:

Metropolitan Police manual removal (optional):

  1. Restart your system into “Safe Mode with Command Prompt”. While the PC is booting press the “F8 key” continuously, which should present the “Windows Advanced Options Menu” as presented in the image below. Apply the arrow keys in order to move to “Safe Mode with Command Prompt” and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.
  2. Safe Mode with command prompt

    Safe Mode with command prompt

  3. Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word “explorer”, and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.
  4. Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word “regedit” and hit Enter button of your keyboard. The Registry Editor should open.
  5. You know how it normally looks like, don’t you? Well, here is the screenshot of it:

  6. Find the following registry entry:

    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon

    In the right-side panel select the registry entry named Shell. Right click on this registry key and select “Modify” option. Its default value should be “Explorer.exe”. However, Metropolitan Police virus did its job, and so after you click “Modify” you would see totally different value of this registry entry.

  7. Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of Metropolitan Police virus is located.
  8. Modify the value of the registry entry back to “explorer.exe” and save the settings of the Registry Editor.
  9. Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step. In our case, “Metropolitan Police” virus file was located and running from the Desktop. There was a file called “contacts.exe”, but it may have different (random) name.
  10. Get back to “Normal Mode”. In order to reboot your PC, when at the command prompt, type-in the following phrase “shutdown /r /t 0″ (without the quotation marks) and hit Enter button.
  11. The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer downloadable through the button below.

Associated virus files to be removed:

[random].exe

Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon"Shell" = "[random].exe"

Manual removal video:

Leave a comment

*