GVU virus. How to remove it and unlock your system

andy | December 7, 2012

Active PC users in Germany are being massively bombarded by an old ransomware locker that is extremely dangerous and persistent in its actions. It is known as GVU virus, even though the reality is that it has nothing to do with Gesellschaft zur Verfolgung von Urheberrechlsverletzungen, this decent and reputable organization of Germany. The purpose of this virus is to lock computer and then to condemn user of committing various crimes online through application of this locked PC. Hackers have invented this way of scaring users with the fake warnings that has nothing to do with any governmental organization. In the majority of the cases this scary alert is presented as the one supposedly coming from the police and other law enforcement bodies, but this is just the way how hackers want to make their fake accusations more persuasive. The fact is that the PC is locked indeed, but this is the result of the malware presence on your system.

GVU virus

Just as a way to satisfy your curiosity, we’ve decided to place the quotation from the text of this ransomware into this article. Here is how the text of the accusation looks like once it attacks the PCs located in Germany and other German-speaking countries:

Gesellschaft zur Verfolgung von Urheberrechlsverletzungen
Bundesamt für Sicherheit in der Informationstechnik
GVU
Alle auf diesem Computer durchgeführten Vorgänge werden aufgezeichnet. Wenn Sie eine Webcam benutzen, dann werden alle Videos und Fotos für die Identifikation aufgezeichnet.
Ihr Computer wurde gesperrt!
Die Funktion ihres Computers wurde aufgrund unerlaubter Internethandlungen außer Kraft gesetzt.
im Folgenden werden mögliche Verstöße aufgelistet, die von ihnen begangen werden konnten:
Artikel 274 – Urheberrechte
Eine Geldstrafe oder Freiheitsstrafe von bis zu 4 Jahren. (Die Benutzung oder Verbreitung von Daten, die urheberrechtlich geschützt sind – Filme, Software)
Artikel 183 – Pornografie
Eine Geldstrafe oder Freiheitsstrafe von bis zu 2 Jahren. (Die Benutzung oder Verbreitung von pornografischen Daten)
Artikel 184 – Kinderpornografie (bis 18 Jahre)
Eine Freiheitsstrafe von bis zu 15 Jahren (Die Benutzung oder Verbreitung von pornografischen Daten)
Artikel 104 – Terrorismusförderung
Eine Freiheitsstrafe von bis zu 25 Jahren (Sie haben Seiten von Terrororganisationen besucht)
Artikel 297 – Fahrlässige Computernutzung mit schwerwiegenden Konsequenzen Eine Geldstrafe oder Freiheitsstrafe von bis zu 2 Jahren
(Ihr Computer ist von einem virus infiziert, welcher bereits andere Computer infiziert hat) Artikel 108 – Glücksspiel
Eine Geldstrafe oder Freiheitsstrafe von bis zu 2 Jahren. (Sie nahmen am Glücksspiel teil, jedoch ist dies entsprechend der Gesetzgebung Ihres Landes verboten)
in Bezug auf den Regierungsentscheid vom 22 August können alle Verstöße bei einer Geldbuße als bedingt angesehen werden.
Die Summe der Geldbuße beträgt 100 Euro. Die Bezahlung muss innerhalb von 48 Stunden nach Kundgabe des Verstoßes entrichtet werden.
Wenn die Strafe nicht entrichtet wird, wird automatisch ein Strafverfahren gegen Sie eingeleitet.
Nach Bezahlung der Geldstrafe wird ihr Computer entsperrt.

As you see, the plot of the game played by hackers is this. First, they attack the PC with their ransomware (system locker), block the entire operating system, including the keyboard. Any attempts of users to reboot the PC turn out to be completely vain, irrespective of the number of reboot attempts. Then hacker accuse users of performing various crimes online through their infected machine. They’ve elaborated their locker as the one that is supposedly coming from the police. Finally, hackers instruct users to pay the fine (penalty or forfeit) as the ransom to unlock their systems. The crooks want users to donate these funds in their favor through indication of Ukash or Paysafecard voucher (PIN) codes in the respective section of the locker. Nevertheless, performing the actions as instructed by the crooks is a serious mistake, so we hope that you will never commit it. Please be wise and read a lot of useful information in the Internet about this ransomware type of infection. You will find out that it has nothing to do with the police (GVU in particular). Finally, to get rid of this scam please follow the simple and clear malware removal guide that we developed specifically for ransomware elimination with the help of GridinSoft Trojan Killer.

Automatic removal solution (recommended):

  1. Go to your friend, relative or anybody else who has computer with Internet connection.
  2. Take your USB flash drive / Memory Stick with you.
  3. Download GridinSoft Trojan Killer installation file from this site http://trojan-killer.net/download.php and save it to your USB flash drive / Memory Stick.
  4. Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
  5. Perform hard reset (press reset button on your computer) if your infected PC has been on with Metropolitan Police background. If not, then simply turn your PC on.
  6. Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
  7. In the window that appeared select “Safe mode with command prompt” option and press Enter.
  8. Choose your operating system and user account which was infected with Metropolitan Police virus.
  9. In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
  10. Select “My Computer” and choose your USB flash drive / Memory Stick.
  11. Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
  12. When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
  13. In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
  14. Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
  15. However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing Metropolitan Police virus to infect your PC.

Automatic removal video:

Metropolitan Police manual removal (optional):

  1. Restart your system into “Safe Mode with Command Prompt”. While the PC is booting press the “F8 key” continuously, which should present the “Windows Advanced Options Menu” as presented in the image below. Apply the arrow keys in order to move to “Safe Mode with Command Prompt” and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.
  2. Safe Mode with command prompt

    Safe Mode with command prompt

  3. Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word “explorer”, and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.
  4. Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word “regedit” and hit Enter button of your keyboard. The Registry Editor should open.
  5. You know how it normally looks like, don’t you? Well, here is the screenshot of it:

  6. Find the following registry entry:

    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon

    In the right-side panel select the registry entry named Shell. Right click on this registry key and select “Modify” option. Its default value should be “Explorer.exe”. However, Metropolitan Police virus did its job, and so after you click “Modify” you would see totally different value of this registry entry.

  7. Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of Metropolitan Police virus is located.
  8. Modify the value of the registry entry back to “explorer.exe” and save the settings of the Registry Editor.
  9. Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step. In our case, “Metropolitan Police” virus file was located and running from the Desktop. There was a file called “contacts.exe”, but it may have different (random) name.
  10. Get back to “Normal Mode”. In order to reboot your PC, when at the command prompt, type-in the following phrase “shutdown /r /t 0″ (without the quotation marks) and hit Enter button.
  11. The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer downloadable through the button below.

Associated virus files to be removed:

[random].exe

Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon"Shell" = "[random].exe"

Manual removal video:

No Comments

1 Trackbacks

Leave a comment

*