Metropolitan Police virus warning. How to remove

andy | September 6, 2011

“METROPOLITAN POLICE” Attention! Illegal activity was revealed! is a fake virus warning that has nothing to do with the Metropolitan Police of Great Britain. It is simply another fraudulent scheme developed by cyber criminals to collect money from users whose PC security has been greatly compromised or weakened. In malware terms, it is a ransomware-type threat: it demands that you pay immediately in order to restore control over your infected workstation. Another variant of this ransomware was noticed previously; it is known to replace the Windows desktop with a bogus warning supposedly issued by the German Federal Police (BUNDESPOLIZEI). Evidently, the criminals adapt their application to each country where they want to catch as many victims as they can, and this time they chose Great Britain. If your system is infected with this type of threat, you will notice the difference immediately: your desktop will be permanently replaced by the scareware warning titled METROPOLITAN POLICE.

It will prevent you from using or even accessing your files, programs and system applications. In fact, you will not be able to use your PC as you normally do. Even if you reboot your computer into Safe Mode or Safe Mode with Networking, you will get the same problem. The virus states that you were noticed viewing illegal pornographic web pages and claims that if you don’t pay £75 within 24 hours your PC will be wiped clean, with all your important files and settings erased. However, there is no need to panic: the virus is not capable of doing what it claims. On the other hand, nobody wants to risk losing important files or other valuable information, so there is a great probability that some people will actually fall victim to the fraudsters who developed the Metropolitan Police threat. To get rid of the METROPOLITAN POLICE virus, follow the removal steps in the sections below. Please do not hesitate to contact us at any time should you require our assistance on these or other matters.

Automatic removal solution (recommended):

  1. Go to a friend, relative or anybody else who has a computer with an Internet connection.
  2. Take your USB flash drive / Memory Stick with you.
  3. Download the GridinSoft Trojan Killer installation file from this site http://trojan-killer.net/download.php and save it to your USB flash drive / Memory Stick.
  4. Get back to your infected PC and insert the USB drive / Memory Stick into a USB slot.
  5. Perform a hard reset (press the reset button on your computer) if your infected PC has been on with the Metropolitan Police background. If not, simply turn your PC on.
  6. Before the boot process begins, keep repeatedly pressing the “F8” key on your keyboard.
  7. In the window that appears, select the “Safe mode with command prompt” option and press Enter.
  8. Choose your operating system and the user account that was infected with the Metropolitan Police virus.
  9. In the cmd.exe window type “explorer” and press the “Enter” key on your keyboard.
  10. Select “My Computer” and choose your USB flash drive / Memory Stick.
  11. Run the installation file of GridinSoft Trojan Killer. Install the program and run a scan with it. (Updating the program will not work under the “Safe mode with command prompt” option.)
  12. When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer, you may close the GridinSoft Trojan Killer application.
  13. In the cmd.exe window type “shutdown /r /t 0” and press the “Enter” key on your keyboard.
  14. Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took place.
  15. However, it is recommended that you now update GridinSoft Trojan Killer and run the scan again to remove the source of the infection that allowed the Metropolitan Police virus onto your PC.

Metropolitan Police manual removal (optional):

  1. Restart your system into “Safe Mode with Command Prompt”. While the PC is booting, press the “F8” key continuously, which should bring up the “Windows Advanced Options Menu”. Use the arrow keys to move to “Safe Mode with Command Prompt” and press the Enter key. Log in as the same user you were previously logged in as under normal Windows mode.
  2. Once Windows boots successfully, the Windows command prompt appears. At the command prompt, type the word “explorer” and press Enter. Windows Explorer should open. Do not close it yet; you can minimize it for a while.
  3. Next, open the Registry Editor from the same command prompt: type the word “regedit” and press Enter. The Registry Editor should open.
  4. Find the following registry entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    In the right-side panel select the registry entry named Shell. Right-click this entry and select the “Modify” option. Its default value should be “Explorer.exe”. However, if the Metropolitan Police virus has done its job, after you click “Modify” you will see a totally different value for this entry.

  5. Copy the path shown in the modified value onto a piece of paper or memorize it. It shows exactly where the main executable of the Metropolitan Police virus is located.
  6. Change the value of the registry entry back to “explorer.exe” and save the setting in the Registry Editor.
  7. Go to the location indicated in the modified value, using the path you noted in the previous step, and remove the malicious file. In our case, the “Metropolitan Police” virus file was located on and running from the Desktop. It was a file called “contacts.exe”, but it may have a different (random) name.
  8. Get back to “Normal Mode”. To reboot your PC, at the command prompt type “shutdown /r /t 0” (without the quotation marks) and press Enter.
  9. The virus should be gone. However, in order to clean your PC of other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer.

Associated virus files to be removed:

[random].exe

Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "[random].exe"
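
The registry check from the manual steps, as an added example that is not part of the original post or of GridinSoft's tooling: a Python script that reads saved `reg query` output and lists a replaced Winlogon Shell value. It goes beyond the Shell value to the Run keys, because several commenters below report an unchanged Shell with the executable started from elsewhere. The sample output, the file names in it and the directory list are constructed assumptions.

```python
import re

# Constructed sample: saved output of `reg query` for the Winlogon key and one
# Run key, modelled on what the article and the comments describe.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    Shell    REG_SZ    C:\Users\victim\Desktop\contacts.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VendorUpdater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
    cd128    REG_SZ    C:\Users\victim\AppData\Roaming\cd128.exe
"""

# A value line is: indentation, name, type (REG_SZ, REG_EXPAND_SZ, ...), data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

# Assumption: user-writable locations named in the article and comments
# (Desktop, AppData, Application Data, Temp, ProgramData). Legitimate software
# also starts from some of these, so a hit is a lead to inspect, not a verdict.
SUSPECT_DIRS = ("\\desktop\\", "\\appdata\\", "\\application data\\",
                "\\temp\\", "\\programdata\\")


def parse_reg_query(text):
    """Yield (key, value_name, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # a key header starts at column 0
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m["name"], m["data"].strip()


def audit(text):
    """Return (finding, key, value_name, data) tuples worth a manual look."""
    findings = []
    for key, name, data in parse_reg_query(text):
        k = key.lower()
        if k.endswith(r"\windows nt\currentversion\winlogon"):
            # The article's check: Shell should be exactly explorer.exe.
            if name.lower() == "shell" and data.strip('"').lower() != "explorer.exe":
                findings.append(("shell-replaced", key, name, data))
        elif k.endswith(r"\currentversion\run"):
            # Also matches the Wow6432Node Run key on 64-bit Windows.
            if any(d in data.lower() for d in SUSPECT_DIRS):
                findings.append(("run-from-user-writable-dir", key, name, data))
    return findings


if __name__ == "__main__":
    for finding, key, name, data in audit(SAMPLE_REG_QUERY):
        print(f"{finding}: {key} -> {name} = {data}")
```

The data column of a "shell-replaced" finding is the path that step 5 of the manual removal asks you to note down.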

70 Comments

  1. Andrew says:

    I tried the above – unfortunately I am being told that ‘registry editing has been disabled by your administrator’. Any idea how to get around it?

  2. andreas says:

    Andrew,

    If you have questions or problems, please, write us here:
    http://trojan-killer.net/support/

    We will help you to cope with your problem.

  3. Misa says:

    Help! I’m on Windows 7, and when I modified Shell, it said ‘explorer.exe’. What should I do?

  4. Saw says:

    The shell has not been changed, mine is still explorer.exe, so how do I remove the virus?!

  5. ivan says:

    I didn’t get the messed up shell entry either.

    I opened “system configuration” from the start menu and looked at the startup tab. There was one entry that was gibberish and it was located in the temp folder. I just deleted everything there from the last couple of days. To be honest, I didn’t think it would work…
    My antivirus software, which is supposed to be a full version, didn’t help AT ALL. It’s McAfee by the way.

  6. Vexx says:

    I followed and I also had the same problem: when I right-click on Shell and modify, it says explorer.exe

  7. Cloud says:

    I had an issue with following this step and found out that Shell already had explorer.exe. I managed to find/remove the virus by going into safe mode with networking, and in the start menu’s Search function I just typed “.exe” and immediately it found a file that was, for example, “0.81179398D9d.exe”, which when I opened it loaded an internet page, made my screen enter full screen mode and pretty much did what the virus does. I restarted my computer and found it again, it said it was located in system/rundll… and this time I deleted it, and restarted my computer, no more virus appeared.

  8. me says:

    I tried this too but found that the shell line in the registry was still explorer.exe

    but in the end found the virus hiding rather simply as a random exe in the program files startup folder from the start menu, worth taking a quick look there and if there is an exe you don’t recognise delete it.

  9. Tan says:

    Thanks a lot … I have tried it but this time it did not change the reg file … Rather found the virus after searching in explorer under safe mode … At least this blog helped me to realise that it’s a virus and the .exe file needed to be removed …

  10. Calan says:

    There’s a slightly easier way.

    1) Start PC in safe mode
    2) Navigate to Windows > Startup
    3) You’ll see a random file listed, right click it and view properties. It will have been created today and will display its location
    4) Find it, delete it
    5) Delete the startup entry
    6) Job done

  11. HELP says:

    Will it work if I restore my laptop? And how did this happen and, more importantly, how do I stop this from happening in the future??? Please reply asap!

  12. Lu says:

    Will it get rid of it if you delete the account it happened on?

  13. Marina says:

    Trojan remower is the best little program for this. Boot via F8 with networking support, download and install the program (there is a 30-day version), update the databases and start the scan. The job takes about 20 minutes. Good luck!

  14. ambro says:

    When I type in shutdown /r /t 0 my computer turns off but it won’t turn back on again. Pls help

  15. Lorenzo says:

    I don’t understand why you get into such complex guides when, speaking plainly, most of those who try this guide will call their trusted “technician” and have the PC formatted…. too complex for my taste!! I ran into this virus too! And I say that getting out of it is trivial…. just restart the PC normally and, before the virus acts, go to Start, type “msconfig” in the search bar, go to the Tools menu and launch System Restore!! (the virus will act anyway, but at least you have the system configuration panel at your disposal, and having the panel you have full access to the PC) 5 minutes and your PC will forget it ever met that excuse for a virus!!!

  16. andy w says:

    hi
    what happens if I access safe mode but can’t get a command prompt? It says ‘a problem has been detected and windows has shut down to avoid damage to your computer’
    thanks
    andy

  17. marg says:

    Done everything as advised, but when I try to load the Trojan Killer, my computer will not recognise the USB and I can’t run the program, please help :)))

  18. Dan says:

    Hello People
    This is a ransomware which I think is from the nazis who think that they could get away with trying to threaten people and get some money out of people in British Pounds. This Trojan virus comes into your computer if you visit some porn sites with .eu extension.
    These nazis are also getting smarter: as and when people post remedies on this website they try and find out ways and means of hiding their files.
    I had to sort out a laptop which had both administrator and user accounts. The user had used the user account to visit some .eu porn site and this virus had blocked his laptop.
    Unlike what has been said in the forum, that the “shell” when being modified using regedit would show the place where the file would be available, won’t be true any more as these guys have left the shell to show explorer.com. However they have started hiding the files that they are using to block your computer.
    What I did was to remove the hard drive from the laptop and connect it to another computer using a USB adapter. Then I made sure that, when exploring the hard drive, I had set the folder options to show hidden files.
    When I went into the C: drive and then into the ‘documents and settings’ folder, I saw the user folder (which is hidden if the folder option is set to not show hidden files). I went into it and found some applications called 0.2944330001364994 and 0.96683332612963674h7i. This hard drive had XP installed on it.
    I deleted these files and there you go, the laptop is back on line. No more metropolitan threats. I had also done a regedit as suggested on this forum just to ensure that the shell had some funnies in it. But it did not.
    No antivirus or malware software detects this.

  19. Dan says:

    Hello People,
    Sorry for an omission. The hidden folder was in ‘document and settings\user\applicationdata’ (which is a hidden folder).
    Hope this helps
    Regards
    Dan

  20. Phil says:

    Hi all, I removed this with the Trojankiller. I couldn’t do it automatically once Trojan killer found all the problems because I was in safe mode and couldn’t register with them. So I copied the registry list by hand and deleted manually. My file was hiding in my users file/appdata/roaming/cgs8ho.exe. Plus there are 10 registry items to find. Seems to have worked though.

  21. Tom says:

    I also had this problem today. It came up as a random file. Won’t say anymore, but if I were you I’d talk about this privately; they read these posts to figure out how they improve their schemes. If you’re running on Windows, do the msconfig in the run menu, then startup, go through the files and it will come up with a random file like ‘cd128.exe’, and next to it where it says author or origin it will say unknown. Untick the box and download a malware removing device. Hope this helped

    Tom

  22. Alice says:

    I did the automatic method but it didn’t work, I still have the “message from the Gendarmerie” at startup. What should I do?

  23. Peter says:

    I found myself with this last night (price has gone up to £100 BTW). As I didn’t have an alternative PC, I simply disabled my wireless, then (as the laptop was SLOWLY starting up) dived in quickly and ran System Restore back to a restore point from a couple of days ago.
    Once this was completed, I ran an AV scan (Symantec) which found nothing. Having read this article, I’ll be running an alternate Trojan scan, but so far all seems OK.

  24. isabella says:

    If I can remove it with the Trojan Killer program I will absolutely buy this program. I’m just waiting to see what happens. Now it is scanning.

  25. Filipe says:

    I can’t do it; when I start in safe mode with command prompt, the screen goes white. Please reply here: pipas.sporting@hotmail.com

  26. Graham Revens says:

    Metropolitan police virus

    Safe mode
    Safe mode with command etc
    All seem to have been disabled
    They either return me to the boot page or windows starts in normal mode

  27. Petar says:

    Got this today on a colleague’s laptop but the virus web page stays on top of everything so it is impossible to do anything from Task Manager or Command Prompt in safe mode. Managed to remove it by starting repair from Windows boot and doing system restore.

  28. Jack says:

    I used system restore, and scanned with malbytes, nothing appears,

    is the virus still on my pc?

    Checked regedit and the shell says ‘explore.exe’ so can’t find the location if there is one hiding?

    Is it necessary to run Trojan Killer? And does it cost anything?

  29. dino says:

    Can’t you see that you’re being had?!?!?! This guy is telling you exactly how to install himself on your computer; most of those who offer to help you (programs and people) always have another motive.. don’t do anything mentioned above… this must be exactly the one who released the virus, now this is his way of getting in.. WAKE UP.. DUHHHH

  30. Fabio says:

    I deleted the “shell” file by mistake… can anyone tell me what risks this involves and whether the virus removal can still be carried out??? Help me, thanks

  31. Julia says:

    Dear Fabio,
    We will help you to sort out this issue. Please contact us via ticket system http://trojan-killer.net/support/.
    Best regards,
    Trojan Killer customer support team.

  32. Lorraine says:

    Thanks to this website I finally got rid of this pesky Trojan. In our case, the explored.exe option had been covered by the bug so I scanned the comments section and tried the user/application data advice and there it was! An ugly cartoon face and the name was “fnpmxlqf” Which is nowhere to be found on the Internet. I am now trying to down load some antivirus to prevent it coming right back! Thanks !!!

  33. Because says:

    Ok so I’m having problems from the start. First of all it does not come up on the second screen shot on my computer. There is no documents and settings written. I write explorer but then it doesn’t come up. Even when I reach the regedit settings, I don’t see shell anywhere? Please help if you can

  34. Jack says:

    Will any of these methods wipe files off of the computer though?

    I can’t afford to lose files!

  35. nigel says:

    Didn’t work, said it found virus and removed it, but it’s still there?

  36. nigel says:

    Update: now tried the manual way. At edit string, mine does say explorer.exe to start with, so no point in changing it.

  37. nigel says:

    PS: on my XP system, it reads Garda Síochána as I’m in Ireland. Don’t know if I have an updated version of this virus, so the Trojan Killer doesn’t work?

  38. nigel says:

    Just done a system restore, seems to have done it, computer unlocked and working, should have done this in the place.

  39. ritchie says:

    GUYS I’VE HAD THE FILE AND FIXED IT!
    **READ IF HAVING TROUBLE**

    OK, what I did: I went into the command prompt, then typed in “msconfig”. I then clicked the option for the programmes that are used when starting your computer up. Look firstly at the publisher category for “unknown”, it will be one of them. I then found one with unknown, or one that sounds really weird, and it would normally be in your app data folder. I then disabled it, restarted, then I went on Start, Computer, and found some weird file; when I hovered my mouse over this file it said the date created was the day of the virus, so I removed this file, emptied the recycle bin, and did a full virus scan on my computer. Hope this helps, please tell me if you didn’t understand any steps!

    .Rich

  40. Glen says:

    Done the Gridinsoft to USB option, worked perfectly, thank you for the guidance.

  41. Colin says:

    Rich
    Your solution has worked for me. Thanks

  42. Mike says:

    I start my computer in safe mode but it shuts itself off before I can do much. Help

  43. Hayley says:

    The regedit didn’t work for me either, my Shell file was still at explorer.exe.
    I went into System Config, Startup and saw a bunch of letters I didn’t recognize, in my program data. Sure enough, when I went to the folder (had to use Windows key + R, because it was hidden), the file was there with a stupid cartoon pic. I deleted the file and now my laptop is back to normal. Easy peasy once you work it out!

  44. John says:

    I managed to remove this by pressing F8 to get the screen where you can start in safe mode, but instead of doing that I selected “repair your computer”. I followed through this and chose “system restore” and simply restored the system from about a week earlier.

  45. Rols says:

    Worked fine, went to safe mode, msconfig, killed suspicious looking service, deleted the relevant hidden folders, rebooted the pc and scanned with antimalware/antivirus and pc good to go…

    Thanks

  46. Nas says:

    Hi,
    For me the virus was located in C:\Users\(User)\AppData\Roaming\msconfig.dat. It took me a long time to find it and many anti-spyware/virus software could not find it. Hope this helps.

  47. Jimbob says:

    Nice one ‘JACK’….SYSTEM RESTORE…thought ‘what a waste of time that’ll be’..IT WORKED!!(I had already tried all regis.etc..WELL DONE!!

  48. Chris says:

    Under ‘msconfig’ then ‘Start up’, I have a start up item named ‘Conime’.. this is the only item in the list that is listed as ‘unknown’. I’m wondering if this is where the problem is coming from. If I un-tick/disable this item will that solve the problem?
    The location of ‘Conime’ is ‘HKLM/SOFTWARE/Wow6432Node/Microsoft/Windows/CurrentVersion/Run’

    Thanks.

  49. AG says:

    The downloaded Trojan Killer worked perfectly first time. I had a very nasty case of the Police Virus and Trojan Killer did exactly what was on the box.

    I would recommend this product.

  50. Lisa says:

    Omg! My now ex bf!!! Locked my laptop out completely with this virus, he eventually admitted that he got the virus after looking at porn!!

    Safe mode doesn’t work, just goes round in a loop?

    Simple fix, DON’T LOOK AT PORN!!!

  51. Keith says:

    System Restore works every time. Just make sure you roll back to the point *before* the session before the screen actually appeared as it is installed prior to shutdown and is not evident until the next reboot.

  52. Lisa says:

    Omg! So many pervs on here looking at porn! No wonder it’s mostly men!

  53. sean mc larnon says:

    That’s a lot of effort. Simply remove by booting in safe mode and use system restore to roll back your PC to a time before it was infected.

  54. andy says:

    Can anybody help me get this virus off my daughter’s school laptop? I’ve tried everything,

  55. Julia says:

    Dear Andy,
    We recommend that you carefully read this post. Here you will find the effective removal instructions. If any other questions occur, we kindly ask you to contact us via http://trojan-killer.net/support/
    Best regards,
    Trojan Killer customer support team

  56. Terry says:

    Thank you for your kind instructions. Have faith in humanity again! ;-))

  57. bhu says:

    The virus keeps restarting my PC when I try to use Trojan Killer and the same when I try to remove it manually. I got to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon once in time before it rebooted but it was normal with explorer.exe!!! Any more ideas? Please help

  58. Adrian says:

    Hi,

    I did this, went to Change the explorer.exe – the entry was as should be.

    I was using safari when this ransom ware took effect, is there any other thing I should be checking?

    Thanks,
    Adrian

  59. tony says:

    Yeah Lisa, because women don’t watch porn…

  60. Paul says:

    Cannot boot to safe mode keep getting blue screen …

  61. N says:

    Personally, I found ‘lsass’ located in folder: C:/Program Data/
    Another place to look.

  62. Unknown says:

    You could always do it the easy way.. start PC tapping F8, repair your computer, system restore…

    I deal with this scam daily.. why download other programs when your PC has everything needed.

  63. Caroline says:

    Tried this but when I type explorer it just goes straight to the virus window. I’m on Windows XP. Can anyone tell me how to get to the explorer page so that I can run the virus fix file which I downloaded from this page?

  64. Dinoderk1 says:

    Please help, pressed F8 on boot up and tried to boot up in safe mode with command prompt but it will not go to safe mode, it just keeps booting back up to the police virus screen. The exact same thing happens when I try to boot up in safe mode with networking. I am using Windows XP Pro.

  65. Victim says:

    My laptop “Toshiba” from 2000 has been infected with this “Metrolian police” but it’s more advanced and it’s Spanish. What it does is that it doesn’t allow you to start in safe mode, nor enter the F1 at the start. I can’t find a way of removing it. It does not allow you to do ANYTHING. It’s fake I know but nothing happens when we try to remove it. PLEASE HELP!

  66. Victim says:

    Also my windows is an XP

  67. Rod Smith says:

    Disappointed that the software does not let you remove your first infection before asking for money for the programme.

    Publishers will find if a good software publisher is trusting enough, people will still buy the software, especially if it has solved a problem.

    Initial reaction, will find another way to remove, try Malwarebytes.

  68. andy says:

    We can issue the free trial code for 15 days to all interested users

  69. 00st says:

    Got this on a Windows 7 machine. Got rid of it by using “safe mode with command prompt”, minimizing that & then using system restore. Normal safe mode would just cause a restart. Tried the regedit thing, but like so many others I only found “explorer.exe”.

  70. John says:

    I have disabled the bug from startup as Rich suggested. However, when I go to delete the file from Appsdata folder it is not there?
    Do I have to enable it for it to appear?
