Metropolitan Police Virus

FritzBox · Oct 04, 2012, 09:55:22

Trying to remove it off someone's lappie running XP SP3 that won't boot into safe mode. Currently running a scan with Kaspersky rescue disc. Have tried the regedit method via Kaspersky disc but that appears to be in order, nothing changed with Winlogon-Shell
Any tips if this fails to find it?

sobranie · Oct 04, 2012, 11:20:25

I totally gave up on this on a friends lappie and reformatted instead.
There's a myriad of 'cures' on the net BUT if you can't get into safe mode then you've had it!!!
Sorry for the doom and gloom but the reformat is far easier than kicking various solutions around for hours and hours.
NB: There's a prog out there called GridinSoft which purports to wipe this virus, unfortunately Gridinsoft appears to be a trojan according
to NOD 32.

Glenn · Oct 04, 2012, 11:38:30

That was the 'fix' I used at work too.

Combofix may located the trojan files.

zappaDPJ · Oct 04, 2012, 12:11:14

I've successfully removed this from a number of PCs this week, it is indeed a right sod to get rid of. Assuming you can get the OS booted and the payload removed, the only piece of software I've found that will remove the actual trojan files is Malwarebytes.

john · Oct 04, 2012, 12:30:31

I've found two methods of removing this, the first time I did a system restore which got rid of it.

I also noticed it only affected my account so I created a new account to test it. When I got it in the new account I simply deleted the account (including the files) and re-created it again.

In both the above methods I ran Malwarebytes, Windows Security Esentials and Dr Web just to check if there was anything else left behind but I don't think they found anything.

The first method is probably the best if it does the job.

psp83 · Oct 04, 2012, 17:57:19

Has anyone tried Norton Power Eraser ?

I've used this on several viruses that other antivirus programs wouldn't remove and its worked every time.

http://security.symantec.com/nbrt/npe.aspx

FritzBox · Oct 05, 2012, 18:48:12

Trouble is I can't boot into safe mode

psp83 · Oct 05, 2012, 19:07:18

Quote from: FritzBox on Oct 05, 2012, 18:48:12
Trouble is I can't boot into safe mode

I don't think you need to with NPE, it scans in normal windows and then reboots your pc to do another scan to remove deeper infections.

FritzBox · Oct 05, 2012, 19:44:08

Quote from: psp83 on Oct 05, 2012, 19:07:18
I don't think you need to with NPE, it scans in normal windows and then reboots your pc to do another scan to remove deeper infections.

I wouldn't have time to do it psp, the lappie boots, gets into windows desktop then a minute or so later it goes to a blue blank screen for another minute or so then up pops the Metropolitan Police thingy which covers the whole screen including the task bar, I can't do anything from there not even get into Task Manager

Glenn · Oct 05, 2012, 19:48:37

Are you able to slave the drive into a PC that can be safely rebuilt afterwards if necessary, then load NPE on that to run a scan or 2?

FritzBox · Oct 05, 2012, 20:14:57

That's not a bad idea Glenn might have a look at that if the latest Kaspersky scan fails again

The first time I tried it the lappie locked up after 79%

FritzBox · Oct 05, 2012, 21:10:33

Update.

Looks like Kaspersky Rescue Disc has done the job, it has now gone and I am currently running an updated, Malwarebytes scan

Info: this time I didn't bother updating Kaspersky 10 just ran the scan as it came on the iso, updated it the first time and it failed

psp83 · Oct 05, 2012, 21:25:57

Give NPE a run just to be sure, it found things on my old pc that other AV's didn't

FritzBox · Oct 05, 2012, 21:34:20

Quote from: psp83 on Oct 05, 2012, 21:25:57
Give NPE a run just to be sure, it found things on my old pc that other AV's didn't

Will do, but think that's for tomorrow, beer and pc's don't mix too well

cavillas · Oct 06, 2012, 17:39:51

You cna always try and use a windows cd touse the repair or safe mode form that.

FritzBox · Oct 06, 2012, 18:52:01

Quote from: cavillas on Oct 06, 2012, 17:39:51
You cna always try and use a windows cd touse the repair or safe mode form that.

Well I could but that wasn't in the job description, so he can have it back in the same state. Pretty sure it's a dodgy version anyway

mrapoc · Oct 11, 2012, 23:02:29

Get this all the time

usually safe mode
run Rkill
run combofix
check for mbr infection using mbrcheck
check for rootkill using tdsskiller
finally malwarebytes

sorted

Rik · Oct 12, 2012, 10:48:42

Quote from: mrapoc on Oct 11, 2012, 23:02:29
run Rkill

I misread that for a second, Sam.

Simon · Oct 12, 2012, 11:13:57

I was more interested in Sam's comment that he "gets this all the time". Do mainstream Internet security products not prevent or block this?

john · Dec 14, 2012, 17:42:14

The BBC reports someone has been arrested over this (though I suppose they may not be responsible for the particular cases mentioned on this thread).

Simon · Dec 14, 2012, 18:01:17

Let's hope so.