1. #1
    Dreadlord
    10+ Year Old Account
    Join Date
    Sep 2010
    Location
    Scotland, U.K
    Posts
    867

    [help plzz] Metropolitan police virus

    My niece somehow managed to get a Metropolitan police virus asking her to pay £100 to unlock the computer. However, I know it's a virus and I'm having trouble getting rid of it. I found a list of instructions on how to get rid of it, but it requires me to move a "shell" reg file; however, I went to the location where the shell file is supposed to be located and it's not there. I told my brother and he said he deleted it, but now I can't get it back...

    Anyone know how I can either get the virus's shell reg file or get rid of the virus on Windows XP (without using Windows Restore, as it's not enabled on the PC)?

  2. #2
    Computer: Intel I7-3770k @ 4.5GHz | 16GB 1600MHz DDR3 RAM | AMD 7970 GHz @ 1200/1600 | ASUS Z77-V PRO Mobo|

  3. #3
    Brewmaster Biernot's Avatar
    15+ Year Old Account
    Join Date
    Mar 2009
    Location
    Germany
    Posts
    1,431
    If this malware is anything similar to the BKA/GVU version we have here in Germany, then it is quite simple to remove:

    1. Boot Windows in Safe Mode with Command Prompt (hit F8 before Windows loads and select the proper action).

    2. Type "msconfig" in the command prompt. If you get an error message, then first type "explorer" to load the normal desktop and then select the "Run" option from the start menu and start msconfig there.

    3. Select the Startup Ribbon and sort by the "Command" column. Now look for any entries that try to execute something from the "C:\Users\..." directory. Sometimes they try to mask the command by routing it through "ctfmon", so make the column wider to see the whole command.
    Deactivate any entry that seems fishy to you. Especially naughty are things from the "C:\Users\...\Temp\" folder. But sometimes there is also something in the "C:\ProgramData\" directory.

    4. Now go to "C:\Users\[username]\AppData\Local\Temp" and delete everything in there. If you do not see the "AppData" folder, make sure to activate "show hidden files" in the directory options of Windows Explorer. If there were other fishy entries in your msconfig, then it is probably a good idea to locate the files they tried to load and delete them too.

    5. Now, theoretically, the ransomware should be gone. But I would suggest doing a full virus scan before you resume your daily work. I would suggest using the Kaspersky Virus Removal Tool (standalone one-time scanner). Download it on another computer just before you want to use it (to make sure you get the most current version... this one is updated daily or even more often). Use this scanner while still in Safe Mode.
    In the settings (cogwheel icon) I would recommend including the full C: partition and, under "Actions", taking the automatic disinfect/delete option. Then do a full run ("automatic scan").
    Why do something simple, when there is a complicated way?
    Ryzen 7 2700X | BeQuiet Dark Rock Pro 4 | 16GB DDR4-3200 | MSI X470 Gaming Pro | MSI GTX 1070 Gaming X 8G | 500GB / 750GB Crucial SSD
    Fractal Define C | LG 32UK550 | Das Model S Professional Silent | CM Storm Xornet
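The steps in the post above are done by hand in msconfig. Below is an added example (it is not from the thread and not from any poster) that does the same inspection as a read-only audit: it lists the Winlogon "Shell" and "Userinit" values the original poster was told to look for, the Run/RunOnce keys, and the Startup folders, and flags entries that point at user-writable locations such as Temp, AppData, the XP-era "Local Settings" folders, or ProgramData, or that route through ctfmon. The registry paths are the real Windows ones; the list of suspicious path fragments is a heuristic chosen for this example. It assumes PowerShell 2.0 or later is available (Windows XP does not ship with it and needs it installed separately; Vista and later include it) and that it is run as an administrator, ideally from Safe Mode with Command Prompt. It deletes nothing, so a wrong guess costs nothing; anything marked SUSPECT is a candidate to disable in msconfig and locate on disk as the post describes.

```powershell
# Added example, not part of the thread. Read-only audit of the autostart locations that
# screen-locker ("police") ransomware typically abuses. Reports only; deletes nothing.
# Assumptions: PowerShell 2.0+ (installed separately on Windows XP), run as administrator.

# Path fragments that make an autostart command suspicious: user-writable locations that
# legitimate startup entries rarely use. Heuristic for this example; covers XP and Vista+ layouts.
$SuspiciousPatterns = @(
    '\\Temp\\',               # %TEMP% inside the profile (the thread's main culprit)
    '\\AppData\\',            # Vista+ profile data (Local, LocalLow, Roaming)
    '\\Local Settings\\',     # XP equivalent of AppData\Local
    '\\Application Data\\',   # XP equivalent of AppData\Roaming
    '\\ProgramData\\',        # also mentioned in the thread
    'ctfmon'                  # the masking trick the thread describes
)

function Test-SuspiciousCommand {
    param([string]$Command)
    foreach ($pattern in $SuspiciousPatterns) {
        if ($Command -match $pattern) { return $true }
    }
    return $false
}

# One report row per autostart entry.
function New-Row {
    param([string]$Source, [string]$Name, [string]$Value, [bool]$Suspect)
    $flag = 'ok'
    if ($Suspect) { $flag = 'SUSPECT' }
    New-Object PSObject -Property @{ Flag = $flag; Source = $Source; Name = $Name; Value = $Value }
}

function Get-AutostartReport {
    $rows = @()

    # 1. Winlogon: the "shell" value the original poster was told to look for. On a clean system
    #    Shell is exactly 'explorer.exe' and Userinit points at ...\system32\userinit.exe.
    #    A per-user (HKCU) Shell or Userinit value is unusual in itself.
    $winlogonKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $winlogonKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'Shell', 'Userinit') {
            $value = $props.$name
            if (-not $value) { continue }
            $suspect = (Test-SuspiciousCommand $value) -or
                       ($name -eq 'Shell' -and $value -ne 'explorer.exe') -or
                       ($key -like 'HKCU:*')
            $rows += New-Row $key $name $value $suspect
        }
    }

    # 2. Run / RunOnce keys for the machine and the current user (what msconfig's Startup list shows).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }   # skip the provider metadata
            $rows += New-Row $key $prop.Name ([string]$prop.Value) (Test-SuspiciousCommand $prop.Value)
        }
    }

    # 3. Startup folders (current user and all users). -Force also lists hidden files, which
    #    matters because these folders live under the hidden profile directories.
    $shellFolders = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $folders = @([Environment]::GetFolderPath('Startup'))
    if (Test-Path $shellFolders) {
        $folders += (Get-ItemProperty -Path $shellFolders).'Common Startup'
    }
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path $folder)) { continue }
        foreach ($item in (Get-ChildItem -Path $folder -Force | Where-Object { $_.Name -ne 'desktop.ini' })) {
            $rows += New-Row 'startup folder' $item.Name $item.FullName $true   # anything here deserves a look
        }
    }

    $rows | Select-Object Flag, Source, Name, Value
}

# Run the audit; SUSPECT rows sort to the top. Verify each one before disabling or deleting,
# since the flagging is a heuristic, not a verdict.
Get-AutostartReport | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Because the script only reads, it can be run before and after the clean-up the post describes: an entry that disappears from the SUSPECT rows after step 4 confirms the right file was removed, and a Winlogon Shell value that is anything other than `explorer.exe` is the case the original poster was looking for.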
