UKash - Metropolitan Police Virus Scam

123Simples

Free Member
Jul 10, 2011
791
255
Hampshire, UK
UKash - Metropolitan Police Virus Scam is doing a re-run in the UK, and recently hit one of our customer's PCs; he was very distressed and upset by the experience. I'm only posting this as an advisory in case anyone else gets caught out with this.

Our customer (probably like many computer users) had failed to really keep his internet security up to date, but whilst surfing YouTube he clicked on an external link, and inadvertently in doing so, downloaded the Ukash virus. It is a trojan -

Basically the virus installs on your system, and then it locks the computer up with a screen saying Metropolitan Police - Your computer has been locked.
The screen information displays your computer IP and other information that might make you think (if you do have your wits about you) that this is quite a genuine thing. Obviously the giveaway is that if you pay them £100 using any of the methods shown, then an unlock code will be sent to you.

This is a scam that happened a few years ago in Germany and has been modified and released again. If you type this into Google Search:

"ukash virus metropolitan police"

You will note that there have been a spate of recent attacks using this virus. Removal needs to be done with care, and using Safe Mode - even then it takes a bit of weeding out.

Just to advise anyone who may be interested.
 
I caught this yesterday, but rather serendipip.. serendillupus... rather luckily I seem to have accidentally killed it when I went to shut down my PC.

As part of the shutdown procedure it seems Windows killed the malware, but because I had an unsaved file open on my desktop, it paused and asked if I wanted to save it. I cancelled the shutdown procedure and then did a full scan with Antimalware Bytes and Windows Essential Security.

This seems to have done the trick... but I haven't rebooted my PC since. Fingers crossed and all that.

It would be interesting to know if the unlock code is the same for all PCs. I seem to recall this was the case with a piece of ransomware from a few years ago - it was something trivial like "1234".


James
 

123Simples

Free Member
Jul 10, 2011
791
255
Hampshire, UK
I think you are right on the unlock code James - it will be interesting to hear from you when you reboot the PC to see if you have killed it, or it is just hiding somewhere.

My advice (just to make sure) would be to boot up in Safe Mode with Command Prompt, do a complete MalwareBytes scan and anti-virus check. From what I can see this virus can be awkward inasmuch as it has maybe changed how it works, because there seem to be so many conflicting ideas on how to find it/remove it.
 

TonyHarbon

Free Member
Nov 24, 2011
18
2
Hertfordshire
One further cautionary tale is that trojans like to bring their friends along to play when you inadvertently download them onto your PC. Our standard practice is to reformat the hard drive and re-build a PC that gets infected with a trojan because it's the only way that you can be sure that you are not now part of a Botnet!

:(

Tony Harbon
 

123Simples

Free Member
Jul 10, 2011
791
255
Hampshire, UK
One further cautionary tale is that trojans like to bring their friends along to play when you inadvertently download them onto your PC. Our standard practice is to reformat the hard drive and re-build a PC that gets infected with a trojan because it's the only way that you can be sure that you are not now part of a Botnet!

:(

Tony Harbon

I do agree - if I feel that the system has been compromised in this way, I would almost certainly reformat the hard drive. I would also suggest that if a hard drive is partitioned, that a thorough scan is run after the format procedure. If in doubt clear everything out and start afresh.
 

rachaelx

Free Member
Dec 15, 2011
1
0
I know this is probably a long shot but I just wanted to post my experience on the off chance that the horrible, selfish, thuggish people that started this scam read others experiences for the fun of it.

I hope they do. This thread would be really helpful if I had been able to see it before my computer was hijacked.
It was my father's funeral last week, which I had to pay for with the money I had saved up for Christmas. Then, my computer came up with that sick horrible virus and I panicked, assuming my son had clicked on some website accidentally. I paid the £100, and when that didn't resolve the situation I realised it was a scam. I then had to pay a further £60 to get a technician to remove the virus.
I literally now have no money for Christmas. Instead, my money is in the pockets of those horrible people that set this up. My kids won't have a proper Christmas dinner and I can't buy the presents I was planning on getting them. I feel really sick that this has happened to me with everything else that has gone on this month.
I hope whoever did this, you will read this and realise how it has affected my life. You don't deserve the money I have worked so hard to save this year and I know I probably won't ever get it back. I just hope that this catches up with you, and you end up in some jail with some other villains making your Christmas special.
 

123Simples

Free Member
Jul 10, 2011
791
255
Hampshire, UK
Hi rachaelx

Sorry to hear about your Dad. Sadly these kinds of people don't even care and that is why they do this sort of stuff. I would however advise you to contact your bank and tell them what has happened, and make sure that your bank account details are safe.
Also contact your local police and explain what has happened.

There is no such thing as a "victimless crime" and you should report this, but please do check with your bank IMMEDIATELY or whichever card issuer you may have used to pay this scum with.
 

pcproblems

Free Member
Jun 30, 2010
484
72
Salisbury
I had a look at a laptop with this earlier in the week.

The customer was scared stiff and took it to our local Police Station where they put his mind at rest.

The bug also corrupted his Norton AV.

I used Malwarebytes as always and it's perfect again. Actually, the police advised him to use Malwarebytes but he didn't fancy trying it himself.

It was flagged as trojan.zbot.cbcgen
 

Rasta Pickles

Free Member
Jun 15, 2010
335
71
Bristol
One further cautionary tale is that trojans like to bring their friends along to play when you inadvertently download them onto your PC. Our standard practice is to reformat the hard drive and re-build a PC that gets infected with a trojan because it's the only way that you can be sure that you are not now part of a Botnet!

:(

Tony Harbon

Once you've installed everything you need then simply image your system.

You can flash the image back over any damage in minutes rather than having to do a complete reinstall.

Once a month, I reimage my system, download the latest Windows/Office updates and then create a new image.

The most up to date, clean system is only ever about five minutes away.

If you don't image, then booting Linux from a USB stick and running anti-virus software from that environment is very effective (the operating system runs on-the-fly from the USB stick so any virus on your hard drive is literally a sitting duck).
 


LindseyMaguire

I'm in Hampshire and would welcome your assistance as one of our computers has this virus and I can't seem to get from Safe Mode with Command Prompt into any kind of position where I can activate AV software or stop the PC opening Windows. Your help would be much appreciated:


UKash - Metropolitan Police Virus Scam is doing a re-run in the UK, and recently hit one of our customer's PCs; he was very distressed and upset by the experience. I'm only posting this as an advisory in case anyone else gets caught out with this.

Our customer (probably like many computer users) had failed to really keep his internet security up to date, but whilst surfing YouTube he clicked on an external link, and inadvertently in doing so, downloaded the Ukash virus. It is a trojan -

Basically the virus installs on your system, and then it locks the computer up with a screen saying Metropolitan Police - Your computer has been locked.
The screen information displays your computer IP and other information that might make you think (if you do have your wits about you) that this is quite a genuine thing. Obviously the giveaway is that if you pay them £100 using any of the methods shown, then an unlock code will be sent to you.

This is a scam that happened a few years ago in Germany and has been modified and released again. If you type this into Google Search:

"ukash virus metropolitan police"

You will note that there have been a spate of recent attacks using this virus. Removal needs to be done with care, and using Safe Mode - even then it takes a bit of weeding out.

Just to advise anyone who may be interested.
 

network engineer

Came across the same problem with one of my clients.
PC did have Norton 2012 installed but seems like the anti-virus didn't detect it.
What worked for me to fix the problem is:-
1. Restart computer in Safe Mode
2. Do a System Restore to a previous date before infection occurred.

This deletes ALL data installed after this date including virus.
 
Hi Lindsey, in order to remove this malware, it is safe mode with networking, rather than safe mode command prompt you need.

Once in smwn, then download either malwarebytes, or hitmanpro.

Both of these programs, will remove the malware from your machine.

@network engineer, just because you ran a system restore prior to the virus being downloaded does not mean that your machine is now 100% free of viruses. Can I respectfully suggest, that you run all your virus / malware programs on a full scan (after updating the definitions obviously). If required you can also run a couple of online scanners to ensure your machine is free.

When I do virus removals, I use a 5 stage process, rather than a simple scan. That way I know the machine is clear of all traces.
 

jf9901

Free Member
Jul 28, 2012
1
0
hello there
i was watching big brother online when all of a sudden my screen locked and said that the metro police had locked my computer for downloading pirated material/ child pornography/ visiting banned sites, and that to un-lock it i had to send them 100 quid. so safe to say i was shitting myself, but i immediately googled it from my other laptop and confirmed my suspicions that in fact it was a big fat scam! luckily for me my uncle is a whiz with computers and told me how to fix it, cause like a right **** i don't have internet security. all i had to do was take my battery out without shutting down, then replace it, turn my comp on, then click safe mode at the start up screen which windows brings up if u have not shut down properly. it started up fine on factory setting, no lock screen. then u go on to control panel and click system restore, then go through the motions and click on the earliest restore date before u got the virus and click finish. it takes no more than 2 mins and it restarts ur comp and everything is back to normal. it doesn't delete any of your files and its 100% free !!!!:):D;)
 

Websitehandyman

Free Member
Nov 25, 2011
2,168
535
Staffordshire
Funny this should crop up as I too had this for the first time yesterday afternoon. I had five or six windows open so can't track which click it was. But I used to work installing anti-virus for many years so I like to think I know a bit about how to avoid them.

Microsoft Essentials didn't pick this up, which is a surprise as it's old code now.

The easy way out for me was to reboot into basic mode and do a restore to another point, which for me was only the day before.
 
Have had a few experiences with this little blighter recently. As said previously though, just because you clear the trojan, keep an eye out for root kits and other associated nasties and if in any doubt, go the format and reinstall route.

Would also recommend the disk imaging as said above. Makes a clean install redundant and saves a lot of time. Paragon have a free disk imaging tool for home users and it works well in conjunction with an external hard drive. Set and forget.

Tools used to clear this out at various times: Malwarebytes, Combofix, Kaspersky TDSSKiller and Security Essentials.
 

mit74

Free Member
Jun 4, 2010
2,463
447
There is plenty of information about how to get rid of this malware on YouTube. If Malwarebytes doesn't get rid of it or you can't get into safe mode then you'll need to use a bootable disc; there are plenty around for free such as UBD v5, Linux or your Windows disc. May even be easier to remove the drive and connect to a second computer to remove the files (it's a trojan so won't infect the other).

For someone who fixes these things every week I still cannot believe how gullible people are and how easily they'll hand over their credit card details to complete strangers or websites. Only last week I was called out to a customer who entered every single bit of personal data they have to a bank phishing site because they had a 'your account has been compromised' email... even their passport and driving licence details !!!! :eek:
 

Websitehandyman

Free Member
Nov 25, 2011
2,168
535
Staffordshire
For someone who fixes these things every week I still cannot believe how gullible people are and how easily they'll hand over their credit card details to complete strangers or websites. Only last week I was called out to a customer who entered every single bit of personal data they have to a bank phishing site because they had a 'your account has been compromised' email... even their passport and driving licence details !!!! :eek:

Given the right situation anyone will fall for a con, I once worked for a company when a director re-registered a domain simply because a letter came to him - only £800 !
 

10032012

Free Member
Mar 10, 2012
1,955
321
hello there
i was watching big brother online when all of a sudden my screen locked and said that the metro police had locked my computer for downloading pirated material/ child pornography/ visiting banned sites, and that to un-lock it i had to send them 100 quid. so safe to say i was shitting myself, but i immediately googled it from my other laptop and confirmed my suspicions that in fact it was a big fat scam! luckily for me my uncle is a whiz with computers and told me how to fix it, cause like a right **** i don't have internet security. all i had to do was take my battery out without shutting down, then replace it, turn my comp on, then click safe mode at the start up screen which windows brings up if u have not shut down properly. it started up fine on factory setting, no lock screen. then u go on to control panel and click system restore, then go through the motions and click on the earliest restore date before u got the virus and click finish. it takes no more than 2 mins and it restarts ur comp and everything is back to normal. it doesn't delete any of your files and its 100% free !!!!:):D;)
haha, Met Police taking bribes... it's true they do, but I don't think it's for as little as £100 and for the general public.

just wanted to add, a linux live cd can be great at removing trojans/viruses etc.
 
A friend's PC caught this annoying little bug. Solution was:
1) Restart in safe mode and scan with Malwarebytes Anti-Malware Free edition.
2) Run msconfig and disable all startup items.
3) Restart in safe mode and scan with AVG free.
4) Services.exe in the system32 folder was infected and could not be replaced from within Windows so... boot (from CD) into Puppy Linux, run pfind to search for services.exe, which was found in a subfolder of winsxs. Use it to replace the system32 version of services.exe.
5) Restart into Windows and all should be well. Worked fine for me, hope it helps someone.
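
As an added illustration of the check behind step 4 (this is not code from the thread), the PowerShell below verifies whether the live services.exe is still Microsoft-signed and whether its hash matches a copy held in WinSxS. It assumes an elevated prompt with PowerShell 4 or later on the affected machine; it only reports, and any replacement of a bad copy is still done offline as the post describes.

```powershell
# Added example: integrity check of services.exe against the WinSxS store.
# Assumes an elevated PowerShell 4+ prompt on the affected Windows box.
# It reports only; a bad copy is replaced offline (e.g. from a Linux boot CD).

$target = Join-Path $env:windir 'System32\services.exe'

# 1. Authenticode check: a genuine services.exe carries a valid Microsoft signature.
$sig = Get-AuthenticodeSignature -FilePath $target
"{0}: signature {1}, signer '{2}'" -f $target, $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') {
    Write-Warning "services.exe is not validly signed - treat the machine as compromised."
}

# 2. Hash the live file and every services.exe found under WinSxS.
$liveHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
$sxsCopies = Get-ChildItem -Path (Join-Path $env:windir 'WinSxS') -Recurse `
                -Filter 'services.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signed = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }

# 3. Report. Caveat: WinSxS entries can be hard links to the live file, so a
#    matching hash on an UNSIGNED file proves nothing; the signature is the
#    stronger test. A signed WinSxS copy with a different hash is the candidate
#    clean source for an offline restore.
$match = $sxsCopies | Where-Object { $_.Hash -eq $liveHash -and $_.Signed -eq 'Valid' }
if ($match) {
    "Live services.exe matches a signed WinSxS copy: $(($match | Select-Object -First 1).Path)"
} else {
    Write-Warning "No signed WinSxS copy matches the live services.exe."
    $sxsCopies | Where-Object { $_.Signed -eq 'Valid' } | Format-Table Path, Hash -AutoSize
}
```
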
 

visagephoto

Free Member
Apr 15, 2004
588
54
68
Scotland
I was at a family gathering the other night and I couldn't believe the following conversation I overheard between my brother-in-law and my brother.

My brother mentioned that his desktop PC hadn't been used for a few months as it had been infected with a virus and he wasn't sure how to deal with it. My brother-in-law's advice was to download "freeantispyware" as that apparently cures every infection?

He then advised that the PC should now be clean anyway as it hadn't been used for a few months, "Because if you leave your machine switched off for a few months a virus usually gets bored and deletes itself from your PC"

I called my brother the following day with different advice.
 

The Panda

Free Member
Apr 16, 2008
711
154
Runcorn, Cheshire
I was using my laptop this morning to view this very site and the trojan locked it. I am using my office desktop to check on it as I spotted the scam straight away.
It says you can get from several sources including your wallet. That was the clincher for me.
Now I have to spend some time finding out how to remove the bloody thing. I am at a meeting for 2 days next week and need the laptop. This is something I could have done without. Bugger.
 

Websitehandyman

Free Member
Nov 25, 2011
2,168
535
Staffordshire
I was using my laptop this morning to view this very site and the trojan locked it. I am using my office desktop to check on it as I spotted the scam straight away.
It says you can get from several sources including your wallet. That was the clincher for me.
Now I have to spend some time finding out how to remove the bloody thing. I am at a meeting for 2 days next week and need the laptop. This is something I could have done without. Bugger.

Just do a windows restore to yesterday, this doesn't affect your saved documents etc. Should take 30 mins or so to finish.
 

Dan_Kesher

Free Member
Feb 17, 2011
148
41
Manchester
The best resource ive found so far is http://forums.malwarebytes.org/index.php?showforum=7

They have volunteers and paid staff ready to help you remove viruses and malware for free. In exchange, they often ask your permission to receive a copy of the viruses (if they havent seen them before) so they can improve their Malwarebytes products.

Just start a new topic if you suspect you have a virus and usually someone will be with you within a few minutes.

Every virus is different so don't follow removal steps from any existing posts on that forum. You have to start a new thread.

Also, Windows System Restore is not magic. Quite often, the Restore Copies are infected and Restoring will have no real effect.
 

The Panda

Free Member
Apr 16, 2008
711
154
Runcorn, Cheshire
Just do a windows restore to yesterday, this doesn't affect your saved documents etc. Should take 30 mins or so to finish.
Yep, cheers for that tip. Worked a treat. Just need to run antivirus over the system now to scrub it clean. I can well understand how people could be caught out with this. Your immediate reaction is shock because it does actually lock everything but if you just step back for a second you see it as the scam it is but some people would be so worried they would just pay up. It is a clever little scam and people need to be aware of it.
 

doctorwhofan63

Free Member
Sep 14, 2012
4
0
Hi. I got this problem a while back. Since then I have only used the PC with wifi not connected so the message doesn't appear. I turned the internet on again today and the message doesn't appear. I assume however that the virus is still on my computer. Would it be safe to transfer important files to an external hard drive and completely reset my computer, or would I inadvertently load the virus onto my external hard drive?
 

123Simples

Free Member
Jul 10, 2011
791
255
Hampshire, UK
To remove (or attempt removal of) this UKash Scam, follow the suggested steps:

  1. Shut down your computer.
  2. Restart the computer and as it is booting up press F8 repeatedly - you should bring up a black screen similar to this:

     [image: the black boot menu screen]

     Select Safe Mode with Networking and then hit Enter.
  3. Once the computer has started in safe mode, download Malwarebytes Anti-Malware Free - download link: http://www.malwarebytes.org/products/malwarebytes_free
  4. Install the software on your system and then run a FULL system scan. It should find the corrupted files and quarantine or remove them.
  5. Restart the computer normally and you should be good to go.
 
To be honest, just using Malwarebytes or doing a simple system restore will NOT remove the Met virus scam.

You ideally require a full virus removal completing. The best thing to do is to take it to your local computer repair shop. They will be able to remove any and all traces of the virus (together with any other malware found on your machine).

I remove this virus at least weekly from clients' machines, using a 5 stage virus removal procedure. I do not do a single scan and call it clean, as there are other places to check.
 
It can and will stop your machine from booting up completely, and logging into your account.

It can also halt you, once you do eventually log in, from doing anything.

This particular virus does not remove files from your machine (at least the ones I have dealt with). But scan all your My Documents files for starters, with a GOOD anti virus program. Not the likes of AVG, Norton, or McAfee.

Also download and install Super Anti Spyware and Malwarebytes. Download the latest virus definitions, and run both programs on a full scan. These will take at least 1 hour to run, but it's well worth it.

I would also seriously consider taking your machine to your local pc repair shop as mentioned in my previous post. Just to be on the safe side.
 