UKash - Metropolitan Police Virus Scam

Discussion in 'IT & Internet' started by 123Simples, Dec 9, 2011.

  1. 123Simples

    123Simples UKBF Enthusiast Free Member

    Posts: 784 Likes: 253
    UKash - Metropolitan Police Virus Scam is doing a re-run in the UK, and recently hit one of our customers' PCs, who was very distressed and upset by the experience. I'm only posting this as an advisory in case anyone else gets caught out with this.

    Our customer (probably like many computer users) had failed to really keep his internet security up to date, but whilst surfing YouTube he clicked on an external link, and inadvertently in doing so, downloaded the Ukash virus. It is a trojan -

    Basically the virus installs on your system, and then it locks the computer up with a screen saying Metropolitan Police - Your computer has been locked.
    The screen information displays your computer IP and other information that might make you think (if you do have your wits about you) that this is quite a genuine thing. Obviously the giveaway is if you pay them £100 using any of the methods shown, then an unlock code will be sent to you.

    This is a scam that happened a few years ago in Germany and has been modified and released again. If you type this into Google Search:

    "ukash virus metropolitan police"

    You will note that there have been a spate of recent attacks using this virus. Removal needs to be done with care, and using Safe Mode - even then it takes a bit of weeding out.

    Just to advise anyone who may be interested.
    Posted: Dec 9, 2011 By: 123Simples Member since: Jul 10, 2011
    #1
  2. James1980

    James1980 UKBF Regular Free Member

    Posts: 322 Likes: 93
    I caught this yesterday, but rather serendipip.. serendillupus... rather luckily I seem to have accidentally killed it when I went to shut down my PC.

    As part of the shutdown procedure it seems Windows killed the malware, but because I had an unsaved file open on my desktop, it paused and asked if I wanted to save it. I cancelled the shutdown procedure and then did a full scan with Antimalware Bytes and Windows Essential Security.

    This seems to have done the trick... but I haven't rebooted my PC since. Fingers crossed and all that.

    It would be interesting to know if the unlock code is the same for all PCs. I seem to recall this was the case with a piece of ransomware from a few years ago - it was something trivial like "1234".


    James
    Posted: Dec 9, 2011 By: James1980 Member since: Sep 3, 2009
    #2
  3. 123Simples

    123Simples UKBF Enthusiast Free Member

    Posts: 784 Likes: 253
    I think you are right on the unlock code James - it will be interesting to hear from you when you reboot the PC to see if you have killed it, or it is just hiding somewhere

    My advice would be (just to make sure) to boot up in Safe Mode with Command Prompt, do a complete MalwareBytes Scan and Anti Virus check. From what I can see this virus can be awkward inasmuch it has maybe changed how it does work because there seem to be so many conflicting ideas on how to find it/remove it.
    Posted: Dec 9, 2011 By: 123Simples Member since: Jul 10, 2011
    #3
  4. iXtremeLuke

    iXtremeLuke UKBF Newcomer Free Member

    Posts: 1 Likes: 0
    I got this Trojan an hour ago. It got removed with Malwarebytes. It locked my computer down but I simply pressed Shut Down and the computer closed all programs except Avast and Explorer.exe
    Posted: Dec 10, 2011 By: iXtremeLuke Member since: Dec 10, 2011
    #4
  5. TonyHarbon

    TonyHarbon UKBF Newcomer Free Member

    Posts: 18 Likes: 2
    One further cautionary tale is that trojans like to bring their friends along to play when you inadvertently download them onto your PC. Our standard practice is to reformat the hard drive and re-build a PC that gets infected with a trojan because it's the only way that you can be sure that you are not now part of a Botnet!

    :(

    Tony Harbon
    Posted: Dec 12, 2011 By: TonyHarbon Member since: Nov 24, 2011
    #5
  6. 123Simples

    123Simples UKBF Enthusiast Free Member

    Posts: 784 Likes: 253
    I do agree - if I feel that the system has been compromised in this way, I would almost certainly reformat the hard drive. I would also suggest that if a hard drive is partitioned, that a thorough scan is run after the format procedure. If in doubt clear everything out and start afresh.
    Posted: Dec 12, 2011 By: 123Simples Member since: Jul 10, 2011
    #6
  7. Bill1954

    Bill1954 UKBF Regular Full Member - Verified Business

    Posts: 416 Likes: 59
    I agree with the formatting advice, and a full format not just a boot sector format, but rebuilding the whole PC seems a bit like overkill.
    Posted: Dec 12, 2011 By: Bill1954 Member since: May 24, 2010
    #7
  8. 123Simples

    123Simples UKBF Enthusiast Free Member

    Posts: 784 Likes: 253
    I would guess (or hope) that Tony meant re-building the software side of it as yes there is no reason to literally REBUILD the whole hardware side of it at all - that would be overkill :)
    Posted: Dec 12, 2011 By: 123Simples Member since: Jul 10, 2011
    #8
  9. rachaelx

    rachaelx UKBF Newcomer Free Member

    Posts: 1 Likes: 0
    I know this is probably a long shot but I just wanted to post my experience on the off chance that the horrible, selfish, thuggish people that started this scam read others' experiences for the fun of it.

    I hope they do. This thread would be really helpful if I had been able to see it before my computer was hijacked.
    It was my father's funeral last week, which I had to pay for with the money I had saved up for Christmas. Then, my computer came up with that sick horrible virus and I panicked, assuming my son had clicked on some website accidentally. I paid the £100, and when that didn't resolve the situation I realised it was a scam. I then had to pay a further £60 to get a technician to remove the virus.
    I literally now have no money for Christmas. Instead, my money is in the pockets of those horrible people that set this up. My kids won't have a proper Christmas dinner and I can't buy the presents I was planning on getting them. I feel really sick that this has happened to me with everything else that has gone on this month.
    I hope whoever did this, you will read this and realise how it has affected my life. You don't deserve the money I have worked so hard to save this year and I know I probably won't ever get it back. I just hope that this catches up with you, and you end up in some jail with some other villains making your Christmas special.
    Posted: Dec 15, 2011 By: rachaelx Member since: Dec 15, 2011
    #9
  10. 123Simples

    123Simples UKBF Enthusiast Free Member

    Posts: 784 Likes: 253
    Hi rachaelx

    Sorry to hear about your Dad. Sadly these kind of people don't even care and that is why they do this sort of stuff. I would however advise you to contact your bank and tell them what has happened, and make sure that your bank account details are safe.
    Also contact your local police and explain what has happened.

    There is no such thing as a "victimless crime" and you should report this, but please do check with your bank IMMEDIATELY or whichever card issuer you may have used to pay this scum with.
    Posted: Dec 15, 2011 By: 123Simples Member since: Jul 10, 2011
    #10
  11. pcproblems

    pcproblems UKBF Regular Free Member

    Posts: 387 Likes: 51
    I had a look at a laptop with this earlier in the week.

    The customer was scared stiff and took it to our local Police Station where they put his mind at rest.

    The bug also corrupted his Norton AV

    I used Malwarebytes as always and it's perfect again. Actually, the police advised him to use Malwarebytes but he didn't fancy trying it himself.

    It was flagged as trojan.zbot.cbcgen
    Posted: Dec 15, 2011 By: pcproblems Member since: Jun 30, 2010
    #11
  12. Rasta Pickles

    Rasta Pickles UKBF Newcomer Free Member

    Posts: 326 Likes: 70
    Once you've installed everything you need then simply image your system.

    You can flash the image back over any damage in minutes rather than having to do a complete reinstall.

    Once a month, I reimage my system, download the latest Windows/Office updates and then create a new image.

    The most up-to-date, clean system is only ever about five minutes away.

    If you don't image, then booting Linux from a USB stick and running anti-virus software from that environment is very effective (the operating system runs on-the-fly from the USB stick so any virus on your hard drive is literally a sitting duck).
    Posted: Dec 15, 2011 By: Rasta Pickles Member since: Jun 15, 2010
    #12
  14. pcproblems

    pcproblems UKBF Regular Free Member

    Posts: 387 Likes: 51
    Just had another call about this. Customer has been told by their ISP to contact fraud people at local police as she paid the scammers.
    Posted: Dec 15, 2011 By: pcproblems Member since: Jun 30, 2010
    #14
  15. pcproblems

    pcproblems UKBF Regular Free Member

    Posts: 387 Likes: 51
    I see that this thread is now at the top of google for the search term:

    UKash - Metropolitan Police Virus Scam
    Posted: Dec 22, 2011 By: pcproblems Member since: Jun 30, 2010
    #15
  16. LindseyMaguire

    LindseyMaguire Guest

    Posts: 1 Likes: 0
    I'm in Hampshire and would welcome your assistance as one of our computers has this virus and I can't seem to get from Safe Mode with Command Prompt into any kind of position where I can activate AV software or stop the PC opening Windows. Your help would be much appreciated:


    Posted: Mar 8, 2012 By: LindseyMaguire Member since: Mar 8, 2012
    #16
  17. network engineer

    network engineer UKBF Newcomer Free Member

    Posts: 1 Likes: 0
    Came across the same problem with one of my clients.
    PC did have Norton 2012 installed but seems like the anti-virus didn't detect it.
    What worked for me to fix the problem is:
    1. Restart computer in Safe Mode
    2. Do a System Restore to a previous date before infection occurred.

    This deletes ALL data installed after this date including virus.
    Posted: Mar 15, 2012 By: network engineer Member since: Mar 15, 2012
    #17
  18. The JGG

    The JGG UKBF Newcomer Free Member

    Posts: 54 Likes: 10
    Hi Lindsey, in order to remove this malware, it is safe mode with networking, rather than safe mode command prompt you need.

    Once in SMWN, then download either Malwarebytes or HitmanPro.

    Both of these programs will remove the malware from your machine.

    @network engineer, just because you ran a system restore prior to the virus being downloaded does not mean that your machine is now 100% free of viruses. Can I respectfully suggest, that you run all your virus / malware programs on a full scan (after updating the definitions obviously). If required you can also run a couple of online scanners to ensure your machine is free.

    When I do virus removals, I use a 5 stage process, rather than a simple scan. That way I know the machine is clear of all traces.
    Posted: Mar 15, 2012 By: The JGG Member since: Jul 21, 2011
    #18
  19. jf9901

    jf9901 UKBF Newcomer Free Member

    Posts: 1 Likes: 0
    Hello there.
    I was watching Big Brother online when all of a sudden my screen locked and said that the Metro Police had locked my computer for downloading pirated material / child pornography / visiting banned sites, and that to unlock it I had to send them 100 quid. Safe to say I was shitting myself, but I immediately googled it from my other laptop and confirmed my suspicions that in fact it was a big fat scam! Luckily for me my uncle is a whiz with computers and told me how to fix it, 'cause like a right **** I don't have internet security. All I had to do was take my battery out without shutting down, then replace it, turn my comp on, then click Safe Mode at the start-up screen, which Windows brings up if you have not shut down properly. It started up fine on factory setting, no lock screen. Then you go on to Control Panel and click System Restore, then go through the motions and click on the earliest restore date before you got the virus and click Finish. It takes no more than 2 mins and it restarts your comp and everything is back to normal. It doesn't delete any of your files and it's 100% free !!!!:):D;)
    Posted: Jul 28, 2012 By: jf9901 Member since: Jul 28, 2012
    #19
  20. Websitehandyman

    Websitehandyman UKBF Newcomer Full Member

    Posts: 2,068 Likes: 525
    Funny this should crop up as I too had this for the first time yesterday afternoon. I had five or six windows open so can't track which click it was. But I used to work installing anti-virus for many years so I like to think I know a bit about how to avoid them.

    Microsoft Essentials didn't pick this up, which is a surprise as it's old code now.

    The easy way out for me was to reboot into basic mode and do a restore to another point, which for me was only the day before.
    Posted: Jul 28, 2012 By: Websitehandyman Member since: Nov 25, 2011
    #20