Metropolitan Police scam

Metropolitan Police fake warning

Thousands of computers, primarily in Europe, are currently being attacked and hijacked by a virus known as the Metropolitan Police scam. The first thing you see after your PC has been infected with this ransomware is the following statement: ‘Metropolitan Police. Attention! Illegal activity was revealed!’ Ransomware is malware that seizes your PC, locks it so that you can hardly do anything with it, and then scares you with a message claiming that you were caught downloading, watching and spreading illegal content. It says that this supposed illegal behavior on your part is the reason for the lock. The malware then demands a certain amount of money to fix the problem, promising not to report these supposed offenses if you pay via the Ukash service. For this reason some users whose PCs were infected call it the Ukash virus; however, it has nothing to do with the Ukash company, which neither spreads this virus nor supports the fraudulent activities of the cyber criminals who created this frightening program.

Let us first look at how this virus acts on your system once it has got in. If your browser is being hijacked to the Metropolitan Police background page, your PC is evidently also infected with the browser hijacker known as the ZeroAccess / TDSS rootkit. This browser hijack is connected with a group of online crooks who use various tricky yet powerful and destructive applications to redirect your home page and search engine queries via certain IP addresses, in order to prompt you into making a payment, supposedly as the fine for unlocking your system.

As soon as this ransomware is installed and running on your PC, a DNS redirect virus is executed every time you click on a result link in most of the popular search engines. This makes your default browser (Firefox, Internet Explorer, Chrome or any other web browser) redirect to and show the scam message known as the Metropolitan Police warning.

One thing you need to realize is that you should not make any payment to these crooks! The notifications described above are entirely bogus and were not sent to you by any police office, wherever you are located. This scam was created to scare you and steal your funds without you receiving anything in return. Never disclose Ukash voucher information to fraudsters claiming to be police officers. They are attacking many workstations with their scareware, stating that the lock is due to the detection of illegal or pirated material on your computer.

The virus in fact encrypts the information on the HDD of your PC, and the fraudsters then ask for a ransom payment by various payment methods, not only Ukash vouchers, allegedly in order to remove the encryption. Never disclose Ukash voucher information to these hackers, as you will lose your funds and may not have the threat eliminated at all. To report this crime, contact the Action Fraud department at the telephone number 0300 123 2040.

Metropolitan Police important removal milestones:

  1. Restart your system into “Safe Mode with Command Prompt”. While the PC is booting, keep pressing the F8 key, which should bring up the “Windows Advanced Options Menu” as presented in the image below. Use the arrow keys to move to “Safe Mode with Command Prompt” and press the Enter key. Log in as the same user you were previously logged in as in normal Windows mode.
  2. [Screenshot: Safe Mode with Command Prompt]
  3. Once Windows boots successfully, the Windows command prompt appears as shown in the screenshot below. At the command prompt, type the word “explorer” and press Enter. Windows Explorer should open. Do not close it yet; you can minimize it for a while.
  4. Afterwards, open the Registry Editor from the same Windows command prompt. Type the word “regedit” and press Enter. The Registry Editor should open.
  5. You know what it normally looks like, don’t you? Well, here is the screenshot of it:

    [Screenshot: Registry Editor]

  6. Find the following registry entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

    In the right-side panel select the registry entry named Shell. Right-click this registry entry and select the “Modify” option. Its default value should be “Explorer.exe”. However, the Metropolitan Police virus has done its job, so after you click “Modify” you will see a totally different value for this registry entry.

  7. Copy the location given in the modified value of the above-mentioned registry entry onto a piece of paper, or memorize it. It shows exactly where the main executable of the Metropolitan Police virus is located.
  8. Change the value of the registry entry back to “explorer.exe” and save the settings of the Registry Editor.
  9. Go to the location indicated in the value of the modified registry entry, using the file location you copied onto the piece of paper or otherwise noted earlier, and remove the malicious file. In our case, the “Metropolitan Police” virus file was located on and running from the Desktop. It was a file called “contacts.exe”, but it may have a different (random) name.
  10. Get back to “Normal Mode”. To reboot your PC, type the following at the command prompt: “shutdown /r /t 0” (without the quotation marks) and press Enter.
  11. The virus should be gone. However, in order to clean your PC of other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer.

Associated virus files to be removed:

[random].exe

Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[random].exe"
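
The registry check from steps 6 to 9, written as a PowerShell script (an added example, not part of the original guide or of any tool it mentions). It reads the Winlogon Shell value, reports any executable other than explorer.exe together with its SHA-256, and resets the value only when run with the script's own `-Restore` switch; checking HKCU in addition to the HKLM key named above is an assumption of this example.

```powershell
# Added example, not from the original guide. Read-only unless -Restore is given.
param([switch]$Restore)

$expected = 'explorer.exe'
$subKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# HKLM is the key named in the guide; also checking HKCU is an assumption of
# this example (a per-user Shell value takes precedence when present).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $path = Join-Path $hive $subKey
    $prop = Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue
    if (-not $prop) { "[{0}] no Shell value set" -f $path; continue }

    $value = [string]$prop.Shell
    if ($value.Trim() -ieq $expected) { "[{0}] OK: {1}" -f $path, $value; continue }
    "[{0}] MODIFIED: {1}" -f $path, $value

    # The value can hold several comma-separated commands, each possibly quoted
    # and followed by arguments; pull the executable path out of each one.
    foreach ($entry in ($value -split ',')) {
        if ($entry -notmatch '^\s*"?(.+?\.exe)') { continue }
        $exe = $Matches[1]
        if ($exe -ieq $expected) { continue }
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            "    referenced file not found: $exe"; continue
        }
        # Record size, timestamp and SHA-256 before removing the file (step 9).
        $file   = Get-Item -LiteralPath $exe -Force
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($file.FullName)
        try     { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
        finally { $stream.Dispose() }
        "    file:   {0}" -f $file.FullName
        "    size:   {0} bytes, modified {1:yyyy-MM-dd HH:mm:ss}" -f $file.Length, $file.LastWriteTime
        "    sha256: {0}" -f $hash
    }

    if ($Restore) {
        # Step 8 of the guide: put the default shell back. HKLM needs admin rights.
        Set-ItemProperty -Path $path -Name Shell -Value $expected
        "    Shell reset to $expected"
    }
}
```

The script never deletes the reported file; removing it remains the manual step described in step 9.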
