My question is similar to https://community.mcafee.com/message/236326
My computer has been infiltrated by the Fake West Yorkshire Police Virus for a few days now. I previously had the Metropolitan Police Virus but managed to get onto safe mode and do a system restore. However, this new virus pops up even in safe mode. As soon as I get onto any of the safe modes the full-screen virus pops up. If I manually press the shutdown button the virus disappears and my desktop shows in preparation for shutdown. I have tried start > run > shutdown -a to abort the shutdown but my computer still shuts down. Any suggestions on how to remove the virus or how I can get access to my desktop so I can install an antivirus programme?
malwarebytes found it and killed it seemingly. It could be found in the registry under the Run section of Current User in Windows, but I wasn't 100% sure that was the culprit. Things looking ok now, going to do a few scans and none of the files are encrypted.
I just posted the following in that thread as there isn't too much one can do if Safe Mode is unusable too. Unless you can find an anti-malware scanner that will run from a USB Flash drive.
I think the only solution left would be to use System Recovery Options.
Here are some Tutorials (also some other links at the bottom of the first post in the 7 and Vista ones)
XP: There are many articles on this so I am just publishing the search results HERE
Moved this to Top Threats to be with the others. Leaving it open in case anyone else has this latest variant.
Comments around the forums indicate that this latest variant is harder to remove than the Metropolitan Police and Strathclyde Police variants which have been around for several months, and the authors are getting a little careless - this one has been found outside the UK. The localisation code in the program should ensure that only the picture, language and currency appropriate for the country in which an infected PC is based appear, and the program should exit without doing anything if the PC is in any country other than those in a list hard-coded into the program. Perhaps their beta testing was a little sloppy.
By the way, the official advice from West Yorkshire Police is that if anyone (I presume they mean anyone in their operational area) gets this, they should contact WYP and notify them. I assume their cybercrime unit is now involved, in which case their investigation will eventually make life very uncomfortable for a certain group of Russian-speaking individuals.
Message was edited by: Hayton on 23/04/12 08:32:23 IST
I did the Dr.Web decryption and it has worked. What a guy! If I had not got that done I was going to have to leave my course after a year. I am just wondering what to do now with all the locked files, as they are still there with the new unlocked files.
@dominic29 : you need to manually delete the old (encrypted) files. See post #43.
@dubedford : running all those tools must have done something to your system. The best advice I've found is to run Bootrec.exe - see http://support.microsoft.com/kb/927392
If you can't get that to work then see
There are a number of similar threads over on the Microsoft forums, but each error message seems to have a different underlying cause so I won't point you towards any specific thread : the recommendations are all different.
You may need to ask over there for assistance. The Windows 7 Miscellaneous forum might be your best bet - go to http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/threads.
Message was edited by: Hayton on 12/05/12 06:30:25 IST
Many thanks for your swift response and kind reply.
Your leads have possibly helped along the way. Whilst bootrec won't run from my recovery disk, I have managed to download, burn and run a copy, which allowed me to try fixing it using the repair utility and the various (internet) advised fixes through the cmd prompt. This moved me on to at least getting a new error message, regarding a missing %hs, which in googling took me to this page:
Unfortunately, that's where I'm up to now: I have downloaded, burnt and run the Hiren's BootCD facility, which means I'm now able to edit the registry, only the virus at hand isn't affecting the registry in the same way as that discussed on the above page.
Will look to post on the suggested site, and will be happy to update here should I find the solution.
What a great way to spend the weekend.
Yesterday my system was attacked by this virus. By using malware I was able to remove this virus, but now most of my files (Word, JPEG, Excel etc.) on my computer are prefixed with "locked" and some weird extension (i.e. locked-New master timesheet.xlsx.cyan). I can't open these files. Is there any way I can repair these files?
Message was edited by: nit2k on 4/30/12 4:10:23 PM CDT
One thing that should help you : if you have a System Restore point, from before the date of the ransomware, that you can go back to, use System Restore. This may not fix the problem you have with locked and renamed files though.
As a general guide to dealing with the Police ransomware, I would follow the advice given below by Microsoft and F-Secure. Remember that the initial symptoms may disguise the fact that other malicious programs have been downloaded and may be active on your system.
This is the method recommended by Microsoft for dealing with the (slightly earlier) 'Metropolitan Police' variant of this ransomware, which they classify as Trojan:Win32/Reveton.A :
If you are affected by this trojan, you may need to perform the following instructions to manually remove it:
- Press CTRL+O
- In the dialogue box that opens, type the following as is, then press Enter:
- In the command prompt window, type the following as is, then press Enter:
cd "%USERPROFILE%\Start Menu\Programs\StartUp"
- Still in the command prompt window, type the following as is, then press Enter:
- Still in the command prompt window, type the following as is, then press Enter:
shutdown -r -t 0
F-Secure's advice is almost the same, but they are referring to a different variant. New strains of the malware seem to require a slightly different approach :
1 – Press Ctrl-O (that's the letter O, not the number zero).
2 – Select "Browse", go to c:\windows\system32 and open cmd.exe.
3 – Type "explorer.exe" into the newly opened window. You should now be able to use the desktop again.
4 – Browse to your Startup folder. The path will vary depending on the language settings and Windows version. The screenshot below shows the path on the English version of Windows XP. You will also have to replace "Administrator" with your user name in the path (unless you're already using the Administrator account, but let's not get started on that…).
5 – Delete any entries you don't recognize. The names of the malicious entries may be different than the ones shown in the screenshot. If you are unsure, you can remove all entries, but at the risk of disabling other valid applications from automatically starting.
6 – Reboot the computer.
Both of them recommend that you then run a program to remove malware. Microsoft advise the Microsoft Safety Scanner; F-Secure recommend their own antivirus.
You say that you removed the malware by using "malware" (Malwarebytes?) - obviously the repair was only partially successful. It sounds almost as if you only succeeded in removing the 'Police' picture - that's all it is, a jpeg that fills the screen and covers everything.
Please let me know if the steps recommended above work : each new variant of the ransomware is slightly different, as the authors add to it and modify it.
The files which are locked : do they all have the same suffix, and is that suffix ".cyan"? Can you check one and tell us exactly what the new file name is and what it should be? I'll have to ask somewhere how to rename them and restore the file attributes.
Message was edited by: Hayton on 01/05/12 01:35:21 IST
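Both procedures above end with "delete any entries you don't recognize" in the Startup folder. The script below is an added example (not from this thread, Microsoft or F-Secure) that records what is in that folder before anything is deleted: name, size, SHA-256 and whether Windows would launch the entry at logon. The demo folder, the file names in it and the `KNOWN_GOOD` allowlist are all constructed for the example; on a real machine you would pass the path shown by the procedure above (`%USERPROFILE%\Start Menu\Programs\StartUp` on XP) and extend the allowlist with the entries you recognise.

```python
"""Inventory a Windows Startup folder before hand-deleting entries (added example).

Produces one record per file so that a triage note or a later scan has the
hashes, rather than relying on memory of what was removed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions Windows will launch from the Startup folder at logon.
LAUNCHABLE = {".exe", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".scr", ".com", ".pif"}

# Assumed allowlist of entries the user has recognised as legitimate; edit per machine.
KNOWN_GOOD = {"desktop.ini"}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_startup_folder(folder: Path) -> List[Dict]:
    """One record per file; 'review' marks launchable entries not on the allowlist."""
    records = []
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        suffix = entry.suffix.lower()
        launchable = suffix in LAUNCHABLE
        records.append({
            "name": entry.name,
            "size": entry.stat().st_size,
            "sha256": sha256_of(entry),
            "launchable": launchable,
            "review": launchable and entry.name.lower() not in KNOWN_GOOD,
        })
    return records


def entries_to_review(folder: Path) -> List[str]:
    """Names the user should look at before deciding what to delete."""
    return [r["name"] for r in audit_startup_folder(folder) if r["review"]]


def build_demo_folder() -> Path:
    """Constructed sample Startup folder: a benign marker file and two unknown launchable entries."""
    root = Path(tempfile.mkdtemp(prefix="startup-demo-"))
    (root / "desktop.ini").write_text("[.ShellClassInfo]\n")
    # Placeholder names and bytes; not real shortcuts or executables.
    (root / "example.lnk").write_bytes(b"L\x00\x00\x00 placeholder")
    (root / "unknown1.exe").write_bytes(b"MZ placeholder")
    return root


if __name__ == "__main__":
    demo = build_demo_folder()
    for rec in audit_startup_folder(demo):
        flag = "REVIEW" if rec["review"] else "ok"
        print(f"{flag:6} {rec['name']:16} {rec['size']:6d} {rec['sha256'][:16]}...")
```

The script only reports; deleting is still the manual step the procedures describe, and the hashes let you check a removed entry against a scanner afterwards.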
Thanks for the reply. I tried both of the above steps but didn't find any unwanted files in the startup directory or any other directory. Then I loaded the system in safe mode and ran Malwarebytes; after the complete scan it showed it had detected and removed some virus. After that I tried to clean the registry, but didn't find any suspicious entry.
It works for me and I was able to log into my computer without West Yorkshire Police, but unfortunately most of my files were renamed and prefixed with "locked-" and some random 4-char extension (i.e. werd, gawe, cyan, ...etc.). It updated all the files including PST, some PDFs, the favourites bar, etc.
Message was edited by: nit2k on 5/1/12 2:20:02 AM CDT
I too have the problem of the locked/renamed files. It is pretty catastrophic. For example, "file.txt" becomes "locked-file.txt.<random4letters>", i.e. locked-file.txt.abcd
When you try to rename it back to file.txt and open it, it just comes out all jumbled. Docs, music, video, programs... I'd say at LEAST 75% of my computer. All the important stuff like Windows works, but I have a lot of very important stuff that's locked :*(
As far as any virus scan shows, and I've done many, the virus is completely gone, EXCEPT for this locking and renaming/encrypting of files it has done. I've never seen anything so destructive.
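The renamed files that several posters describe share one pattern: "file.txt" becomes "locked-file.txt.abcd" with a random four-letter tag, and renaming back does not help because the contents are encrypted. The script below is an added example (not from this thread or from any decryption tool) that inventories such files in a folder, pairs each with a restored copy if one is already present (the situation in the "what to do with the locked files" post above), and checks the first bytes against the magic number expected for the original type to show why a bare rename yields a jumbled file. The sample directory, file names and contents are constructed; the `MAGIC` table is an assumed list of common types.

```python
"""Inventory files renamed by the ransomware discussed in this thread (added example)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# "locked-<original name with extension>.<four letters>"; the original must itself
# contain a dot so that a legitimate name such as "locked-photo.jpeg" is not matched.
LOCKED_RE = re.compile(r"^locked-(?P<orig>.+\..+)\.(?P<tag>[a-z]{4})$", re.IGNORECASE)

# Expected leading bytes for common original types (assumed list; extend as needed).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04", ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0", ".pst": b"!BDN",
}


def parse_locked_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (original name, tag) for a renamed file, or None if the name does not match."""
    match = LOCKED_RE.match(name)
    if not match:
        return None
    return match.group("orig"), match.group("tag").lower()


def header_matches(path: Path, original_name: str) -> Optional[bool]:
    """True/False when the original extension has a known magic number, None otherwise."""
    magic = MAGIC.get(Path(original_name).suffix.lower())
    if magic is None:
        return None
    with path.open("rb") as fh:
        return fh.read(len(magic)) == magic


def inventory(folder: Path) -> List[Dict]:
    """One record per locked file found under folder (recursive)."""
    rows = []
    for path in sorted(folder.rglob("*")):
        if not path.is_file():
            continue
        parsed = parse_locked_name(path.name)
        if parsed is None:
            continue
        original, tag = parsed
        counterpart = path.with_name(original)
        rows.append({
            "locked": str(path.relative_to(folder)),
            "original": original,
            "tag": tag,
            "restored_copy_present": counterpart.is_file() and counterpart.stat().st_size > 0,
            "locked_header_ok": header_matches(path, original),  # False: renaming alone won't fix it
        })
    return rows


def safe_to_remove(rows: List[Dict]) -> List[str]:
    """Locked files that already have a non-empty restored copy beside them."""
    return [r["locked"] for r in rows if r["restored_copy_present"]]


def build_demo() -> Path:
    """Constructed sample tree: two locked files, one of which has a restored copy."""
    root = Path(tempfile.mkdtemp(prefix="locked-demo-"))
    (root / "locked-New master timesheet.xlsx.cyan").write_bytes(b"\x8a\x1f\x00\x77" + b"\x00" * 16)
    (root / "locked-report.pdf.werd").write_bytes(b"\x11\x22\x33\x44" + b"\x00" * 16)
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n% constructed restored copy\n")
    (root / "notes.txt").write_text("untouched file\n")
    return root


if __name__ == "__main__":
    demo = build_demo()
    rows = inventory(demo)
    for row in rows:
        print(row)
    print("safe to remove once verified:", safe_to_remove(demo and rows))
```

Nothing is deleted by the script; `safe_to_remove` only lists the locked originals whose restored copy exists, so the manual clean-up can be checked against the list rather than done by eye across thousands of files.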