1 2 3 Previous Next 123 Replies Latest reply on Sep 10, 2012 10:07 AM by Hayton Branched to a new discussion.

    West Yorkshire Police Virus

      My question is similar to https://community.mcafee.com/message/236326


      My computer has been infiltrated by the Fake West Yorkshire Police Virus for a few days now. I previously had the Metropolitan Police Virus but managed to get onto safemode and do a system restore. However, this new virus pops up even on safe mode. As soon as I get onto any of the safe modes the full screen virus pops up. If I manually press the shutdown button the virus disappears and my desktops shows in preperation for shutdown. I have tried start > run > shutdown -a to abort shutdown but my computer still shuts down. Any suggestions on how to remove the virus or how I can get access to my desktop so I can install a antivirus programme?

        • 1. Re: West Yorkshire Police Virus

          I just posted the following in that thread as there isn't too much one can do if Safe Mode is unusable too.   Unless you can find an anti-malware scanner that will run from a USB Flash drive.


          I think the only solution left would be to use System Recovery Options.


          Here are some Tutorials (also some other links at the bottom of the first post in the 7 and Vista ones)


          Windows 7:  http://www.sevenforums.com/tutorials/668-system-recovery-options.html

          Vista:  http://www.vistax64.com/tutorials/194765-system-recovery-options.html?ltr=S

          XP:  There are many articles on this so I am just publishing the search results HERE

          • 2. Re: West Yorkshire Police Virus

            Moved this to Top Threats to be with the others. Leaving it open in case anyone else has this latest variant.


            Comment around the forums indicates that this latest variant is harder to remove than the Metropolitan Police and Strathclyde Police variants which have been around for several months, and the authors are getting a little careless - this one has been found outside the UK. The localisation code in the program should ensure that only the picture, language and currency appropriate for the country in which an infected PC is based should appear, and the program should exit without doing anything if the PC is in any country other than those in a list hard-coded into the program. Perhaps their beta testing was a little sloppy.


            By the way, the official advice from West Yorkshire Police is that if anyone (I presume they mean, anyone in their operational area) gets this, they should contact WYP and notify them. I assume their cybercrime unit is now involved, in which case their investigation will eventually make life very uncomfortable for a certain group of Russian-speaking individuals.




            Message was edited by: Hayton on 23/04/12 08:32:23 IST
            • 3. Re: West Yorkshire Police Virus

              Yesterday my system was attacked by this virus. by using malware i was able to remove this virus, but now most of my files (word, jpeg, excel etc) on my computer are prefixed with Locked and some wired extension (i.e locked-New master timesheet.xlsx.cyan). i cant open these files, is there any way i can repair these files ?


              Message was edited by: nit2k on 4/30/12 4:10:23 PM CDT
              • 4. Re: West Yorkshire Police Virus

                One thing that should help you : if you have a System Restore point, from before the date of the ransomware, that you can go back to, use System Restore. This may not fix the problem you have with locked and renamed files though.


                As a general guide to dealing with the Police ransomware, I would follow the advice given below by Microsoft and F-Secure. Remember that the initial symptoms may disguise the fact that other malicious programs have been downloaded and may be active on your system.


                This is the method recommended by Microsoft for dealing with the (slightly earlier) 'Metropolitan Police' variant of this ransomware, which they classify as Trojan:Win32/Reveton.A :

                If you are affected by this trojan, you may need to perform the following instructions to manually remove it:

                1. Press CTRL+O
                2. In the dialogue box that opens, type the following as is, then press Enter:
                3. In the command prompt window, type the following as is, then press Enter:
                  cd "%USERPROFILE%\Start Menu\Programs\StartUp"
                4. Still in the command prompt window, type the following as is, then press Enter:
                  del *.dll.lnk
                5. Still in the command prompt window, type the following as is, then press Enter:
                  shutdown -r -t 0



                F-Secure's advice is almost the same, but they are referring to a different variant. New strains of the malware seem to require a slightly different approach :

                1 – Press Ctrl-O (that's the letter O, not the number zero).

                2 – Select "Browse", go to c:\windows\system32 and open cmd.exe.

                3 – Type "explorer.exe" into the newly opened window. You should now be able to use the desktop again.

                4 – Browse to your Startup folder. The path will vary depending on the language settings and Windows version. The screenshot below shows the path on the English version of Windows XP. You will also have to replace "Administrator" with your user name in the path (unless you're already using the Administrator account, but lets not get started on that…).


                5 – Delete any entries you don't recognize. The names of the malicious entries may be different than the ones shown in the screenshot. If you are unsure, you can remove all entries, but at the risk of disabling other valid applications from automatically starting.

                6 – Reboot the computer.


                Both of them recommend that you then run a program to remove malware. Microsoft advise the Microsoft Safety Scanner; F-Secure recommend their own antivirus.


                You say that you removed the malware by using "malware" (Malwarebytes?) - obviously the repair was only partially successful. It sounds almost as if you only succeeded in removing the 'Police' picture - that's all it is, a jpeg that fills the screen and covers everything.


                I don't know if the McAfee Stinger program has been updated for this latest variant : it should have been by now. Try Stinger or the Microsoft Safety Scanner. Then run Malwarebytes (free version).


                Please let me know if the steps recommended above work : each new variant of the ransomware is slightly different, as the authors add to it and modify it.


                The files which are locked : do they all have the same suffix, and is that suffix ".cyan"?  Can you check one and tell us exactly what the new file name is and what it should be? I'll have to ask somewhere how to rename them and restore the file attributes.


                Message was edited by: Hayton on 01/05/12 01:35:21 IST
                • 5. Re: West Yorkshire Police Virus

                  Thanks for the reply. I tried both above steps but didn’t find any unwanted files in startup directory or other directory. Then i loaded the system on safe mode and ran malwarebytes, after complete scan it shows it have detected and removed some virus, after that i tried to clean registry, but didn’t find any suspicious entry.

                  it works for me and i was able to log into my computer without west Yorkshire police but unfortunately most of my files was renamed and it prefixed with "locked-" and some random 4 char extension(i.e werd, gawe, cyan, ....etc). it updated all the files including pst, some pdf,s favourite bar etc


                  Message was edited by: nit2k on 5/1/12 2:20:02 AM CDT
                  • 6. Re: West Yorkshire Police Virus

                    I too have the problem of the locked/renamed files. It is pretty catastrophic. For eg "file.txt." becomes "locked-file.txt.<random4letters>" ie locked-file.txt.abcd


                    When you try to rename it back to file.txt and open it it just comes out all jumbled. docs, music, video, programs.. I'd say at LEAST 75% of my computer. All the important stuff like windows works, but I have a lot of very important stuff that's locked :*(


                    As far as any virus scan shows, and I've done many, the virus is completely gone, EXCEPT for this locking and renaming/encrypting of files it has done. I've never seen anything so destructive.


                    PLEASE HELP!

                    • 7. Re: West Yorkshire Police Virus



                      Please find attached a print screen of an example of what it's done to my NETGEAR router folder. It's the same pretty much everywhere else in BOTH my HDDs

                      • 8. Re: West Yorkshire Police Virus

                        @nit2k, @countcristo,


                        Thanks for supplying that information. I asked because, as I said, each new version of this ransomware introduces some additional features. I've looked at the analyses of the previous versions and I don't see this behaviour there so it's likely to have been added for this release.


                        If simply renaming the files isn't working my guess is that a registry entry has been added or modified to scramble the file names. I'll try to get one of the McAfee techs to have a look at this to determine what that registry entry might be. In the meantime I'll keep looking elsewhere for other reports - someone may already have found the answer. If you find anything on the Net before I do can you post the information here? That will help the others.


                        I'll report back as soon as I've found anything relevant.

                        • 9. Re: West Yorkshire Police Virus

                          Thanks for replying Haydon. I think you're correct in that this is a very new string; there's not much anywhere about it, in fact here is the first place I've seen someone mention it after googling for hours. I would hope it's a simple case of deleting/modifying a reg entry and that it ihasn't scrambled these files for good. I will keep looking and let you know. I also have someone else looking into this (without success thus far).

                          1 2 3 Previous Next