Thursday 12 January 2012

Remove Strathclyde Police Ransomware (Uninstall Guide)

Today we encountered ransomware that poses as a warning from the "Strathclyde Police" and asks you to pay a fine for viewing illegal adult content. We believe this malware was created by the same group of cyber criminals who put some effort into distributing the Metropolitan Police ransomware. The back-end code is almost the same, except this time the malware replaces explorer.exe instead of modifying the Windows registry. And this time the cyber crooks are targeting residents of Scotland. Upon execution, the Strathclyde Police virus locks the computer and displays a misleading warning claiming that you have been viewing adult content, and asks you to pay a £100 fine via Ukash, Paysafecard or other legitimate online payment services.
Attention!!!
Under the laws of the United Kingdom and investigation of Metropolitan Police Service and Strathclyde Police Your computer is locked to prevent illegal activity in the network.

Your IP-Address "[removed]". From this IP address it was visited sites containing banned scenes of violence against people......Unsolicited Bulk messages was send from your computer's IP address and it was recorded by SpamHaus this month. The computer has been blocked to prevent your illegal activities on the Internet.


Ukash employees were already aware of such incidents and posted a short statement. They warned not to pay the 'ransom' with Ukash vouchers to remove the virus, and to seek assistance from anti-virus companies and computer repair technicians instead. Ukash and Paysafecard are not in any way involved with this scam. We found out that the Strathclyde Police ransomware, as well as some other ransomware families, was distributed using the Blackhole Exploit Kit. It seems to be the most popular crimeware kit nowadays.

Anyway, if your computer is infected with the Strathclyde Police ransomware, please do not follow the instructions on screen. To remove the virus from your computer, please follow the removal instructions below. The removal guide has been created to help you remove this particular variant of the Strathclyde Police ransom Trojan. Keep in mind that this removal guide may not work if you got an updated or different variant of this malware. Just give it a try. If you have any questions, please leave a comment below. Good luck and be safe online!


Method 1: Strathclyde Police virus removal instructions using System Restore in Safe Mode with Command Prompt:

1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the Strathclyde Police ransomware will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer to an earlier date.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Strathclyde Police virus.


Method 2: Strathclyde Police malware removal instructions:

1. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key. Log in as the same user you were previously logged in as in normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. When Windows loads, the Windows command prompt will show up as shown in the image below. At the command prompt, type regedit and press Enter. The Registry Editor opens.



3. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right-hand pane select the registry value named Shell. Right-click on this value and choose Modify.



Default value is Explorer.exe.



Change the value data to iexplore.exe. Click OK to save your changes and exit the Registry Editor.



Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.



4. When Windows loads, there will be no icons. Don't worry, we will fix this soon. First, press Ctrl+Alt+Del or Ctrl+Shift+Esc and fire up Task Manager. Click File → New Task (Run...).



Type in iexplore and click OK or press Enter.



5. Now, you need to download a clean explorer.exe file and overwrite the infected one. Please make sure you download the file for your version of Windows:
Click on the link to download the file. Choose Save. Then browse to the C:\Windows folder and select the existing explorer.exe file. Click Save to overwrite the malicious explorer.exe file.



6. Open up Task Manager once again. Click File → New Task (Run...) as you previously did. Type in regedit and click OK to open Registry Editor.



Locate the same registry entry outlined in step 3 of this removal guide.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right-hand pane select the registry value named Shell. Right-click on this value and choose Modify. Delete iexplore.exe and type in Explorer.exe as it was before. Click OK to save changes.



Close Registry Editor and restart your computer.

7. Finally, download recommended anti-malware software (direct download) and run a full system scan. Remove found malware remnants and fix Windows errors. That's it! I hope this helps!
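After either method, it is worth confirming that the two things this variant tampers with, the Winlogon Shell value and explorer.exe itself, are back to normal. The following PowerShell script is an added example and not part of the original guide; it assumes an elevated prompt, and the known-good hash is a placeholder you would take from a clean machine running the same Windows build.

```powershell
# Added example, not from the original guide: verify the Winlogon Shell value and
# explorer.exe after removing the Strathclyde Police ransomware. Run elevated.
$winlogonHKLM = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonHKCU = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$explorer     = Join-Path $env:windir 'explorer.exe'
# Placeholder (assumption): SHA256 of explorer.exe copied from a clean machine
# with the same Windows version and service pack.
$knownGood    = '<SHA256-OF-CLEAN-EXPLORER-EXE>'
$findings     = @()

# 1. The machine-wide Shell value must be exactly explorer.exe. Anything else, including
#    iexplore.exe left over from step 3 of Method 2, means the shell is still redirected.
$shell = (Get-ItemProperty -Path $winlogonHKLM -Name Shell -ErrorAction SilentlyContinue).Shell
if (-not $shell) {
    $findings += 'HKLM Winlogon\Shell is missing (default is explorer.exe)'
} elseif ($shell.Trim() -ne 'explorer.exe') {
    $findings += "HKLM Winlogon\Shell is '$shell' instead of explorer.exe"
}

# 2. A per-user Shell value overrides the machine-wide one, so a replacement shell
#    can also be planted there. It is normally absent on a clean machine.
$userShell = (Get-ItemProperty -Path $winlogonHKCU -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) { $findings += "HKCU Winlogon\Shell is set to '$userShell'" }

# 3. explorer.exe: compare its SHA256 with the known-good copy (works on PowerShell 2.0,
#    unlike Get-FileHash) and check the Authenticode signature. explorer.exe is
#    catalog-signed, so older Windows versions may report NotSigned even when clean;
#    treat the hash comparison as the authoritative check there.
$bytes = [System.IO.File]::ReadAllBytes($explorer)
$hash  = ([System.BitConverter]::ToString(
            [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes))) -replace '-', ''
if ($hash -ne $knownGood) {
    $findings += "explorer.exe SHA256 $hash does not match the known-good copy"
}
$sig = Get-AuthenticodeSignature -FilePath $explorer
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "explorer.exe signature status is $($sig.Status) (see catalog note above)"
}

if ($findings.Count -eq 0) {
    'No tampering found in Winlogon\Shell or explorer.exe'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A hash mismatch after you have replaced the file usually means the clean copy came from a different Windows build or service pack, so double-check the source before treating it as a sign of remaining infection.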

If your computer is still infected, please follow an alternate ransomware removal guide.

To learn more about ransomware, please read Remove Trojan.Ransomware (Uninstall Guide).