
Thursday, January 12, 2012

Remove Strathclyde Police Ransomware (Uninstall Guide)

Today we encountered ransomware that poses as a warning from the "Strathclyde Police" and asks you to pay a fine for viewing illegal adult content. We believe this malware was created by the same group of cyber criminals who put some effort into distributing the Metropolitan Police ransomware. The back-end code is almost the same, except that this time the malware replaces explorer.exe instead of modifying the Windows registry. And this time the cyber crooks are targeting residents of Scotland. Upon execution, the Strathclyde Police virus locks the computer and displays a misleading warning claiming that you have been viewing adult content, and asks you to pay a £100 fine via Ukash, Paysafecard or other legitimate online payment services.
Attention!!!
Under the laws of the United Kingdom and investigation of Metropolitan Police Service and Strathclyde Police Your computer is locked to prevent illegal activity in the network.

Your IP-Address "[removed]". From this IP address it was visited sites containing banned scenes of violence against people......Unsolicited Bulk messages was send from your computer's IP address and it was recorded by SpamHaus this month. The computer has been blocked to prevent your illegal activities on the Internet.


Ukash employees were already aware of such incidents and posted a short statement. They warned not to pay the 'ransom' with Ukash vouchers to remove the virus, and to seek assistance from anti-virus companies and computer repair technicians instead. Ukash and Paysafecard are not in any way involved with this scam. We found out that the Strathclyde Police ransomware, as well as some other ransomware families, was distributed using the Blackhole Exploit Kit. It seems to be the most popular crimeware kit nowadays.

Anyway, if your computer is infected with the Strathclyde Police ransomware, please do not follow the instructions on screen. To remove the virus from your computer, please follow the removal instructions below. The removal guide has been created to help you remove this particular variant of the Strathclyde Police ransom Trojan. Keep in mind that this removal guide may not work if you have an updated or different variant of this malware. Just give it a try. If you have any questions, please leave a comment below. Good luck and be safe online!


Method 1: Strathclyde Police virus removal instructions using System Restore in Safe Mode with Command Prompt:

1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the Strathclyde Police ransomware will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer to an earlier date.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Strathclyde Police virus.


Method 2: Strathclyde Police malware removal instructions:

1. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key. Log in as the same user you were previously logged in with in normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. When Windows loads, the Windows command prompt will show up as shown in the image below. At the command prompt, type regedit and press Enter. The Registry Editor opens.



3. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right-hand pane select the registry value named Shell. Right-click on this value and choose Modify.



Default value is Explorer.exe.



Change the value data to iexplore.exe. Click OK to save your changes and exit the Registry Editor.



Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.



4. When Windows loads, there will be no icons. Don't worry, we will fix this soon. First, press Ctrl+Alt+Del or Ctrl+Shift+Esc and fire up Task Manager. Click File → New Task (Run...)



Type in iexplore and click OK or press Enter.



5. Now, you need to download a clean explorer.exe file and overwrite the infected one. Please make sure you download the file for your version of Windows:
Click on the link to download the file. Choose Save. Then browse to the C:\Windows folder and select the existing explorer.exe file. Click Save to overwrite the malicious explorer.exe file.



6. Open up Task Manager once again. Click File → New Task (Run...) as you previously did. Type in regedit and click OK to open Registry Editor.



Locate the same registry entry outlined in step 3 of this removal guide.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right-hand pane select the registry value named Shell. Right-click on this value and choose Modify. Delete iexplore.exe and type in Explorer.exe as it was before. Click OK to save changes.



Close Registry Editor and restart your computer.

7. Finally, download recommended anti-malware software (direct download) and run a full system scan. Remove found malware remnants and fix Windows errors. That's it! I hope this helps!

If your computer is still infected, please follow an alternate ransomware removal guide.
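The guide above touches three things a defender can verify directly: the Winlogon Shell value, the integrity of explorer.exe itself, and the autostart locations where leftovers tend to hide. The following read-only PowerShell audit is an added example written for this page; it is not the blog's own tool and it changes nothing on the machine. It assumes an elevated PowerShell prompt (Safe Mode is fine) and relies on two facts beyond the guide's text: Windows also honours a per-user Shell value under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which would explain why only one account is affected on some PCs, and the "Registry editing has been disabled by your administrator" popup corresponds to the DisableRegistryTools policy value. The temp-folder and Startup-folder checks generalise what several commenters found by hand.

```powershell
# Added example, not part of the original removal guide. Read-only audit of the
# persistence points this ransomware family abuses. Run elevated, ideally in Safe Mode.

$expectedShell = 'explorer.exe'
$findings = @()

# 1. Winlogon Shell value, machine-wide and per-user. HKCU normally has no Shell
#    value at all; if one exists it overrides HKLM for that account only.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) { continue }
    if ($shell.Trim().ToLower() -ne $expectedShell) {
        $findings += "Winlogon Shell at $key is '$shell' (expected '$expectedShell')"
    }
}

# 2. Integrity of the shell binary: this variant overwrites explorer.exe, so a
#    valid Microsoft Authenticode signature is the quickest sanity check.
$explorer = Join-Path $env:WINDIR 'explorer.exe'
$sig = Get-AuthenticodeSignature -FilePath $explorer
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "$explorer signature status: $($sig.Status) (signer: $($sig.SignerCertificate.Subject))"
}

# 3. Registry Editor disabled by policy. Legitimate on a managed domain PC,
#    suspicious on a home PC whose owner never set it.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$disableRegTools = (Get-ItemProperty -Path $polKey -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
if ($disableRegTools -gt 0) {
    $findings += "DisableRegistryTools = $disableRegTools under $polKey"
}

# 4. Autostart locations: Run keys whose target lives in a temp folder, and any
#    executable or script sitting in the per-user Startup folder.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match '\\Temp\\') {
            $findings += "Run entry '$($p.Name)' at $key points into a temp folder: $($p.Value)"
        }
    }
}
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.(exe|bat|cmd|vbs)$' } |
    ForEach-Object { $findings += "Executable in Startup folder: $($_.FullName)" }

if ($findings.Count -eq 0) {
    Write-Output 'No unexpected shell, policy or autostart entries found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Each FINDING line maps to one step of the guide: a wrong Shell value is fixed in step 3/6 of Method 2, a failed signature means explorer.exe still needs replacing (step 5), and a temp-folder or Startup entry is what the final anti-malware scan (step 7) should be cleaning up. The script only reports; decide on each finding before deleting anything, since Run entries from legitimate software can also point into temporary folders during updates.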

To learn more about ransomware, please read Remove Trojan.Ransomware (Uninstall Guide).

17 comments:

Lena said...

Damn scummers!
Both Ukash and Paysafecard are such a great payment method (however, I prefer Paysafecard), which makes it possible to shop online even if you don't have a credit card. And such cases just really upset me. We all have to be very careful online. Because even the safest payment method in the world won't help if you're not aware of what you're doing. Thank you for the article!

reptiliancivilian said...

When I get to the stage of reinstalling Explorer from the hyperlink, I get a dialogue box saying 'You'll need to provide administrator permission to copy this folder'. I have Windows 7 Starter. Any help?

Anonymous said...

Same as reptiliancivilian (Windows 7) .

The other issue is that a SPECIFIC USER account has the problem. The PC root account is NOT infected. Therefore the problem cannot be system wide (ie how can the system-wide "explorer" program have been overwritten by a user account) .

If anyone wishes to explain the above, please feel free to do so.

Also, the safe mode boot is not so necessary. I logged in as the user, got the problem. Switched user to root, brought up the task mgr. Killed all iexplore processes, and switched user back.

I am typing this now from that account. There are no toolbars/icons etc, but an explorer window was opened by the infection. I used this to start regedit as per the instructions.

Anonymous said...

I think I overwrote an Internet Explorer file rather than explorer. Now I have a black screen when logging in. Any ideas?

Anonymous said...

I have a message that comes up with "This version is not compatible with your system, check if you need an 86x (32 bit) or a 64x (64 bit) version of the software then contact the publisher". Help please!

Anonymous said...

Tried doing what you said, but once I changed the explorer to iexplore and rebooted I couldn't do anything else, as I can't run the task manager (the virus seems to have blocked it), also can't start up on safe mode (blue screen pops)

What do I do???

Anonymous said...

This virus devastated my W7 laptop.

Within seconds, various windows opened and then the "this computer is locked" message came up, but this turned out to be the least of my worries.

Multiple attempts to restart always failed with blank desktop, anti-virus disabled, hardware settings locked (volume, brightness), Windows restore corrupted, built-in back-up (in separate drive) corrupted.

I could start Windows in safe mode. Malwarebytes full scan worked but detected nothing. Nothing was found using REGEDIT or MSCONFIG. (I dare not risk connecting to the web to download anything such as ccleaner). I used safe mode to copy personal files (docs, photos) onto USB.

Luckily the built-in "restore PC system to factory default" was unaffected and I was able to use this to re-install Windows but all programs and non-backed up data were lost.

Anonymous said...

I hit this on Windows 7. Booting to safe mode with networking, installing Malwarebytes, bringing it to current level and running a quick scan found the offending item - a .bat file in c:\user\[profile]\appdata\local\temp. I needed to deselect 'hide protected operating system files' in order to see it in the folder.

As it was a bat file various other solutions mentioned above didn't work, e.g. looking for .exe in Search. Also, I was also able to login to the administrator account, so that might give another avenue for resolving this to anyone similarly infected.

Anonymous said...

C:\Documents and Settings\<> \Start Menu\Programs\Startup


Found a file in there called
arg157339.exe
renamed it
arg157339.exe.old

Found it by searching all .exe files created at the time of the virus.

Also looked in msconfig under startup and it was there too..

Paige said...

Having a problem downloading the replacement explorer.exe. I click on the file and choose overwrite but it keeps saying download failed. I have Windows 7.

Anonymous said...

This worked for me!
many thanks
Phil

Anonymous said...

typed "regedit" in dos
got "Registry editing has been disabled by your administrator." popup box.

Probably from the virus, since I don't remember disabling it. Any way to re-enable registry editing from DOS?

GD said...

When I boot in safe mode, I get a totally white screen that says 'Please wait while the connection is being established' in English and German. I can't get to the command prompt, or anything. Suggestions?

Anonymous said...

The file causing the problem on my computer was named C:\windows\system32\ABBY0_TAR.exe also an updater in the registry of the same name.

Anonymous said...

Fantastic! It worked using command prompt instructions.

Robbie Ap said...

I have tried to follow the reboot sequence but it keeps going to the BIOS setup utility screen and there are a series of menu options including Config, Date/time, Security, Startup, Restart and HDD diagnostic program. I can't get the laptop to the safe mode screen to start up. Any help would be appreciated.