
Ukash / Police Ransomware

Posted: Thu Apr 25, 2013 1:00 pm
by spectre
Similar topics may have been covered previously but as this is prolific in my area I thought it would be helpful to start a new thread to warn people.
At this moment, the most common type of ransomware is the ‘Police Trojan’, which will display a bogus notification that pretends to be from your local law enforcement agency and states that your computer has been blocked due to it being involved with the distribution of pornographic material, SPAM and copyrighted content.
The Police virus will lock you out of your computer and applications, so whenever you try to log on to your Windows operating system or Safe Mode with Networking, it will instead display a lock screen asking you to pay anywhere from 100 to 200 Euro/$ in the form of a MoneyPak, Ukash or PaySafeCard code.
Furthermore, to make this alert seem more authentic, this virus also has the ability to access your installed webcam so that the alert shows what is happening in the room.

Info taken from hxxp://malwaretips.com/blogs/remove-police-trojan, who also appear to have the most effective tips for removal. I would advise ignoring option 2 - System Restore.

Yesterday, none of the tips I found there or elsewhere would work. I had to remove the HDD & scan it through another machine. Problem was eventually resolved by MSE which detected Win32/Nymaim.
MBAM then found Hijack.shell.gen (winlogon/shell)
Currently I have no idea where people are getting this malware from.

Images vary by country, state & county!
I have been unable to get my own screenshots so here are a couple I found.

[url=http://i33.tinypic.com/2eb7ub7.jpg t=_self] [img]http://i33.tinypic.com/2eb7ub7.jpg[/img][/url]

[url=http://i36.tinypic.com/2z5uek8.jpg t=_self][img]http://i36.tinypic.com/2z5uek8.jpg[/img][/url]
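
Added example, not part of the original post: the winlogon/shell hijack that MBAM flagged can be checked directly on a disk attached to a second machine by loading its registry hives and comparing the Winlogon Shell and Userinit values with the stock defaults. The drive letter `E:\`, the mount name `OfflineAudit` and the function name `Test-WinlogonHive` are assumptions made for this example.

```powershell
# Added example (not from the thread): audit Winlogon Shell/Userinit in the
# registry hives of a disk attached to a clean machine. Run elevated.
param(
    [string]$OfflineRoot = 'E:\'   # assumption: drive letter of the attached disk
)

$winlogon = 'Microsoft\Windows NT\CurrentVersion\Winlogon'
# Stock data on a default install to C:\Windows; anything else needs a closer look.
$expected = @{
    Shell    = '^explorer\.exe$'
    Userinit = '^C:\\Windows\\system32\\userinit\.exe,?$'
}

function Test-WinlogonHive {
    param([string]$HiveFile, [string]$SubKey, [string]$Label)
    # Temporary mount point under HKLM (hypothetical name chosen for this example).
    & reg.exe load 'HKLM\OfflineAudit' $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $HiveFile"; return }
    try {
        $props = Get-ItemProperty -Path "HKLM:\OfflineAudit\$SubKey" -ErrorAction SilentlyContinue
        foreach ($name in $expected.Keys) {
            $data = $props.$name
            if ($null -eq $data) { continue }   # value absent: nothing overrides the default
            [pscustomobject]@{
                Hive       = $Label
                Value      = $name
                Data       = $data
                Suspicious = ($data -notmatch $expected[$name])
            }
        }
    } finally {
        $props = $null
        [gc]::Collect()                         # drop open handles so the hive unloads
        & reg.exe unload 'HKLM\OfflineAudit' | Out-Null
    }
}

# Machine-wide hive first, then each profile's per-user hive (Vista-or-later layout).
$results = @(Test-WinlogonHive (Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE') $winlogon 'SOFTWARE')
foreach ($dir in Get-ChildItem (Join-Path $OfflineRoot 'Users') -Directory -ErrorAction SilentlyContinue) {
    $ntuser = Join-Path $dir.FullName 'NTUSER.DAT'
    if (Test-Path -LiteralPath $ntuser) {
        $results += @(Test-WinlogonHive $ntuser "Software\$winlogon" "NTUSER ($($dir.Name))")
    }
}
$results | Format-Table -AutoSize
```

Loading a hive writes to it, so work on a copy of the hive files if the disk has to be preserved unchanged. A Shell value in a per-user hive is itself unusual, since a stock profile does not define one.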



RE: Ukash / Police Ransomware

Posted: Fri Apr 26, 2013 9:56 am
by Guest
Hi Shazza =

We have been having the same problem over here, and unfortunately it is being discussed via TV news, which is not always that helpful.
In the cases I have seen, it is mostly scareware, but some searching will indicate that the problem can be more problematic.
http://www.fbi.gov/news/stories/2012/august/new-internet-scam
http://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/fbi-moneypak-scam-removal/aa21d9c9-8362-432e-8c15-f17a6971b018?msgId=5d99c09d-75dd-42cd-bd02-b286b0e87abe
Thank you for this information, I think it is very important.


RE: Ukash / Police Ransomware

Posted: Fri Apr 26, 2013 10:31 am
by Guest
http://support.kaspersky.com/us/viruses/solutions?qid=208286527


http://support.kaspersky.com/viruses/deblocker


http://support.kaspersky.com/us/viruses/rescuedisk


http://forum.kaspersky.com/index.php?showtopic=238192

RE: Ukash / Police Ransomware

Posted: Fri Apr 26, 2013 10:39 am
by Guest
<quote user="leofelix">
http://support.kaspersky.com/us/viruses/solutions?qid=208286527


http://support.kaspersky.com/viruses/deblocker


http://support.kaspersky.com/us/viruses/rescuedisk


http://forum.kaspersky.com/index.php?showtopic=238192
[/quote]

Thank you for the information, bookmarked :-}

RE: Ukash / Police Ransomware

Posted: Fri Apr 26, 2013 8:51 pm
by spectre
Thanks Leofelix, booting with the [url=http://www.surfright.nl/en/kickstart t=_self] HitmanPro Kickstart disk [/url] is normally effective, but in the latest incident none of the options involving booting from USB would work.

RE: Ukash / Police Ransomware

Posted: Sat Apr 27, 2013 2:11 am
by Guest
@ Shazza =

One question
Why not use the restore point?
Or back up the engine?
OK, there are two questions :-}
Thank you, in advance

RE: Ukash / Police Ransomware

Posted: Sat Apr 27, 2013 3:55 am
by c۞g
Do you have domain(s) and/or URL(s) which installed this?

RE: Ukash / Police Ransomware

Posted: Sat Apr 27, 2013 6:16 am
by Colorado.Chris
Google FixMeStick 2013

RE: Ukash / Police Ransomware

Posted: Sat Apr 27, 2013 4:41 pm
by Jazspeak
<quote user="superhero58">
"Why not use the restore point ?"
[/quote]

Because you cannot be certain that the restore point has not been compromised and infected. Better to be safe than sorry, and much better to keep a clean clone so that the infected drive(s) can be wiped and restored from the clone.

RE: Ukash / Police Ransomware

Posted: Sat Apr 27, 2013 5:32 pm
by Guest
<quote user="jazspeak">
Because you cannot be certain that the restore point has not been compromised and infected. Better to be safe than sorry, and much better to keep a clean clone so that the infected drive(s) can be wiped and restored from the clone.
[/quote]
Thanks :-}