How to remove South Yorkshire Police Ransomware virus (Removal Guide)

Fiery

What is the South Yorkshire Police Ransomware virus?

The South Yorkshire Police virus is a fake warning that attempts to scare users into paying money to unlock their PC. This malware will prevent users from accessing the standard windows environment until payment is received. Do not make any payments as this infection can be removed.

This malware belongs to the Yorkshire Police ransomware family. Other aliases include:
  • West Yorkshire Police virus
  • North Yorkshire Police virus
Am I infected?

These are screenshots of this ransomware.



Infected users will also receive the following warnings:

Warning! Your computer has been locked.
The following violations were revealed:
Please wait. Your data is being verified. If you entered the correct code and pay the fine you will regain access to your computer. If you entered a wrong code, this message will reappear. If you entered a wrong code three times, the hard drive will be completely erased. your computer will be totally damaged and unusable. Your IP-address will be stored in our database. If you go with your IP address back to pornographic web pages, your case will be transferred to special department for further investigation!
Warning! Your Computer is locked for violating the law of Great Britain
<h1>How to remove the South Yorkshire Police virus (Removal Instructions)</h1>
Please note that this is a self-help guide, use at your own risk.

If you experience any problems completing these instructions or wish to have a staff member guide you, please start a new thread in our <a href="http://malwaretips.com/Forum-Malware-Removal-Assistance">Malware Removal Assistance</a> forum.

<h2>STEP 1 : Start your computer in Safe Mode with Networking</h2>
If you can't get into safe mode or normal mode, proceed to step 7.
<ol>
<li>Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.</li>
<li>Tap the "F8 key" continuously until you get the Advanced Boot Options screen.</li>
<li>On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER.
<br>
<img title="Safe Mode with Networking screen" src="http://malwaretips.com/images/removalguide/safemode.jpg" alt="[Image: Safemode.jpg]" width="539" height="292" border="0" /></li>
</ol>

<h2> Step 2: Download and run RKill</h2>
Download mirror 1 - Download mirror 2 - Download mirror 3


<ol>
<li>Save it to your Desktop.</li>
<li>Double click the RKill desktop icon.</li>
<li>It will quickly run. If it does not run, try another download link from above.
<img title="RKILL Command prompt" src="http://malwaretips.com/images/removalguide/rkill2.png" alt="[Image: run-rkill-2.png]" width="507" height="256" border="0" /></li>
<li>When RKill has completed its task, it will generate a log. You can then proceed with the rest of the guide.
<img title="RKILL LOG" src="http://malwaretips.com/images/removalguide/rkill3.png" alt="[Image: XP Defender 2013 rkill3.jpg]" width="414" height="187" border="0" /></li>
</ol>
<br>WARNING: Do not reboot your computer after running RKill as the malware process will start again, preventing you from properly performing the next step.

<h2>Step 3: Download TDSSkiller from here </h2>
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSkiller opens, click Start scan
  • If a suspicious object is detected, the default action will be Skip; click on Continue. (If it says TDL4/TDSS file system, select Delete.)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

NOTE: Reboot to safe mode with networking again and run rKill before proceeding to the next step.

<h2>Step 4: Download and install HitmanPro</h2>
<ol>
<li>Download the latest official version of HitmanPro.
<a href="http://malwaretips.com/download-hitmanpro" rel="nofollow" target="_blank">HITMANPRO DOWNLOAD LINK</a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Double click on the previously downloaded file to start the HitmanPro installation.
<img title="HitmanPro Installer" src="http://malwaretips.com/images/removalguide/hpro1.png" alt="[Image: hitmanpro-icon.png]" width="54" height="58" border="0" />
If you are experiencing problems while trying to start HitmanPro, you can use the "<em>Force Breach</em>" mode. To start this program in Force Breach mode, hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (<a href="http://www.youtube.com/watch?feature=player_embedded&v=m6eRWTv2STk" target="_blank">How to start HitmanPro in Force Breach mode - Video</a>)</li>
<li>Click on Next to install HitmanPro on your system.
<img title="HitmanPro installation process" src="http://malwaretips.com/images/removalguide/hpro2.png" alt="[Image: installing-hitmanpro.png]" width="532" height="421" border="0" /></li>
<li>The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan. Select an option, then click on Next to start a system scan.
<img title="HitmanPro setup options" src="http://malwaretips.com/images/removalguide/hpro3.png" alt="[Image: hitmanpro-setup-options.png]" width="532" height="421" border="0" /></li>
<li>HitmanPro will start scanning your system for malicious files. Depending on the size of your hard drive and the performance of your computer, this step will take several minutes.
<img title="HitmanPro scanning for Win 8 Security System" src="http://malwaretips.com/images/removalguide/hpro4.png" alt="[Image: hitmanpro-scanning.png]" width="532" height="421" border="0" /></li>
<li>Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below. After reviewing each malicious object, click Next.
<img title="HitmanPro Win 8 Security System scan results" src="http://malwaretips.com/images/removalguide/hpro5.png" alt="[Image: hitmanpro-scan-results.png]" width="532" height="421" border="0" /></li>
<li>Click Activate free license to start the free 30 days trial and remove the malicious files.
<img title="Activate HitmanPro free license to remove detected infections" src="http://malwaretips.com/images/removalguide/hpro6.png" alt="[Image: hitmanpro-activation.png]" width="532" height="421" border="0" /></li>
<li>HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.</li>
</ol>
Note: Let your PC boot to normal mode to perform the next step. If you can't, go back to safe mode and run RKill again before performing the next step.

<h2>Step 5: Download Malwarebytes' Anti-Malware (download link) to your desktop</h2>
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • Malwarebytes Anti-Malware will now start and you'll be prompted to start a trial period; please select 'Decline'.
    <img title="Decline trial period in Malwarebytes Anti-Malware" src="http://malwaretips.com/images/removalguide/mbam3.PNG" alt="[Image: Decline Malwarebytes trial]" width="432" height="165" border="0" />
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) and click on Remove Selected.
  • Reboot your computer if prompted.


Note: Let your PC boot to normal mode to perform the next step. If you can't, go back to safe mode and run RKill again before performing the next step.

<h2>STEP 6: Double check for other malicious files with Emsisoft Emergency Kit</h2>
<ol>
<li>You can download the latest official version of Emsisoft Emergency Kit from the below link.
<a href="http://malwaretips.com/download-emsisoft" rel="nofollow" target="_blank">EMSISOFT EMERGENCY KIT DOWNLOAD LINK</a> <em>(This link will open a download page in a new window from where you can download Emsisoft Emergency Kit)</em></li>
<li>After the download has finished, you'll need to <span style="font-weight: bold;">unpack EmsisoftEmergencyKit.zip</span>
<img title="Unpack EmsisoftEmergencyKit.zip" src="http://malwaretips.com/images/removalguide/ekk-zip-image.png" alt="Unpack Emsisoft Emergency Kit" width="319" height="109" /></li>
<li>Open the Emsisoft Emergency Kit folder and double click EmergencyKitScanner.bat.
<img title="Double click on EmergencyKitScanner.bat" src="http://malwaretips.com/images/removalguide/ekk-batfile.png" alt="Click on EmergencyKitScanner.bat" width="396" height="141" /></li>
<li>A pop-up will prompt you to update Emsisoft Emergency Kit, and you'll need to click the Yes button to allow this request.
<img title="Update Emsisoft Emergency Kit definitions" src="http://malwaretips.com/images/removalguide/eek-update.png" alt="Update Emsisoft Emergency Kit" width="360" height="139" /></li>
<li>After the update process has completed, click on the Menu tab and then select Scan PC.
<img title="Go to the Scan tab to start a system scan" src="http://malwaretips.com/images/removalguide/ekk-scan.png" alt="Scan tab on Emsisoft Emergency Kit" width="479" height="346" /></li>
<li>Select Smart scan and click on the SCAN button to search for malicious files.
<img title="Start a Emsisoft Emergency Kit Smart scan" src="http://malwaretips.com/images/removalguide/ekk-smart-scan.png" alt="Emsisoft Emergency Kit smart scan" width="480" height="345" /></li>
<li>Emsisoft will now start scanning your computer for malicious files. When the scan has completed, you will be presented with a screen showing you the infections that Emsisoft has detected.
Make sure that everything is Checked (ticked) and then click on Quarantine selected objects.
<img title="Emsisoft Scan results" src="http://malwaretips.com/images/removalguide/eek-scan-results.png" alt="Emsisoft smart scan results" width="480" height="345" /></li>
<li>Emsisoft Emergency Kit will now start removing the malicious files. If Emsisoft displays a message during the removal process stating that it needs to reboot, please allow this request.</li>
</ol>
<hr>
<h2>Step 7: Only perform this step IF Step 1 could not be performed. </h2>

Note: After you perform step 7, attempt to follow Step 1-6. If you experience any problems completing these instructions or wish to have a staff member guide you, please start a new thread here

<h2>STEP 7.1: Download and create a bootable Kaspersky Rescue Disk CD</h2>
<ol>
<li>Download the Kaspersky Rescue Disk ISO image from below.
<a href="http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable" rel="nofollow"><img title="Download Kaspersky resecue disk" src="http://malwaretips.com/images/removalguide/downloadnow.gif" alt="download kaspersky rescue disk" width="345" height="100" /></a></li>
<li>Download ImgBurn, a program that will help us create this bootable disk.
<a href="http://www.imgburn.com/index.php?act=download" rel="nofollow"><img title="Download ImgBurn" src="http://malwaretips.com/images/removalguide/downloadnow.gif" alt="download ImgBurn" width="345" height="100" /></a></li>
<li>You can now insert your blank DVD/CD in your burner.</li>
<li>Install ImgBurn by following the prompts and then start this program.</li>
<li>Click on the Write image file to disc button.
<img title="Create a bootable CD" src="http://malwaretips.com/images/removalguide/img1.png" alt="Create bootable CD step1" width="510" height="537" /></li>
<li>Under 'Source' click on the Browse for file button, then browse to the location where you previously saved the Kaspersky Rescue Disk ISO file (kav_rescue_10.iso).
<img title="Browse to the Kaspersky Rescue Disk Image" src="http://malwaretips.com/images/removalguide/img3.png" alt="Create bootable CD step2" width="512" height="171" /></li>
<li>Click on the big Write button.
<img title="Click 'Write' to create the bootable disk" src="http://malwaretips.com/images/removalguide/img4.png" alt="Create bootable CD step3" width="480" height="91" /></li>
<li>The disc creation process will now start and it will take around 5-10 minutes to complete.</li>
</ol>
<h2>STEP 7.2: Configure the computer to boot from CD-ROM</h2>
<ol>
<li>Use the Delete or F2 keys to load the BIOS menu. Information on how to enter the BIOS menu is displayed on the screen at the start of the OS boot:
<img title="Boot into BIOS" src="http://malwaretips.com/images/removalguide/kasp1.png" alt="Boot into Bios" width="285" height="137" /></li>
<li>In your PC BIOS settings, select the Boot menu and set CD/DVD-ROM as the primary boot device.
<img title="Select to boot from CD" src="http://malwaretips.com/images/removalguide/kasp2.png" alt="Boot into BIOS Step2" width="250" height="146" /></li>
<li>Insert your Kaspersky Rescue Disk and restart your computer.</li>
</ol>
<h2>STEP 7.3: Boot your computer from Kaspersky Rescue Disk</h2>
<ol>
<li>Your computer will now boot from the Kaspersky Rescue Disk, and you'll be asked to press any key to proceed with this process.
<img title="Press any key" src="http://malwaretips.com/images/removalguide/kasp3.png" alt="Kaspersky Rescue Disk 1" width="450" height="337" /></li>
<li>In the start-up wizard window that opens, select your language using the cursor keys. Press the ENTER key on the keyboard.
<img title="Select your language" src="http://malwaretips.com/images/removalguide/kasp4.png" alt="Kaspersky Rescue Disk 2" width="450" height="337" /></li>
<li>On the next screen, select Kaspersky Rescue Disk. Graphic Mode, then press ENTER.
<img title="Select Graphic Mode for Kaspersky Rescue Disk" src="http://malwaretips.com/images/removalguide/kasp5.png" alt="Kaspersky Rescue Disk 3" width="450" height="337" /></li>
<li>The End User License Agreement of Kaspersky Rescue Disk will be displayed on the screen. Read the agreement carefully, then press the C button on your keyboard.
<img title="Accept the End User License Agreement " src="http://malwaretips.com/images/removalguide/kasp6.png" alt="Kaspersky Rescue Disk 4" width="487" height="273" /></li>
<li>Once the actions described above have been performed, the Kaspersky operating system will start.</li>
</ol>

<h2>STEP 7.4: Scan your system with Kaspersky Rescue Disk</h2>
<ol>
<li>Click on the Start button located in the bottom left corner of the screen and select Kaspersky Rescue Disk, then click on My Update Center and press Start update.
<img title="Update Kaspersky Rescue Disk AV Definitions" src="http://malwaretips.com/images/removalguide/kasp8.png" alt="Kaspersky Bootable Cd scan 1" width="385" height="404" /></li>
<li>When the update process has completed, the light at the top of the window will turn green, and the databases release date will be updated.
<img title="Kaspersky Updated Definitions" src="http://malwaretips.com/images/removalguide/kasp9.png" alt="Kaspersky Bootable Cd scan 2" width="385" height="404" /></li>
<li>Click on the Objects Scan tab, then click Start Objects Scan to begin the scan.
<img title="Start a Kaspersky Rescue Disk scan" src="http://malwaretips.com/images/removalguide/kasp10.png" alt="Kaspersky Bootable Cd scan 3" width="385" height="404" /></li>
<li>If any malicious items are found, the default settings are to prompt you for action with a red popup window on the bottom right. Delete is the recommended action in most cases, but we strongly recommend that you try first to disinfect, and if it doesn't work, choose to quarantine the infected files just to be on the safe side.
<img title="Kaspersky Rescue Disk detecting malicious objects" src="http://malwaretips.com/images/removalguide/kasp11.png" alt="Kaspersky Bootable Cd scan 5" width="262" height="345" /></li>
<li>When all detected items have been processed and removed, the light in the window will turn green and the scan will show as completed.
<img title="Kaspersky Rescue Disk After malware removal" src="http://malwaretips.com/images/removalguide/kasp12.png" alt="Kaspersky Bootable Cd scan 7" width="385" height="404" /></li>
<li>When done, you can close the Kaspersky Rescue Disk window and use the Start Menu to restart the computer.</li>
</ol>

Note: If you weren't able to perform Step 1 before, try doing so now.

<hr>

The steps in this guide should remove this virus. If you are still experiencing problems or would like to have one of our staff members verify that your PC is clean, please start a new thread in our <a href="http://malwaretips.com/Forum-Malware-Removal-Assistance">Malware Removal Assistance</a> forum.


How was I infected?

  • Rogues can get on to computers without the user's consent through Drive-by downloads. When a user visits a compromised or infected website, the site immediately checks for any security vulnerabilities on the machine to inject the malicious code.
  • Peer-to-peer (P2P) programs such as uTorrent are frequently used by hackers to distribute malware.
  • Hackers can also trick the user into downloading a file, saying it is a legitimate file needed to view a video or pictures.

How can I prevent these infections?

Keep your system updated
  • Keeping your programs (especially Adobe and Java products) updated is essential. Update Checker will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here
<hr>
If you have another antivirus, it is recommended that you switch your antivirus program to a better one. Here are some suggestions:

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.


Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.
<hr>
Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with additional add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains fewer vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
  • KeyScrambler - Encrypts your keystrokes to protect you against keyloggers that steal personal & banking information
  • AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.
<hr>
It is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.


<h2> Technical Details </h2>
Files:
C:\ProgramData\(random)
C:\ProgramData\(random).dll
C:\ProgramData\(random).exe
C:\Users\username\Desktop\South Yorkshire Police.lnk
%UserProfile%\Start Menu\Programs\South Yorkshire Police\
%UserProfile%\Start Menu\Programs\South Yorkshire Police\Uninstall South Yorkshire Police.lnk
%UserProfile%\Start Menu\Programs\South Yorkshire Police\South Yorkshire Police.lnk

Registries:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"(random).exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation" = '0'
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving" = '0'
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper" = '1'
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = '1'
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr" = '1'
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures" = 'no'
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use FormSuggest" = 'yes'
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = '0'
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = '0'
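
The registry values listed above can be checked offline against a registry export, for example to confirm after cleaning that Task Manager and the certificate checks are no longer disabled. The Python script below is an added example, not part of the original guide: the sample export is constructed, and treating a Run entry that starts an executable directly under C:\ProgramData as a match is an assumption drawn from the file list, not something the guide states.

```python
import re

WIN = r"software\microsoft\windows\currentversion"
# (key below the hive, value name) -> data, taken from the "Registries" list above.
INDICATORS = {
    (WIN + r"\internet settings", "certificaterevocation"): "0",
    (WIN + r"\internet settings", "warnonbadcertrecving"): "0",
    (WIN + r"\policies\activedesktop", "nochangingwallpaper"): "1",
    (WIN + r"\policies\system", "disabletaskmgr"): "1",
    (WIN + r"\explorer\advanced", "hidden"): "0",
    (WIN + r"\explorer\advanced", "showsuperhidden"): "0",
    (r"software\microsoft\internet explorer\download", "checkexesignatures"): "no",
}
RUN_KEY = WIN + r"\run"
# Assumption: the Run entry starts an .exe placed directly in C:\ProgramData.
PROGRAMDATA_EXE = re.compile(r'^"?c:\\programdata\\[^\\"]+\.exe', re.I)
KEY_RE = re.compile(r"^\[([^\\\]]+)\\(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qzxv"="C:\\ProgramData\\qzxv.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''


def parse_reg(text):
    """Yield (hive, key, name, data); dword data becomes a decimal string."""
    hive = key = None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            hive, key = m.groups()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue  # header, blank line, default value or hex continuation
        name, raw = m.groups()
        if raw.startswith("dword:"):
            yield hive, key, name, str(int(raw[6:], 16))
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # Undo .reg escaping (\\ and \") inside quoted string data.
            yield hive, key, name, re.sub(r"\\(.)", r"\1", raw[1:-1])


def find_indicators(text):
    """Return sorted 'HIVE\\key\\name=data' strings for values that match."""
    hits = []
    for hive, key, name, data in parse_reg(text):
        expected = INDICATORS.get((key.lower(), name.lower()))
        run_hit = key.lower() == RUN_KEY and PROGRAMDATA_EXE.match(data)
        if data.lower() == expected or run_hit:
            hits.append(f"{hive}\\{key}\\{name}={data}")
    return sorted(hits)


if __name__ == "__main__":
    print("\n".join(find_indicators(SAMPLE)))
```

To check a real profile, export the hive with `reg export HKCU hkcu.reg` and pass the file's text to `find_indicators`; reg.exe writes the export as UTF-16, so open it with `encoding="utf-16"`.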