As of June 2012, there are two separate forms of new ransomware titled Police Central e-crime Unit, one is Win32/Weelsof and the other is Win32/ Reveton, found having been infecting numerous computers masquerading as the Sepecialist Crime Directorate or Metropolitan Police. The Police Central e-crime Unit ukash ransomware locks computer system, as ransomware usually does, alleges the operating system is locked due to the violation of the laws depending on IP geographical location (mostly notably the UK) such as visiting pornography, child pornography and zoofilia website among other fake claims, and then asks for a fine of 100 Euro or $ 100 paid by Ukash or Paysafecard services. That is ordinary credit card scheme of such ransomware that even steal your credit card data at the very last to scam you with much more money.
Similar Ransomware Infections: FBI moneypak virus, PCeU virus (aka Metropolitan Police Ukash virus), Malex ransomware, Citadel Reventon Malware, United States Cyber Security virus, Your computer is locked for violating the Law of Great Britain virus, DOJ virus, File Encryption Virus, SGAE virus, An Garda Síochána. Ireland’s National Police Service virus, ISCA 2012 virus, Automated Information Control System virus, ACCDFISA Protection Program ransomware, Celas ransomware, Votre ordinateur est bloque! Gendarmerie Ukash virus, FBI Ultimate Game Card virus, Canadian Police Association Virus, Urausy virus/ransomware, Office Central de Lutte contre la Criminalité Virus, Bundesamt fur Polizei Virus, Canadian Police Cybercrime Investigation Department Virus, GEMA: Your computer has been locked virus, All Activity on This Computer Has Been Recorded-Fake FBI Warning infection, Den Syenska Polisen IT-Sakerhet Ransomware, Bundes Polizei Ukash virus, Australian Federal Police Ukash Virus, Internet Crime Crime Compliant Center ransomware virus, United States Department of Justice virus, Politia Romana virus, etc.
Symptoms of Police Central e-crime Unit Ransomware Infection
- > A fake alert from an online authority Metropolice, stating the infected computer has violated the law which claims “this computer was locked to stop your illegal activity”
> Fake violation messages include: "Your IP address was used to visit websites containing pornography, child pornography, zoofilia and child abuse."
> Also, “Your computer also contains video files with pornographic content, elements of violence, and childe pornography. Spam-message with terrorist motives were also sent from your computer.” Please, be aware of such make-up claims.
> This accusing of law-violation ends with a demand for a penalty fine as the price to unlock the infected computer. “To unlock the computer, you must pay a find of 100 Euros” via Ukash or Paysafecard services.
The fire variant belongs to the Win32/Weelsof malware family, which is basically a Trojan that allows hackers to perform a number of actions on the infected computer. What for certain is that they can launch such fake Police warnings as shown in the image above. While Win32/Weelsof clearly targets the United Kingdom, the infection has spread to many other countries as well and is expected to progress, change and adapt to other countries in the future.
2. Win 32/Reveton
- > A fake alert from an online authority Specialist Crime Directorate stating the infected computer has been violating the law which alleges “ Your computer is blocked due to at least one of the reasons specified below.”
> “ You have been violating Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article 128 of the Criminal Code of Great Britain.”
> “Article 128 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty for two to eight years.”
> “ You have been viewing or distributing prohibited Pornographic content (Child Porn/Zoofilia and etc.) thus violating Article 202 of the Criminal Code of Great Britain.”
> “Illegal access to computer data has been initiated from your PC, or you have been…” (incomplete wordking)
> “Article 208 of the Criminal Code provides for a fine up to Euros 100,000 and/or a deprivation of liberty for four to nine years.”
> “ Illegal access has been initiated from your PC without our knowledge or consent, your PC may be infected by malware, thus you are violating the law on Neglectful Use of Personal Computer” (No Such Law at all)
The second variant of Police Central e-crime Unit (PCEU) ransomware belongs to the Win32/Reveton malware family. The fake waning is different from that of the Weelsof version. It is much more sophisticated, claiming to be from Specialist Crime Directorate rather than Metropolitan Police. Please be cautious about this ransomware upon sight as the above image shows and just overlook those seemingly scaring words and instantly get ways out to get rid of it upon sight.
Web cam control
Once infected, there would be a little more than usual that this ransomware virus would even attempt to trick the user into thinking they are under surveillance by webcam, as it always shows a fake screen in “recording” status. Actually this even makes no difference on the infected computer with no web cam at all. Apparently, the truth is ready to jump out at your call.
Most ransomware exploits Java or Flash vulnerabilities to load the malicious code. In some cases denying or disabling flash on your system may suspend the Police Central e-crime Unit ransomware viurs and enable the user to navigate through the infected system. If this not a necessity for removal, skip to the removal options below these steps.
To disable (deny) flash
2. Select the “Deny” radio option
3. Proceed to a removal option (detailed below).
How to Remove Police Central e-crime Unite Virus (Ransomware Removal Guide)
There are several ways to get rid of such Ukash ransomware depending on the specific situation of infection. If the computer can still boot into safe mode, please follow the Option 1 removal steps to go. If the computer is completely blocked from anything, including safe mode running, then bet on Option 2 removal steps to go.
Removal Option 1-Safe Mode with Command Prompt Restore
- Step 1> Launch your PC into Safe Mode with Command Prompt. During the start, keep pressing F8 key till the Advanced Windows Options Menu shows up and then use the arrow key on the keyboard to highlight the Safe Mode with Command Prompt option and then press Enter. See detailed instructions on how to boot Windows to Safe Mode
Note: make sure you login your computer with administrative privileges. (login as admin)
Step 2> Once the Command Prompt appears you only have few seconds to type “explorer” and hit Enter. If you fail to do so within 2-3 seconds, the ransomware virus will not allow you to type anymore.
Step 3> Once Windows Explorer shows up browse to:
Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
Step 4> Follow all steps to restore or recover your computer system to an earlier time and date (restore point), before infection.
Step 5> Download, install, update and runAnvi Smart Defender(http://www.anvisoft.com/software/asd/. Remove all threats detected and reboot your PC.
Removal Option 2 Using Anvi Rescue Disk to Remove the Ransomware and Repair the Infected Computer
Chances are your PC is heavily infected by this ransomware that it is blocked from safe mode running as well. If such is the case, the removal may be a little bit complex and here we use Anvi Rescue Rescue Disk to demonstrate the removal steps and good luck to you. If any question in the process, just let us know.
Also below is a video of ransomware removal using Anvi Rescue Disk for reference.
- Step 1> Download the Anvi Rescue Disk isoimage file Rescue.iso and the USB disk production tool BootUsb.exe from Anvisoft official site.
Direct download link: http://download.anvisoft.com/software/rescuedisk.zip
Please kindly note that Rescue.iso is a large file download; please be patient while it downloads.
Step 2> Record Anvi Rescue Disk iso image to USB drive. You can also record the iso image to a CD/DVD. We will introduce the steps to record iso image to a CD/DVD in following guide.
Connect USB to computer. You’d better backup your important data and format your USB drive before use it to record the iso image.
Locate your download folder and double-clicking on BootUsb.exe to start it. And then click “Choose File” button to browser into your download folder and select Rescue.iso file as your source file.
Select the path of USB drive, such as Drive H:
Click “Start Burning” to start the burn of USB Rescue Disk boot drive.
Please close BootUsb.exe tool after you successfully burn the file to USB drive when you get following message.
Now, you have bootable Anvi Rescue Disk to repair your computer.
You can also record Anvi Rescue Disk iso image to a DV/DVD. Any CD/DVD record software is fine for burn iso image. If you don’t have any, you can download and install Nero Burning ROM and ImgBurn. Here we will use Nero Burning ROM for demonstration purpose.
Please open and start Nero Burning ROM and select Burn Image from the drop-down menu of the Recorder.
Locate your download folder and select Rescue.iso file as your source file and then click Open button.
Click Burn button to start record the iso image. After a few minutes, you will have a bootable Anvi Rescue Disk to repair your computer.
Step 3>Restart your computer and configure your computer to boot from USB drive/DV/DVD that recorded Anvi Rescue Disk. Basically , you can use F8 to load USB boot menu.
For different motherboard, you may need to use the Delete or F2, F11 keys, to load the BIOS menu. Normally, the information how to enter the BIOS menu is displayed on the screen at the start of the OS boot.
The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key
If you can enter Boot Menu directly then simply select your CD/DVD-ROM as your 1st boot device.
If you can't enter Boot Menu directly then simply use Delete key to enter BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority. After that, set USB drive or CD/DVD-ROM as your 1st Boot Device. Save changes and exist BIOS menu.
Step> 4 After that let's boot your computer from Anvi Rescue Disk.
Restart your computer. After restart, a message will appear on the screen: press any key to enter the menu. So, press Enter or any other key to load the Anvi Rescue Disk
please selected your preferred language and press Enter to continue.
Step> 5Now you are in the mini Operating system, please double click Rescue tool to start Anvi Rescue disk.
Step> 6 Make sure that your computer is connected to network connection before you run a scan on your computer. If you fail to connect your computer to Internet, please check the tutorial on network configuration in this article: Remove Ransomware using Anvi Rescue Disk-Network Troubleshooting Tips
Step> 7 Please run a full scan by clicking the “Scan Computer” button in the middle of the program to detect and kill the PC lockup virus.
Step>8 Clicking “Fix Now” to Remove the detected threat by Anvi Rescue Disk.
Step> 9 Switch to Repair tab. Scan and fix the registry error with the “Repair” module of Anvi Rescue
Important Notice: You must repair the registry error after kill the virus. You are probably disabled to boot your Windows without fixing registry damaged by the virus.
Step>10 Now your computer should be clean and rescued from the virus infection. Please restart your computer to normal mode.
Please note, some ransomware infection variant is seriously persistent, so you are highly recommended to download the antimalware Anvi Smart Defender in the rescue disk menu when the scan and repair is finished just as shown in below picture:
In the prompt window, click Yes button to download and install Anvi Smart Defender and perform a full scan to ensure all possible files of the infection is removed.
To prevent the computer from infecting by such ransomware or related Trojans, please ensure you get proper protection on your computer and you may just keep the Anvi Smart Defender for this. Safe and direct download link:http://www.anvisoft.com/software/asd/
You are suggested to turn on Security Features of your browser to better secure your surfing activities online. See detailed steps to turn on security features of IE, or Firefox or Google Chrome.
Good luck and be safe online.
PS: A new version of PCeU virus is detected as shown in below picture:
For more detailed information about this new PCeU virus infection and the corresponding removal instructions, read this post: http://forums.anvisoft.com/viewtopic-45-3821-0.html