
Ukash Metropolitan Police Scam


This topic is locked. 26 replies to this topic.

#1 zander65 (Members, 13 posts)

Posted 28 December 2011 - 09:09 AM

Hi guys, 1st post due to an unwanted xmas present.
Old Dell Dimension 4100, Windows XP Pro, SP3. Full McAfee virus protection.

Got a message on the full screen, "Your computer has been used for illegal purposes, etc, etc", then a Ukash request for a £100 fine. The message is supposedly from New Scotland Yard. I am unable to navigate past the message. The problem is that when I boot into safe mode the same message comes up, so I am unable to get past the message even in safe boot. Is there any way past this without installing XP again?

Any advice would be greatly appreciated.

Thanks, Alex

Edited by hamluis, 28 December 2011 - 10:26 AM.
Moved from XP to Am I Infected.



#2 noahdfear, "New Bremen Bulldog" (Malware Response Team, 1,870 posts, New Bremen, OH)

Posted 28 December 2011 - 09:30 PM

Hi Alex,

Are you able to use Ctrl+Alt+Del to bring up the task manager? If so, click File>New Task (Run) then type regedit and press Enter. Does the registry editor open?

Are you able to burn a bootable cd if unable to use the Task Manager/regedit? Do you also have a flash drive to download/save files on?
Dave

#3 boopme, "To Insanity and Beyond" (Global Moderator, 72,906 posts, NJ USA)

Posted 28 December 2011 - 10:50 PM

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.

#4 zander65, Topic Starter (Members, 13 posts)

Posted 29 December 2011 - 09:27 AM

Hi Dave

I tried Ctrl-Alt-Del yesterday and I get no response. I can't get rid of/past the message from Scotland Yard. When I log in to my user name or as an administrator in safe mode, or any of the other options, the message fills the screen and I can't perform any other functions. I did try to repair Windows a couple of days ago, but as SP3 is installed on the PC I am unable to use my older Windows disc for that option.

Thanks

Alex

#5 noahdfear, "New Bremen Bulldog" (Malware Response Team, 1,870 posts, New Bremen, OH)

Posted 29 December 2011 - 12:13 PM

Hi Alex,

Are you able to burn a bootable cd if unable to use the Task Manager/regedit? Do you also have a flash drive to download/save files on?


Please let me know if this is an option.
Dave

#6 zander65, Topic Starter (Members, 13 posts)

Posted 29 December 2011 - 12:54 PM

Dave

I have various flash/memory sticks. I am unable to do anything on the infected PC as the Ukash message comes up every time and I am unable to navigate past it. Do I not need access to the infected PC to burn a disc for that PC? I have access to the laptop I am using to send these messages, which has a CD/DVD writer.

Alex

Edited by zander65, 29 December 2011 - 12:55 PM.


#7 noahdfear, "New Bremen Bulldog" (Malware Response Team, 1,870 posts, New Bremen, OH)

Posted 29 December 2011 - 06:25 PM

Use the working laptop to complete the following instructions for creating a bootable cd.

Download GETxPUD.exe to the desktop of your clean computer
  • Double click GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download query.exe and save it to a USB flash drive
  • Double click query.exe and it will extract a file and folder to the usb drive (query.sh file and chntpw folder)
  • Remove the USB & CD and insert it in the ailing computer, then boot with the CD you just burned
  • A Welcome to xPUD screen will appear after selecting the language
  • Click the File tab on the left
  • Expand mnt by clicking the + sign to its left
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see the query.sh file in the main window
  • Click Tool at the top
  • Select Open Terminal
  • Type bash query.sh in the Terminal window then press Enter
  • After it has finished a report will be located on your USB drive named RegReport.txt
  • Remove the USB drive and insert it back in your working computer and navigate to RegReport.txt
Copy and paste the RegReport.txt in a reply here for my review.

Please note - all text entries are case sensitive
Dave
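A lock screen that comes back even in safe mode (post #4) is the classic sign of a hijacked Winlogon entry: the Userinit and Shell values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon run before the desktop in every boot mode, which is why the report above has to be pulled from outside Windows. The following Python is an added example (it is not the thread's query.sh nor the chntpw tool it uses): it checks those two values against their stock Windows XP defaults and flags any extra entry. It assumes a constructed "Name = data" report layout and constructed sample values, not the real RegReport.txt format, so adapt the parser to whatever the report actually looks like.

```python
"""Flag non-stock Winlogon Userinit/Shell values in an offline registry report.

Added example: not the thread's query.sh or chntpw. The report layout
('Name = data' lines) and the sample values are constructed for the demo.
"""
import re

# Stock Windows XP data for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
# Userinit normally reads "C:\WINDOWS\system32\userinit.exe," (trailing comma);
# a lock screen that survives safe mode is typically appended here or in Shell.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_SHELL = "explorer.exe"

LINE_RE = re.compile(r"^\s*(Userinit|Shell)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def _normalize(entry):
    """Lower-case, drop quotes, expand the two common system-root variables."""
    e = entry.strip().strip('"').lower()
    e = e.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")
    if e == "userinit.exe":          # bare name resolves via the system path
        e = DEFAULT_USERINIT
    return e


def parse_report(text):
    """Collect the Userinit and Shell data from 'Name = data' lines."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(2)
    return values


def check_winlogon(values):
    """Return findings as strings; an empty list means both values look stock."""
    findings = []
    userinit = values.get("userinit")
    if userinit is None:
        findings.append("Userinit value missing")
    else:
        norm = [_normalize(e) for e in userinit.split(",") if e.strip()]
        if not norm or norm[0] != DEFAULT_USERINIT:
            findings.append("Userinit does not start with the stock userinit.exe: %r" % userinit)
        for extra in norm[1:]:
            findings.append("extra Userinit entry: %s" % extra)
    shell = values.get("shell")
    if shell is None:
        findings.append("Shell value missing")
    elif [_normalize(e) for e in shell.split(",") if e.strip()] != [DEFAULT_SHELL]:
        findings.append("Shell is not explorer.exe: %r" % shell)
    return findings


# Constructed sample reports; lock.exe is a hypothetical name, not a real sample.
CLEAN_REPORT = r"""Userinit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
"""
HIJACKED_REPORT = r"""Userinit = C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\user\Application Data\lock.exe
Shell = Explorer.exe
"""

if __name__ == "__main__":
    for name, report in (("clean", CLEAN_REPORT), ("hijacked", HIJACKED_REPORT)):
        print(name, check_winlogon(parse_report(report)) or "stock values")
```

Anything the checker lists beyond the stock userinit.exe is what a fix like the one in post #9 has to strip out; note the path it reports, because the same file is usually what you want to collect for submission before deleting it.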

#8 zander65, Topic Starter (Members, 13 posts)

Posted 29 December 2011 - 08:45 PM

Thanks Dave

I have attached the RegReport file

Alex

Attached Files



#9 noahdfear, "New Bremen Bulldog" (Malware Response Team, 1,870 posts, New Bremen, OH)

Posted 29 December 2011 - 09:09 PM

Great! Download xPUD_userinit_fix and save it to the flash drive.
Download ComboFix and save it to the flash drive.
Boot the ailing computer into xPUD with the flash drive attached, then navigate to the flash drive and double click xPUD_userinit_fix to execute it. When it completes, reboot the computer and logon in safe mode. You should be able to see the desktop and navigate to the flash drive. Copy ComboFix.exe to the desktop then double click the desktop copy to run it. Follow any prompts and allow it to reboot the computer (into normal mode) if prompted. When complete, please post the contents of the ComboFix log located in C: and the UserinitReport.txt from the flash drive.
Dave

#10 zander65, Topic Starter (Members, 13 posts)

Posted 29 December 2011 - 11:33 PM

Hi Dave

Your instructions have worked perfectly so far. I have attached the ComboFix & Userinit Logs.

Thanks
Alex

Attached Files



#11 noahdfear, "New Bremen Bulldog" (Malware Response Team, 1,870 posts, New Bremen, OH)

Posted 30 December 2011 - 12:09 AM

Good work Alex! You can do this in normal mode on the ailing computer.
Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Collect::
c:\windows\system32\xzsrlzsrlxft.exe
c:\windows\system32\zxftdxftdxft.sys
RenV::
c:\program files\btbb_wcm\McciTrayApp .exe
Driver::
feak
Rootkit::
c:\windows\system32\drivers\olksdcwr.sys
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=-
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5a85f794-d0bb-4e83-958d-7820652490cc}]


Close all open programs and windows

Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

**NOTE - I recommend you allow the Recovery Console to be downloaded and installed when/if prompted.

ComboFix should prompt you to upload a zip file for submission. Please allow it to do so. The zip will contain files for analysis and will help the developer to add rogues to the database.

Do you know why FireFox proxies are in use? Using an app such as FoxyProxy?

uInternet Settings,ProxyServer = http=127.0.0.1:63212
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 63212
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63212
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 63212
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 63212
FF - prefs.js: network.proxy.type - 2

Edited by noahdfear, 30 December 2011 - 12:14 AM.

Dave

#12 zander65, Topic Starter (Members, 13 posts)

Posted 30 December 2011 - 03:44 PM

Hi Dave

It took quite a while to run after entering the CFScript.txt but I have now attached the 2nd ComboFix Log.

I have no idea why the Firefox proxies are running using FoxyProxy.

PS the recovery console was downloaded.

Thanks

Alex

Attached Files


Edited by zander65, 30 December 2011 - 03:46 PM.


#13 noahdfear, "New Bremen Bulldog" (Malware Response Team, 1,870 posts, New Bremen, OH)

Posted 30 December 2011 - 09:30 PM

Still a bit more to do Alex. First, and this isn't a critical issue, so you can correct it or leave it be ..... your discretion.

Your boot.ini file has an odd entry.

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="windows xp" n

The odd part is the n following "windows xp". As you probably know, the windows xp part is what gets displayed upon startup for choosing the operating system to boot. The n will do nothing, since it's not an actual switch. See here for more information on boot.ini switches.

If you wish to edit out the n, press the Windows key (between Ctrl and Alt on the left of your keyboard) and the Pause/Break key simultaneously to open System Properties (you can also right click My Computer and select Properties).
Select the Advanced tab.
Click the Settings button in the Startup and Recovery section.
Click the Edit button to open the boot.ini file.
Place your cursor behind the n then backspace to the end quote of "windows xp"
Click the close button on boot.ini and save the changes.
Exit your way out of System Properties.

We need to run another CFScript. Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

File::
c:\windows\system32\xzsrlzsrlxft.exe
c:\windows\system32\zxftdxftdxft.sys
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:63212
FF - prefs.js: browser.search.selectedEngine - Facemoods Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 63212
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63212
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 63212
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 63212
FF - prefs.js: network.proxy.type - 2
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
RenV::
c:\program files\Common Files\Ahead\Lib\NeroCheck .exe
c:\program files\Common Files\Ahead\Lib\NMBgMonitor .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\QuickTime\qttask                                                                                                                                                                                                                              .exe
c:\program files\Sony\SonicStage\SsAAD .exe

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

Let me know how the computer is behaving after completing the above procedure, and if any issues exist.

Edited by noahdfear, 30 December 2011 - 09:31 PM.

Dave

#14 zander65, Topic Starter (Members, 13 posts)

Posted 31 December 2011 - 06:52 AM

Hi Dave

ComboFix scan completed successfully. Please find the log attached.

The PC appears to be running fine at this time.

Thanks

Alex

Attached Files



#15 noahdfear, "New Bremen Bulldog" (Malware Response Team, 1,870 posts, New Bremen, OH)

Posted 31 December 2011 - 11:53 AM

Hi Alex,

It does not appear that the submission zip file from ComboFix run #2 was uploaded. Please look in C: and see if you have a shortcut named CFSubmit.htm
If so, double click and when prompted, allow it to upload the file.

If no shortcut, see if you have a file named similar to [4]Submit {date time}.zip, either in C: or C:\qoobox
If found, please go here and upload the file.

Boot to xPUD and locate the following files in mnt>sda1>WINDOWS>system32

xzsrlzsrlxft.exe
zxftdxftdxft.sys

Now hold Ctrl and click both files to select them.
Release Ctrl then right click and select Compress.
Type submit for the filename.
Click Browse then navigate to and select the flash drive (mnt>sdb1) ... click Browse again to collapse the browse dialog.
Change the format of compressed file to zip
The name should now show submit.zip and location to save sdb1
Click Save

Now delete the two files from system32.

Reboot and upload the submit.zip file on the flash drive to my submission site


Now in normal mode copy and paste the following command into a Run dialog (press Windows key+R or Start>Run)

notepad %appdata%\Mozilla\Firefox\Profiles\wk7w0vjd.default\prefs.js

Look for and remove any lines that refer to a proxy. Examples below.

user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 63212);

The entries you will be looking for are reflected in the following lines from your combofix log.

Internet Settings,ProxyServer = http=127.0.0.1:63212
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 63212
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63212
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 63212
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 63212
FF - prefs.js: network.proxy.type - 2

Once removed, close the file and save the changes.

Restart the machine, open and close FireFox at least once, then download DDS, save it to your desktop and run it.
Save both dds.txt and attach.txt files to the desktop then attach them to a reply here.
Dave
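The loopback proxy settings raised in posts #11 and #15 mean a process on the infected machine was listening on 127.0.0.1:63212 and relaying (or intercepting) every HTTP, HTTPS, FTP and SOCKS connection the browser made; before trusting the cleanup, confirm nothing still listens on that port (netstat -ano on the XP box) and then take the prefs out. The Python below is an added example, not part of the thread: it parses prefs.js user_pref lines, reports why the proxy block is suspicious (including what each network.proxy.type value means), strips every network.proxy.* pref so Firefox reverts to its built-in defaults, and parses the Internet Settings ProxyServer string from the same ComboFix log. The prefs.js sample is constructed to mirror the log lines quoted above.

```python
"""Triage and clean Firefox proxy preferences left behind by a local proxy.

Added example, not from the thread. The prefs.js text is constructed to
mirror the network.proxy.* lines quoted in the ComboFix log above.
"""
import ipaddress
import re

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')
PROXY_HOST_PREFS = ("network.proxy.http", "network.proxy.ssl",
                    "network.proxy.ftp", "network.proxy.socks")
# network.proxy.type: 0 direct, 1 manual, 2 PAC URL, 4 auto-detect (WPAD), 5 system
PROXY_TYPE_NAMES = {"0": "direct", "1": "manual", "2": "autoconfig (PAC)",
                    "4": "auto-detect (WPAD)", "5": "system"}


def parse_prefs(text):
    """Map pref name -> value string (surrounding quotes stripped)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def _is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # a hostname, not an address
        return False


def proxy_findings(prefs):
    """Explain why the proxy block is suspicious; empty list means nothing to flag."""
    findings = []
    ptype = prefs.get("network.proxy.type")
    if ptype is not None and ptype != "0":
        findings.append("network.proxy.type = %s (%s)"
                        % (ptype, PROXY_TYPE_NAMES.get(ptype, "unknown")))
    for name in PROXY_HOST_PREFS:
        host = prefs.get(name)
        if host and _is_loopback(host):
            port = prefs.get(name + "_port", "?")
            findings.append("%s points at loopback %s:%s; something on this host is "
                            "relaying browser traffic" % (name, host, port))
    if prefs.get("network.proxy.autoconfig_url"):
        findings.append("PAC URL set: " + prefs["network.proxy.autoconfig_url"])
    return findings


def strip_proxy_prefs(text):
    """Drop every network.proxy.* user_pref so Firefox reverts to its built-in defaults.

    Returns (cleaned text, list of removed pref names). Edit prefs.js only
    while Firefox is closed; it rewrites the file on exit.
    """
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if m and m.group(1).startswith("network.proxy."):
            removed.append(m.group(1))
        else:
            kept.append(line)
    return "".join(kept), removed


def parse_ie_proxyserver(value):
    """Parse the Internet Settings ProxyServer string: 'http=127.0.0.1:63212',
    'http=h:1;https=h:2', or a bare 'host:port' (scheme recorded as '*')."""
    result = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, None
        result[scheme] = (host, int(port) if port else None)
    return result


SAMPLE_PREFS = """# Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "http://www.google.co.uk/");
user_pref("network.proxy.ftp", "127.0.0.1");
user_pref("network.proxy.ftp_port", 63212);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 63212);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 63212);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 63212);
user_pref("network.proxy.type", 2);
"""

if __name__ == "__main__":
    for f in proxy_findings(parse_prefs(SAMPLE_PREFS)):
        print("!", f)
    cleaned, removed = strip_proxy_prefs(SAMPLE_PREFS)
    print("removed %d prefs, %d lines kept" % (len(removed), cleaned.count("\n")))
    print(parse_ie_proxyserver("http=127.0.0.1:63212"))
```

Removing the user_pref lines rather than editing them is the safer choice: a pref that is absent from prefs.js takes Firefox's default, whereas a hand-edited value is easy to get wrong. The Internet Settings ProxyServer value is what Internet Explorer and WinINet-based programs use, so it has to be cleared separately from the Firefox profile, as the CFScript in post #13 does.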
