UKASH infected


  • This topic is locked
25 replies to this topic

#1 Hamfatter

Hamfatter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 28 October 2012 - 12:45 PM

Hi,

I am a novice when it comes to PC stuff, however I have been infected by UKASH - Metropolitan Police. I have spent the day searching for solutions, I have downloaded Windows Defender Offline, Malwarebytes and AVG Rescue Disk but none of these work as I can't even get to the safe mode options screen via F8, it just ignores me and continues to boot to Windows XP (2006) and then freezes and then goes to the UKASH screen.

It's as if it's a new version of the virus that you simply cannot overcome!

Any help would be very gratefully received, I am currently using another computer to post this, as it appears impossible to use the infected one currently.

Many thanks



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:47 PM

Posted 30 October 2012 - 05:46 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Hamfatter


Posted 31 October 2012 - 01:15 PM

Thanks m0le, looking forward to the first instructions.

Regards

Hamfatter

#4 m0le


Posted 31 October 2012 - 07:06 PM

Okay, well first things first: Do not pay them!

This is a bit tricky if it is not letting you get to safe mode but we may be able to access the system another way - you must have your XP disk though.

Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

:step1:

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
  • Do not install to a folder with spaces in its name.
  • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source: (path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output: (C:\ubcd4win\BartPE)
        • Keep the default BartPE
      • Media output
        • Choose Create ISO image
        • Do not choose Burn to CD/DVD


Please note: If your XP install disc is SP1 then please .....

  • Disable- DComLaunch Service
  • Enable- LargeIDE Fix

    This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

Also note: If you have a Dell XP install disc you will need to follow the instructions here
http://www.ubcd4win.com/faq.htm#dell
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit


4. Burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.
==========

:step2:

Next, from your clean computer:

Download Farbar Recovery Scan Tool
and save it to your flash drive.

Now plug your flash drive back into your sick computer and follow the next instructions:

==========

:step3:

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on Yes if you want to use the PE environment to get online, post your log and reply by way of an Ethernet connection.
  • You should now have a desktop that looks like this:

    Posted Image


==========

:step4:

  • Single click My computer from your UBCD4W desktop to navigate to the Farbar Recovery Scan Tool you saved to your flash drive.
  • Double click on it to begin running the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your next reply.


#5 Hamfatter


Posted 02 November 2012 - 04:12 AM

M0le,

This is great, thanks for this. Unfortunately I will be unable to follow your advice until this Sunday coming due to access to a clean PC. However I will have this by Sunday afternoon so will duly follow your instructions.

Thank you so much for your help so far, I will come back to you Sunday/Monday.

Regards

Hamfatter :thumbup2:

#6 m0le


Posted 02 November 2012 - 08:23 PM

:thumbup2:

#7 Hamfatter


Posted 04 November 2012 - 10:35 AM

Hi m0le,

Well, the good news is that I got further than before. The infected PC managed to start booting from the Ultimate Boot CD, the screen said 'Now Loading....The Ultimate Boot CD for Windows'. However after a few minutes I got the following message on a black screen 'The file nvcchflt.sys is missing Press any key to continue'. Needless to say nothing happens when you press any key.

I have turned the PC off again as paranoid someone is accessing my credit card details/ personal info, hopefully there is a solution to this?

Many thanks

Hamfatter

Edited by Hamfatter, 04 November 2012 - 10:35 AM.


#8 m0le


Posted 04 November 2012 - 11:41 AM

It's a missing driver which is explaining a bit about why your machine is struggling.

Let's try and locate a backup copy.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    nvcchflt.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#9 Hamfatter


Posted 05 November 2012 - 03:13 PM

Hi,

Probably a really stupid question, but just checking I do this on the clean pc not the infected one right?

Thanks


Hamfatter

#10 Hamfatter


Posted 05 November 2012 - 03:18 PM

This was the response from my clean pc:

SystemLook 30.07.11 by jpshortstuff
Log created at 20:15 on 05/11/2012 by Al
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "nvcchflt.sys"
No files found.

-= EOF =-

#11 m0le


Posted 05 November 2012 - 08:07 PM

No, we need to check the infected machine for a clean backup file.

Give SystemLook a spin on your other machine.

#12 Hamfatter


Posted 06 November 2012 - 01:49 PM

The problem is I can't get to that stage before it locks up with the UKASH Metropolitan Police screen, and I can't go to safe mode as you know, so I am unable to do this on the infected machine.

Thanks

Hamfatter

#13 m0le


Posted 06 November 2012 - 07:58 PM

Apologies, I did forget that.

We need to use a recovery disk. The one I want to use is Kaspersky's and the best step-by-step guide I can find is here

What we basically are doing is booting the system using a disk (much like we were trying to do with FRST) to allow Kaspersky access past the fake screen to remove the infection. The error message you had before may reoccur but we'll hope it doesn't, if it does then let me know.

#14 m0le


Posted 09 November 2012 - 08:59 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#15 Hamfatter


Posted 10 November 2012 - 04:06 AM

Hi M0le,

Really sorry hadn't come back to you, I will be trying the next course of action today and will come back to you today.



