
Ukash Police Ransomware infection


  • This topic is locked
34 replies to this topic

#1 Belacqua

Belacqua

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:11 PM

Posted 17 October 2013 - 11:57 AM

My PC (Win XP) has the Ukash Police Ransomware virus.
 
I am unable to boot into any type of safe mode - PC just reboots into the Ukash desktop.
 
I used Kaspersky Rescue Disk on a USB stick and ran a scan but it failed to detect or remove the virus. I then used its File Manager and Registry Editor to try and find bad files or registry entries but was unable to find anything in the usual locations for this virus. After using KRD for a few days it suddenly stopped working and wouldn't let me boot up so now I am completely locked out.
 
I've tried to use Hitman Pro Kickstart on a USB stick but that would not boot up either.

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum, due to the absence of any malware logs in the topic. ~ Animal



#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:06:11 AM

Posted 17 October 2013 - 06:32 PM

I'll report this topic to appropriate helpers.

1. Please let us know what Windows version you have and if it's 32- or 64-bit.
2. Is the computer bootable in any mode?

Hold on there....




#3 Belacqua


Posted 18 October 2013 - 05:11 AM

PC is Win XP Home 32 bit.

I am unable to boot in any safe mode - PC immediately reboots.

Kaspersky Rescue Disk will not mount files.

Hitman Pro Kickstart will not work. Get to initial screen listing 3 boot options but unable to select any - keyboard not responding.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,424 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:11 PM

Posted 23 October 2013 - 02:06 AM

Hello,
Could you please tell me what happens at this point when you boot in normal mode?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#5 Belacqua


Posted 23 October 2013 - 02:22 AM

When booting in normal mode, Windows loads up and the user screen is displayed. I click on user but instead of going to my desktop the Ukash police ransomware screen appears.

If I attempt to boot in any kind of safe mode the process begins but then the pc shuts down & reboots.

#6 Elise


Posted 23 October 2013 - 05:07 AM

Okay, then let's do a bit more searching. Can you still boot from the Kaspersky disk and access files on your system (that will save us from having to create another boot disk)?

If so, please use the file manager and let me know what is in the following location: \documents and settings\<your username>\start menu\programs\startup (please list all files)

regards, Elise


#7 Belacqua


Posted 23 October 2013 - 07:13 AM

Hi Elise

 

Thanks for your help. As I mentioned in my opening post Kaspersky Rescue Disk no longer works on my PC. I had been using it for several days but then it suddenly stopped working. I can open the KRD program from a USB stick but when I click graphic mode the loading bar runs across the screen then I get a black screen with the following error messages:

 

mount: no medium found on /dev/sdh
mount: no medium found on /dev/sr0
mount: special device /dev/mapper/live-rw does not exist


dracut Warning: Can't mount root filesystem
dracut Warning: dracut: FATAL: Failed to mount block device of live image
dracut Warning: dracut: Refusing to continue
dracut Warning: dracut: FATAL: Failed to mount block device of live image
dracut Warning: dracut: Refusing to continue


dracut Warning: Signal caught!
dracut Warning: dracut: FATAL: Failed to mount block device of live image
dracut Warning: dracut: Refusing to continue
dracut Warning: dracut: FATAL: Failed to mount block device of live image
dracut Warning: dracut: Refusing to continue

Kernel panic - not syncing: Attempted to kill init!

Pid: 1, comm: init Not tainted 3.0.13-krd10 #1
Call Trace:
[<c08e60x2>] panic+0x50/0x141
[<c0436f3d>] do_exit+0x92/0x68d
[<c043759c>] do_group_exit+0x66/0x8f
[<c04375da>] sys_exit_group+0x13/0x17
[<c08e80ec>] syscall_call+0x7/0x6

I posted on the Kaspersky Forum asking for help but the only advice given was to try the latest version which had the same result. I even tried two earlier versions of KRD but again they failed to mount files. I am puzzled as to why it suddenly stopped working as I was able to boot from it a dozen or so times before this problem arose.



#8 Elise


Posted 23 October 2013 - 07:28 AM

Okay, see if you can try it from this:

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • Navigate to /sda1/documents and settings/<your username>/start menu/programs/startup and list what is present there.

regards, Elise


#9 Belacqua


Posted 23 October 2013 - 11:00 AM

This isn't looking good.

 

I booted from the CD and got the initial choose language screen. I pressed enter on English then the screen went black with lots of text scrolling past and finally stopped with the following messages:

 

Fatal Server Error
no screens found

please consult the x.Org Foundation Support at http://wiki.x.org for help
please also check the log file at "/var/log/Xorg.0.log" for additional information

ddxSigGiveUp: Closing log

[7.287565] sd 8.0.0.0. [sdb] Assuming drive cache: write through
[7.291061] sd 8.0.0.0. [sdb] Assuming drive cache: write through
[7.299059] sd 8.0.0.0. [sdb] Assuming drive cache: write through
[7.527151] sd 9.0.0.0. [sdc] Assuming drive cache: write through
[7.528514] sd 9.0.0.0. [sdc] Assuming drive cache: write through
[7.845290] sd 10.0.0.0. [sdd] Assuming drive cache: write through
[7.847286] sd 10.0.0.0. [sdd] Assuming drive cache: write through
[7.849405] sd 10.0.0.0. [sdd] Assuming drive cache: write through
[11.605160] sd 9.0.0.0. [sdc] Assuming drive cache: write through

giving up
xinit: no such file or directory (errno 2): unable to connect to X Server
xinit: no such process (errno 3): Server Error
xauth: (argv): 1: bad display name "(none): 0" in "remove" command
sh: no job control in this shell
sh-4.0#

 

I tried putting xPUD on a USB stick and booted from that with exactly the same result.

Any ideas?



#10 Elise


Posted 23 October 2013 - 11:41 AM

No worries, that means your video card is not supported. Are you familiar with any Linux live CD (in that case we can use what you prefer, otherwise I'll just pick another one)?


regards, Elise


#11 Belacqua


Posted 23 October 2013 - 04:00 PM

No, I'm not familiar with any. I'll be guided by your choice.



#12 Elise


Posted 23 October 2013 - 04:42 PM

Please try to create an Ubuntu live CD (or USB, whatever you prefer). A good guide is here: https://help.ubuntu.com/community/LiveCD

regards, Elise


#13 Belacqua


Posted 24 October 2013 - 05:33 AM

Hi Elise.

I've followed the guide and created a Ubuntu live CD (plus a USB in case of problems). Awaiting your instructions.

#14 Elise


Posted 24 October 2013 - 06:33 AM

Okay, please see if you can get to its desktop (you will at one point be asked if you want to install or just try it out, select the latter to continue working from CD). Once there you should see in the left panel a file manager, which will allow you to browse your partitions. Find the partition with the Windows folder and look in the documents and settings\<your username>\start menu\programs\startup folder.


regards, Elise


#15 Belacqua


Posted 24 October 2013 - 07:31 AM

There are just two files in the startup folder:

 

desktop.ini

lf7t1lt3.lnk
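
Added example, not part of the thread: a randomly named shortcut in the Startup folder is only a pointer, so the useful triage fact is what it launches. This Python code goes one step beyond the folder listing above and reads the target path and arguments out of a .lnk file on the mounted Windows partition, following the published Shell Link (.lnk) binary layout. The names `parse_lnk` and `build_sample` are hypothetical, and the sample shortcut is constructed, not taken from the infected PC.

```python
import struct
import sys

# LinkFlags bits of the Shell Link (.lnk) binary format
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data):
    """Return the local target path and string fields stored in .lnk bytes."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, out = 76, {}
    if flags & HAS_ID_LIST:                    # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _, info_flags, _, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x01:                  # VolumeIDAndLocalBasePath
            start = pos + base_off
            end = data.index(b"\0", start)
            out["local_base_path"] = data[start:end].decode("cp1252", "replace")
        pos += size
    for bit, field in STRING_FIELDS:           # counted strings, fixed order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            out[field] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return out

def build_sample():
    """Constructed, minimal shortcut (not from the thread) for a self-check."""
    flags = HAS_LINK_INFO | 0x20 | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, flags).ljust(76, b"\0")
    path = b"C:\\constructed\\example.exe\0"
    info = struct.pack("<7I", 28 + len(path), 28, 0x01, 0, 28, 0, 0) + path
    args = "constructed-argument"
    return header + info + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":
    # Usage: python3 lnk_target.py /path/to/shortcut.lnk  (no argument: sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in parse_lnk(data).items():
        print(f"{key}: {value}")
```

Run from the live session, it only reads the shortcut, so nothing on the Windows partition is executed or modified.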





