
"Police Report" program has hijacked my XP machine


  • This topic is locked
54 replies to this topic

#1 magnusansky

magnusansky

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 04 August 2015 - 05:25 PM

Upon coming back to my laptop today, I noticed the webcam was on.  Further the screen was a big white window with a webcam box in it as well as a payment field. 

 

Not able to do anything (short of clicking on submit), I pressed the power button to turn it off.

 

Tried to restart in all 3 safe modes, but each attempt brings me back to the same safe mode vs normal start screen selection.

 

I then let the computer start Windows normally, and quickly launched the Task Manager.  Before the computer was hijacked, I saw "Police Report" show up as an application.  Wasn't fast enough to kill it (not sure it would have made a difference).

 

This computer does not have an optical drive, but does have an SD card reader as well as USB2.0 ports.

 

Please help me gain back control of my computer.

 

Thanks

 




#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:08:22 PM

Posted 05 August 2015 - 07:36 AM

Greetings and :welcome: to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now :thumbup2:

==========================
 
Hi magnusansky,
 
FRST Scan from RECOVERY Environment on Vista, 7, and 8:
 
On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

 
 
To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========
 
On the System Recovery Options menu you will get the following options:
 
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
Select Command Prompt
 
==========
 
Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 magnusansky

magnusansky
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 06 August 2015 - 06:33 PM

Thanks Toffee

 

I downloaded FRST 32 bit and put it on a flash drive.  Inserted the flash drive and then started my XP machine.  Hitting F8 got me to the Windows Advanced Options Menu where my options are Safe Mode, Safe Mode w/Networking, Safe Mode w/Command Prompt, Enable Boot Logging, Enable VGA Mode, Last Known Good Configuration, Directory Services Restore Mode, Debugging Mode, Disable automatic restart on system failure, Start Windows Normally, and Reboot

 

Are any of these options useful (previously tried the Safe Mode options but those didn't work)?

 

I'm not sure where my Windows XP install discs are (this computer doesn't have an optical drive so I must have done it some other way previously...I had to reinstall XP once before, so I know there's a way somehow) so hoping there's a way without needing to find them.

 

Thanks



#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:08:22 PM

Posted 07 August 2015 - 01:57 PM

Hi magnusansky,
 
Please download ARCDC.

  • Double click ARCDC.exe
  • Follow the dialog until you see 6 options. Please pick: XP Professional SP2 & SP3 or XP Home SP2 & SP3 (depending on which version the unbootable computer is, if you do not know then select the professional option).
  • You will be prompted with a Terms of Use by Microsoft, please accept.
  • You will see a few dos screens flash by, this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • Your ISO is located on your desktop.
  • Follow the instructions here to create a bootable USB with the iso which you created.

xXToffeeXx~




#5 magnusansky

magnusansky
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 08 August 2015 - 12:31 AM

Hi Toffee

 

I tried to run ARCDC, but when I choose Professional SP2 & SP3, I get a new window that says:

 

The program is unable to download the required files.

This is most likely due to a failed connection to Microsoft

 

Though the logfile that it asks me to see says the following:

 

Traceback (most recent call last):
  File "ARCDC.py", line 466, in <module>
  File "ARCDC.py", line 131, in main
  File "ARCDC.py", line 287, in download
UnboundLocalError: local variable 'file' referenced before assignment

 

Any ideas on what I can do?

Thanks
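The traceback above is worth a closer look, because it explains why the dialog blames "a failed connection to Microsoft" while the log blames a Python variable. An `UnboundLocalError` for a name such as `file` inside a `download` function almost always means the name is only bound on the success path (the fetch worked) and is then used unconditionally afterwards, so a failed download surfaces as a confusing secondary error instead of the real cause. The following is an added example, not ARCDC's source code (which is not on this page): it models that pattern with a stand-in `fetch` callable so it runs offline, shows the buggy and the corrected shape side by side, and exposes the outcome through `run()` so both behaviours can be checked. The `download_buggy`, `download_fixed`, `fetch_fails`, `fetch_ok` and `run` names are hypothetical.

```python
"""Model the failure mode behind an UnboundLocalError in a download routine.

Added example, not ARCDC's code: it reproduces the common Python pattern
where a variable is assigned only when the download succeeds, then used
after the except block. A connection failure therefore shows up as
"local variable 'file' referenced before assignment" and hides the cause.
The fetch functions are constructed stand-ins; no network access happens.
"""
from typing import Callable, Optional, Tuple

class DownloadError(Exception):
    """Raised by the fixed version, chained to the underlying cause."""

def fetch_fails(url: str) -> bytes:
    # Constructed stand-in for a failed connection to the download host.
    raise ConnectionError(f"could not connect to {url}")

def fetch_ok(url: str) -> bytes:
    # Constructed stand-in for a successful download (16 fake bytes).
    return b"MZ" + b"\x00" * 14

def download_buggy(url: str, fetch: Callable[[str], bytes]) -> int:
    """Buggy shape: 'file' exists only if fetch() did not raise."""
    try:
        file = fetch(url)
    except Exception:
        # The GUI message is shown here, but execution falls through.
        print("The program is unable to download the required files.")
    # On the failure path this line raises UnboundLocalError and masks
    # the ConnectionError that actually occurred.
    return len(file)

def download_fixed(url: str, fetch: Callable[[str], bytes]) -> int:
    """Fixed shape: fail fast and keep the real cause in the chain."""
    try:
        data = fetch(url)
    except Exception as exc:
        raise DownloadError(f"download of {url} failed") from exc
    if not data:
        raise DownloadError(f"download of {url} returned no data")
    return len(data)

def run(url: str,
        fetch: Callable[[str], bytes],
        downloader: Callable[[str, Callable[[str], bytes]], int]
        ) -> Tuple[bool, Optional[int], Optional[str], Optional[str]]:
    """Return (ok, size, error_type, cause_type) for inspection."""
    try:
        return True, downloader(url, fetch), None, None
    except Exception as exc:
        cause = type(exc.__cause__).__name__ if exc.__cause__ else None
        return False, None, type(exc).__name__, cause

if __name__ == "__main__":
    url = "https://example.invalid/xp-sp3-files"
    print("buggy, connection down:", run(url, fetch_fails, download_buggy))
    print("fixed, connection down:", run(url, fetch_fails, download_fixed))
    print("fixed, connection up:  ", run(url, fetch_ok, download_fixed))
```

The practical reading of the log, then, is not "the tool is broken" but "the download never happened and the tool did not handle that"; the fixed version reports a `DownloadError` whose `__cause__` is the `ConnectionError`, which is what a user troubleshooting a blocked or missing Microsoft download would need to see.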
 



#6 magnusansky

magnusansky
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 08 August 2015 - 04:19 AM

Hi Toffee.

 

Potentially good news... While rummaging, I found 3 discs.

 

2 XP Professional SP3 product recovery discs

1 Rescue and Recovery Disc

 

Note, these were distributed by Lenovo and I'm pretty sure came with my infected thinkpad. (even though it doesn't have an optical drive).

 

Can you advise how to transfer/setup onto a USB drive? I have an empty (except for FRST) 128GB drive to play with and computers with optical drives running XP (old and unused for a while) or Win7.

 

Thanks



#7 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:08:22 PM

Posted 08 August 2015 - 04:42 AM

Hi magnusansky,
 
That is very useful; hopefully the instructions will work, as I have had to adapt them. If there are any problems, let me know.
 
We need to try and boot your computer using the Ultimate Boot CD for Windows (UBCD4win)

Please print this guide for future reference!

You will need: a Windows XP CD, a clean computer, and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

Step 1 - creating the ISO file

1. Please select a mirror and download the Ultimate Boot CD for Windows to your Desktop

  • Double-Click on the UBCD4Win.exe that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up
  • Note: Do not install to a folder with spaces in its name, it is best to use the default C:\UBCD4Win
  • Note: Your Antivirus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read here for information regarding the files that normally trigger AV software.
  • At the very end, uncheck "Run UBCD4WinBuilder.exe when installation is complete", then click Finish

2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive

  • Open My Computer, navigate to: C:\ubcd4win
  • Double-click on UBCD4WinBuilder.exe
  • Click I Agree to the UBCD4Win PE Builder License
  • Click No when prompted to Search for Windows installation files
  • For Source: click on the ellipsis (...), then click on the drive with your Windows XP CD, then press Ok
  • For Custom: no information is necessary, leave blank
  • For Output: keep the default BartPE
  • For Media output select Create ISO image: (enter filename)
    Note: you can leave the default filename and path as well (C:\UBCD4Win\UBCD4WinBuilder.iso), but if you do change it make sure it is a folder without spaces in the name
  • Note: If your XP install disc is SP1 then please click the Plugins button and modify the following options:

    Click on each option, then click Enable/Disable so the correct value is displayed.

    Disabled - !Critical: DComLaunch Service [Building with XP SP1-DISABLE]
    Enabled - !Critical: LargeIDE Fix (KB331958) [Building with XP SP1-ENABLE]

  • Note: If you have a Dell XP install disc you will need to follow the instructions here: http://www.ubcd4win.com/faq.htm#dell

3. Click on the "Build" button

  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit

4. Burn your ISO file to USB

  • Follow the instructions here to create a bootable USB with the iso which you created.

==========

Step 2 - downloading Farbar's Recovery Scan Tool (FRST)

Next, from your clean computer, download Farbar Recovery Scan Tool and save it to your flash drive.

note: you will need the 32-bit version to run with UBCD4Win

Now plug your flash drive back into your sick computer and move on to the next step.

==========

Step 3 - booting to the UBCD4Win CD

Restart Your sick Computer Using the UBCD4Win Disc That You Have Created

  • Insert the UBCD4Win USB into one of your USB ports.
  • Restart your computer, the computer should choose to boot from the UBCD4Win USB automatically.
  • If it doesn't and you are asked if you want to boot from USB, then choose that option.
    note: more information on booting from USB can be obtained here (if the options to boot do not automatically appear, follow the instructions to boot from the usb)
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter
  • It may take a little longer for the desktop to appear than it does when you start your computer normally, just let the process run itself until the desktop appears
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?, click Yes
  • You should now have a desktop that looks like this:
    (screenshot: Main.jpg)

==========

Step 4 - running the FRST scan

  • Single click My computer from your UBCD4Win desktop to navigate to the Farbar Recovery Scan Tool (FRST.exe) you saved to your flash drive.
  • Double click on FRST.exe to begin running the tool
  • When the tool opens click Yes to disclaimer
    note: if prompted to download the latest version, please do so from the link in Step 2
  • Click on the Scan button
  • It will make a log (FRST.txt) on the flash drive, close it and then shutdown the computer.
  • Safely remove the USB drive and insert the USB drive into your clean computer and post the log in your next reply

xXToffeeXx~




#8 magnusansky

magnusansky
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 08 August 2015 - 06:15 PM

I will try it out.  Just one thing.  I clicked on the ubcd4win Dell instruction link in your post just to see if there would be a lenovo one too, and instead, I got redirected somewhere that was a blue virus warning page.  It threw a pop up that said to call a number.  Anyway, hopefully, that page is benign, but I am now scanning my current machine after I killed Chrome. =/

 

Also, are the 2 product recovery CDs the WinXP CD?  Will ubcd4win be asking me then for both CDs (I'm not sure if they are CDs or DVDs).  

 

Thanks


Edited by magnusansky, 08 August 2015 - 06:20 PM.


#9 magnusansky

magnusansky
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 09 August 2015 - 12:38 AM

Hi Toffee

 

Run into another snag or 3.

 

Downloaded UBCD4Win off the first majorgeek link and tried to install.  It asked if I wanted to do an MD5 check, to which I said yes.  It said the check failed.  I searched and saw a previous post by you that said the checker is broken so I just went ahead.  It then asked me if I wanted to patch and I clicked yes.

 

On one computer that I tried this, I got a pop up window with some text.  I've since forgotten what it said but may have been some checks and details about the program.  On this computer, I tried to launch UBCD4Win after I inserted the CD, but it stopped cold and said I needed admin permissions.  

 

So I went to another computer, and got to the patch step.  When I clicked yes, I got an error that some file was missing.  It still sent me to the finish page and I unchecked launch to finish the install.  Did everything still go ok?  I don't know because when I tried to run UBCD4Win, I again got the "need admin privileges".  Except this time, I am logged in as the admin on this computer (there's only one account on this Win7 Home Premium machine).

 

Looks like I'm stuck again.

Thanks



#10 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:08:22 PM

Posted 09 August 2015 - 05:53 AM

Hi magnusansky,
 

I clicked on the ubcd4win Dell instruction link in your post just to see if there would be a lenovo one too, and instead, I got redirected somewhere that was a blue virus warning page.  It threw a pop up that said to call a number.

Ah, I see what link that is. My fault, as the domain which the website used to be hosted on has been bought out. Those pages are fake and do not actually do anything to your computer, just block the browser.
 

I don't know because when I tried to run UBCD4Win, I again got the "need admin privileges".

Try running UBCD4Win by right clicking on it and selecting "Run as administrator".
 
xXToffeeXx~




#11 magnusansky

magnusansky
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 09 August 2015 - 05:57 PM

Run as administrator got me past the administrator error, but then it turns out the 3 CDs I have are not ones that, at the very least, UBCD4Win can handle.

 

It looks for a file in i386/ and the two product recovery discs don't have that directory, and the other one, the Rescue and Recovery Disc has it, but not the file that the program is looking for.

 

Is this CD path (at least with my 3 CDs) a dead end?

 

Thanks

 

edit: apologies for use of "CD path".  that may get confusing given that the error is that it can't find files in a particular path.  By "CD path", I mean the solution option where we try to leverage my CDs.


Edited by magnusansky, 09 August 2015 - 06:56 PM.


#12 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:08:22 PM

Posted 11 August 2015 - 04:29 AM

Hi magnusansky,
 
Let's try something else
 
Download the OTLPE Standard REATOGO Windows Recovery Environment:

  • Place a blank USB into your USB drive.
  • Download OTLPEStd.exe and double-click on it. Click yes to the prompt.
  • When the ImgBurn window appears, click on the [image] button and make a note of the path.
  • Go to the path which you just noted down and copy the OTLPE_New_Std.iso to the desktop.
  • Follow the instructions here to create a bootable USB with the iso which you created.
  • Boot into your infected system using the boot USB you just created.
  • Note : If you do not know how to set your computer to boot from USB follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
  • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved  in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

xXToffeeXx~




#13 magnusansky

magnusansky
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 12 August 2015 - 01:28 AM

Hi Toffee

 

How do I make the USB bootable?  There seems to be a missing link to instructions on how to get the ISO's contents onto the USB drive?

 

Thanks



#14 magnusansky

magnusansky
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 12 August 2015 - 01:33 AM

I tried to use the Win7 USB/DVD Tool to burn the ISO to my USB, but when I selected the ISO, it claimed I did not have a valid ISO.  That's my attempt to solve it on my own for the evening. =)

 

Thanks



#15 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:08:22 PM

Posted 13 August 2015 - 06:22 AM

Hi magnusansky,

 

Oops, sorry. Here's the link on how to make a bootable USB.

 

xXToffeeXx~

