
Police Report (U-Cash)


This topic is locked
5 replies to this topic

#1 Tiger-Heli

  • Members
  • 171 posts

Posted 10 August 2015 - 07:37 AM

My Windows XP SP3 computer is apparently infected with the Ucash or Police Report virus. (Loads Windows, then goes to a white screen saying “Connect to the Internet and Send Payment”.)

The computer has a single SATA hard drive with a C:\Windows and a G:\Programs partition.

 

Symptoms are almost identical to this:

http://www.bleepingcomputer.com/forums/index.php?app=forums&module=post&section=post&do=new_post&f=103

 

Somewhat similar to this:

http://malwaretips.com/blogs/remove-police-trojan/

 

I would like to get it working tomorrow, so will probably try some of the items in the above posts if I don't hear back before then.

 

Symptoms and things tried so far:

Computer goes to a white screen and says to press Escape and you have 30 seconds to Access the internet.

 

Booting into Safe Mode does the same thing.

 

When I pressed Esc, I managed to start Malwarebytes Anti-Malware and start a scan, but since it went back to the white screen, I was unable to access the scan results or run any fixes. If I pressed Alt-Tab, I noticed the top window was named "Police Report", which is the malware.

 

I booted the sick machine into Linux with an old CD named XPUD Linux - I think that might be the Ultimate Boot CD that I created in 2011. It did not list or allow me to mount the hard disk.

 

I booted the sick machine in Knoppix (date unknown) with an old CD and could see both the partitions, but they said 0 Files and 0 Folders (but this version might not support Linux or NTFS).

 

I pulled the HD from the sick machine and (risky) used a Kingwin USB to SATA adapter with a healthy computer to copy some critical files to a USB thumb drive - all the files appeared to be still on the hard drive.

 

Steps I plan to take (and questions in red).

 

The MalwareTips post seems to have the easiest solutions - I haven't tried running System Restore from the command prompt - I will try that first. The MBAM suggestion seems worthless since I can't get into the computer to install it (and it is already installed anyway). Hitman Pro might be promising. Kaspersky is worth a shot - although it didn't work for another BC member with the same problem.

 

I might try F-Secure rescue disk from here: https://forums.malwarebytes.org/index.php?/topic/5736-malwarebytes-boot-cd/

 

Then, I will try what worked for the other user.  Questions:

 

I have a clone of the C:\Drive of the sick computer, and I think I have a WIN XP disk with SATA Drivers slipstreamed - I assume I want the SATA Drivers Slipstreamed disk.

 

From the other thread, I assume you knew to replace the user32.dll because that was the file that did not say MD5 is legit?

 

A final option would be restoring the C:\Partition with the old cloned partition - info on that is here: (can't find a current version): https://web.archive.org/web/20100206211644/http://www.bleepingcomputer.com/tutorials/tutorial160.html#clonerestore

 

I read the tutorial, but I have a few questions:

 

  • The clone image is on a DVD disc. I can copy it to a thumb drive, but I was wondering if it would work from the DVD.
  • I want to wipe out all the files on the C:\ partition. I’m not sure if I have to format the partition to accomplish this, or if the write image command will take care of that. I think it is probably safest to format the partition.
  • I assume I DO NOT want to set a new drive ID. The partition will be the same as what the computer was previously using. The tutorial was confusing on this - it implied that I would want to change the Drive ID, but the screenshot implied that I would not.
  • I have never restored a drive from a cloned image before - are there any “gotchas” to watch out for? It seems pretty straightforward, but …
  • Since most of the other Linux programs couldn't find any programs on the hard drive, I assume that might be an issue. I am guessing worst case, I could re-install Windows to the C:\ partition and then replace that with the clone disk.
  • How likely is this to work - I assume if the virus has infected the C:\ drive, this should clear it (it is an old image). If the virus has infected files on the G:\ partition that are called at startup, it probably won’t work, but I could maybe re-image and boot into Safe Mode then. (It looks like the virus typically infects the system files on C:\ so that is probably not an issue.)
  • What program should be catching this and how do I make certain the PC is clean afterward - i.e. should I do a full scan with Malwarebytes or with Avast Antivirus (both, something else)?

Thanks in advance!!!!
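Two of the questions in the post above (which system file was actually altered, and how to check the drive afterward) come down to comparing the suspect drive against a known-good copy, which this poster happens to have in the cloned C: partition. The script below is an added example, not code from this thread or from any of the tools it mentions: it hashes every file under a known-good tree and under the suspect tree (the pulled drive mounted read-only on the healthy machine, as the poster already did to copy files) and lists what differs, what is missing, and what is new. The directory names, file names and file contents in `demo()` are constructed placeholders, not real Windows binaries.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256", chunk_size=1 << 20):
    """Hash one file in fixed-size chunks so large DLLs never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, algo="sha256"):
    """Map every file under root (relative, lower-cased POSIX path) to its digest.

    Paths are lower-cased because NTFS is case-insensitive: 'WINDOWS' on the clone
    and 'Windows' on the suspect drive must compare as the same file.
    Unreadable files are recorded as None rather than silently skipped, so they
    still show up as a difference that needs a look.
    """
    root = Path(root)
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix().lower()
            try:
                digests[rel] = file_digest(path, algo)
            except OSError:
                digests[rel] = None
    return digests


def compare_trees(good_root, suspect_root, algo="sha256"):
    """Return files whose content differs from the known-good tree, files that
    vanished from it, and files present only on the suspect drive."""
    good = hash_tree(good_root, algo)
    suspect = hash_tree(suspect_root, algo)
    return {
        "modified": sorted(p for p in good if p in suspect and good[p] != suspect[p]),
        "missing": sorted(p for p in good if p not in suspect),
        "added": sorted(p for p in suspect if p not in good),
    }


def demo():
    """Constructed sample: a tiny clone tree and suspect tree built in a temp dir.
    Names and byte contents are placeholders chosen to exercise each report bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "clone" / "WINDOWS" / "system32"
        suspect = Path(tmp) / "suspect" / "Windows" / "system32"
        good.mkdir(parents=True)
        suspect.mkdir(parents=True)
        # same name, different bytes -> "modified"
        (good / "user32.dll").write_bytes(b"constructed: original user32 bytes")
        (suspect / "user32.dll").write_bytes(b"constructed: altered user32 bytes")
        # identical on both sides -> not reported
        (good / "kernel32.dll").write_bytes(b"constructed: identical bytes")
        (suspect / "kernel32.dll").write_bytes(b"constructed: identical bytes")
        # present only on the clone -> "missing"
        (good / "ntdll.dll").write_bytes(b"constructed: only on the clone")
        # present only on the suspect drive -> "added"
        (suspect / "newfile.exe").write_bytes(b"constructed: only on the suspect drive")
        return compare_trees(Path(tmp) / "clone", Path(tmp) / "suspect")


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

On a real drive you would call something like `compare_trees("/mnt/clone/WINDOWS", "/mnt/suspect/WINDOWS")` (mount points are hypothetical) with the suspect drive mounted read-only, and pass `algo="md5"` if you want to match the MD5 values from the thread the poster refers to. A "modified" entry only means "differs from the clone"; every Windows update applied since the clone was taken will differ too, so a mismatch is a lead to confirm against a known-good hash for that exact file version, not by itself a reason to replace the file, which is the point Sintharius makes in the next reply.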




#2 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 10 August 2015 - 07:41 AM

Hi there,

Please don't try to replace files without knowing exactly what is infected.

You can use this tutorial for instructions to use HitmanPro.Kickstart to remove the ransomware.

#3 Tiger-Heli
  • Topic Starter

  • Members
  • 171 posts

Posted 10 August 2015 - 12:04 PM

Thanks - I'll be careful and will not delete files randomly.

 

HitmanPro seems like it will do what I need ...

 

A few more questions ...

 

The link lists 866-639-1368 - is this free phone support and what is the wait time?  The main problem I have with the forum (but the help on here is great), is that I don't have e-mail on either PC at home, so when I have to print and post logs, etc. and then check for replies, and then run another program and print logs, and then wait on replies, etc., it delays the repair time.  (Then again, I can't imagine phone support being able to deal very well with "Open your FarBar log file and look for entries that say ...")

 

More Clarification:

 

I don't see any kind of "Computer Locked" or "Police Screen" - but then again, the PC hasn't been online since this started, so if that is stored online it hasn't downloaded. I initially saw a white screen saying submit payment with a box below it, and then I hard shut down and re-started and I see a white screen with "Press Escape and attempt to connect to the Internet - you have 30 seconds to do this." Should Hitman Pro still fix this?

 

I would have expected Avast to prevent this, but it didn't seem to. I suspect the problem was an outdated Adobe Flash install. I got a warning about this in Firefox and tried to update it and got installation failed, and then downloaded the distribution (17 MB) version of Flash Player and that seemed to work, but then this happened (but I suspect the ransomware downloaded previously and waited a predetermined time before locking the PC up).



#4 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 10 August 2015 - 12:15 PM

Hi there,

You are probably looking at an ad - Bleeping Computer has no phone support.

If you are not confident in removing the infection on your own, I suggest that you post in here and let a Malware Response Team member guide you step by step.

#5 Tiger-Heli
  • Topic Starter

  • Members
  • 171 posts

Posted 10 August 2015 - 12:50 PM

Okay - it says:

 

"BleepingComputer has always prided itself on its trusted online support. We are excited to recommend Online Virus Repair Inc. for the same trusted support via telephone."

 

Which isn't quite the same thing.

 

I'm comfortable running the CD Scan tools and running a FarBar Recovery Scan Tool Log.

 

I'm not that confident in interpreting the log to know what files need to be replaced.

 

Then again - when I posted this, I thought I was in the forum that would get me a Malware Response Team Member response, so I'm probably not as good as I thought I was ...  :lmao:



#6 hamluis

    Moderator

  • Moderator
  • 56,295 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 12 August 2015 - 06:50 AM

New topic posted in MRL: http://www.bleepingcomputer.com/forums/t/586172/started-as-u-cash-now-bsod/page-0

 

This topic is closed to avoid confusion.

 

Louis


Edited by hamluis, 12 August 2015 - 06:53 AM.




