My Windows XP SP3 computer is apparently infected with the Ucash or Police report virus. (Loads Windows, then goes to a white screen saying “Connect to the Internet and Send Payment”.)
The computer has a single SATA hard drive with a C:\Windows and a G:\Programs partition.
Symptoms are almost identical to this:
Somewhat similar to this:
I would like to get it working tomorrow, so will probably try some of the items in the above posts if I don't hear back before then.
Symptoms and things tried so far:
Computer goes to a white screen and says to press Escape and you have 30 seconds to Access the internet.
Booting into Safe Mode does the same thing.
When I pressed Esc, I managed to start MalwareBytes Anti-Malware and start a scan, but since it went back to the white screen, I was unable to access the scan results or run any fixes. If I pressed ALT-TAB, I noticed the top window was named "Police Report", which is the malware.
I booted the sick machine into Linux with an old CD named XPUD Linux - I think that might be the Ultimate Boot CD that I created in 2011. It did not list or allow me to mount the hard disk.
I booted the sick machine in Knoppix (date unknown) with an old CD and could see both the partitions, but they said 0 Files and 0 Folders (but this version might not support Linux or NTFS).
I pulled the HD from the sick machine and (risky) used a Kingwin USB to SATA adapter with a healthy computer to copy some critical files to a USB thumb drive - all the files appeared to be still on the hard drive.
Steps I plan to take (and questions in red).
The MalwareTips post seems to have the easiest solutions - I haven't tried running system restore from the command prompt - I will try that first. The MBAM suggestion seems worthless since I can't get into the computer to install it (and it is already installed anyway). Hitman Pro might be promising. Kaspersky is worth a shot - although it didn't work for another BC member with the same problem.
I might try F-Secure rescue disk from here: https://forums.malwarebytes.org/index.php?/topic/5736-malwarebytes-boot-cd/
Then, I will try what worked for the other user. Questions:
I have a clone of the C:\ drive of the sick computer, and I think I have a WIN XP disk with SATA drivers slipstreamed - I assume I want the SATA-drivers-slipstreamed disk.
From the other thread, I assume you knew to replace the user32.dll b/c that was the file that did not say MD5 is legit?
A final option would be restoring the C:\ partition with the old cloned partition - info on that is here (can't find a current version): https://web.archive.org/web/20100206211644/http://www.bleepingcomputer.com/tutorials/tutorial160.html#clonerestore
I read the tutorial, but I have a few questions:
- The clone image is on a DVD disc. I can copy it to a thumb drive, but I was wondering if it would work from the DVD.
- I want to wipe out all the files on the C:\ partition. I'm not sure if I have to format the partition to accomplish this, or if the write image command will take care of that. I think it is probably safest to format the partition.
- I assume I DO NOT want to set a new drive ID. The partition will be the same as what the computer was previously using. The tutorial was confusing on this - it implied that I would want to change the Drive ID, but the screenshot implied that I would not.
- I have never restored a drive from a cloned image before - are there any "gotchas" to watch out for? It seems pretty straightforward, but …
- Since most of the other Linux programs couldn't find any programs on the hard drive, I assume that might be an issue. I am guessing worst case, I could re-install Windows to the C:\ partition and then replace that with the clone disk.
- How likely is this to work? I assume if the virus has infected the C:\ drive, this should clear it (it is an old image). If the virus has infected files on the G:\ partition that are called at startup, it probably won't work, but I could maybe re-image and boot into safe mode then. (It looks like the virus typically infects the system files on C:\, so that is probably not an issue.)
- What program should be catching this and how do I make certain the PC is clean afterward - i.e should I do a full scan with MalwareBytes or with Avast Antivirus (both, something else)?
Thanks in advance!!!!
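Added example (not part of the original post or any of the linked threads): since the poster has both a clone of the C:\ drive and the pulled drive mounted on a healthy machine, the "MD5 is legit" check mentioned above can be done for a whole list of system files at once by hashing each file in the clone and in the suspect tree and reporting which ones differ or are missing. The script builds a tiny constructed pair of directory trees in a temp folder to stand in for the two drives; the file names and contents are made up for the demo, and on a real drive you would point `compare_trees` at the two mount points (e.g. the clone's `WINDOWS` folder and the pulled drive's `WINDOWS` folder) and pass the relative paths you care about. Two caveats a practitioner would want: a "match" only proves the file equals the clone's copy, so it is meaningless if the clone was taken after the infection, and comparing against an old clone will flag files that Windows Update legitimately replaced, so a "mismatch" is a lead to investigate, not proof of tampering.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through MD5 so large DLLs don't have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_trees(clean_root, suspect_root, relative_paths):
    """Compare each relative path between a known-good tree (the clone) and
    the suspect tree (the pulled drive). Returns {relpath: status} where
    status is 'match', 'mismatch', 'missing' (absent on suspect drive) or
    'no-reference' (absent in the clone, so nothing to compare against)."""
    results = {}
    for rel in relative_paths:
        clean = Path(clean_root) / rel
        suspect = Path(suspect_root) / rel
        if not clean.is_file():
            results[rel] = "no-reference"
        elif not suspect.is_file():
            results[rel] = "missing"
        elif md5_of(clean) == md5_of(suspect):
            results[rel] = "match"
        else:
            results[rel] = "mismatch"
    return results


def build_demo():
    """Constructed sample: two tiny fake Windows trees in a temp directory.
    The contents are placeholders, not real system file bytes."""
    base = Path(tempfile.mkdtemp(prefix="xp-hashcheck-"))
    clean, suspect = base / "clone", base / "pulled"
    files = {
        "WINDOWS/system32/user32.dll": b"placeholder user32 bytes",
        "WINDOWS/system32/kernel32.dll": b"placeholder kernel32 bytes",
        "WINDOWS/explorer.exe": b"placeholder explorer bytes",
    }
    for root in (clean, suspect):
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    # Simulate what a tampered drive looks like: one system DLL altered,
    # one executable gone. This is a constructed scenario for the demo.
    (suspect / "WINDOWS/system32/user32.dll").write_bytes(b"altered user32 bytes")
    (suspect / "WINDOWS/explorer.exe").unlink()
    return clean, suspect, list(files)


def run_demo():
    """Run the comparison over the constructed trees and return the report."""
    clean, suspect, names = build_demo()
    return compare_trees(clean, suspect, names)


if __name__ == "__main__":
    for rel, status in run_demo().items():
        print(f"{status:12s} {rel}")
```

For a real comparison, replace `build_demo` with the two mount points and a list drawn from the files the removal threads single out (user32.dll and the other files under system32 that the lockscreen malware is known to patch), then treat every "mismatch" as a file to restore from the clone or from the XP install media before trusting the drive again.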