#1 hotentot

TROJ.RANSOM UKASH Police virus on Windows 8 removal help

    Hi

I have a problem which I need some assistance with, please. I have had two users who contracted this annoying fake Police scam virus this week, one on a Windows 7 laptop, the other on a Windows 8 Pro all-in-one Sony Vaio touchscreen PC. The laptop one I simply re-imaged. The Windows 8 Sony all-in-one PC is an issue though, as it belongs to our CEO, who has a lot of files he needs to recover and would prefer we somehow clean it or at least get his data off before rebuilding (btw we only have a basic standalone Win8 Pro image, as our standard image is Windows 7 which we deploy with SCCM; we only have the Win 8 image for these 2 x Sony all-in-one PCs).

I know there are a few malware removal tools out there which I can run, but to use these I would need to at least be logged into Windows, which I cannot currently do as

1. the infected machine is 200 miles away in London and has been removed from the network
2. once I get down to it on Tuesday I suspect I'm not going to be able to get into Windows to select advanced boot options so it can reboot with the option of safe mode


The research I have done all suggests booting into safe mode and then either running some removal tool such as Malwarebytes or McAfee Stinger (not sure what the best option is yet), but my first barrier will be getting into safe mode. I guess I could boot with the Win image USB disk, which should provide me with some options; will one of them be boot options?


I'm not a desktop engineer btw, we have a new guy starting in 3 weeks but I can't wait that long


    any advice/assistance will be much appreciated

#2 Zippeyrude

Do a search, I advised on a W7 removal and it worked. You need a USB device.

    link here
    http://www.digital-forums.com/showth...ight=usb+virus

#3 akimba

If not encrypted, just boot from the Windows disk and then do a system restore, quick and clean ;-)
Out of interest, is it the UKASH one that uses the webcam to take a pic of what the person was doing at the time hehe ;-)

#4 CallmeGoose

It was me who asked about this virus here in the above thread.

I had it on a government encrypted laptop and believe me it was a FUCKING NIGHTMARE to remove.

None of the usual USB removal tools worked, as we couldn't access the hard drive for it to be removed in safe mode.

In the end we got every USB device we could find, phones, tablets, you name it, and plugged them all into the computer. It fooled the computer into loading Windows so we could get access to the registry, and from there we managed to get the fucker out.

If it isn't an encrypted laptop, Hitman Pro should do the job...

#5 hotentot

Excellent, some good info there, will give this a bash when I'm down in London on Tuesday

Quote Originally Posted by Zippeyrude
Do a search, I advised on a W7 removal and it worked. You need a USB device.

link here
http://www.digital-forums.com/showth...ight=usb+virus

#6 bryanw

If it's the same one I had, hold down F8 and boot into safe mode. Then I made another account (guest) and booted into that, then ran Malwarebytes. It's linked to the user, so you don't see it in the guest account.

#7 QfanatiQ

    I had this and it was a bitch.

Turn off the internet on the affected PC. If you google this, there are some free tools that will help. It does depend on how much it got into your system; I was lucky. But I have since rebuilt my neighbour's. I am on Vista, he was Win7.

This is what I used. I needed Hitman Pro; you get a free 30-day trial.

    http://malwaretips.com/blogs/remove-police-trojan/

#8 evilsatan

Hitman Pro is a godsend for ransomware. I had some easy techniques for some of these variants, such as creating a new user account, but new variants are very clever.

#9 WRATH OF BOD

I messed about with this & found if you run a live disk to search the hard drive, you look in the start-up folder & delete anything in there. You should be looking for regmondstd. Reboot & it stops it running, then Malwarebytes should clean it.
But I delete anything in the start-up just in case. It uses Flash to show the police image first.


#10 evilsatan

Quote Originally Posted by WRATH OF BOD
I messed about with this & found if you run a live disk to search the hard drive, you look in the start-up folder & delete anything in there. You should be looking for regmondstd. Reboot & it stops it running, then Malwarebytes should clean it.
But I delete anything in the start-up just in case. It uses Flash to show the police image first.
Handy tip, but I think some run as services; it all depends how complex the variant is. I had several techniques that worked in all cases until a few months ago, so now I just use Hitman. The easier ones were removable by enabling the administrator account, logging into it (which was clean) and running MBAM to scan the whole drive and remove the nasties. Some were avoidable in safe mode, but now they are pretty clever. The ones that take photos using the webcam really creep customers out.

As always, encrypted drives will be a bastard, as live CDs can't be run properly until you decrypt the drive...


#11 DJ OD

Royally fucked if it's an encrypted drive.

That said, anyone (IT Department) smart enough to use full hard drive encryption should also be smart enough to have decent anti-virus/malware on their PC...



#12 evilsatan

Quote Originally Posted by DJ Overdose
Royally fucked if it's an encrypted drive.

That said, anyone (IT Department) smart enough to use full hard drive encryption should also be smart enough to have decent anti-virus/malware on their PC...
Do you mean time-wise, mate? I don't think there is anything stopping you from decrypting (if you have the authority/ability to do so) and then using a normal method, but this will add hours to the repair time. The real bitch with encryption is if there is a hardware failure, so you may not be able to decrypt to then run recovery.


#13 DejaVu

    If we can Shoehorn Linux on to it, then I'll be able to run it up the flagpole and push the button on that.


#14 tombott

Quote Originally Posted by DejaVu
If we can Shoehorn Linux on to it, then I'll be able to run it up the flagpole and push the button on that.
    If you could Shoehorn Linux on to it, then the virus would not be there in the first place.


#15 DJ OD

Quote Originally Posted by evilsatan
Do you mean time-wise, mate? I don't think there is anything stopping you from decrypting (if you have the authority/ability to do so) and then using a normal method, but this will add hours to the repair time. The real bitch with encryption is if there is a hardware failure, so you may not be able to decrypt to then run recovery.
Not time-wise as such, although it would be a bit more long-winded. More a case of finding an offline tool to fix the malware that will allow you to decrypt the drive, should installed ones not do the job.

    Anything is possible if you have the required keys/access.



#16 evilsatan

Quote Originally Posted by DJ Overdose
Not time-wise as such, although it would be a bit more long-winded. More a case of finding an offline tool to fix the malware that will allow you to decrypt the drive, should installed ones not do the job.

Anything is possible if you have the required keys/access.
Ahh, so drives that can't be decrypted pre-boot? I only use TrueCrypt, so if I have to repair the drive I just decrypt pre-boot then run the usual methods.


#17 doughboy

    The kids got this on their laptop but I had no issues removing it. IIRC safe mode was still available and malwarebytes took care of it.

#18 GedR

So far I've had about 20 machines come in with this, all Windows 7. The easiest way I've found to remove it is to F8 when starting, then system restore to before the infection. When the system reboots you have to F8 again and start in safe mode to allow System Restore to complete, or the malware will still be there and keep you locked out of Windows. Then run your AV / antimalware to ensure the system is clean.
Hope this helps ..... GedR

#19 liveseytowers

As it's the CEO's PC and it's 200 miles away, I'd be tempted to use a WinPE boot disk with a file explorer on it, then copy all his files off it and just reimage it. Not worth the risk of it going wrong again and another trip to London IMO.

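The offline approach that posts #9, #10 and #19 describe (boot the infected disk from a live/WinPE environment, look at what is set to autostart, pull the user's data off before re-imaging), written up as one PowerShell script. This is an added example, not code from the thread or from any of the tools mentioned in it. It assumes a WinPE built with the WinPE-PowerShell optional component, that WinPE has mounted the infected Windows volume as D: (confirm with diskpart; WinPE itself is normally X:), and a hypothetical profile folder name "ceo". The registry locations it reads are the standard Run/RunOnce and Winlogon keys plus the two Startup folders; it does not hard-code the regmondstd name from post #9, it lists whatever is there for you to judge. On a full-disk-encrypted machine (posts #4, #10, #11) none of this works until the volume has been unlocked inside WinPE.

```powershell
<#
  Offline autostart triage and data pull for a lock-screen ransom infection,
  run from WinPE against the infected Windows volume (which is NOT booted).
  Added example, not from the forum thread. Assumptions:
    - WinPE with the WinPE-PowerShell optional component.
    - $OsDrive  : letter WinPE assigned to the infected Windows volume (assumed D:).
    - $User     : profile folder of the locked-out user (hypothetical "ceo").
    - $BackupTo : optional destination, e.g. an external USB drive, for the profile copy.
#>
param(
    [string]$OsDrive  = 'D:',
    [string]$User     = 'ceo',
    [string]$BackupTo = ''
)
$ErrorActionPreference = 'Stop'

$softwareHive = Join-Path $OsDrive 'Windows\System32\config\SOFTWARE'
$userHive     = Join-Path $OsDrive "Users\$User\NTUSER.DAT"

# Print every value under a registry key, skipping the provider's own PS* properties.
function Show-Values([string]$Key) {
    if (-not (Test-Path $Key)) { return }
    (Get-ItemProperty $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '{0}  {1} = {2}' -f $Key, $_.Name, $_.Value }
}

# Mount the offline hives under temporary keys so the HKLM: provider can read them.
reg.exe load HKLM\OFF_SW   $softwareHive | Out-Null
reg.exe load HKLM\OFF_USER $userHive     | Out-Null

try {
    '--- Run / RunOnce (machine and user) ---'
    @(
        'HKLM:\OFF_SW\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OFF_SW\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\OFF_USER\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OFF_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    ) | ForEach-Object { Show-Values $_ }

    '--- Winlogon (defaults: Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,) ---'
    Show-Values 'HKLM:\OFF_SW\Microsoft\Windows NT\CurrentVersion\Winlogon' |
        Where-Object { $_ -match '\b(Shell|Userinit)\b' }
    # A per-user Shell value is not set on a default install; anything here is worth a look.
    Show-Values 'HKLM:\OFF_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

    '--- Startup folders (the location post #9 cleared out) ---'
    @(
        (Join-Path $OsDrive "Users\$User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"),
        (Join-Path $OsDrive 'ProgramData\Microsoft\Windows\Start Menu\Programs\Startup')
    ) | Where-Object { Test-Path $_ } | ForEach-Object {
        Get-ChildItem -Force $_ | ForEach-Object {
            '{0}  {1,10} bytes  {2}' -f $_.FullName, $_.Length, $_.LastWriteTime
        }
    }
}
finally {
    # Release the provider's handles, then unmount; a hive left loaded can break the next boot.
    [gc]::Collect()
    reg.exe unload HKLM\OFF_USER | Out-Null
    reg.exe unload HKLM\OFF_SW   | Out-Null
}

# Optional: copy the profile off before re-imaging (post #19's approach).
# AppData is kept on purpose: Outlook PST/OST files live under AppData\Local\Microsoft\Outlook.
# Executable file types are excluded so the dropped payload does not travel with the backup.
if ($BackupTo) {
    New-Item -ItemType Directory -Force -Path $BackupTo | Out-Null
    $src = Join-Path $OsDrive "Users\$User"
    robocopy.exe $src $BackupTo /E /COPY:DAT /XJ /R:1 /W:1 `
        /XF *.exe *.scr *.com *.pif *.bat *.cmd `
        /LOG:(Join-Path $BackupTo 'robocopy.log')
}
```

Run it from the WinPE prompt as, for instance, `powershell -ExecutionPolicy Bypass -File .\Offline-Triage.ps1 -OsDrive E: -User ceo -BackupTo F:\ceo-backup` (script name and letters are assumptions). The point of loading the hives offline rather than booting is the one post #9 makes: nothing in the infected Windows installation is running, so the lock screen cannot get in the way and whatever you find under Run, Winlogon or Startup can be removed with Remove-ItemProperty or Remove-Item before the first reboot. Scan the backup on a clean machine before handing it back; /XF only filters by extension, so it is a precaution, not a guarantee.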
