ukash malware, no safe boot mode

[ekih]

I have a dell laptop that has the ukash malware, only boots to ukash screen with rcmp (police) warning to pay $100 to unlock.

I am not able to boot into safe mode, I don't have the password, not caused by ukash.

I have removed the hard drive and connected it to my desktop via a sata to usb connector.

My though is to work on the hard drive from my desktop.

When trying to access the hard drive a window pops up asking to format drive.

My drives on the desktop are NTFS.

[Tomk_]

We need a little more info in order to see what we can do to help:

• What operating system is on your laptop?
• What operating system is on your desktop?
• Do you have a thumb drive? (flash drive/usb drive)

[Joe C]

down load the Emisoft free emergency kit from here and put it on a flash drive, it's a good size zip file...277 mb

http://www.emsisoft.com/en/software/eek/

click F8 as your pc boots up like you would get into safe mode but select Safemode With Command Prompt.

when you get the command prompt box, type in : explorer.exe.

pop in the flash drive and run Emisoft's emergency kit

Follow this guide

http://www.bleepingcomputer.com/virus-removal/remove-urausy-fbi-ransomware

 

Run Malwarebytes after that to get anything else that might still be on your pc

 

 

 

 

.

Edited March 16, 2013 by Joe C

[Jacee]

See this, ekih (ransomware) ... http://www.ukash.com/en-ZZ/Malware/

@ Tomk_ do you want to take over?

[Tomk_]

Don't know.

 

I've never used (or heard of) Emisoft free emergency kit. Maybe it will work - though it appears that you at least need to be able to get into safe mode... which OP has said they can't.

 

My thought was FRST.

[Joe C]

Not just safemode Tom, but Safemode with Command Prompt. you only open explorer.exe and it's more basic than safemode when it comes to functionality but it can detect a usb drive and run the Emisoft program. It can get you back to your desktop

I just cleaned up a laptop with the same issue and the Bleeping computer guide worked very well

Edited March 16, 2013 by Joe C

[Tomk_]

I've never been able to get into safe mode with command prompt when I couldn't get into any of the other safemodes... but I'm always wanting to learn new tricks.

[Joe C]

This worked for me, When I went into just safemode or safemode with networking the windows would load up and as soon as the desktop appeared, the pc rebooted, It would go into regular mode with the desktop but as soon as you touched the mouse or keyboard it went into a white screen with the mouse cursor and that was all you could see. This person waited past the 72 hours they allotted for payment and was totally locked out

 

Safemode with command prompt just opens up the command box (looks like a dos box) and from there you only need to type in explorer.exe to open explorer

[ekih]

Running WinXP pro on Desktop as well as on the laptop.

 

Not able to boot into safe mode comand prompt.

 

Is there a program that I can boot into from the CD drive say and run from there?

[ekih]

forgot to mention that yes I do have a flash drive

[ekih]

Not able to boot into safe mode command prompt, need password.

[Joe C]

I am not able to boot into safe mode, I don't have the password, not caused by ukash.

 

not caused by ukash?

Is this your pc or somebody else's?

 

[Tomk_]

XP is a little tricky.

 

We will have to get a bit creative. I suggest that you put the drive back in the laptop.

 

Use the working desktop to complete the following instructions for creating a bootable cd.

Download GETxPUD.exe to the desktop of your clean computer

• Double click GETxPUD.exe
• A new folder will appear on the desktop.
• Open the GETxPUD folder and click on the get&burn.bat
• The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
• Click on Start and follow the prompts to burn the image to a CD.
• Next download query.exe and save it to a USB flash drive
• Double click query.exe and it will extract a file and folder to the usb drive (query.sh file and chntpw folder)
• Remove the USB & CD and insert it in the ailing computer, then boot with the CD you just burned
• A Welcome to xPUD screen will appear after selecting the language
• Click the File tab on the left
• Expand mnt by clicking the + sign to it's left
• sda1,2...usually corresponds to your HDD
• sdb1 is likely your USB
• Click on the folder that represents your USB drive (sdb1 ?)
• Confirm that you see the query.sh file in the main window
• Click Tool at the top
• Select Open Terminal
• Type bash query.sh in the Terminal window then press Enter
• After it has finished a report will be located on your USB drive named RegReport.txt
• Remove the USB drive and insert it back in your working computer and navigate to RegReport.txt

Copy and paste the RegReport.txt in a reply here for my review.

Please note - all text entries are case sensitive

[Joe C]

On a side note:

Microsoft is cutting support for XP next year. Seriously consider upgrading to Windows 7 or Windows 8

[ekih]

I followed you instructions to the letter.

When trying to boot using the CD the screen comes up for selecting the languge.

When hitting enter on english it goes into a dos window with this below:

(I have typed out just what is looks like on the screen)

 

Before reporting problems, check http://wiki.x.org to make sure that you have the latest version.

Markers: (--) probed, (**) from config file, (==) default setting,

(++) from command line, (!!) notice, (II) informational,

(WW) warning, (EE) error, (NI) not implementied, (??) unknown.

(==) Log file: "var/log/Xorg.0.log", Time: Sun Mar 17 11:04:47 2013

(==) Using config file: "/etc/X11/xorg.conf"

(EE) No devices detected.

 

Fatal server error:

no screens found

 

Please consult the The X.Org Foundation support

At http://wiki.x.org

for help.

Please also check the log file at "/var/log/Xorg.0.log" for additional information.

 

ddxSigGiveUp: Closing log

giving up.

xinit: No such file or directory (errno2): unable to conncet to X server

xinit: No such process (errno 3): server error.

xauth: (argv):1: bad display name "(none):0" in "remove" command

sh: no job control in this shell

sh-4.0#_ (cursor is blinking waiting for command)

Edited March 17, 2013 by ekih

[Tomk_]

It appears that drivers for your system aren't found in this minimal install operating system.

Let's make a bootable usb stick with extended drivers and see if we can make it go.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

• [*]Insert your USB drive [*]Press

Start > My Computer > right click your USB drive > choose Format > Quick format [*]Double click the unetbootin-xpud-windows-387.exe that you just downloaded [*]Press Run then OK [*]Select the DiskImage option then click the browse button located on the right side of the textbox field. [*]Browse to and select the xpud-0.9.2.iso file you downloaded [*]Verify the correct drive letter is selected for your USB device then click OK [*]It will install a little bootable OS on your USB device [*]Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface [*]After it has completed do not choose to reboot the clean computer simply close the installer [*]Now download the extended driver package and copy it onto the USB in the opt folder (must be in this folder) [*]Next download http://noahdfear.net/downloads/query.exe to your USB [*]Double click query.exe and it will extract a file and folder to the usb drive (query.sh file and chntpw folder) [*]Remove the USB and insert it in the sick computer [*]Boot the Sick computer [*]Press F12 and choose to boot from the USB [*]Follow the prompts [*]A Welcome to xPUD screen will appear [*]Press File [*]Expand mnt [*]sda1,2...usually corresponds to your HDD [*]sdb1 is likely your USB [*]Click on the folder that represents your USB drive (sdb1 ?) [*]Confirm that you see query.sh that you downloaded there [*]Press Tool at the top [*]Choose Open Terminal [*]Type bash query.sh [*]Press Enter [*]After it has finished a report will be located on your USB drive named RegReport.txt [*]Remove the USB drive and insert back in your working computer and navigate to RegReport.txt

Please note - all text entries are case sensitive
[*]Copy and paste the RegReport.txt for my review

[ekih]

When booting to usb stick the xPUD loads with the selection for language.

After hitting enter under english xPUD starts loading in a dos window.

Shows:

Loading /boot/xpud..........................................................................................

........................................................................................................................

........................................................................................................................

Loading /opt/media...........................................................................................

.........................................................................................................................

.........................................................................................................................

After doing that same screen as before appears allmost the same.

One thing that is common is Fatal server error:

no screens found.

[Tomk_]

Fatal server error:

no screens found.

 

is telling you that that is the end of the information. The important part is the error (EE) No devices detected. which tells you that the drivers for your chipset couldn't be found.

 

Sounds like I need to come up with another plan.

[Tomk_]

Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

 

Please print this guide for future reference!

 

You will need a blank CD, a clean computer and a flash drive.

 

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

 

FIRST

 

1. Download and Run Ultimate Boot CD for Windows

[*]Save it to your Desktop.

[*]Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.

[*]Follow all of the instructions/prompts that come up.

NOTES:

[*]Do not install to a folder with spaces in it's name.

[*]Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.

[*]2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive

[*]Double-Click on UBCD4WinBuilder.exe located in your C:ubcd4win folder.

[*]Click "I agree" to the Builders License.

[*]Click NO to Search for Windows Installation Files

[*]Make the following selections from the Main Screen that pops up:

[*]Builder

[*]Source:(path to Windows installation files)

[*]Enter the path to the drive where your XP CD is located.

[*]You can click on the "..." button on the right to navigate to the path as well.

[*]Custom: (include files and folders from this directory)

[*]No information is necessary, leave blank.

[*]Output: (C:ubcd4winBartPE)

[*]Keep the default BartPE

[*]Media output

[*]Choose Create ISO image

[*]Do not choose Burn to CD/DVD

[*]

 

• Please note: If your XP install disc is SP1 then please .....
  • Disable- DComLaunch Service
  • Enable- LargeIDE Fix

     

    This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

  Also note: If you have a Dell XP install disc you will need to follow the instructions here

  http://www.ubcd4win.com/faq.htm#dell

  [*]3. Click on the "Build" button

  [*]You will see the Windows EULA message. Click on I Agree

  [*]You will now see the Build Screen. Let it run it's course

  [*]When the Build is finished you can click close, then exit

4. Burn your ISO file to CD

[*]Please see HERE on how to burn an ISO to CD.

==========

 

NEXT

 

Next, from your clean computer:

 

Download Farbar Recovery Scan Tool

and save it to your flash drive.

 

Now plug your flashdrive back into your sick computer and follow the next instructions:

 

==========

 

THEN

 

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created

[*]Insert the UBCD4Win disc in to one of your CD/DVD drives.

[*]Restart your computer.

[*]The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.

[*]In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.

[*]It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.

[*]Once the desktop appears, you will receive a message asking: Do you want to start Network support?

[*]Click on Yes if you want to use the PE environment to get online post your log and reply by way of an Ethernet connection.

[*]You should now have a desktop that looks like this:

==========

 

NOW

[*]Single click My computer from your UBCD4W desktop to navigate to the Farbar Recovery Scan Tool you saved to your flash drive.

[*]Double click on it to begin running the tool.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your next reply.

[ekih]

I gave it a try.

The disk I created wouldn't boot.

Couple of things going against me, only had a dell reinstall disk and when creating the ISO, imgburn said that bartpe had some files being used by another source, so it skipped those files.

I know I have a Winxp sp3 disk around, and will use that next time.

The only thing I don't get is why imgburn said that some files were in use.

Any ideas?

I will try again tomorrow after work.

Thanks

James

[Tomk_]

Did you follow the "special" instructions for Dell machines?

[ekih]

Still won't boot.

I tried booting my desktop as well from the same disk and no go.Used an oem winxp pro sp3 disk.one warning came up after the build: "Building from OEM Ver: can mean trouble"No errors though.The only other disk I have is a Dell reinstallation cd Winxp pro sp3.

Don't know if you have any other tricks?

 

I have a little bit of info that is not backed up that I would like to get from the HD.

When connecting using a sata to usb converter I can see the laptop HD but not able to access it.

When trying to access the drive it says that drive needs to be formated.

When it says that does it mean that the structure needs changing or is it going to wipe it clean?

If it means wipe it clean, I can live with that, don't want to but can.

[ekih]

The disk wouldn't boot.

Tried it in my desktop as well same thing.

 

Using Winxp pro sp3 OEM disk.

Just one warning: "Building from oem ver: disk can mean trouble."

No errors though.

The only other disk I have is Dell re installation CD xp pro sp3.

 

Don't know if you have any more ideas?

 

I have a little info on the hd entered since my last bkm.

When I connect the hd via a sata to usb connector, I can see the hd but not able to access it.

When trying to access, it comes up saying that it needs to format.

Is this in wipe it clean format or change the parameters type of format?

[Tomk_]

If you reformat... it will wipe it clean.

 

I don't have the answer for you as to why it is doing that.. all I can say is it happens sometimes. It is my understanding that this is a common error when trying an XP drive remotely on a Vista machine, but your's are both XP so I really don't know.

 

I can understand xpud not working as it is a minimal operating system and sometimes it just doesn't have what it takes. I am totally surprised that Ultimate boot CD didn't work.

 

Let's try a different linux distro again.

 

• Save these files to your Desktop
  • Download Latest Puppy Linux ISO (i.e.: lupu-528.iso)
  • Download BurnCDCC ISO Burning Software
• Open BurnCDCC and Extract All files to to it's own folder
• Double Click BurnCDCC
• Click Browse and navigate to the Puppy Linux ISO file you just downloaded
• click on it and click Open
• IMPORTANT: Adjust the speed bar to CD: 4x DVD: 1x
• Click Start
• Your CD Burner Tray will open automatically
• Insert a blank CD and close the tray
• Click OK

The CD should eject when finished.


To use the CD

• Insert the CD and restart the computer
• When the computer first starts please press the key indicated on the screen to enter the bios or setup.
• Make the necessary changes to make the CD first in the boot order
• Save the changes and exit the bios/setup
• Your computer will restart and boot from the Puppy Linux Live CD
• Install your Flash Drive that contains Query.exe that we downloaded for xpud earlier

• Set your language, time. etc preferences and continue
• Click the Mount Icon located at the top left of your desktop (should be 3rd from the left top row)
• A Window will open, click mount for each drive listed
• if you have a USB Flash Drive connected it's usually automatically mounted upon boot, but click the "usbdrv" tab and make sure it is mounted.
• Click on the folder that represents your USB drive (sdb1 ?)
• Confirm that you see the query.sh file in the main window
• Click Tool at the top
• Select Open Terminal
• Type bash query.sh in the Terminal window then press Enter
• After it has finished a report will be located on your USB drive named RegReport.txt
• Remove the USB drive and insert it back in your working computer and navigate to RegReport.txt

Copy and paste the RegReport.txt in a reply here for my review.

Please note - all text entries are case sensitive

[ekih]

The 2 files you wanted me to dl:

• Download Latest Puppy Linux ISO (i.e.: lupu-528.iso)
• Download BurnCDCC ISO Burning Software

The first link was broken and the other took me somewhere?

I am dl the 2 files:

• lupu-528.005.iso from http://puppylinux.org/main/Download%20Latest%20Release.htm
• burncdcc.zip from http://www.snapfiles.com/get/burncdcc.html

Do these look right.

 

One other thing, I have been using dvd's not cd's any difference?

Edited March 19, 2013 by ekih