Topic: [Resolved - K] Police Report Malware

chipmeister
« on: August 04, 2015, 01:17:01 AM »
Hi again Spywarehammer,

Went to boot up yesterday and about halfway in the process, got a completely white screen with a text input box and the words "?echo $submit?" and "Waiting payment" in the lower right corner. Could not do anything after that. Tried to reboot again and a little sooner in the process, I opened task manager and saw 'Police Report' in the applications tab. I ended the process but it came right back, eventually it ended up back at the white screen. I tried to reboot into safe mode but it wouldn't work. Actually, I have been unable to boot into safe mode under any circumstances for over a year. But, a little research seems to indicate that that is also something that occurs with this malware. Anyway, that's what I have and once again, could use a little assistance. I'm currently running XP SP3. Thanks.
« Last Edit: August 18, 2015, 12:17:07 AM by kevinf80 »

kevinf80 (Malware Removal Staff)
« Reply #1 on: August 04, 2015, 05:18:02 AM »
Hello chipmeister,

As you've opened this thread I assume you have access to another PC; if that is true, see if you can create the following tool.

Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

Stage 1

1. Download and Run http://www.ubcd4win.com/downloads.htm Ultimate Boot CD for Windows

  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
NOTES:

  • Do not install to a folder with spaces in its name.
  • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with either SP1/SP2/SP3 into the CD Rom drive

  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files

Make the following selections from the Main Screen that pops up:

Builder

Source:(path to Windows installation files)

  • Enter the path to the drive where your XP CD is located.
  • You can click on the "..." button on the right to navigate to the path as well.
Custom: (include files and folders from this directory)

  • No information is necessary, leave blank.

Output: (C:\ubcd4win\BartPE)

  • Keep the default BartPE
Media output:

  • Choose Create ISO image
  • Do not choose Burn to CD/DVD

Please note: If your XP install disc is SP1 then please .....

  • Disable- DComLaunch Service
  • Enable- LargeIDE Fix

This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

Also note: If you have a Dell XP install disc you will need to follow the instructions here:

http://www.ubcd4win.com/faq.htm#dell


3. Click on the "Build" button

  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit

4. Burn your ISO file to CD

    Please see Here on how to burn an ISO to CD.

=====================================

Stage 2


Next, from your clean computer:

Download Farbar Recovery Scan Tool and save it to your flash drive.
Make sure to get the correct version for your system.
Now plug your flashdrive back into your sick computer and follow the next instructions:

=====================================

Stage 3

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created

  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
  • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.

  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
  • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
  • Click on Yes if you want to use the PE environment to get online, post your log and reply by way of an Ethernet connection.
You should now have a desktop that looks like this:



===================================

Stage 4

  • Single click My computer from your UBCD4W desktop to navigate to the Farbar Recovery Scan Tool you saved to your flash drive.
  • Double click on it to begin running the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive.

Please copy and paste the log to your next reply.

Thanks,

Kevin...

chipmeister
« Reply #2 on: August 05, 2015, 12:06:02 AM »
Hi Kevin, thanks for picking this up. Having an issue with the link for the Ultimate Boot CD. First time I clicked it, it took me to: http://www.justseethis.com/?utm_source=534c103a66da43fc27000ecf&utm_medium=DNTX&utm_term=software&utm_campaign=US. The second time it went to: http://www.ubcd4win.com/downloads.htm which is the right URL but it's just a page with a domain for sale and a few ads. Any ideas? Also one question. I have an OLD Windows disk that they sent me once when I was having an issue (my computer did not ship with a disk). If I boot from that, is it going to wipe out anything I have (files etc.) or any windows updates I've loaded since that disc version? Just want to be sure I don't lose anything I can't reload, especially any of the XP security updates. Thanks for the help.

Chip

kevinf80
« Reply #3 on: August 05, 2015, 01:23:03 PM »
If you have a correct version of Windows XP cd you can run a repair install. Basically it installs over the top; no data, files, music, videos etc. are lost. The only problem would be previous windows updates will be lost, also no chance of getting those as XP is not supported anymore...

The instructions I give to run FRST via UBCD is maybe the best option for now...

Try this link: http://www.ultimatebootcd.com/ I've tried it, seems to be ok. The previous link was old hence the problems, never used this fix for XP for a very long time....

Thank you,

Kevin..

chipmeister
« Reply #4 on: August 05, 2015, 08:14:11 PM »
Hi kevin,
I was kind of afraid that I was going to lose those XP updates. Is this pretty much the only way to deal with this thing? Last night I was messing around and tried doing that ubcd4win.com site replacing .com with .org and did get to some mirror sites. I downloaded the program from a few but they wouldn't install. Said something about an 'MD5 Hash' problem. Anyway, I did download from the new link. I saved it to my desktop. When I click it, it doesn't give me any options to open or install in a folder. It immediately opens the disc burner and prompts me to burn it to disc. I also see your instructions later on discuss creating an ISO image. The file I downloaded shows as 'ubcd535.iso' so is it possible this is already configured? It's just not matching up with your original instructions. I just want to be sure I'm doing this correctly. Thanks

kevinf80
« Reply #5 on: August 06, 2015, 01:02:49 AM »
Thanks for the reply and info, you've downloaded an ISO of UBCD ready to burn, that is not what we're after. We need to d/l, save to desktop the .exe version of UBCD.
Run the .exe to install to the root of C:\; that action is the default folder setting. That process is straightforward, just accept each prompt as it appears...
From there we will build a bootable CD containing UBCD and Windows XP (sp1 or sp2 or sp3). It is essential that one of those service packs is on the XP cd; if not we would need to create a new XP cd with a service pack slipstreamed..

The executable version is available at the following link:

http://www.majorgeeks.com/files/details/ubcd4win.html

Apologies regarding the links previously provided, they are quite old and obviously have changed.....

Cheers,

Kevin

chipmeister
« Reply #6 on: August 06, 2015, 02:22:04 AM »
Thanks Kevin. Actually, this is one of the sites I downloaded from last night that wouldn't install. I'm going to provide the exact text I got in the windows that opened. But first I wanted to check something. My Windows disc says Microsoft Windows XP Media Center Edition 2005 with Update Rollup 2. Not sure if Update Rollup 2 is same as Service Pack 2. I think they switched to Update vs. SP at some point but I'm not sure. I got the disc about 6 years ago when I had some Windows files bung up. Dell sent it to me. Anyway, here's the info I got when I tried to install:
UBCD4WIN is a large file and it's not entirely uncommon to see an occasional corrupted or incomplete download which eventually results in having to start over later and maybe even a possibility of hairloss. The MD5 Hash of your UBCDWIN download can be verified for you now if you're connected to the internet. Do it?......I clicked yes and got a window with this:  Your download seems to be either corrupted or incomplete and UBCDWIN cannot be built. Please download it again (from a different mirror?) and try again. The MD5 Hash of your download is F83C81B5197F01DFD8CA00764474F453  it should be :<!DOCTYPE.

I actually downloaded and tried to install from 3 different mirrors and got these messages from all 3. Sorry I've got some big mysteries here. Thanks,  Chip
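The installer's hash check that chipmeister's post quotes, illustrated with an added Python example that is not part of this thread or of UBCD4Win: it compares a download against a reference MD5, but first validates that the reference is a 32-hex-digit digest rather than a web page (a reference of `<!DOCTYPE` means the hash lookup returned HTML, which is what a dead mirror or parked domain serves), and that the download itself is not an HTML page. Sample inputs are constructed; MD5 here detects corruption or the wrong file, not deliberate tampering.

```python
import hashlib
import re

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def looks_like_html(data: bytes) -> bool:
    """True when the bytes begin like a web page, not a binary or a digest."""
    head = data.lstrip()[:16].lower()
    return head.startswith(b"<!doctype") or head.startswith(b"<html")


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the payload; an integrity check only, not a signature."""
    return hashlib.md5(data).hexdigest()


def verify_download(payload: bytes, reference: bytes):
    """Return (ok, reason) for a download and the reference digest fetched for it.

    The reference is validated first: if the hash lookup returned HTML
    (a stale mirror or a redirect to a parked page), the comparison is
    meaningless and the download should be re-fetched from a good source.
    """
    if looks_like_html(reference):
        return False, "reference is an HTML page, not a digest (stale mirror/link)"
    ref = reference.decode("ascii", "replace").strip().lower()
    if not MD5_HEX.match(ref):
        return False, "reference is not a 32-hex-digit MD5"
    if looks_like_html(payload):
        return False, "download is an HTML page, not the installer"
    actual = md5_hex(payload)
    if actual != ref:
        return False, f"digest mismatch: got {actual}, expected {ref}"
    return True, "digest matches"


if __name__ == "__main__":
    # Constructed samples: a tiny stand-in "installer" and three kinds of reference.
    installer = b"abc"  # md5 900150983cd24fb0d6963f7d28e17f72
    good_ref = b"900150983cd24fb0d6963f7d28e17f72\n"
    parked_page = b"<!DOCTYPE html><html><body>Domain for sale</body></html>"
    for name, payload, ref in [
        ("good mirror", installer, good_ref),
        ("hash URL returns a page", installer, parked_page),
        ("download URL returns a page", parked_page, good_ref),
    ]:
        print(f"{name}: {verify_download(payload, ref)}")
```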

kevinf80
« Reply #7 on: August 06, 2015, 10:24:41 AM »
I've tried all d/l from MajorGeeks myself, tried to install on all versions of Windows from Vista through to Windows 10, I get the same results. I guess that tool needs to be dumped....

As you have access to another PC see if you can create the Windows Defender Offline Tool, I give the instructions to load to a USB flash drive. It can also be run from a CD, just change to that option in the instructions…

Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.

You will have to select the correct version for your system, either 32 or 64 bit

Run the tool, Windows 7/8 or Vista users right click and select "Run as Administrator"

Read the instructions in the new window and select "Next"

In the new window accept the agreement:

In the new window select your USB Flash Drive, then select "Next"

In the new window ensure your Flash drive is selected, if not click on "Refresh" then select "Next"

In the new window accept the formatting alert by selecting "Next"

Files will be Downloaded:

Files will be processed and created

Flash drive will be formatted and prepared

Files will be added to the Flash Drive and the tool will be created.

The procedure is finished and the Tool created, click on "Finish" to complete.



Plug the USB into the sick PC and boot up. If it does not boot from the flash drive change the boot options as required: use F12 as it boots, change options...
As it boots you'll see files being loaded and the windows splash screen, eventually the tool will run a "Quick Scan"; follow the prompts and deal with what it finds.
When complete do a full scan, deal with what it finds.
When finished, remove the USB stick then press the Esc key to boot into regular windows.
Navigate to the following file:

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"

Open with notepad and copy and paste it into a reply.

chipmeister
« Reply #8 on: August 06, 2015, 07:55:34 PM »
Thanks Kevin,

I burned it to a disc (had one sitting here) and used it to boot the bad machine. I couldn't get the disc tray to open until I hit start but I dropped it in pretty fast. Program loaded and it defaulted to the quick scan which ran and found nothing. After that I ran the complete scan and it did find 3 items:
Ransom:win32/reveton.v
Trojan:win32/eyestye.B!CFG
Ransom:win32/TOBFY! mp3

I had it remove the items which it said was completed. ESC to reboot and when it did, the original white screen popped up. I manually shut down and restarted. This time, the white screen popped up for a second then my full desktop came up (which it has not done since the problem) but only stayed up about 30 seconds and then the white screen came back. I did drop the disc back in, shut down and restarted from the disc and am running the full scan again. So, something happened but then screen came up again. I'll let you know what the second scan does. Thanks

chipmeister
« Reply #9 on: August 07, 2015, 12:32:54 AM »
Hi Kevin,

The second full scan ran and it didn't find anything this time. But when I used ESC to reboot, I ended up with the original problem/white screen with payment text.

chipmeister
« Reply #10 on: August 07, 2015, 01:40:42 AM »
Sorry Kevin. It wouldn't let me edit my previous post. I also wanted to mention that I was trying to open task manager to see if I could end the process. It had been only opening for a second then disappearing but this time it opened during shutdown which kept my desktop up while it was running shutdown. A window popped up saying it was trying to close MBAM (Malwarebytes). I waited to see what would happen so I did nothing and it wouldn't shut down until I manually clicked end program. Interesting as I hadn't done anything to run it. Well, the very first time I was getting the white screen, I did have time to start a scan before the white screen took over but I have started/shutdown several times since then. I can't imagine it was related to that but did want to mention it.

kevinf80
« Reply #11 on: August 07, 2015, 01:49:40 AM »
If you want to close the current process select Alt - F4 keys together, I'm not sure if the Ransom screen is still the issue or not.
This type of infection "Reveton" is usually killed in one shot with Kaspersky 10 rescue CD, it means another tool to create but well worth trying...

Download Kaspersky Rescue Disk (iso)
  • Burn it to a cd or dvd, if you need a program to burn an ISO...use Active@ ISO Burner
  • Configure your computer to boot from CD/DVD


Note : If you do not know how to set your computer to boot from CD/DVD follow the steps here

  • Once you have the CD/DVD created, boot the computer up using it
  • Press any key to enter the menu
  • Select your language
  • Press 1 to accept the End User License Agreement
  • Select Kaspersky Rescue Disk. Graphic Mode
  • Click on the Start button located in the left bottom corner of the screen
  • Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Malware/Virus
If you can't find Kaspersky WindowsUnlocker, go to Terminal instead > type > windowsunlocker > choose 1 - Unlock Windows > Enter


  • When it's done, click on the Start button and start Kaspersky Rescue Disk utility
  • Click on My Update Center tab and press Start to download the latest update
  • Next, select the Object Scan tab
  • Put a check next to C:\ and any other local drives
  • Then click Start Objects Scan
  • Quarantine any malware found
  • Restart your computer and see if it boots up normally....

When booted back into Windows navigate > Start > Computer > C:\Kaspersky Rescue Disk 10.0. Open the folder; inside is the log from the KRD run named "ScanObject". Copy/paste that file to your reply.

Thank you,

Kevin..

chipmeister
« Reply #12 on: August 07, 2015, 09:49:03 AM »
Thanks Kevin,

Got it burned and ran it. All it found was a minor adware program. Rebooted and right back to the white screen. One thing, when I clicked on the WindowsUnlocker, a black screen opened with a bunch of stuff in it. I believe it was the Unlocker results but, the process only took a second or two so I'm not sure if it ran fully. After I did the scan and rebooted, I shut down but the only way I could do it was to hard shutdown with the power button as all I have is the white screen. I rebooted with the Rescue disc to try it one more time and when it got to the step of mounting the file, it gave me a warning saying the OS was shut down incorrectly and mounting the file may damage the file system. Gave me the option to continue, skip, or restart computer. I assume that last one would be a normal shutdown and reboot so I did it, but at the file mounting step, got the warning again. So, I don't know if that restart computer option executed a normal shutdown or not. Not sure where to go with it now.

kevinf80
« Reply #13 on: August 07, 2015, 11:58:27 AM »
Can you boot to any of the safe mode options, start the PC and tap on the F8 key... Do you get any options?

chipmeister
« Reply #14 on: August 07, 2015, 12:18:06 PM »
Actually no. That's an issue I've had for a couple years. Cannot boot into any safe modes. Never could figure out why. But, I did read that this malware is also known for not being able to boot to safe anyway.