Mokong Posted July 24, 2012 Share Posted July 24, 2012 (edited) Just wondering if anyone else here has encountered this Ransomware or heard of it. Cousin of mine came to the house last night with his laptop and said he thinks there's a virus on it. I turned it on to find a screen like this. Thought that just ain't right, haha. Turns out this "ransomware" works out where the computer it is on is based and then takes the logo of your local law enforment and inserts it into it's display to try to look genuine. Because of this it can also be known by different names based on the law enforment agency it is pretending to be. Generally it seems to be called the "Ukash Virus" based on the method of payment it is asking you to pay the ransom by. It locks down you computer, you won't be able to access any files even the windows button won't work, nor will task manager. It starts on start up too and doesn't give you any window of oppurtunity to prevent it from starting. No idea how he got it on his laptop (or actually how his wife got it on it as she was apparently using it at the time). From what I can work out after reading bout it online in my search to find a way to remove it I can only guess that a pop-up appeared which she clicked on thinking it was safe. Of course when asked if she downloaded anything it is denied Anyway first thing I did was boot to safe mode which worked fine. Opened up MSConfig and looked at teh start up items to see if I could work out what program and where it was hidding. But there was just a ton of crap in there that I didn't recognise and looked dodgy. As a test I turned off all start up items and rebooted to normal and the banner image didn't come back. Guess I could have tried going through restarting with one item at a time disabled but the amount of crap in the start up list I just couldn't bother Back to safe mode, and tried to run a full scan with MSE, to my surprise MSE actually worked and did the scan. So I waited and when it finally finished it picked up 3 trojans and 1 malware, quarantined and removed all. Thought that was that, restarted to normal boot and the thing was still there and still locking up the laptop. So back to my google searches on my own laptop I tried a method I found here, which involved booting to safe mode and using a program called "Rkill" which stops malware from running (doesn't remove it, just stops it) and then running Malwarebytes to find and remove it. The "Rkill" did find something (can't remember what it threw up...and forgot to save the log file it gave me ) so I then ran Malwarebytes on it which found another 3 trojans at the end of its full scan. Of course then removed them. Restarted the laptop booted to normal boot and still the damn thing was there. Back to my google searches on my own laptop a lot of "how to remove pages" I found were saying to go into the registry and delete certain entries. Including some videos on youtube which seemed pretty good but I always try to avoid manually messing with the registry if I could help it. And since the virus changes its "police logo" depending on where it is it also changes it's file names it seems so no gaurantee what a webpage was telling me to look for would be the same on my cousins registry. Eventually found another program called ComboFix from the same people that made Rkill. Gave it a try and bam, the kidnapped laptop has been rescued. Checked the Msconfig start up list and all the dodgey looking items are gone. Ran another Malwarebytes and MSE and even another Combofix scan to be sure and none are picking up anything anymore. Just thought I'd post up my experience dealing with it in case anyone here bumps into it in the future and has problems trying to get rid of it. Of course I do mean if you have a friend or relation who gets their computer kidnapped by the ransomware and asks you for help. I doubt anyone here would accidently download something from a popup they didn't intend to d/l Edited July 24, 2012 by Mokong Link to comment Share on other sites More sharing options...
Sheikah Posted July 24, 2012 Share Posted July 24, 2012 lol, I'm amazed that some people do fall for such scams. Yeah your computer has been caught doing things illegal - pay us cash and it'll all go away! Link to comment Share on other sites More sharing options...
Mokong Posted July 24, 2012 Author Share Posted July 24, 2012 Haha, actually I never stopped to think if anyone has actually fallen for it and paid up. I bet there is someone out there .... wonder what state their comp is in today. Could imagine if it was someone who was doing something illegal like a pedophile, he gets this thing up and pays the fine and it goes away. Few days later while still going to his illegal sites the cops break down the door and arrest him. And he starts saying "but I paid the fine already" Haha, if that scenario ends up in the papers someday I will lol so hard Link to comment Share on other sites More sharing options...
Rummy Posted July 24, 2012 Share Posted July 24, 2012 Didn't we have a thread about this a while ago? I swear I remember reading about it somewhere, coulda sworn it was on here? Link to comment Share on other sites More sharing options...
Mokong Posted July 25, 2012 Author Share Posted July 25, 2012 Didn't we have a thread about this a while ago? I swear I remember reading about it somewhere, coulda sworn it was on here? I did check before starting this... but I didn't see anything Link to comment Share on other sites More sharing options...
Rummy Posted July 25, 2012 Share Posted July 25, 2012 http://n-europe.com/forum/showthread.php?t=33175&highlight=ukash :p! Still, it's good to keep it fresh, it's a particularly sly virus in how it preys on people, not to mention from what I hear quite the little bastard to get shot of! Fortunately, I've never had to deal with it. Link to comment Share on other sites More sharing options...
Mokong Posted July 25, 2012 Author Share Posted July 25, 2012 Ah crap and now I do remember reading that thread. Ah well it was over 6 months ago And I guess that answers my question at the start of the first post so Also I can't believe this but my cousin came back today. This is just too bloody unreal, but they picked up the virus AGAIN Apparently yesterday evening when his wife got the laptop back she went right back to the last site she was on when it first got infected Filipino TV video site or something. Thing is I did update MSE before giving it back to them so no idea how it wasn't picked up.... unless she maybe clicked on something and maybe MSE tossed up a message which was ignored Or maybe MSE don't yet have a definition update for the Irish "strain" of this virus yet? "Luckily" though as it was now just the one virus on it and not the 6 or 7 that was on it aswell the first time they gave me the laptop it was easier to spot the start up program in Msconfig when I booted to safe. Took a guess on the one item, turned it off and rebooted and I was right first time. The "main" .exe file was at c:\doc & settings\all users\app data\tqixkcio.exe in App Data also found an unknown file type with the name rvywluobksawjqf And a folder called "odcbstqwsfvvotx" which contained all the image and data files for the dummy "Police page" that locks the computer as seen in my first post and also a 2nd .exe found at c:\docs&settings\username\ms.exe All were created last night at half 10 so at least I know this was a new instance and not something I didn't remove yesterday afternoon I tried scanning the .exe files individually with MSE but it didn't pick them up as a threat. So again either MSE doesn't have a definition for this strain (apparently it picks up the US one) or I guess maybe the virus has a way of tricking MSE? I suppose I could have just deleted those files/folders but thought I'd try Malwarebytes again even though it didn't find it yesterday, figured since I know what files I want it to find I wanted to see if it would find those or find other files. It did indeed find and remove the files I mentioned above. The start up item was still showing in Msconfig but it vanished after using a registry cleaner. And the files are now gone from App data and user folders. And it of course not happening aymore again. Will probably leave Malwarebytes on his laptop this time just in case. And told him to get her to find a new site to watch her filipino tv from Anyone know if that and MSE ever have any conflicts if they are both on the one computer? Link to comment Share on other sites More sharing options...
Rummy Posted July 26, 2012 Share Posted July 26, 2012 Not in any way related/an answer to your question, but the way you describe things would worry me about ghosts in the machine eventually. Could be worth doing a system restore(if it isn't too much) and putting some good security on there(no idea what I mean by 'good' mind) Link to comment Share on other sites More sharing options...
Mokong Posted February 14, 2013 Author Share Posted February 14, 2013 BUMP Just spotted on the news the gang behind this virus were caught and arrested last night http://news.yahoo.com/spain-busts-ransomware-cybercrime-gang-201859529.html Link to comment Share on other sites More sharing options...
Rummy Posted February 14, 2013 Share Posted February 14, 2013 At least a million euros a year, damn. Without getting too conspiratorial, it makes you wonder what all that might be funding too. Link to comment Share on other sites More sharing options...
Mokong Posted February 14, 2013 Author Share Posted February 14, 2013 At least a million euros a year, damn. Without getting too conspiratorial, it makes you wonder what all that might be funding too. Probably some of the stuff their ransomware accused their victims of doing Link to comment Share on other sites More sharing options...
Recommended Posts