How-To Geek Forums / Windows XP

(Solved) - ukash police scam

(12 posts)
  • Started 2 years ago by GuiltySpark
  • Latest reply from pauldwaite
  • Topic Viewed 6929 times

GuiltySpark
Posts: 4024

Hi all,

My friend was telling me he has a virus on his system; it's called the "West Yorkshire Police Ukash" virus.

I had a look at it briefly and realised it was a lot like the old "Met Police scams", only the difference is this one locks you out of your system completely. Safe Mode was hit and miss (one minute it would work, the next???).

I didn't have my tools with me to attempt to bypass it, and after doing some checking online the virus apparently cannot be detected by AV or AS programmes and subsequently shuts down their access.

I have yet to get my "fingers dirty" with this (in a couple of days I might get the chance), but was wondering if anyone else had come across this and, if so, what method you used to remove it?

Posted 2 years ago
 
Xhi
Posts: 6298

I have not run across this, but I would be inclined to try Windows Defender Offline and/or Kaspersky Rescue Disk. These both run from outside Windows and may be able to clear the problem.

Posted 2 years ago
 
GuiltySpark
Posts: 4024

Yeah Xhi, those are some of the things I've got in my arsenal, but I was a little worried about the fact that it can stay undetected from AVs and ASs due to its random file names.

Posted 2 years ago
 
Xhi
Posts: 6298

You won't know unless you try. AVs do not depend on file names; they depend on bit patterns in files.

Posted 2 years ago
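Xhi's point that detection keys on file content rather than file names is easy to see with a small content-based scanner. This is an added illustration, not code from the thread or from any AV vendor: the "signatures" are constructed marker strings, the sample files are generated in a temporary directory under random names, and the files are renamed between two scans to show that the name plays no part in the match.

```python
"""Content-based signature scan: detection keys on byte patterns, not filenames.

Added demonstration (not code from the forum thread). The signatures below are
CONSTRUCTED marker strings, not real malware patterns; the scanner shows why a
file with a random name is still detected when its contents match.
"""
import hashlib
import os
import random
import string
import tempfile
from typing import Dict, List, Tuple

# Constructed demo signatures (name -> byte pattern). Real engines use far
# richer patterns (offsets, wildcards, hashes, emulation), but the principle
# is the same: the match is made on file content, never on the file name.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Lockscreen.A": b"CONSTRUCTED-DEMO-PATTERN-A",
    "Demo.Disabler.B": b"CONSTRUCTED-DEMO-PATTERN-B",
}


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so hits can be reported by content hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of every signature whose pattern occurs in the data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def scan_file(path: str, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    with open(path, "rb") as f:
        data = f.read()  # demo only; a real scanner streams large files
    return scan_bytes(data, signatures)


def scan_tree(root: str, signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[str, List[str], str]]:
    """Walk a directory; report (path, matched signatures, sha256) for each hit."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            matched = scan_file(path, signatures)
            if matched:
                hits.append((path, matched, sha256_of(path)))
    return sorted(hits)


def random_name(ext: str) -> str:
    """Random 8-character name, standing in for the random file names the thread mentions."""
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ext


def demo() -> Tuple[List[str], List[str]]:
    """Plant constructed samples under random names, scan, rename them all, scan again.

    Returns the matched signature names before and after the rename so the
    caller can see that the filename played no part in detection.
    """
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, random_name(""))
        os.makedirs(sub)
        # Constructed sample files: two carry a marker, one is benign.
        samples = {
            os.path.join(root, random_name(".exe")):
                b"MZ\x90\x00" + b"\x00" * 64 + SIGNATURES["Demo.Lockscreen.A"] + b"\x00" * 16,
            os.path.join(sub, random_name(".dll")):
                b"MZ\x90\x00" + SIGNATURES["Demo.Disabler.B"],
            os.path.join(root, "notes.txt"): b"a perfectly ordinary text file",
        }
        for path, content in samples.items():
            with open(path, "wb") as f:
                f.write(content)

        before = [sig for _p, sigs, _h in scan_tree(root) for sig in sigs]

        # Rename every file to a fresh random name: content is unchanged.
        for path in list(samples):
            os.rename(path, os.path.join(os.path.dirname(path), random_name(".tmp")))

        after = [sig for _p, sigs, _h in scan_tree(root) for sig in sigs]
    return sorted(before), sorted(after)


if __name__ == "__main__":
    b, a = demo()
    print("before rename:", b)
    print("after rename: ", a)
```

The caveat the thread circles around still holds: a scanner like this only catches content it has a pattern for, so a sample the vendor has not yet seen, or one that rewrites itself on each install, slips past static matching. That is why the advice in this thread to scan from a rescue disc (where the infection cannot hide from or disable the scanner) and to update definitions first matters more than the file names involved.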
 
GuiltySpark
Posts: 4024

But AVs do check the Registry, right?

And I have a feeling this may be the root cause of the virus, which, if I can get into the OS (eventually), I'm going to have to go through with a fine-tooth comb :(

And if the reg has a random file/reg name, it would always have the ability to resurrect itself.

I'm not going to enjoy this one. But I do enjoy 'sussing' them out.

Posted 2 years ago
 
Xhi
Posts: 6298

You are giving too much credit to the offender and not enough credit to the good guys. If it were as simple as you say, none of these viruses could be fixed.

Posted 2 years ago
 
GuiltySpark
Posts: 4024

True, either way I'll update this thread when the time comes :)

Posted 2 years ago
 
GuiltySpark
Posts: 4024

Forgot about this thread :)

OK, here's how you can go about beating it if you ever find yourself locked out of the system.

1. Download a rescue disc (I used Avira rescue and recovery, but any bootable version should work).

2. Update (this is important, as the virus works as a backdoor for other Trojans).

3. Run full scan.

At this point I noticed about 28 serious alerts, the reason being the machine was left hooked up to the net.

4. After scan you will have to restart your system.

5. Because of what I noticed in the alerts, I decided to turn off System Restore as they were infected.

6. If you have a decent anti-spyware programme installed, now's the time to use it. I used SuperAntiSpyware; at this point I couldn't update it, so I just ran a full scan.

Programme picked up a number of Disablers, including:

Task.Disabler = disables Task Manager.

Security.Disabler = disables AV software.

Rebooted machine.

Unfortunately I still couldn't get into the Registry, so I restarted in Safe Mode, but Safe Mode froze up, so I restarted the machine normally. Used the Run box to bring up "msconfig" and selected SafeBoot (if you have the same problem, in NO WAY TRY THIS, for reasons you will understand shortly).

Restarted the machine, waited for it to go to the Advanced Options menu so I could select Safe Mode (it would not do it on its own), selected it and it started to go through the usual safe process; then when it came to loading Windows it stopped and restarted. Now this loop went on and on and I could not get round it, so I tried to boot from an install disc to see if I could get into the desktop that way (to disable SafeBoot). No chance.

So I had no way to get into the registry. (I knew what files I had to look for in case I had to manually delete them.)

Anyway, to cut a long story short, it was decided that a clean install was the easiest solution.

So if you ever get this virus and it locks you out, first disconnect from the internet (remove the internet cable), and gather your bootable and USB virus tools, then use them, attach the network cable and update (if necessary).

Otherwise your machine will be absolutely buggered.

Posted 2 years ago
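The SafeBoot loop GuiltySpark hit is recoverable without a clean install once you can reach the disk from a rescue environment: on Windows XP, ticking SafeBoot in msconfig writes a `/safeboot` switch onto the OS entry in `boot.ini`, and if Safe Mode then cannot complete, the machine restarts into the same entry forever. Removing that switch restores the normal boot path. The script below is an added example, not from the thread or from Microsoft; it assumes an XP-style `boot.ini` (Vista and later keep the equivalent setting in the BCD, which it does not touch) and works on a constructed sample file, keeping a `.bak` copy before rewriting anything.

```python
"""Detect and remove the /safeboot switch that msconfig's SafeBoot option adds
to an XP-era boot.ini.

Added example (not from the forum thread). Assumes an XP-style boot.ini, which
msconfig edits in place; Vista and later keep the equivalent setting in the BCD
and are out of scope here. The sample below is CONSTRUCTED.
"""
import os
import re
import shutil
import tempfile
from typing import List, Tuple

# Matches "/safeboot", "/safeboot:minimal", "/safeboot:network",
# "/safeboot:minimal(alternateshell)" etc., together with the whitespace before it.
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::\S+)?", re.IGNORECASE)

# Constructed sample: what boot.ini looks like after msconfig's SafeBoot box is ticked.
SAMPLE_BOOT_INI = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\r\n"
    "[operating systems]\r\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional"'
    " /noexecute=optin /fastdetect /safeboot:minimal\r\n"
)


def _is_section(line: str) -> bool:
    return line.startswith("[") and line.endswith("]")


def find_safeboot_entries(text: str) -> List[str]:
    """Return every [operating systems] entry that carries a /safeboot switch."""
    hits, in_os = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if _is_section(line):
            in_os = line.lower() == "[operating systems]"
            continue
        if in_os and SAFEBOOT_RE.search(line):
            hits.append(line)
    return hits


def strip_safeboot(text: str) -> str:
    """Return boot.ini text with /safeboot removed from every OS entry.

    All other lines, including the [boot loader] section, pass through untouched;
    the file's original line ending style is preserved.
    """
    newline = "\r\n" if "\r\n" in text else "\n"
    out, in_os = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if _is_section(line):
            in_os = line.lower() == "[operating systems]"
        elif in_os:
            raw = SAFEBOOT_RE.sub("", raw)
        out.append(raw)
    return newline.join(out) + newline


def repair_boot_ini(path: str) -> bool:
    """Rewrite boot.ini without /safeboot, keeping a .bak copy.

    Returns True if an entry was changed. From a Linux rescue disc the file's
    hidden/system/read-only attributes do not get in the way; on Windows clear
    them first (attrib -r -s -h boot.ini).
    """
    with open(path, "r", encoding="latin-1", newline="") as f:
        original = f.read()
    if not find_safeboot_entries(original):
        return False
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="latin-1", newline="") as f:
        f.write(strip_safeboot(original))
    return True


def demo() -> Tuple[bool, List[str], List[str]]:
    """Write the constructed sample to a temp dir, repair it, report the outcome."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "boot.ini")
        with open(path, "w", encoding="latin-1", newline="") as f:
            f.write(SAMPLE_BOOT_INI)
        before = find_safeboot_entries(SAMPLE_BOOT_INI)
        changed = repair_boot_ini(path)
        with open(path, "r", encoding="latin-1", newline="") as f:
            after = find_safeboot_entries(f.read())
        changed = changed and os.path.exists(path + ".bak")
    return changed, before, after


if __name__ == "__main__":
    changed, before, after = demo()
    print("entries with /safeboot before:", before)
    print("repaired:", changed, "entries with /safeboot after:", after)
```

Run it from a rescue environment against the real file (for example `repair_boot_ini("/mnt/windows/boot.ini")` once the system partition is mounted) and the next boot goes back to the normal entry, at which point the offline scan results and the anti-spyware pass described above can be acted on. None of this removes the infection itself; it only undoes the self-inflicted boot loop so the cleanup tools can be used.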
 
CompWiz
Posts: 864

Not sure if you've seen this..

http://www.2-spyware.com/remov.....ukash.html

Posted 2 years ago
 
GuiltySpark
Posts: 4024

@ CompWiz,

Yeah, I have, but as I say I couldn't get into the comp to use it, as the system was badly infected.

Posted 2 years ago
 
CompWiz
Posts: 864

Haven't encountered it yet. It does seem pretty harsh. But I guess you made a wise decision in wiping and re-installing the OS.

Posted 2 years ago
 
pauldwaite
Posts: 1

Microsoft’s own Windows Defender Offline (http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline) sorted it for me.

You need a blank CD or a USB drive to create the boot disk, but the process was very simple, and it worked a treat.

Posted 2 years ago

Topic Closed

This topic has been closed to new replies.