PC is locked by Police Virus * Help Needed


  • henm2 Posts: 160
    Forum Member
    For good free imaging software try clonezilla
    http://clonezilla.org/
    For how to use it www.dedoimedo.com/computers/clonezilla.html
  • Sexbomb Posts: 20,005
    Forum Member
    Just got this myself now, explorer went for 10secs then the massive criminality picture all over my screen :mad::mad:

    I managed to do a system restore and just done a Malwarebytes scan but nothing has happened so far.

    Files Detected: 1
    C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad (Exploit.Drop.GSA) -> Quarantined and deleted successfully.
  • GoodBuddy Posts: 2,211
    Forum Member
    Sexbomb wrote: »
    Just got this myself now, explorer went for 10secs then the massive criminality picture all over my screen :mad::mad:

    I managed to do a system restore and just done a Malwarebytes scan but nothing has happened so far.

    Files Detected: 1
    C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad (Exploit.Drop.GSA) -> Quarantined and deleted successfully.

    Which site infected you?
  • Grouty Posts: 33,943
    Forum Member
    henm2 wrote: »
    For good free imaging software try clonezilla
    http://clonezilla.org/
    For how to use it www.dedoimedo.com/computers/clonezilla.html

    I just used the inbuilt one Win 7's got to do mine :)
  • PES 2009 Posts: 1,146
    Forum Member
    I've just purposely infected my PC with the Ukash Police Ransomware Virus.

    Sure enough Windows XP no longer boots, and safe mode also does not boot.

    I'm running Ubuntu Live CD so will have a nosey around on my hard disk to see what has changed.

    The file wgsdgsdgdsgsd.dll has appeared in my Documents and Settings folder.
  • PES 2009 Posts: 1,146
    Forum Member
    Deleted file wgsdgsdgdsgsd.dll in Ubuntu and restarted PC, Ukash Police Ransomware hijack screen no longer present in Windows XP.

    Running Malwarebytes.
  • max99 Posts: 9,002
    Forum Member
    PES 2009 wrote: »
    Deleted file wgsdgsdgdsgsd.dll in Ubuntu and restarted PC, Ukash Police Ransomware hijack screen no longer present in Windows XP.

    Running Malwarebytes.

    Check this entry via Regedit:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe

    The newer versions of this malware will modify explorer.exe to the randomly named infected file. It looks as though your variant didn't do that. The older versions would simply drop an infected file(s) in various folders and run it on start-up. It will be interesting to see exactly what your version has done altogether.
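
The Winlogon Shell check suggested in the post above can also be done offline against an exported `.reg` file. This is an added example, not code from the thread: the function names and the sample exports are constructed, and it reports anything other than the default `explorer.exe` quoted above, including extra comma-separated entries.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"  # default value quoted in the thread

# Constructed sample exports (regedit text format); not taken from a real machine.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\All Users\\Application Data\\example_random.exe"
'''

def read_shell_value(reg_text):
    """Return the Winlogon Shell string from export text, or None if absent."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: track whether we are inside the Winlogon key.
            in_key = line[1:-1].lower() == WINLOGON_KEY.lower()
            continue
        if in_key:
            m = re.match(r'^"Shell"="(.*)"$', line, re.IGNORECASE)
            if m:
                # .reg string values escape backslashes and quotes with a backslash.
                return re.sub(r"\\(.)", r"\1", m.group(1))
    return None

def check_shell(value):
    """Return a list of findings; an empty list means the value is the default."""
    if value is None:
        return ["Shell value missing from Winlogon key"]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return ["Shell value is empty"]
    # Every entry must be exactly the default; anything else needs review.
    return [f"unexpected shell entry: {e}" for e in entries
            if e.lower() != EXPECTED_SHELL]

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(name, check_shell(read_shell_value(text)) or "OK")
```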
  • PES 2009 Posts: 1,146
    Forum Member
    max99 wrote: »
    Check this entry via Regedit:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe

    The newer versions of this malware will modify explorer.exe to the randomly named infected file. It looks as though your variant didn't do that. The older versions would simply drop an infected file(s) in various folders and run it on start-up. It will be interesting to see exactly what your version has done altogether.

    Regedit seems fine now, pointing at the right file.
  • PES 2009 Posts: 1,146
    Forum Member
    Malwarebytes detected 2 files which were deleted.

    dsgsdgdsgdsgw.pad
    runctf.lnk

    PC is now virus free, highly recommend Ubuntu Live CD as a way of dealing with this Police Ransomware Virus.

    http://www.ubuntu.com/download/desktop
  • clarribo Posts: 6,258
    Forum Member
    I have been infected with this today at work (so no, I was not looking at anything dodgy). I'm waiting for someone to come and sort it out now. I work for a big company, so guessing this is able to bypass virus scans.
    Sorry if this has been answered, but how does it get on a computer? I haven't downloaded anything out of the ordinary.
  • Stig Posts: 12,446
    Forum Member
    clarribo wrote: »
    Sorry if this has been answered, but how does it get on a computer? I haven't downloaded anything out of the ordinary.

    I've seen it get on a PC just browsing sites like DS. I think it gets introduced into ads somehow.
  • joe-media Posts: 225
    Forum Member
    I encountered this virus, known as the 'Reveton' ransomware, on a client's laptop last week, which was running Windows Vista SP2.

    I had to use another laptop to download Avira Rescue disk, as I could not access Explorer or the registry as there were no other accounts to use. Safe mode was also affected both with and without networking.

    I burned this to disk, creating a rescue disk, and tapped F10 on the affected machine (your mileage may vary, as most laptops have a different boot menu key). The program then launched so I updated the definitions and did a scan. It found and removed the Reveton ransomware and I rebooted straight back to the desktop in Safe mode with networking.

    I then downloaded Malwarebytes and did a scan; this found some further trojans. I then rebooted into normal mode and thus everything was fine. I then proceeded to update AVG (which was already present on the PC), but that didn't find anything.

    The client also says that it has not reappeared since I removed it.

    I know that you can muck about in the registry but I would rather use a dedicated program to ensure that everything possible has been removed. Always good to check with another program too at the end.