Police ransomware, I'm back to the desktop but still having issues.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Drayden, Jan 9, 2014.

  1. Drayden

    Drayden Private E-2

    Hi,

    I was infected with the Police ransomware Trojan, the Department of Homeland Security version. My screen was locked, displaying the ransom screen with the fine to be paid via MoneyPak; the one described in this link:

    http://www.bleepingcomputer.com/virus-removal/remove-homeland-security-ransomware

    I could not boot to safe mode and I don't have access to the Windows install disks in order to run Windows recovery.

    I tried to use HitmanPro Kickstart to recover without success. My laptop would not boot with this method.

    I used Kaspersky Rescue Disk and was able to unlock the ransom screen and boot into Windows. I then ran a scan with Malwarebytes Anti-Malware and my Symantec Endpoint Protection antivirus and both came up clean.

    This was several weeks ago. I thought everything was ok but then I began to notice different windows errors.

    1. I cannot update the virus definitions of my anti-virus SW.
    2. I cannot perform a Windows Update.
    3. I can't turn on my BT adapter. I've never used it on this laptop and only discovered it when I recently tried to use it.
    4. Recently, when I open Outlook I get a popup asking to redirect to a website to auto-update my user settings. The site is one I recognize as my work, so I try to allow it, but it does not respond.

    So I'm assuming I'm either still infected or that the original infection and subsequent removal left me with an unstable operating system. So......

    I started with the "read and run me first" thread here on Major Geeks and then on to the Windows 7 specific cleaning instructions. I got as far as the step to disable UAC. I disabled UAC via the Control Panel and then rebooted. When it came back up, the original ransomware screen came back and I was again locked out.

    I was again able to restore access using Kaspersky rescue disc. Again I started with "read and run me first" and this time I was able to get through all the instructions to the end and run logs. This time however when I got to the step asking to disable UAC, it was already reporting as disabled.

    I'm currently able to boot and use my laptop as before, with the same issues of not being able to update definitions/Windows or change some system settings.

    System info:
    Lenovo W520
    Windows 7 Enterprise Service Pack 1 64-bit
    Symantec Endpoint Protection

    I'd just like to say in advance...

    Thank you all at Major Geeks for the great work you guys do! I realize that sometimes all that can be done is reformat and reinstall. In fact, until I came across your site, it's what I'd do if I even suspected an infection. But after stumbling across your site I've been able to recover my Dad's computer several times using just the steps outlined here in the forums (he gets infected often). But this time it's mine and I need a bit more help.

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run Hitman Pro and have it remove the Potentially Unwanted Program. (Softonic item)


    Are you deliberately set up to use a proxy? If not then please include it in the fix below:


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (10.10.40.10:80 [Country: (Private Address) (XX), City: (Private Address)]) -> FOUND
    • [HJ DLL][SUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (C:\PROGRA~3\hlcbj6flc.pss [x]) -> FOUND
    • [HJ DLL][SUSP PATH] HKLM\[...]\CS001\[...]\Parameters : ServiceDll (C:\PROGRA~3\hlcbj6flc.pss [x]) -> FOUND
    • [HJ DLL][SUSP PATH] HKLM\[...]\CS002\[...]\Parameters : ServiceDll (C:\PROGRA~3\hlcbj6flc.pss [x]) -> FOUND
    • [HJ DLL][SUSP PATH] HKLM\[...]\CS003\[...]\Parameters : ServiceDll (C:\PROGRA~3\hlcbj6flc.pss [x]) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Did you deliberately set this restriction yourself?

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\Users\drollf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hlcbj6flc.lnk
    C:\ProgramData\hlcbj6flc.bxx
    C:\ProgramData\hlcbj6flc.fvv
    C:\ProgramData\hlcbj6flc.reg
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.




    Download Cleano 0.61

    Download it to your desktop, Right click the cleano.exe file and run as admin > and place check marks in the boxes as follows (click on link below to see image)

    View attachment 148092
    Click clean now and exit the program.



    Please uninstall older Java versions:
    • J2SE Runtime Environment 5.0 Update 18
    • Java 2 Runtime Environment, SE v1.4.2_12
    • Java(TM) 6 Update 13

    and install the latest


    Please download AdwCleaner by Xplode http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

    • Double click on AdwCleaner.exe to run the tool.
    • Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.


    Re-run RogueKiller (just a scan) and attach the log.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows 7 or Win 8.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
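    As an added, read-only check (not part of this thread and not code from RogueKiller, OTM, HijackThis or MGtools), the PowerShell below enumerates the same locations the fix above targets and prints what it finds, so the output can be compared against the RogueKiller and HijackThis entries: the per-user ProxyServer value, every svchost ServiceDll across all ControlSet keys (the thread shows CCSet/CS001..CS003 all carrying the same C:\PROGRA~3\hlcbj6flc.pss path), .lnk files in both Startup folders, loose files in the root of C:\ProgramData, and the HKLM Internet Explorer Control Panel policy key behind the O6 entry. It goes a little beyond the thread by scanning every control set and both Startup folders rather than the specific entries listed. The function name Get-RemnantFindings and the "suspicious ServiceDll" heuristics (outside %SystemRoot%, 8.3 short path, non-.dll extension) are my own assumptions, not a rule of any tool; legitimate third-party services can trip them, so treat a hit as something to review, not something to delete.

```powershell
# Added read-only audit example (not from the thread or its tools).
# Reports the locations the cleanup above touched; it deletes and changes nothing.
# Run from an elevated PowerShell prompt; written to work on Windows 7's PowerShell 2.0 and later.

function Get-RemnantFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($check, $location, $value, $note) {
        $findings.Add((New-Object PSObject -Property @{
            Check = $check; Location = $location; Value = $value; Note = $note }))
    }

    # 1. Per-user proxy (RogueKiller's [PROXY IE][PUM] detection). A proxy nobody configured
    #    on purpose is what kept AV definitions and Windows Update from reaching the internet.
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyServer) {
        Add-Finding 'Proxy' $inetKey $inet.ProxyServer "ProxyEnable=$($inet.ProxyEnable); confirm you set this yourself"
    }

    # 2. svchost-hosted services: ServiceDll lives under <service>\Parameters. Checked in every
    #    ControlSetNNN (CurrentControlSet is a link to one of them), as the RogueKiller list showed.
    #    Heuristics are assumptions: a real DLL normally sits under %SystemRoot% with a .dll extension.
    Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' } | ForEach-Object {
        $csName = $_.PSChildName
        Get-ChildItem "$($_.PSPath)\Services" -ErrorAction SilentlyContinue | ForEach-Object {
            $svcName = $_.PSChildName
            $params = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
            if ($params -and $params.ServiceDll) {
                $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
                $reasons = @()
                if ($dll -notlike "$env:SystemRoot\*")        { $reasons += 'outside %SystemRoot%' }
                if ($dll -like '*~*')                         { $reasons += '8.3 short path (e.g. PROGRA~3)' }
                if ([IO.Path]::GetExtension($dll) -ne '.dll') { $reasons += 'non-.dll extension' }
                if ($reasons.Count -gt 0) {
                    Add-Finding 'ServiceDll' "$csName\Services\$svcName\Parameters" $dll ($reasons -join ', ')
                }
            }
        }
    }

    # 3. Startup-folder shortcuts (the infection above relaunched from a .lnk in the user's Startup folder).
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            Add-Finding 'StartupShortcut' $_.FullName $target 'review the target; Startup .lnk files run at every logon'
        }
    }

    # 4. Loose files directly in %ProgramData% (the thread's leftovers were hlcbj6flc.bxx/.fvv/.reg/.pss there).
    #    Normally only subfolders live at that level, so any file is worth a look.
    Get-ChildItem -Path $env:ProgramData -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            Add-Finding 'ProgramDataFile' $_.FullName $_.Length 'loose file in %ProgramData% root'
        }

    # 5. The IE Control Panel policy key reported as HijackThis O6. Present by design on
    #    IT-managed machines (Group Policy); unexpected on a home PC.
    $polKey = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    if (Test-Path $polKey) {
        $names = (Get-Item $polKey).GetValueNames()
        if ($names.Count -eq 0) {
            Add-Finding 'IEPolicy' $polKey '(key present, no values)' 'O6 entry; ask whoever administers the machine'
        }
        foreach ($n in $names) {
            Add-Finding 'IEPolicy' $polKey "$n=$((Get-Item $polKey).GetValue($n))" 'O6 entry; ask whoever administers the machine'
        }
    }

    return $findings
}

$results = Get-RemnantFindings
if ($results.Count -eq 0) { 'No findings in the audited locations.' }
else { $results | Select-Object Check, Location, Value, Note | Format-Table -AutoSize -Wrap }
```

    Because the script only reads, it is safe to run before and after a cleanup to confirm that the proxy value, the rogue ServiceDll and the Startup shortcut are really gone from every control set, which a single RogueKiller pass on CurrentControlSet alone would not prove.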
  3. Drayden

    Drayden Private E-2

    Hi Kestrel13!,

    Thanks so much for your help.

    I ran through all your instructions without issue. My laptop seems to be running much better now. Symantec LiveUpdate updated automatically without my prompting it and now reports the latest definitions. Windows updated automatically as well. My Outlook is no longer asking me to redirect either. I haven't tried to enable my Bluetooth adapter yet, but I have a hunch it'll be a go as well.

    I didn't install the Java update yet, I wanted to verify with you first that it is the correct version. The link you provided takes me to a 32-bit version and I'm running 64-bit. I realize that it doesn't always matter with the 64-bit OS, but I'd like confirmation before proceeding.

    As far as I can tell from the log file, AdwCleaner didn't find anything. Certainly nothing I'd be interested in saving.

    I've attached the log files requested in the instructions and eagerly await your reply. :)

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi Drayden. :)

    Here is the link for the 64-bit version. My apologies.


    Don't forget to answer my question:

    Did you deliberately set this restriction yourself?

    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     
  5. Drayden

    Drayden Private E-2

    Hi Kestrel13!,

    The simple answer is, no I did not set the restriction. However, the long answer is...

    ...it may be legitimate. I'm a contract engineer and the laptop is supplied to me and was configured by the IT dept. The laptop came pre-installed with a VPN client that I uninstalled as I have no use for it. My situation is that I'm a resident at another company because we are a third-party supplier. I'm the only one here that represents the company I contract for. Because of this I never have a reason to connect to the network of the company (I contract for) that this laptop was configured for. The company we supply to has a contractor access point that I use to get internet connectivity. I also work from my home connection.

    My question is...
    What is the restriction? If it's legitimate then we can just leave it be, as it has never kept me from doing the work I need to do. Obviously, if it's potentially malicious I'd like to get rid of it. If it's unclear I could contact IT and find out. The problem is it might take a while; it's the same reason I'm here for help: I can't afford a week plus without my laptop while it's shipped back to get worked on.

    I did install the 64-bit version of Java.

    I got some work done last night and then this morning and she's runnin' great! I have to say the service you guys provide is spot on. I test SW for a living, so I think I have a handle on noticing "buggy" OSs. I won't bore you with all the "little things" that are now gone as well.

    Did the logs I attached in my last reply reveal any lingering issues? If so, I'm not seeing any effects.

    Thanks,
    Drayden
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It means an administrator made alterations to Internet Explorer options, or the home page, by changing certain settings in the registry.

    Glad everything is running well for you now. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  7. Drayden

    Drayden Private E-2

    Hi Kestrel13!

    Once again, THANK YOU!

    I've completed the steps in your last post and read through the link you posted for "How to Protect yourself from malware!"

    My laptop is running flawlessly! :)
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am so glad to hear that. :)
     
