UKASH infection

Hi and thanks in advance for any help you can offer. my son came home from Uni for the weekend and has clicked on some link which has brought me a Ukash infection. I have previously removed another infection with the procedures on MG, but with this one I cannot gain access to the computer to start the process. On startup I get the blue screen of death and the PC immediately reboots so that I cannot read the dump message. I have tried "Del at Startup" but in the Boot section I cannot find an auto restart to disable. Pressing F8 at startup only gives me a menu of drives to boot from.
The PC is Fujitsu Siemens running Windows XP home and its genuine (I know it's old, but it works, well it did )

Any help to get into it and clear teh virus gratefully received.
Alan

 

Thanks. Downloaded the files to the USB and booted the infected PC from it - waiting with bated breath to see what happens.
I'll let you now how it goes.

 

Not too well so far, actually. Got the Kaspersky menu screen and selected the Graphic rescue mode, but then the screen goes black and it just sits there, hard drive running, but noithing appearing to happen. I left it for a couple of hours like that, but nothing ever seemed to happen.

 

No. Just constantly reboots like normal mode. I just tried malwarebytes hitmanpro kickstart which also loads up and presents a menu, but the keyboard won't type so I can choose an option.

 

The keyboard works as the PC boots so that it accepts the F8 command to select the boot from USB option. Once it boots up and the hitmanpro menu appears, the PC won't recognise the fact that I press 1 to select that option from the menu, or the Enter key to run the default option. Until I get to a GUI screen, I don't know if the mouse works or not. When I booted form the Kaspersky, the keyboard worked so that I could move up and down the menu and select the option, but the PC just sat there after that.
I can't run anything except whe the PC boots from the USB or CD. I have just managed to boot from the recovery CD which came with the PC and the keyboard allows me to select R for the recovery console, but I don't know if that will help. I just did a DIR command in DOS and got "An error occurred during directory enumeration" Can I run any of the programs you mentioned from the recovery console?
Thanks for trying to help.
Alan

 

A little more progress. The keyboard not working seems to be not always the case. After running the recovery console, although I couldn't find anything useful to do with it, the keyboard would let me select option 1 "Bypass master boot record". Unfortunately, this did not appear to work and the PC went back to continuous rebooting after a few seconds. During these reboots I press F8 and boot from the USB to try again, but the keyboard again doesn't work until I cycle power to the PC, then, after a rest, it will work again. (It's a USB keyboard, by the way - I can't see a conventional socket to replace it).
When I select option 1, I get 2 message lines - "hitman pro kickstart booting" and "MBR read" then it reboots as before. Trying option 2 adds "starting bootcode" then PC restarts goes back into constant reboots. option 3 displays as per option 1 and then system reboots before going bac into the constant rebooting.
Going back to try the Kaspersky again.
Alan

 

Aha - now the Kaspersky gets to the menu screens and I have selected the "risk of file damage" options. Completed first stage and now scanning files, although I can't connect to teh wireless so haven't updated the database yet. Will try to find the cable and connect that way. But at least it's progress!

 

Wireless network now reconnected and database updated. Virus scan completed and nothing found with bootsector and hidden startups checked. Now rerunning adding C; to the list.
53 minutes to go - will let you know what happens.
Alan

 

Scan complete. Nothing found!
Restarted and got same flash of BSOD followed by rebooting.

 

Hi, and thanks for your continuing help.
OK,I got the AVG rescue USB and have booted form it and run the scan option. There are two volumes, apparently, scanning one...
After a few minutes,it reaches 14% and then in the grey square it displays,
/mnt/sdc1/documents and settings/all users/application data/avg2013/ids/quarantine/c97437e8-02a3-47d0-8736-d15caf6185b1.zip Passsword-protected.

Shortly thereafter, text appears in a black bakground badly wrapped across the screen which says
Processing Command line...successfully; the faulting process should now crash
Cfg file not specified using opt/avg/av/cfg/diagcfg.xml.
Preparing output directory....
Failed to create diag temp/tmp/897819f4-06b3-4a33-8354-97af699b5369. Error code: 0xe00

Pressing return shows "Info: There are no infected files"

Scanning the other has much the same effect except that the text displays "

Processing command line...all transactions have been performed successfully; failed with error (e001930e)
Cfg file not specified using opt/avg/av/cfg/diagcfg.xml.
Preparing output directory....
Failed to create diag temp/tmp/3a980fad-2dc4-4082-b726-44ba9a022453. Error code:0xe002001c"
and then
"There are no infected files"
only gets to 14% in either volume. Different scan option selections appear to produce different error messages, but they always crash at 14%.
I'll be out for a coule of days so it will be Thursday before I can try anything else.
Regards
Alan

 

Thanks, been away for a couple of days. I'll have a go at that tomorrow.
Alan

 

OK, that took a bit longer than planned. I thought it prudent, with all this going on, to take the AVG2014 update, which promptly locked out the wifi on the rescue computer! So I had to dig out an old laptop to investigate that - not easy as the "g" and "delete" keys don't work! Anyway, I finally managed to uninstall, delete and rid myself of enough traces of it to do a System Restore. That got me back online so that I could download your programme and burn the CD. It's just booting up on the infected PC now.
More news in a minute.

 

Clicked on the OTLPE icon, selected the C: drive.

"RunScanner Error - Target is not windows 2000 or later"

It is, it's XP Home SP2.
Tried using the explorer and selecting c: I get "C:\ is not accessible. The file or directory is corrupted and unreadable."

Repeated OLTPE icon - same result

 

Thanks! I'll be out for most of the day, but tomorrow I'll try and save data from it using the linux boot USB.

 

Woo Hoo! Progress. PC now boots windows normally until the virus kicks in and locks the screen.
Back to your first suggestion now, I'm guessing?

Many thanks for your help so far.
Alan

 

Thanks to chaslang.
When the PC rebooted it went straight to the hijaack screen, so I could do nothing with it.
I had the hitmanpro kickstart still on the USB so I thought I'd try that first. I've selected option 1 and it's just rebooting in Windows - we'll see what happens.
If that doesn't work then I'll try the kaspersky again.
Will keep you informed of progress.
Thanks again.

 

Ah well, so much for hitmanpro! It said it would take over from the virus after a few minutes, but that's 45 now and still nothing has happened. I'll reload the USB with kaspersky and see what happens there.

 

Kaspersky got as far as selecting "Rescue disk in Graphics mode", then just sat there with a black screen as it did previously. I can't seem to find th esequence of events which let it run after that before. In the meantime, I still have the OLTPE CD, so I'm giving that a go.
It has produced a logfile which I shall try to attach.

 

OLT.txt should be attached to this post.

 

the storm has knocked out my internet. I will do it when i can reconnect. Hopeful won.t be too long. From my phone

 

Thanks. No damage done, but the phone lines are still out. I've borrowed some wifi and have copied your code to a text file. I'll get it into OLT tonight and let you know what happens.
Thanks again.

 

Fantastic! Thank you so much.
PC rebooted after running your script and seems back to normal. I ran AVG2014 and it found the screenlock in the OLT moved files. Once the phone lines are back up I'll download and run the stuff in the Run & Read Me section.

The log file is attached.

Again very many thanks, I'd have been lost without you.

Now, just have to sort out the AVG2014 that screwed up the netbook!

Thannks and Best wishes.
Alan

 

Thanks once again. Th ephone lines are now restored and I've run the Run & Read Me section stuff. I've attached the logs in case they are of any use/interest.

 

Thanks agai. I've run roguliller and attached are the two logs generated.
As I need to reboot, I thought I'd post them now.
More shortly!

 

Rebooted PC.
Couldn't find any file called .plz
Have rerun Hitman and it reports "No Threats Found" but 11 traces, all of which were deleted. Couldn't see a 'repairs' tab, but the log is attached.
Now about to run Windows repair.

 

OK, thanks.
Windows repair finished and PC rebooted OK, firewall appears to be working OK.
Have run RogueKiller again, scan only and log is attached. Should I not do anything about the 'susp path' and the 2 'PUM' it found?
MGtools now run and log attached.

Thanks agan.

 

There's more? Only surprised because everything seems to be back to normal.
Yes, AVG firewall said it was working. Free period expires today so I'll reinstate the Windows one before I downloaded a new one.
Next steps? Bring it on! (Feeling confident now:-D)

Thanks again,
Alan

 

OK. All done.
Got rid of AVG and replacing it with avast. Downloading another firewall as I type.
Thanks once more for your help. I do hope I won't need to trouble you again, but as long as I have a student in the house...who knows what they'll be up to.