UKash Ransomeware

Happy Xmas guys.

It's a long shot that anyone will have time to help me right now, but here goes.

My Father's Vista PC has the Metropolitan Police Ukash ransomeware. It has locked him out completely. He is not at all computer literate, and is totally freaked. He lives 150 miles away, but I am going there tomorrow. I will be there for 24 hours, and need to get him up an running in that time.

Can anyone tell me what I should take with me? I'll be taking my own Vista laptop, and my Linux laptop, but are there any tools I should download now and have ready on USB or CD?

And any clues as to where I should start when I get there will e really helpful!

 

Hi Tim. I have managed a system restore from safe mode. I now have access to the machine in normal mode. Norton went a bit mental performing a fix and now thinks it is cool. Where should I go from here to ensure we are clean?

 

Tim. I suppose you are busy. I am proceeding with the standard malware removal process. I have downloaded all the tools except MG Tools. This tells me that I do not have permission to save in that location (root of C: drive). Is there a way to give myself administrator privileges, or do I just need to save it somewhere else?

Thanks so much for helping.

 

Tim

RK report hopefully attached. Am now going to run MWB.

 

MWB didn't find anything. Log attached.

 

TDSSKiller didn't find anything. Log attached.

 

And finally, Hitman Pro. Can't run MG tools without your advice (see above). Would be good to hear what you make of the logs. Only RK appears to have found something.

Hitman Pro log attached.

Thanks again.

 

Well, I've now re-booted and the machine appears to be working normally. Will be out for a few hours this evening, but will keep an eye here for your reply. Would like to leave here tomorrow confident that the machine is clean.

Thanks for your help.

 

Thanks Tim. Hope you are out of the snow now!

MGTools ran, but threw multiple errors saying that it couldn't create the MGlog.zip file.

It reported the file was there at the end, and a copy was on the desktop, but there was no such file.

I will only be here until about 11am GMT tomorrow. After that any further action would mean coaching my Dad through it, and that could be...challenging.

In the mean-time, normal Windows functionality appears to be restored.

 

I've manually zipped all the .txt files in the MGtools directory. Hope this is what you need. Otherwise, please shout.

 

Many thanks indeed Tim.

Sadly, I am now four hours drive away from the machine. Will it be safe to leave these final steps for a few weeks, or is it critical that I embark on the very considerable challenge of getting my elderly father to do it?

 

I'm afraid I haven't managed to get my Dad to do this. You can't quite imagine how hesitant he is, and it's hard over the phone - he is 90, so I suppose he has an excuse.

Could I perhaps send him the regedit text as an e-mail attachment, so he could just copy the whole document to his desktop, and run it?

 

Thanks Tim. I haven't actually attempted that with him yet. I gave up when we failed on the cut and paste from the web page. I am guessing he can just type those file names into the search box, and then delete.

 

Hi Kestrel13 - Tim wanted to delete a couple of folders as well as registry edit - that's what i was referring to with the search and delete.

I've sent the text file, and I'll be trying to get him to run it this evening. Fingers crossed.

 

Hi Tim
Tried the e-mail attachment. Windows mail blocked it to start with, so I renamed the file and then changed it back. We got it onto the desktop, but when he double clicked it the message was "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Any thoughts?

 

Any ideas guys?

 

Thanks for your help, Tim. I really appreciate it.