
Australian Federal Police (AFP) Ukash/ICSPA virus



NZHawk
22-05-2013, 12:54 PM
Windows 7
Infected with Australian Federal Police (AFP) Ukash/ICSPA virus.
Won't allow me into Safe Mode - stalls at ClassPNP.

Any suggestions?

wainuitech
22-05-2013, 02:00 PM
Use HitmanPro Kickstart (http://www.surfright.nl/en/kickstart). Watch the videos on how to use it; the link for the second one is at the end of the creation demo.

If the computer for some reason won't boot from a USB drive, look on the right of that page about halfway down; there's an ISO image to make a bootable CD.

Either option, make sure it's connected to the internet so it can update.

Once it boots normally, THEN run other antimalware / antivirus through again to check.

NZHawk
22-05-2013, 02:10 PM
Thank you!

NZHawk
22-05-2013, 02:53 PM
Couldn't get the USB drive to work - it stated that it was password protected (not).
Created an ISO image CD - booted to the CD but it did circumvent the virus - nothing happened.

any other suggestions?

wainuitech
22-05-2013, 03:55 PM
Was it saying the USB drive is password protected??

Try another drive; as long as the USB drive is on another clean PC to install the software, it usually works fine.

One of the "tricks" they do is disable Safe Mode.

There is another way that sometimes works: restart the computer in Safe Mode with Command Prompt. At the prompt, run System Restore with the command rstrui.exe. When Restore opens, run it back to before the computer got infected. This will usually allow you to boot it normally, but it still needs to be scanned for malware, cleaned out, etc. This infection also hides in the temp folder, and sometimes other places as well.

You can also try running Restore back from a Windows 7 Rescue CD - as long as it hasn't disabled the ability to boot from a CD.

If that doesn't work, remove the HDD and slave it to another PC and scan with the usual antimalware programs. Once it's booted, make sure you disable System Restore. You'll find, depending on which one it is, it can actually be in several locations.

Last one I did, it actually masqueraded as a bookmark - sneaky bloody thing ;)

NZHawk
22-05-2013, 04:51 PM
Thank you.
Removed the HDD and am running a scan now.
Will report back tomorrow.
So far Malwarebytes has detected 4 infections.

Iantech
23-05-2013, 11:15 AM
Use HitmanPro Kickstart (http://www.surfright.nl/en/kickstart). Watch the videos on how to use it; the link for the second one is at the end of the creation demo.

If the computer for some reason won't boot from a USB drive, look on the right of that page about halfway down; there's an ISO image to make a bootable CD.

Either option, make sure it's connected to the internet so it can update.

Once it boots normally, THEN run other antimalware / antivirus through again to check.

Created a CD from the ISO last night; it hung on loading and wouldn't work. Sadly, what I thought was going to be a 5 minute removal turned into a 3 hour nightmare - all .exe files wouldn't run, same in Safe Mode, no restore points, administrator profile disabled.... It eventually ended up corrupting its own .exe. The system was running AVG Corporate Edition, what a load of crap, it didn't even detect them. Put ESET on it; it could see it, but wouldn't clean it. Still, got it all sorted and client extremely happy, didn't lose any data. Have to try the disk again and find out if it was the computer's fault or a disk issue; I suspect it was the computer.

wainuitech
23-05-2013, 11:26 AM
Some infections disable the ability to boot from CD and USB, makes life interesting when that happens :)

NZHawk
23-05-2013, 11:44 AM
I removed the HDD and slaved it to another PC,
then scanned with Malwarebytes & it cleaned up 5 infections, enough for
me to reinstall the HDD & boot normally.
Ran Malwarebytes on the original computer & removed the infected file,
and am currently running a scan with a virus program.

piva
23-05-2013, 08:00 PM
When I got this, it hid in the app data directory with all its copied logos etc. Use two or three antimalware programs, as none find everything. I found Emsisoft Anti-Malware good. Also used Command Prompt to bypass Explorer, and msconfig to check start programs and disable almost anything that was not essential before looking deeper.
Piva

Chilling_Silence
23-05-2013, 08:56 PM
So I'm about to go fix this up too for a family friend... Any protips? :D

...Next time they'll take me up on the offer of Antivirus / Anti-malware a lot sooner, she says she's already written a cheque for 2 years worth of NOD32 :p

Iantech
23-05-2013, 09:33 PM
Some of these things I have found seem to be profile specific. If you are able, create a new user profile, so if it goes belly up when you are trying to clean it out, you should be able to log into the new profile and either clean it up or migrate the user data to the new profile. There is my tip :)

wainuitech
23-05-2013, 10:12 PM
The two programs I always take are HitmanPro Kickstart, as mentioned earlier on, along with the NOD32 Rescue bootable CD.

You can make the bootable Rescue CD from any NOD32 install, BUT you also need either the Windows AIK or ADK installed; it's Microsoft software.
The Automated Installation Kit (AIK) for Windows® 7 helps you to install, customize, and deploy the Microsoft Windows® 7 and Windows Server® 2008 R2 family of operating systems. It's a 1.7GB or 2.8GB download -- this is to make the WinPE bootable environment.

These infections alter the Master Boot Record; that's why you can't boot into Windows normally till it's removed from there.

Chilling_Silence
23-05-2013, 10:39 PM
OK so it wasn't *too* hard....
As mentioned, Safe Mode triggers a reboot, and Ctrl + Shift + Del / Task Manager is disabled in normal mode.

Kill power halfway through booting and tell it you want to do a System Restore (I wasn't given the option to do so from the F8 Boot Menu until I did that). That fixed it enough for me to get in and scan with NOD32 / Malwarebytes to remove the last of it.

Took a photo of it on the laptop, it's quite a cheeky bugger of an infection....
http://i.imgur.com/3KGOmXr.jpg

wainuitech
23-05-2013, 11:13 PM
Yep, they are getting trickier ;) Notice on the right as well, it mentions Whitcoulls, a well known business + if a camera is attached or it's a laptop, it can take a picture of the user and embed that -- all adding to the illusion that it's real. It fools a LOT of people.

One I cleaned out, the owner was crapping himself; he said he was looking at porn sites at the time and thought he had been nabbed (I said - No - trying to keep a straight face) ;)

WayneMiddy
24-05-2013, 12:21 AM
I managed to remove the AFP virus with the Kaspersky Rescue Disk, booted from a flash drive. It took about 3 hours to complete, then ran Spybot S&D. Malwarebytes & SUPERAntiSpyware found about 200+ infected files.
Cheers Wayne

linw
24-05-2013, 05:26 PM
It would scare you, but you could figure it is rubbish pretty quickly. Like, since when has paying money to an unknown entity saved you from prosecution? And when has it ever been a good idea to send unknown people money?

And since when have fines been 200 to 500 minimal wages??!!

Prick of a thing though.

But, yes, WT, your client must have shat himself!!!!

Chilling_Silence
24-05-2013, 05:57 PM
Did nobody else notice the NZ Police logo used ? :p

linw
25-05-2013, 04:12 PM
Now you mention it!

Agent_24
25-05-2013, 09:18 PM
Some infections disable the ability to boot from CD and USB, makes life interesting when that happens :)

How the heck would it manage that?

wainuitech
25-05-2013, 09:53 PM
How the heck would it manage that?

It's not a new trick; that's been around for years, and there were several others that do similar. Maybe disabling the CD drive is not quite the correct way of describing it. Twice now I have had this infection on people's computers, and as soon as the CD or USB drive tries to boot and load in the antimalware removal program, it kills the program before it has time to load, and the boot fails, then carries on as normal, normal being a standard boot, which of course won't boot the OS, only the infections.

Once the PC is actually clean, the CD /USB drive boots fine. There are several newer ones around, so not all previous removal methods work.

In the past you simply used to boot into safe mode, but the newer versions have disabled that option as well.

Agent_24
26-05-2013, 12:31 AM
Twice now I have had this infection on peoples Computers and as soon as the CD or USB drive try to boot and load in the antimalware removal program, it kills the program before it has time to load, and the Boot fails then carries on as normal, Normal being a standard Boot, which of course wont boot the OS, only the infections.

Wouldn't it have to infect the BIOS to do something like that though? Otherwise you'd just enter the BIOS boot menu and manually choose CD or USB etc? Or is there something I'm missing...?