ukash virus and others!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sharpy51, Oct 22, 2012.

  1. sharpy51

    sharpy51 Private E-2

    Hi, I clicked on 'OK' for some Flash Player and got the Ukash virus. I ran Malwarebytes and it seemed to get rid of it, but the scans found lots of other nasties. Any help on this would be great! Thanks
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  3. sharpy51

    sharpy51 Private E-2

    Whoops. I rebooted the PC and Ukash came back. I'm putting up new logs, hopefully they'll all be there. Thanks for any help!
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Kes still needs the log from running MGTools.exe ----- C:\MGLogs.zip.
     
  5. sharpy51

    sharpy51 Private E-2

    Oops. There we go.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button.
    Now click the Registry tab and locate these 5 detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : wevtutil (C:\Users\Becky\AppData\Local\Microsoft\Windows\1133\wevtutil.exe) -> FOUND
    • [RUN][SUSP PATH] HKCU\[...]\Run : midhf ("C:\Windows\System32\rundll32.exe" "C:\Users\Becky\AppData\Roaming\midhf.dll",Module_Type) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-2163881165-3505999642-775810887-1000[...]\Run : wevtutil (C:\Users\Becky\AppData\Local\Microsoft\Windows\1133\wevtutil.exe) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-2163881165-3505999642-775810887-1000[...]\Run : midhf ("C:\Windows\System32\rundll32.exe" "C:\Users\Becky\AppData\Roaming\midhf.dll",Module_Type) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-2163881165-3505999642-775810887-1000\$cde627563c54ce0c2afb2a02ec0d443f\n.) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    And the same for the entries on the Files/Folders tab, please.

    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2163881165-3505999642-775810887-1000\$cde627563c54ce0c2afb2a02ec0d443f\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2163881165-3505999642-775810887-1000\$cde627563c54ce0c2afb2a02ec0d443f\L --> FOUND

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.

    Now rescan with Hitman and have it delete these items:

    • Now rescan again with Hitman, just a scan and attach the new log.
    • Same for RogueKiller please.
    • Now run the C:\MGtools\GetLogs.bat file by double-clicking on it. (Right-click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.
    • Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  7. sharpy51

    sharpy51 Private E-2

    there we go
     

    Attached Files:

  8. sharpy51

    sharpy51 Private E-2

    Got a little confused on the Hitman deletions: all of the Funmoods items were deleted, but the trojan stuff got quarantined?
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button.
    Now click the Registry tab and locate these 5 detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : wevtutil (C:\Users\Becky\AppData\Local\Microsoft\Windows\1133\wevtutil.exe) -> FOUND
    • [RUN][SUSP PATH] HKCU\[...]\Run : midhf ("C:\Windows\System32\rundll32.exe" "C:\Users\Becky\AppData\Roaming\midhf.dll",Module_Type) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-2163881165-3505999642-775810887-1000[...]\Run : wevtutil (C:\Users\Becky\AppData\Local\Microsoft\Windows\1133\wevtutil.exe) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-2163881165-3505999642-775810887-1000[...]\Run : midhf ("C:\Windows\System32\rundll32.exe" "C:\Users\Becky\AppData\Roaming\midhf.dll",Module_Type) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-2163881165-3505999642-775810887-1000\$cde627563c54ce0c2afb2a02ec0d443f\n.) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    Same for Files/Folders tab entries...

    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2163881165-3505999642-775810887-1000\$cde627563c54ce0c2afb2a02ec0d443f\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2163881165-3505999642-775810887-1000\$cde627563c54ce0c2afb2a02ec0d443f\L --> FOUND


    When it is finished, attach the log to your next message. (How to attach)
    Do not reboot your computer yet.



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    :Files
    C:\Users\Becky\AppData\Local\Microsoft\Windows\1133 
    C:\Users\Becky\AppData\Roaming\midhf.dll 
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    What is inside this folder?
    C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

    Reboot!

    Re-run Hitman and RogueKiller and attach the logs.

    Now run the C:\MGtools\GetLogs.bat file by double-clicking on it. (Right-click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
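The RogueKiller detections the helper lists in posts 6 and 9 show two patterns worth recognising in any autorun report: Run entries whose executable or rundll32-loaded DLL lives under a user's AppData folder, and a COM InprocServer32 entry pointing into $Recycle.Bin (the ZeroAccess hallmark). The following is an added example, not code from the thread or from RogueKiller; it parses report lines in the format shown above (the first three sample lines copy the helper's detections, the fourth is a constructed benign entry with a placeholder vendor path) and triages each one with those two rules.

```python
import re

# Constructed sample in the RogueKiller report format shown in the thread. The first
# three lines copy the helper's listed detections; the fourth is a made-up benign
# autorun entry (placeholder vendor path) so the classifier has something to pass.
SAMPLE_REPORT = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : wevtutil (C:\Users\Becky\AppData\Local\Microsoft\Windows\1133\wevtutil.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : midhf ("C:\Windows\System32\rundll32.exe" "C:\Users\Becky\AppData\Roaming\midhf.dll",Module_Type) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-2163881165-3505999642-775810887-1000\$cde627563c54ce0c2afb2a02ec0d443f\n.) -> FOUND
[RUN] HKLM\[...]\Run : VendorTray (C:\Program Files\ExampleVendor\tray.exe) -> FOUND
"""

# One detection per line: [TAG][TAG] <registry key> : <name> (<command>) -> <status>
LINE_RE = re.compile(r'^((?:\[[^\]]+\])+)\s+(\S+)\s*:\s*(.*?)\s*->\s*(\w+)$')
# Windows paths inside the command part; stops at a quote, comma or closing paren
PATH_RE = re.compile(r'[A-Za-z]:\\[^",)]+')

def parse_line(line):
    """Split one report line into (tags, registry key, detail, status); None if not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tags = re.findall(r'\[([^\]]+)\]', m.group(1))
    return tags, m.group(2), m.group(3), m.group(4)

def classify(key, detail):
    """Apply the two patterns the thread's findings illustrate; return (verdict, reason)."""
    paths = [p.lower() for p in PATH_RE.findall(detail)]
    if any('\\$recycle.bin\\' in p for p in paths):
        # Code loaded from the recycle bin is the ZeroAccess hallmark, whatever the key
        return 'zeroaccess', 'code loaded from $Recycle.Bin'
    if key.lower().endswith('\\run') and any('\\appdata\\' in p for p in paths):
        how = 'DLL via rundll32' if any(p.endswith('rundll32.exe') for p in paths) else 'executable'
        return 'suspicious', 'autorun %s under a user profile AppData folder' % how
    return 'benign', 'no matching pattern'

def triage(report):
    """Return [(name, verdict, reason)] for every detection line in a report."""
    results = []
    for line in report.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        _tags, key, detail, _status = parsed
        name = detail.split('(', 1)[0].strip() or key   # InprocServer32 entries carry no name
        verdict, reason = classify(key, detail)
        results.append((name, verdict, reason))
    return results

if __name__ == '__main__':
    for name, verdict, reason in triage(SAMPLE_REPORT):
        print('%-30s %-11s %s' % (name, verdict, reason))
```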
     
