Damn UKASH virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Fence_, Aug 9, 2012.

  1. Fence_

    Fence_ Private E-2

    Hi Geeks,

    I got this nasty virus yesterday and tried following several guides, but I'm stuck with a white screen unless I select "Safe mode with command prompt".

    Would someone be so kind as to help me eradicate this nasty virus.

    Many thanks

    PS PC is a Dell Vostro 220 running windows 7 home premium
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  3. Fence_

    Fence_ Private E-2

    Thanks for replying so quickly. After posting earlier, I read ahead and ran the tool.

    Please find the attached log file.

    Again thanks for responding so quickly....
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  5. Fence_

    Fence_ Private E-2

    Can I perform these steps in "safe mode with command prompt" ?

    If I try standard safe mode I just get a white screen blocking the desktop.

    Thanks for the speedy response :)
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try under any mode you can, it's important we at least try as much as possible.
     
  7. Fence_

    Fence_ Private E-2

    Hi again,

    I ran through all the scans as instructed. I have attached all logs generated except Malwarebytes, as it was clean.

    To be honest I'm not even sure if the other tools picked anything up, but I'll let you be the judge of that.

    Rebooted out of "safe mode with command prompt" and still get the plain white screen :(

    Anything else we can try?

    Thanks again
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ask Toolbar <== uninstall this crap.

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button.
    Now click the Registry tab and locate these 2 detections:
    • [SUSP PATH] HKCU\[...]\Winlogon : shell (explorer.exe,C:\Users\MWC Roffing\AppData\Roaming\msconfig.dat) -> FOUND
    • [SUSP PATH] HKUS\S-1-5-21-1595407089-3355998324-2248423983-1000[...]\Winlogon : shell (explorer.exe,C:\Users\MWC Roffing\AppData\Roaming\msconfig.dat) -> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the computer.


    C:\Users\MWC Roffing\AppData\Roaming\msconfig.ini <--- Delete this file if you can see it.

    Please give the below a go and let me know how you get on

    Kaspersky WindowsUnlocker to fight ransom malware


    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run

    Re-run RogueKiller - no fix, just a scan - and attach the log.
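    The two RogueKiller detections above describe the mechanism behind the white screen: the Winlogon "Shell" value has been changed from "explorer.exe" to "explorer.exe,C:\...\msconfig.dat", so a second program is launched alongside the desktop. The script below is an added example, not a tool from this thread or from the helper, that audits that value in HKLM and in every loaded user hive and reports any entry other than explorer.exe; it only reports and does not change anything. It assumes it is run from an elevated PowerShell prompt.

    ```powershell
    # Added example: audit the Winlogon "Shell" value for the kind of hijack
    # reported above ("explorer.exe,<extra program>"). Report only, no changes.
    # Assumption: run as Administrator so all loaded user hives are readable.

    $expected = 'explorer.exe'
    $findings = @()

    # Machine-wide default plus every loaded user hive under HKEY_USERS
    # (S-1-5-21-... keys), mirroring the HKCU/HKUS pair in the scan output.
    $hives = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $hives += "HKU:\$($_.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        }

    foreach ($key in $hives) {
        if (-not (Test-Path $key)) { continue }
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        # A per-user key normally has no Shell value at all; only HKLM carries the default.
        if ($null -eq $shell) { continue }
        # Winlogon accepts a comma-separated list, which is how the second
        # program gets started. Anything besides explorer.exe is worth a look.
        $entries = $shell -split ',' | ForEach-Object { $_.Trim() }
        $extra = $entries | Where-Object { $_ -and ($_ -ine $expected) }
        if ($extra) {
            $findings += [pscustomobject]@{
                Key   = $key
                Shell = $shell
                Extra = ($extra -join '; ')
            }
        }
    }

    if ($findings) {
        $findings | Format-Table -AutoSize
    } else {
        Write-Output "Winlogon Shell is the default '$expected' in every hive checked."
    }
    ```

    A user hive that is not loaded (the account is logged off) will not appear under HKEY_USERS, so the check is most complete when run from the affected account or after loading its hive.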
     
  9. Fence_

    Fence_ Private E-2

    Hi Kestrel13!,

    Thanks for the additional steps you provided :)

    After running RogueKiller and removing the 2 entries, the system rebooted back to the normal desktop with all files and folders visible :)


    I then found the following file and deleted it

    C:\Users\MWC Roffing\AppData\Roaming\msconfig.ini

    I then uninstalled all toolbars (ask/bing/google and a few others)

    I downloaded and burnt the Kaspersky rescue CD and ran the Windows unlocker.

    Rebooted back into Windows, then ran TDSSKiller, skipped everything it found, and copied and pasted the log output into a notepad file.

    I haven't reconnected it to the internet as yet, just in case there were any other steps you needed me to run first.

    I am so thankful that I didn't have to reload the whole lot.

    Please let me know if this is fully resolved and I will make a donation ;)

    Please see the attached logs.
     


  10. Fence_

    Fence_ Private E-2

    Just a quick update to let you know I ran Malwarebytes, updated the database, took it back offline and ran a full scan.

    It found something quarantined by one of the tools you asked me to run. It also found an msconfig file it wanted to remove, and something in the system restore area.

    Removed all 3 and rebooted, everything is running as before.

    Thanks again for all your help, I will make a donation in the next 30 minutes.

    You guys n gals rock!!
     
  11. Fence_

    Fence_ Private E-2

    I just purchased a T-shirt each for myself and a friend.

    Again many thanks for the expert advice.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's great you bought a shirt. :) Appreciate it.


    Still a bit to do.


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button.
    Now click the Registry tab and locate these 2 detections:
    • [SUSP PATH] HKCU\[...]\Winlogon : shell (explorer.exe,C:\Users\MWC Roffing\AppData\Roaming\msconfig.dat) -> FOUND
    • [SUSP PATH] HKUS\S-1-5-21-1595407089-3355998324-2248423983-1000[...]\Winlogon : shell (explorer.exe,C:\Users\MWC Roffing\AppData\Roaming\msconfig.dat) -> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot, re-run RogueKiller, and attach the new log.
     
