ukash virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pamul, Sep 24, 2012.

  1. pamul

    pamul Private E-2

    Hi,

    I have the Ukash virus on my laptop. I was infected about a week ago with it and used Malwarebytes Anti-Malware to remove it.
    Now Ukash is back and Malwarebytes Anti-Malware will not remove it. I can start the laptop in Safe Mode. The OS is Vista SP2.

    I have carried out the READ & RUN ME FIRST Malware Removal Guide and also the FRST software, and I have attached the reports.

    I tried to start in normal start-up using msconfig. I get as far as the log-on screen for the accounts but cannot log into my account or the Administrator account.

    I don't know if I have attached the report from malware, but I do remember that it did not find any problems.
     

    Attached Files:

  2. pamul

    pamul Private E-2

    I have attached 2 other files that I forgot from TDSS and MGlogs
     

    Attached Files:

    Last edited: Sep 24, 2012
  3. pamul

    pamul Private E-2

    Just ran Malwarebytes Anti-Malware again and it caught something. Please see the attached log. Hope this helps.
     

    Attached Files:

  4. pamul

    pamul Private E-2

    Done the restart for Malwarebytes and tried to log on as normal. I get to the screen with my account and the Administrator account. I have control of the screen pointer but no control of the left or right button, and also the double tap is not working. Still able to get in using Safe Mode.
     
  5. thisisu

    thisisu Malware Consultant

    Hello pamul,

    From Safe Mode, please find and delete this file:

    • C:\Users\paraic\Contacts\0.6910909410311864.exe

    __

    Will post further instructions as I continue reviewing your logs.
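As an added example (not part of this thread, and not something the consultant posted), here is a PowerShell 2.0-compatible script that looks for executables with "random number" names of the kind identified above (0.6910909410311864.exe in the user's Contacts folder) under every profile on the system, and for autostart values that reference such a file. The only facts taken from the thread are that path and file name; the name pattern, the generalisation to all profiles, and the choice of Run/Winlogon keys to inspect are assumptions.

```powershell
# Added example, not from the thread. Hunt for executables whose name is a
# long random decimal (e.g. 0.6910909410311864.exe) under C:\Users and for
# autostart entries that point at such a file. Pattern, search scope and the
# autostart keys below are assumptions, not facts from the user's logs.
# Uses only PowerShell 2.0 cmdlets/parameters so it runs on Vista SP2.

$pattern     = '\d+\.\d{8,}\.exe'                 # assumed generalisation of 0.6910909410311864.exe
$profileRoot = Join-Path $env:SystemDrive 'Users'

function Get-Finding($kind, $where, $detail) {
    New-Object PSObject -Property @{ Kind = $kind; Where = $where; Detail = $detail }
}

# 1. Files on disk (all profiles, hidden files included) whose name matches
$profiles = Get-ChildItem $profileRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer }
foreach ($p in $profiles) {
    Get-ChildItem -Path $p.FullName -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match ('^' + $pattern + '$') } |
        ForEach-Object {
            Get-Finding 'File' $_.FullName ("{0} bytes, modified {1}" -f $_.Length, $_.LastWriteTime)
        }
}

# 2. Autostart values whose data references a matching file name
#    (assumed persistence points; adjust to what your own logs show)
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.Property) {
        $data = [string]$item.GetValue($name)
        if ($data -match $pattern) {
            Get-Finding 'Autostart' "$key\$name" $data
        }
    }
}
```

Run it from Safe Mode in an elevated PowerShell. It only reports; any hit should be matched against the FRST/MGlogs output before deleting, exactly as the consultant did with the single file named above, and an autostart value that points at a file you delete must be removed too or Windows will keep trying to launch it at logon.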
     
  6. thisisu

    thisisu Malware Consultant

    Whether or not you were successful with the above deletion, continue with the following instructions (this should delete that file too):

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.
     

    Attached Files:

  7. pamul

    pamul Private E-2

    File was deleted as per post. FRST then ran as per the other post. I had to run this twice as the file fixlist.txt was not saved to my flash drive when I ran it the first time this evening. I also hit the Fix button when I ran FRST without the fix file.
    When I noticed what I had done, I saved fixlist correctly and ran FRST.
    Log is attached. Hope I have not messed up the test.
    Laptop still has the problem. Able to get in through Safe Mode, but when I try to get in as normal I can now select the account by right-clicking but the laptop hangs on the welcome screen.
    (My first run of this test may have been done correctly. When I went to my flash drive after the first run of the test this evening to upload the log I did not see the fixlist.txt file on my flash drive, so I thought it had not been saved in the correct place. Therefore I saved it again and ran the test again. Hope you understand.)
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    According to your logs, whenever you went into MSconfig, you also went into the Services tab and pressed Disable All without putting a checkmark into "Hide All Microsoft Services". Is this correct or not?

    Either way, these Microsoft Services are currently stopped and that's why you're experiencing those issues in Normal Mode.

    Let's try this:

    Go back into MSconfig while you're in Safe Mode and go back to the Services tab. Now press Enable All while the "Hide All Microsoft Services" checkbox is UNCHECKED. Then press OK to save the changes and reboot normally (into Normal Mode). That should help, let me know if you encounter issues along the way.
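As an added example (not part of the thread and not a tool the consultant used), here is a PowerShell 2.0-compatible check that shows what an msconfig "Disable All" with "Hide All Microsoft Services" unchecked actually leaves behind: every service whose binary lives under the Windows directory and whose start type is now Disabled. The registry location where msconfig records the services it disabled, and the meaning of the value data there, are assumptions stated in the comments.

```powershell
# Added example, not from the thread. Lists services that are currently
# Disabled and whose executable lives under %SystemRoot%. After an msconfig
# "Disable All" without "Hide All Microsoft Services" this list is long, and
# those stopped Microsoft services are what break logon, input and networking
# in Normal Mode. PowerShell 2.0 cmdlets only, so it runs on Vista SP2.

$winDir = $env:SystemRoot

function Get-DisabledWindowsService {
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartMode -eq 'Disabled' -and
                       $_.PathName -like ('*' + $winDir + '*') } |
        Select-Object Name, DisplayName, State, StartMode, PathName |
        Sort-Object Name
}

$disabled = @(Get-DisabledWindowsService)
"Services under $winDir currently Disabled: " + $disabled.Count
$disabled | Format-Table Name, State, PathName -AutoSize

# msconfig keeps its own record of the services it disabled. The key below and
# the meaning of its values (assumed: one value per service, holding the
# original start type) are assumptions; if the key is absent, nothing is
# currently disabled through msconfig, or Enable All has already been applied.
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\services'
if (Test-Path $msconfigKey) {
    "Services recorded by msconfig as disabled:"
    (Get-Item $msconfigKey).Property
} else {
    "No msconfig 'services' record found."
}
```

Run it before and after the Enable All step in an elevated PowerShell. Before, expect dozens of entries (Plug and Play, Windows Event Log, Themes, Network Connections and the like); after Enable All and a reboot the first list should be empty or nearly so and the msconfig record gone. A Microsoft service that is still Disabled afterwards was disabled by something other than msconfig and needs a closer look.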
     
  9. pamul

    pamul Private E-2

    I checked msconfig and all the boxes were checked and enable all was greyed out. I pressed enable all and the boxes unchecked. Going to try restart in normal mode.
     
  10. pamul

    pamul Private E-2

    After making the changes to System Configuration as per my last post, a restart was requested. Restart was completed. Got to the desktop but did not have much control and the laptop was very slow. I looked in Security Center and switched on UAC and carried out another restart.

    Was able to log in as normal. Seemed to have more control over the laptop but still slow. The only problem that I found is that the double tap on the touchpad is not working, but the left and right buttons are working. Guess the touchpad just needs to be configured, which I will be able to do later.

    I do not remember changing anything in the Services tab of System Configuration earlier in the week, although I may have done it by mistake. It was not my intention to do this. I only remember selecting diagnostic start-up and then normal start-up in the General tab in order to be able to apply the normal start-up.
    I just checked the Services tab in System Configuration (i.e. not in Safe Mode) and all the boxes were checked, Enable All was greyed out and the Hide Microsoft box was not checked. This is how I found the Services tab when I went in to check it in Safe Mode as per my last post. The changes I made in Safe Mode have not been kept.

    Is it possible that there is an issue with System Configuration, and did something else change the settings tab originally?

    Do I need to run anymore tests on the laptop?

    Thanks for all your help its been a life saver. I am going to go through your posts about malware and protection when this is finished.
     
  11. pamul

    pamul Private E-2

    Double tap fixed by going to the sys tray and selecting "tap to click".
     
  12. thisisu

    thisisu Malware Consultant

    Do as many steps as you can from now while in Normal Mode.

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  13. pamul

    pamul Private E-2

    I have carried out the steps from READ & RUN ME FIRST Malware Removal Guide in normal mode. logs attached.
     

    Attached Files:

  14. pamul

    pamul Private E-2

    here are the file for tdss
     

    Attached Files:

  15. pamul

    pamul Private E-2

    log from MGtools
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 35 (outdated)

    __

    Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Once the scan is complete, go to the Registry tab and checkmark everything except the below item:
    • [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    Now press the Delete button.
    When it is finished, attach the very latest log of RogueKiller that is on your desktop. (How to attach)


    __

    Now install the current version of Sun Java from: here

    __

    Let me know what problems you are experiencing after you have completed these steps.
     
    Last edited: Sep 26, 2012
  17. pamul

    pamul Private E-2

    Java deleted, RogueKiller run and all registry entries except the one in your post deleted. Log of RogueKiller attached. Java downloaded.
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    What problems remain?
     
  19. pamul

    pamul Private E-2

    No other problems remain. Thanks for all your help, this is a magnificent site.
     
  20. thisisu

    thisisu Malware Consultant

    You're welcome, pamul

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
