ukash virus help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by draftiebrah, Sep 21, 2012.

  1. draftiebrah

    draftiebrah Private E-2

    Hi guys, just recently I was hit with the Ukash virus and now I cannot access anything at all. I can't seem to get into System Restore to roll back; my computer is pretty much locked. How do I go about fixing this issue?
    Thanks.
     
  2. thisisu

    thisisu Malware Consultant

    Hello draftiebrah,

    Which operating system are you using?
     
  3. thisisu

    thisisu Malware Consultant

    If you are on Windows Vista or 7, try this:

    Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  4. draftiebrah

    draftiebrah Private E-2

    I'm running Vista SP2.
     
  5. thisisu

    thisisu Malware Consultant

    Great! Then try running the above set of instructions.
    Let me know if you need help.
     
  6. draftiebrah

    draftiebrah Private E-2

    Here is my FRST log.
     


  7. thisisu

    thisisu Malware Consultant

    So you are able to boot into Safe Mode?
    Which mode did you run FRST from?
     
  8. draftiebrah

    draftiebrah Private E-2

    Safe Mode with Command Prompt. Any other way, the white screen pops up and everything is locked again. If I go into System Recovery the laptop just hangs.
     
  9. thisisu

    thisisu Malware Consultant

    How many times have you tried entering System Recovery Options?

    What happens if you type in explorer
    in the command prompt window, and then press ENTER?

    Are you able to see your desktop?
     
  10. draftiebrah

    draftiebrah Private E-2

    As for System Restore, even when I press F8 it still bypasses it and boots up normally. But I've done it 3 times so far.

    Yes, I do get to see the desktop :)
     
  11. thisisu

    thisisu Malware Consultant

    In that case, complete as much of this as possible from Safe Mode with Command Prompt: Read and Run Me First - Malware Removal Guide. ;)

    If something doesn't run, just go to the next steps until you reach the very end.
     
  12. draftiebrah

    draftiebrah Private E-2

    Also when the time comes how do i save a log of RogueKiller??
     
  13. thisisu

    thisisu Malware Consultant

    As soon as you press the Scan button, there will be a log on your desktop ;)
     
  14. draftiebrah

    draftiebrah Private E-2

    Ok so here goes all logs required attached.
    Many thanks again for the help provided. Really do appreciate it.
     


  15. thisisu

    thisisu Malware Consultant

    • Open RogueKiller again.
    • Press Scan.
    • When the scan is finished, press the Delete button.
    • Attach the latest RogueKiller log to your next message.
     
  16. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :files
    C:\Users\George\AppData\Roaming\msconfig.dat
    C:\Windows\Installer\{b47899fd-dd8f-4aa9-60cf-c3e77067d3ab} /d
    C:\Users\George\AppData\Local\{b47899fd-dd8f-4aa9-60cf-c3e77067d3ab} /d
    C:\Windows\Assembly\GAC\Desktop.ini /d
    :commands
    [emptyjava]
    [emptyflash]
    [reboot]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  17. draftiebrah

    draftiebrah Private E-2

    That MGtools I downloaded seems to be the latest version. I'm on a completely separate laptop right now atm.

    EDIT: just tried getting in again from Safe Mode with Networking and the issue is still there.
     
  18. thisisu

    thisisu Malware Consultant

    What happened with the previous steps? RogueKiller, OTL? Those should have removed the ransom.

    Worry about MGtools last.
     
  19. draftiebrah

    draftiebrah Private E-2

    Thank you. I had some issues with the infected computer, but as I did the OTL text fix, it's worked. Now I'm going to run RK properly from the infected comp.
     
  20. draftiebrah

    draftiebrah Private E-2

    Latest RogueKiller log.
     


  21. thisisu

    thisisu Malware Consultant

    This isn't the correct RogueKiller log. This is just another Scan log.
    I requested that you press Delete and then attach that log ;)

    Also remember to run the OTL steps I gave you afterwards and attach that log (The fix log). Use the steps provided so that you are attaching the correct log(s).
     
  22. draftiebrah

    draftiebrah Private E-2

    I hope this is it. Now I'm having other issues: every time I open OTL or RK, Windows Explorer keeps crashing. Is this normal?
     


  23. thisisu

    thisisu Malware Consultant

    Yes that is the correct log. Looks good.

    Yes and no, RogueKiller will terminate Windows Explorer sometimes but OTL should only terminate explorer if a specific fix is run. The one I proposed for you to run should not kill explorer, but should prompt to reboot your computer instead.

    In an earlier post you mentioned that you ran the OTL fix. Can you attach that log?
     
  24. draftiebrah

    draftiebrah Private E-2

    Is this the OTL log you're after?
     


  25. thisisu

    thisisu Malware Consultant

    Yes and no; I would have preferred it if you had run the fix using the latest version of OTL.

    Code:
    OTL by OldTimer - Version 3.2.22.3
    Current is 3.2.65.1

    Now try to download and run the latest version of MGtools.
     
  26. draftiebrah

    draftiebrah Private E-2

    Here are the correct MG logs??
     
  27. draftiebrah

    draftiebrah Private E-2

    Sorry, can't edit the older post to remove my old MGlogs.zip file. Can the admin do that so I can put up the new one? Thanks.
     
  28. thisisu

    thisisu Malware Consultant

    You are trying to attach the same MGlogs.zip as before -- This is why you are prevented from doing so.

    If you download the latest version of MGtools.exe and run it again, the contents of MGlogs.zip will be different -- therefore, you'll be able to attach them ;)
     
  29. draftiebrah

    draftiebrah Private E-2

    Ok, redid it and I think it finally worked :)
     


  30. thisisu

    thisisu Malware Consultant

    Continue working while you are in Normal Mode.

    From Programs and Features (via Control Panel), please uninstall the below:
    • BearShare
    • BitTornado 0.3.17
    • Conduit Engine
    • Freecorder Toolbar
    • Freecorder
    • Java(TM) 6 Update 24
    • LimeWire 5.5.16
    • SpyHunter


    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :files
    C:\Users\George\AppData\Roaming\AVG2012
    C:\Users\George\AppData\Roaming\Microsoft\Windows\Templates\975398336
    C:\Users\George\AppData\Roaming\Microsoft\Windows\Templates\pirai1lq47da587rb223uw2n11j1s
    dir /s C:\svchost /c
    C:\Windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
    C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
    "startup"=dword:00000000
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A396A2D8-E2B5-4A51-ADA5-3684E10F79C3}]
    :commands
    [emptytemp]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Reset Registry Permissions
      • Repair Windows Firewall
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

    __

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure all the options are checked
    • Press Scan.
    • It will create a log (FSS.txt) in the same directory the tool was run.
    • Please attach FSS.txt to your next message. (How to attach)
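    As an added example, not part of this thread or of OTL itself: a small Python reviewer that parses fix scripts in the format used in the OTL steps above (`:files`, `:reg`, `:commands`) into explicit actions and flags the high-impact ones before a helper posts the fix. The meanings assumed for the `/d` and `/c` switches and for `[-KEY]` are inferred from how they are used in these scripts, and the sample script is constructed.

```python
import re
from typing import List, Tuple

# Constructed sample in the format of the OTL fix scripts above (not a real fix).
SAMPLE = r""":files
C:\Users\Example\AppData\Roaming\msconfig.dat
C:\Windows\Installer\{00000000-0000-0000-0000-000000000000} /d
dir /s C:\svchost /c
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"startup"=dword:00000000
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-0000-0000-0000-000000000001}]
:commands
[emptytemp]
[reboot]
"""

REG_KEY = re.compile(r"^\[(-?)(HK[^\]]+)\]$")      # [KEY] or [-KEY]
REG_VALUE = re.compile(r'^"([^"]+)"=(.+)$')         # "name"=data

def parse_fix(script: str) -> List[Tuple[str, str]]:
    """Turn the script into (kind, target) pairs; switch meanings are assumptions."""
    actions, section, key = [], None, ""
    for line in (l.strip() for l in script.splitlines() if l.strip()):
        if line.startswith(":"):              # section header, e.g. :files
            section = line[1:].lower()
        elif section == "files":
            if line.lower().endswith(" /d"):  # assumed: /d removes a directory tree
                actions.append(("delete_dir", line[:-3].rstrip()))
            elif line.lower().endswith(" /c"):  # assumed: /c runs a command and logs output
                actions.append(("run_command", line[:-3].rstrip()))
            else:                             # bare path: the file itself is removed
                actions.append(("delete_file", line))
        elif section == "reg":
            if m := REG_KEY.match(line):
                key = m.group(2)              # assumed: [-KEY] deletes the whole key
                actions.append(("reg_delete_key" if m.group(1) else "reg_open_key", key))
            elif m := REG_VALUE.match(line):  # value written under the last opened key
                actions.append(("reg_set_value", f"{key}\\{m.group(1)}={m.group(2)}"))
        elif section == "commands":           # built-ins such as [emptytemp], [reboot]
            actions.append(("command", line.strip("[]").lower()))
    return actions

def review(actions: List[Tuple[str, str]]) -> List[str]:
    """Flag the high-impact entries worth a second look before the fix is posted."""
    flags = []
    for kind, target in actions:
        if kind == "delete_dir" and target.lower().startswith("c:\\windows"):
            flags.append(f"directory delete under Windows: {target}")
        elif kind == "reg_delete_key":
            flags.append(f"registry key delete: {target}")
        elif kind == "command" and target == "reboot":
            flags.append("script reboots the machine")
    return flags
```

    Running `review(parse_fix(SAMPLE))` on the constructed script lists three flags: the directory delete under C:\Windows, the SearchScopes key delete and the reboot.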
     
  31. draftiebrah

    draftiebrah Private E-2

    Quick question about the uninstalls. BearShare and both Freecorder programs aren't uninstalling properly, and what do I do about Live Security Platinum? I had a previous virus problem with that program and I'm not sure if that's completely off my system just yet.
     
  32. thisisu

    thisisu Malware Consultant

    What happens?
     
  33. draftiebrah

    draftiebrah Private E-2

    BearShare goes through the process fine; the desktop icon is gone but it's still in the Add/Remove list. The Freecorder programs come up with error messages.
     
  34. thisisu

    thisisu Malware Consultant

    You should have told me what the error messages say.

    Just continue with the rest of the steps; skip Freecorder.
     
  35. draftiebrah

    draftiebrah Private E-2

    Freecorder just says: Invalid uninstall control file C:/Program Files/Freecoder/Uninstall/uninstall.xml
     
  36. draftiebrah

    draftiebrah Private E-2

    New OTL scan and FSS scan attached.
     


  37. thisisu

    thisisu Malware Consultant

    • Download each of the 3 files below onto the desktop of the computer with the issues:
    • Now double-click each of them, one at a time, and allow each one to merge into the Windows registry.
    • Let me know if you received a successful message for all three files.
      • If all were successful, reboot your computer and rescan with Farbar Service Scanner. Attach its latest log.
      • If they weren't successful, let me know but rescan with Farbar Service Scanner too.
     
  38. draftiebrah

    draftiebrah Private E-2

    The new registry files merged successfully, and the FSS scan is included.
     

  39. thisisu

    thisisu Malware Consultant

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know what problems remain.
     
  40. draftiebrah

    draftiebrah Private E-2

    Here you go. As for issues, I think they're all gone and no more Google redirects. Could you tell me if there is any trace of the Live Security Platinum virus on my comp and if it's safe to get rid of it from the Add/Remove Programs list? Other than that the comp is running a bit slow, but I think the laptop is on its way out...
    Thank You again for all the help.
     


  41. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :files
    dir /s C:\Users\George\AppData\Local\{D9DD3F67-3AF8-4B65-83F0-2B32144C00A0} /c
    dir /s C:\Users\George\AppData\Local\{DF5D6CFE-2224-4F1F-9087-3C500EBEAF07} /c
    C:\Users\George\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum /d
    dir /s C:\ProgramData\036DFF8502A74619CCA9ED992F3B707C /c
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
  42. draftiebrah

    draftiebrah Private E-2

    I believe that is all :) thanks again.
     


  43. thisisu

    thisisu Malware Consultant

    You can delete this folder:
    • C:\ProgramData\036DFF8502A74619CCA9ED992F3B707C

    __

    Rest of your logs are fine ;)

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
