Another Scotland Yard UKash virus

  1. cabaret.ampere


    Hi,

    I wasn't able to post in the other thread; I hope this is OK.

    I've got the Scotland Yard Ukash virus, which prevents me from doing anything, even in safe mode. It pops up immediately when Windows opens.

    I've used UBCD and tried full scans with SuperAntiSpyware, Avira and others, but I haven't been able to use ComboFix or Malwarebytes Anti-Malware in the UBCD environment.

    SuperAS removed 2 registry files and now the virus takes 20 secs or so to appear. Unfortunately I don't have a record of them.

    I tried the fix in the other thread but it didn't work, I suspect because the copied text needs to be bespoke.

    My OTL files are attached.

    Thank you for any assistance you might offer.

    (Windows XP SP3)

  2. Belahzur


    Hello.

    Please run OTL.exe.
    • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :OTL
      O3 - HKU\thomas1985_ON_C\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
      O3 - HKU\thomas1985_ON_C\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
      O3 - HKU\thomas1985_ON_C\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
      F3 - HKU\thomas1985_ON_C WinNT: Load - (C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\D9ECE3A9A8F8DC5F7A71.exe) - File not found
      O7 - HKU\thomas1985_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
      O7 - HKU\thomas1985_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
      
      :commands
      [emptytemp]
      [emptyflash]
      [reboot]
      
    • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
    • Click the red Run Fix button.
    • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTL.exe
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
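    A defender-side triage script, added here as an example and not part of this thread or of OTL itself: it scans OTL log lines like those in the fix above, flags the win.ini load= launcher (the F3 WinNT: Load entry, which is the [windows] section asked about later in the thread), the DisableRegistryTools/DisableRegedit lockdown policies and the orphaned toolbar entries, and assembles the matching :OTL fix block. The sample lines are constructed from the entries above plus one benign autostart line; DisableTaskMgr is included as a further well-known lockdown policy that is not on this page.

```python
import re

# Constructed sample OTL log lines, modelled on the entries in the fix above,
# plus one benign O4 autostart line that should NOT be flagged.
SAMPLE_OTL_LINES = [
    r"O3 - HKU\thomas1985_ON_C\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.",
    r"F3 - HKU\thomas1985_ON_C WinNT: Load - (C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\D9ECE3A9A8F8DC5F7A71.exe) - File not found",
    r"O7 - HKU\thomas1985_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1",
    r"O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)",
]

# The win.ini "load=" value (OTL's F3 WinNT: Load line) runs as soon as the desktop
# starts, which is why the locker appears the moment Windows opens. A legitimate
# system leaves it empty; anything pointing into Temp or the profile is worse.
LOAD_RE = re.compile(r"^F3 - .*WinNT: Load - \((?P<path>[^)]*)\)", re.I)
POLICY_RE = re.compile(r"^O7 - .*\\policies\\System: (?P<name>Disable\w+) = (?P<value>\d+)", re.I)
ORPHAN_RE = re.compile(r"^O3 - .*No CLSID value found", re.I)
TEMP_RE = re.compile(r"\\(Temp|Local Settings|Application Data)\\", re.I)

# Policies a locker sets to keep the victim out of regedit / Task Manager.
# DisableTaskMgr is a known Windows policy value, not taken from this thread.
LOCKDOWN_POLICIES = {"DisableRegistryTools", "DisableRegedit", "DisableTaskMgr"}


def classify(line: str):
    """Return (severity, reason) for a suspicious OTL line, or None if it looks benign."""
    m = LOAD_RE.match(line)
    if m and m.group("path").strip():
        sev = "high" if TEMP_RE.search(m.group("path")) else "medium"
        return sev, "non-empty win.ini load= value: " + m.group("path")
    m = POLICY_RE.match(line)
    if m and m.group("name") in LOCKDOWN_POLICIES and m.group("value") != "0":
        return "high", "tool-lockdown policy set: " + m.group("name")
    if ORPHAN_RE.match(line):
        return "low", "orphaned toolbar entry (no CLSID)"
    return None


def triage(lines):
    """Pair every flagged line with its verdict, preserving log order."""
    return [(line, *verdict) for line in lines if (verdict := classify(line))]


def build_fix(lines):
    """Emit an OTL fix script that moves every flagged entry and clears temp files."""
    body = [line for line, _sev, _why in triage(lines)]
    return "\n".join([":OTL", *body, "", ":commands", "[emptytemp]", "[reboot]"])
```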
     
  3. cabaret.ampere


    Thank you

    I copied that into OTL and ran fix to get this:

    I only copied the file path in and not the commands as that caused an error.

    I'll try running the commands again, and see if it helps.
     
  4. cabaret.ampere


    The virus is still there.

    I should say that I'm only able to carry out anything in the UBCD environment, is that a problem?
     
  5. Belahzur


    Please download and run this tool.

    Download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately.


    Post the contents of the MBAM Log.
     
  6. cabaret.ampere


    I've already tried to download and run malwarebytes anti malware in the UBCD environment, but it doesn't work, nor can I get a bootable version.

    I might be able to get it to work using another bootable environment, but that will take some time.

    I was wondering if it was possible to manually remove the problem from the registry?
     
  7. Belahzur


    OTL should have done that, it removed the loader.

    Boot back to normal mode, see what happens.
     
  8. cabaret.ampere


    I have done, the virus message still appears.

    I'll try to make Malwarebytes work. Thanks for your help so far.
     
  9. Belahzur


    See if this will work.

    Please download the current version of HijackThis from HERE
    • Double click and run the installer.
    • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
    • After installing, you should get the user agreement, press accept and Hijack This will run.
    • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
     
  10. fckukash


    Hi,

    Try Spybot (first);
    if it won't help, use ComboFix (very powerful, will remove even a system "activator").

    I ran both, worked for me.

    Virus is quite dodgy, cannot be closed down easily.
    I think all the obvious ways were blocked; below is how I closed it down on my Win7:

    Virus window was on the full screen.
    1.) I kept my system busy with a CD (any software with autorun; also plug a stick or phone into USB if the CD is not enough)
    2.) Log out and then cancel it

    Point 1.) is to slow down logging out, and cancel this when you see a list of closing apps; your choice then is Force Shut Down or Cancel. The more you plug in, the more time you get.

    Annoying mix of "Paint" and "TXT" gone now; I can go back to admiring my wallpaper.
     
  11. cabaret.ampere


    I cannot run anything in the target system. I can only do anything by using a bootable environment like UBCD4WIN. [The virus appears in safe mode too. EDIT: Actually I'm unable to enter safe mode at all: "Windows did not start successfully, this may be due to a recent hardware or software change...."]

    I cannot run Malwarebytes Anti-Malware. It needs to be run on the target system, which the virus makes impossible. The same applies to ComboFix.

    ^ Thanks for that, I've tried to do this, I assume you mean logging out blind using the keyboard? I don't think I can as the windows key gives an error alert. Already tried Spybot in UBCD.
     
  12. Belahzur


    UBCD4W has HiJack This integrated into it.
    UBCD for Windows

    Can you get that to run?

    Also, can you run msconfig? Start > Run, type msconfig & hit enter.

    Look under the win.ini tab, is there a [windows] bit?
     
  13. cabaret.ampere


    I can't open msconfig in UBCD unfortunately.

    Can I disable the virus from startup without msconfig?

    HijackThis is unavailable from UBCD despite me including the plugin. I'll try re-creating the image.
     
  14. Belahzur


    Okay, can you try opening the registry manually?

    Start > Run > regedit

    Also, can you boot back to normal mode and get a picture of the lock screen that comes up? I'd like to know what I'm dealing with. Try to make it a decent image if you can; get as much detail as possible.
     
  15. cabaret.ampere


    I can use regedit in UBCD, and I've looked through the registry for the files reported for the other Ukash viruses, but it looks fine. I'm no expert though.

    Here's a picture of the lock-out screen. It appears the second Windows starts up. Sorry for the quality; I'm not at the PC at the moment, my mum took the picture. It's not possible to print the screen, obviously.