Ukash virus

Solved
Thread Status:
Not open for further replies.
  1. mogwai

    mogwai New Member Bronze Member

    Joined:
    Mar 19, 2012
    Posts:
    4
    Likes Received:
    0

    Hi, my computer's infected with the ukash virus. I've gone through the prework instructions and attached the requested logs. Further assistance would be greatly appreciated. Thanks in advance!
     
  2. Pancake

    Pancake Well-Known Member

    Joined:
    Jun 1, 2006
    Posts:
    3,921
    Likes Received:
    5

    Hi. Welcome to the forum.

    I see from the log you have two virus scanners. Remove one, as two cause conflicts and slowdowns.
    ============================

    Please run all these programs..

    Download the TDSSKiller.exe and extract to your Desktop.

    Execute TDSSKiller.exe by double-clicking on it. You may be prompted to restart your machine. Type Y at the prompt.
    Once complete, a log will be produced at root. It will be named UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt.

    Attach that log here please.

    ====================================================


    Please download Malwarebytes Anti-Malware from Malwarebytes.org
    Alternate link: Download Mirror

    (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

    Double Click mbam-setup.exe to install the application.

    (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
    Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    If an update is found, it will download and install the latest version.
    Once the program has loaded, select "Perform Full Scan", then click Scan.
    The scan may take some time to finish, so please be patient.
    When the scan is complete, click OK, then Show Results to view the results.
    Make sure that everything is checked, and click Remove Selected.
    When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    Please save the log to a location you will remember.
    The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Copy and paste the entire report in your next reply.
    If Malwarebytes fails to download please use the following link:

    http://malwarebytes.org/mbam-download-exe-random.php
     
  3. mogwai

    mogwai New Member Bronze Member

    Joined:
    Mar 19, 2012
    Posts:
    4
    Likes Received:
    0

    Thanks for your prompt response.

    I ran both programs. TDSSKiller apparently didn't show any infected files and I'm afraid I couldn't locate any log in the format you highlighted for it either.

    The MBAM report is as follows:


    Malwarebytes Anti-Malware 1.60.1.1000
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: v2012.03.21.02

    Windows Vista x86 NTFS (Safe Mode/Networking)
    Internet Explorer 7.0.6000.17037
    vaio :: VAIO-PC [administrator]

    21/3/2012 10:41:54 AM
    mbam-log-2012-03-21 (10-41-54).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 323402
    Time elapsed: 52 minute(s), 1 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Cryptbel.Gen) -> Data: C:\Users\vaio\AppData\Roaming\0.3166123393794082567f76.exe -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Worm.Palevo) -> Data: explorer.exe,C:\Users\vaio\AppData\Roaming\mmmpc.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 5
    C:\Users\vaio\AppData\Roaming\0.3166123393794082567f76.exe (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
    C:\Users\vaio\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H89F1J5X\contacts[1].exe (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
    C:\Users\vaio\AppData\Local\Temp\0.3166123393794082567f76.exe (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
    C:\Users\vaio\AppData\Local\Temp\wpbt0.dll (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
    C:\Users\vaio\AppData\Roaming\wpbt0.dll (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.

    (end)
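    The two registry hits in this report are where the lock screen persisted: a Run value pointing at the dropped executable, and the Winlogon Shell value with a second program appended after explorer.exe, so it is launched together with the desktop at every logon. The Python below is an added example, not part of the original thread or of Malwarebytes' own tooling: it parses the detection lines of an MBAM report (the embedded sample copies the detection lines from the report above and omits the header and zero-count sections), classifies each hit by the autostart mechanism it abused, and pulls out any non-default entry from the Shell value so a responder can confirm what was injected and whether every item was reported as removed. The function names, the line regex and the summary fields are my own assumptions about the log format, based only on the lines shown here.

```python
"""Parse a Malwarebytes Anti-Malware (MBAM) report and classify each detection.

Added example (not part of the original thread or of Malwarebytes): the
detection lines in SAMPLE_LOG are copied from the report posted above; the
header and zero-count sections of that report are omitted.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Cryptbel.Gen) -> Data: C:\Users\vaio\AppData\Roaming\0.3166123393794082567f76.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Worm.Palevo) -> Data: explorer.exe,C:\Users\vaio\AppData\Roaming\mmmpc.exe -> Quarantined and deleted successfully.

Files Detected: 5
C:\Users\vaio\AppData\Roaming\0.3166123393794082567f76.exe (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
C:\Users\vaio\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H89F1J5X\contacts[1].exe (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
C:\Users\vaio\AppData\Local\Temp\0.3166123393794082567f76.exe (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
C:\Users\vaio\AppData\Local\Temp\wpbt0.dll (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
C:\Users\vaio\AppData\Roaming\wpbt0.dll (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
(end)
"""

# One MBAM detection line: "<item> (<family>) [-> Data: <data>] -> <action>."
# (assumed format, derived from the lines above)
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?"
    r"(?P<action>.+?)\.?$"
)

REG_HIVES = ("HKCU\\", "HKLM\\", "HKU\\", "HKCR\\", "HKEY_")
DEFAULT_SHELL = "explorer.exe"  # the only entry a clean Winlogon\Shell value should hold


@dataclass
class Detection:
    item: str             # registry "key|value" or a file path
    family: str           # detection name, e.g. Trojan.Cryptbel.Gen
    data: Optional[str]   # registry value data, if the line carried one
    action: str           # what MBAM reported doing with it

    @property
    def is_registry(self) -> bool:
        return self.item.upper().startswith(REG_HIVES)


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line in the report, in order."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.append(Detection(m["item"], m["family"], m["data"], m["action"]))
    return found


def persistence_kind(d: Detection) -> str:
    """Name the autostart mechanism a registry detection abused ("file" otherwise)."""
    if not d.is_registry:
        return "file"
    key, _, value = d.item.rpartition("|")
    key_u, value_u = key.upper(), value.upper()
    # Winlogon\Shell (and Userinit) run at every logon; a second program appended
    # after explorer.exe is started alongside the desktop.
    if key_u.endswith("\\WINLOGON") and value_u in ("SHELL", "USERINIT"):
        return "winlogon_shell"
    if key_u.endswith(("\\RUN", "\\RUNONCE")):
        return "run_key"
    return "registry_other"


def injected_shell_entries(data: str) -> List[str]:
    """Entries of a comma-separated Shell value other than the default explorer.exe."""
    parts = [p.strip() for p in data.split(",")]
    return [p for p in parts if p and p.lower() != DEFAULT_SHELL]


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Counts per mechanism plus the items a responder checks first."""
    by_kind: Dict[str, int] = {}
    for d in dets:
        by_kind[persistence_kind(d)] = by_kind.get(persistence_kind(d), 0) + 1
    injected = [
        e for d in dets if persistence_kind(d) == "winlogon_shell" and d.data
        for e in injected_shell_entries(d.data)
    ]
    return {
        "total": len(dets),
        "by_kind": by_kind,
        "families": sorted({d.family for d in dets}),
        "injected_shells": injected,
        "not_removed": [d.item for d in dets if "successfully" not in d.action.lower()],
    }


if __name__ == "__main__":
    for key, val in summarize(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {val}")
```

    Run on the sample, the summary reports seven detections (one Run value, one Winlogon Shell value, five files), two families, mmmpc.exe as the single injected shell entry, and nothing left in place. The Shell check is the one worth keeping around: a lock screen that comes back after reboot usually means that value, not the Run key, still carries the extra program.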
     
  4. Pancake

    Pancake Well-Known Member

    Joined:
    Jun 1, 2006
    Posts:
    3,921
    Likes Received:
    5

    Download Combofix from any of the links below, and save it to your desktop.
    Link 1
    Link 2
    Link 3
    When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.

    Refer to this image:
    To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
    • Close any open windows and double click PCHelpForum.exe to run it.
      You will see the following image:

    Click I Agree to start the program.
    ComboFix will then extract the necessary files and you will see this:

    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.
    It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If you did not have it installed, you will see the prompt below. Choose YES.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.
    When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
    Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
    Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.
     
  5. mogwai

    mogwai New Member Bronze Member

    Joined:
    Mar 19, 2012
    Posts:
    4
    Likes Received:
    0

    The contents of the log:


    ComboFix 12-03-21.02 - vaio 21/03/2012 21:57:10.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.60.1033.18.2038.1479 [GMT 0:00]
    Running from: c:\users\vaio\Desktop\PCHelpForum.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-21 to 2012-03-21 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-21 22:04 . 2012-03-21 22:04 -------- d-----w- c:\users\vaio\AppData\Local\temp
    2012-03-21 20:00 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{93104547-8650-4DD4-A248-E704DFF702F8}\mpengine.dll
    2012-03-21 10:40 . 2012-03-21 10:40 -------- d-----w- c:\users\vaio\AppData\Roaming\Malwarebytes
    2012-03-21 10:39 . 2012-03-21 10:39 -------- d-----w- c:\programdata\Malwarebytes
    2012-03-21 10:39 . 2012-03-21 10:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-03-21 10:39 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-23 09:18 . 2010-05-01 08:25 237072 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-05-02 1232896]
    "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-06 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-10 835584]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-04-08 4423680]
    "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-06-12 317560]
    "E-Flyer"="c:\program files\Sony\E-Flyer\SubFlyer.exe" [2006-10-16 456824]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-30 137752]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-30 154136]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-30 133656]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-07-13 115816]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]
    VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2010-8-23 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2007-07-25 02:26 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-18 08:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - COMHOST
    *NewlyCreated* - ECACHE
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-01 23:41]
    .
    2012-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-01 23:41]
    .
    2012-02-13 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - vaio.job
    - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-07-13 09:13]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://vaio-online.sony.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\vaio\AppData\Roaming\Mozilla\Firefox\Profiles\tb1b0ra5.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-21 22:04
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-03-21 22:06:54
    ComboFix-quarantined-files.txt 2012-03-21 22:06
    .
    Pre-Run: 13,786,603,520 bytes free
    Post-Run: 17,138,360,320 bytes free
    .
    - - End Of File - - 6354F035A67A0855BBFBA1F734F6F727
     
  6. Pancake

    Pancake Well-Known Member

    Joined:
    Jun 1, 2006
    Posts:
    3,921
    Likes Received:
    5

    OK. All done. I see no more malware. Log looks good! All that was detected is now either in quarantine or System Restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.

    You can now uninstall ComboFix

    • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
    • In the field, type in ComboFix /uninstall

    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

    • Then, press Enter, or click OK.
    • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

    Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.

    Please download OTC to your desktop.

    Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")
    Click on the CleanUp! button and follow the prompts.
    You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
    After the reboot all the tools we used should be gone.
    Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

    Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.
    Afterwork
    Malware Prevention
    How Did I Get Infected
    More Tips on Prevention

    =============================
     
  7. mogwai

    mogwai New Member Bronze Member

    Joined:
    Mar 19, 2012
    Posts:
    4
    Likes Received:
    0

    Yay! That's fantastic! I'll just go through the final instructions shortly then. Thanks a million! I seriously don't know what I would've done had I not found this forum. I definitely wouldn't have been able to go through the process hassle-free like I've been able to. So once again, thank you!! :)
     
  8. Pancake

    Pancake Well-Known Member

    Joined:
    Jun 1, 2006
    Posts:
    3,921
    Likes Received:
    5

    You're very welcome. Glad to assist. :)
     