
UKASH VIRUS ON VISTA


4 replies to this topic

#1 llangadoghouse

llangadoghouse

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:19 PM

Posted 08 December 2011 - 05:59 AM

My computer has just been infected by a variant of the UKASH virus.

" ASSOCIATION OF CHIEF POLICE OFFICERS - INTERNET WATCH FOUNDATION"

YOUR COMPUTER HAS BEEN BEEN DOWNLOADING INDECENT IMAGES etc etc...."

Asking me to pay £50 via UKASH to unlock.

I have tried the usual solutions by going to safe mode but all safe mode options including "with command prompt" are blocked. I just get a small box on safe mode screen which just brings up the offending screen, no other icons whatsoever.

Any help for me out there?

Best wishes Peter

Edited by hamluis, 08 December 2011 - 07:23 AM.
Moved from Vista to Am I Infected.




#2 cookmiester

cookmiester

  • Members
  • 65 posts
  • OFFLINE
  • Gender:Male
  • Location:Stoke-on-Trent
  • Local time:06:19 PM

Posted 15 December 2011 - 04:05 PM

Hello Peter. Cookmiester here to help you today. This is fake as you know. What to do is easy.

Download Malwarebytes. And when installed, rename to zxcv on the shortcut. Now reboot in safe mode (tap F8 before Windows starts booting). Then run a full scan. When finished scanning, post the log here to me so I can check if it's OK.

#3 llangadoghouse

llangadoghouse
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:19 PM

Posted 16 December 2011 - 05:10 AM

Cookmiester, thanks for your interest.

My problem runs a little deeper as the virus has blocked access to all safe mode options. I get into safe mode but all I get is an icon-less screen with only a small rectangular box which when clicked brings up the Ukash nonsense.

I have even removed the hard drive and scanned it via a separate PC with Malwarebytes, Ad-Aware and AVG but nothing seems to remove the virus. I put it back in the main PC and up pops the virus screen.

Help. On the verge of a fresh install.

Peter

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:01:19 PM

Posted 16 December 2011 - 11:52 AM

llangadoghouse,


Let's try the following:
(You may need to use a USB Flash drive for this.)

Step 1:
Press Ctrl Alt Delete (simultaneously) to bring up Task Manager (You may need to do this a couple of times.)

In Task Manager, go to File, and select: New Task (Run…)

In the Create New Task prompt, in the ‘Open’ area, type in:
regedit

If you are now at the Registry Editor, let's make an export of a Registry key to see if the malware has invaded it.


Step 2:
In Registry Editor go to File (upper left), and click: Export
In the prompt that appears...
Save in: Desktop
File name: expreg

Under Export range (at the bottom):
Click: Selected branch
Then, delete whatever is there, and copy/paste the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Click: Save

Now, go to the Desktop, and right click the expreg file
Select: Open, or, Edit

Copy its contents.

Please post the info in the expreg in your reply.

Note:
If you cannot get to the Desktop, do Step 2 once again, but this time, plug in a USB Flash drive, and do a Save to it, instead of the Desktop.

Save in: (Use the drop arrow to find the letter where the USB flash drive is located)

Take the Flash drive to another computer, obtain the info, and post it in your reply.

Old duck...


#5 cookmiester

cookmiester

  • Members
  • 65 posts
  • OFFLINE
  • Gender:Male
  • Location:Stoke-on-Trent
  • Local time:06:19 PM

Posted 16 December 2011 - 01:09 PM

Thanks for your reply, Peter. I see safe mode is blocked then. The guy above suggests Task Manager, however the virus totally overrules it and displays an error sound indicating the administrator blocked it.

I did get rid of it by system restore. But, here's something you can try. Boot to safe mode. But then on your keyboard press the Windows key and R when on the icon-less desktop. This should open up the run command. Then type regedit. Then, navigate to the following directories:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[random].exe"

The random exe is a bunch of numbers and letters. Just right click and delete the entries.

The following are also files associated with the virus. Just type the paths into the run command, then find and delete these:

%Windows%\system32\[random].exe
%appdata%\[random].exe
%Documents and Settings%\[UserName]\Application Data\[random].exe
%Documents and Settings%\[UserName]\Local Settings\Temp\[random].tmp
%Documents and Settings%\[UserName]\Desktop\[random].lnk

If you cannot access the run command and any of these, then it may be handy to have your installation disk with you as we may need to run a System Restore.

Cheers, Cookmiester.

Edited by cookmiester, 16 December 2011 - 01:10 PM.
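
The Winlogon check that posts #4 and #5 describe, as an added example that is not part of any poster's reply: a Python script that reads the exported expreg .reg file on a second computer and reports Shell or Userinit values that differ from the Windows defaults. The sample export, its .exe name and the C: install path are constructed assumptions.

```python
import re
import sys

# Key named in the thread (posts #4 and #5).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock data for the two values that decide what runs at logon (assumes a C: install).
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe,", r"c:\windows\system32\userinit.exe"},
}
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; the .exe name is made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"Shell"="C:\\Users\\user\\AppData\\Roaming\\x7k2q9.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]
'''

def unescape(s):
    # .reg files escape backslashes and double quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_strings(text):
    """Return {key_path: {value_name: data}} for string (REG_SZ) values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := STRING_VALUE.match(line)):
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def audit_winlogon(text):
    """List (name, data) pairs in the Winlogon key that differ from stock."""
    values = {}
    for path, vals in parse_reg_strings(text).items():
        if path.lower() == WINLOGON.lower():  # ignore subkeys in the export
            values = vals
    return [(n, d) for n, d in values.items()
            if n.lower() in EXPECTED and d.strip().lower() not in EXPECTED[n.lower()]]

if __name__ == "__main__":
    # regedit saves .reg exports as UTF-16 with a BOM.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE
    for name, data in audit_winlogon(text):
        print(f"non-default Winlogon value: {name} = {data}")
```

Run it with the path to the exported file as the only argument; with no argument it checks the constructed sample.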




