
Infected with RCMP ukash virus


This topic is locked
4 replies to this topic

#1 sonamair

  • Members
  • 2 posts

Posted 06 May 2012 - 07:04 AM

I have been infected with RCMP ukash - on startup I get the ransom demand "Warning" screen. All of my files (images, music, favourites etc.) have been 'locked' - I can start up in safe mode 'Directory Services Restore Mode'.





DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by sue at 10:05:27 on 2012-05-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1255 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Blaze Media Pro\NMSAccess32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [84A4FBAB] c:\windows\system32\78FB30D984A4FBAB4F41.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Trojan Remover] "c:\program files\trojan remover\RMVTRJAN.EXE" /restart
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1310044879093
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C45776D7-796E-482C-8D32-6295ED54C49A} : DhcpNameServer = 192.168.2.1
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-5-5 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-5-5 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-5-5 44768]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-5-5 612184]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-10 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-18 253088]
S3 cpuz134;cpuz134;\??\c:\docume~1\sue\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\sue\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-10 136176]
.
=============== Created Last 30 ================
.
2012-05-05 05:15:54 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-05-05 05:15:34 41184 ----a-w- c:\windows\avastSS.scr
2012-05-05 05:15:22 -------- d-----w- c:\program files\AVAST Software
2012-05-05 05:15:22 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-05-05 05:01:08 -------- d-----w- c:\program files\HitmanPro
2012-05-05 05:00:17 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-05-05 04:55:54 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2012-05-05 04:55:54 75264 ----a-w- c:\windows\system32\unacev2.dll
2012-05-05 04:55:54 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2012-05-05 04:55:54 598528 ----a-w- c:\windows\system32\ztv7z.dll
2012-05-05 04:55:54 178176 ----a-w- c:\windows\system32\ztvunrar39.dll
2012-05-05 04:55:54 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2012-05-05 04:55:54 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2012-05-05 04:55:53 -------- d-----w- c:\program files\Trojan Remover
2012-05-05 04:55:53 -------- d-----w- c:\documents and settings\sue\application data\Simply Super Software
2012-05-05 04:55:53 -------- d-----w- c:\documents and settings\all users\application data\Simply Super Software
2012-05-05 04:24:17 -------- d-----w- c:\documents and settings\sue\application data\Systweak
2012-05-05 04:24:14 17280 ----a-w- c:\windows\system32\roboot.exe
2012-05-05 04:22:42 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-05 03:09:50 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-05-05 03:09:50 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-05 03:09:24 -------- d-----w- c:\program files\Firestorm-Release
2012-05-05 02:14:58 -------- d-----w- c:\documents and settings\sue\application data\Malwarebytes
2012-05-05 02:14:19 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-05 02:14:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-04 23:35:24 -------- d-----w- c:\documents and settings\sue\application data\Fcyszlr
2012-05-04 23:35:00 33280 ---ha-w- c:\windows\system32\78FB30D984A4FBAB4F41.exe
2012-04-18 16:04:49 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-15 22:55:36 -------- d-----w- c:\program files\IrfanView
.
==================== Find3M ====================
.
2012-04-18 16:04:49 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 10:06:31.95 ===============


#2 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 May 2012 - 08:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please run Msconfig
How To:
http://www.netsquirrel.com/msconfig/msconfig_xp.html

Stop this process.

uRun: [84A4FBAB] c:\windows\system32\78FB30D984A4FBAB4F41.exe

Delete this file.

c:\windows\system32\78FB30D984A4FBAB4F41.exe

Restart the computer normally.

===

Let me know what problem persists.
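The helper identifies the autorun entry by reading the DDS log above. The following is an added example, not code from the thread or from the DDS tool, showing how that triage step can be automated: it parses the "Pseudo HJT Report" Run/RunOnce lines and the "Created Last 30" section from a constructed excerpt of the log (copied from the post), and flags entries whose value name or executable name is a long hex string, which it then cross-references against recent file creation and the hidden attribute. The heuristics (hex-only names of eight or more characters, the `h` flag in the attribute column) are assumptions of this example, not DDS features.

```python
import re

# Constructed excerpt of the DDS log posted in the thread (real lines, shortened).
DDS_EXCERPT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [84A4FBAB] c:\windows\system32\78FB30D984A4FBAB4F41.exe
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
.
=============== Created Last 30 ================
.
2012-05-04 23:35:24 -------- d-----w- c:\documents and settings\sue\application data\Fcyszlr
2012-05-04 23:35:00 33280 ---ha-w- c:\windows\system32\78FB30D984A4FBAB4F41.exe
2012-04-18 16:04:49 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
"""

# DDS autostart line: <hive>Run[Once]: [value name] command
RUN_RE = re.compile(r'^(?P<hive>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# DDS "Created Last 30" line: date time size attributes path
CREATED_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$')
# Assumed heuristic: names made only of hex digits, 8+ chars, look machine-generated.
HEX_RE = re.compile(r'^[0-9A-Fa-f]{8,}$')


def _exe_path(cmd):
    """Return the executable path from a Run command, dropping quotes and switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted command: the path runs up to the first " /" or " -" switch.
    return re.split(r' [/-]', cmd, maxsplit=1)[0]


def triage(log_text):
    """Return the Run/RunOnce entries that trip at least one heuristic."""
    created = {}
    for line in log_text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            created[m['path'].lower()] = m

    flagged = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        path = _exe_path(m['cmd'])
        base = path.rsplit('\\', 1)[-1]
        stem = base.rsplit('.', 1)[0]
        reasons = []
        if HEX_RE.match(stem):
            reasons.append('hex-only executable name')
        if HEX_RE.match(m['name']):
            reasons.append('hex-only value name')
        c = created.get(path.lower())
        if c:
            reasons.append('created ' + c['date'])
            if 'h' in c['attrs']:
                reasons.append('hidden attribute')
        if reasons:
            flagged.append({'hive': m['hive'], 'name': m['name'],
                            'path': path, 'reasons': reasons})
    return flagged


if __name__ == '__main__':
    for entry in triage(DDS_EXCERPT):
        print(f"{entry['hive']} [{entry['name']}] {entry['path']}")
        for r in entry['reasons']:
            print('   -', r)
```

Run against the excerpt, only the `[84A4FBAB]` entry is reported, on all four grounds; the legitimate ctfmon, Google and avast entries pass. The name heuristic is deliberately narrow, so treat a clean result as "nothing obvious", not as a verdict.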

#3 sonamair

  • Topic Starter
  • Members
  • 2 posts

Posted 10 May 2012 - 03:57 PM

Hi there! First off, thanks for the help :)

I followed your directions, and the fix seems to be effective for only 1 restart. The .exe that you had me delete seems to come back on subsequent startup.


Also, is there a fix for my files that are 'locked'? For example, my pics, notepads, music etc. have all been renamed to: locked-<file name>.jpg.<4 random letters>

'File Type' being those 4 letters - RUQG, LPDX, FRUJ etc (all different)

Edited by sonamair, 10 May 2012 - 08:45 PM.
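The rename pattern described in the post above (locked-<original name>.<ext>.<4 letters>) gives a defender two questions: which files were touched, and whether the content was actually altered or only renamed. The following added example, not from the thread or from any tool mentioned in it, walks a directory, matches the pattern, recovers the original filename, and checks whether each file still starts with the magic bytes of its claimed type. The magic table and the text heuristic are assumptions of this example; the sample files are constructed in a temporary directory so the script runs offline.

```python
import os
import re
import tempfile

# Pattern reported in the thread: locked-<name>.<ext>.<4 letters>
LOCKED_RE = re.compile(r'^locked-(?P<original>.+\.[^.]+)\.(?P<tag>[A-Za-z]{4})$')

# Assumed signature table for a few common types; None means "no fixed signature".
MAGIC = {
    'jpg': b'\xff\xd8\xff',
    'jpeg': b'\xff\xd8\xff',
    'png': b'\x89PNG\r\n\x1a\n',
    'gif': b'GIF8',
    'mp3': None,   # MP3 may start with ID3 or a frame sync; treated as unknown here
    'txt': None,
}


def header_intact(path, ext):
    """True if the first bytes still match the original type's signature.

    Types without a signature fall back to a printable-text check (assumed
    heuristic); unknown extensions return None rather than guessing.
    """
    with open(path, 'rb') as f:
        head = f.read(16)
    ext = ext.lower()
    if ext not in MAGIC:
        return None
    sig = MAGIC[ext]
    if sig is None:
        return all(32 <= b < 127 or b in (9, 10, 13) for b in head)
    return head.startswith(sig)


def inventory(root):
    """Return one record per file matching the locked-* pattern under root."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = LOCKED_RE.match(name)
            if not m:
                continue
            original = m['original']
            ext = original.rsplit('.', 1)[-1]
            report.append({
                'locked': name,
                'original': original,
                'tag': m['tag'],
                'header_intact': header_intact(os.path.join(dirpath, name), ext),
            })
    return sorted(report, key=lambda r: r['locked'])


def build_sample(root):
    """Constructed fixture: a renamed-but-intact JPEG, a text file whose bytes
    were overwritten, and an untouched file that must not be reported."""
    samples = {
        'locked-holiday.jpg.RUQG': b'\xff\xd8\xff\xe0' + b'\x00' * 12,
        'locked-notes.txt.LPDX': bytes(range(128, 144)),
        'readme.txt': b'plain file',
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), 'wb') as f:
            f.write(data)
    return root


if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as tmp:
        for rec in inventory(build_sample(tmp)):
            state = {True: 'header intact (rename only)',
                     False: 'header changed (content altered)',
                     None: 'unknown type'}[rec['header_intact']]
            print(f"{rec['locked']} -> {rec['original']} [{rec['tag']}]: {state}")
```

A file whose header is intact can usually be recovered just by renaming it back, while one whose header has changed has had its content modified and renaming will not help; the inventory separates the two before anyone touches the files.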


#4 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 May 2012 - 07:55 AM

This is a recent development.

Download and run this new removal tool.

http://www.anvisoft.com/wiki/how-to-remove-RCMP-Ukash-virus.html

When complete please post a fresh DDS log and let me know what problem persists.

#5 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 May 2012 - 08:14 AM

Are you still with me?
