
RCMP UKash Virus Got Me


8 replies to this topic

#1 HD_Dave

HD_Dave

  • Members
  • 2 posts

Posted 08 May 2012 - 12:00 PM

Hi

The RCMP UKash virus has infected my computer. I managed to get the main screen to go away, but all my files (doc, pdf, xls, etc.) are locked. The file names have changed and if I try to access them it says they are corrupted.

Say I had a file called newfile.doc. The file would now be called Locked-newfile.doc.ngh.

Any thoughts?

Dave


#2 dpasch

dpasch

  • Members
  • 2 posts
  • Gender:Male

Posted 10 May 2012 - 02:00 PM

I'd be interested in finding out how to fix the files as well. My assumption is it modifies the headers of the file with some sort of code. I have looked via hex editor but cannot find the coding in it. I have seen many pages on how to remove the virus, but none explain how to unlock the files.

I should note that the locked files, i.e. pictures, will not open if you modify the file extension to be the proper one, like jpg. It does not pertain to that PC alone, as you can put it on another system and get the same results, hence the reason for my thoughts on it modifying the header of the file.
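
Added example, not part of any poster's reply: a Python triage check for the observations in posts #1 and #2. It recovers the original name from the `Locked-<name>.<ext>.<suffix>` pattern and tests whether the file still begins with the signature its original extension implies. The signature table is a small subset, and the sample files and the `.qzx` suffix are constructed for the demo.

```python
import os
import tempfile

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office compound file
# Leading bytes ("magic numbers") for a few of the affected file types.
MAGIC = {".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-", ".doc": OLE2, ".xls": OLE2}
PREFIX = "Locked-"

def original_name(locked_name):
    """'Locked-newfile.doc.ngh' -> 'newfile.doc'; None if the pattern does not match."""
    if not locked_name.startswith(PREFIX):
        return None
    stem, extra = os.path.splitext(locked_name[len(PREFIX):])
    # Require both the appended suffix and an original extension underneath it.
    if not extra or not os.path.splitext(stem)[1]:
        return None
    return stem

def triage(path):
    """Return (original_name, verdict) for one file on disk."""
    name = original_name(os.path.basename(path))
    if name is None:
        return None, "not-locked-pattern"
    sig = MAGIC.get(os.path.splitext(name)[1].lower())
    if sig is None:
        return name, "unknown-type"
    with open(path, "rb") as fh:
        head = fh.read(len(sig))
    # An intact header means the file was only renamed; an altered header
    # means the content itself was changed and renaming cannot restore it.
    return name, "header-intact" if head == sig else "header-altered"

def demo():
    """Build two constructed sample files and triage them."""
    with tempfile.TemporaryDirectory() as d:
        altered = os.path.join(d, "Locked-photo.jpg.ngh")
        intact = os.path.join(d, "Locked-report.pdf.qzx")
        with open(altered, "wb") as fh:
            fh.write(b"\x13\x37\x00\x42" + b"\x00" * 32)   # constructed, not a JPEG header
        with open(intact, "wb") as fh:
            fh.write(b"%PDF-1.4\n% constructed sample\n")
        return [triage(altered), triage(intact)]

if __name__ == "__main__":
    for name, verdict in demo():
        print(name, verdict)
```

A `header-altered` verdict only shows that the leading bytes no longer match the expected format; it does not identify how the content was changed.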

#3 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 10 May 2012 - 07:10 PM

Use this tool by Kaspersky to decrypt and restore your files: http://support.kaspersky.com/faq/?qid=208286527

#4 Doc_Judy

Doc_Judy

  • Members
  • 1 posts

Posted 10 May 2012 - 11:14 PM

Thank you thisisu for posting the fix. I used it to unlock the files that were left after I removed the UKash virus. It was a relief to be able to save all the photos. I had tried several different tools prior to this one, and they didn't fix the issue. I had pulled the HDD and scanned for the virus on a different machine as it was locked and gave me the BSOD if I tried to boot into Safe Mode. I scanned using MS Security Essentials on another machine, and then replaced the HDD and did an in-place Windows install to repair the corrupt files. This allowed me to boot into Safe Mode. Once I managed that, then all that was left was repairing the damage done with regards to locked files. The Kaspersky tool you posted the link to worked perfectly for me. Thank you again. :thumbup2:

#5 HD_Dave

HD_Dave
  • Topic Starter

  • Members
  • 2 posts

Posted 13 May 2012 - 06:08 AM

Thanks thisisu...that worked great for me. Just when I thought everything was gone.
Ran it the first time and only got less than half the files back. Found a different original file and ran it again. Everything came back.

Once again, thank you very much. :thumbup2:

#6 sig8

sig8

  • Members
  • 1 posts

Posted 17 May 2012 - 10:55 AM

Hi, I managed to get this virus as well, but unlike every other post I've read, I'm unable to use safe mode with/without networking. The only way to avoid getting UKash to block my screen is by starting in safe mode with command. I tried to get task manager running from there but it said that it was blocked by administrator. I was able to start up system restore from command prompt, but after waiting about 5 minutes to "initialize" I figured it wasn't working. Any ideas on how to take back my computer?

#7 gmbrereton

gmbrereton

  • Members
  • 9 posts
  • Gender:Male

Posted 29 January 2013 - 12:55 AM

OK, which Kaspersky tool is it and what is the cost of it? I assume it is not a freebie?

#8 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 29 January 2013 - 05:13 PM

OK, which Kaspersky tool is it and what is the cost of it? I assume it is not a freebie?

Hello -
Please note that all links to tools on the forum are Free versions, so if you still have a problem, please start your own fresh topic.
This way your problem will be treated as a separate topic, and you will get personal help -

Thank You -

#9 gmbrereton

gmbrereton

  • Members
  • 9 posts
  • Gender:Male

Posted 30 January 2013 - 12:47 PM

Hello - is there a charge for this? I have been advised I have trojan.matsnu.20.



