Ukash virus, assistance please


I was asked to look at a friend's Vista PC infected with what I believe is known as the Ukash, West Yorkshire Police ransomware.

The PC would boot and then a full screen internet explorer window would open, purporting to be from the police and demanding a payment to unlock the PC.

Booting from AVG's Linux boot disk and running a scan from there seems to have killed some of the nasties, but not all.

The PC now boots to a desktop and seems to run pretty much normally, until I try and run any form of virus scanner.

Windows Defender, Microsoft Security Essentials and Malwarebytes all fail to complete a scan, locking up and requiring a reboot.

So I assume there are still remnants of whatever infection was on the machine, and would appreciate any assistance in cleaning this PC up.

I have managed to run dds, and have attached logs to this post.

Thanks

Mike

attach.txt

dds.txt


Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them with Admin Rights (Right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

---------


Have you tried to run Malwarebytes from the Chameleon folder? If not...

  • Place Malwarebytes in Malwarebytes Chameleon folder.
    C:\Program Files\Malwarebytes' Anti-Malware\Chameleon
  • Install the Chameleon driver by doing the following: Press the Windows key + R and in the Run box, copy and paste the following command in the Code Box below then press Enter.
    "C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /o


  • A black DOS prompt will appear with a prompt to press any key to continue, please do.
  • Execute Malwarebytes by double-clicking on it
  • Press Quick Scan
  • If Malicious objects are found be sure to remove them
  • Once complete, a log will be produced and can be found at C:\Users\<USERNAME>\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs
  • Please attach that log in reply.


No...let's move on.

Download Combofix from any of the links below but rename it to Vageta.com before saving it to your Desktop.

Link 1

Link 2

==================================

Right-click the renamed ComboFix.exe, choose Run as Administrator, and follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Right-click SystemLook.exe and choose Run as Administrator to run it.
  • Copy the content within the following codebox into the main textfield:

    :dir
    C:\$HBCDTmp /s


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Hmmm, not good news.

Got back to the PC to see that it seemed to have crashed and restarted (before I removed the threats).

I have now tried to run Malwarebytes three times, and each time it stops responding at the same point, and the whole PC is locked up.

Here is the crash report:

Problem signature:

Problem Event Name: BlueScreen

OS Version: 6.0.6002.2.2.0.768.3

Locale ID: 2057

Additional information about the problem:

BCCode: 77

BCP1: 00000001

BCP2: 00000000

BCP3: 00000000

BCP4: 8EC3FBC8

OS Version: 6_0_6002

Service Pack: 2_0

Product: 768_1

Files that help describe the problem:

C:\Windows\Minidump\Mini122112-01.dmp

C:\Users\David MacIntyre\AppData\Local\temp\WER-615813-0.sysdata.xml

C:\Users\David MacIntyre\AppData\Local\temp\WER6EA9.tmp.version.txt

Read our privacy statement:

http://go.microsoft....63&clcid=0x0409

Mini122112-01.dmp is attached, I can't find the other two files mentioned.

Mini122112-01.zip
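The "Problem signature" block above is the Windows Error Reporting summary of a bug check; the added Python below (my own example, not something posted in this thread) parses that block and decodes the parameters of bug check 0x77 as documented in Microsoft's bug-check reference, so a responder can read the pasted report without opening the minidump. The sample report is constructed to carry the same fields as the one posted.

```python
import re

# Constructed sample: a WER "Problem signature" block carrying the same
# bug-check fields as the crash report posted above.
SAMPLE_REPORT = """Problem signature:
Problem Event Name: BlueScreen
BCCode: 77
BCP1: 00000001
BCP2: 00000000
BCP3: 00000000
BCP4: 8EC3FBC8
"""
# A few bug-check codes, named as in the Microsoft bug-check reference.
BUGCHECK_NAMES = {
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x77: "KERNEL_STACK_INPAGE_ERROR",
    0x7A: "KERNEL_DATA_INPAGE_ERROR",
}
# WER writes the code and parameters as bare hexadecimal (no 0x prefix).
_FIELD = re.compile(r"^(BCCode|BCP[1-4]):\s*([0-9A-Fa-f]+)\s*$", re.M)

def parse_bluescreen(report: str) -> dict:
    """Return the bug-check code, its name and its four parameters as ints."""
    fields = {k: int(v, 16) for k, v in _FIELD.findall(report)}
    if "BCCode" not in fields:
        raise ValueError("no BCCode line found; paste looks truncated")
    code = fields["BCCode"]
    return {"code": code,
            "name": BUGCHECK_NAMES.get(code, f"UNKNOWN_0x{code:X}"),
            "params": [fields.get(f"BCP{i}", 0) for i in range(1, 5)]}

def explain_0x77(params: list) -> str:
    """Decode KERNEL_STACK_INPAGE_ERROR parameters per the MS reference.
    BCP1 in {0,1,2}: page read back (1 = from disk) but the kernel-stack
    signature did not match (BCP2 = value found, BCP4 = stack address).
    Other BCP1: NTSTATUS from paging I/O (BCP2 = I/O status,
    BCP3 = page file number, BCP4 = offset into the page file)."""
    p1, p2, p3, p4 = params
    if p1 in (0, 1, 2):
        return (f"kernel stack signature mismatch (BCP1={p1}): found "
                f"0x{p2:08X} at stack address 0x{p4:08X}")
    return (f"paging I/O failed: status 0x{p1:08X}, I/O status 0x{p2:08X}, "
            f"page file {p3}, offset 0x{p4:X}")

def describe(report: str) -> str:
    info = parse_bluescreen(report)
    text = f"Bug check 0x{info['code']:02X} {info['name']}"
    if info["code"] == 0x77:
        text += ": " + explain_0x77(info["params"])
    return text
```

For the report in this thread the decoder reports a kernel-stack signature mismatch on a page read from disk, which points at the paging path (disk, driver or memory) rather than at the scanner itself.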


Shut down the PC. Unfortunately it installed updates; I didn't realise it was set for automatic download. Don't know if this will affect anything.

Tried to boot in all 3 variants of safe mode; it won't boot in any, and always hangs in the same place.

Booted normally and ran Malwarebytes, which got further than usual before hanging. But it still hung.

Thought we were getting somewhere :-)

Mike


Hi,

We need to look at this another way...

FRST

Download the 32 bit version for your system of FRST and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

----------


Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

    Last Boot: 2012-12-22 23:47

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST/FRST64 and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

----------

Are you able to boot back to your system?


Yes, I can boot into Windows successfully.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 22-12-2012

Ran by SYSTEM at 2012-12-23 00:52:37 Run:1

Running from F:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup

DEFAULT hive was successfully restored from registry back up.

SAM hive was successfully copied to System32\config\HiveBackup

SAM hive was successfully restored from registry back up.

SECURITY hive was successfully copied to System32\config\HiveBackup

SECURITY hive was successfully restored from registry back up.

SOFTWARE hive was successfully copied to System32\config\HiveBackup

SOFTWARE hive was successfully restored from registry back up.

SYSTEM hive was successfully copied to System32\config\HiveBackup

SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====


Not exactly.

I have never been able to boot in safe mode (any of the three variants).

I can usually boot normally into Windows.

It is Malwarebytes itself that usually hangs, part way through a scan, except for one occasion when I was able to find three threats, which I unfortunately did not fix before the PC rebooted itself.

This is the situation I was trying to document in my message of the 21st at 11:44.


Ok...

Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware
  • If malware is found, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.

If no malware is found please let me know.

----------
