
  • "D37" started this thread

Date of registration:
Sep 1st 2012

Version:
Avira Internet Security

Operating System:
Windows Vista


1

Saturday, September 1st 2012, 6:29pm

Need help checking if my computer is clean

Hi. My computer recently got infected with the ukash malware which blocked everything on my computer except a popup which asked me to pay 100 $ to unlock my computer. Anyway, I rebooted into safe mode and ran Spybot S&D which found nothing. Opened Avira and ran a complete system scan which found something called EXP/CVE-2012-1723.A.111. I figured that was it and rebooted, however, the popup appeared again.

I logged into another account which thankfully, didn’t suffer from the popup, and downloaded Malwarebytes and ran a full scan from safe mode. It found a number of things, don’t remember the exact number however the quarantine shows Security.Hijack (registry key), Trojan.Phex.THAGen6 (registry value) and Trojan.Phex.THAGen6 (file). I re-ran the scan and nothing showed up. Rebooted and logged into my usual account and everything seemed ok.

Just to be sure I downloaded the online scanner from Eset and ran a full scan which came back almost clean (it detected some android related files of mine as trojans). I figured that was it and continued using my computer normally. The next day however, Avira's realtime protection found: “Virus or unwanted program 'JAVA/Dldr.Kara.X.3 [virus]'”. This was Tuesday morning. I re-scanned with all the aforementioned products but everything came up clean. This morning however I ran both Eset and Malwarebytes. Eset came back clean but Malwarebytes again found: Security.Hijack (Registry Key) in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccleaner. I thought that maybe it’s a registry backup done by CCleaner but just to be sure my computer is clean I want someone to double check. I ran OTL as instructed in a number of posts here. It can be found at http://pastebin.com/MRRZwyUW

Any help is greatly appreciated.
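
Added example, not part of the original post: the Malwarebytes hit above is a key under Image File Execution Options (IFEO). This read-only PowerShell check lists every IFEO subkey that carries a Debugger value, which is the value that makes Windows start another program in place of the named executable; the function name Get-IfeoDebuggerEntry is made up for this example.

```powershell
# Added example (not from the thread): read-only audit of Image File Execution
# Options (IFEO) subkeys that carry a "Debugger" value.
# Get-IfeoDebuggerEntry is a hypothetical helper name chosen for this example.
# On 64-bit Windows, run it from the native (64-bit) PowerShell, elevated.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit registry view; only present on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntry {
    param([string[]]$Root = $IfeoRoots)

    foreach ($path in $Root) {
        # Skip views that do not exist on this system
        if (-not (Test-Path -LiteralPath $path)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue) {
            # RegistryKey.GetValue returns $null when the value does not exist
            $debugger = $key.GetValue('Debugger')
            if ($null -eq $debugger) { continue }

            New-Object PSObject -Property @{
                Image    = $key.PSChildName   # executable name the entry applies to
                Debugger = $debugger          # program Windows starts instead
                Key      = $key.Name          # full registry path, for follow-up
            } | Select-Object Image, Debugger, Key
        }
    }
}

$hits = @(Get-IfeoDebuggerEntry)
if ($hits.Count -eq 0) {
    'No IFEO subkey has a Debugger value.'
} else {
    $hits | Format-List
}
```

A hit is something to review rather than proof of infection: legitimate tools also set this value, for example Process Explorer when it replaces Task Manager.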

avon

Community member

Date of registration:
Apr 15th 2008

Version:
Avira Antivirus Suite

Operating System:
Windows 8.1U Pro 32-bit Windows XP Home SP3 32-bit


2

Saturday, September 1st 2012, 10:40pm

1) Disable Windows "System Restore"

2) Go to Avira's Configuration --> General Settings --> Threat categories --> Select all --> Apply.
http://forum.avira.com/wbb/index.php?pag…495#post1129495

3) Try the Avira Rescue CD
Tutorial for Avira Rescue CD
Note: It is strongly advised to create Avira Rescue CD on a clean PC, not the PC on which you will run it.

4) Enable Windows "System Restore".

This post has been edited 2 times, last edit by "avon" (Sep 1st 2012, 10:53pm)


  • "D37" started this thread


3

Sunday, September 2nd 2012, 9:12pm

Thanks for your reply. I did as instructed. The scan reported 0 infected files but 45 warnings. I took a quick look but nothing seems to be particularly dangerous. The report can be found here: http://pastebin.com/HTUg16pD. The report suggests that my computer is clean but considering Avira failed to find the malware when I first got infected how confident should I be?
Again, thanks for your help. It is much appreciated.

avon


4

Sunday, September 2nd 2012, 10:52pm

Quoted

Thanks for your reply. I did as instructed. The scan reported 0 infected files but 45 warnings. I took a quick look but nothing seems to be particularly dangerous. The report can be found here: http://pastebin.com/HTUg16pD.

Regarding "warnings":
Are the warnings in the scanner reports dangerous?
Warning: The file is password protected

Quoted

The report suggests that my computer is clean but considering Avira failed to find the malware when I first got infected how confident should I be?
Again, thanks for your help. It is much appreciated.

When you got infected, were all "Threat categories" selected or not?
(Configuration --> General Settings --> Threat categories)
-------------

As a second opinion, you can try Hitman Pro
Hitman Pro 3 - Second Opinion Malware Scanner
------------
A similar case to yours:

Quoted

....Recently I was infected with metropolitan police virus {ukash}
at that I found you guys and by using your software I managed to delete all the Trojans
but recently I found that while I am scanning MWB I found a trojan present in registry key
I used to delete it at that the system reboots but it appears again....
http://forums.malwarebytes.org/index.php…sh&fromsearch=1

-------------

Regarding OTL results, I'm not an OTL expert. :(

This post has been edited 2 times, last edit by "avon" (Sep 2nd 2012, 11:15pm)


  • "D37" started this thread


5

Monday, September 3rd 2012, 6:49pm

Yes all threat categories were selected and AHeAD on both system scanner and realtime protection was set to high detection level before I got infected. Anyway I ran hitman pro as you suggested and it came back clean. Considering that all recent scans show that my computer is clean it probably means that it is. Thank you for your help. It was greatly appreciated.

avon


6

Monday, September 3rd 2012, 10:16pm

Quoted

.....
Considering that all recent scans show that my computer is clean it probably means that it is.
...

I suppose so.

Thanks for the feedback. :thumbup:

Date of registration:
Dec 5th 2012

Version:
Avira Antivirus Premium

Operating System:
Windows XP, Windows 7


7

Wednesday, December 5th 2012, 1:10pm

A friend of mine was infected with the UKASH police virus, Metropolitan Police Ukash Virus/ransomware. There are many versions of this virus/malware it seems. I downloaded the Avira recovery CD and it did remove the virus. It allowed me to access the system again - the system had been locked by the virus. However after accessing the system I didn't clean the system with SpyBot S&D or CCleaner etc. Then after about 3-4 days of using the system the virus was reactivated. This was despite the Avira scan saying the system was clean. I ran the recovery disk again, and this time it did not detect the virus at all. I ran the Kaspersky recovery disk which did detect a single virus but I was still unable to access the system. I was able to run the computer in safe mode and was able to run explorer from the command line by typing "explorer" and then restore to a previous restore point. This allowed me to access the system, install Spybot S&D and re-install a virus killer (this time AVG). I also installed CCleaner. I basically scanned and cleaned up the whole system using these tools. AVG did find another couple of suspicious files, including some associated with the startup. The system now seems to be running fine. One of the problems my friend's system may have had was he had not installed the latest Windows Malicious Software Removal tool, or the SP1 for Windows 7.
The moral of this story is that the UKASH virus is nasty and it seems that recovery disks downloaded and updated (as of 05/12/12) do not remove this virus.

avon


8

Friday, December 14th 2012, 8:21pm

Quoted

A friend of mine was infected with the UKASH police virus, Metropolitan Police Ukash Virus/ransomware.
....
The moral of this story is that the UKASH virus is nasty and it seems that recovery disks downloaded and updated (as of 05/12/12) do not remove this virus.

----->

Quoted

HitmanPro.Kickstart Introduction

HitmanPro.Kickstart is the solution against police ransomware and other persistent malware that has taken your computer hostage or prevents normal computer use....
http://www.surfright.nl/en/kickstart

HitmanPro.Kickstart FAQ:
http://dl.surfright.nl/Kickstart-FAQ.pdf