How-To Geek
Fix the Fake UPS Tracking Number Virus Rebooting Your Machine
If you or somebody you know was recently infected because they were tricked into opening a fake shipping label in an email, there’s a quick and easy way to get rid of it. At least, these are the steps that worked on our test machine.
The email would have come in with an attachment named something like UPS_invoice_NR34073.zip, with the following text:
Dear customer!
The courier company was not able to deliver your parcel by your address. Cause: Error in shipping address. You may pickup the parcel at our post office personaly! Please attention! The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.
Naturally, this is a virus that causes your machine to repeatedly reboot itself.

Luckily, there’s a quick and easy fix.
Fixing the Fake UPS Tracking Number Virus
When your PC reboots again, hit the F8 key right before Windows starts so you can access the boot options, and then choose Safe Mode.

Once it starts up into Safe Mode, open the Run box and type in shell:startup to get straight to the startup folder, and then delete the file named raryp32.exe from the folder.

You should now be able to reboot your machine and get back into your system. Make sure to run a full virus scan once you are back in! If you don’t have an anti-virus application, we recommend the free Microsoft Security Essentials.
Note: These are the steps that worked for us on a test machine here at the office. Viruses change over time, so the same steps may not work for you.
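The check below is an added example, not part of the original article: a PowerShell function that lists every file in both the per-user and all-users Startup folders with its creation time and SHA-256 hash, and flags the file name from the steps above. `Get-StartupAudit` and its `-QuarantineDir` parameter are hypothetical names, and the code assumes Windows PowerShell 4.0 or later.

```powershell
# Added example (not from the article). Assumes Windows PowerShell 4.0 or later.
function Get-StartupAudit {
    param(
        [string]$SuspectName = 'raryp32.exe',  # file name reported in the article
        [string]$QuarantineDir                 # hypothetical option: move matches here
    )

    # shell:startup opens only the per-user folder; also check the all-users one.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    foreach ($folder in $folders) {
        # -Force includes hidden and system files, which Explorer may not show.
        foreach ($file in Get-ChildItem -LiteralPath $folder -File -Force) {
            $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $isSuspect = $file.Name -ieq $SuspectName
            $finalPath = $file.FullName

            if ($isSuspect -and $QuarantineDir) {
                # Move instead of delete so the sample can still be scanned later;
                # the added extension keeps it from being run by a double-click.
                New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
                $finalPath = Join-Path $QuarantineDir ($file.Name + '.quarantine')
                Move-Item -LiteralPath $file.FullName -Destination $finalPath -Force
            }

            [pscustomobject]@{
                Suspect  = $isSuspect
                Name     = $file.Name
                Folder   = $folder
                Created  = $file.CreationTime
                SHA256   = $hash.Hash
                Location = $finalPath
            }
        }
    }
}

# List everything, newest first; add -QuarantineDir 'C:\Quarantine' to move a match.
Get-StartupAudit | Sort-Object Created -Descending | Format-Table -AutoSize
```

An unfamiliar executable with a creation time close to when the attachment was opened is worth scanning even if its name differs from the one in the article.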
Comments (33)
Programmer by day, geek by night, The Geek, also known as Lowell Heddings, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on Google+ if you'd like.
- Published 01/18/10




It’s beyond me why someone would consider opening a shipping label attachment that’s in a .ZIP file!
Even more staggering that people will believe an e-mail full of spelling and grammar errors actually came from UPS.
@krhainos
Yeah, I think a lot of people don’t read the email, and just open the attachment. Had two people at work get infected with this thing in a day.
I got the same email but it was supposedly from FedEx from some warehouse in Nigeria .. like yeah ok .. snuffaluffagus .. lol
@D, krhainos,smac:
Yep, you would be surprised what types of email scams people fall for. You would think since it’s 2010 that people would be more aware of what we know are obvious attempts at fraud… but like The Geek said.. two people clicked on it. In a busy work environment.. they don’t read the email… they just see UPS and an icon and click on it or open the attachment in this case.
With the destruction that took place in Haiti last week, I am just waiting to hear about the amount of email scams that will be taking place.
If I get an email like that, I don’t even bother to open the attachment. Instead I just delete the email.
However, to your average computer user, this would seem like a word doc (the icon), even though most email clients show the file extension.
Scam emails usually have spelling or grammar mistakes too. For example the one in this article contained “please attention!”, which makes no sense at all. Also “personally” was spelt wrong.
I would never have opened it up in the first place, but Nod 32 detected it and cleaned it up all nicely for me :)
As was mentioned earlier, it was full of spelling and grammar errors. That’s one of the reasons I was suspicious of it.. besides it being to an email address that I use purely for a web business. But what gets me is why do folks send these things out to people that they don’t know, have never met and also they wouldn’t be around to see the results of their malicious pranks.. They’re totally nuts!!
The only times those crazy emails show up with improper numbers is when I am waiting for some deliveries. Interesting coincidence ???
The spelling and grammar mistakes in virus/spam messages tend to go unnoticed because the hoi polloi are themselves illiterate these days. Have you seen the comments people leave on YouTube, or the texts that kids send? Poor English; it was barely a language to start with.
I have suffered this problem on home computer last night, but can not even open computer in safe mode even using the F8 procedure, please can anyone help ?????
I too got this e-mail this morning and like Brenda I was tempted in the same way. Here in the UK we very rarely get parcels from UPS so I deleted it.
If you are using a USB keyboard and can’t seem to press F8 to get to the boot menu, you may have to enable USB legacy mode in BIOS. Either that or you aren’t spamming the F8 key at the right time. :)
The spelling and grammar flags don’t really apply, because EVERYONE has virtual assistants these days who can’t spell, speak, or compose English that well. 90% of customer service departments I deal with have representatives from somewhere in Asia. I fell for it because I am actually missing some recent packages from UPS and I got excited when I read the email!
Well, I can’t believe I fell for this, but here it is. I tried this solution, but I didn’t find any unusual files in the startup folder (of both the user who ran the zip nor the admin account). Maybe there is a newer version now? If you are willing to test it, I can email it to you. Thank you in advance for any help!
Update: I successfully ran AVG Anti-Virus and it found a virus called FakeAlert. It says it removed it and put it in the Virus Vault. Is there a reason to keep it? Or should I delete it from the vault?
Also, my last virus scan before this attack was about 12 hours earlier and it was clean. So, I’m feeling fairly confident this was the problem. However, in my newfound virus paranoia, are there some other scans/software you would recommend?
Thank you again for any help!
Hmmm, I’m very good with these things but it’s caught me, although no sign of it yet. Annoying thing is the Yahoo mail virus scanner failed to detect it too.
I cannot get the start button to respond so this isn’t working for me. Any suggestions?
AVG is one of the best you can get. If you’re not sure it worked, check for a definition update. They tend to have updates every few days, as they keep trying to keep up with the malware engineers.
However, with a virus this simple and this old, it probably worked.
I had just received an email similar to this one, but this time the file was UPS_invoice_3532. I was suspicious of it, so I tried scanning it with McAfee. Scan’s clean. So I open it, the file that was on my desktop disappears. I open up Task Manager looking to see if it had opened up and if I can find the image name, but nothing suspicious. I am thinking that this virus is now invisible. How can I remove this virus?
I just got the UPS email and STUPIDLY I opened the file. Why??? Because I’m actually expecting a UPS package today of all days! I still can’t believe I double clicked it, and soon as I did, I knew I had done myself wrong.
Now I’m trying to find out how to clean this up! I can’t believe how stupid I am today!!! ARG!!!!
————-
Dear customer!
Unfortunately we were not able to deliver the postal package you have sent on the 27th of March in time because the recipient’s address is erroneous.
Please print out the invoice copy attached and collect the package at our office.
United Parcel Service of America.
——=_NextPart_000_0006_01CAEBD1.2C8F9520
Content-Type: application/zip;
name=”UPS_invoice_7978.zip”
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=”UPS_invoice_7978.zip
I booted in safe-mode, did a search for:
*UPS_invoice*
and my computer found nothing. I’m pretty sure I got it, because stupidly, I double clicked the ZIP file, then double clicked the fake word file and of course it did not open. Anyone know how to clean this up?
Thanks.
I have my computer in safe mode and I followed the instructions, but I couldn’t find the file raryp32.exe. Can someone help me? Thanks in advance.
I did so too. I was actually awaiting an OVERDUE shipment from UPS. No Brainer right? No computer. There were only 2 files in my startup directory and neither was “raype32”. Any other suggestions?
Thanks
Chris
Would ‘restore’ correct the problem?
Boot in safe mode f8
install and run CCleaner
install and run free Malwarebytes
install and run ComboFix
this always works, however it can take up to 2 hrs on badly infected machines
Friend got this yesterday, takes forever to open in safe mode then begins running the scam info wanting him to pay $90 for program to remove……won’t allow him to open run or anything….help and thank you!!!
What all of these folks fail to realize is, if you ordered something from an internet client, and you are told it is being sent thru FedEx or UPS, they tell you to click the tracking # to see when item is shipped, and to follow its progress.
This is how I got zapped, and I still can’t get the (show desktop) to open so I can change from hide icons to show icons. It simply will not display this icon when I rite click the desktop.
Ok, so I misspelled the word right; point is, it happens, and the (show icon) window will not open, no matter what I have tried.
Nope, I’m quite computer literate, and have never fallen foul of a dodgy email.
I got suckered into it as I was expecting some deliveries. There were no spelling errors and it looked official.
I quote “it’s beyond me why someone would consider opening a shipping label attachment that’s in a .ZIP file!”
Don’t be a smart ass, people do, I did, we get bombarded with so many junk emails these days it’s easy to get caught out on occasion.
Good point Guy…
So do we have a final remedy for this? I got hit hard and it states no access to my hard drive.
Holy crap!!! I’m doing a system recovery now. Does this email virus work on Apple/Mac PC?