How-To Geek

Fix the Fake UPS Tracking Number Virus Rebooting Your Machine

If you or somebody you know was recently infected because they were tricked into opening a fake shipping label in an email, there’s a quick and easy way to get rid of it. At least, these are the steps that worked on our test machine.

The email would have come in with an attachment named something like UPS_invoice_NR34073.zip, with the following text:

Dear customer!

The courier company was not able to deliver your parcel by your address. Cause: Error in shipping address. You may pickup the parcel at our post office personaly! Please attention! The shipping label is attached to this e-mail.

Please print this label to get this package at our post office.

Naturally, this is a virus that causes your machine to repeatedly reboot itself.

Luckily, there’s a quick and easy fix.

Fixing the Fake UPS Tracking Number Virus

When your PC reboots again, hit the F8 key right before Windows starts so you can access the boot options, and then choose Safe Mode.

Once it starts up into Safe Mode, open the Run box and type in shell:startup to get straight to the startup folder, and then delete the file named raryp32.exe from the folder.

You should now be able to reboot your machine and get back into your system. Make sure to run a full virus scan at this point! If you don’t have an anti-virus application, we recommend the free Microsoft Security Essentials.

Note: These are the steps that worked for us on a test machine here at the office. Viruses change over time, so the same steps may not work for you.
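Because the file name can change between variants, it helps to review everything that sits in the Startup folders rather than look for one name. The following PowerShell script is an added example, not part of the original article: it lists the files in the per-user and all-users Startup folders with creation time, signature status and hash, and flags raryp32.exe or any executable placed there directly. It assumes PowerShell 4.0 or later, and the extension list is an illustrative choice; it only reports and deletes nothing.

```powershell
# Added example: report what launches from the Startup folders at logon.
# The file name raryp32.exe comes from the article; the rest is generic.
$knownBad = 'raryp32.exe'

# shell:startup is the per-user folder; CommonStartup applies to all users.
$folders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Assumption: legitimate Startup entries are normally .lnk shortcuts, so
# executables and scripts dropped here directly deserve a closer look.
$riskyExt = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js'

$report = foreach ($folder in $folders) {
    # -Force includes hidden files, which Explorer may not show.
    Get-ChildItem -LiteralPath $folder -File -Force | ForEach-Object {
        $flag = ''
        if ($_.Name -ieq $knownBad) {
            $flag = 'named in article'
        }
        elseif ($riskyExt -contains $_.Extension.ToLower()) {
            $flag = 'executable in Startup'
        }

        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256

        [pscustomobject]@{
            Name      = $_.Name
            Folder    = $folder
            Created   = $_.CreationTime
            Signature = $sig.Status
            SHA256    = $hash.Hash
            Flag      = $flag
        }
    }
}

# Newest files first: a recent infection shows up at the top.
$report | Sort-Object Created -Descending | Format-List
```

Run it from Safe Mode under the account that opened the attachment, and again from an administrator account, since the per-user folder differs for each.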

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on if you'd like.

  • Published 01/18/10

Comments (33)

  1. D

    it’s beyond me why someone would consider opening a shipping label attachment that’s in a .ZIP file!

  2. krhainos

    Even more staggering that people will believe an e-mail full of spelling and grammar errors actually came from UPS.

  3. The Geek

    @krhainos

    Yeah, I think a lot of people don’t read the email, and just open the attachment. Had two people at work get infected with this thing in a day.

  4. smac

    I got the same email but it was supposedly from fedex from some warehouse in nigeria .. like yeah ok .. snuffaluffagus .. lol

  5. Mysticgeek

    @D, krhainos,smac:

    Yep, you would be surprised what types of email scams people fall for. You would think since it’s 2010 that people would be more aware of what we know are obvious attempts at fraud… but like The Geek said.. two people clicked on it. In a busy work environment.. they don’t read the email… they just see UPS and an icon and click on it or open the attachment in this case.

    With the destruction that took place in Haiti last week, I am just waiting to hear about the amount of email scams that will be taking place.

  6. Realitizer

    If I get an email like that, I don’t even bother to open the attachment. Instead I just delete the email.

    However to your average computer user, this would seem like a word doc(the icon), even though most email clients show the file extension.

    Scam emails usually have spelling or grammar mistakes too. For example the one in this article contained “please attention!”, which makes no sense at all. Also “personally” was spelt wrong.

  7. Ricci

    I would never have opened it up in the first place, but Nod 32 detected it and cleaned it up all nicely for me :)

  8. Inquisitor

    As was mentioned earlier, it was full of spelling and grammar errors. That’s one of the reasons I was suspicious of it.. besides it being to an email address that I use purely for a web business. But what gets me is why do folks send these things out to people that they don’t know, have never met and also they wouldn’t be around to see the results of their malicious pranks.. They’re totally nuts!!

  9. Brenda

    the only times those crazy emails show up with improper numbers is when i am waiting for some deliveries. Interesting coincidence ???

  10. Alec S.

    The spelling and grammar mistakes in virus/spam messages tend to go unnoticed because the hoi polloi are themselves illiterate these days. Have you seen the comments people leave on YouTube, or the texts that kids send? Poor English; it was barely a language to start with.

  11. paul

    i have suffered this problem on home computer last night,but can not even open computer in safe mode even using the f8 procedure, please can anyone help ?????

  12. dogbone

    I too got this e-mail this morning and like Brenda I was tempted in the same way. Here in the UK we very rarely get parcels from UPS so I deleted it.

  13. ZB

    If you are using a USB keyboard and can’t seem to press F8 to get to the boot menu, you may have to enable USB legacy mode in BIOS. Either that or you aren’t spamming the F8 key at the right time. :)

  14. david

    the spelling and grammar flags don’t really apply, because EVERYONE has virtual assistants these days who can’t spell, speak, or compose english that well. 90% of customer service departments I deal with have representatives from somewhere in asia. I fell for it because I am actually missing some recent packages from UPS and I got excited when I read the email!

  15. Scared

    Well, I can’t believe I fell for this, but here it is. I tried this solution, but I didn’t find any unusual files in the startup folder (of both the user who ran the zip nor the admin account). Maybe there is a newer version now? If you are willing to test it, I can email it to you. Thank you in advance for any help!

  16. Scared

    Update: I successfully ran AVG Anti-Virus and it found a virus called FakeAlert. It says it removed it and put it in the Virus Vault. Is there a reason to keep it? Or should I delete it from the vault?

    Also, my last virus scan before this attack was about 12 hours earlier and it was clean. So, I’m feeling fairly confident this was the problem. However, in my newfound virus paranoia, are there some other scans/software you would recommend?

    Thank you again for any help!

  17. Paul

    Hmmm I’m very good with these things but it’s caught me although no sign of it yet. Annoying thing is the Yahoo mail virus scanner failed to detect it too.

  18. ann

    I cannot get the start button to respond so this isn’t working for me. Any suggestions?

  19. Xenophon Garcia

    AVG is one of the best you can get. If you’re not sure it worked, check for a definition update. They tend to have updates every few days, as they keep trying to keep up with the malware engineers.

    However, with a virus this simple and this old, it probably worked.

  20. Alex

    I had just received an email similar to this one but this time the file was UPS_invoice_3532. I was suspicious of it, so I tried scanning it with McAfee. Scan’s clean. So I open it, the file that was on my desktop disappears. I open up Task Manager looking to see if it had opened up and if I can find the image name, but nothing suspicious. I am thinking that this virus is now invisible. How can I remove this virus?

  21. Nowhere Man

    I just got the UPS Email and STUPIDLY I opened the file. Why??? because i’m actually expecting a UPS package today of all days! I still can’t believe I double clicked it and soon as i did, I knew I had done myself wrong.

    Now I’m trying to find out how to clean this up! I can’t believe how stupid I am today!!! ARG!!!!

    ————-
    Dear customer!

    Unfortunately we were not able to deliver the postal package you have sent on the 27th of March in time because the recipient’s address is erroneous.
    Please print out the invoice copy attached and collect the package at our office.

    United Parcel Service of America.

    ——=_NextPart_000_0006_01CAEBD1.2C8F9520
    Content-Type: application/zip;
    name=”UPS_invoice_7978.zip”
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename=”UPS_invoice_7978.zip

  22. Nowhere Man

    I booted in safe-mode, did a search for:

    *UPS_invoice*

    and my computer found nothing. I’m pretty sure I got it, because stupidly, I double clicked the ZIP file, then double clicked the fake word file and of course it did not open. Anyone know how to clean this up?

    Thanks.

  23. walter

    i have my computer in safe mode and i followed the instructions but i couldn’t find the file
    raryp32.exe can someone help me, thanks in advance

  24. Chris

    I did so too. I was actually awaiting an OVERDUE shipment from UPS. No Brainer right? No computer. There were only 2 files in my startup directory and neither was “raype32″. Any other suggestions?

    Thanks
    Chris

  25. dee

    Would ‘restore’ correct the problem?

  26. IT Geek

    Boot in safe mode f8

    install and run ccleaner

    install and run free malware bytes

    install and run combofix

    this always works however can take upto 2 hrs on badly infected machines

  27. Shari

    Friend got this yesterday takes forever to open in safe mode then begins running the scam info wanting him to pay $90 for program to remove……won’t allow him to open run or anything….help and thankyou!!!

  28. Tim

    What all of these folks fail to realize is, If you ordered something from an internet cliant, and you are told it is being sent thru Fedx or UPS, they tell you to click the tracking # to see when Item is shipped,and to follow it’s progress,
    This is how i got zapped, and i still can,t get the (show desktop ) to open so i can change from hide icons to show icons, It simply will not display this icon when i rite click the desk top,

  29. Tim

    Ok so i missed spelled the word right, point is, it happens, and the (show icon ) window will not open, no matter what i have tried

  30. Guy

    Nope, I’m quite computer literate, and have never fallen foul of a dodgy email.
    I got suckered into it as I was expecting some deliveries. There were no spelling errors and it looked official.
    I quote “it’s beyond me why someone would consider opening a shipping label attachment that’s in a .ZIP file!”
    Don’t be a smart ass, people do, I did, we get bombarded with so many junk emails these days it’s easy to get caught out on occasion.

  31. Denis

    Good point Guy…

  32. charlie

    So do we have a final remedy for this ? i got hit hard and it states no access to my hard drive.

  33. Gullible

    Holy crap!!! I’m doing a system recovery now. Does this email virus work on apple/Mac pc ?
