Friday, May 18, 2012 3:17 PM
Hello, I am running Windows 7 (64bit) on a Dell XPS.
It has been hit by the UKASH Virus. This virus is so advanced that even when I boot in Safe Mode (with networking) the virus is still active.
I have even booted from my OEM Windows 7 (64bit) CD and tried to recover the system files from the OEM CD. The recovery fails :-( Somehow the virus prevents the Microsoft Recovery from writing operating system files back. I think it changes permissions on files so that they can't be overwritten.
Here is exactly what I see.
1. If I boot normally everything looks normal and the Windows 7 login screen comes up. After I login my desktop is replaced with a banner telling me that they are reporting me to the RCMP and have locked down the PC .... It will be unlocked if I pay them ransom money. Can we call this "ransomware"??? :0
2. I now boot into Safe Mode with Networking. After I login my desktop comes up with the same banner. Uggggg .. Safe mode is no longer safe.
When I try to bring up the task manager (so that I can terminate the virus process so that I can get to work on removing the thing) on 1 or 2, an error comes up telling me that I do not have access. The virus removed my access. I have seen this with other viruses before so I will give this virus a -1 for copying from others.
At this point I don't want to reformat the disk and re-install from scratch so I wanted to ask Microsoft if they have a solution. I hear that this virus is going viral in Canada. BTW my system was patched with all the most recent MS Security Patches ... even on the day it happened (May 16).
I suspect that I am going to have to attack the thing from a DOS prompt which is a pain. I am hoping to video the solution and put it up on YouTube for others. Note: the current solutions on YouTube are booting into safe mode ... but that does not work anymore ... virus modified.
Thank You, Rob
- Edited by Rob_00001 Tuesday, May 22, 2012 3:35 PM
Saturday, May 19, 2012 7:32 AM
Use a working machine to download Windows Defender Offline. Download the appropriate 32-bit or 64-bit version here http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline?SignedIn=1&SignedIn=1 and burn a CD. Boot from the CD and run a full scan.
- Marked As Answer by Rob_00001 Tuesday, May 22, 2012 3:36 PM
Tuesday, May 22, 2012 8:52 AM (Moderator)
Please refer to the advice suggested by BurrWalnut.
For information about Security updates, visit the Microsoft Virus Solution and Security Center for resources and tools to keep your PC safe and healthy. If you are having issues with installing the update itself, visit Support for Microsoft Update for resources and tools to keep your PC updated with the latest updates.
TechNet Community Support
- Edited by Juke Chou (Microsoft Contingent Staff, Moderator) Tuesday, May 22, 2012 8:54 AM
Tuesday, May 22, 2012 11:18 AM
Download and run the technician version of superantispyware (http://www.superantispyware.com/portablescannertech.html), run it in safe mode (NO networking) and let us know the results.
Tuesday, May 22, 2012 3:27 PM
I would like to thank everyone for responding!!! It is very appreciated.
I followed BurrWalnut's advice and created a bootable USB with Defender on it. Kudos here. This was very easy to do. I booted from the USB.
After booting the Defender menu came up and I think it already started the scan on its own. Very nice. It did find the UKash virus and removed what it could.
I then thought I would give it a try and I booted the system up into full Windows mode. The system came up and I was now able to log in to Windows without my desktop being locked to the ransomware screen. However, I was still unable to access Task Manager as admin. I then rebooted in "Safe Mode With Networking" and ran regedit. I then removed all traces of the virus that I could find. I may have removed more than I should have as it was not always obvious to me what was virus and what was not.
I then rebooted the entire system and logged in. I now seem to have all of my admin privileges again and everything seems fine. All my files are there.
Then my system ran about 40 Microsoft patches (probably because I tried to recover to an earlier instance at some point in time).
I still don't completely trust the system and will go over it again just to make sure.
I will make another post when I do this.
Thank You, Robert
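The post above describes two things a screen-locker leaves behind even after the scanner has removed the main binary: Task Manager still refused to open, and leftover registry entries had to be hunted down by hand in regedit. The following PowerShell script is an added example, not code from this thread or from any of the tools mentioned in it. It audits the registry locations that a Windows 7 logon-time locker most commonly abuses and the policy values that produce the "Task Manager has been disabled by your administrator" message. Which keys a particular sample actually modifies is sample-specific and is an assumption here, so the script is read-only unless you pass -Fix; run it from an elevated PowerShell prompt (type powershell at the Safe Mode with Command Prompt window) and review each flagged entry before removing it.

```powershell
# Added example (not from the thread): audit the lockout policies and
# autostart locations a Windows 7 screen-locker commonly abuses.
# Assumption: these are the usual suspects, not a signature for any one
# sample. Read-only by default; -Fix removes/restores the items in steps 1-2.
param([switch]$Fix)

$hives = @('HKLM', 'HKCU')

# 1. Task Manager / Registry Editor lockout policies. A value of 1 here is
#    what yields "Task Manager has been disabled by your administrator".
foreach ($h in $hives) {
    $pol = "${h}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path $pol)) { continue }
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $v = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) {
            Write-Warning "$pol\$name = 1 (lockout policy set)"
            if ($Fix) { Remove-ItemProperty -Path $pol -Name $name; "  removed $name" }
        }
    }
}

# 2. Winlogon Shell / Userinit: anything other than the stock values runs at
#    logon instead of (or before) the desktop, which is how a locker replaces
#    the desktop with its banner. Stock Win7 values assumed below.
$wl = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}
foreach ($name in $expected.Keys) {
    $cur = (Get-ItemProperty -Path $wl).$name
    if ($cur -ne $expected[$name]) {          # -ne is case-insensitive
        Write-Warning "$wl\$name = '$cur' (expected '$($expected[$name])')"
        if ($Fix) { Set-ItemProperty -Path $wl -Name $name -Value $expected[$name] }
    }
}
# A per-user Shell override is normally absent and takes precedence over HKLM.
$cuWl = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cuShell = (Get-ItemProperty -Path $cuWl -ErrorAction SilentlyContinue).Shell
if ($cuShell) { Write-Warning "$cuWl\Shell = '$cuShell' (should not exist)" }

# 3. Every Run/RunOnce entry, flagged when its target lives under a
#    user-writable location or no longer exists (scanner removed the file
#    but left the autostart value behind).
foreach ($h in $hives) {
    foreach ($k in 'Run', 'RunOnce') {
        $path = "${h}:\Software\Microsoft\Windows\CurrentVersion\$k"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            # Best-effort extraction of the executable path from the command line.
            $exe = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $suspect = (-not (Test-Path -LiteralPath $exe)) -or
                       ($exe -match 'AppData|ProgramData|\\Temp\\|\\Users\\Public')
            $flag = if ($suspect) { '   <-- review' } else { '' }
            "{0}\{1} = {2}{3}" -f $path, $name, $cmd, $flag
        }
    }
}

# 4. Startup folders (per-user and all-users); anything here runs at logon too.
$startup = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
Get-ChildItem -Path $startup -ErrorAction SilentlyContinue |
    ForEach-Object { "Startup: $($_.FullName)" }
```

The HKCU checks only cover the profile you are logged on as; if the locker was installed under another account, log on as that user (or load its NTUSER.DAT hive) and run the audit again. Removing an autostart value does not delete the file it pointed to, so still run the offline scanner afterwards as the earlier replies recommend.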
Saturday, August 04, 2012 6:03 AM
Don't bother with all the geeky stuff, start computer in safe mode with networking (keep hitting F8 when you switch on) screen looks odd with big icons but carry on, download Malwarebytes the freeware version and do a full scan, this could take a couple of hours. It got rid of this horrible virus off my machine and cost nothing. :-) Happy cleaning Cumpygrunt
Monday, August 13, 2012 5:21 PM
Just using the Malwarebytes resolution now.... seems to be working. Bit concerned that my anti-virus package didn't stop it if it's a well known bug.
Monday, August 13, 2012 5:47 PM
Yep, the Malwarebytes solution worked :)
Thursday, August 16, 2012 9:22 PM
Don't bother with all the geeky stuff, start computer in safe mode (keep hitting F8 when you switch on) screen looks odd with big icons but carry on, go to computer repair and just do a System Restore!!!
worked for me :-)
Thursday, September 06, 2012 9:43 PM
My problem is I can not even get to safe mode. I am totally locked out of my laptop. I tried to boot with a bootable disk with AVG; it ran and said it cleaned up my system but it did not. At the moment I have the hard drive out and have connected it as an external drive to my PC and am using the PC's Malwarebytes to clean it up. Hopefully it will work.
Friday, September 14, 2012 1:07 AM
I am in the middle of trying to remove this virus right now. At first I couldn't get past the warning screen (safe mode didn't work for me either), I couldn't even get Task Manager up & running. But I found that if you hit Ctrl+Alt+Delete immediately after logging in you can get Task Manager up.
Thursday, September 20, 2012 1:40 PM
Hello Rob, these types of malware attacks are difficult to keep up with because they trick you into letting them install. They usually come from an infected web site, and usually through an advertisement. You get a pop-up from the infection and you click it to close the pop-up - which allows the infection to install. They can also be delivered in a "drive-by" fashion with no action needed by the user due to the system being unpatched, no matter what security software is running.
When you encounter one of these fake virus pop-ups while browsing, immediately do the following:
-Do not touch any browser window to close it or browse further.
-Use the key combination <ALT>+<F4> to close all running programs, especially the web browser.
-Immediately press Ctrl-Alt-Del and bring up Task Manager and forcibly end all instances of iexplore.exe, if using Internet Explorer, or the executable for your browser for any other web browser.
-Go to Start/Shut Down and restart the PC without touching any browser windows.
-If you used task manager to close browser instances, reboot the machine.
-Then go to Control Panel/Internet Options and delete all temporary Internet Files and cookies. If you are using an alternate web browser, open the browser settings to do the same - delete the local cached files and cookies.
-Perform a full scan with MSE.
The above steps should prevent the infection from taking hold.
Start here - https://support.microsoftsecurityessentials.com/
and select the link that says - I think my computer is infected. Options will vary by region, but phone support leads you to Microsoft Answer Desk (http://www.answerdesk.com/) in the US at this time. After an initial free consultation, a fee will be charged for assistance, based on the details of the case.
This web site - http://www.2-remove-virus.com - contains details for many of these common infections, often immediately after they began to appear in the wild, and instructions are provided for how to remove the infections using their malware removal guides.
You may wish to download (on an uninfected PC) one or more of the following rescue scanners to create bootable media to scan the infected PC (list courtesy of forum members GreginMich, Stephen Boots):
Monday, October 01, 2012 4:18 AM
Hey guys, I've been hit by the Ukash virus and I'm completely locked out. I tried using Windows Defender but no luck. It detects 14 bugs but when I try to delete them the program cannot find them. Any advice?
Sunday, October 14, 2012 12:38 PM
I don't know if this will work for you but it worked for me.
I kept hitting the Windows key on the keyboard, bringing up the taskbar for a very short time, and launching programs (a ton of them) via the quick launcher, or the Start menu (opens automatically with the Windows key).
Then, when I have a LOT of windows open, I do Ctrl+Alt+Delete and I choose "close session" (log off).
Because it should take some time before closing everything, Windows 7 will ask you if you want to close all the remaining programs or cancel closing the session. Wait till the Ukash window in the background is closed, and then rush to press "cancel".
Now you should have the session open without Ukash, and you can download SpyHunter/Malwarebytes to remove Ukash permanently...
- Edited by coyotte508 Sunday, October 14, 2012 12:39 PM
Wednesday, October 24, 2012 5:47 PM
I hit F8 before the PC started. When I had the main screen with all my icons, I went to Programs + Accessories + System Tools + System Restore and restored to an earlier date. To my surprise, it solved the problem.
Saturday, March 09, 2013 3:40 PM
This ransomware has evolved to get worse these days. The new version locks you out of safe mode also. My way of solving this issue is by following these steps:
1. Download the superantispyware setup file and put it on a flash disk.
2. Boot your PC to safe mode with command prompt.
3. In the command prompt open the flash disk letter (E: or something).
4. Type superantispyware.exe and hit enter.
5. Install the program and when it opens select critical point scan and then scan your computer.
It will find and quarantine the Ukash virus. Now restart in normal mode and update superantispyware. Scan your PC with a complete scan.
Hopefully you are ok now.