Hit by UKASH Virus - Completely Locked Down

    Question

  • Hello, I am running Windows 7 (64bit) on a Dell XPS.

    It has been hit by the UKASH Virus.  This virus is so advanced that even when I boot in Safe Mode (with networking) the virus is still active.

    I have even booted from my OEM Windows 7 (64bit) CD and tried to recover the system files from the OEM CD.  The recovery fails :-(  Somehow the Virus prevents the Microsoft Recovery from writing operating system files back.  I think it changes permissions on files so that they can't be overwritten.

    Here is exactly what I see.

    1.  If I boot normally everything looks normal and the Windows 7 login screen comes up.  After I login my desktop is replaced with a banner telling me that they are reporting me to the RCMP and have locked down the pc ....  It will be unlocked if I pay them ransom money.  Can we call this "ransomware"??? :0 

    2.  I now boot into Safe Mode with Networking.  After I login my desktop comes up with the same banner.  Uggggg  ..  Safe mode is no longer safe.

    When I try to bring up the task manager (so that I can terminate the virus process so that I can get to work on removing the thing) on 1 or 2,  an error comes up telling me that I do not have access.  The virus removed my access.  I have seen this with other viruses before so I will give this virus a -1 for copying from others.

    At this point I don't want to reformat the disk and re-install from scratch so I wanted to ask Microsoft if they have a solution.  I hear that this virus is going viral in Canada.  BTW my system was patched with all the most recent MS Security Patches .. Even on the day it happened (May 16).

    I suspect that I am going to have to attack the thing from a dos prompt which is a pain.  I am hoping to video the solution and put it up on YouTube for others.  Note: the current solutions on YouTube are booting into safe mode .. but that does not work anymore .. virus modified. 

    Thank You, Rob


    • Edited by Rob_00001 Tuesday, May 22, 2012 3:35 PM
    Friday, May 18, 2012 3:17 PM

Answers

All replies

  • Bob

    Use a working machine to download Windows Defender Offline. Download the appropriate 32-bit or 64-bit version here http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline?SignedIn=1&SignedIn=1  and burn a CD. Boot from the CD and run a full scan.

    • Marked as answer by Rob_00001 Tuesday, May 22, 2012 3:36 PM
    Saturday, May 19, 2012 7:32 AM
  • Hi,

    Please refer to the advice suggested by BurrWalnut.

    For information about Security updates, visit the Microsoft Virus Solution and Security Center for resources and tools to keep your PC safe and healthy. If you are having issues with installing the update itself, visit Support for Microsoft Update for resources and tools to keep your PC updated with the latest updates.


    Juke Chou

    TechNet Community Support


    Tuesday, May 22, 2012 8:52 AM
    Moderator
  • Download and run the technician version of superantispyware (http://www.superantispyware.com/portablescannertech.html), run it in safe mode (NO networking) and let us know the results.

    www.pc-support.uk.com

    Tuesday, May 22, 2012 11:18 AM
  • Hello,

    I would like to thank everyone for responding!!!  It is very appreciated. 

    I followed BurrWalnut's advice and created a bootable USB with Defender on it.  Kudos here.  This was very easy to do.  I booted from the USB.

    After booting the Defender menu came up and I think it already started the scan on its own.  Very nice.  It did find the UKash virus and removed what it could.

    I then thought I would give it a try and I booted the system up into full windows mode.  The system came up and I was now able to log in to windows without my desktop being locked to the Ransomware screen.  However, I was still unable to access Task Manager as admin.  I then rebooted in "Safe Mode With Networking" and ran regedit.  I then removed all traces of the virus that I could find.  I may have removed more than I should have as it was not always obvious to me what was virus and what was not.

    I then rebooted the entire system and logged in.  I now seem to have all of my admin privileges again and everything seems fine.  All my files are there.

    Then my system ran about 40 Microsoft patches (probably because I tried to recover to an earlier instance at some point in time).

    I still don't completely trust the system and will go over it again just to make sure.

    I will make another post when I do this.

    Thank You, Robert

    Tuesday, May 22, 2012 3:27 PM
  • Don't bother with all the geeky stuff, start the computer in safe mode with networking (keep hitting F8 when you switch on). The screen looks odd with big icons but carry on, download Malwarebytes (the freeware version) and do a full scan, this could take a couple of hours. It got rid of this horrible virus off my machine and cost nothing. :-) Happy cleaning Cumpygrunt
    Saturday, August 04, 2012 6:03 AM
  • Just using the Malwarebytes resolution now.... seems to be working. Bit concerned that my anti-virus package didn't stop it if it's a well-known bug

    Monday, August 13, 2012 5:21 PM
  • Yep, the Malwarebytes solution worked :)

    Monday, August 13, 2012 5:47 PM
  • Don't bother with all the geeky stuff, start the computer in safe mode (keep hitting F8 when you switch on). The screen looks odd with big icons but carry on, go to computer repair and just do a system restore!!!

    worked for me :-)

    Thursday, August 16, 2012 9:22 PM
  • My problem is I cannot even get to safe mode. I am totally locked out of my laptop. I tried to boot with a bootable disk with AVG; it ran and said it cleaned up my system but it did not. At the moment I have the hard drive out and have connected it as an external drive to my PC and am using the PC's Malwarebytes to clean it up. Hopefully it will work.

    Thursday, September 06, 2012 9:43 PM
  • I am in the middle of trying to remove this virus right now. At first I couldn't get past the warning screen (safe mode didn't work for me either), I couldn't even get Task Manager up and running. But I found that if you hit Ctrl+Alt+Delete immediately after logging in you can get Task Manager up.
    Friday, September 14, 2012 1:07 AM
  • Hello Rob,

    These type of malware attacks are difficult to keep up with because they trick you into letting them install. They usually come from an infected web site, and usually through an advertisement. You get a pop-up from the infection and you click it to close the pop-up - which allows the infection to install.  They can also be delivered in a "drive-by" fashion with no action needed by the user due to the system being unpatched, no matter what security software is running.


    When you encounter one of these fake virus pop-ups while browsing, immediately do the following:

    -Do not touch any browser window to close it or browse further.

    -Use the key combination <ALT>+<F4> to close all running programs, especially the web browser

    --or--

    -Immediately press Ctrl-Alt-Del and bring up Task Manager and forcibly end all instances of iexplore.exe, if using Internet Explorer, or the executable for your browser for any other web browser.
    --or--
    -Go to Start/Shut Down and restart the PC without touching any browser windows.
    -If you used task manager to close browser instances, reboot the machine.
    -Then go to Control Panel/Internet Options and delete all temporary Internet Files and cookies. If you are using an alternate web browser, open the browser settings to do the same - delete the local cached files and cookies.
    -Perform a full scan with MSE.

    The above steps should prevent the infection from taking hold.

    Start here - https://support.microsoftsecurityessentials.com/

    and select the link that says - I think my computer is infected. Options will vary by region, but phone support leads you to Microsoft Answer Desk (http://www.answerdesk.com/) in the US at this time. After an initial free consultation, a fee will be charged for assistance, based on the details of the case.

    This web site - http://www.2-remove-virus.com  -  contains details for many of these common infections, often immediately after they began to appear in the wild, and instructions are provided for how to remove the infections using their malware removal guides.

    You may wish to download (on an uninfected PC) one or more of the following rescue scanners to create bootable media to scan the infected PC (list courtesy of forum member GreginMich, Stephen Boots):

    http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

    http://support.kaspersky.com/viruses/rescuedisk?level=2

    http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/rescue-cd/

    http://www.bitdefender.com/support/How-to-create-a-BitDefender-Rescue-CD-627.html

    http://www.avira.com/en/support-download-avira-antivir-rescue-system

    http://www.avg.com/us-en/avg-rescue-cd-download

    http://www.freedrweb.com/livecd/

    http://www.superantispyware.com/portablescanner.html

    http://support.kaspersky.com/faq/?qid=208283363

    Thursday, September 20, 2012 1:40 PM
  • Hey guys, I've been hit by the Ukash virus and I'm completely locked out. I tried using Windows Defender but no luck. It detects 14 bugs but when I try to delete them the program cannot find them. Any advice?
    Monday, October 01, 2012 4:18 AM
  • I don't know if this will work for you but it worked for me.

    I kept hitting the Windows key on the keyboard, bringing up the taskbar for a very short time, and launching programs (a ton of them) via the quick launcher, or the start menu (opened automatically with the Windows key).

    Then, when I have a LOT of windows open, I do Ctrl+Alt+Suppr and I choose "close session".

    Because it should take some time before closing everything, Windows 7 will ask you if you want to close all the remaining programs or cancel closing the session. Wait till the Ukash window in the background is closed, and then rush to press "cancel".

    Now you should have the session open without Ukash, and you can download SpyHunter/Malwarebytes to remove Ukash permanently...


    • Edited by coyotte508 Sunday, October 14, 2012 12:39 PM
    Sunday, October 14, 2012 12:38 PM
  • Hello there

    I hit F8 before the PC started. When I had the main screen with all my icons, I went to Programs + Accessories + System Tools + System Restore and restored to an earlier date. To my surprise, it solved the problem.

    Wednesday, October 24, 2012 5:47 PM
  • Hi there,

    This ransomware has evolved for the worse these days. The new version locks you out of safe mode also. My way of solving this issue is by following these steps:

    1. Download the SuperAntiSpyware setup file and put it on a flash disk.

    2. Boot your PC to safe mode with command prompt.

    3. In the command prompt open the flash disk letter (E: or something).

    4. Type superantispyware.exe and hit enter.

    5. Install the program and when it opens select critical point scan and then scan your computer.

    It will find and quarantine the Ukash virus. Now restart in normal mode and update SuperAntiSpyware. Scan your PC with a complete scan.

    Hopefully you are ok now.

    Saturday, March 09, 2013 3:40 PM
  • Ended up on this page after looking for the registry key Ukash uses to lock the screen.

    I've just removed this virus pretty much in the same fashion as Steliosairman laid out, except that instead of SuperAntiSpyware I used ComboFix.  After coming to the conclusion that normal safe mode/safe mode with network support ended up in rebooting, I tried the command prompt option.  Apparently no reboot there; I launched ComboFix from a USB stick and let it run.  It does have to run in restricted mode due to being in this type of safe mode, but it seems to be enough to get the virus removed.

    Afterwards I proceeded to boot the machine to the desktop, ran ComboFix again, let it update and do a full scan.  Afterwards I usually run Hitman Pro and Malwarebytes as well for good measure.

    Monday, May 27, 2013 11:30 AM
  • Hi, I cannot boot my customer's system (Windows XP) in any safe mode. The ransomware detects this state somehow and reboots the system. I will try the Defender Offline option today and let you know.
    • Proposed as answer by Jacco Slok Tuesday, June 18, 2013 11:56 AM
    • Unproposed as answer by Jacco Slok Tuesday, June 18, 2013 11:56 AM
    Tuesday, June 18, 2013 11:22 AM
  • Hi Bob,

    Sorry to hear that you’ve been affected by this ransomware scam, and thank you to everyone who has provided advice on how to remove it.

    Although the virus is not in any way related to Ukash, we would ask that you report the scam to the appropriate law enforcement agency (for example, Action Fraud in the UK). If you have obtained a Ukash code in connection with the scam, please also let us know.

    For tips on keeping yourself and your money safe in the future, take a look at our online security tips at ukash.com.

    Wednesday, June 19, 2013 9:28 AM
  • Hi, just to let you know that the UKASH Virus now clears your system restore points so you can't restore to an earlier point.  Got hit by the virus & cleared it but my system has not got any restore points now.  Anyone got any ideas how to check my system to find out if they are still in here somewhere?

    Tuesday, June 25, 2013 4:29 PM
  • Use the BitDefender, AVG, and Kaspersky rescue disks one after the other on a bootable USB drive. Then try safe mode. Also try connecting the infected hard drive to another computer and run Malwarebytes off that computer onto the infected hard drive.
    Thursday, July 04, 2013 9:49 PM
  • Great advice, worked perfectly. Thank you!
    Tuesday, July 16, 2013 5:57 AM
  • Assuming you are running Vista or W7 or W8 (XP is 10 years old) - if this is true, the fact that it deletes System Restore Points is a HUGE concern to all of us, as they can only be deleted by a process running with Admin according to MS and my experiences.  In Vista or later, processes run by a user even with Admin privileges do NOT execute with admin privileges unless you tell them to explicitly.  This means the user would have to have EXPLICITLY SAID "VIRUS I AUTHORIZE YOU TO EXECUTE WITH ADMIN".

    A user authorizing a virus to run with admin privileges would be the height of stupidity and I'm sure you would have told us if you'd done something as stupid as that (so that we don't waste our time helping someone who likes to stick their fingers into the electrical sockets and then complain that they got an electrical shock).

    We should all be concerned if a non-admin process can delete our System Restore Points.

    And it should be obvious that replying "Run this process with Admin privileges" and disabling UAC is the same thing - if you disabled UAC, you EXPLICITLY authorized all processes that want, like a virus, to do whatever they want.

    But you aren't that stupid to disable UAC and honest enough to tell us if you were that stupid, right?

    Please post further info - a non admin process should not be able to do this and we would all like to know any/all details. 

    If a non-admin process can do this, we should all be concerned.

    Wednesday, October 23, 2013 8:34 AM
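The question raised above about whether any restore points survived the cleanup, and the later discussion of what privileges deleting them would need, can both be checked from the cleaned machine. The following is an added example, not code from this thread or from any tool it names; it assumes Windows 7 with Windows PowerShell 2.0 or later, run from an elevated prompt.

```powershell
# Added example, not from the thread: after cleanup, check whether System Restore
# points survived, whether restore was switched off, and whether UAC is still on.
# Assumes Windows 7 with Windows PowerShell 2.0 or later, run from an elevated prompt.

# 1. Restore points that System Restore still knows about.
$points = Get-ComputerRestorePoint
if ($points) {
    $points | Select-Object SequenceNumber, CreationTime, Description | Format-Table -AutoSize
} else {
    'No restore points are registered.'
}

# 2. The shadow copies that hold restore-point data, and the space reserved for them.
#    Wiping shadow storage is what removes restore points wholesale, so check both.
vssadmin list shadows
vssadmin list shadowstorage

# 3. The Volume Shadow Copy service must exist and be startable for new points to be made.
Get-WmiObject Win32_Service -Filter "Name='VSS'" | Select-Object Name, State, StartMode

# 4. A policy that disables System Restore entirely (DisableSR = 1) or hides its
#    configuration (DisableConfig = 1); an absent key means no such policy is set.
$srPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $srPolicy) {
    Get-ItemProperty $srPolicy | Select-Object DisableSR, DisableConfig
} else {
    'No SystemRestore policy key present.'
}

# 5. UAC state, relevant to the question of how an unelevated process could delete
#    restore points: EnableLUA = 0 means UAC is switched off.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"EnableLUA = $($uac.EnableLUA)  (1 = UAC on, 0 = UAC off)"

# 6. If nothing is left, turn protection back on for the system drive and take a
#    fresh baseline point so there is something to roll back to next time.
if (-not $points) {
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
}
```

If step 1 lists nothing but step 2 still shows shadow copies, the points exist on disk and only the registration is gone; if both are empty and step 4 shows DisableSR = 1, restore was turned off by policy and step 6 will not help until that value is removed.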