Sunday, January 15, 2012
How To Remove the Ukash Virus.

Yesterday I got hit with a particularly nasty malware scam. Though it took me about 90 minutes to solve, I found the whole thing was an awful lot of leaps of faith and trial and error. If you've found me by a search engine, congratulations, you've probably got it. Stay calm. Get something with caffeine in it. This will take about 20 minutes.

First off, you'll find your entire system is locked down so that paying is about the only thing it still lets you do. Task Manager, starting any new programmes, accessing anything in almost every application: all locked down. I could open .jpgs, so luckily, baby pics on a USB drive saved me.

The typical page looks like this. Yep, the usual illiterate "you were look at violence child pornography" nonsense. How do you get rid of it? It's a wee bit techy, but not beyond anyone.

1. Insert a USB stick and open an image file from it in Firefox or Chrome (right-click the file and use "Open with"). Opening a file this way still works even though launching programmes directly is blocked. (This is how I got to google the instructions to solve it and do the research.) Once the browser is up, navigate to Google and search for the virus name.

2. You may have to do a hard reboot by yanking the power plug or holding down the power button for a few seconds. As the machine starts up, before the Windows logo appears, press F8 repeatedly and choose Safe Mode from the boot menu. From here, click Start, type msconfig into the search box and press Enter, then open the Startup tab. This lists the programmes that run when the machine boots under its normal configuration. (On Windows 8 and later the same list lives on the Startup tab of Task Manager.)

3. Look for an entry whose command is a totally random string of numbers, such as 08896765658807655.exe, located in C:\Users\(Your Name)\AppData\Local\Temp; the Command column in msconfig shows the full path. The Manufacturer may be "Unknown". Untick the box next to that Startup Item so the program no longer runs at boot, then click Apply. No legitimate program needs to start from Temp, and the file was probably dropped at almost exactly the time your system was compromised.

In this menu the virus entry will be called something like "Shark Fear Wait", with a manufacturer along the lines of "The Orb Network", and the file's modified/installed date and time will match the moment your system got locked down.

4. Reboot in normal mode. Open Windows Explorer and set it to show hidden files and folders (Organize > Folder and search options > View). Navigate to the folder where you found the random-numbered .exe and delete that file. Go to your Recycle Bin and empty it. Clear out your cache, temp files and internet history, just to be sure.

5. Update and run a complete virus scan. Lots of people recommend Malwarebytes. I don't have a preference.

6. Reboot your system. You should now be clean.
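The hunting part of steps 2 to 4 (find the auto-start entry that points at a random-numbered .exe in Temp, dropped at the time of the lock-up) can be scripted. The script below is an added example written for this page, not code from the original post or from any removal tool it mentions. It assumes PowerShell 3.0 or later, an elevated prompt (Safe Mode is fine), and it only reports: nothing is disabled or deleted. The heuristics (Temp path, all-digit filename, missing Authenticode signature, write time within a window of the lock-up) and the sample -LockedAt date are assumptions for illustration.

```powershell
# Added example, not from the original post. Report-only triage of the Run keys
# and Startup folders that msconfig's Startup tab reads from.
# Assumptions: PowerShell 3.0+, run elevated; the flags below are heuristics.
function Get-StartupTriage {
    param(
        [datetime]$LockedAt,          # roughly when the lock screen first appeared (optional)
        [int]$WindowMinutes = 30      # how close to that time counts as suspicious
    )

    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $startupFolders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    # Properties Get-ItemProperty adds to every result; they are not Run values.
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # Collect every auto-start entry as Source / Name / Command.
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File) {
            $entries += [pscustomobject]@{ Source = $folder; Name = $f.Name; Command = $f.FullName }
        }
    }

    foreach ($e in $entries) {
        # Pull the executable out of '"C:\x\y.exe" /arg' or 'C:\x\y.exe /arg'.
        $exe = $e.Command
        if ($exe -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($exe -match '^\s*(\S+?\.exe)') { $exe = $Matches[1] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $flags = @()
        if ($exe -match '\\Temp\\') { $flags += 'runs from a Temp folder' }
        if ([IO.Path]::GetFileNameWithoutExtension($exe) -match '^\d{8,}$') { $flags += 'all-digit filename' }

        $written = $null
        if (Test-Path -LiteralPath $exe) {
            $written = (Get-Item -LiteralPath $exe).LastWriteTime
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "no valid signature ($($sig.Status))" }
            if ($PSBoundParameters.ContainsKey('LockedAt') -and
                [math]::Abs(($written - $LockedAt).TotalMinutes) -le $WindowMinutes) {
                $flags += 'written around the lock-up time'
            }
        } else {
            $flags += 'file not found'
        }

        [pscustomobject]@{
            Name    = $e.Name
            Path    = $exe
            Written = $written
            Flags   = ($flags -join '; ')
            Source  = $e.Source
        }
    }
}

# Usage: list everything, most-flagged first. The date is a made-up example;
# put in the time your own machine locked up. A Temp path plus an all-digit
# filename is the combination the steps above describe.
Get-StartupTriage -LockedAt (Get-Date '2012-01-14 21:00') |
    Sort-Object { @($_.Flags -split '; ' | Where-Object { $_ }).Count } -Descending |
    Format-Table -AutoSize
```

Treat the signature flag as supporting evidence only, since plenty of legitimate software is unsigned; the Temp location and the write time are the stronger signals. Once you have identified the entry, disabling it by hand in msconfig as in step 3 is the safest route; if you prefer to do it from PowerShell, export the key first (reg export) and then use Remove-ItemProperty on that one value, or move a Startup-folder shortcut out of the folder. This script does not look at scheduled tasks or the Winlogon Shell/Userinit values, which other lock-screen variants use, so a full scan as in step 5 is still worth doing.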

What a ruthlessly executed idea: lock down all your permissions apart from those needed to pay the £100 ransom demanded by a non-existent police force that cannot spell. The intelligence and devious thinking on display are certainly smarter than your average malware scam, and it probably wasn't cheap. Whoever coded this knew exactly what they were doing, and they didn't care about the effects on anyone apart from making money through theft.

Now. If only they'd used that to create something that wasn't a criminal scam.

