12 Replies Latest reply on Jul 26, 2012 6:27 AM by dondwaly

    ukash ransom virus

      Ciao,

       

      I am affected with the Ukash ransom virus, in which my computer was totally blocked with the note from "the police" saying I have to pay €100 in order to unlock my system.

       

      I already found out how to start the pc in "safety mode" and I was able to recover to an older "system recovery point".

      Afterwards I started a full system scan (I am using McAfee Total Protection), and it said my system is 100% safe and protected, although it has located 1 trojan horse (which obviously is the Ukash Ransom).

       

      Each time I do a full system scan it says it has found no viruses and no further action is needed, but how can I get rid of this trojan horse? (win32.ransom)

       

      Is it really that simple that I just have to stop making new system recovery points (windows XP) which I read in another question on McAfee forum so that in a couple of weeks the trojan vanishes, or do I have to take further action?

      Please let me know, so I am sure my pc is safe (also for online payments) and I do not spread this trojan amongst friends!

       

      thanx!

      Eric

        • 1. Re: ukash ransom virus

          BTW: This was the thread I referred to:

           

          https://community.mcafee.com/message/248402#248402

           

          Please help me out!

          (NB: I'm having the Dutch variant)

          • 2. Re: ukash ransom virus
            Peter M

            If you restored the computer to a time before it all happened then you should be OK and what is being detected is probably the infected restore point.  To get rid of that simply disable System Restore temporarily and the infected restore point will be deleted.

             

            Run Stinger and Malwarebytes Free, both linked in the last link in my signature below.    There are other tools listed there too so read it all.

            • 3. Re: ukash ransom virus

              Thanx.

               

              The problem occurred last Sunday, so I restored it to a recovery point which was 2 weeks ago.

              Tonight I will disable the System Restore. I already took a look at that and it said all recovery points would be deleted if I disable it, so I wanted to wait for an answer before taking such action (what if this didn't help, then all "good" restore points would also be gone).

               

              Afterwards I will also run Stinger and Malwarebytes Free.

              Are these easy to run for somebody who isn't very technical?

               

              I'll let you know if this helps solving my problem.

               

              By chance, do you know how I can see a detailed report of my last scan? I'm working with Total Protection, but I can only see when it is ready and if it has found any viruses, but no details.

              Also when opening the list of items in Quarantine, it keeps on running (tried about 40 minutes) without ending or results. The run doesn't seem to stop.

               

              Thanx again for your quick reply!

              • 4. Re: ukash ransom virus
                Peter M

                Well you have to make sure first that the restore was successful and then get rid of all the restore points.    That will also serve the double purpose of freeing up disk space by the way.

                 

                Stinger is really easy, just download and run.  Malwarebytes Free needs to be updated before running, that's hardly complicated either.

                 

                The quarantine folder is obviously so full that it's having difficulty displaying, I've experienced that issue myself.

                 

                To see a record of what has happened click View Reports on the SecurityCenter main page, but that only gives a summary.    If you can't open quarantine then the detail is lost.

                 

                You have to do something a little technical to cure that situation - empty the folders manually.

                 

                It's a little complicated but if you follow each step slowly and methodically and don't panic you will succeed.

                 

                Quarantined Items Won't Delete

                It's a known issue, when there are too many the deletion jams up.   You can physically remove them from within the Windows environment.

                First double-click the taskbar icon to open SecurityCenter

                Click Navigation (top right)

                Click General Settings & Alerts (left)

                Click Access Protection to expand that section

                Uncheck Access Protection and click Apply

                Leave SecurityCenter open on your desktop because you should re-enable Access Protection after the following steps.

                Open any internal page such as Computer, Control Panel or Documents and go to Tools on the top Menu Bar, then go to Folder Options and click the View tab

                Look for the 'Hidden Files and Folders' item, and check the item 'View Hidden Files and Folders' if not already checked and click Apply and OK

                *Go to C:\ProgramData\McAfee\VirusScan\Quarantine and click Edit/Select All

                Click Shift and Delete simultaneously and the folder should empty.

                Take care to delete only the contents of that folder, not the folder itself.

                Re-enable Access Protection as mentioned above and click Apply and then exit SecurityCenter.

                Those instructions are for Vista/Windows 7. 

                *For XP the folder is found at:  C:\Documents & Settings\All Users\Application Data\McAfee\Virusscan

                You can reduce their number in future considerably if you are prepared to accept Tracking Cookies.  Those enable websites to remember your sign-in details etc.

                With SecurityCenter open click Virus and Spyware Protection to expand that section.

                Click Real-Time Scanning

                Click Settings and scroll down to Tracking Cookies

                Uncheck that and click Apply.

                Message was edited by: Ex_Brit on 24/07/12 8:09:00 EDT AM
                • 5. Re: ukash ransom virus

                  I ran Stinger tonight and no possible infections were found.

                   

                  Is it still needed to install MalwareBytes-Free?

                  While installing it, it says to shut off all firewalls and antivirus progs... a bit scary..  so if not needed

                   

                  The steps mentioned for deleting all items in quarantine were easy to follow... so compliments for writing it down so clearly!

                  There were just... 26.488 items to be deleted (since 2009..)?!

                  You were mentioning : if you are prepared to accept tracking cookies...

                  What harm could that do? Don't websites have to ask you if you want to remember your password first?

                  For now I have unchecked this, because I know at work they also accept this...

                   

                  So final questions for me:

                  1. do I really need to run MBAM, because both Stinger and Total Protection do not see any threat.

                  2. is accepting tracking cookies 'dangerous'

                  3. after what period can I make new "System Recovery Points" (from now, 2 days, a week?)

                   

                  If I have an answer to these questions I can really say that this was really the best online help I have ever had!

                  Simple, Understandable, Quick....   My compliments, but even more my thanx!!!!

                  • 6. Re: ukash ransom virus
                    Peter M

                    Ignore the warnings to turn off this and that - install it and update it then run a full scan.

                     

                    Run MBAM as a precaution and keep it around for future use. All you need to do is update it before running it the next time.

                    Tracking cookies are not dangerous and in fact the latest edition of McAfee ignores them by default anyway.

                    System Restore points can start to be made once you realise everything is OK.

                     

                    Those statistics you read are a sum total since you got the software.

                     

                    My guess is your quarantine folder is so full it won't allow you to empty it so follow this:

                     

                    It's a known issue, when there are too many the deletion jams up.   You can physically remove them from within the Windows environment.

                    First double-click the taskbar icon to open SecurityCenter

                    Click Navigation (top right)

                    Click General Settings & Alerts (left)

                    Click Access Protection to expand that section

                    Uncheck Access Protection and click Apply

                    Leave SecurityCenter open on your desktop because you should re-enable Access Protection after the following steps.

                    Open any internal page such as Computer, Control Panel or Documents and go to Tools on the top Menu Bar, then go to Folder Options and click the View tab

                    Look for the 'Hidden Files and Folders' item, and check the item 'View Hidden Files and Folders' if not already checked and click Apply and OK

                    Go to C:\ProgramData\McAfee\VirusScan\Quarantine and click Edit/Select All

                    Click Shift and Delete simultaneously and the folder should empty.

                    Take care to delete only the contents of that folder, not the folder itself.

                    Re-enable Access Protection as mentioned above and click Apply and then exit SecurityCenter.

                    Those instructions are for Vista/Windows 7. 

                    For XP the folder is found at:  C:\Documents & Settings\All Users\Application Data\McAfee\Virusscan

                    You can reduce their number in future considerably if you are prepared to accept Tracking Cookies.  Those enable websites to remember your sign-in details etc.

                    With SecurityCenter open click Virus and Spyware Protection to expand that section.

                    Click Real-Time Scanning

                    Click Settings and scroll down to Tracking Cookies

                    • 7. Re: ukash ransom virus

                      Okay, will install MBAM when I come home after work.

                      Both Stinger and Total Protection have found no infected or possibly infected items, nor trojans, so my guess is that MBAM will also be good.

                      Will run it just to be safe.

                       

                      The Quarantine was indeed full with 26.488 items. I already followed the steps you mentioned yesterday and deleted all items.

                       

                      When I get reaction from MBAM, I'll let you know and then we can close this thread.

                      Thanx again for your great support.

                      • 8. Re: ukash ransom virus
                        Peter M

                        I just realised that I had repeated myself regarding emptying the quarantined items, ah well, better that than no instructions at all.  ;-)

                         

                        Good luck.

                        • 9. Re: ukash ransom virus

                          haha, no sweat!

                           

                          After running MBAM it still had found 3 register keys which were defected...

                          I have removed them and ran MBAM again... now they are all gone..

                           

                          I'm going to restart my pc again and run all of them one last time: Stinger, MBAM and Total Protection.

                          If nothing has been found, I'll make a new System Recovery Point and all of my problems have been solved.

                          I'll let you know when all has been done.
