Removal instructions for Ukash ransom trojan


What is Ukash ransom trojan?

The Malwarebytes research team has determined that the Ukash ransom trojan is ransomware. Ransomware typically makes your system unusable and asks for payment to undo the damage. You are strongly advised to follow our removal instructions below.

How do I know if I am infected with Ukash ransom trojan?

This is what you will see, without any options to start other programs. It claims you have been fined for looking at pornographic material.

warning.png

How did Ukash ransom trojan get on my computer?

Trojans use different methods for spreading themselves. This particular one was offered as a movie on a site with explicit content.

How do I remove Ukash ransom trojan?

Our program Malwarebytes Anti-Malware can detect and remove this rogue application, but because this rogue blocks the normal use of programs, we will use Chameleon to remove it.

  • If Malwarebytes Anti-Malware is not installed on the infected computer:
    In order for this to work, you may need a second PC which is not infected and a USB flash drive, a blank CD and CD burner, or some other means to transfer files from one computer to the other.
    1. Download Chameleon from the Malwarebytes site.
    2. Reboot the infected computer into Safe Mode with Networking.
    3. Unzip the contents of the zip-file to a folder in a convenient location on the infected computer.
    4. If you were unable to do this directly on the infected PC, then copy the folder from the clean computer to the infected one.
    5. Make certain that your infected PC is connected to the internet, then open the folder you created or copied on your infected computer and double-click on svchost.exe.
    6. Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for you.
    7. Once it has done this, it will attempt to update Malwarebytes Anti-Malware. Click OK when it says that the database was updated successfully.
    8. Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan.
    9. Upon completion of the scan, if anything has been detected, click on Show Results.
    10. Have Malwarebytes Anti-Malware remove any threats that are detected and click Yes if prompted to reboot your computer to allow the removal process to complete.
    11. After your computer restarts, open Malwarebytes Anti-Malware and perform one last Full scan to remove the remaining components of the trojan.

Is there anything else I need to do to get rid of Ukash ransom trojan?

  • No, Malwarebytes' Anti-Malware removes Ukash ransom trojan completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, please consider purchasing the FULL version of Malwarebytes Anti-Malware for additional protection.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Ukash ransom trojan rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

protection1.png

Technical details for experts

Malwarebytes Anti-Malware logs:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 913012704

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

1/27/2013 2:25:57 PM
mbam-log-2013-01-27 (14-25-57).txt

Scan type: Quick scan
Objects scanned: 243770
Time elapsed: 14 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\{username}\Application Data\skype.dat (Trojan.Agent) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 913012704

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/27/2013 3:12:12 PM
mbam-log-2013-01-27 (15-12-12).txt

Scan type: Full scan (C:\|)
Objects scanned: 287185
Time elapsed: 39 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent.RNS) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SoftwareDistribution\Download\bf49909ce752e055c371e276a09e60765239945b (Trojan.Llac) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallKB978251$\mrxsmb.sys (Rootkit.0access) -> Quarantined and deleted successfully.

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
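
For responders who collect the scan logs shown under "Technical details for experts", the following is an added example (not Malwarebytes code and not part of the original post) that parses that log layout, checks the summary counts against the listed items, and picks out detections that deserve a second look. The function names, the marker list and the sample's last item are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the logs above; the last item and its action text
# are invented to exercise the follow-up check.
SAMPLE_LOG = r"""Registry Values Infected: 1
Folders Infected: 0
Files Infected: 2

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent.RNS) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\{username}\Application Data\skype.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files (x86)\example\sample.exe (Trojan.Agent) -> Delete on reboot.
"""

SUMMARY = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 2"
HEADER = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
ITEM = re.compile(r"^(.+) \(([^()]+)\) -> (.+)$")         # object (name) -> action
# Assumption: a minimal marker list; the per-user Winlogon shell value is the one in the log above.
AUTOSTART_MARKERS = (r"\currentversion\winlogon\shell",)

def parse_mbam_log(text):
    """Return (summary counts, listed items), both keyed by category name."""
    counts, items, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SUMMARY.match(line):
            counts[m[1]] = int(m[2])
        elif m := HEADER.match(line):
            current = m[1]
            items.setdefault(current, [])
        elif current and (m := ITEM.match(line)):
            items[current].append({"object": m[1], "name": m[2], "action": m[3]})
    return counts, items

def count_mismatches(counts, items):
    """Categories whose summary count differs from the number of listed items."""
    return {c: (n, len(items.get(c, []))) for c, n in counts.items()
            if n != len(items.get(c, []))}

def needs_follow_up(items):
    """Autostart-point detections, plus items not reported as removed successfully."""
    flat = [i for group in items.values() for i in group]
    autostart = [i for i in flat if any(k in i["object"].lower() for k in AUTOSTART_MARKERS)]
    pending = [i for i in flat if not i["action"].endswith("successfully.")]
    return autostart, pending
```

A count mismatch usually means the log was truncated or edited when it was copied; a hit on the Winlogon shell value is worth re-checking after the reboot in step 10.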
