Your computer has been Locked (Paysafecard or Ukash virus)

What is Ukash virus?

Ukash virus is a ransomware that prevents you from accessing your desktop by covering the desktop with a certain image. It's from the family of Trojan:Win32/Reveton. It targets Europeen users. It locks your computer and displays a fake EUROPOL or fake Local Police warning that covers your desktop and demands the payment of a ransom of 100EUR in the form of a Ukash for the supposed possession of illicit material.

Some Ukash virus screenshots:
Ukash virus
Ukash virus
Ukash virus

The EUROPOL or Local Police Ransomware is configured to start automatically when you login to Windows. It displays a large warning that pretends to be from the EUROPOL or Local Police and states that your computer has been blocked due to it being involved with the distribution of pornographic material, SPAM, or copyrighted content. In order to regain access of your computer you must first pay a fine of 100EUR in the form of a Paysafecard or Ukash or it will be confiscated and you will be arrested, charged and convicted for up to 5 years in prison time and registered as a thief for the rest of your life. This alert is a scam and should be ignored.

The text of this Ukash virus ransom note is:
Your PC is blocked due to at least one of the reasons specified below: Your computer has been trying to download and/or to install pirated software or multimedia files protected by international laws and has been blocked. According to EU legislation you are required to pay 100 EUR administrative fees if this is the first time you have violated the copyright law. Downloading, installing and distributing such materials is highly punishable and may leave a long lasting effect on your job and on your friends and relatives. If we don't receive a payment within 48 hours your personal information will be sent to your local police authorities. Your hardware used for distribution of pirated software will be confiscated and you will be arrested, charged and convicted for up to 5 years in prison time and registered as a thief for the rest of your life.
To help you make your payment faster and totally anonymous to you, we decided to accept vouchers that are spread nationwide and can be purchased in all major stores.
Legislation s. 163.1 (3) Every person who transmits, makes available, distributes, sells, advertises, imports, exports or possesses for the purpose of transmission, making available, distribution, sale, advertising or exportation any child pornography is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years and to a minimum punishment of imprisonment for a term of five years.

These warnings and anything they state is just a scam to trick you into paying the ransom. Fortunately, it is not necessary to pay the ransom as we have described a method below that can be used to remove this malware from your computer. Once again, Ukash virus is a scam and should be ignored.

Associated Ukash virus System Entries and files

Ukash virus Processes

Ukash virus Files

Ukash virus Registry Entries


How to Stop Ukash virus Fake Alerts

To register Ukash virus and stop its fake warnings, use the following fake license key.

Ukash virus registration code: 6337180116517630998

NOTE: this code will NOT remove Ukash virus from your computer, it will JUST stop the annoying alerts and messages.


Ukash virus Removal Instructions

Step 1: Reboot in Safe Mode with Networking

To restart your computer in Safe Mode with networking:

  1. Restart your computer.

  2. When you see the computer manufacturer's logo, press and hold the F8 key.

  3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press Enter.
    Safe Mode with Networking Screen

  4. Log on to your computer with a user account that has administrator rights.


Step 2: Stop Ukash virus processes

In order to stop Ukash virus from interfering with our removal procedure, we need to end and kill its processes. For this, we will use a FREE powerful utility called RogueKiller.

RogueKiller (by Tigzy) is a tool written in C++, which scans the running processes, and kills those which are malicious. This tool was developed based on speed execution, which will clean the running processes before being killed.

To terminate Ukash virus process:

  1. Always in Safe Mode Download RogueKiller to your desktop from the following link:

    RogueKiller Download link
    RogueKiller Setup Icon
    RogueKiller is a portable application, so you don't need to install anything.

  2. Ukash virus may block all executable files, so when you launch the RogueKiller file, it will execute itself. So Rename RogueKiller.exe to RogueKiller.com or winlogon.exe or iexplore.exe

  3. At this point a "pre-scan" will complete and stop any malicious process. Also a list of options will appear along the right-hand side.
    RogueKiller Pre-Scan


Step 3: Remove Ukash virus registry keys

To remove Ukash virus malicious registry entries, we will need RogueKiller again.
RogueKiller also checks for rogue Registry entries, rogue drivers, and Master Boot Record (MBR) issues, so rootkits will be cut.
RogueKiller can also fix and restore a Host file, delete any Proxy entries, repair shortcut problems and unhide files.

CAUTION: This tool is not for beginners. In this step we will ONLY use the Registry tab.

To Delete Ukash virus Registry entries:

  1. Always in Safe Mode run a scan, open RogueKiller and click on Scan.
    RogueKiller Scan Progress

  2. After a while, you should see a screen with scan results like the following one:
    RogueKiller Scan Results

  3. Click on the Registy tab, then click on the Delete button.
    RogueKiller Delete Registry Entries


Don't Reboot you computer yet, please stay in Safe Mode.


Step 4: Remove Ukash virus files

Malwarebytes Anti-Malware is simply the best known FREE malware removal tools online.

To remove Ukash virus files:

  1. Download Malwarebytes to your desktop from the following link:
    Malwarebytes Anti-Malware Download link
    MBAM Setup Icon

  2. Just Follow the easy setup process. Do not make any changes to the default settings
    When the setup is finished, make sure you leave both the Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware checked.
    You can check or uncheck the Enable free trial of Malwarebytes Anti-Malware PRO as the malware removal is FREE.
    Then click on the Finish button. If Malwarebytes prompts you to reboot, please do not do so.
    Malwarebytes Anti-Malware Setup Wizard

  3. When Malwarebytes is launched, it will ask you to update the databse. Just click OK.
    Malwarebytes Anti-Malware Updating

  4. On the Scanner tab,select Quick scan and then click on the Scan.
    Malwarebytes Anti-Malware Quick Scan Screen

  5. When the scan is finished a message box will appear, click OK to continue.
    Then the screen results will show the various malware infections including Ukash virus that Malwarebytes has found on your computer.
    the image below is just an example, your results will be different.
    Click on the Remove Selected button.
    Malwarebytes Anti-Malware Quick Scan Results Screen

  6. After Malwarebytes has finished the removal of Ukash virus, you will get a message stating that you need to reboot your computer.
    Just Do so, and restart your computer in Normal Mode.
    Malwarebytes Anti-Malware Quick Reboot Message


Step 5: Check for any Ukash virus left over

To make sure that your computer is now completely free of Ukash virus, redo a Malwarebytes scan in Normal Mode.
After your are finished, Reboot your PC as asked by Malwarebytes anti-malware.


About

Sarah MelbenchI am Sarah Melbench and I am an Anti-Malware Enthusiast! I created this website to spread the word about the lastest malware infections. I write guides and tutorials about malware removal as well as reviews of anti-malware programs.Follow me on G+

Tagged with: ,
Posted in Manual Malware Removal

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>