This is a ransomware-type virus that demands you pay $100 to “Ukash”. Now really, why would the AFP want you to pay money to someone called Ukash? It doesn’t. This is a scam to try to trick you out of your hard-earned cash.

This virus is very tricky to remove. About a month ago you could use a really good little program that runs on start-up called HitmanPro.Kickstart. You just register for the one-month trial version. But when I tried it this morning it did not work for this virus anymore. I also tried the Kaspersky rescue disk with no luck. And what’s really bad about this virus is that when you boot to safe mode the computer restarts itself.
What I did to get rid of it was boot to safe mode with command prompt. To do that, press the “F8” key repeatedly as the computer is starting up and the Windows boot options will appear. Select “Safe mode with command prompt”. It will now boot up and open a command prompt window.
We need to make a new user by using the command “net user virusremoval /add”. This will create a new user called virusremoval.
Now we want to add the user to the local administrators group by using the command “net localgroup administrators virusremoval /add”.
Now you can reboot the PC by using the command “shutdown /r /t 0”.
Once the PC has rebooted, log in as the new user that we have just created, as this user will not be infected. From here we will need to do a system restore.
After the system restore on the PC is finished you will only have the original users again and you will be able to log in as your normal user again.
Once logged in as your normal user, follow the instructions on this post about how to remove the virus. I would run Combofix for this virus; after running mbam I still got a hit on Combofix today when removing this virus.
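
The post says the system restore leaves only the original users. The “net user virusremoval /add” command sets no password and the next command makes the account a local administrator, so it is worth confirming the account is really gone. The batch script below is an added example, not part of the original post. It assumes the account name used above and an English-language Windows where the group is called “administrators”.

```batch
@echo off
rem Added example (not from the original post). Checks whether the temporary
rem "virusremoval" administrator from the steps above survived the system
rem restore, and offers to delete it. Run from an administrator command prompt.
setlocal
set "TMPUSER=virusremoval"

rem "net user <name>" returns a non-zero errorlevel if the account is missing.
net user "%TMPUSER%" >nul 2>&1
if errorlevel 1 (
    echo [ok] Account "%TMPUSER%" does not exist.
    goto listadmins
)
echo [!] Account "%TMPUSER%" still exists.

rem Match the whole line so a longer name containing the text is not counted.
net localgroup administrators | findstr /i /r /c:"^%TMPUSER% *$" >nul
if not errorlevel 1 echo [!] It is still in the local administrators group.

set "ANSWER="
set /p "ANSWER=Delete %TMPUSER% now? (y/n) "
if /i not "%ANSWER%"=="y" goto listadmins

net user "%TMPUSER%" /delete
if errorlevel 1 (
    echo [!] Delete failed. Is this prompt running as administrator?
) else (
    echo [ok] Account "%TMPUSER%" deleted.
)

:listadmins
rem Review this list for any other account you do not recognise.
echo.
echo Members of the local administrators group:
net localgroup administrators
endlocal
```

Deleting the account does not remove its profile folder, so that can be deleted by hand afterwards if it was created.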


People often ask me to remove viruses from their computers and I charge them for my time, which is fair enough, but why would you want to pay someone to do something you can do for free yourself? When I remove my friends’ viruses I show them how to do it themselves and they are usually surprised at how simple it is. I have decided to make this little tutorial to show you all how to kill your own viruses.

So your computer is doing weird stuff and you think you might have been infected. What do you do now? Well, there are two options. You can pay anywhere from $50 to $200 to get someone to fix it, or you can do it yourself at home for nothing using the exact same virus removal tools they use.

You will need:

  • A backup drive (optional): to back up your data.
  • RKill: This stops any suspicious processes that your computer has running
  • CCleaner: To clean your registry after the virus removal process
  • Malwarebytes: This is the actual virus removal tool to run a virus scan and remove the detected files
  • Combofix: This is a last resort, it is a dangerous program to use because it can make low level changes to your operating system and render it unusable.
  • Some persistence

All of these programs are free!! The only thing that will cost you money is the backup drive. The backup drive is optional but I recommend it, because sometimes the virus may have adverse effects on your data during the removal stage or even while the computer is infected. Always make sure you update your virus removal programs before use.

 

Removal

 

Step 1

Boot to safe mode. You do this by powering on your computer and repeatedly pressing the “F8” key until the boot menu is opened. You want to select “Safe mode with networking” as we will need to update the virus removal software once it is started.

Step 2 (Optional but recommended)

Back up all of your important data. This is usually located in the “My Documents”, “My Pictures”, “My Videos” and “My Music” folders.

You may also want to back up your Outlook data if you have e-mails coming through Outlook. Outlook data is located at “drive:\Users\user\AppData\Local\Microsoft\Outlook” in Windows Vista, 7 and 8. In XP it is stored at “drive:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook”.

Step 3

Download and run RKill. When you download it, make sure you download the one marked iexplorer.exe and run that. The program has been renamed so that malware does not recognise it and stop it from running.

Step 4

Download and install Malwarebytes. At the end of the installation it will ask you if you want to enable a trial of Malwarebytes Pro. Uncheck this box, as we do not need it. Leave the other boxes checked that say to run on completion and to update the program.

Step 5

Run Malwarebytes and do a full scan on all drives that are showing. This may take anywhere from an hour to all day so you might as well take a break. Have a coffee or a beer maybe…

Step 6

At the end of the scan Malwarebytes will give you the results of the malware scan. I recommend removing all of them, but you may not want to because it can flag some useful utilities as hack-tools or suspicious files. If you’re not sure then just select clean all. Once all of the viruses are removed it will prompt you to restart your computer. You definitely want to do this, as some viruses may hide in your RAM and re-install themselves without you knowing.

Step 7

Once your PC has restarted you will need to run Kaspersky TDSSKiller. This will do another scan, but inside your system files. TDSSKiller looks for root-kits, which hide themselves as part of your operating system. If the scan from TDSSKiller finds anything, remove it. Hopefully it won’t.

Step 8

Now we use CCleaner to clean out the registry. This will remove any keys that point to non-existent files, keys that have duplicates and also keys that your virus may have left behind. If you go to 3 minutes and 10 seconds on the video below it will show you how to clean out the registry. Always make sure you save a backup copy of the registry, so that if the program accidentally deletes something it wasn’t meant to you can restore the registry to a previous state.
Now it is time to test your computer. Just do some normal things on it, like browse the internet and whatever else you feel like doing on it.

If you still have problems…

So you still have problems??
That is not good. This means you will need to bring in the big guns.

WARNING: Combofix makes low level changes to your operating system. This is a utility that can leave your computer inoperable.

Now we run Combofix. This anti root-kit utility may reboot your computer a few times while it runs. Once it has finished it will show a report outlining the changes that have been made. After running Combofix to remove your virus or root-kit you will want to run CCleaner to clean the registry again.

If you still have problems you most likely need to re-install your operating system or take it to a professional.

 
