Remove the second version of the Ukash - Paysafe ransomware Virus

The Ukash virus is a scareware-ransomware trojan made for later Windows versions. It loads a screen with a message from a police department demanding that the user pay a fine, or else ... The fine is to be paid with Ukash or Paysafe, both tough-to-trace methods of payment. It has been seen speaking English, Russian, Ukrainian, Greek, and other languages. Most probably it is a kit that someone can purchase to start their own little business.

It was relatively easy to get rid of its previous version with F8 and System Restore, but when I tried to fix a friend's computer again (yeah, this friend has been attracting and hosting all the strains of this piece of malware so far), I was unable to clean the system that easily.

In its latest version, the writers added a little piece of code that simply restarts the system when a user attempts to log in to GUI Safe Mode.

I tried to log in with the Command Line Safe Mode and disable the restart functionality with msconfig, but no cigar.

Finally, while logged in with the Command Line Safe Mode, I simply started the restore program rstrui.exe in .\restore\rstrui.exe and I was able to restore the system. Or you could simply type the following upon logging in to Safe Mode with Command Line:
cd restore
rstrui.exe


The Ukash malware attempts a connection with some IP address in Russia when someone enters a number that matches the Ukash or Paysafe format. Disabling the whole scheme and busting the dudes behind it should not be that hard. The incompetence of the e-crime investigation units in Eastern and Southern Europe lets the people who operate the scam get away with it.

I would guess that the next strain of this piece of malware will attempt to disable rstrui.exe better, since it stands in its way to take over the world.


