Remove UKash malware

Just removed the first virus (not from my machine) after several years of virus-free happiness on Linux.

Here's how to remove the Austrian variant of the so-called UKash virus, a lock-screen ransomware (named after the Ukash payment vouchers it demands) which claims to come from the Austrian Federal Criminal Police Office (Bundeskriminalamt) and threatens prosecution if you don't pay …

  • The lock screen blocks any meaningful user interaction, so press Ctrl-Alt-Delete and reboot (or power-cycle the machine if even that is swallowed)
  • go into Windows Safe Mode by hitting F8 while Windows starts (Windows 7 and earlier); plain "Safe Mode" without networking is enough
  • launch the registry editor (regedit) and go to the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows; its "Load" value is a legacy autostart location (the old win.ini load= line), which is why the lock screen comes back at every logon
  • in the "Load" value, there's the path to the malware (in my case, it was in C:\Users\myuser\Local Settings\Temp\msonlhe.bat)
  • set the value to an empty string; if regedit refuses, you're probably lacking permissions on the key, which can be changed in "Edit -> Permissions" (take ownership and grant yourself Full Control)
  • delete the file; the .bat extension is only a disguise, the file is really a Windows executable, which you can confirm by opening it in a hex editor and checking for the "MZ" header in the first two bytes
  • if the lock screen returns after a reboot (the malware may have a second autostart entry elsewhere, e.g. in the HKCU Run keys), scan with Malwarebytes
  • the next time you surf shady sites, use a live Linux (e.g. Ubuntu)
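As an added example that is not part of the original post, the PowerShell script below automates the registry check from the steps above: it reads the Load and Run values under the key named there plus the usual HKCU Run/RunOnce keys, resolves the file each value points at, and tests whether that file is really a PE executable by checking the "MZ" DOS header and the "PE\0\0" signature, regardless of what extension it carries. Run it from Safe Mode as the affected user (it looks at HKCU) on Windows PowerShell 3 or later. The -Remove switch, the "suspicious" heuristic and the rename to *.quarantined are this example's own choices, not anything the post describes; by default it only reports.

```powershell
# Added example (not from the original post): audit the legacy "Load"/"Run"
# autostart values and the HKCU Run keys, and check whether each referenced
# file is really a PE executable, whatever its extension claims.
# The -Remove switch, the "suspicious" heuristic and the rename to
# *.quarantined are this example's own assumptions.
param([switch]$Remove)

$autostartKeys = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Names = @('Load', 'Run') },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';        Names = $null },  # $null = every value
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';    Names = $null }
)

# Extract the program path from a registry command line such as
#   "C:\Program Files\x\y.exe" /arg   or   %TEMP%\msonlhe.bat
function Get-CommandPath {
    param([string]$Value)
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 1) { return $v.Substring(1, $end - 1) }
        return $v.Trim('"')
    }
    if (Test-Path -LiteralPath $v -PathType Leaf) { return $v }   # unquoted path, possibly with spaces
    return ($v -split '\s+')[0]                                     # otherwise the first token is the program
}

# True if the file starts with an "MZ" DOS header whose e_lfanew field
# (offset 0x3C) points at a valid "PE\0\0" signature.
function Test-PeFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $dos = New-Object byte[] 64
        if ($fs.Read($dos, 0, 64) -lt 64) { return $false }
        if ($dos[0] -ne 0x4D -or $dos[1] -ne 0x5A) { return $false }          # 'M','Z'
        $peOffset = [BitConverter]::ToInt32($dos, 0x3C)
        if ($peOffset -lt 64 -or ($peOffset + 4) -gt $fs.Length) { return $false }
        [void]$fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
        $sig = New-Object byte[] 4
        if ($fs.Read($sig, 0, 4) -lt 4) { return $false }
        return ($sig[0] -eq 0x50 -and $sig[1] -eq 0x45 -and $sig[2] -eq 0 -and $sig[3] -eq 0)  # 'P','E',0,0
    } finally {
        $fs.Dispose()
    }
}

$findings = foreach ($k in $autostartKeys) {
    if (-not (Test-Path -LiteralPath $k.Path)) { continue }
    $key   = Get-Item -LiteralPath $k.Path
    $names = if ($k.Names) { $k.Names } else { $key.GetValueNames() }
    foreach ($name in $names) {
        $value = $key.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        $file = Get-CommandPath $value
        $isPe = Test-PeFile $file
        # Heuristic (this example's own): a PE hiding behind a non-executable
        # extension, or anything started from a Temp directory, deserves a look.
        $suspicious = ($isPe -and $file -notmatch '\.(exe|scr|com)$') -or ($file -match '\\Temp\\')
        [pscustomobject]@{
            Key = $k.Path; Name = $name; Value = $value; File = $file
            Exists = (Test-Path -LiteralPath $file); IsPE = $isPe; Suspicious = $suspicious
        }
    }
}

$findings | Format-Table -AutoSize Name, IsPE, Suspicious, File

if ($Remove) {
    foreach ($f in $findings | Where-Object Suspicious) {
        try {
            # Blank the value, as in the manual steps, rather than deleting it.
            Set-ItemProperty -LiteralPath $f.Key -Name $f.Name -Value '' -ErrorAction Stop
        } catch {
            Write-Warning "Could not clear $($f.Key)\$($f.Name): $_ (fix the key's permissions in regedit, Edit -> Permissions)"
        }
        if ($f.Exists) {
            Rename-Item -LiteralPath $f.File -NewName ((Split-Path $f.File -Leaf) + '.quarantined')
        }
    }
}
```

Without -Remove the script only lists what the autostart values point at, so it is safe to run first and compare against the regedit view; the renamed *.quarantined copy keeps the sample available for a scanner or a hex editor instead of deleting it outright.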