The CashU Virus - How to remove

The CashU Virus

The CashU virus, also known as the CashU cryptovirus, is ransomware that blocks an infected computer’s screen and demands a fine to be paid using the CashU prepaid payment system. The blocking message is designed to look as if it was sent by a legitimate company or an organization of authority such as the local police. There is more than one version of this virus, depending on the targeted country, mostly African countries and the Middle East, e.g. United Arab Emirates, Lebanon, Palestinian Territory (The Palestinian Civil Police Force virus), Saudi Arabia, Jordan (The Kingdom of Jordan CashU virus; The Public Security Directorate virus), Morocco (Morocco Sûreté Nationale virus), Qatar (The State of Qatar Ministry of Interior CashU virus).

The CashU virus is programmed to work as follows: once it gets inside the computer, it waits for some time without initiating any action. This is done in order to hide the traces of the source of infection. Later on, it blocks the computer’s screen with a bogus message that carries the logo and name of the local police or another legitimate authority. The text claims a breach of laws related to illegal usage and distribution of copyrighted content (such as music, movies, and software), using the computer for sending spam, or even committing crimes related to child pornography. If a webcam is attached to the infected computer, the CashU virus activates it and films the surroundings. The text near the camera window explains that the video will be used to identify the criminal. An infected computer does not respond to almost any commands. If you restart it, you will see the same message again. All of these psychological tricks are used to scare a victim and make her pay the fine.

The prepaid payment system CashU is not chosen by accident. It is particularly difficult to trace criminals through the PINs entered, while cashing the PINs out is very easy. Usually scammers sell the PINs in underground forums or use them to pay for illegal services.

Please note, paying the fine will not unblock your computer. The only way to get rid of the CashU virus is by removing it using special antivirus tools. Below are removal instructions. You should choose the one that best suits your situation:

Method I – using unaffected user’s account

If you have more than one user account and at least one of them is not infected, log in to it and scan your computer with Spyhunter. The CashU virus will be removed and the other user accounts unblocked.

Method II – using System Restore

  • Press and hold F8 while the computer is restarting in order to select Safe Mode with Command Prompt.
  • At the command prompt, type cd restore, and then press Enter.
  • Type rstrui.exe and press Enter (for Windows Vista, 7 and 8, you should type C:\windows\system32\rstrui.exe; for Windows XP, C:\windows\system32\restore\rstrui.exe).
  • When System Restore starts, select a restore point that precedes the infection. Do not forget to scan your computer with Spyhunter afterwards so that the malicious files are removed.

Method III – using Safe Mode or Safe Mode with Networking

  • Restart your computer. Press F8 while it is restarting.
  • Choose safe mode or safe mode with networking.
  • Launch MSConfig.
  • Disable startup items in which rundll32 launches any application from Application Data. Please note that other locations can also be used.
  • Restart the system once again.
  • Scan with https://www.2-viruses.com/downloads/spyhunter-i.exe. It should detect and delete the CashU virus.

Method IV – using Safe Mode with Command Prompt

  • Restart your computer choosing Safe Mode with Command Prompt.
  • Run Regedit.
  • Search for WinLogon Entries. Write down all files it references that are not explorer.exe or blank. Replace them with explorer.exe.
  • Search the registry for the CashU virus files and delete the registry keys referencing the files.
  • Try to reboot and scan with Spyhunter.
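
An added example, not part of the original guide: a read-only PowerShell audit of the autostart locations that Methods III and IV ask you to inspect by hand. The registry paths are the standard Winlogon and Run keys; the matching patterns are assumptions chosen for illustration and will also surface legitimate entries that need manual review.

```powershell
# Added example: lists suspicious autostart entries, changes nothing.
# Run from an elevated prompt in Safe Mode; review findings before editing
# anything in MSConfig or Regedit.

$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$run      = 'Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# Method IV: the Winlogon "Shell" value should be explorer.exe or absent.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $path  = "$hive\$winlogon"
    $shell = (Get-ItemProperty -Path $path -Name 'Shell' -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += [pscustomobject]@{
            Key = $path; Name = 'Shell'; Data = $shell
            Reason = 'Shell is not explorer.exe'
        }
    }
}

# Method III: startup items where rundll32 loads something from Application Data.
# Entries that merely run from a profile data directory are listed for review,
# since the guide notes that other locations can also be used.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $path = "$hive\$run"
    $key  = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $data      = [string]$key.GetValue($name)
        $inProfile = $data -match 'Application Data|\\AppData\\'
        if (-not $inProfile) { continue }
        $reason = if ($data -match 'rundll32') {
            'rundll32 loading a file from a profile data directory'
        } else {
            'runs from a profile data directory (review)'
        }
        $findings += [pscustomobject]@{
            Key = $path; Name = $name; Data = $data; Reason = $reason
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No suspicious Winlogon Shell or Run entries found.'
} else {
    $findings | Format-List Key, Name, Data, Reason
}
```

Write down the file paths it reports before disabling or deleting anything, so the follow-up scan can confirm those files were removed.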

Method V – using USB or bootable DVD

If none of the above worked and you have access to another computer, download Spyhunter to a bootable DVD or USB and insert it into the infected machine. The antivirus program will start automatically and remove the infection.

In order to avoid a similar infection in the future, you should be aware of the possible channels of its distribution. It might be spread via spam e-mails with malicious attachments, freeware, codecs, torrents or shareware on peer-to-peer sharing platforms. One of the most common distribution channels is infecting another website (it might be a legitimate webpage such as one for job search) with one of multiple exploit kits such as Blackhole, Sweet Orange, RedDot, Cool EK, v2, Neutrino and others. One gets infected while visiting such a compromised site. You should also be aware of social engineering tactics in which a victim installs the virus herself, thinking it is some useful program or an update. Download anything only from official websites.
