How to remove Ukash Virus

 

Ukash Virus is an aggressive group of ransomware scams that try to swindle money from you. It is very convincing because it displays alerts that appear to come from an official institution, e.g. the local or national police. It locks your computer completely, so the only thing you can do is look at the message. The message advises you to pay a fine if you want to unlock the computer. Of course, this is only a scam and paying the fine will not change anything. The impersonated institutions range from police to copyright bodies. However, in many cases the messages and designs are similar or even shared between versions, and there are few unique details.

This ransomware is named Ukash Virus after the payment system it demands. The fines are paid using a prepaid system called Ukash. No official institution would ask for payment via a system like this, which only confirms that this is not a real warning but a virus used by scammers. Note that the Ukash payment system itself is perfectly legitimate and accepted in some countries, mostly European ones, Canada and Australia. Starting in 2013, this ransomware began targeting South American sites as well. The most recent additions include Bolivia and Argentina.

Typically, Ukash Virus is installed silently when you visit an infected website or one displaying malicious advertisements. In most cases website owners are not aware of the malware and sooner or later clean the site. The risk is higher if you run vulnerable Java or Flash versions. Thus it is impossible to tell which websites are safe or dangerous without good antivirus protection. Additionally, Ukash Virus might be installed by network worms, torrent downloads or email spam.

The biggest problem is that Ukash Virus comes in several flavors and no single approach will be successful in all cases.

Special Removal Instructions for Ukash Virus

If you have access to another account on the infected PC, you should scan the whole PC with an anti-malware program, e.g. SpyHunter. This is by far the simplest way to remove the parasite. System Restore would be an option too. However, if you can’t do this, there are several other strategies. To determine which one you should use, do the following:

  1. Reboot.
  2. Press F8.
  3. Try the safe modes in the following order: Safe mode, Safe mode with networking and Safe mode with command prompt.

Depending on the outcome, use the following guides:

Versions that allow booting to Safe mode or Safe mode with networking (Malex / Reveton)

  1. Restart your computer. Press F8 while it is restarting.
  2. Choose safe mode or safe mode with networking.
  3. Launch MSConfig.
  4. Disable startup items in which rundll32 launches any application from Application Data. Note that these are typical locations for Ukash Virus, but others might be used.
  5. Restart the system once again.
  6. Scan with http://www.2-viruses.com/downloads/spyhunter-i.exe to identify Ukash Virus files and delete them.

Video for one such ransomware:

Versions that allow booting to safe mode with command prompt

The Gimemo and Epubb trojans are behind this version of Ukash Virus. This version is more difficult to remove.

  1. Reboot PC in safe mode with command prompt.
  2. Run Regedit.
  3. Search for the Winlogon entries. Write down all files they reference that are not explorer.exe or blank. Replace them with explorer.exe.
  4. Search registry for Ukash Virus files and delete the registry keys referencing the files.
  5. Try to reboot and scan with Spyhunter.
  6. If this fails, try doing system restore from safe mode with command prompt (rstrui.exe).
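
A read-only check of the autostart locations the two procedures above point to (the Winlogon Shell value and the Run entries that MSConfig lists), as an added example that is not part of the original article. It assumes PowerShell is available on the machine, which is not the case by default on Windows XP; the LOCALAPPDATA and TEMP directories and the helper names Test-UserWritablePath and New-Finding are choices made for this example.

```powershell
# Added example: read-only audit of the autostart locations named in the steps above.
# Nothing is modified; review each flagged entry before changing the registry.

# Directories a standard user can write to. The article names Application Data as the
# typical location; LOCALAPPDATA and TEMP are assumptions added for coverage.
$userWritable = @(@($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ })

function Test-UserWritablePath {
    param([string]$Command)
    # Expand %AppData%-style references before comparing.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($dir in $userWritable) {
        if ($expanded.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

function New-Finding {
    param($Key, $Name, $Value, $Reason)
    New-Object PSObject -Property @{ Key = $Key; Name = $Name; Value = $Value; Reason = $Reason }
}

$findings = @()

# 1. Winlogon Shell: anything other than explorer.exe (or blank/absent) is suspect.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $shell = ([string]$props.Shell).Trim()
    if ($shell -and ($shell -ine 'explorer.exe')) {
        $findings += New-Finding $key 'Shell' $shell 'Shell is not explorer.exe'
    }
}

# 2. Run keys (among the items MSConfig's Startup tab lists): flag anything that
#    starts from a user-writable directory, with rundll32 called out separately.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if (-not (Test-UserWritablePath $value)) { continue }
        $reason = 'Starts from a user-writable directory'
        if ($value -match 'rundll32') {
            $reason = 'rundll32 loading from a user-writable directory'
        }
        $findings += New-Finding $key $name $value $reason
    }
}

if ($findings.Count -eq 0) {
    'No suspicious Winlogon Shell or Run entries found.'
} else {
    $findings | Select-Object Reason, Key, Name, Value | Format-List
}
```

Entries written with 8.3 short paths (for example DOCUME~1) will not match the string comparison, so read through the Run list by eye as well.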

Ukash Virus that disables all safe modes

Some versions of Ukash Virus disable all safe modes, but leave a short gap that you can use to run anti-malware programs. In that case, do the following:

  1. Reboot normally.
  2. Start->Run.
  3. Enter: http://2-viruses.com/downloads/spyhunter-i.exe . If the malware has already loaded, just press Alt+Tab once and keep entering the string blindly. Press Enter.
  4. Press Alt+Tab and then R a couple of times. The Ukash Virus process should be killed.

Here is a video detailing this approach:

Hitman Pro USB disk

Lastly, you might resort to scanning the PC with a bootable USB or DVD disk. These should be able to remove all versions of Ukash Virus, but will not work if your hard drive is encrypted.

For that, we recommend using Hitman Pro Kickstarter USB.

  1. Download Hitman Pro on an uninfected PC.
  2. Run Hitman and ask to create a Kickstarter USB (option on the initial screen).
  3. When the USB is ready, reboot the infected PC with the USB attached and press DEL.
  4. Choose USB as the primary boot device.
  5. Boot normally.
  6. Run Hitman Pro and http://www.2-viruses.com/downloads/spyhunter-i.exe . One of these programs should detect and remove the malware from your PC.

 

Automatic Ukash Virus removal tools

 
  Download Spyhunter for Ukash Virus detection

  Note: The Spyhunter trial provides detection of parasites like Ukash Virus and assists in their removal for free. You can remove detected files, processes and registry entries yourself or purchase a full version.
 

Manual Ukash Virus removal

 

Important Note: Although it is possible to manually remove Ukash Virus, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Spyhunter or other tools found on 2-viruses.com.


It is impossible to list all file names and locations of modern parasites. You can identify remaining parasites, other Ukash Virus infected files and get help in Ukash Virus removal by using Spyhunter scanner. 

 


86 thoughts on “Ukash Virus”

  1. Thomas Smith
     

    It was all good until the “Fix Threats” Stage. Turns out you need to buy the full version to “remove threats”. This is a dead end. Either way you have to pay to get rid of the virus… It would have been easier if you mentioned it before

     
  2. Andy
     

    Download the AVG PC Rescue iso on another computer, burn it to a disk (using ImgBurn or similar software) and boot up using the disk. Update AVGPCR, run virus scan. Boom done. All for the price of a CD. (also works on pen drives)

     
  3. HugoM
     

    Lost a full hour on it. After detection, you need to buy the software to remove the threats. This should be indicated clearly.

     
  4. victor harris
     

    I tried all the above and to no avail. Then you have to buy software etc.
    Simple solution as follows.
    Open your computer in safe mode.
    Go to control panel. Hit system restore to an earlier date. You should have some idea as to when this virus arrived.
    Restore your system to a date previous to this virus attack.
    Your computer will re-load itself when complete.
    Bingo my Ukash virus is gone.

     
  5. Sourin Bose
     

    1. This virus has affected my computer and it does not allow to start Windows.
    2. I started in Safe Mode, and removed all the sensitive files to an EHD.
    3. I started WIN-XP from CD to install it new.
    4. Reformatted the HD (C:) while installing.
    5. The Windows Program does not install – it keeps looping.
    Any answers?

    SB

     
  6. K.E.Parker
     

    I had UKash on my computer; luckily I have three user names on it, so I just changed user name and ran Malwarebytes. Surprisingly AVG then sprang up and found the virus as well, got rid and now back to normal.

     
  7. Jimmy
     

    When I click enter to ‘start on safe networking mode’ the virus is still there and I can’t open the start menu or do anything else. Help :(

     
    1. Giedrius Majauskas (admin)
       
       
      Post author

      Jimmy: There are 3 ways to solve this
      1. It might be a version that blocks all modes but command prompt. Then these removal instructions are applicable: http://www.2-viruses.com/remove-gimemo-trojan
      2. It might be a version that blocks all modes. If there is a small gap to launch http://www.youtube.com/watch?v=1Yl0JcAV5Ic (the video in the post shows how to get rid of it)
      3. If everything fails, boot from Norton Power Eraser or another alternate OS scanner. These solve the problem

       
  8. neil
     

    I was infected last Friday; it happened to me twice this summer period. Thanks to YouTube and these kinds of websites I was able to get rid of the infections with AVG. I lost £200 to the Ukash virus; they’re the ones who should be fined.

     
  9. Dan
     

    I can’t bring up the start menu or do anything!! If I turn the laptop off and back on again it comes straight back up! I don’t know what to do!! Please help!!

     
  10. Jim Bob
     

    I am not very computer literate but did what Victor Harris #7 suggested re restoring to earlier date and am now fully operational again :).
    Are there any drawbacks to this simple solution? Could I still have files affected and not know by using this method?

     
  11. paul
     

    I can’t seem to get into my system, can’t open safe mode as it tells me i need a windows bitlocker drive encryption recovery key….any ideas anyone?

     
  12. Aggie
     

    I got the Ukash virus 2 days ago.. I have restored the system, scanned it with McAfee anti-virus that found 2 trojans (including Ukash), deleted them. I also scanned my system with Malwarebytes but it didn’t detect anything.. do you think the Ukash virus is now totally gone??

     
  13. Sam Dossa
     

    I had two customers come in with similar issues. I ran the virus scanner, which didn’t find anything on the system. I removed the user’s profile from the registry and renamed the profile, which resolved the issue.

     
  14. ukash
     

    Sam: As long as you can access the disk, one needs to delete one file only (usually directly from %AppData%). Removal of all user settings is not needed in most cases.

     
  15. Mark
     

    Simply removed without all the mumbo-jumbo.
    In safe mode go to system restore, select a system restore point that is dated prior to the problem. Restore … fixed.

    Note .. it will not alter your file, all will be there as you last used them.

    Cheers

     
  16. PI Maintenance Man
     

    You can get rid of this nasty little pest by rebooting into safemode with networking. When it has booted up do the following:
    Click Start
    Click on Computer
    In the Search computer box top right of the screen type *.exe and press enter.
    The computer will start a long search for .exe files
    Once the search is finished, the virus file will be at the top of the list as the latest .exe. It may have a weird name but it will have the date it was downloaded, which should be, say, the current date or the previous day.
    After locating the offending file, highlight it and delete it.
    Once deleted it will be in your recycle bin.
    Empty the recycle bin.

     
  17. DOGSNOB
     

    My mate got it, UKASH using West Yorkshire Police ransom page, a second time yesterday, after a lengthy job of clearing it the first time, he uses Vista, I then set up a “Guest user” account with no log on, opened that, accessed “msconfig” and selected for SAFE MODE in BOOT UP, when it restarted I could then select the main account, then opened, control panel, back up & restore, then selected a scheduled back up from 2 days before. After the successful restart, everything OK, then went back to , msconfig, deselected safe mode, after restart everything OK. I checked for the suspect files in AppTemp & AppData, they were not present, but did a full scan with AVG which found the offenders and got rid of them.

     
  18. JohnnieB
     

    Hi, I’ve tried all methods and none are working. The system restore one sounds the easiest but I have restore functions disabled and have to be logged in normally to amend, and as you know – this damn virus doesn’t allow you to do that for more than 5 seconds! Any help would be appreciated! I’m on XP. Thanks!

     
  19. ricky p
     

    I had this horrible virus today and removed it after a while. I am lucky enough to have two laptops, and downloaded the trial version of Malwarebytes anti-malware software, then I put the installer onto a memory stick. I opened my infected computer in safe mode with command prompt, then I wrote explorer in the command. I then opened in safe mode, put the memory stick in and installed the Malwarebytes software. It took about an hour and fifteen minutes to scan, then when it had finished scanning I put a check in every infected file, then restarted and it worked. Hope it works for you

     
  20. JJ
     

    I’ve been infected with this virus twice now, but managed to get rid of it without downloading any other programmes . . after all the last thing you wanna do is download even more stuff to your computer only to find that you have to pay at the end of the Scan . Waste of time . so instead of paying the virus makers, you pay someone else who takes advantage at your hour of need . . Honestly software pushers . . we aren’t interested in that, we want it gone . . and for free. I already had SUPERantiSpyware . . (free edition) installed from when I bought my computer. Restarted my computer then pressed F8 like mad, chose safe mode with DOS prompt, waited for it to start up . . typed “explorer” in the prompt to give me access to Windows Explorer . . then started the Scan using SuperantiSpyware . . it located the trojans, and corrected the registry all in one scan . . . booted my computer up normally after this was done, and hey presto . . no annoying white screen or police guy telling me I owe him 100 bucks . . . how about I give ya nothing buddy . . will that do ya? If you haven’t got this program I would recommend it . . search on Google and it’s the first thing that comes up . . and all for free, what ya got to lose ?

     
    1. Giedrius Majauskas (admin)
       
       
      Post author

      JJ: I recommend you follow your own advice and purchase the full version of SuperAntiSpyware – if it detected the version of trojans you had, you would not be infected in the first place. Sadly, free SAS is scanner only, and it is surprising that updates were installed as well. Personally, I do not like it – it is set up to be launched on startup even if it provides 0 protection without a license, its detection ratio is not the best too (in my opinion) and it detects lots of cookies without good enough reason.

       
  21. JJ
     

    @Giedrius Majauskas (admin) I think I will purchase the whole package for SUPERAntispyware when my subscription to another virus protection program I use runs out (Don’t really wanna be paying for 2, especially when the one I am paying for doesn’t detect it). But it just goes to prove that paid-for software sometimes doesn’t catch these things, But my FREE version of SAS did and fixed it . . I can even update its virus database. I was unaware that the free version is scanner only, since mine updated, scanned and cleaned my machine?? Just thought I’d post my little success here, just in case others find it useful. I think it didn’t detect the threat initially as I wasn’t running it and used my paid-for antivirus, thinking I would be safe . . I’ll keep SAS running now instead to see if Ukash virus gets through it, if it does I’ll repost so people know. Thanks for all your advice here, it’s good to know there are people out there who help :-).

     
    1. Giedrius Majauskas (admin)
       
       
      Post author

      JJ: SAS does not replace full antivirus. It does not fix infected files, and does not work against other threats. It is anti-malware only, so if you want an antivirus, go for Kaspersky, ESET, AVG, AVAST, Avira. Sometimes they fail and anti-malware fixes the problem.

       
  22. JJ
     

    @Giedrius Majauskas (admin)

    Thanks a lot, I’ve written those down . . I’ve used AVG before and recall it was a good programme that caught most things. But you are right, I did scan my computer with everything I had: PCtoolsSpyware doctor (Monthly sub), Microsoft Defender and of course SAS. I think between all of em . . they cleaned my system. :-). Thanks again, and I hope this horrible virus doesn’t strike again.

     
  23. JH
     

    I have got this Ukash virus and I’ve had it for a few days now and can’t get rid of it. I’ve tried in safe mode with networking but nothing seems to happen and when I turn my laptop on it goes straight to Ukash, I can’t even click on the “start” button. I literally can’t do anything. I’m totally lost without my laptop. Someone help :(

     
  24. Michael
     

    I also have a version of this virus … It actually locks the keyboard so I can’t use it, I’m able to use to get to the boot menu , at that point I have the option of starting windows normally, in safe mode , etc. but that’s when my keyboard stops functioning.. Any ideas?

     
  25. Chandra
     

    Yesterday I got ransomware on my computer. I am writing this from another laptop. I have gone through all the posts here. To solve my problem I created another admin user via safemode command prompt. New user is working fine. Logged in through new user and scanned using AVG & Hitman pro but the virus is still not going which affected to the main user. Can you please help me to clean the main user.

     
  26. David
     

    Got this today, and got rid within an hour.
    Switch off m/c, re-start but keep pressing F8 whilst m/c restarts.
    Open m/c in SAFE MODE WITH NETWORKING.
    Once m/c has started, in search, find free anti-malware download,
    Download and then run full system scan. Switch off m/c when scan has finished, restart in normal mode and then do a quick scan using the same software again. Finally, update your own antivirus software, as this may well be out of date!
    If this does not work, then I suggest a system restore back to before you got the infection!
    Don’t forget to update your own security syst to ensure that this infection is found and destroyed BEFORE it shuts you down.

     
  27. Pingback: PaysafeCard Virus - how to remove

  28. nola
     

    What is the easiest way to get rid of this as I am not good at computers
    and find it hard to understand. can you help me

     
  29. Liam
     

    Thank you so much for the helpful video instructions who knew a technological idiot like myself could rid my of of a virus thanks again

     
  30. mattyboy
     

    Press F8 on starting computer. Select ‘repair my computer’; from here go to ‘system restore’ and restore computer to an earlier point (pre virus)…job done!

     
  31. Ian B
     

    Just found a way around this, having spent an hour or so scratching my head looking at the trojan’s “Cheshire Police” page. Here’s how to get round it-

    Reboot your computer. When bootup has completed, you get a couple of seconds when the Start Menu is active but Ukash hasn’t loaded yet. So, being fast;

    Hit the start button on your keypad, quickly type “notepad” and hit enter, then type some random letters into Notepad. You can just do this before the trojan takes over. Now, when the trojan has taken over,

    Ctrl-Alt-Del and select “log off”.

    Windows attempts to log you off, it shuts down the Ukash trojan, but can’t shut down notepad because it has unsaved data in it (the random letters you typed) and the log off stalls. Now cancel logging off.

    You now have control of the PC and can hunt down the Ukash trojan, registry keys etc. and delete it at leisure.

    I was unable to do anything with Safe Mode because my version of UKash was shutting the computer down again if I tried to boot into Safe Mode.

    Hope this kludge helps someone who finds this page, like me, because of desperation with this.

     
  32. AlexF
     

    Contracted what seems to be a particularly nasty version of the Hadopi virus yesterday.

    I’ve tried all the ideas above but no joy – this version seems to disable the keyboard even during boot up so I can’t use safe mode (F8 invokes safe mode but I can’t then scroll to any of the options so it times out and boots Windows (XP));

    I have downloaded AVG Rescue CD but “press any key to boot from CD” doesn’t work, so it boots Windows;

    I’ve tried Ian B’s pressing the start button trick, but start menu doesn’t become active so this doesn’t work;

    I only have (had) one user partition so I can’t access an alternative…

    Help!!…please!!!!

     
  33. AlexF
     

    @Giedrius Majauskas (admin)
    Logitech USB keyboard. I like the idea of removing the HDD and scanning it on another machine; unfortunately, the infected HDD has a SATA interface and I only have IDE on my other PC :(

    However, I can report some progress – have removed the block, but I’m not entirely sure how! I found that if I let the machine start windows, then in the couple of seconds before it entered blocked state, if I pressed the on/off button it hung with the desktop background image and an error message: “xxxDLL failed because windows is shutting down”. At that point, I managed to open Notepad, as in IanB’s solution above, and create an unsaved file. Clicking OK in the error window, it repeated with umpteen DLLs which hadn’t finished loading.

    After this I started Windows Task Manager with ctrl/alt/del and found I could log off as current user, which brought me back to the normal log on screen with my user name (this screen used to appear, but stopped a few weeks ago). Logging back in gave me my normal desktop which seems fully useable. I then downloaded SpyHunter and tried to install it, but this failed because my boot drive letter is F: (for some reason better known to Microsoft when I upgraded my mobo and reinstalled WinXP a couple of years ago!).

    I’m currently stuck at this point because I’m not allowed to rename the drive to the C: that SH is looking for (and fails to install if it can’t find it).

    I’m now very keen to scan the drive and am running Norton full system scan, but I’m not confident with this because Norton failed to intercept the Hadopi virus (Catch 22!).

     
  34. Ian B
     

    AlexF-

    Once you’ve got control of the machine back, it’s pretty easy to remove this, at least the version I had.

    It lives in your directory /Users/[Account Name]/AppData/Roaming

    Look for some directories with random names (mine was “Ymno”) in the Roaming folder, and also there was a file called “skype.dat” in the Roaming folder; the trojan will apparently pick a random but “normal” looking name like that for itself. Delete them.

    Also, look in MSConfig for a strange startup entry, pointing to those directories mentioned above, and disable it (you can then remove it entirely by removing it from the registry).

    By the way, the point of the Notepad file was to *prevent* the logging off process completing; the idea is, you CTRL-ALT-DEL and select log off; the logging off process then closes down UKASH, but stalls at the Notepad file because it has unsaved data. At that point, you can cancel logging off and get to work deleting the virus.

     
    1. Giedrius Majauskas (admin)
       
       
      Post author

      Ian: The names and locations vary depending on version. In many cases it is easier to run MSConfig and check for the location there, and if not – run regedit and check the Shell variable for malicious programs. It is not always in %AppData%.

       
  35. AlexF
     

    Ian B

    Many thanks for the tips. I can’t find a Roaming directory. It’s not in my AppData directory and a search on the C: drive (actually F: in my case, as mentioned above!). However, I’ve run HitmanPro and the machine now seems to be behaving itself.

    MSConfig throws up a load of weird entries (in addition to recognisable ones) and I’m a bit nervous of deleting something I may actually need! Thanks for the clarification about the Notepad file. My problem was, with the Hadopi version of the Ukash virus I had was that it seemed to disable the keyboard, so I couldn’t CTRL-ALT-DEL or use the Start key to ‘get in’. I eventually managed to get in by hitting the on/off button briefly during the couple of seconds the desktop background image showed before the white virus ‘block’ screen appeared. This had the effect of bringing up “can’t run … because the machine is shutting down” errors and so let me in. I’ve now set up alternative user accounts just in case.

    Something I would like to know is, whilst HitmanPro, Ukash virus removal tool, etc will/claim to get rid of the virus once you’ve got it, is there any tool which will intercept it before it gets in? I run Norton Internet Security but the Hadopi clearly got past that quite easily!

    Very many thanks to Giedrius and yourself for all your help; much appreciated :)

     
