Ukash Virus - How to remove

Ukash Virus is an aggressive group of ransomware scams that try to swindle money from you. It is very convincing because its alerts are presented as coming from an official institution, e.g. the local or national police. It locks your computer completely, so the only thing you can do is read the message, which advises paying a fine to unlock the computer. Of course, this is only a scam and paying the fine will not change anything. The institutions impersonated vary from police to copyright bodies. However, in many cases the messages and designs are similar or even shared between versions, and there are few unique details.

This ransomware is named Ukash Virus after the payment system it requires: the fines are paid using a pre-paid system called Ukash. No official institution would ask for payment via a system like this, which only confirms that this is not a real warning but a virus used by scammers. Note that the payment system Ukash itself is perfectly legitimate and accepted in some countries, mostly European ones, Canada and Australia. Starting in 2013, this ransomware began targeting South American sites as well. The most recent additions include Bolivia and Argentina.

Ukash Virus has a few features to recognise it by. They reveal that this ransomware’s warnings should be ignored:

Behaviour of the ransomware
  • Blocks access to the infected computer
  • Demands you to pay a police fine
  • Uses the Ukash system to collect the payments
Spreading of the virus
  • Malvertising
  • Trojans preinstalled on the infected computer
Affected devices
  • PCs
  • Mac computers
  • iOS and Android devices
Removal of Ukash virus
  • Use Safe Mode to bypass the screen locker
  • Scan the infected device with anti-malware tools (Spyhunter, Combo-Cleaner)

How Ukash virus is categorized

There are 2 distinct types of ransomware: the “Police” type and the crypto type. The first extorts money by using someone else’s authority to justify paying (not necessarily the police; it can be some copyright authority too), while the second holds one’s data hostage. While payment methods might vary, Ukash was used for Police viruses the most.

The lockers that encrypt your data are very dangerous because they may as well have deleted it. But most Ukash viruses are screen lockers that stop you from accessing your computer by displaying various fake warnings and don’t corrupt your files.

The exact name of the parasite depends on several things. For one, there are various independent strains of this ransomware. Secondly, the name changes depending on the country the computer runs in, even if the text used is basically the same (although it might be translated). In most cases the law is cited incorrectly, as the texts are mostly translations from a single source; the authors don’t bother to check local law.

Typically, Ukash Virus will be installed silently when you visit an infected website or one displaying malicious advertisements. In most of the cases, website owners are not aware of malware and sooner or later clean the site. The risks are increased if you run vulnerable Java or Flash versions. Thus it is impossible to tell which websites are safe or dangerous without good antivirus protection. Additionally, Ukash Virus might be installed by network worms, torrent downloads or email spam.

The biggest problem is that Ukash Virus comes in several flavours and no single approach will be successful in all cases. Due to the fact that the virus is really diverse, it can affect various systems and even programs.

Ukash infects Mac

For instance, some users on the Apple support forum are complaining that Ukash virus hit their Mac computer. There have also been reports of the virus infecting Android phones and tablets, so basically no one is safe.

Also known as Metropolitan Police virus (because it claims to come from them), Ukash virus is adapted to specific countries and its name varies: it is called GVU trojanner or Bundesamt für Polizei in Germany, Police Nationale in France and Polizia Di Stato in Italy.

This variety shows that the ransomware must have affected some people enough for them to actually pay the ransom. Unfortunately, that’s unsurprising — invoking the names “violation of federal law”, “FBI”, and other trusted and powerful institutions will strongly affect a lot of people.

Special Removal Instructions for Ukash Virus

If you have access to other accounts on the infected PC, you should scan the whole PC with an anti-malware program, e.g. Spyhunter. This is by far the simplest way to remove the parasite. System restore would be an option too. However, if you can’t do this, there are several other strategies. To determine which one you should use, do the following:

  1. Reboot.
  2. Press F8.
  3. Try the safe modes in the following order: Safe mode, Safe mode with networking and Safe mode with command prompt.

Depending on the outcome, use one of the following guides:

Versions that allow booting to Safe mode or Safe mode with networking (Malex / Reveton)

  1. Restart your computer. Press F8 while it is restarting.
  2. Choose safe mode or safe mode with networking.
  3. Launch MSConfig.
  4. Disable startup items in which rundll32 launches any application from Application Data. Note that these are typical locations for Ukash Virus, but others might be used.
  5. Restart the system once again.
  6. Scan with https://www.2-viruses.com/downloads/spyhunter-i.exe to identify Ukash Virus files and delete them.

Versions that allow booting to safe mode with command prompt

Gimemo and Epubb trojans are behind this version of Ukash Virus. This version is more difficult to remove.

  1. Reboot PC in safe mode with command prompt.
  2. Run Regedit.
  3. Search for WinLogon entries. Write down all files they reference that are not explorer.exe or blank. Replace them with explorer.exe.
  4. Search registry for Ukash Virus files and delete the registry keys referencing the files.
  5. Try to reboot and scan with Spyhunter.
  6. If this fails, try doing a system restore from safe mode with command prompt (rstrui.exe).
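
The two registry checks in the guides above (startup items that run a program out of Application Data, often through rundll32, and Winlogon entries that are not explorer.exe) can be run over saved `reg query` output. This is an added example, not part of the original guide; the sample text, user name and file names are constructed, and the choice of the Run/RunOnce keys and of the profile-path markers is an assumption.

```python
import re

# Constructed sample in the shape `reg query <key>` prints; the user name and
# file names are invented for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe,C:\Users\alice\AppData\Roaming\qxzt.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\Windows\system32\ctfmon.exe
    Qxzt    REG_SZ    rundll32.exe "C:\Users\alice\AppData\Roaming\Qxzt\qxzt.dll",Start
"""

# A value line is "<name> <type> <data>", separated by four spaces (or by tabs
# on older Windows versions); the data part may be missing for a blank value.
VALUE_RE = re.compile(
    r"^\s+(?P<name>.+?)(?:\s{4}|\t)(?P<type>REG_[A-Z_]+)"
    r"(?:(?:\s{4}|\t)(?P<data>.*))?$"
)
# Assumption: per-user profile locations named in the guide and its comments.
PROFILE_MARKERS = ("\\appdata\\", "\\application data\\", "%appdata%")


def parse(text):
    """Yield (key, value_name, data) for each value line under a key header."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, m.group("name"), (m.group("data") or "").strip()


def basename(path):
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(text):
    """Return (key, value_name, data, reason) for every entry worth a look."""
    findings = []
    for key, name, data in parse(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith("\\winlogon") and n == "shell":
            # Strict on purpose: anything but blank or plain explorer.exe is
            # reported, including a full path, so a person can decide.
            if d not in ("", "explorer.exe"):
                findings.append((key, name, data, "Shell is not plain explorer.exe"))
        elif k.endswith("\\winlogon") and n == "userinit":
            # The Windows default is userinit.exe followed by a comma.
            extra = [e for e in data.split(",")
                     if e.strip() and basename(e) != "userinit.exe"]
            if extra:
                findings.append((key, name, data, "Userinit starts an extra program"))
        elif k.endswith(("\\run", "\\runonce")):
            if any(marker in d for marker in PROFILE_MARKERS):
                how = "via rundll32 " if "rundll32" in d else ""
                findings.append(
                    (key, name, data, f"starts a program {how}from the user profile"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in audit(SAMPLE):
        print(f"{reason}\n  {key}\n  {name} = {data}")
```
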

Ukash Virus that disables all safe modes

Some versions of Ukash Virus disable all safe modes, but leave a short gap that you can use to run anti-malware programs. In that case, do the following:

  1. Reboot normally.
  2. Start->Run.
  3. Enter: http://2-viruses.com/downloads/spyhunter-i.exe . If the malware has already loaded, just press Alt+Tab once and keep entering the string blindly. Press Enter.
  4. Press Alt+Tab and then R a couple of times. The Ukash Virus process should be killed.

Hitman Pro USB disk

Lastly, you might resort to scanning the PC with a bootable USB or DVD disk. These should be able to remove all versions of Ukash Virus, but will not work if your hard drive is encrypted.

For that, we recommend using Hitman Pro Kickstarter USB.

  1. Download Hitman Pro on an uninfected PC.
  2. Run Hitman Pro and ask it to create a Kickstarter USB (option on the initial screen).
  3. When the USB is ready, reboot the infected PC with the USB attached and press DEL.
  4. Choose USB as the primary boot device.
  5. Boot normally.
  6. Run Hitman Pro and https://www.2-viruses.com/downloads/spyhunter-i.exe . One of these programs should detect and remove malware from your PC.

Remove Ukash virus from Mac

  1. Download and scan your computer with Combo Cleaner;
  2. Restore locked files by following this “Restore Mac to a Previous Date” guide.

89 responses to “Ukash Virus”

  1. Ukash Virus now restarts PC if safe mode is attempted – until “start windows normally” is selected.

  2. It was all good until the “Fix Threats” Stage. Turns out you need to buy the full version to “remove threats”. This is a dead end. Either way you have to pay to get rid of the virus… It would have been easier if you mentioned it before

  3. Download the AVG PC Rescue iso on another computer, burn it to a disk (using ImgBurn or similar software) and boot up using the disk. Update AVGPCR, run virus scan. Boom done. All for the price of a CD. (also works on pen drives)

  4. Lost a full hour on it. After detection, you need to buy the software to remove the threats. This should be indicated clearly.

  5. I tried all the above and to no avail. Then you have to buy software etc.
    Simple solution as follows.
    Open your computer in safe mode.
    Go to control panel. Hit system restore to an earlier date. You should have some idea as to when this virus arrived.
    Restore your system to a date previous to this virus attack.
    Your computer will re-load itself when complete.
    Bingo my Ukash virus is gone.

  6. 1. This virus has affected my computer and it does not allow to start Windows.
    2. I started in Safe Mode, and removed all the sensitive files to an EHD.
    3. I started WIN-XP from CD to install it new.
    4. Reformatted the HD (C:) while installing.
    5. The Windows Program does not install – it keeps looping.
    Any answers?

    SB

  7. I had UKash on my computer; luckily I have three user names on it, so I just changed user name and ran Malwarebytes. Surprisingly, AVG then sprang up and found the virus as well, got rid and now back to normal.

  8. When I click enter to ‘start on safe networking mode’ the virus is still there and I can’t open the start menu or do anything else. Help 🙁

  9. I was infected last Friday; it happened to me twice this summer period. Thanks to YouTube and these kinds of websites I was able to get rid of the infections with AVG. I lost £200 to the Ukash virus; they’re the ones who should be fined.

  10. I cant bring up the start menu or do anything!! If i turn the laptop off and back on again it comes straight back up! I dont know what to do!! Please help!!

  11. I am not very computer literate but did what Victor Harris #7 suggested re restoring to earlier date and am now fully operational again :).
    Are there any drawbacks to this simple solution? Could I still have files affected and not know by using this method?

  12. @Victor Harris….you have just made my friend very happy…… Easy solution and it got rid of UKASH Virus….. ! ! ! xx

  13. I can’t seem to get into my system, can’t open safe mode as it tells me i need a windows bitlocker drive encryption recovery key….any ideas anyone?

  14. I have got the Ukash virus 2 days ago.. I have restored the system, scanned it with McAfee anti-virus that found 2 trojans (including Ukash), deleted them. I also scanned my system with Malwarebytes but it didn’t detect anything.. do you think the Ukash virus is now totally gone??

  15. I had two customers come in with similar issues. I ran the virus scanner, which didn’t find anything on the system. I removed the user’s profile from the registry and renamed the profile, which resolved the issue.

  16. @victor harris
    Yay! Thanks Victor. You saved me. All the other instructions were so complex. Yours were simple easy and worked. Thank you a million 🙂

  17. Thankyou so much for the advice with this. Real help and has saved me a lot of worry. Thanks again!

  18. Sam : As long as you can access the disk, one needs to delete one file only (usually directly from %AppData%). Removal of all user settings is not needed in most cases.

  19. Simply removed without all the mumbo-jumbo.
    In safe mode go to system restore, select a system restore point that is dated prior to the problem. Restore … fixed.

    Note .. it will not alter your file, all will be there as you last used them.

    Cheers

  20. Quick question when you say go to control panel and select restore to earlier date, where do I find that. Thanks for the help

  21. Vic is the man…does that work for all such? made my day and saved my ass from having to buy anything..

  22. @joe oct 15 2012 post…control panel>system and security..then it should say “restore to earlier date”

  23. You can get rid of this nasty little pest by rebooting into safemode with networking. When it has booted up do the following:
    Click Start
    Click on Computer
    In the Search computer box top right of the screen type *.exe and press enter.
    The computer will start a long search for .exe files.
    Once the search is finished, the virus file will be at the top of the list as the latest .exe. It may have a weird name, but it will have the date it was downloaded, which should be, say, the current date or the previous day.
    After locating the offending file, highlight it and delete it.
    Once deleted it will be in your recycle bin.
    Empty the recycle bin.

  24. It will not let me on Safe mode and doesn’t give me time to get to system restore any ideas?

  25. My mate got it, UKASH using West Yorkshire Police ransom page, a second time yesterday, after a lengthy job of clearing it the first time, he uses Vista, I then set up a “Guest user” account with no log on, opened that, accessed “msconfig” and selected for SAFE MODE in BOOT UP, when it restarted I could then select the main account, then opened, control panel, back up & restore, then selected a scheduled back up from 2 days before. After the successful restart, everything OK, then went back to , msconfig, deselected safe mode, after restart everything OK. I checked for the suspect files in AppTemp & AppData, they were not present, but did a full scan with AVG which found the offenders and got rid of them.

  26. Hi, I’ve tried all methods and none are working. The system restore one sounds the easiest but I have restore functions disabled and have to be logged in normally to amend, and as you know – this damn virus doesn’t allow you to do that for more than 5 seconds! Any help would be appreciated! I’m on XP. Thanks!

  27. i had this horrible virus today and removed it after a while , i am lucky enough to have two laptops , and downloaded the trial version of malwarebytes anti malware software ,then i put the installer onto a memory stick , i opened my infected computer in safe mode with command prompt then i wrote explorer in the command, i then opened in safe mode ,put memory stick in and installed the malware bytes software, it took about an hour and fifteen minutes to scan ,then when it had finished scanning i put a check in every infected file then restarted and it worked hope it works for you

  28. Yeah the virus got me by surprise. Turned off computer, turned it back on and everything is cool
    cheers

  29. I’ve been infected with this virus twice now, but managed to get rid of it without downloading any other programmes . . after all the last thing you wanna do is download even more stuff to your computer only to find that you have to pay at the end of the Scan . Waste of time . so instead of paying the virus makers, you pay someone else who takes advantage at your hour of need . . Honestly software pushers . . we aren’t interested in that, we want it gone . . and for free. I already had SUPERantiSpyware . . (free edition) installed from when i bought my computer. Restarted my computer then pressed F8 like mad, chose safe mode with Dos prompt, waited for it to start up . . typed “explorer” in the prompt to give me access to window explorer . . then started the Scan using SuperantiSpyware . . it located the trojans, and corrected the registry all in one scan . . . booted my computer up normally after this was done, and hey presto . . no annoying white screen or police guy telling me i owe him 100 bucks . . . how about i give ya nothing buddy . . will that do ya? If you haven’t got this programme i would recommend it . . search on google and it’s the first thing that comes up . . and all for free, what ya got to lose ?

  30. JJ: I recommend you follow your own advice and purchase full version of SuperAntiSpyware – if it detected the version of trojans you had, you would not be infected at the first place. Sadly, free SAS is scanner only, and it is surprising that updates were installed as well. Personally, I do not like it – it is set up to be launched on startup even if it provides 0 protection without a license, Its detection ratio is not the best too (in my opinion) and it detects lots of cookies without good enough reason.

  31. @Giedrius Majauskas (admin) I think i will purchase the whole package for SUPERAntispyware when my subscription to another virus protection program i use runs out (Don’t really wanna be paying for 2, especially when the one i am paying for doesn’t detect it). But it just goes to prove that paid for software sometimes doesn’t catch these things, But my FREE version of SAS did and fixed it . . i can even update its virus database. I was unaware that the free version is scanner only, since mine updated, scanned and cleaned my machine?? Just thought i’d post my little success here, just in case others find it useful. I think it didn’t detect the threat initially as i wasn’t running it and used my paid for antivirus, thinking i would be safe . . i’ll keep SAS running now instead to see if Ukash virus gets through it, if it does i’ll repost so people know. Thanks for all your advice here, it’s good to know there are people out there who help :-).

  32. JJ: SAS does not replace full antivirus. It does not fix infected files, and does not work against other threats. It is anti-malware only, so if you want an antivirus, go for Kaspersky, ESET, AVG, AVAST, AVira. Sometime they fail and anti-malware fixes the problem.

  33. @Giedrius Majauskas (admin)

    Thanks a lot, i’ve written those down . . i’ve used AVG before and recall it was a good programme that caught most things. But you are right, i did scan my computer with everything i had PCtoolsSpyware doctor (Monthly sub), microsoft defender and of course SAS. I think between all of em . . they cleaned my system. :-). Thanks again, and i hope this horrible virus doesn’t strike again.

  34. I have got this Ukash virus and ive had it for a few days now and cant get rid of it. Ive tried in safe mode with networking but nothing seems to happen and when i turn my laptop on it goes straight to Ukash, i cant even click on the “start” button. I literally cant do anything. Im totally lost without my laptop. Someone help 🙁

  35. I also have a version of this virus … It actually locks the keyboard so I can’t use it, I’m able to use to get to the boot menu , at that point I have the option of starting windows normally, in safe mode , etc. but that’s when my keyboard stops functioning.. Any ideas?

  36. Yesterday I got ransomware on my computer. I am writing this from another laptop. I have gone through all the posts here. To solve my problem I created another admin user via safemode command prompt. New user is working fine. Logged in through new user and scanned using AVG & Hitman pro but the virus is still not going which affected to the main user. Can you please help me to clean the main user.

  37. Got this today, and got rid within an hour.
    Switch off m/c, re-start but keep pressing f8 whilst m/ c restarts.
    Open m/c in SAFE MODE WITH NETWORKING.
    Once m/c has started, in search, find free anti- malware download,
    Download and then run full system scan. Switch off m/c when scan has finished, restart in normal mode and then do a quick scan using the same software again. Finally, update your own antivirus software , as this may well be out of date!
    If this does not work, then I suggest a system restore back to before you got the infection!
    Don’t forget to update your own security syst to ensure that this infection is found and destroyed BEFORE it shuts you down.

  38. What is the easiest way to get rid of this as I am not good at computers
    and find it hard to understand. can you help me

  39. Great help
    Thanks for the You-tube tutorial hopefully that’s the last I see of the virus

  40. Thank you so much for the helpful video instructions, who knew a technological idiot like myself could rid myself of a virus, thanks again

  41. i get as far as safe mode, put in my password then that white screen appears.. why cant i get any further on?

  42. Press F8 on starting computer. Select ‘repair my computer’, from here go to ‘system restore’ and restore computer to an earlier point (pre virus)…job done!

  43. Just found a way around this, having spent an hour or so scratching my head looking at the trojan’s “Cheshire Police” page. Here’s how to get round it-

    Reboot your computer. When bootup has completed, you get a couple of seconds when the Start Menu is active but Ukash hasn’t loaded yet. So, being fast;

    Hit the start button on your keypad, quickly type “notepad” and hit enter, then type some random letters into Notepad. You can just do this before the trojan takes over. Now, when the trojan has taken over,

    Ctrl-Alt-Del and select “log off”.

    Windows attempts to log you off, it shuts down the Ukash trojan, but can’t shut down notepad because it has unsaved data in it (the random letters you typed) and the log off stalls. Now cancel logging off.

    You now have control of the PC and can hunt down the Ukash trojan, registry keys etc. and delete it at leisure.

    I was unable to do anything with Safe Mode because my version of UKash was shutting the computer down again if I tried to boot into Safe Mode.

    Hope this kludge helps someone who finds this page, like me, because of desperation with this.

  44. Contracted what seems to be a particularly nasty version of the Hadopi virus yesterday.

    I’ve tried all the ideas above but no joy – this version seems to disable the keyboard even during boot up so I can’t use safe mode (F8 invokes safe mode but I can’t then scroll to any of the options so it times out and boots Windows (XP));

    I have downloaded AVG Rescue CD but “press any key to boot from CD” doesn’t work, so it boots Windows;

    I’ve tried Ian B’s pressing the start button trick, but start menu doesn’t become active so this doesn’t work;

    I only have (had) one user partition so I can’t access an alternative…

    Help!!…please!!!!

  45. @Giedrius Majauskas (admin)
    Logitech USB keyboard. I like the idea of removing the HDD and scanning it on another machine; unfortunately, the infected HDD has a SATA interface and I only have IDE on my other PC 🙁

    However, I can report some progress – have removed the block, but I’m not entirely sure how! I found that if I let the machine start windows, then in the couple of seconds before it entered blocked state, if I pressed the on/off button it hung with the desktop background image and an error message: “xxxDLL failed because windows is shutting down”. At that point, I managed to open Notepad, as in IanB’s solution above, and create an unsaved file. Clicking OK in the error window, it repeated with umpteen DLLs which hadn’t finished loading.

    After this I started Windows Task Manager with ctrl/alt/del and found I could log off as current user, which brought me back to the normal log on screen with my user name (this screen used to appear, but stopped a few weeks ago). Logging back in gave me my normal desktop which seems fully useable. I then downloaded SpyHunter and tried to install it, but this failed because my boot drive letter is F: (for some reason better known to Microsoft when I upgraded my mobo and reinstalled WinXP a couple of years ago!).

    I’m currently stuck at this point because I’m not allowed to rename the drive to the C: that SH is looking for (and fails to install if it can’t find it).

    I’m now very keen to scan the drive and am running Norton full system scan, but I’m not confident with this because Norton failed to intercept the Hadopi virus (Catch 22!).

  46. AlexF-

    Once you’ve got control of the machine back, it’s pretty easy to remove this, at least the version I had.

    It lives in your directory /Users/[Account Name]/AppData/Roaming

    Look for some directories with random names (mine was “Ymno”) in the Roaming folder, and also there was a file called “skype.dat” in the Roaming folder; the trojan will apparently pick a random but “normal” looking name like that for itself. Delete them.

    Also, look in MSConfig for a strange startup entry, pointing to those directories mentioned above, and disable it (you can then remove it entirely by removing it from the registry).

    By the way, the point of the Notepad file was to *prevent* the logging off process completing; the idea is, you CTRL-ALT-DEL and select log off; the logging off process then closes down UKASH, but stalls at the Notepad file because it has unsaved data. At that point, you can cancel logging off and get to work deleting the virus.

  47. Ian : The names and locations vary depending on version. In many cases it is easier to run MSConfig and check for location there, and if not – run regedit and check Shell variable for malicious programs. It is not always in %AppData%.

  48. Ian B

    Many thanks for the tips. I can’t find a Roaming directory. It’s not in my AppData directory and a search on the C: drive (actually F: in my case, as mentioned above!). However, I’ve run HitmanPro and the machine now seems to be behaving itself.

    MSConfig throws up a load of weird entries (in addition to recognisable ones) and I’m a bit nervous of deleting something I may actually need! Thanks for the clarification about the Notepad file. My problem was, with the Hadopi version of the Ukash virus I had was that it seemed to disable the keyboard, so I couldn’t CTRL-ALT-DEL or use the Start key to ‘get in’. I eventually managed to get in by hitting the on/off button briefly during the couple of seconds the desktop background image showed before the white virus ‘block’ screen appeared. This had the effect of bringing up “can’t run … because the machine is shutting down” errors and so let me in. I’ve now set up alternative user accounts just in case.

    Something I would like to know is, whilst HitmanPro, Ukash virus removal tool, etc will/claim to get rid of the virus once you’ve got it, is there any tool which will intercept it before it gets in? I run Norton Internet Security but the Hadopi clearly got past that quite easily!

    Very many thanks to Giedrius and yourself for all your help; much appreciated 🙂

  49. IAN B THANKS!

    using notepad to prevent log off worked after I kept attempting it if it didn’t work I just attempted log off again
