Ukash Virus - How to remove?

 

What is Ukash Virus?

Ukash Virus is an aggressive group of ransomware scams that tries to swindle money from you. It is very convincing because its alerts are presented as coming from an official institution, e.g. the local or national police. It locks your computer completely, so the only thing you can do is read the message. The message advises paying a fine to unlock the computer. Of course, this is only a scam and paying the fine will not change anything. The impersonated institutions vary from police to copyright organizations. However, in many cases the messages and designs are similar or even shared between versions, with few unique details.

This ransomware is named Ukash Virus after the payment system it demands. The fines are paid using a pre-paid system called Ukash. No official institution would ask for payment via a system like this, which confirms that this is not a real warning but a virus used by scammers. Note that the Ukash payment system itself is perfectly legitimate and accepted in some countries, mostly European ones, Canada and Australia. Starting in 2013, this ransomware began targeting South American sites as well. The most recent additions include Bolivia and Argentina.

Typically, Ukash Virus is installed silently when you visit an infected website or one displaying malicious advertisements. In most cases the website owners are not aware of the malware and sooner or later clean the site. The risk is higher if you run vulnerable Java or Flash versions. It is therefore impossible to tell which websites are safe or dangerous without good antivirus protection. Additionally, Ukash Virus might be installed by network worms, torrent downloads or email spam.

The biggest problem is that Ukash Virus comes in several flavors and no single approach will be successful in all cases.

Special Removal Instructions for Ukash Virus

If you have access to another account on the infected PC, scan the whole PC with an anti-malware program, e.g. Spyhunter. This is by far the simplest way to remove the parasite. System restore is an option too. If you can’t do either, there are several other strategies. To determine which one to use, do the following:

  1. Reboot.
  2. Press F8.
  3. Try the safe modes in the following order: Safe mode, Safe mode with networking and Safe mode with command prompt.

Depending on the outcome, use one of the following guides:

Versions that allow booting to Safe mode or Safe mode with networking (Malex / Reveton)

  1. Restart your computer. Press F8 while it is restarting.
  2. Choose safe mode or safe mode with networking.
  3. Launch MSConfig.
  4. Disable startup items that use rundll32 to launch any application from Application Data. Note that these are typical locations for Ukash Virus, but others might be used.
  5. Restart the system once again.
  6. Scan with http://www.2-viruses.com/downloads/spyhunter-i.exe to identify Ukash Virus files and delete them.

Video for one such ransomware:

Versions that allow booting to safe mode with command prompt

Gimemo and Epubb trojans are behind this version of Ukash Virus. This version is more difficult to remove.

  1. Reboot PC in safe mode with command prompt.
  2. Run Regedit.
  3. Search for the Winlogon entries. Write down all files they reference that are not explorer.exe or blank. Replace them with explorer.exe.
  4. Search the registry for Ukash Virus files and delete the registry keys referencing the files.
  5. Try to reboot and scan with Spyhunter.
  6. If this fails, try doing system restore from safe mode with command prompt (rstrui.exe).
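
The two registry checks from the guides above (startup items that use rundll32 to launch files from Application Data, and Winlogon entries that are not explorer.exe or blank) can be run over saved `reg query` output. This is an added example, not part of the original guide; the sample text, value names and file names are constructed, and of the Winlogon entries only the Shell value is checked.

```python
import re

# Constructed sample (not from a real infection): text saved from
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
#   reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Documents and Settings\user\Application Data\example1.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    example2    REG_SZ    rundll32.exe "C:\Users\user\AppData\Roaming\example2.dll",Start
"""

# A value line is indented: <name> <REG_type> <data>. Separators are spaces on
# newer Windows versions and tabs on older ones, so any whitespace is accepted.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$"
)

# Per-user data folders named in the guide: "Application Data" (XP) and
# "AppData" (Vista and later), plus the %AppData% variable form.
USER_PROFILE_DATA = re.compile(
    r"\\(?:application data|appdata)\\|%appdata%", re.IGNORECASE
)


def parse_reg_query(text):
    """Yield (key, value_name, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key:
            match = VALUE_LINE.match(line)
            if match:
                yield key, match.group("name"), match.group("data").strip()


def audit(text):
    """Return (reason, key, value_name, data) for entries the guide flags."""
    findings = []
    for key, name, data in parse_reg_query(text):
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf == "winlogon" and name.lower() == "shell":
            # Strict on purpose, following the guide: anything other than
            # explorer.exe or a blank value is written down for review.
            if data.lower() not in ("", "explorer.exe"):
                findings.append(("winlogon-shell", key, name, data))
        elif leaf in ("run", "runonce") and USER_PROFILE_DATA.search(data):
            via_rundll32 = "rundll32" in data.lower()
            reason = "run-rundll32-appdata" if via_rundll32 else "run-appdata"
            findings.append((reason, key, name, data))
    return findings


if __name__ == "__main__":
    for reason, key, name, data in audit(SAMPLE):
        print(f"[{reason}] {key}\n    {name} = {data}")
```

Flagged entries are candidates for review, not confirmed infections; as the guide notes, other locations might be used, so a clean result does not prove the system is clean.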

Ukash Virus that disables all safe modes

Some versions of Ukash Virus disable all safe modes, but leave a short gap that you can use to run anti-malware programs. In that case, do the following:

  1. Reboot normally.
  2. Start->Run.
  3. Enter: http://2-viruses.com/downloads/spyhunter-i.exe . If the malware has already loaded, just press Alt+Tab once and keep entering the string blindly. Press Enter.
  4. Press Alt+Tab and then R a couple of times. The Ukash Virus process should be killed.

Here is a video detailing this approach:

Hitman Pro USB disk

Lastly, you might resort to scanning PC with a bootable USB or DVD disk. These should be able to remove all versions of Ukash Virus, but will not work if your hard drive is encrypted.

For that, we recommend using Hitman Pro Kickstarter USB.

  1. Download Hitman Pro on an uninfected PC.
  2. Run Hitman Pro and ask it to create a Kickstarter USB (option on the initial screen).
  3. When the USB is ready, reboot the infected PC with the USB attached and press DEL.
  4. Choose USB as the primary boot device.
  5. Boot normally.
  6. Run Hitman Pro and http://www.2-viruses.com/downloads/spyhunter-i.exe . One of these programs should detect and remove malware from your PC.

 

Automatic Ukash Virus removal tools

 
  Download Spyhunter for Ukash Virus detection
  Note: The Spyhunter trial provides detection of parasites like Ukash Virus and assists in their removal for free. You can remove detected files, processes and registry entries yourself or purchase the full version.
 

Manual Ukash Virus removal

 

Important Note: Although it is possible to manually remove Ukash Virus, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Spyhunter or other tools found on 2-viruses.com.


It is impossible to list all file names and locations of modern parasites. You can identify remaining parasites, other Ukash Virus infected files and get help in Ukash Virus removal by using Spyhunter scanner. 

 


86 thoughts on “Ukash Virus”

  1. Frank Hull
     

    Ukash Virus now restarts PC if safe mode is attempted – until “start windows normally” is selected.

     
  2. Thomas Smith
     

    It was all good until the “Fix Threats” Stage. Turns out you need to buy the full version to “remove threats”. This is a dead end. Either way you have to pay to get rid of the virus… It would have been easier if you mentioned it before

     
    1. Thomas Smith
      In worst case, you can remove detected files manually if you wish. However, it is nearly impossible to list all the random file names used by these parasites.

       
  3. Andy
     

    Download the AVG PC Rescue iso on another computer, burn it to a disk (using ImgBurn or similar software) and boot up using the disk. Update AVGPCR, run virus scan. Boom done. All for the price of a CD. (also works on pen drives)

     
  4. HugoM
     

    Lost a full hour on it. After detection, you need to buy the software to remove the threats. This should be indicated clearly.

     
    1. HugoM: If it is detected, you can delete manually if you wish.

       
  5. victor harris
     

    I tried all the above and to no avail. Then you have to buy software etc.
    Simple solution as follows.
    Open your computer in safe mode.
    Go to control panel. Hit system restore to an earlier date. You should have some idea as to when this virus arrived.
    Restore your system to a date previous to this virus attack.
    Your computer will re-load itself when complete.
    Bingo my Ukash virus is gone.

     
  6. Sourin Bose
     

    1. This virus has affected my computer and it does not allow to start Windows.
    2. I started in Safe Mode, and removed all the sensitive files to an EHD.
    3. I started WIN-XP from CD to install it new.
    4. Reformatted the HD (C:) while installing.
    5. The Windows Program does not install – it keeps looping.
    Any answers?

    SB

     
    1. Sourin : You might need special drivers for your windows installation or there is infection in MBR. Remove the C: Partition then recreate it anew.

       
  7. K.E.Parker
     

    I had UKash on my computer luckily I have three user names on it, so I just changed user name and ran Malwarebytes surprisingly AVG then sprang up and found the virus as well got rid and now back to normal.

     
  8. paul
     

    @victor harris
    thank you so very much for your help it worked a treat im up and running again. wot a very nasty virus that is. thank you once again paul

     
  9. Emily
     

    Does deleting the infected user account get rid of the virus?

     
    1. Emily: For some versions of this, yes, especially if account was limited in the first place and it was Vista / Windows 7. For some cases, no.

       
  10. Jimmy
     

    When I click enter to ‘start on safe networking mode’ the virus is still there and I can’t open the start menu or do anything else. Help :(

     
    1. Jimmy: There are 3 ways to solve this
      1. It might be a version that blocks all modes but command prompt. Then these removal instructions are applicable : http://www.2-viruses.com/remove-gimemo-trojan
      2. It might be a version that blocks all modes. If there is a small gap to launch http://www.youtube.com/watch?v=1Yl0JcAV5Ic (the video in the post shows how to get rid of it)
      3. If everything fails, boot from Norton Power eraser or other alternate os scanner. These solve the problem

       
  11. Scott
     

    @victor harris is the man, it worked a treat thanks

     
  12. neil
     

    i was infected last friday it happened to me twice this summer period, thanks to youtube and these kind of websites i was able to get rid of the infections with avg. i lost £200 to the ukash virus they're the ones who should be fined.

     
  13. Dan
     

    I can't bring up the start menu or do anything!! If i turn the laptop off and back on again it comes straight back up! I don't know what to do!! Please help!!

     
    1. Dan: Long-press Power button. Your laptop goes into hibernation mode, and does not power down.

       
  14. Jim Bob
     

    I am not very computer literate but did what Victor Harris #7 suggested re restoring to earlier date and am now fully operational again :).
    Are there any drawbacks to this simple solution? Could I still have files affected and not know by using this method?

     
    1. Jim Bob
      Scan your PC with some anti-malware (for example, some cloud scanners like http://www.2-viruses.com/reviews/vikingpc ). There might be other trojans, that are not removed by system restore that downloaded the ukash virus in the first place.
      There are no other drawbacks.

       
  15. Sue
     

    @Victor Harris….you have just made my friend very happy…… Easy solution and it got rid of UKASH Virus….. ! ! ! xx

     
  16. paul
     

    I can’t seem to get into my system, can’t open safe mode as it tells me i need a windows bitlocker drive encryption recovery key….any ideas anyone?

     
  17. Aggie
     

    I have got the Ukash virus 2 days ago.. I have restored the system, scanned it with McAfee anti-virus that found 2 trojans (including Ukash), deleted them. I also scanned my system with Malwarebytes but it didn’t detect anything.. do you think the Ukash virus is now totally gone??

     
    1. Aggie: yes. Though I would recommend updating the antivirus that let Ukash through.

       
  18. Sam Dossa
     

    I have two customers who came with similar issues. I ran the virus scanner, which didn’t find anything on the system. I removed the user's profile from the registry and renamed the profile, which resolved the issue.

     
    1. Sam : As long as you can access disk, one needs to delete one file only (usually directly from %AppData%). Removal of all user settings is not needed in most cases.

       
  19. valerie
     

    @victor harris
    just want to say thanks a mill. I was trying everything and it wasn't working then came across your simple solution and it worked
    thanks again

     
  20. Paula Mullane
     

    @victor harris
    Yay! Thanks Victor. You saved me. All the other instructions were so complex. Yours were simple easy and worked. Thank you a million :)

     
  21. Jamie
     

    Thank you so much for the advice with this. Real help and has saved me a lot of worry. Thanks again!

     
  22. ukash
     

    Sam : As long as you can access disk, one needs to delete one file only (usually directly from %AppData%). Removal of all user settings is not needed in most cases

     
  23. Callum
     

    Thank you guys sooo much

     
  24. Frank
     

    Thank you so much. You just saved my life (well a lot of grief) @victor harris

     
  25. Mark
     

    Simply removed without all the mumbo-jumbo.
    In safe mode go to system restore, select a system restore point that is dated prior to the problem. Restore … fixed.

    Note .. it will not alter your file, all will be there as you last used them.

    Cheers

     
  26. Micheal
     

    @victor harris
    The system restore worked ! Many thanks ! All else failed !

    Thanks again

     
  27. Joe
     

    Quick question when you say go to control panel and select restore to earlier date, where do I find that. Thanks for the help

     
  28. Peter
     

    Vic is the man…does that work for all such? made my day and saved my ass from having to buy anything..

     
  29. Peter
     

    @joe oct 15 2012 post…control panel>system and security..then it shud say “restore to earlier date”

     
  30. PI Maintenance Man
     

    You can get rid of this nasty little pest by rebooting into safemode with networking. When it has booted up do the following:
    Click Start
    Click on Computer
    In the Search computer box top right of the screen type *.exe and press enter.
    The computer will start a long search for .exe files
    Once the search is finished, the virus file will be at the top of the list as the latest .exe it may have a weird name but it will have the date it was downloaded which should be say, the current date or the previous day.
    After locating the offending file, highlight it and delete it.
    Once deleted it will be in your recycle bin.
    Empty the recycle bin.

     
    1. PI Maintenance Man: this depends on particular trojan name. Some versions (Reveton) use DLLs instead of exe and files without any extensions.

       
  31. hello
     

    I removed a file named: Game. It is fine now.

     
  32. jack
     

    It will not let me on Safe mode and doesn’t give me time to get to system restore any ideas?

     
    1. jack: Check other methods in the guide. Some versions do not work when internet is turned down, for example.

       
  33. DOGSNOB
     

    My mate got it, UKASH using West Yorkshire Police ransom page, a second time yesterday, after a lengthy job of clearing it the first time, he uses Vista, I then set up a “Guest user” account with no log on, opened that, accessed “msconfig” and selected for SAFE MODE in BOOT UP, when it restarted I could then select the main account, then opened, control panel, back up & restore, then selected a scheduled back up from 2 days before. After the successful restart, everything OK, then went back to msconfig, deselected safe mode, after restart everything OK. I checked for the suspect files in AppTemp & AppData, they were not present, but did a full scan with AVG which found the offenders and got rid of them.

     
  34. JohnnieB
     

    Hi, I’ve tried all methods and none are working. The system restore one sounds the easiest but I have restore functions disabled and have to be logged in normally to amend, and as you know – this damn virus doesn’t allow you to do that for more than 5 seconds! Any help would be appreciated! I’m on XP. Thanks!

     
  35. Ian
     

    Mark’s advice worked for me point # 34

     
  36. ricky p
     

    i had this horrible virus today and removed it after a while , i am lucky enough to have two laptops , and downloaded the trial version of malwarebytes anti malware software ,then i put the installer onto a memory stick , i opened my infected computer in safe mode with command prompt then i wrote explorer in the command, i then opened in safe mode ,put memory stick in and installed the malware bytes software, it took about an hour and fifteen minutes to scan ,then when it had finished scanning i put a check in every infected file then restarted and it worked hope it works for you

     
  37. edd
     

    thanks guys.
    I'm back to normal, once again thank you very much.

     
  38. edd
     

    Yeah the virus got me by surprise. Turned off computer turned it back on and everything is cool
    cheers

     
  39. JJ
     

    I’ve been infected with this virus twice now, but managed to get rid of it without downloading any other programmes . . after all the last thing you wanna do is download even more stuff to your computer only to find that you have to pay at the end of the Scan . Waste of time . so instead of paying the virus makers, you pay someone else who takes advantage at your hour of need . . Honestly software pushers . . we aren’t interested in that, we want it gone . . and for free. I already had SUPERantiSpyware . . (free edition) installed from when i bought my computer. Restarted my computer then pressed F8 like mad, chose safe mode with Dos prompt, waited for it to start up . . typed “explorer” in the prompt to give me access to window explorer . . then started the Scan using SuperantiSpyware . . it located the trojans, and corrected the registry all in one scan . . . booted my computer up normally after this was done, and hey presto . . no annoying white screen or police guy telling me i owe him 100 bucks . . . how about i give ya nothing buddy . . will that do ya? If you haven’t got this program i would recommend it . . search on google and it’s the first thing that comes up . . and all for free, what ya got to lose ?

     
    1. JJ: I recommend you follow your own advice and purchase full version of SuperAntiSpyware – if it detected the version of trojans you had, you would not be infected in the first place. Sadly, free SAS is scanner only, and it is surprising that updates were installed as well. Personally, I do not like it – it is set up to be launched on startup even if it provides 0 protection without a license. Its detection ratio is not the best too (in my opinion) and it detects lots of cookies without good enough reason.

       
  40. JJ
     

    @Giedrius Majauskas (admin) I think i will purchase the whole package for SUPERAntispyware when my subscription to another virus protection program i use runs out (Don’t really wanna be paying for 2, especially when the one i am paying for doesn’t detect it). But it just goes to prove that paid for software sometimes doesn’t catch these things, But my FREE version of SAS did and fixed it . . i can even update its virus database. I was unaware that the free version is scanner only, since mine updated, scanned and cleaned my machine?? Just thought i’d post my little success here, just in case others find it useful. I think it didn’t detect the threat initially as i wasn’t running it and used my paid for antivirus, thinking i would be safe . . i’ll keep SAS running now instead to see if Ukash virus gets through it, if it does i’ll repost so people know. Thanks for all your advice here, it’s good to know there are people out there whom help :-).

     
    1. JJ: SAS does not replace full antivirus. It does not fix infected files, and does not work against other threats. It is anti-malware only, so if you want an antivirus, go for Kaspersky, ESET, AVG, AVAST, Avira. Sometimes they fail and anti-malware fixes the problem.

       
  41. JJ
     

    @Giedrius Majauskas (admin)

    Thanks a lot, i’ve wrote those down . . i’ve used AVG before and recall it was a good programme that caught most things. But you are right, i did scan my computer with everything i had PCtoolsSpyware doctor (Monthly sub), microsoft defender and of course SAS. I think between all of em . . they cleaned my system. :-). Thanks again, and i hope this horrible virus doesn’t strike again.

     
    1. PC Tools has antivirus (with AV module present), and has nice behavioral scanner. But for AV, I would recommend others.

       
  42. matthew
     

    @Thomas Smith
    nope just do control alt del and shut down then cancel and its gone LOOOOOOOOOL
    ,but you have to do this each time your pc turns on

     
  43. JH
     

    I have got this Ukash virus and ive had it for a few days now and cant get rid of it. Ive tried in safe mode with networking but nothing seems to happen and when i turn my laptop on it goes straight to Ukash, i cant even click on the “start” button. I literally cant do anything. Im totally lost without my laptop. Someone help :(

     
  44. Jordan
     

    I can’t access the start menu do you know how I can get onto this? Thanks

     
    1. Jordan: Use bootable scanners like Kaspersky boot CD.

       
  45. Michael
     

    I also have a version of this virus … It actually locks the keyboard so I can’t use it, I’m able to use to get to the boot menu , at that point I have the option of starting windows normally, in safe mode , etc. but that’s when my keyboard stops functioning.. Any ideas?

     
    1. Michael : Try using alternate OS scanner like Kaspersky rescue disk or Hitman Pro Kickstarter. These should work.

       
  46. Chandra
     

    Yesterday I got ransomware on my computer. I am writing this from another laptop. I have gone through all the posts here. To solve my problem I created another admin user via safemode command prompt. New user is working fine. Logged in through new user and scanned using AVG & Hitman pro but the virus is still not going which affected to the main user. Can you please help me to clean the main user.

     
    1. Hitman Pro might fail if the account is not the one affected. Do full system scans with anti-malware programs like MBAM, Spyhunter, Superantispyware.

       
  47. David
     

    Got this today, and got rid within an hour.
    Switch off m/c, re-start but keep pressing f8 whilst m/ c restarts.
    Open m/c in SAFE MODE WITH NETWORKING.
    Once m/c has started, in search, find free anti- malware download,
    Download and then run full system scan. Switch off m/c when scan has finished, restart in normal mode and then do a quick scan using the same software again. Finally, update your own antivirus software , as this may well be out of date!
    If this does not work, then I suggest a system restore back to before you got the infection!
    Don’t forget to update your own security system to ensure that this infection is found and destroyed BEFORE it shuts you down.

     
  48. barrie
     

    @PI Maintenance Man
    used your solution. it worked. many thanks

     
  49. rol
     

    Great help

    Thanks for the You-tube tutorial hopefully that’s the last I see of the virus

     
  50. Pingback: PaysafeCard Virus - how to remove

  51. nola
     

    What is the easiest way to get rid of this as I am not good at computers
    and find it hard to understand. can you help me

     
  52. nola
     

    I dont know how to do this please help me

     
  53. Jimmy
     

    How do I start my computer in safe mode?

     
    1. Reboot, and press F8 at that point when windows starts loading. You might have to press it couple times. Then choose safe mode from menu.

       
  54. kart.web.tr
     

    Great help
    Thanks for the You-tube tutorial hopefully that’s the last I see of the virus

     
  55. j.james
     

    Wow. was mildly scary im getting antimalware protection now. thanks guys!

     
  56. Steve w
     

    Thank you for helping me with this
    Phew – recommended
    Thanks again
    Steve

     
  57. Liam
     

    Thank you so much for the helpful video instructions who knew a technological idiot like myself could rid my of of a virus thanks again

     
  58. sammij
     

    i get as far as safe mode, put in my password then that white screen appears.. why cant i get any further on?

     
    1. sammij: It is different version. Use safe mode with command prompt. Then search for Shell variable under winlogon, which refers to different program than explorer.exe. Watch other video.

       
  59. mattyboy
     

    press f8 on starting computer. Select ‘repair my computer’ from here go to ‘system restore’ and restore computer to an earlier point (pre virus)…job done!

     
  60. Ian B
     

    Just found a way around this, having spent an hour or so scratching my head looking at the trojan’s “Cheshire Police” page. Here’s how to get round it-

    Reboot your computer. When bootup has completed, you get a couple of seconds when the Start Menu is active but Ukash hasn’t loaded yet. So, being fast;

    Hit the start button on your keypad, quickly type “notepad” and hit enter, then type some random letters into Notepad. You can just do this before the trojan takes over. Now, when the trojan has taken over,

    Ctrl-Alt-Del and select “log off”.

    Windows attempts to log you off, it shuts down the Ukash trojan, but can’t shut down notepad because it has unsaved data in it (the random letters you typed) and the log off stalls. Now cancel logging off.

    You now have control of the PC and can hunt down the Ukash trojan, registry keys etc and delete it at leisure.

    I was unable to do anything with Safe Mode because my version of UKash was shutting the computer down again if I tried to boot into Safe Mode.

    Hope this kludge helps someone who finds this page, like me, because of desperation with this.

     
  61. AlexF
     

    Contracted what seems to be a particularly nasty version of the Hadopi virus yesterday.

    I’ve tried all the ideas above but no joy – this version seems to disable the keyboard even during boot up so I can’t use safe mode (F8 invokes safe mode but I can’t then scroll to any of the options so it times out and boots Windows (XP));

    I have downloaded AVG Rescue CD but “press any key to boot from CD” doesn’t work, so it boots Windows;

    I’ve tried Ian B’s pressing the start button trick, but start menu doesn’t become active so this doesn’t work;

    I only have (had) one user partition so I can’t access an alternative…

    Help!!…please!!!!

     
    1. AlexF : what type of keyboard are you using? Try connecting a different one. In worst case, connect your hard drive as slave to other PC and scan with anti-malware programs the whole disk.

       
  62. AlexF
     

    @Giedrius Majauskas (admin)
    Logitech USB keyboard. I like the idea of removing the HDD and scanning it on another machine; unfortunately, the infected HDD has a SATA interface and I only have IDE on my other PC :(

    However, I can report some progress – have removed the block, but I’m not entirely sure how! I found that if I let the machine start windows, then in the couple of seconds before it entered blocked state, if I pressed the on/off button it hung with the desktop background image and an error message: “xxxDLL failed because windows is shutting down”. At that point, I managed to open Notepad, as in IanB’s solution above, and create an unsaved file. Clicking OK in the error window, it repeated with umpteen DLLs which hadn’t finished loading.

    After this I started Windows Task Manager with ctrl/alt/del and found I could log off as current user, which brought me back to the normal log on screen with my user name (this screen used to appear, but stopped a few weeks ago). Logging back in gave me my normal desktop which seems fully useable. I then downloaded SpyHunter and tried to install it, but this failed because my boot drive letter is F: (for some reason better known to Microsoft when I upgraded my mobo and reinstalled WinXP a couple of years ago!).

    I’m currently stuck at this point because I’m not allowed to rename the drive to the C: that SH is looking for (and fails to install if it can’t find it).

    I’m now very keen to scan the drive and am running Norton full system scan, but I’m not confident with this because Norton failed to intercept the Hadopi virus (Catch 22!).

     
    1. Run MSConfig and see if there are weird startup entries. Disable them.
      Also, run :
      Hitman Pro ( http://www.2-viruses.com/reviews/hitman-pro , does not require install )
      and Malwarebytes . If Rootkit is detected, run TDSS Killer.

       
  63. Ian B
     

    AlexF-

    Once you’ve got control of the machine back, it’s pretty easy to remove this, at least the version I had.

    It lives in your directory /Users/[Account Name]/AppData/Roaming

    Look for some directories with random names (mine was “Ymno”) in the Roaming folder, and also there was a file called “skype.dat” in the Roaming folder; the trojan will apparently pick a random but “normal” looking name like that for itself. Delete them.

    Also, look in MSConfig for a strange startup entry, pointing to those directories mentioned above, and disable it (you can then remove it entirely by removing it from the registry).

    By the way, the point of the Notepad file was to *prevent* the logging off process completing; the idea is, you CTRL-ALT-DEL and select log off; the logging off process then closes down UKASH, but stalls at the Notepad file because it has unsaved data. At that point, you can cancel logging off and get to work deleting the virus.

     
    1. Ian : The names and locations vary depending on version. In many cases it is easier to run MSConfig and check for location there, and if not – run regedit and check Shell variable for malicious programs. It is not always in %AppData%.

       
  64. AlexF
     

    Ian B

    Many thanks for the tips. I can’t find a Roaming directory. It’s not in my AppData directory and a search on the C: drive (actually F: in my case, as mentioned above!). However, I’ve run HitmanPro and the machine now seems to be behaving itself.

    MSConfig throws up a load of weird entries (in addition to recognisable ones) and I’m a bit nervous of deleting something I may actually need! Thanks for the clarification about the Notepad file. My problem was, with the Hadopi version of the Ukash virus I had was that it seemed to disable the keyboard, so I couldn’t CTRL-ALT-DEL or use the Start key to ‘get in’. I eventually managed to get in by hitting the on/off button briefly during the couple of seconds the desktop background image showed before the white virus ‘block’ screen appeared. This had the effect of bringing up “can’t run … because the machine is shutting down” errors and so let me in. I’ve now set up alternative user accounts just in case.

    Something I would like to know is, whilst HitmanPro, Ukash virus removal tool, etc will/claim to get rid of the virus once you’ve got it, is there any tool which will intercept it before it gets in? I run Norton Internet Security but the Hadopi clearly got past that quite easily!

    Very many thanks to Giedrius and yourself for all your help; much appreciated :)

     
