Ukash Virus

Ukash Virus Description

Ukash Virus Screenshot 1The Ukash Virus is a colloquial nickname for a family of ransomware Trojans that display fraudulent police alerts, block you from using other applications and threaten you with legal action if you don’t pay a fee within a short time period. Preferred payment methods for this fine include Paysafecard and Ukash – hence the Ukash Virus’s name. The Ukash Virus family is especially notable for tailoring its warning messages to local regions and having many different variants for different countries. malware researchers have noted that the Ukash Virus is particularly widespread in Europe, but there are also variants of the Ukash Virus that are designed for American or Canadian PCs. If you see a warning message that resembles a Ukash Virus’s pop-up, you should, firstly, try to disable the Ukash Virus, and secondly, use appropriate anti-malware software to delete the Ukash Virus infection. Under no cases should you ever feel it necessary to pay a Ukash Virus fine, which is, itself, an illegal request.

The Ukash Virus: a Globetrotter with Crime on Its Mind

Variants of the Ukash Virus may be distributed in a number of ways, although malware researchers have noted that many recent Ukash Virus attacks have involved drive-by-download exploits from malicious websites. Ukash Virus infections are immediately noticeable due to their primary symptom: an HTML page that covers your entire desktop and Windows interface. This web page is crafted to look like a country-specific legal warning against embarrassing or common crimes such as child pornography trafficking or illegal music downloads. Most variants of Ukash Virus pop-ups will also display your IP address, some will display a fake ‘video recording’ notice, and all of them will claim to be from some form of unrelated law enforcement organization.

Examples of the widespread and nationality-tailoring nature of individual Ukash Viruses include:

Where the Buck Stops with the Ukash Virus

Although Ukash Virus pop-ups claim to have legal authority and may even warn you of consequences to your PC (such as file deletion) if you don’t pay their fines, you should never feel the need to pay the ransom from Ukash Virus infections or other ransomware attacks. Resolutions to most Ukash Virus problems are easier to find than you might expect, since malware researchers have found that common variants of the Ukash Virus only use their pop-ups to block other programs and, therefore, can be disabled to renew complete access to your PC. No known variants of the Ukash Virus actually possess any ability to carry out their threats, and ignoring their warnings is safer for both your PC and bank account than the converse.

Disabling the Ukash Virus is achievable through various methods, with popular techniques including booting to Safe Mode or booting Windows from a USB-based HD device. Since recent Ukash Virus infections have been distributed via browser exploits, malware research team stresses that having good browser settings and a strong anti-malware program to block drive-by-downloads can help to prevent your PC from being the Ukash Virus’s next target. In spite of their nicknames, Ukash Virus-based PC threats aren’t true viruses and do not have any known ability to infect wide varieties of other files.


Pakes2_c.NRL [AVG]W32/Foreign.AOV!tr [Fortinet]Ransom:Win32/Urausy.E [Microsoft]TR/Urausy.230400 [Avira]Troj/Ransom-AOV [Sophos]Trojan.Winlock.11647 [DrWeb]Gen:Variant.Kazy.515679 (B) [Emsisoft]Trojan-Ransom.Win32.Foreign.lhds [Kaspersky]Win32:Hoblig-B [Heur] [Avast]TROJ_GEN.R047H09LD14 [TrendMicro-HouseCall]

More aliases (821)

Ukash Virus Automatic Detection Tool (Recommended)

Is your PC infected with Ukash Virus? To safely & quickly detect Ukash Virus we highly recommend you run the malware scanner listed below.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
  • The following files were created in the system:
    # File Name Detection Count
    1 %ALLUSERSPROFILE%\ Q3d38543.exe 300
    2 %ALLUSERSPROFILE%\MigAutoPlay.exe 300
    3 %AllUsersProfile%\Local Settings\Temp\[RANDOM CHARACTERS].pif 300
    5 %ALLUSERSPROFILE%\Application Data\Sun\[RANDOM CHARACTERS].exe 294
    6 %WINDIR%\system32\0_0u_l.exe 294
    7 %ALLUSERSPROFILE%\ acuvzomo.exe 290
    8 %WINDIR%\ autoosk.dll 290
    9 %APPDATA%\0_0u_l.exe 290
    10 %USERPROFILE%\Local Settings\Application Data\lollipop\[RANDOM CHARACTERS].exe 290

    More files

Registry Modifications

Tutorial: To edit and delete registry entries manually, read the tutorial on how to remove malicious registry entries.

Tip & Warning: Editing and removing the wrong registry keys can severely damage your PC, so remember to backup your Windows Registry! To optimize your Windows Registry and speed up your PC, download RegHunter's registry cleaner.
  • The following newly produced Registry Values are:
    HKEY..\..\..\..{RegistryKeys}*\shellex\ContextMenuHandlers\ExplorerWAS*\shellex\ContextMenuHandlers\secure_delSoftware\Classes\*\ShellExt\ContextMenuHandlers\ExplorerWASSoftware\Classes\*\ShellExt\ContextMenuHandlers\secure_delHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}Sysyem Cleaner
  • The following CLSID's were detected:
    HKEY..\..\{CLSID Path} {51164744-9696-9919-9702-756205740524}

Related Posts

Posted: July 15, 2012 | By
Rate this article:
1 Star2 Stars3 Stars4 Stars5 Stars (161 votes, average: 3.32 out of 5)
Loading ... Loading ...
Threat Metric
Threat Level: 9/10
Detection Count: 135,481


  • Nige says:

    I think this virus has ‘evolved’. I’ve got it on an old Toughbook running XP Service Pack3. I have tried everything to get it to run in safe mode but it just won’t have it. Even Comodo’s rescue disk is ignored. And I suspect that most of the sites offering fixes just install more viruses!

  • David Linton says:

    The Virus allows me to boot up into Safe Mode but the taskbar at the bottom with Start Button only appears on screen for a split second and then closes windows down and then the Metropolitan Police Screen appears so cannot get in to the Control Panel.

  • roman latvia says:

    good information, thanks!

  • twisted1 says:

    ty t the people above for yer info i restored my pc via safe mode with prompts and it removed the ukash screen completely..

  • DENISE says:

    Has anyone run into the Ukash virus leaving a file called: \Appdata\Roaming\"wkbtwb",set_error_fn in the reg file?

  • gfhj says:

    good effort.

  • Scott says:

    Thanks for the info regarding system restore, safe mode then system restore works thanks very much thought I’d never get rid of ukase virus .

  • Laird Collins says:

    I have a virus called PUP.bProtector and I don’t have money to remove. I’v been printing every piece of info. about it and now have came up with this site. Will someone please with everything they know help me

  • Genevieve says:

    hello guys! I Had same crap 3 days ago. I was able to take off screen lock by myelsf but then i found out that almost all my files are encrypted and i decide to pay $300. I was not sure that i get any codes but i had no choice. My business and system were down for 5 hours. In 1 hour after i sent moneypak code i receive codes for encrypted files and after paste codes in fields it start decrypting files and everything back to normal.Here are codes for decrypting i received, try them to decrypt files maybe its gonna be work for you guys too :First Passcode: Nope Not Here buddySecond Passcode: Nope Not Here buddy

  • Alan Poirier says:

    Thanks Fred Jenkinson. Worked like a charm to remove it from one of my student’s computers.

  • Fred Jenkinson says:

    My fix: Boot in Safe Mode with Command Prompt. Type "regedt32.exe". Search for "winlogon". It will find a few different entries but you need one with a key called "shell". It will say something like "explorer.exe,c:\users\…\skype.dat" make it just explorer.exe. Reboot.

  • John D W says:

    I have been attacked by the Ukash virus. Fortunately I was able to boot in F8 mode and go to a previous restore point. Some damage has been done. I can’t open JPEG,PDF.WORD.Excel files. Internet Explorer is acting strange. my favourites don’t open anymore. I have downloaded all sorts of anti malware/syware/virus tools via a clean computer to USB stick. These programs seem to be a scam in themself. The ones that charge seem to find hundreds of problems. scare the s…t out of you so you pay o and register to get them cleaned. The free programs find little or nothing. It’s all bull

  • Tsanko says:


  • mardol says:

    just start the pc whitout internet connection (in this case you won’t be bothered with ukash), then simply start system restore to a previous date when the pc was not infected yet!!!!

  • william says:

    i tried with safemode i didnt work

  • Max Momsen says:

    To remove the Ukash – Trojan from a XP System is no easy task and almost impossible. Even when starting with a current update Linux or knoppix antivirus Boot CD, none of these "Antivirus" Programs seems to find the Trojan. Which is very strange indeed. Seems to me done on purpose. And the criminals who collect the money also seem to be in the east somewhere outside Europe. But it does not get rid of the virus. You must check the registry and check with msconfig the startup programs. Ukash sits there with different names and hiding.

  • Brian says:

    How to start in safe mode with internet? I don’t get the same black menu with the same options as explained in other fora concerning removal of this ukash virus when pressing F8. And I can’t run the Spyhunter without starting in safe mode I think. I have tried, but not in safe mode.

  • Andy L says:

    Ukash evil buggers. I appreciate the candour of Fred Ives et al that you paid, but seriously, and assuming you’re not just trolling, WHY would you pay ??? Surely you are joking ? And yes, altho’ system restore didn’t work first time, persisting with repeat attempts and frantic f8-ing got into safe mode (with command prompt) worked for me – at least, as far as regaining control, disappearing the ransom screen, and restore to previous date . . . I’m with Tony (September) – WHY would you pay ? Are there really so many people living in a police state of mind ? God help us all if so. P.S. and a Merry New Year :-)

  • paul says:

    just tried to download spyhunters malware scanner to detect ukash virus from the above link
    downloaded ok but my computer administrator (which is me)stopped it
    any ideas or solutions on how to get it up and running welcome

  • merldutch says:

    I have experienced ukash or similar several times on my laptop (W7-32bit) with paid DGATA-progr. and once on my desktop. Several user accounts. Restore to previous point (ctrl-alt-del admin-account restore-system) seemed to help. But i get "filename".pad (ism_0_llatsni.pad=4.3MB; lsass.exe=rundll32=44kB; dsgsdgdsgdsgw.pad=90MB !!! since restoring) desktop shortcuts/links of substantial volumes (mb). Why?

  • Paul Bareham says:

    Hi. I downloaded Spyhunter 4 from your link and it confirmed I was infected by UKASH virus. When I tried to register Spyhunter it opened a read only document in word entitled and when I tried to follow either of the links to pay I got the following message. "This operation has been canceled due to restrictions in effect on this computer.Please contact your systems administrator." I am using a stand alone home PC and have little or no technical knowledge. How do I proceed from here to register Spyhunter 4?

  • anass says:

    je veux un carte web UKASH

  • Blake says:

    I live in Canada, and was a victim of the ukash virus. The banner at the top of the page said police in german. Last time I checked german wasn’t an official language of Canada. Stupid hackers!

  • John Mich says:

    Rick. Try using safe mode with networking it worked for me yesterday. Then iused system restore to the day b4 to get rid of it

  • John Mich says:

    Try using safe mode with networking. It worked for me yesterday. I then got out of UKash clutches by doing system restore to the day before. Goodluck!

  • Rick says:

    I have just got the ukash virus, it will not even allow me to start up in safe mode without networking. any solutions HELP!!!!!

  • Phil says:

    Had a problem with Ukash virus, I have a number of accounts on one lap top, the virus only affected one account, I was able to solve the problem by loggin on to another account and setting my lap top to the last date my lap top was updated.. I didnt loose any documents and the Ukash virus was gone!! Hope this helps

  • jos smink says:

    ukash virus

  • andrew says:

    Ukash is an official payments system used via newsagents in France. Their UK HQ say transactions are anonymous but they are willing to identify to whom money was sent on a police request (if taken off a police demand Ukash page)

  • Jon Martinez says:

    This has happened twice on my dads computer.

    First time he took it to a PC shop who charged £120.00 to wipe windows and install new virus protection (AVG).
    Within 3 days of having the laptop back the same thing happened again. AVG does not recognise it as a virus and after doing several scans it reports "no threats". Does this thing bypass all antivirus software???

  • dave london says:

    I totally support what Tony says "NEVER PAY!" – a friend recently did and of course your system is not restored you just lost your money to some fraudster. I’m no computer whizz-kid but thanks to all the helpful advice I got from this website I have been able to successfully restore my system whilst running in SAFEMODE and have now run security software and removed the virus. I’m so pleased – thanks again.

  • Tony says:

    I cannot believe you people who actually paid !
    All you needed to do was restart your Pc in Safe-Mode and then run your virus scanner or remove the virus manually as i have just done. As suggested it’s easy to find the startup file and then you have th random .exe name. Search it out and delete it. Then search the registry with Regedit and delete all signs of it.

  • Ken Sandham says:

    Perhaps I am naive but I think it should be possible for UKash to identify the scammers and at least stop transacting payments to them. They should also assist the authorities to bring them to Justice. This of course assumes that UKash is a legitimate finance organization and is not in league with the criminals.

  • Stephen says:

    ive deleted like half my stuff and removed the virus/trojan now my internet doesnt work any1 kno y is tht? maybe i deleted something wrong?

  • Sun Tzu says:

    ****** schedcli is a New Ukash Filename ********


    The UKASH virus is pretty smart because the hackers

    have compiled the code to adapt to different operating systems &

    software platforms & also detect PC users geographical location

    in order to make the annoying banner Country(Region) specific.

    As was stated earlier the UKASH application

    has lots of different file names and will embeded itself in different

    directory locations depending on the PC’s O/S, using it’s different filenames.



    However there is currently a pattern that is common to all UKASH Ransomeware

    virus files. To find out the file name and location of the virus

    on a Windows plaform, follow these simple steps:

    run the infected laptop in SAFEMODE.

    (1) re-boot laptop > immediately during bootup press & hold the F8

    button until you hear a beep, then unpress the F8 button

    (2) Once in SAFEMODE, nagivate to run command, there are two

    ways to get to run, hold down the windows symbol key + r together or

    go to start & type run

    (3) in the run command type msconfig.exe and hit return

    (4) You are now in the system configuration window, nagivate

    to the startup tab. Look for any application that you do not

    recognize and the manufacturer is stated as UNKNOWN.

    Be very careful when investigating & performing this process

    especially if you have installed lots of jail broken, cracked or

    unlicensed applicaitons.

    (5) The UKASH file will normally be installed in Appdata directory

    under the account name being used when the laptop became infected.

    For Windows Vista and WIndows 7 the UKASH Virus locations are:



    (REMEMBER the .exe filename could be different)


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\schedcli








    GOOD LUCK : )

  • calum mccubbin says:

    i just got this today after i relised it was a scam i turned off my pc rebooted and done a system restore and all seems fine i dunn know if i have gotten it compleatly out but luckly i have full back up off all my programs and games ect on disk just wondering if any1 has tried a factory default reset just wondering if that would wipe it out 100%

  • liane says:

    ukash is the biggest scam to hit uk through western union bank, if you hsve psid for your voucher using a credit or debit card you are at risk of identity theft. i know this through experience of customer feed back of where i work. ukash vouchers used to be a viable way to pay for things online untill these scams came on the go. newest one to date, if you have been online looking for finance, they phone, verify bank details so you can receive funds, then purchase a voucher to make your first months payment to them, your so wrapped up with what they are offering, you dont realise YOU, gave them your bank details, like my husband 3 mnths ago!!!! took 24 hrs to wipe out our bank account and 6wks to reclaim 1/3rd of our money back

  • Sam Yuells says:

    I got the UKASH malware on my computer a couple of days ago. I quickly realised it was a half-arsed attempt to extort money with no legal validity.It only seems to have invaded MY log on, not my wife’s (ok prolly via a bit of porn – sue me!). I have found a short term solution, which is to log on, open some stuff on my desktop before the UKASH page catches me and then, when it catches up, press the off button on my comp very quickly. What happens is my desktop comes back with the things I’ve opened (explorer, i-tunes, skype etc) just for a couple of seconds. If I can start working on them very quickly – start playing a tune in I tunes, type a browse subject in google, or call someone in skype – the comp doesnt close down and UKASH goes away for one session. Obv. I need a longer term solution, so I’ll be downloading the above

  • Hans Grimm says:

    I am a victim of ucash virus,I paid 100 euros to remove virus but it will not take voucher no.

  • hlkr says:

    Just recieved the virus here in Valencia Spain, second time of having it! First time it took over hole screen but after a frantic couple of hours of translating the page I discovered it was a virus so after swithing lap top off and on the antivirus took over and got rid of it for me. This time it’s taken over the hole screen again but this time it has turned my cam on trying to film me!!! and anti virus isn’t working!!!! …doh! Nice seeing this site though being reminded that it is an annoying and scary ‘prank’!!!

  • Ian D Phillips says:

    F8 does not always solve this as it does not always allow enough time to back up. My suggestion is have the operating system on a partition on your hard drive and have a seperate hard drive for programs and data. If you do get infected, use the HARD DRIVE MANUFACTURERS software, eg Seagate drive Seatools, Western Digital drive DataLifeguard, to erase the drive, writing x’s or 1’s to every sector. I know this is a pain, cos you then have to re-install your operating system and your programs. Windows OS takes about an hour, but that is a lot better than 100 quid. I have just done this !

  • Carlos Pereira says:

    Caro vladimir, o que você fez para o virus sair do seu pc?
    Eu com o virus nao consigo executar qualquer programa

  • E Booth says:

    how do you remove this virus and how can I get my money back

  • KEN LYON says:

    I had UCASH on my XP desktop – what a pain – I looked at some recommendations but did my own thing. I simply went to an old RESTORE POINT which got rid. Having done that I realised there was a risk so also, as I had access to all my current files, decided to back-up and format my drive to be absolutely sure. I mentioned this as anyone caught will not have access to anything but booting up and F8 restore might buy you time to save stuff and then go for fdisk, the only real way to erase everything.

  • Vladimir says:

    Today my laptop was blocked by this virus. Fortunately I did not paid only because my wife was suspicious why the police does not give an option the fine to be paid on line. It makes sense.

  • denzo says:

    i have been a victin twice to the police ukash virus and the best solution is to download anti-malware its free and can catch any virus that is trying to stop you using your laptop,can only be used in safe mode if u have virus.

  • guy says:

    same. i paid 100 euro to unlock vomputer. Any risk for further damage ? bank acount intrusion ?

  • fred Ives says:

    I have been a victim of the virus and swidled out of 100 pounds. can you tell me what i can do about this, my payment was through paypoint vouchers, transaction 69779 on 7/8/12 please advise

  • Fred Ives says:

    I was a victim of ukash today, I paid 100 pounds to remove it from my computer although
    i have mcaffee anti virus on my computer is there anything i can do about this?, thanks fred

Leave a Reply

What is 4 + 10 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)