Hadopi virus / Ukash virus / Police Virus

August 2016

The information in this FAQ is based on this article: http://www.malekal.com/2012/01/10/virus-gendarmerie-activite-illicite-demelee/
The ransomware spreads through malicious advertising (malvertising) on streaming and download websites, among others.
These ads lead to malicious web exploits that aim to infect visitors automatically.
PCs with outdated software (Adobe Reader/Flash, Java) are more vulnerable to this type of infection.
Hence the importance of keeping your software up to date.
The "Hadopi" ransomware exists in two variants: Urausy and Reveton.
The Urausy variant - characterized by the presence of the handcuff image.
This variant normally prevents booting in safe mode.

The Reveton variant - the handcuff image is replaced with a webcam image.
This variant doesn't block access to safe mode.

Safe Mode (Reveton variant)

  • Restart the computer in Safe mode with network support.
  • Download RogueKiller (by tigzy) to the desktop.
  • Start RogueKiller.exe.
  • Wait until the prescan has finished.
  • Run a scan using the Scan button located at the top right.
  • RogueKiller will detect the following elements: msconfig/CTFMON.
  • Click Delete to remove the malicious elements.
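
To review the startup entries by hand after the cleanup above, the following PowerShell script lists them. It is an added example, not part of the original FAQ or of RogueKiller. It assumes Windows Vista or later, assumes that the msconfig/CTFMON elements correspond to autostart entries (Run registry keys and Startup folders), and uses a hypothetical `$reviewPattern` heuristic; it only reads and lists entries.

```powershell
# Added example: read-only listing of autostart entries for manual review.
# Nothing is deleted or modified.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Per-user and all-users Startup folders (Windows Vista and later).
$startupDirs = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)
# Assumption (hypothetical heuristic): commands that run from user-writable
# locations or through rundll32 deserve a closer look. A match is not proof.
$reviewPattern = '\\AppData\\|\\Temp\\|\\ProgramData\\|rundll32'

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $entries += New-Object PSObject -Property @{
            Source = $key; Name = $name; Command = [string]$item.GetValue($name)
        }
    }
}
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    $files = Get-ChildItem -Path $dir -Force | Where-Object { $_.Name -ne 'desktop.ini' }
    foreach ($file in $files) {
        $cmd = $file.FullName
        if ($file.Extension -eq '.lnk') {
            # Resolve the shortcut so the real target is shown, not the .lnk name.
            $lnk = $shell.CreateShortcut($file.FullName)
            $cmd = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
        }
        $entries += New-Object PSObject -Property @{
            Source = $dir; Name = $file.Name; Command = $cmd
        }
    }
}
$entries |
    Select-Object Source, Name, Command, @{ n = 'Review'; e = { $_.Command -match $reviewPattern } } |
    Sort-Object Review -Descending |
    Format-Table -AutoSize -Wrap
```

Entries marked `True` in the Review column are only candidates for a closer look; legitimate software also starts from these locations.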

System Restore

Start a system restore using the command prompt: http://forum.malekal.com/windows-recuperer-son-systeme-t20428.html#p166263

If you are using Windows 7, launch System Restore from the "Repair my computer" menu.

Command prompt in safe mode (Urausy variant)

See this page: http://www.malekal.com/2012/01/10/virus-gendarmerie-activite-illicite-demelee/

Malekal Live CD

  • Download and burn the Malekal Live CD (or put it on a USB key).
  • Boot from the live CD.
  • RogueKiller starts; run a scan and then click Delete.
  • Restart the computer; you should be rid of the ransomware.
  • Malekal Live CD: http://www.malekal.com/2013/02/22/malekal-live-cd/

Kaspersky Live CD

Download Kaspersky Live CD: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso


  • If the above methods don't work, you can always create a topic in the Virus forum.
  • If you succeed in removing the infection, you must update your installed software as your computer is still vulnerable.

This document entitled « Hadopi virus / Ukash virus / Police Virus » from CCM (ccm.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.