
The Ukash Virus, or Ransom Virus, is an annoying piece of malware that is spreading widely all over the internet. It used to be found only on “suspicious” porn sites, but it’s also known to invade normal download sites displaying only harmless video content.
Fear not... it is removable!

First, if you see yourself on a webcam on the web site, don’t worry. It’s not going to be displayed anywhere. It’s just a hoax.
Also, this site does not cooperate with any police force anywhere. The makers of this are just thieves and scam artists... but very clever thieves and scam artists!
Although the virus is changing all the time, the guide below is a pretty safe bet and has been tested on all the variants we have found.
1. Shut down your computer using the ON/OFF button.
2. Remove or deactivate any wireless connection or internet cable.
3. Start your computer and keep pressing F8 to activate the Safe Mode start options (some computers, like Medion, might want you to press something other than F8).
4. When the Restart in Safe Mode options are available, choose: Restart in Safe Mode with COMMAND PROMPT (this is important). No other Safe Mode or Restore option will work.
5. When Windows has started in Safe Mode you will only see a command line (you might have to log in using your Windows password first).
6. On the command line, write: RSTRUI.EXE
7. This will prompt the Windows Restore function to open.

8. Choose a Restore file from a time you know your computer was working fine.
9. Let Windows Restore itself …. it might take 20-30 minutes.
When Windows is back up, you need to clean up the virus leftovers.
10. Download and install Chica PC-shield from ChicaLogic.com. It’s free!
11. Scan with Chica PC-shield and it should find any leftover threats.

ProgramData\DSGSDGDSGDSGW.PAD (Exploit.Drop.GSA) -> Quarantined and deleted successfully.
Users\(yourname)\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\runctf.lnk (Trojan.Ransom.SUGen)
Please note that in some cases there will not be any leftovers since you have restored, but in most cases there will be.
12. You might also experience a pop-up after reboot that a file with a name like “wgsdgsdgdsgsd.exe” or something related “can not be found”.

Don’t worry about that. Either find the reference in the Registry yourself or use SLOWPCfighter to remove the entries.
Note: Your anti-virus or anti-spyware product might have been deactivated and its signature database deleted by the virus, so make sure you update or reinstall the product.
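The leftovers listed above sit in a Startup folder shortcut and a file dropped in ProgramData, and step 12 describes an autostart reference whose file is gone. As an added example (not part of the original guide), this read-only PowerShell script lists those locations and flags missing or oddly placed targets; the Run keys and Startup folder paths are the standard Windows Vista/7 locations, assumed here because the guide does not name them.

```powershell
# Added example: read-only audit of the autostart locations the guide mentions.
# It deletes nothing; review the output, then clean up by hand or with a scanner.
$shell   = New-Object -ComObject WScript.Shell
$entries = @()

# Startup folders (per-user and all-users), where runctf.lnk was reported.
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($dir in $startupDirs) {
    $entries += @(Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Source = $_.FullName
                Exe    = $shell.CreateShortcut($_.FullName).TargetPath }
        })
}

# Run keys: a stale value here causes the "cannot be found" pop-up from step 12.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $reg = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $reg) { continue }
    foreach ($name in $reg.GetValueNames()) {
        $cmd = [string]$reg.GetValue($name)
        # Pull the executable out of the command line (quoted path, or up to ".exe").
        if     ($cmd -match '^\s*"([^"]+)"')   { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(.+?\.exe)')  { $exe = $Matches[1] }
        else                                   { $exe = $cmd }
        $entries += New-Object PSObject -Property @{ Source = "$key [$name]"; Exe = $exe }
    }
}

# Flag targets that no longer exist or that run from ProgramData/AppData.
# Bare names without a path (resolved via PATH) are not checked for existence.
$entries | ForEach-Object {
    $hasPath = $_.Exe -match '\\'
    New-Object PSObject -Property @{
        Source          = $_.Source
        Exe             = $_.Exe
        Missing         = $hasPath -and -not (Test-Path -LiteralPath $_.Exe)
        UserWritableDir = $_.Exe -match '\\(ProgramData|AppData)\\'
    }
} | Select-Object Missing, UserWritableDir, Exe, Source | Format-List

# Loose files directly in ProgramData (like the .PAD file above) are unusual.
Get-ChildItem -Path $env:ProgramData -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object FullName, Length, LastWriteTime
```

Legitimate software also starts from AppData, so treat a flagged entry as something to look up, not as proof of infection.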
Good luck, and please be careful out there
This no longer works, many of the newest variants stop you from starting up in safe mode completely, thus rendering this particular fix ineffective. The only way I found to do this is to restart the computer and let it start up as normal, login, and immediately press CTRL+ALT+DELETE to try and get the task manager up before the ransomware page appears, and quit the application that is running. It usually requires several attempts, and you have to be quick. It’s worth trying this repeatedly until you succeed. Once you get it to quit, you can start the removal process, and run anti-malware and anti-virus software.
In Win 7 I found that you can open a program if you’re quick when Windows loads. If you do this and let the virus run after this, you can hit Ctrl+Alt+Delete and hit log off.
Because the other program is running when you log off it will prompt you “there are still programs running” are you sure you want to log off – just hit cancel.
From there you can install / run your anti-virus, AVG whatever.
On Win 7 I did manage to get this off my computer following the safe mode with command prompt instructions. After I swept up with Microsoft Security Essentials and the computer was reported clean, I noticed Microsoft Security Essentials had turned off 10 mins later.
I did another sweep with Malware Bytes and found more stuff. Then swept again with MSE and found more stuff also. It seems to respawn very quickly. By the time I had managed to restart the security services and get the thing off my computer it had changed my firewall settings so I could no longer have local network sharing. Entries were greyed out and could not be accessed to turn back on. I looked for a long time on the internet to find a remedy for this but could not and I gave up and reformatted. Just check your network settings after you think the virus is gone. Good luck
I had a reader come to me with this issue and your article was very helpful! Anybody that is having trouble with say getting the task manager to run cause this virus activates when loading the desktop, try running Rkill.exe. It’s free software but you will have to google to find the page and download it. When Rkill runs, it automatically kills bad processes like the Ukash virus. Then you can run your cleanup programs without the virus trying to mess with it! Hope that helps.
P.S. I like the way you put pictures in your post.
Hi,
I was unfortunate to get this virus and had my system blocked.
I tried to get to the Task Manager but couldn’t do it, so I tried to switch the user and logged on to my guest account.
From there it was easy to start Norton Security which found and cleaned 46 threats then I restored the computer settings to a previous date using the system restore.
Val
Logging in with another account saved me also. For some reason, the variant I had did not affect the second user ID. Logging on normally with that ID, I ran Malwarebytes and removed (hopefully..) After rebooting 3 times, running Malwarebytes 3 times, looks clean. If possible create a second user ID for emergency purposes. It just might save you serious aggravation.
Dear Phillip,
In the middle of trying to rid my computer of this virus from hell right now but freaked out they’d send my picture all over the internet. That was reassuring my friend. I’ve had this horrible thing before but not with the picture so that was a little unsettling. Thanks.
I have finally had some success removing this virus.
I hit ‘CTRL+ALT+DELETE’ while Windows is loading and before the Ransomware page loads (takes some doing). I then quickly hit the ‘Shutdown’ button and when the ‘Force Shutdown’ screen appears I fire up an application. I can then run ‘SpyHunter 4’, which seemed to identify the virus and remove it.
Thanks so much! This was really helpful!
Thank you all for your suggestions for further help it’s appreciated.
@Matt
Yes I had the virus myself and it took a picture and it also freaked me out a bit to start with.
@Luke
Thank you for that tip!
Hi
I used microsoft defender offline
http://windows.microsoft.com/is-is/windows/what-is-windows-defender-offline
Boot from usb device and scan worked perfectly
Br ove
When considering that there are guides online, outlining the process of altering an ukash virus, to point to your custom URL, this will be a very real threat, very soon!
Thanks for the warning, I think I’ve installed it :(
Thank you very much, ‘caught’ this and your guide was fantastic.
Seems to have cleared up using DOS prompt and restore.
Just need to clean the registry.
Thank you again
way way way ukash virus
thanks for the info