
How to remove the Ukash Virus

The Ukash Virus, or Ransom Virus, is an annoying piece of malware that is spreading widely all over the internet. It used to be found only on “suspicious” porn sites, but it is now also known to invade normal download sites displaying only harmless video content.

Please note that Ukash is a respectable online money transfer service that this scam takes advantage of; the service is in no way affiliated with the scam.

Fear not … it is removable!

Ukash virus removal

First, if you see yourself on a webcam on the web site, don’t worry. It’s not going to be displayed anywhere. It’s just a hoax.

Also, this site does not cooperate with any police force anywhere. The makers of this are just thieves and scam artists … but very clever thieves and scam artists!

Although the Ukash virus is changing all the time, the guide below is a pretty safe bet and has been tested on all the variants we have found.

Ukash Virus removal process

  1. Shut down your computer using the ON / OFF button.
  2. Remove / deactivate any wireless connection or internet cable.
  3. Start your computer and keep pressing F8 to activate the Safe Mode start options
     (some computers, like Medion, might want you to press something other than F8).
  4. When the Restart in Safe Mode options are available, choose:
     – Restart in Safe Mode with COMMAND PROMPT (this is important).
     No other Safe Mode or Restore option will work.
  5. When Windows has started in Safe Mode you will only see a command line
     (you might have to log in using your Windows password first).
  6. On the command line, type: RSTRUI.EXE
  7. This will prompt the Windows Restore function to open.

 Ukash virus System restore

8. Choose a restore point from a time you know your computer was working fine.
9. Let Windows restore itself … it might take 20-30 minutes.

When Windows is back up, you need to clean up the Ukash virus leftovers.

10. Download and install Chica PC-shield. It’s free!
11. Scan with Chica PC-shield and it should find any leftover threats.

Filesystem scanning for Ukash virus
ProgramData\DSGSDGDSGDSGW.PAD (Exploit.Drop.GSA) -> Quarantined and deleted successfully.

Users\(yourname)\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\runctf.lnk (Trojan.Ransom.SUGen)

Please note that in some cases there will not be any leftovers, since you have restored the system, but in most cases there will be.

12. You might also experience a pop-up after reboot that a file with a name like “wgsdgsdgdsgsd.exe” or something related “can not be found”.

RunDLL popup from Ukash virus

Don’t worry about that. Either find the reference in the Registry yourself or use SLOW-PCfighter to remove the entries.
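A read-only way to locate the leftover references described above (a Startup shortcut such as runctf.lnk, or an autostart entry whose file “can not be found”), as an added PowerShell example that is not part of the original article. The Run keys and the list of data folders it checks are assumptions about where such entries sit; the article itself only names the Startup folder, ProgramData and “Registry”.

```powershell
# Added example, not from the original article. Read-only: it reports, never deletes.
# Assumption: leftovers sit in the Run keys, Startup folders and data folders below.
$dataRoots = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Get-AutostartTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # Program = quoted path, else unquoted path up to a known extension, else first word.
    if ($cmd -match '^"([^"]+)"\s*(.*)$' -or
        $cmd -match '^(.+?\.(?:exe|com|bat|cmd|scr))(?:\s+(.*))?$' -or
        $cmd -match '^(\S+)\s*(.*)$') {
        $exe = $Matches[1]; $rest = [string]$Matches[2]
    } else { return $null }
    # "rundll32 <file>,<export>": the file that gets loaded is the first argument.
    if ($exe -match '(^|\\)rundll32(\.exe)?$' -and
        ($rest -match '^"([^"]+)"' -or $rest -match '^([^,\s][^,]*)')) {
        $exe = $Matches[1].Trim()
    }
    return $exe
}

function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $target = Get-AutostartTarget $CommandLine
    if (-not $target) { return }
    $resolved = $target
    if ($target -notmatch '[\\/]') {
        # Bare name such as "notepad.exe": resolve it through PATH.
        $app = Get-Command -Name $target -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($app) { $resolved = $app.Path }
    }
    $finding = @()
    if (-not (Test-Path -LiteralPath $resolved -PathType Leaf -ErrorAction SilentlyContinue)) { $finding += 'target missing (stale entry)' }
    foreach ($root in $dataRoots) {
        if ($resolved.StartsWith($root.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) {
            $finding += 'runs from a user-writable data folder'; break
        }
    }
    if ($finding) {
        [pscustomobject]@{ Source = $Source; Name = $Name; Target = $resolved; Finding = $finding -join '; ' }
    }
}

function Get-SuspectAutostart {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $reg = Get-Item $key
        foreach ($name in $reg.GetValueNames()) {
            Test-AutostartEntry $key $name ([string]$reg.GetValue($name))
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $folder -File -Force) {
            if ($file.Name -ieq 'desktop.ini') { continue }
            $cmd = '"{0}"' -f $file.FullName          # a file dropped directly in Startup
            if ($file.Extension -ieq '.lnk') {
                $lnk = $shell.CreateShortcut($file.FullName)
                if (-not $lnk.TargetPath) { continue } # shell-item shortcut, nothing to check
                $cmd = '"{0}" {1}' -f $lnk.TargetPath, $lnk.Arguments
            }
            Test-AutostartEntry $folder $file.Name $cmd
        }
    }
}

Get-SuspectAutostart | Format-Table -AutoSize -Wrap
```

Run it while logged on as the affected account, since HKCU and the user Startup folder are per-user. Review each row before removing anything, because legitimate software also starts from AppData.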

Note: Your anti-virus or anti-spyware product might have been deactivated and its signature database deleted by the virus, so make sure you update or reinstall the product.

Good luck, and please be careful out there 🙂

If all else fails, use Chica-PCShield, which runs on the Malwarebytes engine. This unique program automatically removes most infections instantly for future help as well.


About Philip Mahler

VP of Marketing at SPAMfighter.


  1. Bill says:

    This no longer works, many of the newest variants stop you from starting up in safe mode completely, thus rendering this particular fix ineffective. The only way I found to do this is to restart the computer and let it start up as normal, login, and immediately press CTRL+ALT+DELETE to try and get the task manager up before the ransomware page appears, and quit the application that is running. It usually requires several attempts, and you have to be quick. It’s worth trying this repeatedly until you succeed. Once you get it to quit, you can start the removal process, and run anti-malware and anti-virus software.

  2. Paddy says:

    In win 7 I found that you can open a program if you’re quick when windows loads, if you do this and let the virus run after this you can hit ctrl+alt+delete and hit log off.

    Because the other program is running when you log off it will prompt you “there are still programs running” are you sure you want to log off – just hit cancel.

    From there you can install / run your anti-virus, AVG whatever.

  3. Rob says:

    On Win 7 I did manage to get this off my computer following the safe mode with command prompt instructions. After I swept up with Microsoft Security Essentials and computer was reported clean I noticed Microsoft Security Essentials had turned off 10 mins later.
    I did another sweep with Malware Bytes and found more stuff. Then swept again with MSE and found more stuff also. It seems to respawn very quickly. By the time I had managed to restart the security services and get the thing off my computer it had changed my firewall settings so I could no longer have local network sharing. Entries were greyed out and could not be accessed to turn back on. I looked for a long time on the internet to find a remedy for this but could not and I gave up and reformatted. Just check your network settings after you think the virus is gone.. Good luck

  4. Joe says:

    I had a reader come to me with this issue and your article was very helpful! Anybody that is having trouble with say getting the task manager to run cause this virus activates when loading the desktop, try running Rkill.exe. It’s free software but you will have to google to find the page and download it. When Rkill runs, it automatically kills bad processes like the Ukash virus. Then you can run your cleanup programs without the virus trying to mess with it! Hope that helps.

    P.S. I like the way you put pictures in your post.

  5. Val Ovtcharov says:

    I was unfortunate to get this virus and had my system blocked.
    I tried to get to the Task manager but couldn’t do it so I tried to switch the user and logged on to my guest’s account.
    From there it was easy to start Norton Security which found and cleaned 46 threats then I restored the computer settings to a previous date using the system restore.

  6. James says:

    Logging in with another account saved me also. For some reason, the variant I had did not affect the second user ID. Logging on normally with that ID, I ran Malwarebytes and removed (hopefully..) After rebooting 3 times, running Malwarebytes 3 times, looks clean. If possible create a second user ID for emergency purposes. It just might save you serious aggravation.

  7. matt helstrom says:

    Dear Phillip,

    In the middle of trying to rid my computer of this virus from hell right now but freaked out they’d send my picture all over the internet. That was reassuring my friend. I’ve had this horrible thing before but not with the picture so that was a little unsettling. Thanks.

  8. Luke says:

    I have finally had some success removing this virus.

    I hit ‘CTRL+ALT+DELETE’ while Windows is loading and before the Ransomware page loads (takes some doing). I then quickly hit ‘Shutdown’ button and when the ‘Force Shutdown’ screen appears I fire up an application. I can then run ‘SpyHunter 4’ that seemed to identify the virus and remove it.

  9. Ames says:

    Thanks so much! This was really helpful! 🙂

  10. Thank you all for your suggestions for further help it’s appreciated.

    Yes I had the virus myself and it took a picture and it also freaked me out a bit to start with.

    Thank you for that tip!

  11. Ove says:


    I used microsoft defender offline

    Boot from usb device and scan worked perfectly
    Br ove

  12. One says:

    When considering that there are guides online, outlining the process of altering an ukash virus, to point to your custom URL, this will be a very real threat, very soon!

  13. ukash says:

    Thanks for the warning, I think I’ve installed it: (

  14. beeni says:

    Thank you very much, ‘caught’ this and your guide was fantastic.
    seems to have cleared up using dos prompt and restore.
    just need to clean the registry.

    Thank you again

  15. ukash says:

    way way way ukash viruss

  16. ukash says:

    thanks for the info

  17. David says:

    My PC got a Police spam, can someone out there help me to remove it.
    Thank you.

  18. Geoff Devlin says:

    Thanks for the information. I followed your advice to the letter and removed the UKASH virus. Geoff


  20. Grace says:

    I wasn’t able to startup in safe mode with command prompt as it would shut down automatically and restart in normal mode.

    I started playing around on my desktop while it was displaying the afp/fbi ukash screen. I found I could press the windows button on my keyboard and access the start menu. From there I typed in command prompt in the search bar and clicked on command prompt in the start menu search results. It won’t allow the program to show on the screen but you can see it in the task bar if you press the windows button again. From here I realised that if I hovered my mouse on the command prompt button on the task bar I was able to see the miniature version of it just above the task bar. If I then hovered on that it would let me see the actual command prompt program on the screen. I could type rstrui.exe and hit enter and it worked. Even though the screen quickly reverts back to the FBI/afp screen it still accepts my typing. I keep hovering over the task bar and continue to go through the system restore process. So happy I discovered this as no other solutions were working for me!

  21. Rik Dollekamp says:

    If you can’t get it removed by booting with a USB stick or bootable CD-ROM and safe mode is not working, try the following:

    search google for autoruns, this program lets you edit the startuplist of an offline disk or computer. downloadable here:

    search in the top of the list for a “.dat” file usually located in “application data\*”

    remove it

    offline scan the harddrive with malwarebytes (free)

    re-insert the harddrive into your pc or laptop.

    restart in safe-mode and scan it with Hitman Pro.

    after the files have been detected and removed make sure to uninstall the java component in software and programs, since there is no real use for the program anymore, unlike a few years ago. The reason you are getting the infection in the first place is because of a security breach in dated versions of Java.

    Java is not needed for online javascript websites.

    Hope this helps

  22. Dank u wel Rik.

    A great solution as well.

  23. Dave P says:

    Thanks! I run a Dell Vostro laptop with windows 7. I did a hard shut down (hold power button) which triggered the safe mode option screen on restart. The safe mode with command prompt (the only one that worked) allowed me to get around the pesky virus, and the restore (back to a week ago) only took about 10 minutes. I did not download the recommended virus program as I have Trend Micro installed (um…thanks Trend for allowing this virus to take over my computer…NOT!) and am running a full scan right now. I also wiped all of my temp and internet cache files to clear out any lurking triggers. If that doesn’t work I may be searching for a new anti-virus program so PC Chica shield you may be next up….

  24. usa ex-pat says:

    ukash = (one) of the scums of the earth.may you rot in prison

  25. Alan D says:

    Excellent. Just fixed my computer. Thank you!!!


  27. Siroj says:

    Thanks Alottttt …love u man !!! Great job u saved my $100. Thanks alotttt

  28. Thanks says:

    Thank you guys, especially Grace. I ran into this trouble, nothing worked in my win7 pc (none of the safe mode). Grace your technique worked great. When I got system restore, then I just TAB to select NEXT press enter (since my mouse didn’t work). Now I’ll be running a lot of scans.

    Thanks very much.

  29. Ausguy says:

    Worst virus because it disabled all versions of system restore in F8 safe mode, so no other solution than to get a voucher and pay the $100 (a risk but worth it for me). It says a couple of hours to wait for payment to register but took about 4-10 hours (when I woke up it had unlocked). From there I run my Auslogics registry cleaner and boostspeed antivirus stuff and it cleaned it up. To be sure I system restored in safe mode and again ran the Auslogics programs to make sure.

  30. Ausguy says:

    Note: Once unlocked, avoid changing msconfig to safeboot if you couldn’t load safe mode when you had the virus (keeps restarting), it can get you stuck again even if your PC is unlocked.
    To locate some files of the virus and delete them:
    start – search – all files created (choose day you got virus) delete bad files

  31. Larry H. says:

    Thanks for your information about “How to remove the Ukash Virus” – it was a useful resource and I’ve bookmarked your site for future reference.

    Are there any other antivirus removal tool blogs (or web resources in general) that you can recommend to me?


  32. Aninda says:

    Thanks for the information. I followed your advice to the letter and removed the UKASH virus. Geoff

  33. Honeybl says:

    You should also run a program called hijackthis to periodically check for viruses, malware, browser hijacks, and so forth.

  34. Nigel Bull says:


    I can not get my computer to start with the command prompt, it just starts up as normal and I get the police screen. I can get a start screen for an instant using the windows key and whatever programmes I try to open come up along the bottom of the screen. Unlike Grace that is where it ends as I cannot progress any further.

    Any help is most welcome.

    Thank you


  35. Alon says:

    Hi Nigel, I think what Grace means is that you can carry on typing provided you have made the command window current – I used “alt-tab” to get to it. Typing still works even though when you are typing you can only see the hijack screen of the Ukash virus. So, alt-tab until the command window is “current” and then type in your command rstrui.exe and press enter. alt-tab again and you will see the restore program on one of the tabs.

  36. Vince says:

    OVE solution works, i just had this virus and the boot device from usb under windows 7 worked 100%. So try OVE solution from March 2013 first

  37. Catherine Clarke says:

    Success! I thought I would share my experience here as it might help another victim to get this fixed in less time than it took me!

    Like others, I couldn’t get into safe mode, I tried following instructions to clear it using Kaspersky without much success…that caught one virus, but although it identified others, it couldn’t remove them. I also ran the Kaspersky Windowsunlocker command from the Terminal function. Again, it found stuff, but when I attempted to restart, I still could not get safe mode to run and Windows remained blocked.

    I then followed instructions to create and boot from a HitmanPro boot disk. This got me in, but hitman just crashed every time. Very frustrating.

    Next, I created a Microsoft offline Defender boot disk and booted from that. That identified and removed another virus. However, restarting, I found the problem was not fixed.

    Thank you for the hint about doing Ctrl alt delete and cancelling the log off process! ( I wish I had found this thread earlier, it could have saved me hours!) My pc was doing the Log Off too fast to cancel, but because I could get to the start menu, I opened Word, then did the log off…that gave me time to cancel. When I had control of the desktop, I could then create an additional user. I tried to install malwarebytes at this point, but nothing seemed to work properly…the virus was affecting all software that I was trying to use to remove it. However, restarting the pc again, I found that I was now able to open windows in Safe Mode.

    Once in safe mode with networking, I had to completely uninstall both Malwarebytes and HitmanPro as neither was working properly. Malwarebytes have a utility for complete removal which I downloaded and ran, Hitman pro doesn’t, so I took the precaution of removing all references to it from the registry. Once reinstalled I ran both programs (twice for good measure). Both found viruses and removed them. Phew.

    At this point I rebooted in standard mode, then ran Ccleaner. I was running Avg AV …I’m not sure whether that was compromised, certainly it failed to block the original infection, so I have uninstalled it and replaced it with Avast. All now appears to be well, and the pc is running normally.

  38. Adonis says:

    Just put off your internet connection router and the virus will be gone. it worked for me its not always that the virus is in the computer so try it and let me know if it worked for u. it worked for me haha.

  39. Adonis says:

    but im still gonna scan and check my whole computer. it looks like the virus needs internet to work but cant do anything without internet so first put internet off and then scan with da anti-viruses u want happy luck.

  40. Craig says:

    In windows 8.1, simply hit CTRL ALT DELETE, then click on task manager, click on the browser you are using in the tasks and then click END TASK……the browser will then close. Then run your Malware program. Simple!

  41. Luanne Hanify says:

    Really good read, thanks!

  42. justme says:


  43. Kevin Andrews says:

    I had a very nasty new Ransomware attack yesterday in the UK, I run dual boot Windows 7/Windows8.1. I could not do anything with Windows 8.1, no boot screen nothing. Worst of all no recovery disk to hand, not sure if this would have solved the issue though.

    So I opted for Automatic repair, tried Safe Mode not a chance, I then tried Startup repair, Refresh and Reset nothing worked. I then came across Microsoft instructions to rename Software and System in system32 via command prompt and then attempt refresh or reset this failed big time.

    So this is what I ended up doing including instructions that Microsoft omitted:
    1. Restart PC – hit F8 to start Auto Repair.
    2. Go to Troubleshoot>Advanced Options and select Command Prompt.
    3. Enter password when prompted and CMD will open, its default drive will be X:.
    4. Type your drive i.e. C: your drive may have a different letter if more than one so check volume label to confirm.
    5. Type cd windows\system32\config.
    6. Type ren system system.001 and then type ren software software.001.
    7. Shutdown and reboot the system, Auto Repair will start.
    8. Go to Troubleshoot>Advanced Options and select Startup Repair.
    9. Once complete the system will reboot and allow you to login as normal.
    10.Install Malwarebytes Anti-Malware scan and remove any infected files, reboot when prompted.
    11.You should now be infection free and no changes are made to your current system.

    Hope this is helpful, having experienced Ransomware it is not nice but is fixable.

  44. irfan says:

    Thanx it was a very useful content. Lately I have been having lots of issues with these malwares and viruses, could you guide me which antivirus suite I should buy. I would like an economical one, which could give me overall protection from all the threats as I do lot of purchasing online.

  45. BK says:

    Hi – i got this virus yesterday and my machine will not boot in safe mode.. Trying to reinstall Windows 7 and that not working either.. any tips or has this virus just trashed my $2000 machine….Would love to meet the “genius” that made this virus..Any help would be great. Thanks

  46. RikDol says:

    I was able to remove it from a Windows XP computer, by removing the harddrive from the infected pc, hooked it up to another pc by using either an USB interface (external hdd housing) or connecting it on a free sata port. Then after hooking the drive up, i started a malwarebytes scan (on the connected drive) which removed 2 files. (after approx 2 hours of scanning).

    after reboot indeed the error message came up that a file was missing, so i ran a new malwarebytes scan (full), superantispyware-scan (full) and used adwcleaner +jrt (junkware removal tool) to get rid of the last bits and pieces.

    This was done for a client and took half a day for all scans to complete,clean, reboot etc.

  47. Tarek Said says:

    I got the ukash virus, i used msconfig to allow “safe mode alternate shell start” to be able to do system restore, when I hit restart, the windows 8 can’t boot, keeps trying over and over again unsuccessfully.

  48. Kim Falkner says:


    Wow, that was quite a job you did there and just shows how difficult Ukash can be to get rid of. Thank you for the input.

  49. Nat Dobson says:

    I have a new computer n no matter what i do i cant get rid of the ukash virus. I have a hp n its windows 8.1

  50. Nat Dobson says:

    I have a new computer with windows 8.1, but i can’t get rid of the ukash virus

  51. Craig Povey says:

    In windows 8 or 8.1 simply hit CTRL ALT DELETE, then click on task manager, click on the browser you are using in the tasks and then click END TASK……the browser will then close. Then run your Malware program. Simple!

  52. It’s hard to find educated people about this topic, but
    you sound like you know what you’re talking about! Thanks

  53. Paul says:

    Was easy to remove. Restart, press F8 or F12. Choose “safe mode” then “system repair”.
    That’ll teach me to enter those disgustingly vile porn sites. Haven’t opened them since.

  54. daniel says:

    well i was going to write how i got rid of it,but then i realized that the people making this virus is probably looking online how people get rid of it and make new versions that bypass….crap..i was going to tell all how i deleted this virus …. 🙁

  55. Computer Guy says:

    Malware like this can be such a pain to get rid of, particularly for computer users who are inexperienced with this sort of thing. Being careful is really important point with regards to removing these programs on your own, and I’m glad you mentioned it. A few months ago a friend of mine got his computer infected with something that looked incredibly similar to this, and tried to fix it on his own. Unfortunately in the end he deleted a lot of files and folders he shouldn’t have, making his computer useless. Sometimes you do have to ask for some help!

  56. phil says:

    Does anyone know how to get rid of it off your phone????

  57. errold sedems says:

    I have the ukash virus on my kobo arc10hd tablet and have no way of starting it in a safe mode. HOW DO I GET RID OF THIS ON A TABLET???

  58. Christina Urban Sørensen says:

    Hi Errold Sedems,
    Unfortunately we can’t help you, but I would recommend you to google “Remove Ukash virus on Android” and try to follow a guide from there.
    Best of luck!


  60. Christine says:

    I have the FBI virus on my Samsung tablet and cannot reboot to safe mode, it just pops up into the virus page. Can I clean this out via a USB cord to my PC? Any ideas?

  61. Thanks for posting this interesting post. I found your article very helpful.

  62. This is a wonderful post, with many details. Ukash is a weird virus and hard to remove from any computer or laptop. The information on your blog is very useful even for a normal user.

  63. Henry Price says:

    Thank you for this! From now on, I will activate my ESET Antivirus and bookmarked your site for future references.

  64. carter says:

    Thanks for sharing and giving information. I really found your post very helpful.


  66. BenjamineDupont says:

    Thank you for sharing this information with us. We appreciate you for this valuable information.



  68. Hattie Skertchly says:

    Keep up the good work!
