
How to remove the Ukash Virus

The Ukash Virus, or Ransom Virus, is an annoying piece of malware that is spreading widely across the internet. It used to appear only on “suspicious” porn sites, but it is also known to invade normal download sites displaying only harmless video content.

Please note that Ukash is a respectable online money transfer service that this scam takes advantage of; Ukash is in no way affiliated with the scam.

Fear not … it is removable!

Ukash virus removal

First, if you see yourself on a webcam on the web site, don’t worry. It’s not going to be displayed anywhere. It’s just a hoax.

Also, this site does not cooperate with any police force anywhere. The makers of this are just thieves and scam artists … but very clever thieves and scam artists!

Although the Ukash virus is changing all the time, the guide below is a pretty safe bet and has been tested on all the variants we have found.

Ukash Virus removal process

  1. Shut down your computer using the ON / OFF button.
  2. Remove / deactivate any wireless connection or internet cable.
  3. Start your computer and keep pressing F8 to activate the Safe Mode start options
    (some computers, like Medion, might want you to press something other than F8).
  4. When the Restart in Safe Mode options are available, choose:
    - Restart in Safe Mode with COMMAND PROMPT (this is important)
    No other Safe Mode or Restore option will work.
  5. When Windows has started in Safe Mode you will only see a command line
    (you might have to log in using your Windows password first).
  6. On the command line, type: RSTRUI.EXE
  7. This will prompt the Windows Restore function to open.

 Ukash virus System restore

 
8. Choose a restore point from a time you know your computer was working fine.
9. Let Windows restore itself … it might take 20-30 minutes.

When Windows is back up and running, you need to clean up the Ukash virus leftovers.

10. Download and install Chica PC-shield from ChicaLogic.com. It’s free!
11. Scan with Chica PC-shield and it should find any leftover threats.

Filesystem scanning for Ukash virus
ProgramData\DSGSDGDSGDSGW.PAD (Exploit.Drop.GSA) -> Quarantined and deleted successfully.

Users\(yourname)\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\runctf.lnk (Trojan.Ransom.SUGen)

Please note that in some cases there will not be any leftovers, since you have restored, but in most cases there will be.

12. You might also experience a pop-up after reboot saying that a file with a name like “wgsdgsdgdsgsd.exe” or something similar “can not be found”.

RunDLL popup from Ukash virus

Don’t worry about that. Either find the reference in the Registry yourself or use SLOW-PCfighter to remove the entries.
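A read-only check for the leftovers described above (a Startup-folder shortcut such as runctf.lnk, and an autostart reference to a file that no longer exists), added here as an example and not part of the original guide or of any product it mentions. It assumes PowerShell 3.0 or later and that the registry reference sits in the standard Run/RunOnce keys, which the guide does not name; the helper name Resolve-AutostartTarget is hypothetical.

```powershell
# Added example: read-only audit of autostart entries after a System Restore.
# Assumption: the "reference in Registry" is in the standard Run/RunOnce keys.
# Requires PowerShell 3.0 or later. Nothing is modified or deleted.

function Resolve-AutostartTarget {   # hypothetical helper name
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # rundll32 entries load the file named in the first argument (before the comma).
    if ($cmd -match '^"?[^"]*rundll32(\.exe)?"?\s+"?([^",]+)') { return $Matches[2].Trim() }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: stop at the first executable extension.
    if ($cmd -match '^(.+?\.(exe|dll|bat|cmd|scr|com))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$entries = @()

# 1. Run / RunOnce values for the current user and for all users.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $target = Resolve-AutostartTarget ([string]$item.GetValue($name))
        $entries += [pscustomobject]@{ Source = $key; Name = $name; Target = $target }
    }
}

# 2. Shortcuts in the per-user and all-users Startup folders.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    $links = Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue
    foreach ($lnk in $links) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        $target = Resolve-AutostartTarget ('"{0}" {1}' -f $sc.TargetPath, $sc.Arguments)
        $entries += [pscustomobject]@{ Source = $dir; Name = $lnk.Name; Target = $target }
    }
}

# 3. Flag entries whose file is gone (the "can not be found" pop-up) or that
#    start from a user-writable location such as ProgramData or AppData.
$report = foreach ($e in $entries) {
    $t = $e.Target
    $rooted = $t -match '^[A-Za-z]:\\|^\\\\'
    # Only fully qualified paths are checked; bare names resolve via PATH.
    $missing = if ($rooted) { -not (Test-Path -LiteralPath $t) } else { $null }
    [pscustomobject]@{
        Source        = $e.Source
        Name          = $e.Name
        Target        = $t
        TargetMissing = $missing
        UserWritable  = $t -match '\\(ProgramData|AppData|Temp)\\'
    }
}
$report | Sort-Object TargetMissing, UserWritable -Descending | Format-Table -AutoSize -Wrap
```

Legitimate software also starts from AppData, so a UserWritable flag is a prompt to look at the entry, not proof of infection; a row with TargetMissing set to True is the kind of dangling reference that produces the pop-up.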

Note: Your anti-virus or anti-spyware product might have been deactivated and its signature database deleted by the virus, so make sure you update or reinstall the product.

Good luck, and please be careful out there :-)

If all else fails use Chica-PCShield which runs on the Malwarebytes engine. This unique program automatically removes most infections instantly for future help as well.


About Philip Mahler

Digital Marketing Manager at SPAMfighter.

43 Comments

  1. Bill says:

    This no longer works, many of the newest variants stop you from starting up in safe mode completely, thus rendering this particular fix ineffective. The only way I found to do this is to restart the computer and let it start up as normal, login, and immediately press CTRL+ALT+DELETE to try and get the task manager up before the ransomware page appears, and quit the application that is running. It usually requires several attempts, and you have to be quick. It’s worth trying this repeatedly until you succeed. Once you get it to quit, you can start the removal process, and run anti-malware and anti-virus software.

  2. Paddy says:

    In win 7 I found that you can open a program if you’re quick when windows loads, if you do this and let the virus run after this you can hit ctrl+alt+delete and hit log off.

    Because the other program is running when you log off it will prompt you “there are still programs running” are you sure you want to log off – just hit cancel.

    From there you can install / run your anti-virus, AVG whatever.

  3. Rob says:

    On Win 7 I did manage to get this off my computer following the safe mode with command prompt instructions. After I swept up with Microsoft Security Essentials and the computer was reported clean, I noticed Microsoft Security Essentials had turned off 10 mins later.
    I did another sweep with Malware Bytes and found more stuff. Then swept again with MSE and found more stuff also. It seems to respawn very quickly. By the time I had managed to restart the security services and get the thing off my computer it had changed my firewall settings so I could no longer have local network sharing. Entries were greyed out and could not be accessed to turn back on. I looked for a long time on the internet to find a remedy for this but could not and I gave up and reformatted. Just check your network settings after you think the virus is gone.. Good luck

  4. Joe says:

    I had a reader come to me with this issue and your article was very helpful! Anybody that is having trouble with say getting the task manager to run cause this virus activates when loading the desktop, try running Rkill.exe. It’s free software but you will have to google to find the page and download it. When Rkill runs, it automatically kills bad processes like the Ukash virus. Then you can run your cleanup programs without the virus trying to mess with it! Hope that helps.

    P.S. I like the way you put pictures in your post.

  5. Val Ovtcharov says:

    Hi,
    I was unfortunate to get this virus and had my system blocked.
    I tried to get to the Task manager but couldn’t do it so I tried to switch the user and logged on to my guest’s account.
    From there it was easy to start Norton Security which found and cleaned 46 threats then I restored the computer settings to a previous date using the system restore.
    Val

  6. James says:

    Logging in with another account saved me also. For some reason, the variant I had did not affect the second user ID. Logging on normally with that ID, I ran Malwarebytes and removed (hopefully..) After rebooting 3 times, running Malwarebytes 3 times, looks clean. If possible create a second user ID for emergency purposes. It just might save you serious aggravation.

  7. matt helstrom says:

    Dear Phillip,

    In the middle of trying to rid my computer of this virus from hell right now but freaked out they’d send my picture all over the internet. That was reassuring my friend. I’ve had this horrible thing before but not with the picture so that was a little unsettling. Thanks.

  8. Luke says:

    I have finally had some success removing this virus.

    I hit ‘CTRL+ALT+DELETE’ while Windows is loading and before the Ransomware page loads (takes some doing). I then quickly hit the ‘Shutdown’ button and when the ‘Force Shutdown’ screen appears I fire up an application. I can then run ‘SpyHunter 4’ that seemed to identify the virus and remove it.

  9. Ames says:

    Thanks so much! This was really helpful! :)

  10. Thank you all for your suggestions for further help it’s appreciated.

    @Matt
    Yes I had the virus myself and it took a picture and it also freaked me out a bit to start with.

    @Luke
    Thank you for that tip!

  11. Ove says:

    Hi

    I used microsoft defender offline
    http://windows.microsoft.com/is-is/windows/what-is-windows-defender-offline

    Boot from usb device and scan worked perfectly
    Br ove

  12. One says:

    When considering that there are guides online, outlining the process of altering an ukash virus, to point to your custom URL, this will be a very real threat, very soon!

  13. ukash says:

    Thanks for the warning, I think I’ve installed it: (

  14. beeni says:

    Thank you very much, ‘caught’ this and your guide was fantastic.
    seems to have cleared up using dos prompt and restore.
    just need to clean the registry.

    Thank you again

  15. ukash says:

    way way way ukash viruss

  16. ukash says:

    thanks for the info

  17. David says:

    My PC got a Police spam, can someone out there help me to remove it.
    Thank you.
    david

  18. Geoff Devlin says:

    Thanks for the information. I followed your advice to the letter and removed the UKASH virus. Geoff

  19. ukash.web.tr says:

    Thanks for the information. I followed your advice to the letter and removed the UKASH virus. Geoff – See more at: ukash.web.tr

  20. Grace says:

    I wasn’t able to startup in safe mode with command prompt as it would shut down automatically and restart in normal mode.

    I started playing around on my desktop while it was displaying the afp/fbi ukash screen. I found I could press the windows button on my keyboard and access the start menu. From there I typed in command prompt in the search bar and clicked on command prompt in the start menu search results. It won’t allow the program to show on the screen but you can see it in the task bar if you press the windows button again. From here I realised that if I hovered my mouse on the command prompt button on the task bar I was able to see the miniature version of it just above the task bar. If I then hovered on that it would let me see the actual command prompt program on the screen. I could type rstrui.exe and hit enter and it worked. Even though the screen quickly reverts back to the FBI/afp screen it still accepts my typing. I keep hovering over the task bar and continue to go through the system restore process. So happy I discovered this as no other solutions were working for me!

  21. Rik Dollekamp says:

    If you can’t get it removed by booting with an usb stick or bootable CD-rom and safe mode is not working try the following:

    search google for autoruns, this program lets you edit the startuplist of an offline disk or computer. downloadable here: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

    search in the top of the list for a “.dat” file usually located in “application data\*”

    remove it

    offline scan the harddrive with malwarebytes (free)

    re-insert the harddrive into your pc or laptop.

    restart in safe-mode and scan it with Hitman Pro.

    after the files have been detected and removed make sure to uninstall the java component in software and programs, since there is no real use for the program anymore, unlike a few years ago. The reason you are getting the infection in the first place is because of a security breach in dated versions of Java.

    Java is not needed for online javascript websites.

    Hope this helps

  22. Thank you very much, Rik.

    A great solution as well.

  23. Dave P says:

    Thanks! I run a Dell Vostro laptop with windows 7. I did a hard shut down (hold power button) which triggered the safe mode option screen on restart. The safe mode with command prompt (the only one that worked) allowed me to get around the pesky virus, and the restore (back to a week ago) only took about 10 minutes. I did not download the recommended virus program as I have Trend Micro installed (um…thanks Trend for allowing this virus to take over my computer…NOT!) and am running a full scan right now. I also wiped all of my temp and internet cache files to clear out any lurking triggers. If that doesn’t work I may be searching for a new anti-virus program so PC Chica shield you may be next up….

  24. usa ex-pat says:

    ukash = (one) of the scums of the earth.may you rot in prison

  25. Alan D says:

    Excellent. Just fixed my computer. Thank you!!!

  26. Ukashal.com.tr says:

    Excellent. Just fixed my computer. Thank you!!!

  27. Siroj says:

    Thanks Alottttt …love u man !!! Great job u saved my $100. Thanks alotttt

  28. Thanks says:

    Thank you guys, especially Grace. I ran into this trouble, nothing worked in my win7 pc (none of the safe mode). Grace your technique worked great. When I got system restore, then I just TAB to select NEXT press enter (since my mouse didn’t work). Now I’ll be running a lot of scans.

    Thanks very much.

  29. Ausguy says:

    Worst virus because it disabled all versions of system restore in F8 safe mode, so no other solution than to get a voucher and pay the $100 (a risk but worth it for me). It says a couple of hours to wait for payment to register but took about 4-10 hours (when I woke up it had unlocked). From there I ran my Auslogics registry cleaner and boostspeed antivirus stuff and it cleaned it up. To be sure I system restored in safe mode and again ran the Auslogics programs to make sure.

  30. Ausguy says:

    Note: Once unlocked, avoid changing msconfig to safeboot if you couldn’t load safe mode when you had the virus (keeps restarting), it can get you stuck again even if your PC is unlocked.
    To locate some files of the virus and delete them:
    start – search – all files created (choose day you got virus) delete bad files

  31. Larry H. says:

    Thanks for your information about “How to remove the Ukash Virus” – it was a useful resource and I’ve bookmarked your site for future reference.

    Are there any other antivirus removal tool blogs (or web resources in general) that you can recommend to me?

    Cheers!

  32. Aninda says:

    Thanks for the information. I followed your advice to the letter and removed the UKASH virus. Geoff

  33. Honeybl says:

    You should also run a program called hijackthis to periodically check for viruses, malware, browser hijacks, and so forth.

  34. Nigel Bull says:

    Hello

    I can not get my computer to start with the command prompt, it just starts up as normal and I get the police screen. I can get a start screen for an instant using the windows key and whatever programmes I try to open come up along the bottom of the screen. Unlike Grace that is where it ends as I cannot progress any further.

    Any help is most welcome.

    Thank you

    Nigel

  35. Alon says:

    Hi Nigel, I think what Grace means is that you can carry on typing provided you have made the command window current – I used “alt-tab” to get to it. Typing still works even though when you are typing you can only see the hijack screen of the Ukash virus. So, alt-tab until the command window is “current” and then type in your command rstrui.exe and press enter. alt-tab again and you will see the restore program on one of the tabs.

  36. Vince says:

    OVE solution works, i just had this virus and the boot device from usb under windows 7 worked 100%. So try OVE solution from March 2013 first

  37. Catherine Clarke says:

    Success! I thought I would share my experience here as it might help another victim to get this fixed in less time than it took me!

    Like others, I couldn’t get into safe mode, I tried following instructions to clear it using Kaspersky without much success…that caught one virus, but although it identified others, it couldn’t remove them. I also ran the Kaspersky Windowsunlocker command from the Terminal function. Again, it found stuff, but when I attempted to restart, I still could not get safe mode to run and Windows remained blocked.

    I then followed instructions to create and boot from a HitmanPro boot disk. This got me in, but hitman just crashed every time. Very frustrating.

    Next, I created a Microsoft offline Defender boot disk and booted from that. That identified and removed another virus. However, restarting, I found the problem was not fixed.

    Thank you for the hint about doing Ctrl alt delete and cancelling the log off process! ( I wish I had found this thread earlier, it could have saved me hours!) My pc was doing the Log Off too fast to cancel, but because I could get to the start menu, I opened Word, then did the log off…that gave me time to cancel. When I had control of the desktop, I could then create an additional user. I tried to install malwarebytes at this point, but nothing seemed to work properly…the virus was affecting all software that I was trying to use to remove it. However, restarting the pc again, I found that I was now able to open windows in Safe Mode.

    Once in safe mode with networking, I had to completely uninstall both Malwarebytes and HitmanPro as neither was working properly. Malwarebytes have a utility for complete removal which I downloaded and ran, Hitman pro doesn’t, so I took the precaution of removing all references to it from the registry. Once reinstalled I ran both programs (twice for good measure). Both found viruses and removed them. Phew.

    At this point I rebooted in standard mode, then ran Ccleaner. I was running Avg AV …I’m not sure whether that was compromised, certainly it failed to block the original infection, so I have uninstalled it and replaced it with Avast. All now appears to be well, and the pc is running normally.

  38. Adonis says:

    Just put off your internet connection router and the virus will be gone. It worked for me. It’s not always that the virus is in the computer so try it and let me know if it worked for u. It worked for me haha.

  39. Adonis says:

    but I’m still gonna scan and check my whole computer. it looks like the virus needs internet to work but can’t do anything without internet so first put internet off and then scan with da anti-viruses u want happy luck.

  40. Craig says:

    In windows 8.1, simply hit CTRL ALT DELETE, then click on task manager, click on the browser you are using in the tasks and then click END TASK……the browser will then close. Then run your Malware program. Simple!

  41. Luanne Hanify says:

    Really good read, thanks!

  42. justme says:

    ADONIS THANKS SHUTTING DOWN INTERNET DID THE JOB 11 09 2014 2PM

  43. Kevin Andrews says:

    I had a very nasty new Ransomware attack yesterday in the UK, I run dual boot Windows 7/Windows8.1. I could not do anything with Windows 8.1, no boot screen nothing. Worst of all no recovery disk to hand, not sure if this would have solved the issue though.

    So I opted for Automatic repair, tried Safe Mode not a chance, I then tried Startup repair, Refresh and Reset nothing worked. I then came across Microsoft instructions to rename Software and System in system32 via command prompt and then attempt refresh or reset this failed big time.

    So this is what I ended up doing including instructions that Microsoft omitted:
    1. Restart PC – hit F8 to start Auto Repair.
    2. Go to Troubleshoot>Advanced Options and select Command Prompt.
    3. Enter password when prompted and CMD will open, its default drive will be X:.
    4. Type your drive i.e. C: your drive may have a different letter if more than one so check volume label to confirm.
    5. Type cd windows\system32\config.
    6. Type ren system system.001 and then type ren software software.001.
    7. Shutdown and reboot the system, Auto Repair will start.
    8. Go to Troubleshoot>Advanced Options and select Startup Repair.
    9. Once complete the system will reboot and allow you to login as normal.
    10. Install Malwarebytes Anti-Malware scan and remove any infected files, reboot when prompted.
    11. You should now be infection free and no changes are made to your current system.

    Hope this is helpful, having experienced Ransomware it is not nice but is fixable.
