Gpcode Ransomware

Malware removal
By Kristopher on March 28, 2011

Traditional ransomware is difficult to build, but a few talented hackers and web scammers have put together some impressive ransomware threats over the years—including Trojan.Gpcoder.F and Gpcode.AK. The folks at Kaspersky recently discovered a new addition in this Gpcode series, and while this new one is much like the older version, it does have some infuriating new features.

Long story short, this ransomware virus barges into your computer through badware websites and drops a text file claiming that “All your personal files (photo, documents, texts, databases, certificates, video) have been encrypted by a very strong cypher RSA-1024.” It goes on to say that to get your files back you will need to send $125 via “Ukash/PSC pre-paid cards.” You’ll also see a desktop image resembling the picture to the left. The text reads:

Attention!!!!!!

All your personal files were encrypted with a strong algorithm RSA-1024 and you can’t get an access to them without making of what we need!

Read the TXT file on desktop!

Just do it as fast as you can!

Remember: Don’t try to tell someone about this message if you want to get your files back! Just do all we told.

Unfortunately, manual removal for the Gpcode ransomware is not easy unless you’re a computer whiz, so the best option is to restart in Safe Mode with Networking and run a full scan with STOPzilla or another legitimate antibadware program. If that doesn’t work, you can also run a system restore to return your computer to a time before you got the Gpcode ransomeware.

DIY Gpcode Ransomware Removal Instructions

Start by removing the above files. If you're not sure how to do this, refer to the instructions below.

Note: In any files I mention above, “%UserProfile%” is a variable referring to your current user’s profile folder. (Not an iEuphemism for muth@fugg@#*!@.) So if you’re using Windows NT/2000/XP/7, by default this is “C:\Documents and Settings\[CURRENT USER]” (e.g., “C:\Documents and Settings\NoahFence”).

How to Manually Delete Badware Files

Need some removing badware files help? No biggie. While you should only manually delete badware files if you're comfy editing your system, you'll find it's pretty easy. And probably really satisfying.

How to delete badware files in Windows XP/Vista/7:

  1. Click your Windows Start menu, then click "Search."
  2. A pop up will ask, "What do you want to search for?" Click "All files and folders."
  3. Type a badware file in the search box, and select "Local Hard Drives."
  4. Click "Search." Once the badware file is found, delete it.

How to stop badware processes:

  1. Click the Start menu, select Run.
  2. Type taskmgr.exe into the the Run command box, and click "OK." You can also launch the Task Manager by pressing keys CTRL + Shift + ESC.
  3. Click Processes tab, and find badware processes.
  4. Once you've found the badware processes, right-click them and select "End Process" to kill badware.

badware processes

How to remove badware registry keys:

Backup your registry before you edit it. Then...

  1. Click the Start menu, and click "Run." An "Open" field will appear. Type "regedit" and click "OK " to open up your Registry Editor. In Windows 7, just type "regedit" into the "Search programs and files" box in the Start menu.
  2. Registry Editor opens as a two-paned window: the left side lets you select registry keys,the right side shows the values of any selected registry key.
  3. To find a badware registry key, select "Edit," then select "Find," and in the search bar type any of badware 's registry keys.
  4. When the badware registry key appears, to delete the badware registry key, right-click it, and select "Modify," then select "Delete."

Deleting badware Registry Keys

How to delete badware DLLs:

  1. Open the Start menu, and click "Run." Type "cmd" in Run, and click "OK." (In Windows 7, just type "regedit" into the "Search programs and files" box in the Start menu.)
  2. To change your current directory, type "cd" in the command box, press "Space," and enter the full directory where the badware DLL is located. If you're not sure where the badware DLL is located, enter "dir" in the command box to display a directory's contents. To go one directory back, type "cd .." in the command box and press "Enter."
  3. When you've found a badware DLL, type "regsvr32 /u SampleDLLName.dll" (e.g., "regsvr32 /u jl27script.dll") and press "Enter."

That's it. If you want to restore any badware DLL you removed, type "regsvr32 DLLJustDeleted.dll" (e.g., "regsvr32 jl27script.dll") into your command box, and press "Enter."

Did badware change your homepage?

  1. Select Start menu > Control Panel > Internet Options > General.
  2. Type your preferred home page's URL.
  3. Click "Use Default," "Apply," and "OK."