
Australian Federal Police (AFP) scam - Ukash virus

Australian Federal Police scam (MoneyPak Virus) - how to unblock your PC?

Australian Federal Police scam is one of many ransomware infections (screen lockers) that target unsuspecting PC users all over the world. This method of stealing money from PC users has become very popular among cyber criminals, and they continue to create and distribute new ransomware infections. This particular ransomware targets computer users in Australia. Such screen lockers are able to detect your computer's IP address and present a localised version of the deceptive message that blocks the computer's screen.

For example, if you were a citizen of Sweden, you would be presented with a message that supposedly comes from Den Svenska Polisen IT-Sakerhet. Cyber criminals have translated their ransomware infections into most European languages. The deceptive message shown by Australian Federal Police ransomware states that your PC was blocked because you were using or distributing copyrighted content. This statement is totally false: neither the Australian Federal Police nor any other authority uses such screen lockers to collect fines. In reality, this screen is designed by cyber criminals who hope that you will fall for the deceptive message and pay the non-existent fine. Note that several different ransomware families target PC users from Australia (Urausy, Reveton, etc.); this removal guide will work when dealing with any of them.

Australian Federal Police MoneyPak Virus - PC Blocked

Screenshot of a different variant of AFP ransomware virus:

AFP Australian Federal Police ransomware virus

Australian Federal Police ransomware, like its predecessors, is distributed using Trojans and exploit kits. Cyber criminals set up malicious websites and use other misleading methods to infect as many computers as possible. This particular ransomware infection originates from a family of screen lockers named Urausy. This rogue family targets computer users from Australia, the United States, Poland and many other countries. If your PC is blocked by Australian Federal Police ransomware, you can use the provided removal guide to help eliminate it from your computer.

Ukash (Smart Voucher Limited) is a legitimate company and it's not related to ransomware viruses - Cyber criminals are using this service to extort money from unsuspecting PC users.

Fake message shown in Australian Federal Police ransomware:

ATTENTION! Your PC is blocked due to at least one of the reasons specified below. You have been violating "Copyright and Related Rights Law o (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article 128 of the Criminal Code of Australia.
Article 128 of the Criminal Code provides for a fine of 200 to 500 minimal wages or a deprivation of liberty for 2 to 8 years.
You have been viewing or distributing prohibited Pornographic content (Child Porn/Zoophilia and etc). Thus violating Article 202 of the Criminal Code of Australia. Article 202 of the Criminal Code provides for a deprivation of liberty for 4 to 12 years. Illegal access to computer data has been initiated from your PC, or you have been... Article 208 of the Criminal Code provides for a fine of up to AUD $100,000 and/or a deprivation of liberty for 4 to 9 years.
Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law On Neglectful Use of Personal Computer.
Article 210 of the Criminal Code provides for a fine of AUD $2,000 to AUD $8,000.
Spam distribution or other unlawful advertising has been effected from your PC as a profit-seeking activity or without your knowledge, your PC may be infected by malware.
Article 212 of the Criminal Code provides for a fine of up to AUD $250,000 and a deprivation of liberty of up to 6 years. In case this activity has been effected without your knowledge, you fall under the above mentioned article 210 of the Criminal Code of Australia.
Your personality and address are currently being identified, a criminal case is going to be initiated against you under one or more articles specified above within the next 72 hours.
Pursuant to the amendment to the Criminal Code of Australia of February 04, 2013, this law infringement (if it is not repeated - first time) may be considered as conditional in case you pay the fine to the State.
Fines may only be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours!
The amount of fine is AUD $100. You can pay a fine Ukash. When you pay the fine, your PC will get unlocked in 1 to 72 hours after the money is put into the State's account.
Since your PC is unlocked, you will be given 7 days to correct all violations.
In case all violations are not corrected after 7 working days, your PC will be blocked again, and a criminal case will be initiated against you automatically under one or more articles specified above.

Australian Federal Police MoneyPak Virus removal:

Step 1

Windows XP, Vista and Windows 7 users:

Start your computer in Safe Mode. Click Start, then click Shut down. Select Restart and click OK. While the computer is starting, press the F8 key repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Networking from the list and press ENTER.

Safe Mode with Networking

Windows 8 users:

Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced startup options, in the opened "General PC Settings" window select Advanced startup. Click on "Restart now" button. Your computer will now restart into "Advanced Startup options menu". Click on the "Troubleshoot" button, then click on "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into Startup Settings screen. Press "5" to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Step 2

Log in to the account that is infected with Australian Federal Police ransomware. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all the entries that it detects.


By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. We are affiliated with anti-virus and anti-spyware software listed on this site. All the products we recommend were carefully tested and approved by our technicians as being one of the most effective solutions for removing this threat.

Can't boot in Safe Mode with Networking? (Australian Federal Police virus blocks Safe Mode with Networking)

If you have more than one user account in your operating system, log in to the clean account, download and install the recommended anti-spyware software, run a full system scan, and remove all the security infections it detects. If you have only one user account, follow this guide: it shows how to create a new user account using Safe Mode with Command Prompt. Using this newly created user account you will be able to remove Australian Federal Police virus.

If Australian Federal Police virus also blocks your operating system's Safe Mode with Networking follow these removal instructions:

1. Start your computer in Safe Mode with Command Prompt: while the computer is starting, press the F8 key repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Command Prompt from the list and press ENTER.

Windows 8 users: Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced startup options, in the opened "General PC Settings" window select Advanced startup. Click on "Restart now" button. Your computer will now restart into "Advanced Startup options menu". Click on the "Troubleshoot" button, then click on "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into Startup Settings screen. Press "6" to boot in Safe Mode with Command Prompt.

Boot your computer in Safe Mode with Command Prompt

2. When command prompt mode loads enter the following line: net user removevirus /add and press ENTER.

3. Next enter this line: net localgroup administrators removevirus /add and press ENTER.

creating new user using command prompt

4. Finally, enter this line: shutdown -r and press ENTER.

adding a new user in command prompt

5. Wait for your computer to restart, then boot your PC in Normal Mode and log in to the newly created user account ("removevirus"). This account won't be affected by the ransomware infection and you will be able to download and install recommended anti-spyware software to eliminate this virus from your computer.

new user account created

6. Download and install recommended anti-spyware software to eliminate this ransomware infection from your computer:


If the newly created user account is also affected by the ransomware infection, try doing a System Restore (this function restores the operating system files to an earlier point in time). If successful, you will be able to restore your operating system to a point before this ransomware infected your computer.

1. Start your computer in Safe Mode with Command Prompt: while the computer is starting, press the F8 key repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When command prompt mode loads enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window click "Next".

restore system files and settings

5. Select one of the available restore points and click "Next" (this will restore your computer's system to an earlier time and date, before the ransomware infiltrated your PC).

select a restore point

6. In the opened window click "Yes".

run system restore

7. After restoring your computer to a previous date, download a recommended anti-spyware program and scan your PC with it to eliminate any remaining remnants of Australian Federal Police virus.

Alternative Australian Federal Police ransomware removal guide:

If this ransomware blocks your screen when you start your computer in safe mode with networking, try starting your PC in safe mode with command prompt.

1. While the computer is starting, press the F8 key repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Command Prompt from the list and press ENTER.

win 7 safe mode with command prompt

2. In the opened command prompt type explorer and press Enter. This command will open an Explorer window. Don't close it; continue to the next step.

3. In the command prompt type regedit and press Enter. This will open the registry editor window.

4. In the registry editor window you should navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

registry editor winlogon

5. In the right side of the window locate "Shell" and right click on it. Click on Modify. The default value data is Explorer.exe. If you see anything else written in this field, write it down (it is the path of the rogue executable file), then remove it and type in Explorer.exe. Use the path you wrote down to navigate to the rogue executable and remove it.

6. Restart your computer, download and install legitimate anti-spyware software and perform a full system scan to eliminate any remaining remnants of Australian Federal Police ransomware.


If you can't start your computer in Safe Mode with Networking (or with Command Prompt), you should boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode, making their removal more complicated. For this step you will need access to another computer. After removing Australian Federal Police ransomware from your PC, restart your computer and scan it with legitimate anti-spyware software to remove any remaining remnants of this security infection.

Anti-spyware programs known to detect and remove Australian Federal Police ransomware scam:

Some malicious software modifies browser settings and disables downloads of spyware and virus removal software. If you have problems downloading anti-spyware software with Internet Explorer, try downloading with Chrome, Firefox, Opera, etc.

If you can't access Internet:

Start your computer in Safe Mode. Click Start, click Shut down, click Restart, click OK. While the computer is starting, press the F8 key repeatedly until you see the Windows Advanced Options menu, then select Safe Mode with Networking from the list.

Start Task Manager. Press Ctrl+Alt+Del (or Ctrl+Shift+Esc) and end the processes of the rogue program. (If after this procedure you can't access any programs, press Ctrl+Alt+Del, click File, select New Task, type explorer.exe and then press OK.)

Open Internet Explorer, click Tools and select Internet Options. Select Connections, then click LAN settings. If "Use a proxy server for your LAN" is checked, uncheck it and press OK.

After this procedure you should be able to access Internet. Now you can download anti-spyware software from our "Top spyware removers" section and run a full scan. Download, install and don't forget to update your selected anti-spyware program.

Manual Australian Federal Police ransomware removal:

If you were unable to remove Australian Federal Police ransomware using the steps above, you can use this manual removal instruction. Use it at your own risk. If you don't have strong computer knowledge you could harm your operating system. Be careful and use it only if you are an experienced computer user. (Instructions on how to end processes, remove registry entries...)

End these Australian Federal Police ransomware processes:

random.exe

Delete these Australian Federal Police ransomware files:

%Temp%\<random>.exe
%StartupFolder%\ctfmon.lnk
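
A read-only PowerShell audit of the places this guide names (the Winlogon "Shell" value from the alternative removal guide and the files listed under manual removal), as an added example that is not part of the original guide. It assumes PowerShell 2.0 or later is available (type powershell at the Safe Mode command prompt), uses a hypothetical helper named New-Finding, and also checks the HKCU copy of the Winlogon key, which the guide does not mention.

```powershell
# Added example (not from the original guide). Read-only: nothing is changed or deleted.
# Assumption: PowerShell 2.0+ is available; run it while logged in to the affected account.
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = @()

# Hypothetical helper: one record per item that needs a human look.
function New-Finding($where, $item) {
    New-Object PSObject -Property @{ Where = $where; Item = $item }
}

# 1. Winlogon "Shell" value. HKLM is the key named in the guide.
#    HKCU is an addition: Windows also honours a per-user Shell value there.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key   = "$hive\$winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) { continue }    # value absent or empty in this hive
    # The value can hold several comma-separated programs; list every one
    # that is not the default explorer.exe (-ne ignores case).
    foreach ($entry in ($shell -split ',')) {
        $exe = $entry.Trim().Trim('"')
        if ($exe -and $exe -ne 'explorer.exe') {
            $findings += New-Finding "$key\Shell" $exe
        }
    }
}

# 2. Startup-folder shortcuts (the guide lists %StartupFolder%\ctfmon.lnk).
#    Resolve each shortcut so its real target path is what gets reviewed.
$startup = [Environment]::GetFolderPath('Startup')
if ($startup) {
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($lnk in @(Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue)) {
        $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
        $findings += New-Finding $lnk.FullName $target
    }
}

# 3. Executables in %Temp% (the guide lists %Temp%\<random>.exe). Installers
#    also unpack here, so treat hits as candidates for the anti-spyware scan.
foreach ($exe in @(Get-ChildItem -Path $env:TEMP -Filter *.exe -ErrorAction SilentlyContinue)) {
    $findings += New-Finding '%Temp%' $exe.FullName
}

if ($findings.Count -eq 0) {
    'Nothing to review in the audited locations.'
} else {
    $findings | Format-List Where, Item
}
```

A Shell entry other than explorer.exe gives the path to write down in step 5; shortcut targets and %Temp% executables are only candidates to confirm with the anti-spyware scan before removing anything.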

Comments 

 
#11 admin 2013-03-31 07:04
Hi Glenda,

Here is the official notification by AFP:

http://www.afp.gov.au/media-centre/news/afp/2012/october/afp-logo-used-in-online-scam.aspx
 
 
#10 Glenda 2013-03-31 06:40
How do we know that these viruses aren't just the excuse just a means to the real end, to get intimidated people to buy virus protection !!!
 
 
#9 Jo C 2013-02-22 19:08
Big thank you for your site info - took me all processes to get rid of Federal Police scam - will be buying your product for sure! :)
 
 
#8 admin 2013-02-14 01:06
Hi Steve, you can file a complaint here: http://www.ic3.gov/default.aspx
 
 
#7 Silly Steve 2013-02-13 12:51
How can i get me 100 bucks back???
Do i port this to the Fed's???
Dont wank em to look at me computery thin-toooo much porn downloaded-lease HELP ME.
Stevo
 
 
#6 jake gardner 2013-02-12 22:37
Thank you this is excellent, it worked a treat
 
 
#5 hitman 2013-01-30 07:57
I had this yesterday and couldn't get it off but today removed it thanks to hitman-pro but I followed these steps one at a time and it does work this scam is just to get that $100 dollars don't send cash under any circumstance and well done to the person who made the guide thank you
 
 
#4 rad 2013-01-11 01:04
I have followed this to the T! I can't remove this, safe mode with networking does not work unless I go command prompt and do a selective start up. I can not type explorer in as it will come back over the screen. Have managed to run a scan with the updated pc tools spy doc (in safe mode with networking), I have gone to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and it was what it was meant to be.
 
 
#3 Christopher 2012-11-20 03:04
thank you sooo much…..u saved me the trouble and time of taking my pc to the store……thnks a million….all ur steps work and did fix my problem!!
 
 
#2 kev 2012-11-17 21:16
i was crying while doing this
 
