Millikens Cure For The Australian Federal Police Ukash virus
Contributed by: Email on 04/11/2013 08:26 AM
We have to give a disclaimer before you attempt this. We are based in the United States, so we have no way to test this. This is completely at your own risk. MajorGeeks cannot and will not be held responsible. It was done on Windows XP, so it should work on other operating systems; however, as many of you know, some steps here might be slightly different in their location or naming.
From our experience it seems like a pretty safe way to remove the virus, because what you end up doing (in short) is creating a new account called Test, or whatever you want, and deleting index.html from the Temp folder of your infected account. From there you reboot, log back into your main account, make sure you are not infected, and delete the new Test account.
If you are not comfortable doing these steps, we recommend any one of the three programs below, which are most effective at removing the latest malware:
1: Malwarebytes Anti-Malware
2: IObit Malware Fighter
3: SUPERAntiSpyware Free
If you want to try manual removal, here are the steps from Tom:
1. Boot your computer and, whilst it is booting, keep tapping the F8 key to interrupt the boot process and bring up the Windows Advanced Options Menu. You will see other messages on the screen, but keep tapping F8.
2. Use the up and down arrows to select Safe Mode With Command Prompt and then press Enter.
3. You may think the computer has stopped working. Just wait for it to boot (1-2 minutes).
4. When the Start-up window appears, click on your account name.
5. A window with the name cmd.exe will be presented with the following text:
C:\Documents and Settings\username>
Type in nusrmgr.cpl and press Enter.
The familiar User Accounts window will be displayed.
6. Create a new computer administrator account TEST
7. Press Control + Alt + Delete together to open the Windows Task Manager
8. Select the tab Shut Down and select Restart.
9. Allow Windows to boot normally.
10. When the Account Name window appears, select your new account TEST
11. It is helpful, at this stage, to show the hidden files and folders, so:
- Open My Computer
- Select the menu Tools/Folder Options
- In Folder Options, click on the tab View and select Show hidden files and folders and OK.
12. Open C drive
13. Open Documents and Settings
14. Now open YOUR account NOT the TEST Account.
15. Open Local Settings (which was previously hidden)
16. Open the Temp folder and the file you are looking for is index.html.
17. The writer opened this and it displayed as a normal webpage. You may choose just to delete it.
18. To tidy up, in the Start Menu select Log Off TEST; the computer should return to the Account window.
19. Select YOUR account and the AFP Ukash virus should no longer be apparent.
20. Go to Start\Settings\Control Panel\User Accounts and delete the TEST account
For reference the path\filename is:
Documents and Settings\username\local settings\temp\index.html
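The file check in steps 12 to 17, as an added example that is not part of the original article or Tom's steps: a Python script that looks for Local Settings\Temp\index.html in every profile under Documents and Settings and reports its size, modification time and SHA-256. It goes beyond the steps by covering all profiles and by moving the file to a quarantine folder rather than deleting it; the function names and the quarantine folder are assumptions, and Python has to be installed separately on Windows XP.

```python
"""Added example, not the article's code: report Temp\\index.html per profile."""
import hashlib
import shutil
from datetime import datetime
from pathlib import Path

# Relative path from the article, lower-cased so matching can ignore case.
TARGET = ("local settings", "temp", "index.html")


def _child(parent, name):
    """Return the entry of `parent` whose lower-cased name is `name`, else None."""
    try:
        return next((p for p in parent.iterdir() if p.name.lower() == name), None)
    except OSError:  # unreadable folder, or `parent` is not a folder
        return None


def find_index_pages(profiles_root):
    """Return one dict per profile that holds Local Settings\\Temp\\index.html."""
    root, hits = Path(profiles_root), []
    if not root.is_dir():
        return hits
    for profile in sorted(root.iterdir()):
        node = profile
        for part in TARGET:
            node = _child(node, part) if node else None
        if node and node.is_file():
            st = node.stat()
            hits.append({
                "profile": profile.name, "path": node, "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime).isoformat(" ", "seconds"),
                "sha256": hashlib.sha256(node.read_bytes()).hexdigest(),
            })
    return hits


def quarantine(hit, quarantine_dir):
    """Move the file into `quarantine_dir` (hypothetical folder) under a non-.html name."""
    dest_dir = Path(quarantine_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / (hit["profile"] + "_index.html.quarantined")
    shutil.move(str(hit["path"]), str(dest))
    return dest


if __name__ == "__main__":
    for h in find_index_pages(r"C:\Documents and Settings"):
        print(h["profile"], h["path"], h["size"], h["modified"], h["sha256"])
```

Run it from the TEST account (step 10 onward) so the file in the affected profile is not in use, and review the listing before calling quarantine() on any entry.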