An Garda Siochana virus. How to fix locked PC
An Garda Siochana is a scam that targets many computers today, primarily located in Ireland and in some other neighboring countries. Great Britain, by the way, is also attacked by this virus massively, in addition to the PCEU (Metropolitan Police) virus locker. This scam belongs to the ransomware category, i.e. this is the malware that blocks the desktop of the target computer with the scary police warning. In this particular case, the scary warning is allegedly coming from the Ireland’s National Police Service (which is called An Garda Siochana, by the way). The truth, however, is that this warning that you see depicted below has nothing to do with the Irish police, so you should be careful not to trust any deceitful statement contained in this virus that locked your system.
An Garda Siochana virus screenshot
Text of An Garda Siochana virus scary warning:
Your Computer has been locked!
The work of your computer has been suspended on the grounds of unauthorized cyber activity.
Described below are possible violations, you have made: Article 274 – Copyright
A fine or imprisonment for the term of up to d years (The use or sharing of copyrighted files – movies, software)
Article 183- Pornography
A fine or imprisonment for the term of up to 2 years (The use or distribution of pornographic files)
Article 184 – Pornography involving children (under 18 years)
imprisonment for the term of up to 15 years (The use or distribution of pornographic files) Article 104 – Promoting Terrorism
imprisonment for the term of up to 25 years (You have visited websites of terrorist organizations)
Article 297 – Neglect computer use, entailing serious consequences A fine or imprisonment for the term of up to 2 years
(Your computer has been infected with a virus, which, in turn, infected other computers) Article 108 – Gambling
A fine or imprisonment for the term of up to 2 years (You have been gambling, but according to the lav/ residents of the your country are not allowed gambling in any format)
in connection with the decision of the Government as of August 22, all of the violations described above could be considered as conditional in case of payment of a fine.
Amount of the fine is €100 . Payment must be made within 48 hours after the discovery of the violation. If the fine has not been paid, you will become the subject of criminal prosecution.
After paying the fine your computer will be unblocked
An Garda Siochana scam first accuses users of performing various crimes online while surfing the web. In particular, the virus tells that user was noticed to perform a lot of illegal activity, for example:
- Sending unsolicited spam to various addressees
- Visiting the sites of terrorist organizations for the purpose of supporting them
- Downloading illegal audio and video materials and spreading them in the web
- Downloading illegal software samples and distributing them online
- Watching a lot of explicit and sinful content, thus violating the Irish legislation
Of course, you have never committed any crimes of which you’re being accused by the malware. You need to understand the fact clearly that this malware has nothing to do with the Irish police. This is just the way hackers want to scare you into paying the ransom (release fee) to unlock your system. The crooks want you to pay the funds (ransom) via Ukash or Paysafecard payment systems, but doing so is as serious mistake on your part. We hope that you will never commit such a serious mistake. Instead, please follow the removal guide below that will help you unlock your PC from An Garda Siochana scam.
Ransomware removal solutions
Solution 1 (automatic)
NB! This solution is applicable for all GreenDot MoneyPak, Ukash and Paysafecard ransomwares.
- Reboot your system and press F8 repeatedly while it is restarting.
- Select Safe Mode with Networking.
- Click Start and in the open space type Run, or press [Win]+R on keyboard.
- Type msconfig and press “OK“.
- Disable startup items rundll32 turning on any application from Application Data.
- Reboot your computer once again.
- Scan your system with GridinSoft Trojan Killer to identify the infected file and delete it.
NB! Some versions of these viruses disable all safe modes, but give a short gap that you can use to run anti-malware tools. Then act as follows:
- Reboot normally.
- Click Start and in the open space type Run.
- Enter the text http://trojan-killer.net/download.php in the open field.
- If the malware is loaded, just press Alt+Tab once and keep entering the string blindly then press Enter. Press Alt+tab and then R (letter) a couple of times. The process of ransomware virus should be killed after you succeed to download, install our recommended software and scan your system with it.
Solution 2 (automatic)
- Go to your friend, relative or anybody else who has computer with Internet connection.
- Take your USB flash drive / Memory Stick with you.
- Download GridinSoft Trojan Killer installation file from this site http://trojan-killer.net/download.php and save it to your USB flash drive / Memory Stick.
- Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
- Perform hard reset (press reset button on your computer) if your infected PC has been on with ransomware’s background. If not, then simply turn your PC on.
- Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
- In the window that appeared select “Safe Mode with Command Prompt” option and press Enter.
- Choose your operating system and user account which was infected with ransomware virus.
- In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
- Select “My Computer” and choose your USB flash drive / Memory Stick.
- Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
- When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
- In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
- Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
- However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing ransomware virus to infect your PC.
Similar automatic removal video
Solution 3 (manual)
- Restart your system into “Safe Mode with Command Prompt“. While the PC is booting press the “F8 key” continuously, which should present the “Windows Advanced Options Menu” (for Windows XP) or “Advanced Boot Options” (for Windows 7 and Vista) as presented in the image below. Apply the arrow keys in order to move to “Safe Mode with Command Prompt” and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.
- Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word “explorer.exe“, and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.
- Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word “regedit.exe” and hit Enter button of your keyboard. The Registry Editor should open.
- Find the following registry entry:
- In the right-side panel select the registry entry named Shell. Right click on this registry key and select “Modify” option. Its default value should be “Explorer.exe“. However, ransomware virus did its job, and so after you click “Modify” you would see totally different value of this registry entry.
- Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of ransomware virus is located.
- Modify the value of the registry entry back to “explorer.exe” and save the settings of the Registry Editor.
- Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step.
- Get back to “Normal Mode“. In order to reboot your system, when at the command prompt, type-in the following phrase “shutdown /r /t 0” (without the quotation marks) and hit Enter button.
- The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer.