Removal Guide for U.S. Department of Homeland Security Ransom Virus

U.S. Department of Homeland Security
National Cyber Security Division
This computer has been blocked
THE WORK OF YOUR COMPUTER HAS BEEN SUSPENDED ON THE GROUNDS OF THE VIOLATION OF THE LAW OF THE UNITED STATES OF AMERICA.
(…)
Article 184. Pornography involving children. Imprisonment for the term of up to 10-15 years (The use or distribution of pornography material)
Article 171. Copyright. Imprisonment for the term of up to 2-5 years. (The use or sharing copyrighted files)
Article 113. The use of unlicensed software. Imprisonment for the term of up to 2 years (The use of unlicensed software)
(…)
To unlock the computer you are obliged to pay a fine of $300. You must pay the fine through MoneyPAK.
You have 48 hours to pay the fine. If the fine has not been paid, you will become the subject of criminal prosecution without the right to pay the fine.
The Department for the Fight Against Cyberactivity will confiscate your computer and take You to Court.

Knowledge of Homeland Security virus
Homeland Security virus (also known as U.S. Department of Homeland Security virus) is a destructive ransom virus that spreads especially fast in the USA. Once stuck with this annoying ransomware, you will generally see an announcement like the one above. Put simply, all of its contents are aimed at convincing you that you have done something illegal and must therefore pay a $300 fine to release your blocked PC; supposedly, if you do not pay the fine in time, you will be taken to court and punished. Once your computer is locked by this screen and displays these messages, the first thing to remember is DO NOT PAY: it is a virus whose only purpose is to damage your PC and take your money.

However, antivirus programs often prove too weak to clean this hazardous ransom virus from your PC. In fact, Homeland Security virus is able to block your security tools and antivirus programs so that it can settle into the compromised machine unhindered. Usually, victims cannot do anything on the affected machine, and the alert popup stubbornly covers the whole screen. The longer Homeland Security virus stays on your PC, the more threats it brings: it may even cut off your PC's network connection and make some system functions unusable. Worse outcomes can include a Blue Screen and computer crashes. It is urgent to remove Homeland Security ransom virus from your computer before the situation gets worse.

Malicious properties of Homeland Security virus
1. It downloads and installs rogue software without your permission.
2. It disables executable applications and antivirus software on your computer.
3. It shows fake warnings to mislead you into paying.
4. It blocks access to legitimate websites, allowing only its purchase page.
5. It causes your computer to slow down and even crash from time to time.

Detailed removal guide step by step
1) Boot your computer into Safe Mode with Networking

To perform this procedure, restart your computer. -> As the computer restarts but before Windows launches, tap the "F8" key repeatedly. -> Use the arrow keys to highlight the "Safe Mode with Networking" option and then press ENTER. -> If you do not see the Safe Mode with Networking option, restart the computer again and start tapping the "F8" key immediately.

2) Show hidden files of Homeland Security Ransom virus:
Open Folder Options: click the Start button > Control Panel > Appearance and Personalization, and then click Folder Options. After that, click the View tab.

Under Advanced settings, click Show hidden files and folders, uncheck Hide protected operating system files (Recommended), and then click OK.

3) To get rid of Homeland Security virus thoroughly from your infected machine, you need to end its related processes, then search for and remove the associated registry values, DLLs and other relevant files.

1. The associated processes of Homeland Security virus to be stopped are listed below:
[random].exe

2. The associated files of Homeland Security virus to be deleted are listed below:
%Documents and Settings%\All Users\Application Data\[random]\
%Documents and Settings%\All Users\Application Data\[random]\[random].exe
%Documents and Settings%\All Users\Application Data\[random]\[random].mof
%Documents and Settings%\All Users\Application Data\[random]\[random].dll
%Documents and Settings%\All Users\Application Data\[random]\[random].ocx
%Documents and Settings%\All Users\Application Data\[random]\[random]\
%UserProfile%\Application Data\Anti-Malware Lab\
%UserProfile%\Application Data\Anti-Malware Lab\cookies.sqlite
%UserProfile%\Application Data\Anti-Malware Lab\Instructions.ini

3. The registry entries of Homeland Security virus that need to be removed are listed as follows:
HKEY_CLASSES_ROOT\PersonalSS.DocHostUIHandler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Anti-Malware Lab"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options "Debugger" = "svchost.exe"
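As an added example that is not part of the original guide, the following PowerShell script checks a machine for the processes, files and registry entries listed in step 3 and reports them without stopping or deleting anything, so each finding can be reviewed before removal. It assumes it is run as Administrator in Safe Mode with Networking, that %Documents and Settings%\All Users\Application Data corresponds to $env:ProgramData (or $env:ALLUSERSPROFILE\Application Data on XP) and %UserProfile%\Application Data to $env:APPDATA; it also goes slightly beyond the guide by checking the per-executable subkeys under Image File Execution Options, which is where a Debugger value normally lives.

```powershell
# Added triage script, not part of the original guide: it only reports the artifacts the guide
# lists (nothing is stopped or deleted), so every finding can be reviewed before step 3 is done.
# Assumptions: run as Administrator in Safe Mode with Networking; %Documents and Settings%\All Users\
# Application Data is $env:ProgramData (Vista+) or $env:ALLUSERSPROFILE\Application Data (XP);
# %UserProfile%\Application Data is $env:APPDATA.
$findings = @()
$allUsersData = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }

# Registry values named in the guide: key, value name, expected data ($null = flag any value).
$regChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'RunInvalidSignatures'; Data = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyServer'; Data = 'http=127.0.0.1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Anti-Malware Lab'; Data = $null }
)
foreach ($c in $regChecks) {
    $v = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and ($null -eq $c.Data -or "$v" -like "$($c.Data)*")) {
        $findings += "Registry: $($c.Key) '$($c.Name)' = '$v'"
    }
}
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\PersonalSS.DocHostUIHandler') {
    $findings += 'Registry: HKCR\PersonalSS.DocHostUIHandler exists'
}

# IFEO "Debugger" = svchost.exe. The guide lists it on the IFEO key itself; Debugger values
# normally sit in a per-executable subkey, so the key and all of its subkeys are checked.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($k in @(Get-Item $ifeo -ErrorAction SilentlyContinue) + @(Get-ChildItem $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -match 'svchost\.exe') { $findings += "Registry: $($k.PSPath) Debugger = '$dbg'" }
}

# Run-key entries and live processes whose image sits in a [random] folder directly under
# All Users Application Data, the layout the guide describes. Legitimate software can match too.
$layout = '^' + [regex]::Escape($allUsersData) + '\\[^\\]+\\[^\\]+\.exe$'
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($p in @($run.PSObject.Properties)) {
    if ("$($p.Value)".Trim('"') -match $layout) { $findings += "Run entry: $($p.Name) -> $($p.Value)" }
}
foreach ($proc in (Get-Process | Where-Object { $_.Path -and $_.Path -match $layout })) {
    $findings += "Process: $($proc.Name) (PID $($proc.Id)) $($proc.Path)"
}

# Files and folders the guide lists under %UserProfile%\Application Data\Anti-Malware Lab.
$amlDir = Join-Path $env:APPDATA 'Anti-Malware Lab'
foreach ($f in @($amlDir, (Join-Path $amlDir 'cookies.sqlite'), (Join-Path $amlDir 'Instructions.ini'))) {
    if (Test-Path $f) { $findings += "File: $f" }
}
if ($findings) { $findings } else { 'No artifacts from the guide were found.' }
```

Because the [random] naming pattern can also match legitimate software installed under ProgramData, treat the process and Run-entry findings as leads to inspect, not as confirmed infections.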

Source: http://fixingcomputervirus.blogspot.in/2013/03/removal-guide-for-us-department-of.html

High Tech Crime Solutions
