
Homeland Security Ransomware removal guide



The following article provides information on how to remove the Homeland Security infection from your Dell PC. Please be aware that most of the steps here are not covered under your warranty and are carried out at your own risk.


Table of Contents:

  1. A description of what Homeland Security Ransomware is and the support possible under the warranty
  2. Removal Instructions
  3. Associated Homeland Security Ransomware Files
  4. Prevent Re-Infection

1. A description of what Homeland Security Ransomware is and the support possible under the warranty

The Homeland Security Malware is a PC infection that locks your system until you're ready to pay to get rid of it. This infection pretends to be an alert from the US Department of Homeland Security National Cyber Security Division. It claims that you have committed one of several offences, such as distributing copyrighted media or child pornography, or using pirated software. The malware demands that you pay a fine of $300 in order to avoid criminal prosecution. It wants payment by MoneyPak voucher and demands it within 48 hours to let you back on your PC. It is important to remember that this is NOT a fine by a legitimate government agency.

Note: As always the decision to use this information is at the end user’s risk as malware removal is not a pro-support entitlement. This information is provided AS IS.

The surest way to resolve this issue is to perform either a factory restore or a clean operating system install on your system. Taking you through this reinstall is what is covered under your pro support warranty. You can also find articles taking you through this for your particular operating system and situation on the link pages below.

(Fig.1 Ransom Screen)

This infection usually comes from visiting web sites that have been hacked and contain exploit kits. These kits look for vulnerable spots on your PC, and the malware doesn't need your permission to install. Once it installs, it automatically starts whenever you log in to your system. You'll get an online alert message which will look something like:

Homeland Security
National Cyber Security Division
This computer has been blocked!
The work of your computer has been suspended on the grounds of the violation of the law of the United States of America.

Article - 184 Pornography involving children (under 18 years)
Imprisonment for the term of up to 10-15 years
(The use or distribution of pornographic files)

Article - 171 Copyright
Imprisonment for the the term of up to 2-5 years
(The use or sharing of copyrighted files)

Article - 113 The use of unlicensed software
Imprisonment for the term of up to 2 years
(The use of unlicensed software)

The first violation may not entail the criminal liability if the payment of the fine would be executed in connection with the law of loyalty to the people, on 1 March 2013. If repeated violations occur, the prosecution is inevitable.

To unlock the computer you are obliged to pay a fine of $300. You must pay a fine by MoneyPak.

You have 48 hours to pay the fine. If the fine has not been paid, you will become the subject of criminal prosecution without the right to pay the fine. The Department for the Fight against Cyberactivity will confiscate your computer and take you to court.

Ignore anything it displays, as this malware was created with the sole purpose of getting your money.




2. Removal Instructions

Note: Please print out these instructions as you will not have access to this page during the removal process. You will also need a USB drive of at least 32 MB. Be aware the drive will be formatted during this process, so it will lose any data already on it that hasn't been backed up.

Because the ransomware locks your desktop, you will need to create a bootable USB drive that contains the removal software. In this case I'm using the HitmanPro.Kickstart program, as it's the program I'm most familiar with. You can find another program that does the same job as HitmanPro and use that instead; however, the steps below are for HitmanPro. Please download the cleaner program to your desktop. We will boot your PC using a bootable USB drive and clean the infection from outside the operating system (OS).


You can download HitmanPro from the following link and save it to the desktop of a working PC.

When you go to the download page, please select the correct type for your version of Windows (32-bit vs. 64-bit). You will be using it to create the Kickstart USB drive. Once HitmanPro has been downloaded, please insert the USB key.


Double-click on the file named HitmanPro.exe (32 bit) or HitmanPro_x64.exe (64 bit).

(Fig.2.1 Hitman Download Screen)

Click on the icon of the person performing a kick at the bottom of the screen to open an information screen on how to create the kickstart USB drive.

(Fig.2.2 Hitman Install Screen)

It should list any USB drives currently attached to your PC. Choose the USB drive that you want to use and click the Install Kickstart button.

An alert states the USB drive will be erased. Click on the Yes button to proceed. The program will download the needed files and install them to the USB drive. When it's complete, click on the Close button to shut the program down.

Remove the Kickstart USB drive and plug it into the infected computer. Turn the infected PC on and tap rapidly on the F12 key to bring up the boot once menu.

(Fig.2.3 Dell Splash Screen)

Select the USB option from the menu. Your PC will automatically load the HitmanPro.Kickstart program from the USB drive. A screen pops up asking you to make a selection from a menu.

(Fig.2.4 Boot Once Menu)

Please press the 1 key on your keyboard and it should begin to load Windows. Please login as normal when Windows starts up. The ransomware will load, but after about 30 seconds the removal application will appear on top of the screen.

(Fig.2.5 Hitman Application)

Click the Next button to start the cleaning process. The HitmanPro setup screen pops up. Please ensure that it's set to the option No, I only want to perform a one-time scan to check this computer.

(Fig.2.6 Hitman Setup)

Click on the Next button to proceed. The cleaner scans your PC for infections. It will display a list of everything it's found when it's finished.

(Fig.2.7 Hitman Report Screen)

Click the Next button to remove the detected infections. A Removal Results screen shows the results when it's done. Click the Next button again to bring up the last screen and click on the Reboot button.

Once your PC restarts you should be back on your desktop as normal.

Your computer should now be free of the Homeland Security infection. If your current anti-virus solution let this infection through, you may want to consider purchasing the licensed version of HitmanPro or another similar program in order to protect against these types of threats in the future.

If you are still having problems with your PC once this guide has been completed, then you are left with two options. The first one is to use the reinstall guides at the start of the article to wipe your PC and start again. The other is to join one of the many forums such as BleepingComputers, Tech Guys or Tech Forum and put a request out for help. (Try to include as much information as possible in the request, such as OS type and version, what's already been done and any logs or errors seen.)




3. Associated Homeland Security Ransomware Files

Associated Homeland Security Ransomware Files:
%CommonAppData%\<random>.dll

File Location Notes:
%CommonAppData% refers to the Application Data folder for the All Users profile. By default, this is C:\Documents and Settings\All Users\Application Data for Windows 2000/XP and C:\ProgramData\ in Windows Vista, Windows 7 and Windows 8.
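
The following PowerShell is an added example, not part of the original article or of HitmanPro. It lists the DLL files located directly in the %CommonAppData% folder described above, newest first, with their Authenticode signature status, so you can review what is left there after cleaning. The function name Get-CommonAppDataDll is hypothetical, and treating an unsigned, recently created DLL as worth a closer look is an assumption rather than something the article states.

```powershell
# Added example (not from the original article). Get-CommonAppDataDll is a hypothetical name.
function Get-CommonAppDataDll {
    param(
        # Defaults to the All Users application data folder:
        # C:\ProgramData on Vista/7/8, ...\All Users\Application Data on 2000/XP.
        # Pass another path to inspect a disk mounted from a clean system.
        [string]$Root = [Environment]::GetFolderPath('CommonApplicationData')
    )

    if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
        throw "Folder not found: $Root"
    }

    # Top level only (no -Recurse): the article places the file directly in the folder.
    # -Force includes hidden and system files.
    Get-ChildItem -LiteralPath $Root -Filter '*.dll' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.dll' } |
        Select-Object Name, CreationTime, LastWriteTime, Length,
            @{ Name = 'Signature'
               Expression = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } } |
        Sort-Object CreationTime -Descending
}

$found = @(Get-CommonAppDataDll)
if ($found.Count -eq 0) {
    Write-Output 'No DLL files found directly in the CommonAppData folder.'
} else {
    # Assumption: an unsigned DLL created around the time the lock screen first
    # appeared deserves a closer look. This is a triage hint, not a verdict.
    $found | Format-Table -AutoSize
}
```

Run it from an administrator PowerShell prompt on the cleaned PC, and compare the creation times against when the lock screen first appeared.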




4. Prevent Re-Infection

To minimise the risk of a repeat infection, make sure that you have a real-time antivirus program running on your PC and see that it stays updated. If you don't want to spend money on a paid service, then you can install one of the free programs that are available.


In addition to installing traditional antivirus software, you might consider reading the guide below for some basic rules for safe surfing online.

Always double check any online accounts such as online banking, webmail, email, and social networking sites. Look for suspicious activity and change your passwords, as you can't tell what info the malware might have passed on.

If you have an automatic backup for your files, you will want to run virus scans on the backups to confirm that it didn't back up the infection as well. If virus scans aren't possible, such as with online backups, you will probably want to delete your old backups and save new versions.

Keep your software current. Make sure that you update it frequently. If you receive any messages about this and aren't sure of their validity, then always contact the support of the company in question to clarify it.







Article ID: SLN284240

Last modified: 09/11/2017 06:47 AM

