
Homeland Security Ransomware removal guide

Summary: The following article provides information about how to remove the Homeland Security infection from your Dell computer. Most of the steps here are not covered under your warranty and are carried out at your own risk. ...


Article Content


Symptoms

Table of Contents:

  1. A description of what Homeland Security Ransomware is and the support possible under the warranty
  2. Removal Instructions
  3. Associated Homeland Security Ransomware Files
  4. Prevent Re-Infection

 

A description of what Homeland Security Ransomware is and the support possible under the warranty

 

The Homeland Security malware is a computer infection that locks your computer until you pay to get rid of it. This infection imitates an alert from the US Department of Homeland Security National Cyber Security Division. It claims that you have committed one of several offences, such as distributing copyrighted media or child pornography, or using pirated software. The malware demands that you pay a fine of $300 in order to avoid criminal prosecution. The attackers want to be paid by a MoneyPak voucher and demand payment within 48 hours to let you back on your computer. Remember that this is NOT a fine by a legitimate government agency.

 
Note: As always, the decision to use this information is at the end user’s risk, as malware removal is not a ProSupport entitlement. This information is provided AS IS.

The surest way to resolve this issue is to perform either a factory restore or a clean operating system install on your computer. Taking you through this reinstall is covered under your ProSupport warranty. You can also find articles taking you through this for your particular operating system and situation on the link pages below:


(Figure.1 Ransom Screen)

 

This infection usually comes from visiting websites that have been hacked and contain exploit kits. These kits look for vulnerable spots on your computer, so the malware does not need your permission to install. Once the installation completes, it automatically starts whenever you log in to your computer. You see an online alert message which looks something like:

Homeland Security
National Cyber Security Division
This computer has been blocked!
The work of your computer has been suspended on the grounds of the violation of the law of the United States of America.

Article - 184 Pornography involving children (under 18 years)
Imprisonment for the term of up to 10-15 years
(The use or distribution of pornographic files)

Article - 171 Copyright
Imprisonment for the the term of up to 2-5 years
(The use or sharing of copyrighted files)

Article - 113 The use of unlicensed software
Imprisonment for the term of up to 2 years
(The use of unlicensed software)

The first violation may not entail the criminal liability if the payment of the fine would be executed in connection with the law of loyalty to the people, on 1 March 2013. If repeated violations occur, the prosecution is inevitable.

To unlock the computer you are obliged to pay a fine of $300. You must pay a fine by MoneyPak.

You have 48 hours to pay the fine. If the fine has not been paid, you will become the subject of criminal prosecution without the right to pay the fine. The Department for the Fight against Cyberactivity will confiscate your computer and take you to court.

Ignore anything that it displays, as this malware was created with the sole purpose of getting your money.

Cause

Removal Instructions

 

Note: Print these instructions, as you are not likely to have access to this webpage during the removal process. You require a USB drive of at least 32 MB. The drive is formatted during this process, so it loses any data already on it that has not been backed up.

Because the ransomware locks your desktop, you must create a bootable USB drive that contains the removal software. I am using the HitmanPro.Kickstart program as it is the program I am most familiar with. You can use another program; however, the steps below are for HitmanPro. Download the cleaner program to your desktop. You can then boot your computer using a bootable USB drive and clean the infection from outside the operating system.

You can download HitmanPro from the following link and save it to the desktop of a working computer.

When you go to the download page, select the correct type (32-bit versus 64-bit) for the version of Windows on the computer you are using to create the Kickstart USB drive. Once HitmanPro has been downloaded, insert the USB drive.

Double-click on the file named HitmanPro.exe (32 bit) or HitmanPro_x64.exe (64 bit).


(Figure.2 Hitman Download Screen)

Click on the icon of the person performing a kick at the bottom of the screen. It opens an information screen on how to create the kickstart USB drive.


(Figure.3 Hitman Install Screen)

It should list any USB drives currently attached to your computer. Choose the USB drive that you want to use and click the Install Kickstart button.

An alert states that the USB drive is to be erased and formatted as part of the installation. Click on the Yes button to proceed. The program downloads the needed files and installs them to the USB Drive. When it is complete, click on the Close button to shut the program down.

Remove the Kickstart USB drive and plug it into the infected computer. Turn the infected computer on and tap rapidly on the F12 key to bring up the boot once menu.


(Figure.4 Dell Splash Screen)

Select the USB option from the menu. Your computer automatically loads the HitmanPro.Kickstart program from the USB drive. A screen appears asking you to make a selection from a menu.


(Figure.5 Boot Once Menu)

Press the 1 key on your keyboard and it should begin to load Windows. Log in as normal when Windows starts up. The ransomware loads, but after about 30 seconds the removal application appears on top of the screen.


(Figure.6 Hitman Application)

Click the Next button to start the cleaning process. When the HitmanPro setup screen appears, ensure that it is set to the option: No, I only want to perform a one-time scan to check this computer


(Figure.7 Hitman Setup)

Click on the Next button to proceed. The cleaner scans your computer for infections. It displays a list of everything that it has found when it is finished.


(Figure.8 Hitman Report Screen)

Click the Next button to remove the detected infections. A Removal Results screen shows the results when it is done. Click the Next button again to bring up the last screen and click on the Reboot button.

Once your computer restarts, you should be back on your desktop as normal.

Your computer should now be free of the Homeland Security infection. If your current anti-virus solution lets this infection through, you may want to consider purchasing the licensed version of HitmanPro or another similar program. Protect yourself against these types of threats in the future.

If you are still having problems with your computer once this guide has been completed, then you are left with two options. You can use the reinstall guides at the start of the article to wipe your computer and start again. Alternatively, you can join one of the many forums such as BleepingComputers, Tech Guys, or Tech Forum and put a request out for help. (Include as much information as possible in the request, such as operating system type and version, what has already been done, and any logs or errors seen.)

Resolution

Associated Homeland Security Ransomware Files

 

File:
%CommonAppData%\<random>.dll

File Location Notes:
%CommonAppData% refers to the Application Data folder for the All Users profile. By default this is C:\Documents and Settings\All Users\Application Data for Windows 2000/XP and C:\ProgramData\ in Windows Vista, Windows 7, and Windows 8.
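
The following PowerShell check is an added example and is not part of the Dell article or of HitmanPro. Run after the cleanup, it lists any DLL sitting directly in the folder named above and flags Run-key entries that point at one. The function names are hypothetical, checking the Run keys is an assumption (the article does not say how the malware starts at login), and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example. Function names are hypothetical, not from the article.
# $env:ProgramData is the %CommonAppData% folder on Windows Vista and later.

function Find-RootDll {
    param([string]$Folder = $env:ProgramData)
    # No -Recurse: the article lists the DLL directly in the folder root.
    # -Force includes hidden and system files.
    Get-ChildItem -LiteralPath $Folder -Filter '*.dll' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                # Anything other than 'Valid' deserves a closer look.
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Find-RunKeyReference {
    param([string]$Folder = $env:ProgramData)
    # Assumption: the article does not name the autostart mechanism, so this
    # only checks the standard per-user and per-machine Run keys.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            # Flag commands that load a DLL straight from the folder root.
            if ($command -match ([regex]::Escape($Folder) + '\\[^\\]+\.dll')) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $command }
            }
        }
    }
}

$dlls = @(Find-RootDll)
$refs = @(Find-RunKeyReference)
if ($dlls.Count -eq 0 -and $refs.Count -eq 0) {
    'No DLLs in the folder root and no Run entries pointing there.'
} else {
    $dlls | Format-List
    $refs | Format-List
}
```

A DLL reported here is not proof of infection; record its hash and creation time and compare them against the date the lock screen first appeared.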


Prevent Re-Infection

 

To minimize the risk of a repeat infection, ensure that you have a real-time anti-virus program running on your computer. Ensure that it is kept updated. If you do not want to spend money on a paid service, then you can install one of the free programs that are available.


In addition to installing traditional anti-virus software, you might consider reading the guide below for some basic rules for safe surfing online:

Always double check any online accounts such as:

  • Online banking
  • Webmail
  • Email
  • Social networking sites 
Look for suspicious activity and change your passwords, because you cannot tell what information the malware might have passed on.

Run virus scans on the backups if you have an automatic backup for your files and want to confirm that it did not back up the infection. If virus scans are not possible, such as with online backups, you must delete your old backups and save new versions.

Keep your software current. Ensure that you update it frequently. If you receive any messages about this and are not sure of their validity, then always contact the company in question to clarify it.

Article Properties


Affected Product

Inspiron, Latitude, Vostro, XPS, Fixed Workstations

Last Published Date

03 Oct 2023

Version

5

Article Type

Solution