Wednesday, March 20, 2013

Remove Department of Justice virus

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
Imagine that one day you are surfing the net and suddenly an alarming warning pops up with an official seal of the U.S. Department of Justice. The pop-up informs you that you must pay $300 dollars or even more in order to get your computer unlocked because the presence of an illegal download or adult content has been detected on your computer. It may even claim that your actions have been recorded with your own webcam. Your IP address is there, as well as instructions on how to pay the fine. No matter how many times you turn the computer on and off again, or if you try logging on multiple times, you still get the same frozen screen. What do you do?

Well, hopefully, you will ignore the insidious warning and take it directly to a professional to get help, restore the system to a previous date, or run a real anti-malware program you've downloaded on a clean computer. If you see any of the fake warnings shown in the images below, your computer is definitely infected with the Department of Justice. To remove this virus from your computer, please follow the steps in the removal guide below.

There are a few different variants if this virus. The fake warnings are slightly different too. The latest variant does't display victim's IP and doesn't attempt to take a picture using victim's web cam.


However, other variants still display IPs and take pictures. They are still being distributed, so you may get infected with any of these.


Some of the warnings displayed by this virus are truly awful. Accessing your webcam to take a picture of you or your place or showing you a "file" of illegal adult materials that have been "found" on your computer. Many users become confused, scared, or are afraid that law enforcement will soon knock at their doors. This virus is becoming such a problem that at the end of last year the Internet Crime Complaint Center (IC3), a governmental agency that deals with cybercrime, released a scam warning about this very virus due to the number of complaints they were receiving about it, daily. The situation hasn't changed much. The virus is still active.

The United States Department of Justice virus will display the following warning:

Your computer has been blockedThe work of your computer has been suspended on the grounds of the violation of the law of the United States of America. 
Article 274 – Copyright
A fine or imprisonment for the term of up to 4 years.
Article 183 – Adult materialA fine or imprisonment for the term of up to 2 years
Article 104 - Promoting Terrorism
Article 297 – Neglect computer use, entailing serious consequences

Some European versions of ransomware virus demand as much as $3,800 in payment before the cyber criminals will "unlock" your computer. Not only that, but some users who have been infected report that even after paying the fine (through wire transfer, the purchase of a prepaid money card, or through an online service where customers cannot get their money refunded) that the virus still comes back to demand even more money if they do not have their systems properly cleaned, fixed or restored. That is partially where the virus name comes from: it often asks victims to purchase GreenDot MoneyPak prepaid cards at major retailers. Furthermore, one of the newer versions may actually encrypt your documents refusing to release them until the money has been paid. Such variants, however, are less common here, in the United States. But who knows, they might use the same tactics hare soon.

It sounds hard to believe that someone would actually fall for such a scam, but, surprisingly, some people actually pay the fine. Cyber criminals employing Department of Justice virus could easily make up to $54,000 in a single day. So, do not fall for this scam. There are plenty of things that you can do in order to protect yourself, your computer, and your documents from this sort of attack before it happens. First of all, do not visit any suspicious websites, be careful about file-sharing, download software and other stuff from websites your trust and know to be safe, and do not open email attachments or messages from people you do not know.

These tips seem to be fairly basic but even if you do all these things, there is no guarantee that your computer will not become infected. Many of those infected were not taking part of illegal download activities, peer-to-peer sharing, or were even on any suspicious sites, and they still were attacked by Department of Justice virus. They simply visited a legal but infected websites. Unfortunately, their antivirus programs didn't stop the virus. So, it's very important to use a reliable antivirus program and to make sure that it's updates.

Firstly, one of the easiest ways to defeat this virus yourself (without the help of expensive services or other programs) is to have a system restore point saved on your computer. Of course, you will have to use anti-malware programs one way or another, because system restore may only stop the virus for some time or remove it partly. With this, you can start up your system in safe mode with command prompt by pressing and holding the F8 key as your computer restarts, selecting the operating system to start in safe mode, and pressing enter. You want to make sure you have administrator privileges on your machine, log in using those credentials, and then type, "C:\windows\system32\rstrui.exe" in the command prompt screen. Just hit enter again, and follow the given instructions. In this way, you can roll back your machine to a previous state before you got infected with Department of Justice moneypak virus .

After your computer is restored, you should install recommended anti-malware software immediately and download all the updates available. Feel free to use any program you believe works, and that you trust. You will find a download link below. This ensures that the virus is gone and will stay that way. You can even find a few videos online that will guide you through this process but honestly, they are either incomplete or outdated. Scammers repack this virus often, so it's kinda difficult to keep up with them.

If this seems too difficult for you, or you're still unsure, you can always call a professional. Note, that won't be cheap. Also, if you do get help from a professional, or even do the roll back yourself, you want to be sure that the virus is completely erased from your system before using your machine again. Failure to not fully remove the virus may result in repeated frozen screens, or may allow cyber criminals to gain access to personal information such as emails, passwords, usernames, and more.

Last but not least, don't forget to file a complaint at the Internet Crime Complaint Center by visiting their website www.IC3.gov. When you report the cybercrime, you are helping to protect other users not only in the United States, but around the globe.

To remove Department of Justice virus from your computer, please follow the removal instructions below. Do you have any additional information or questions on this virus? Post your comment or question below. Good luck and be safe online!

Written by Michael Kaur, http://spywareremovalx.blogspot.com


Method 1: Department of Justice virus removal instructions using System Restore in Safe Mode with Command Prompt:

1. Unplug your network cable and manually turn your computer off. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the virus will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer into an earlier day.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Department of Justice virus.


Method 2: Department of Justice virus removal instructions using System Restore in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "system restore". Or you can browse into the Windows Restore folder and run System Restore utility from there:
  • Win XP: C:\windows\system32\restore\rstrui.exe double-click or press Enter
  • Win Vista/7/8: C:\windows\system32\rstrui.exe double-click or press Enter
3. Select Restore to an earlier time or Restore system files... and continue until you get into the System Restore utility.

4. Select a restore point from well before the Department of Justice virus appeared, two weeks should be enough.

5. Restore it. Please note, it can take a long time, so be patient.

6. Once restored, restart your computer and hopefully this time you will be able to login (Start Windows normally).

7. At this point, download recommended anti-malware software (direct download) and run a full system scan to remove the Department of Justice virus.


Method 3: Department of Justice virus removal instructions using MSConfig in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "msconfig". Launch the application. If you're using Windows XP, go to Start then select Run.... Type in "msconfig" and click OK.

3. Select Startup tab. Expand Command column and look for a startup entry that launches randomly named file from %AppData% or %Temp% folders using rundll32.exe. See example below:

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

4. Disable the malicious entry and click OK to save changes.

5. Restart your computer. This time Start Windows normally. Hopefully, you won't be prompted with a fake Department of Justice.

6. Finally, download recommended anti-malware software (direct download) and run a full system scan to remove the virus.


Method 4: Department of Justice virus removal instructions in Safe Mode with Command Prompt (requires registry editing):

1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode.



2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens. Do not close it.



3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the righthand pane select the registry key named Shell. Right click on this registry key and choose Modify.



Default value is Explorer.exe.



Modified value data points to Trojan Ransomware executable file.



Please copy the location of the executable file it points to into Notepad or otherwise note it and then change value data to Explorer.exe. Click OK to save your changes and exit the Registry editor.

5. Remove the malicous file. Use the file location you saved into Notepad or otherwise noted in step in previous step. In our case, "Department of Justice was run from the Desktop. There was a file called movie.exe.

Full path: C:\Documents and Settings\Michael\Desktop\movie.exe



Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.



6. Download recommended anti-malware software (direct download) and run a full system scan to remove the leftovers of this virus from your computer. That's it!


Method 5: Department of Justice virus removal using Kaspersky Rescue Disk:

1. Download the Kaspersky Rescue Disk iso image from the Kaspersky Lab server. (Direct download link)
Please note that this is a large downloaded, so please be patient while it downloads.

2. Record the Kaspersky Rescue Disk iso image to a CD/DVD. You can use any CD/DVD record software you like. If you don't have any, please download and install ImgBurn. Small download, great software. You won't regret it, we promise.

For demonstration purposes we will use ImgBurn.

So, open up ImgBurn and choose Write image file to disc.



Click on the small Browse for file icon as show in the image. Browse into your download folder and select kav_rescue_10.iso as your source file.



OK, so know we are ready to burn the .iso file. Simply click the Write image file to disc button below and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.



3. Configure your computer to boot from CD/DVD. Use the Delete or F2, F11 keys, to load the BIOS menu. Normally, the information how to enter the BIOS menu is displayed on the screen at the start of the OS boot.



The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
  • Ctrl+Esc
  • Ctrl+Ins
  • Ctrl+Alt
  • Ctrl+Alt+Esc
  • Ctrl+Alt+Enter
  • Ctrl+Alt+Del
  • Ctrl+Alt+Ins
  • Ctrl+Alt+S
If you can enter Boot Menu directly then simply select your CD/DVD-ROM as your 1st boot device.

If you can't enter Boot Menu directly then simply use Delete key to enter BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority.



Set CD/DVD-ROM as your 1st Boot Device. Save changes and exist BIOS menu.



4. Let's boot your computer from Kaspersky Rescue Disk.

Restart your computer. After restart, a message will appear on the screen: Press any key to enter the menu. So, press Enter or any other key to load the Kaspersky Rescue Disk.



5. Select your language and press Enter to continue.



6. Press 1 to accept the End User License Agreement.



7. Select Kaspersky Rescue Disk. Graphic Mode as your startup method. Press Enter. Once the actions described above have been performed, the operating system starts.



8. Click on the Start button located in the left bottom corner of the screen. Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Department of Justice Virus. It won't take very long.



9. Click on the Start button once again and fire up the Kaspersky Rescue Disk utility. First, select My Update Center tab and press Start update to get the latest malware definitions. Don't worry if you can't download the updates. Just proceed to the next step.



10. Select Object Scan tab. Place a check mark next to your local drive C:\. If you have two or more local drives make sure to check those as well. Then click Start Objects Scan to scan your computer for malicious software.



11. Quarantine (recommended) or delete every piece of malicious code detected during the system scan.



12. You can now close the Kaspersky Rescue Disk utility. Click on the Start button and select Restart computer.



13. Please restart your computer into the normal Windows mode. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Department of Justice virus and to protect your computer against these types of threats in the future.

0 comments:

Post a Comment

 
//PART 2