Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Homeland Security Virus - how to remove without safe mode access

  • This topic is locked This topic is locked
No replies to this topic

#1 ammobake


  • Members
  • 29 posts
  • Local time:03:08 PM

Posted 05 February 2014 - 10:33 PM

So I wanted to start a thread here with some helpful and relevant information on how to remove the Homeland Security ransomware virus (aka Cryptor) without needing safe mode or command prompt.  Took me a day and a half to remove the virus but I was able to do it without resorting to system restore and possibly losing data - this is how...

A friend was having some serious problems and brought me their computer...


Dell Vostro 200

Windows XP Pro SP3



I knew I had a fight ahead of me because I had seen this ransomware before - only this one was particularly nasty.


You typically will boot up, then after your computer logs in to windows you will see a screen that locks you out of everything else.


The image typically sais either "ICE" or "Homeland Security", something like that.


The program typically sais you've done something illegal and to fix it you must pay a 300 dollar fine through something called "Moneypak".  In actuality it is a virus.  Do not send any money to anyone!


This particular virus prevented me from loading safe mode, safe mode with networking, safe mode with command prompt, nothing would work.  After trying to load safe mode it would boot up, then immediately shut down and reboot in regular mode - which inevitably displays the image demanding money which locks you out of everything.


At one point in trying to load safe mode it rebooted and the virus crashed while windows was loading.  I immediately ran scans with spybot search & destroy and malwarebytes anti-malware.  I removed multiple infected objects and rebooted.  My friend took their computer home, booted up, hooked up the internet cable and the virus lockout message reappeared as if nothing happened.


When he brought it back to me I tried doing a few other things but nothing would work.


Kaspersky Rescue Disk V10 - was able to boot from the rescue CD and complete multiple scans but nothing was ever detected.

Anvisoft Rescue Disk - was able to boot from the rescue CD and run full scan.  One "error" was discovered and resolved but the virus went undetected.

Hitman Pro Kickstart USB - "Hitman Pro" writes a bootable file to a USB that you boot up on the infected computer.  Hitman pro would be displayed on system startup but there was no way to boot up windows XP in anything other than Legacy boot mode (option 3 on the list).  I attempted the other two options multiple times but only a black screen would be displayed.  The legacy boot would lead to the virus locking me out.


I then stumbled across a thread here on bleeping computer that changed all that.




Though the virus messages were different I had a hunch that the Homeland Security and Chiefs of police viruses were related.


So I followed the instructions on that thread and everything worked out.


Apparently,  creating and then booting from the "AVG Rescue Disk" was the solution - per step by step instruction from JSntgRvr in the thread above.


One thing I would say is make sure that before you boot up with the AVG rescue disk you have your network cable hooked up because one of the first things you will need to do is update.


Another interesting fact: I experimented with doing a variety of scans without applying the update.  Nothing was detected.  Only after AVG applied the updates was the virus detected and dealt with.


In my case the virus name was "Win32/Cryptor" and it had infected a temporary file under documents and settings with .cpp file type.


Also important to note - as mentioned in the above thread - do not delete the infected file.  you want to select "rename".  You can deal with the infected file after you do a standard Windows XP bootup per the instructions provided.



BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users