The United States of America are these days being massively targeted with a relatively new ransomware hijacker (virus). We said “relatively” because the virus has been encountered in many countries before but it now has a different name, whereas the principles of its malicious activity remained the same. The virus is masked as fake US Department of Justice warning about illegal activities supposedly revealed on your computer (either during your work with it or with the work of other people). It is titled as Computer Crime & Intellectual Property Section notice, but, as we said, these are fake messages users might get on their screens from time to time. Needless to say, such piece of lie must not be trusted by you. Please pay attention to the information you see below. Here is the fake accusation users could get when surfing the web and eventually being infected with the above-said ransomware Trojan.

Computer Crime & Intellectual Property Section
United States Department of Justice
Attention!
This operating system is locked due to the violation of the federal laws of the United States of America! Following violations were detected:
Your IP address is “[removed]“. This IP address was used to visit websites containing pornography, child pornography, zoophilia and child abuse. Your computer also contains video files with pornographic content, elements of violence and child pornography! Spam-messages with terrorist motives were also sent from your computer.
This computer lock is aimed to stop your illegal activity.

To unlock the computer you are obliged to pay a fine of $ 100.
You must pay the forfeit through Paysafecard:
To do this, you should enter the 16 digits resulting code (if necessary with a password) in the payment form and press OK (if you have several codes, enter them one after the other and press OK).
If an error occurs, send the codes to address surcharge@cyber-usa-police.gov.

Paying funds via Paysafecard system is the waste of your funds you’ve been earning so hard. There is no any guarantee that your desktop will be unlocked. In the same manner indicating Paysafecard PIN codes via surcharge@cyber-usa-police.gov e-mail address is the technique prepared by hackers for unwary users. This is the fraudulent method some crooks have selected for ripping users off. Whether you’ve committed things you are being accused of by this virus or not – it does not make any crucial difference when it comes to ransomware virus removal. This is simply the malicious program that can’t help and it will do all it can to convince you to share your funds with these online fraudsters. Below please find the good removal guide how to delete this pest.

Ransomware removal sequence of steps:

1. Restart your system into Safe Mode with Command Prompt. While your PC is booting hit “F8 key” on your keyboard repeatedly. This will lead you to “Windows Advanced Options Menu” as depicted below. Apply your arrow keys to go to Safe Mode with Command Prompt and then hit Enter key. Important! You need to login as the same user you were previously logged in with in the normal Windows mode. Please find more detailed information on rebooting into safe mode in this guide.



2. While Windows boots the Windows command prompt will appear as depicted in the screenshot below. In the command prompt you need to type “regedit” (without quotation marks) and hit Enter. The Registry Editor window comes up.



3. Find the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the righthand panel select the registry key named Shell. Right click on this registry key and select Modify.



The default value is Explorer.exe.



Now you must amend the value data to iexplore.exe. Click OK to save your changes and now quit (shut down) the Registry editor.



Now return to “Normal Mode“. In order to reboot your PC, at the command prompt, type “shutdown /r /t 0” (without quotation marks) and hit Enter.



4. Once Windows OS boots you will not see any desktop icons. Do not panic, this problem will be resolved soon. First of all, use the key combination “Ctrl+Alt+Del” or “Ctrl+Shift+Esc” (recommended) and launch Task Manager. Click File → New Task (Run…)



Type in iexplore and hit OK or click Enter keyboard button.



5. This would open Internet Explorer broswer. Now you must download clean explorer.exe file and over-write the existing one which is infected. Please make sure you download the correct file for your version of Windows OS:
• Windows XP SP2
• Windows XP SP3
• Windows Vista SP2
• Windows 7 SP1

Click on the link to download the file. Select Save. Then go to C:\Windows folder and select available explorer.exe file. Click Save to overwrite the malicious explorer.exe file.



6. Important! At this stage it is also strongly recommended that you download and scan your PC with realiable anti-virus software.
7. Remove all detected infections but do not reboot PC yet.
8. Open up Task Manager once again. For this purpose click File → New Task (Run…) as you made in previous steps.



9. Type in regedit and click OK to open Registry Editor.



Find the same registry entry referred to in the step 3 of this tutorial.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the righthand panel choose the registry entry with the name Shell. Right click on this registry entry and select Modify. Delete iexplore.exe and type in Explorer.exe as it was initially. Click OK to save performed amendments.



Shut down Registry Editor and reboot your PC now. This should reslove your problem. The last but not the least – make sure to scan your PC with reliable and powerful anti-virus software.

Important! If this ransomware removal solution did not help you please consider another similar guide available here.

• Previous Entry: Uninstall Best Virus Protection (removal guide)
• Next Entry: Uninstall Internet Security virus (removal guide)