New type of Ransomware using user32.dll Removal Guide

Threat Level:
Rate this Article:
Comments (3)
Article Views: 15918
Category: Malware

Department of Justice virus is a genuine ransomware program that infects computers surreptitiously and locks users out of their systems. We have seen plenty of similar infections before, like FBI Moneypak Virus, Metropolitan Police Virus and so on. However, the new variant of Department of Justice Virus that appeared in January 2014 displays new infection symptoms. It is hard to tell whether it is more dangerous that previous ransomware application, but it surely becomes hard to remove Department of Justice Virus from the infected computer. This article provides a concise report on the specifics of a new version of this ransomware infection, and what you can do to get rid of it.

Ransomware programs are notorious for entering target systems via Trojan infections. Urausy, Reveton Trojans are known for distributing various types of ransomware infections. Usually, whenever a ransomware application enters a computer, it usually drops an executable file on the system and once the file is run, ransomware gets installed on a system. However, with the new version of Department of Justice Virus on board, we encounter yet another way of infection. This new type of ransomware infects the Windows system DLL file – user32.dll. This infection makes the file’s resource section larger and it automatically gives away the fact that the file contains an encrypted payload.

Usually user32.dll system file is located in C:\Windows\System32\user32.dll or C:\Windows\SysWOW64\user32.dll. Based on security expert observations so far, the new version of Department of Justice virus seems to be infecting the 32-bit version of the file. When the ransomware infects user32.dll, it allocates a new executable block of virtual memory for the encrypted payload. The payload also has a decryption code, and when the entire encrypted payload in new blocks of virtual memory is decrypted, the infection executes the plain malicious code. As a result, Department of Justice Virus settles down on your system and exhibits the first infection symptoms.

The main symptoms of the infection include the most common ransomware behavior. For example, Department of Justice Virus will block Windows Task Manager, Registry Editor and Command Prompt on the Normal mode. What is more, you will also see the common ransomware notification on your screen, saying that your computer has been blocked due to criminal activity: “The work of your computer has been suspended on the grounds of the violation of the Law of the United States of America.” Needless to say, that this notification embodies the infection’s efforts to swindle you out of your money.

It is of no surprise that the new version of Department of Justice Virus is still trying to steal your money. Yet, just like it exhibits a new way of infection, it also has a new infection symptom that is rather disturbing. The new ransomware application can disable CD-ROM drives. For some it may seem like a random symptom, but the truth is that some ransomware removal techniques involve using Windows installation CD. Thus, if your CD-ROM is blocked, you can no longer recover CD for Windows operating system. What is more, CD-ROM remains blocked even in all Safe Modes.

With this new type of infection users have to be extremely careful about browsing unfamiliar websites. Refrain from clicking links to unknown websites and do not open attachments received from senders you do not know. It is better to prevent an infection than to battle one, and it order to avoid potential threats you should also invest in licensed computer security tool that would help you protect the system from various infections. Regular system security scans are a must!

We also provide two sets of manual removal instructions in the article. However, keep in mind that if you are not an advanced computer user, you should think twice before carrying any of the following actions. Do not forget that if you make a mistake or something goes wrong, you might literally kill your operating system. In other words, follow the instructions at your own risk.


  1. Restart your computer and when BIOS splash loads press F8 key several times.
  2. Select Safe Mode with Networking on Advanced Boot Options menu. Press Enter.
  3. Open Start menu and enter cmd into the Search box. Press Enter.
  4. Enter sfc /scannow command into the Command Prompt and press Enter.
  5. Restart computer and load system in Normal Mode.


  1. Reboot the PC and tap F8 repeatedly when BIOS screen loads.
  2. Use arrow keys to navigate and select Safe Mode with Networking. Hit Enter.
  3. Open Start menu and type cmd into the search box.
  4. When cmd appears in search results, right-click it and select Run as administrator.
  5. Enter takeown /f C:\Windows\System32\user32.dll into Command Prompt and press Enter.
  6. Enter another command: cacls C:\Windows\System32\user32.dll /G <username>:F. Press Enter.
  7. Close Command prompt and navigate to C:\Windows\Winsxs directory.
  8. Perform a search for user32.dll file. Copy the file.
  9. Go to C:\Windows\System32 directory and paste user32.dll to replace the infected file.
  10. Go to C:\Windows\SysWOW64 directory and paste user32.dll there too.
  11. Restart the computer in Normal Mode.

Take note that the infection does not affect the system file in C:\Windows\SysWOW64 directory often, but it does that sometimes, so you need to take every possibility into consideration. Also, the <username> in the instructions is your computer’s username (it usually appears at the top of your Start menu), and you have to type it in WITHOUT <> symbols (not like in the instructions). For any further questions, you can always contact us by leaving a comment in the box below this article.

Download Remover for New type of Ransomware using user32.dll *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.


  1. I am having this problem right now. The machine is unable to boot properly into safe mode, and also there is no backup copy of user32.dll in the Winsxs folder. I tried loading a copy of the file from a Windows CD, but that hasn't worked (machine won't even boot following this step). Any suggestions would be greatly appreciated. I am wondering if there is any software that can actually 'clean' the infected file, since this machine won't run properly without it. Thanks.

  2. Hi, i had this problem too. i used a bootable CD like "Hiren Boot CD" with MiniXP and i did run "HitmanPro" program. it will scan your machine and replace user32.dll with original one automatically.
    I hope it was useful for you

  3. The first instruction set worked for me and properly replaced user32.dll. Although after scannow completed and rebooted, the computer also did chkdsk and I allowed the full run of that as well.

    However, the virus prevented me from opening a cmd box so first steps must be taken around that. The most important step is to disconnect the computer from the internet. Mine was connected via ethernet so I could just unplug it. The virus establishes contact with a server and then takes over the screen with its image. I also deleted netadapt, netar and netflt drivers from the system32/drivers/etc folder. I find that when I disconnect the internet and delete these drivers the virus does not take over the screen and even allows the running of programs. But it is still operational and blocks task manager amongst other things. However, this way I could run the cmd prompt and get rid of the corrupt user32.dll

Leave a Reply to Behnam Araz Cancel reply

Your email address will not be published.


Enter the numbers in the box to the right *