Need help removing the DOJ virus...Can't boot in Safe mode....


26 replies to this topic

#1 jmc7676


Posted 24 February 2013 - 01:55 AM

Hi,

I'm new to this site so I'm not sure of the protocol, but here we go... I have a Netbook with Win XP that is locked up with the "Department of Justice" virus and can't be loaded into any form of safe mode. I've tried HitmanPro.Kickstart, Anvisoft's Rescue Disk, and I tried re-installing WinXP from USB. Any help would be much appreciated. Thanks

 




#2 Oh My!


Posted 27 February 2013 - 09:46 AM

Greetings jmc7676 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Start New Topic button but use the Add Reply button instead.
  • In the upper right hand corner of the topic you will see the Watch Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.

===================================================
 

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Can you tell me if you have a Windows XP installation disk?


Regards,
Gary

If I do not respond to you within 24 hours of your post please send me a Personal Message .


"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 jmc7676


Posted 28 February 2013 - 03:28 PM

Thank you in advance for your time and patience. Yes, I have an XP installation disk.



#4 Oh My!


Posted 28 February 2013 - 04:33 PM

Greetings,

You are most welcome for the help. Hopefully we will make some quick progress after getting a report from your computer.

Here is what I would like us to do please.


===================================================


Running Farbar's Recovery Scan Tool in Windows XP Recovery Console

--------------------

For this step you will need a USB flash drive and download the proper version of Farbar's Recovery Scan Tool from a clean computer.

  • For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
  • For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  • Plug the flash drive into the infected PC
  • Insert the Windows XP CD in your infected computer
  • Restart your computer so you are booting off of the CD. When you see press any key to boot off CD ... press a key. (if you don't get this you have to change the boot order from the BIOS)
  • When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console
  • The Recovery Console will start and ask you which Windows installation you would like to log on to.
  • If you have just one Windows installation, type 1 and press Enter. If you have multiple Windows installations (less typical), it will list each one. Enter the number associated with the operating system of concern
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter. If you do not know your password then see this
  • If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console
  • In the command prompt type in Notepad and press Enter
  • Under File menu select Open
  • Select Computer and find your flash drive letter and close the notepad
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer
  • Press Scan button
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • FRST log

Regards,
Gary


#5 jmc7676


Posted 28 February 2013 - 04:48 PM

The infected PC is a Netbook. There is no CD/DVD drive to boot from, but I can boot from USB.



#6 Oh My!


Posted 28 February 2013 - 05:04 PM

OK, try it.


Regards,
Gary


#7 jmc7676


Posted 28 February 2013 - 05:14 PM

I need to make a bootable USB with Win XP on it. Gonna use WinToFlash to create the USB.



#8 Oh My!


Posted 28 February 2013 - 05:20 PM

Sounds good. Thanks for adapting.


Regards,
Gary


#9 jmc7676


Posted 28 February 2013 - 05:44 PM

When I run the installation from the USB drive it makes it to the Windows setup screen and starts loading files, then says "Setup is starting Windows", then stops at a blue screen with an error message:

"A problem has been detected and windows has been shut down to prevent damage to your computer. (blah, blah)

Check for viruses on your computer......"

Technical info:

STOP:0x0000007B(0xF7A88524,0xc0000034,0x000000000,0x00000000)



#10 Oh My!


Posted 28 February 2013 - 06:18 PM

Greetings,

OK, let's try this.


===================================================


xPUD MBR Dump and Driver Scan using USB

--------------------

Try this please. You will need a USB drive with no less than 64 MB of space.

  • Insert your USB drive. Caution: The next step will remove all information from your USB device.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded.
  • Press Run then OK.
  • Note: If you receive the message "You must select a distribution to load" just follow the instructions/image below
  • Select the Diskimage Option then click the Browse Button located on the right side of the textbox field.

[image: SelectDiskImage.gif, the UNetbootin "Diskimage" option with its Browse button]

  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot. Do not reboot; instead just Exit the UNetbootin interface.
  • After it has completed, do not choose to reboot the clean computer; simply close the installer.
  • Next download driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1, sda2, ... usually correspond to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1?). If it is not there, remove the USB device for 5 seconds then reinsert.
  • Confirm that you see driver.sh that you downloaded there
  • Click Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh and press Enter
  • After it has finished a report will be located on your USB device named report.txt
  • Now type bash driver.sh -af and press Enter
  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the search is complete please type Exit and press Enter
  • A report will be located in the USB drive as filefind.txt
  • Now please type the following and press Enter. Make sure there is a space between each part of the command.

dd if=/dev/sda of=mbr.zip bs=512 count=1

  • After it has finished (within just a few seconds) a file will be located on your USB drive named mbr.bin.
  • Remove the USB drive, insert it back in your working computer
  • Copy and paste the contents of filefind.txt in your reply
  • Please zip and attach report.txt to your reply
  • Please attach mbr.zip to your reply

 

===================================================


Things I would like to see in your next reply.

  • filefind.txt
  • report.zip
  • mbr.zip

Regards,
Gary


#11 jmc7676


Posted 01 March 2013 - 01:21 AM

Here are the results. Sorry if I sent them the wrong way; I had to attach files to my response, couldn't "copy and paste"? Probably me...




#12 Oh My!


Posted 01 March 2013 - 08:57 AM

The attached MBR file is corrupted. Can you run just that portion of the instructions again for me please?


Regards,
Gary


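The dd step in Gary's post #10 writes the first 512-byte sector of the disk to a file, and post #12 reports that the attachment came back corrupted. As an added example, not from this thread or from any BleepingComputer tool, the Python checker below validates such a dump offline before it is uploaded: it confirms the length and the 0x55AA boot signature at offset 510, lists the partition-table entries at offset 446, and flags a blank or truncated dump. The sample MBR bytes are constructed inline, and the file name mbr.bin in the usage line is an assumption.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
ENTRY_SIZE = 16


def parse_mbr(data: bytes) -> dict:
    """Validate a raw MBR dump (what `dd if=/dev/sda bs=512 count=1` writes).
    Returns {"valid": bool, "partitions": [...], "problems": [...]}; a short or
    signature-less dump is reported as a problem instead of raising."""
    problems = []
    partitions = []
    if len(data) != MBR_SIZE:
        problems.append(f"expected {MBR_SIZE} bytes, got {len(data)}")
    if data[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature at offset 510")
    if len(data) >= MBR_SIZE:
        for i in range(4):
            # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
            status, ptype, lba, count = struct.unpack_from(
                "<B3xB3xII", data, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE)
            if ptype == 0:
                continue  # unused slot
            if status not in (0x00, 0x80):
                problems.append(f"entry {i}: invalid status byte 0x{status:02x}")
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
        if data[:PARTITION_TABLE_OFFSET] == bytes(PARTITION_TABLE_OFFSET):
            problems.append("boot code area is all zeros (blank dump?)")
    if sum(p["bootable"] for p in partitions) > 1:
        problems.append("more than one partition is flagged bootable")
    return {"valid": not problems, "partitions": partitions, "problems": problems}


def build_sample_mbr() -> bytes:
    """Constructed sample: a few x86 boot-code bytes padded with NOPs, plus one
    bootable type-0x07 (NTFS) partition starting at LBA 63."""
    boot_code = bytes.fromhex("33c08ed0bc007c").ljust(PARTITION_TABLE_OFFSET, b"\x90")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 20_971_520)
    return boot_code + entry + bytes(3 * ENTRY_SIZE) + BOOT_SIGNATURE


if __name__ == "__main__":
    import sys
    # usage: python mbr_check.py mbr.bin  (assumed name of the dump copied off the USB drive)
    with open(sys.argv[1], "rb") as fh:
        print(parse_mbr(fh.read()))
```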
#13 jmc7676


Posted 01 March 2013 - 09:55 AM

Yeah, I thought there might be a problem. I won't be able to return till later this afternoon, so thank you for your patience.



#14 Oh My!


Posted 01 March 2013 - 10:01 AM

No problem.

If we run into problems again we can use a small program to automatically produce the MBR report within the xPUD environment.

We will chat again later today.

Regards,
Gary


#15 Oh My!


Posted 01 March 2013 - 10:03 AM

In fact, let me give you the steps just in case you need it.


===================================================


xPUD Master Boot Record (MBR) Report Using Dumpit

--------------------
  • Insert your USB drive into your clean computer
  • Right click this dumpit link, select "save link/target as", and save the file directly to your USB
  • Remove your USB device and insert it into your infected computer
  • Boot the sick computer using your GETxPUD CD
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1, sdc1, etc.). If it is not there remove the USB device for 5 seconds then reinsert.
  • Double click on the Dumpit file
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

Regards,
Gary




