Department of Justice virus removal. (Difficult)


8 replies to this topic

#1 sacredmelon (Members, 5 posts)

Posted 30 June 2014 - 10:40 PM

I have Windows 7 32-bit. This virus prevents Safe Mode and also disables CD-ROM drives. I cannot use a recovery disk. The file "User32.dll" seems to be the problem. I can start up with one account, press Ctrl+Alt+Del and switch users to access the other account without the virus preventing anything from starting up. This is a new virus and has a low detection rate. Please help.

Edit: Moved topic from Windows 7 to the more appropriate forum.~ Animal


#2 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,086 posts, Location: The Arctic Circle)

Posted 01 July 2014 - 10:45 AM

Hi sacredmelon,

 

Can you boot in any mode, in any account?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 sacredmelon (Topic Starter, Members, 5 posts)

Posted 01 July 2014 - 03:54 PM

Yes, I can boot up normally, but I have to switch accounts. For example, I boot up in admin, then press Ctrl+Alt+Del and switch users.



#4 sacredmelon (Topic Starter, Members, 5 posts)

Posted 01 July 2014 - 04:04 PM

The virus only seems to be active in one account. Here is a VirusTotal report for "User32.dll":

 

https://www.virustot...sis/1404233288/

 

Is it possible you can upload your User32.dll and User32.ini files for me? I want to see if I can replace mine, because the virus seems to be located in these 2 files.



#5 copiman (Members, 65 posts)

Posted 01 July 2014 - 05:38 PM

I think if you go to the "Virus Removal" tab here on BleepingComputer at the top, you will find the virus you are referring to and get the solution. There are several types. I bet yours is in there.


Edited by copiman, 01 July 2014 - 05:40 PM.


#6 Adam Rose (Members, 3 posts)

Posted 02 July 2014 - 09:18 AM

HitmanPro has an article specifically about the DOJ ransomware caused by user32.dll, located here:

http://hitmanpro.wordpress.com/2014/06/13/ransomware-infecting-user32-dll/ 

I would start there.


Edited by Adam Rose, 02 July 2014 - 09:28 AM.


#7 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,086 posts, Location: The Arctic Circle)

Posted 02 July 2014 - 10:24 AM

Hi sacredmelon,
 
There's no need for a User32.dll from any other computer (it can be risky doing this anyway; my computer may be running a different type of Windows, which could cause problems if you were to use my file). Your computer should have a clean version anyway.
 
Log into the admin account and then switch to your normal account, and run the tool below.
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

--------------
 
We need to search for a file with FRST:

  • Double-click on FRST.exe/FRST64.exe to open it, in the search box, type the following: User32.dll
  • Press the Search Files button, allow FRST to run
  • A log file Search.txt will appear when complete, please post this in your next reply

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt
  • Search.txt

xXToffeeXx~


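The check the helper asks for above (find every user32.dll and decide whether it has been tampered with), written as an added PowerShell example. This is not code from the thread, from FRST or from HitmanPro; it assumes a Windows 7 or later host, an elevated PowerShell prompt, and that the only user32.dll copies an ordinary process should load live in System32 and (on 64-bit Windows) SysWOW64. Function and variable names are the example's own.

```powershell
# Added example, not part of the original thread.
# Inventory the user32.dll copies Windows actually loads, record size, timestamp,
# SHA-256 and Authenticode status, then ask the System File Checker to verify each one.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { return ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Dispose() }
}

function Get-User32Report {
    # Assumed "expected" locations; SysWOW64 only exists on 64-bit Windows.
    $candidates = @(
        (Join-Path $env:SystemRoot 'System32\user32.dll'),
        (Join-Path $env:SystemRoot 'SysWOW64\user32.dll')
    )
    foreach ($p in $candidates) {
        if (-not (Test-Path $p)) { continue }
        $item = Get-Item $p
        $sig  = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path      = $p
            SizeBytes = $item.Length
            LastWrite = $item.LastWriteTimeUtc
            Sha256    = Get-Sha256Hex $p
            SigStatus = $sig.Status          # Valid, HashMismatch, NotSigned, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# 1. Print the inventory. Compare Sha256 with the same file on a second machine running
#    the *same* Windows version and patch level; do not copy the file across, compare hashes.
$report = Get-User32Report
$report | Format-List

# 2. Caveat: user32.dll is catalog-signed, not embedded-signed. On Windows 7 / older PowerShell,
#    Get-AuthenticodeSignature reports NotSigned even for a clean copy, so a HashMismatch is
#    meaningful but NotSigned alone is not. The authoritative check is SFC, which verifies the
#    file against the component store and can restore it (/scanfile) if it was patched.
foreach ($r in $report) {
    Write-Host "sfc /verifyfile for $($r.Path):"
    & "$env:SystemRoot\System32\sfc.exe" "/verifyfile=$($r.Path)"
}

# 3. Any extra user32.dll outside System32 / SysWOW64 / the WinSxS component store is suspect:
#    a loader searching the application directory before System32 would pick it up first.
Get-ChildItem -Path $env:SystemRoot -Recurse -Filter 'user32.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '\\(System32|SysWOW64|WinSxS)\\' } |
    Select-Object FullName, Length, LastWriteTimeUtc
```

If `sfc /verifyfile` reports a violation, `sfc /scanfile=<path>` (or a full `sfc /scannow`) replaces the modified file from the component store, which is the built-in alternative to the "clean copy from another machine" idea the helper warns against above. Run it from the account that boots cleanly, as the helper suggests, and keep the FRST logs she requested so the original file's hash and timestamp are recorded before the repair overwrites them.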


#8 sacredmelon (Topic Starter, Members, 5 posts)

Posted 02 July 2014 - 02:00 PM

Ok sorry for the trouble. I got it fixed after using the HITMANPRO scan and repaired it. Thank you for all the help and effort. Close thread please.



#9 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,086 posts, Location: The Arctic Circle)

Posted 02 July 2014 - 02:21 PM

Hi sacredmelon,
 
No worries, thank you for letting me know :)
 
xXToffeeXx~


