
Department of Justice virus from aug 20th no safemode


46 replies to this topic

#1 Lemmi (Members, 49 posts)

Posted 22 August 2014 - 05:53 PM

Hello, it's been 5 years since my last virus, but now I have that DoJ virus, which happened on August 20th. When I got it I tried to get into safe mode but I could not. I was just surfing a website I've been going to for 7 years and then I noticed my Task Manager was gone; when I tried to get it back up it would pop up for 1 second then disappear, so I rebooted and that's when the DoJ crap showed up. No new programs installed.

I am on WinXP SP3 x32 and I wish to clean it just to get the stuff off my HD. I'm getting a new computer for Christmas.

 

First I tried the Kaspersky rescue disc, and after that scan it found one item and left it on there (never asked me to fix or remove anything).
I tried the HitmanPro Kickstart.
I followed the blog you set up about it http://www.bleepingcomputer.com/virus-removal/remove-department-of-justice-ransomware but I still have it.

HitmanPro x32 won't download because this computer (I'm borrowing) is x64 and won't let it make a USB, so I scanned my infected computer with the x64 version and it found 3 items that it zipped and sent somewhere (I forgot to save that file/log), but it's still happening, and Kaspersky found one password protected file which it leaves on my computer (content.ie5/w16663??????/mod1-4[1].rar); there was more stuff after the numbers but I didn't write it all down (I think it's a rar file I have saved to my desktop).

 

I really don't know what to do. F8 also stopped working for safe mode; I'm really lost now, please help.





#2 noknojon (Banned, 10,871 posts)

Posted 22 August 2014 - 08:46 PM

Hello Lemmi.
Mar 2009 was a while ago, and you have done well up to now.
Is there a healthy XP 32-bit anywhere that you know of, since this is the best?

hitmanprox32 wont download because this computer (im borrowing) is x64

Part of the removal / repair instructions ===>>

snip<As the Department of Justice Ransomware infection locks you out of your computer, you will need to create a bootable USB drive that contains the HitmanPro.Kickstart program. We will then boot your computer using this bootable USB drive and use it to clean the infection so that you are able to access Windows normally again.
In order to do this please download HitmanPro from the following link and save it to your Windows desktop.
http://www.bleepingcomputer.com/download/hitmanpro/
When you visit the above page, please download the version that corresponds to the bit-type of the Windows version you will be using to create the Kickstart USB drive.>snip
 

The information is posted in the hope that you do have access to the required features.

I would have thought that most XP units were 32bit, so you do need to ask around a bit more.

 

Many people are now throwing older XP units in the tip (I have 3 waiting to go), and upgrading now - - -

Just another option, but the Malware Response Team can help if you can work with them (may be a day or 3 wait)

 

Just another few options to think of -

 

Please follow (read) the instructions in ==>This Prep Guide<== starting at Step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>To Malware Removal Area<==

NOTES :If (since) you cannot produce any of the other logs, then please create the new topic anyway, include the information that you were unable to produce the other logs and why along with a description of your computer issues.

 

Post a link back here if you do decide on this option and we will lock this topic so that only the Malware Response Team responds to your topic.

 

Thanks.



#3 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,078 posts, Location: The Arctic Circle)

Posted 23 August 2014 - 06:39 AM

Hi Lemmi,

 

Do you have your Windows XP disk?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#4 Lemmi, Topic Starter (Members, 49 posts)

Posted 23 August 2014 - 11:20 AM

Hello,

I am still hunting for an x32 machine; everyone I know uses a phone now for internet. Will a cell phone be able to make the HitmanPro Kickstart USB program? (My cell phone can only do calls.)

 

I do have a WinXP disk but it's a bootleg, 'cause I lost my original during one of my many moves over the past 10 years, and I got it from a friend who no longer used XP.

So I'm not sure if the CD has all the bells and whistles that might be needed.

 

But I'm still looking.



#5 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,078 posts, Location: The Arctic Circle)

Posted 23 August 2014 - 11:51 AM

Hi Lemmi,

 

No, a Windows computer is needed to make the HitmanPro bootable USB.

 

Let's try this; if it doesn't work then we can try something else.

 

You will need the following:
1. A Clean computer with a CD Burner
2. Windows XP CD
3. Blank CD
4. USB pen drive
 
Please follow the steps below. If you are unable to create the UBCD4WIN, please provide any error messages, and/or what step you cannot follow.
 
Phase I - Creating the ISO file
 
1. Please select a mirror and download the Ultimate Boot CD for Windows to the Desktop

  • Double-Click on the UBCD4Win.exe file downloaded to the Desktop.
  • Follow all of its instructions/prompts

Note: Do not install to a folder with spaces in its name. It is best to use the default name C:\UBCD4Win
Note: Your Antivirus may report viruses or trojans when you extract UBCD4Win. These are False-Positives.
Read here for information regarding the files that normally trigger AV software.

  • At the very end, uncheck: Run UBCD4WinBuilder.exe when installation is complete
  • Click: Finish

2. Insert your XP CD with SP1/SP2/SP3 into a CD ROM drive

  • Open My Computer, and navigate to: C:\ubcd4win
  • Double-click on UBCD4WinBuilder.exe
  • Click I Agree to the UBCD4Win PE Builder License
  • Select No when prompted to Search for Windows installation files
  • For Source: click on the ellipsis (...), then click on the drive with your Windows XP CD, press OK
  • For Custom: no information is necessary, leave blank
  • For Output: keep the default BartPE
  • For Media output select Create ISO image: (enter filename)

Note: Leave the default filename and path as well (C:\UBCD4Win\UBCD4WinBuilder.iso). If you change it make sure it is a folder without spaces in the name.

  • Note: If your XP install disc is SP1 then please click the Plugins button and modify the following options:

Quote

Click on each option, then click Enable/Disable so the correct value is displayed.
 
Disabled - !Critical: DComLaunch Service [Building with XP SP1-DISABLE]
Enabled - !Critical: LargeIDE Fix (KB331958) [Building with XP SP1-ENABLE]

3. Click on the Build button.

  • When you see the Windows EULA message. Click on I Agree
  • At the Build Screen, let it run its course.
  • When the Build is finished, click close, then exit.

4. Burn your ISO file to CD

 

Phase II - Download Farbar's Recovery Scan Tool (FRST)
 
From the clean computer, download Farbar Recovery Scan Tool and save it to the USB pen drive.
 
Note: You need the 32-bit version to run with UBCD4Win
 
Now, plug the USB pen drive back into the ransomed computer and move on to the next step.
 

Phase III - Booting to the UBCD4Win CD
 
Restart the ransomed Computer Using the UBCD4Win disc created.

  • Insert the UBCD4Win disc into a CD/DVD drive
  • Restart the computer. It should boot from the UBCD4Win CD automatically
  • If it doesn't, and you are asked if you want to boot from CD, then, select that option

Note: Information on booting from CD > here

  • In the window that appears select Launch The Ultimate Boot CD For Windows, and press: Enter
  • It may take longer for the Desktop to appear than it does when you start the computer normally, but just let the process run itself until the Desktop appears
  • Once the Desktop appears, a message appears asking: Do you want to start Network support?, click Yes
  • You should now have a Desktop that looks like this:

[screenshot: Main.jpg]
 

Phase IV - Running the FRST scan

  • Single-click My computer from the UBCD4Win Desktop, and navigate to the Farbar Recovery Scan Tool (FRST.exe) saved to the pen drive.
  • Double-click on FRST.exe to begin running the tool
  • When the tool opens click Yes to the disclaimer

Note: If prompted to download the latest version, please do so from the link in Phase II

  • Click on the Scan button
  • When done scanning, the tool makes a log, FRST.txt on the pen drive. You can now close the pen drive, and safely remove it.
  • Insert the USB pen drive into your clean computer, and post the FRST.txt in your reply

xXToffeeXx~




#6 Lemmi, Topic Starter (Members, 49 posts)

Posted 23 August 2014 - 02:36 PM

Well, no luck with the build; I got 3 errors and 1 warning.

 

Warning: File "fltmgr.sys" not found
Builder has stopped because there are 3 build errors
ISO image is not created, you must fix the errors!
Building done...
There where 3 errors and 1 warnings

 

Error: SetupDecompressOrCopyFile() "D:\I386\SHELL32.DLL" to "C:\UBCD4Win\BartPE\I386\SYSTEM32\SHELL32.DLL" 5: Access is denied.

Error: SetupDecompressOrCopyFile() "D:\I386\FLTMGR.SYS" to "C:\UBCD4Win\BartPE\I386\SYSTEM32\DRIVERS\FLTMGR.SYS" 2: The system cannot find the file specified.

Error: SetupDecompressOrCopyFile() "D:\I386\FLTLIB.DLL" to "C:\UBCD4Win\BartPE\I386\SYSTEM32\FLTLIB.DLL" 2: The system cannot find the file specified.

 

The above version is from 2003 and the bottom version I got in 2008.

 

I also found another version. I'm not sure which one is installed in my infected computer, but with the 2nd copy I get this message:

 

source files wrong version

file version "D:\i386\ntdll.dll" is 5.1.2600.0 should be 5.1.2600.1045 or higher you must use winxp sp1 or server 2003 of windows

 

Now what to do? lol

 

 

EDIT==============

OK, I have to hand over this laptop until tomorrow sometime.


Edited by Lemmi, 23 August 2014 - 04:49 PM.


#7 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,078 posts, Location: The Arctic Circle)

Posted 24 August 2014 - 06:02 AM

Hi Lemmi,

 

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

  • Insert your USB drive
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    user32.*

  • Press Enter
  • If successful, the script will search for this file.
  • After it has finished a report will be located in the USB drive as filefind.txt

​xXToffeeXx~




#8 Lemmi, Topic Starter (Members, 49 posts)

Posted 24 August 2014 - 03:15 PM

Hello,

 

 Confirm that you see driver.sh that you downloaded there

 

I don't see it in there. I've downloaded these last steps 4 times and no driver; I even tried

  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter

and I got "no such file in directory".

 

I also only have 1 thing to pick from in the mnt folder, and it's sda1.


Edited by Lemmi, 24 August 2014 - 03:40 PM.


#9 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,078 posts, Location: The Arctic Circle)

Posted 25 August 2014 - 06:04 AM

Hi Lemmi,

 

How big is your USB?

 

I do have another way of getting the information, so I will work on getting the instructions for that.

 

xXToffeeXx~




#10 Lemmi, Topic Starter (Members, 49 posts)

Posted 25 August 2014 - 01:11 PM

I have 3 USB drives I could use: a 2GB, 8GB or a 32GB.

 

I used the 8GB PNY to make the xPUD; I was going to save the 32GB drive for the HitmanPro Kickstart program in case I found someone with an old computer.

 

To get into my BIOS I have to hit DEL, and F9 to get a boot-first selection screen to make the USB boot first; nothing shows up in BIOS like the HitmanPro did.

My motherboard is from 2007-ish.


Edited by Lemmi, 25 August 2014 - 01:11 PM.


#11 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,078 posts, Location: The Arctic Circle)

Posted 25 August 2014 - 01:51 PM

Hi Lemmi,

 

Can you try the 2 GB USB instead? I believe it should all fit in the amount of space, or at least downloading the driver.sh and inserting it after the 8 GB USB has been used to boot up.

 

xXToffeeXx~




#12 Lemmi, Topic Starter (Members, 49 posts)

Posted 25 August 2014 - 02:49 PM

I hope this is how you wanted the report.

 

 

Search results for user32.*

1bb9831d3047ab446ed99d8e07ef6986  /mnt/sda1/WINDOWS/system32/user32.dll
      603.5K Mar 12 10:48

df74697fb06a25f2d119eca1ac4ae8c2  /mnt/sda1/WINDOWS/system32/user32.ini
      565.0K Mar 12 10:48

1bb9831d3047ab446ed99d8e07ef6986  /mnt/sda1/WINDOWS/ServicePackFiles/i386/user32.dll
      603.5K Mar 12 10:48

df74697fb06a25f2d119eca1ac4ae8c2  /mnt/sda1/WINDOWS/ServicePackFiles/i386/user32.ini
      565.0K Mar 12 10:48

c72661f8552ace7c5c85e16a3cf505c4  /mnt/sda1/WINDOWS/$NtServicePackUninstall$/user32.dll
      563.5K Aug  4  2004
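The report above lists each copy of a file with its MD5, path, size and date, and the decision that follows depends on which copies agree. As an added example (not the thread's driver.sh script, and not BleepingComputer's code), the Python below reproduces that survey on a mounted volume and then compares the live copy under WINDOWS\system32 against the backup copies: the report format is inferred from the output posted above, the function names are mine, and the sample tree it builds is constructed for the demonstration.

```python
"""Survey copies of a Windows system file from an offline boot and compare
their hashes. Added example for this thread, not the driver.sh script used
above; the report format is inferred from the output posted in the thread."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample input: the filefind.txt report posted above, embedded
# verbatim so the parser can be exercised without booting anything.
SAMPLE_REPORT = """Search results for user32.*

1bb9831d3047ab446ed99d8e07ef6986  /mnt/sda1/WINDOWS/system32/user32.dll
      603.5K Mar 12 10:48

df74697fb06a25f2d119eca1ac4ae8c2  /mnt/sda1/WINDOWS/system32/user32.ini
      565.0K Mar 12 10:48

1bb9831d3047ab446ed99d8e07ef6986  /mnt/sda1/WINDOWS/ServicePackFiles/i386/user32.dll
      603.5K Mar 12 10:48

df74697fb06a25f2d119eca1ac4ae8c2  /mnt/sda1/WINDOWS/ServicePackFiles/i386/user32.ini
      565.0K Mar 12 10:48

c72661f8552ace7c5c85e16a3cf505c4  /mnt/sda1/WINDOWS/$NtServicePackUninstall$/user32.dll
      563.5K Aug  4  2004
"""

# A record is a "<md5>  <path>" line followed by an indented "<size> <date>" line.
RECORD_RE = re.compile(
    r"^([0-9a-fA-F]{32})\s+(\S.*?)\s*\n\s+(\S+)\s+(.+?)\s*$", re.MULTILINE)


def parse_report(text):
    """Parse a filefind-style report into dicts with hash, path, size, mtime."""
    return [{"hash": md5.lower(), "path": path, "size": size, "mtime": mtime}
            for md5, path, size, mtime in RECORD_RE.findall(text)]


def md5_of(path, chunk=1 << 20):
    """Hex MD5 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_files(root, pattern):
    """Walk a mounted volume (e.g. /mnt/sda1) and record every file whose
    name matches the glob pattern, case-insensitively, like the search above."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch(name.lower(), pattern.lower()):
                full = os.path.join(dirpath, name)
                info = os.stat(full)
                found.append({"hash": md5_of(full), "path": full,
                              "size": info.st_size, "mtime": int(info.st_mtime)})
    found.sort(key=lambda rec: rec["path"])
    return found


def compare_copies(records):
    """Group the copies of each file name by content hash: name -> {hash: [paths]}."""
    groups = defaultdict(lambda: defaultdict(list))
    for rec in records:
        groups[os.path.basename(rec["path"]).lower()][rec["hash"]].append(rec["path"])
    return {name: dict(by_hash) for name, by_hash in groups.items()}


def flag_live_copy(records, live_dir="/windows/system32"):
    """For each file in the live system directory, split the other copies into
    those whose hash matches the live file and those whose hash differs."""
    result = {}
    for rec in records:
        parent = os.path.dirname(rec["path"]).replace("\\", "/").lower()
        if not parent.endswith(live_dir):
            continue
        name = os.path.basename(rec["path"]).lower()
        matching, differing = [], []
        for other in records:
            if other is rec or os.path.basename(other["path"]).lower() != name:
                continue
            (matching if other["hash"] == rec["hash"] else differing).append(other["path"])
        result[name] = {"hash": rec["hash"], "matching": matching, "differing": differing}
    return result


def build_sample_tree():
    """Create a throwaway directory laid out like the Windows folders seen in the
    report, with constructed contents, so find_files can be run on it."""
    root = tempfile.mkdtemp(prefix="volume_")
    layout = {
        "WINDOWS/system32/user32.dll": b"hello",
        "WINDOWS/ServicePackFiles/i386/user32.dll": b"hello",
        "WINDOWS/$NtServicePackUninstall$/user32.dll": b"older build",
        "WINDOWS/system32/kernel32.dll": b"not searched for",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for name, verdict in flag_live_copy(parse_report(SAMPLE_REPORT)).items():
        print(name, verdict["hash"])
        print("  same hash:", verdict["matching"])
        print("  differs  :", verdict["differing"])
```

On the posted report this shows that the system32 copy of user32.dll agrees with the ServicePackFiles\i386 copy and differs from the $NtServicePackUninstall$ copy. That is expected on a genuine system too: $NtServicePackUninstall$ holds the pre-service-pack build and ServicePackFiles the service-pack build, so their sizes and hashes differ. The script only tells you which copies agree; the definitive check for a tampered file is a known-good hash for the exact build installed, and a size or hash that matches no known build is the signal worth acting on.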



#13 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,078 posts, Location: The Arctic Circle)

Posted 26 August 2014 - 06:13 AM

Hi Lemmi,

 

That is perfect, just what I wanted to see. Looks like my suspicions of a patched user32.dll have proved true, now we just need to replace it. If anything doesn't go as planned here then stop and tell me.

 

Boot back into xPud:

  • Insert the usb into the computer.
  • Press F12 and choose to boot from the USB.
  • Follow the prompts.
  • Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1 or sda2 usually corresponds to your hard drive (it will have a number of folders; including Windows, Users, Program Files).
  • Click on the folder that represents your hard drive (should be sda1).
  • Then using the folders, navigate to WINDOWS/$NtServicePackUninstall$ and there should be a file named user32.dll.
  • Right-click on it and select copy.
  • Then go back to sda1 or sda2 (depending on which is your hard drive) using the green back arrow or selecting it from the menu on the left.
  • Using the folders again, navigate to WINDOWS/system32 and you will see another file named user32.dll.
  • Right-click on it and select rename, type in user32.vir and click on OK.
  • Then right-click within the folder and select paste, you should see a file named user32.dll appear.
  • Once you have completed this, please reboot your computer and attempt to boot into windows.

xXToffeeXx~




#14 Lemmi, Topic Starter (Members, 49 posts)

Posted 26 August 2014 - 01:33 PM

Well, everything went OK until I tried to reboot.

 

"Once you have completed this, please reboot your computer and attempt to boot into windows."

 

It shows the Windows XP load screen, then it just stays black with a movable pointer when the welcome screen should pop up.

 

Also it seems I can't stop the computer from wanting to boot up from the Kaspersky CD unless I hit F9 and pick hard disk, then my Western Digital HD.

In BIOS it's set to boot from HD also.

OK, I think I figured it out; I just removed the CD-ROM from any booting, but it still won't bring up the welcome screen.

All I got is a black screen with a pointer.



#15 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,078 posts, Location: The Arctic Circle)

Posted 26 August 2014 - 01:43 PM

Hi Lemmi,

 

Boot back into xPud:

  • Insert the usb into the computer.
  • Press F12 and choose to boot from the USB.
  • Follow the prompts.
  • Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1 or sda2 usually corresponds to your hard drive (it will have a number of folders; including Windows, Users, Program Files).
  • Click on the folder that represents your hard drive (should be sda1).
  • Then using the folders, navigate to WINDOWS/system32 and please confirm there is a file named user32.dll.

xXToffeeXx~






