DOJ virus Oct. 24 2014 Vista Business OS no via safe mode


3 replies to this topic

#1 pghpagan (Members, 2 posts)

Posted 24 October 2014 - 02:36 PM

My desktop got infected with the DOJ virus 2 days ago and I haven't been able to do anything to get rid of it.  I have an OLD XP laptop I am able to use to access the internet and DL programs.  I can't boot the desktop in any type of safe mode without getting the DOJ screen, no command prompt, no networking, nothing. I do not have a Vista installation CD. I only have one user account, Admin (stupid, I know), and no restore points that I know of even if I could access System Restore, which I can't.  I CAN create a flash drive and/or CD with my laptop and boot from it on my infected desktop, but so far I've tried Kickstart on a flash drive and Kaspersky Rescue Disk on a CD and neither of them finds any infections.  I can access my registry with the rescue disk, but the only recommendation I've seen for a registry change (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell) was already set to explorer.exe.  I've DLed FRST but can't access the desktop to run it. I can't find any other suggestions to get rid of it.  Please help, I'm at my wits' end with this.  Any suggestions would be GREATLY appreciated.
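Post #1 inspected the Winlogon Shell value from a rescue disk. The batch file below is an added example, not part of the original thread or of any tool named in it, showing how to check the other standard autostart points as well (Winlogon Userinit, the machine-wide and per-user Run/RunOnce keys, and the per-user Winlogon Shell override) by loading the offline hives from the System Recovery Options command prompt, so the infected Windows is never booted. It assumes the infected Windows volume appears as C: inside the recovery environment (it is sometimes D: there) and that the only profile is C:\Users\Admin, as the post describes; both are assumptions.

```batch
@echo off
rem Added example (not from the original post): inspect the standard Winlogon and
rem Run autostart values of an offline Windows installation from the System
rem Recovery Options command prompt, without booting the infected OS.
rem Assumptions: the infected Windows volume is mounted as C: inside the recovery
rem environment (check with "dir C:\Windows"; it is sometimes D:), and the single
rem user profile is C:\Users\Admin as described in the post.
setlocal
set OSDRIVE=C:
set PROFILE=%OSDRIVE%\Users\Admin

rem Mount the offline SOFTWARE hive and the user's NTUSER.DAT under temporary keys.
reg load HKLM\OfflineSW %OSDRIVE%\Windows\System32\config\SOFTWARE || goto :fail
reg load HKU\OfflineUser "%PROFILE%\NTUSER.DAT" || goto :failsw

echo === Winlogon. Expected on a clean Vista: Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,
reg query "HKLM\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

echo === Machine-wide Run / RunOnce. Anything pointing into AppData, Temp or ProgramData deserves a look.
reg query "HKLM\OfflineSW\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\OfflineSW\Microsoft\Windows\CurrentVersion\RunOnce"

echo === Per-user Run / RunOnce and the per-user Winlogon Shell override.
reg query "HKU\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKU\OfflineUser\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKU\OfflineUser\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

rem Always unload so the hive files are not left locked when Windows boots next.
reg unload HKU\OfflineUser
:failsw
reg unload HKLM\OfflineSW
goto :eof

:fail
echo Could not load the SOFTWARE hive; check the OSDRIVE path.
```

Save it on the clean laptop as, for example, check_autostart.cmd in the root of the flash drive, and run it from the recovery command prompt as e:\check_autostart.cmd (substituting the flash drive's letter). A value under the Shell, Userinit, Run or RunOnce keys that points at a file you do not recognise is a candidate for removal, but remove nothing until a log of the output has been reviewed.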





#2 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts, Location: The Arctic Circle)

Posted 24 October 2014 - 02:41 PM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now.

==========================

Hi pghpagan,

FRST Scan from RECOVERY Environment on Vista, 7, and 8:
 
On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

 
 
To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========
 
On the System Recovery Options menu you will get the following options:
 
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
Select Command Prompt
 
==========
 
 
Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

xXToffeeXx~


Edited by xXToffeeXx, 24 October 2014 - 02:42 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
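The procedure in post #2 finds the flash drive's letter through Notepad's Open dialog and then types the matching frst or frst64 command by hand. The batch file below is an added example, not part of the original post or of the Farbar Recovery Scan Tool itself, that does the same thing from the System Recovery Options command prompt: it probes drive letters for the tool, picks the 32-bit or 64-bit build from the recovery environment's PROCESSOR_ARCHITECTURE variable, runs the scan from the flash drive so FRST.txt lands beside the executable, and reports whether the log was produced. It assumes the tool was saved to the root of the flash drive under its default file names and that cmd.exe in the recovery environment exposes PROCESSOR_ARCHITECTURE as it normally does (AMD64 on a 64-bit WinRE); both are assumptions.

```batch
@echo off
rem Added example (not from the original post): from the System Recovery Options
rem command prompt, find the removable drive that holds the Farbar Recovery Scan
rem Tool and launch the build that matches the recovery environment's
rem architecture, instead of discovering the drive letter through Notepad.
rem Assumptions: the tool sits in the root of the flash drive under its default
rem names frst.exe (32-bit) and frst64.exe (64-bit), and the recovery environment
rem sets PROCESSOR_ARCHITECTURE as cmd.exe normally does (AMD64 on 64-bit WinRE).
setlocal
if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" (set FRSTEXE=frst64.exe) else (set FRSTEXE=frst.exe)

rem Probe D: through Z: for the executable; the first hit wins. "if defined" is
rem evaluated at run time, so the check works inside the loop without delayed expansion.
set FRSTDRIVE=
for %%D in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if not defined FRSTDRIVE if exist %%D:\%FRSTEXE% set FRSTDRIVE=%%D:
)

if not defined FRSTDRIVE (
    echo %FRSTEXE% was not found in the root of any drive D: through Z:.
    echo Check that the flash drive is plugged in, or use "dir X:\" for each letter to locate it.
    exit /b 1
)

echo Found %FRSTEXE% on %FRSTDRIVE% - starting it. Click Yes to the disclaimer, then press Scan.
rem Switch to the flash drive first so that FRST.txt is written next to the executable.
%FRSTDRIVE%
cd \
start "" /wait %FRSTDRIVE%\%FRSTEXE%

if exist %FRSTDRIVE%\FRST.txt (
    echo Scan log written to %FRSTDRIVE%\FRST.txt - paste its contents into your reply.
) else (
    echo No FRST.txt found on %FRSTDRIVE% - the scan may not have completed.
)
```

Save it on the clean laptop next to frst.exe and frst64.exe on the flash drive (for example as runfrst.cmd) and start it from the recovery command prompt with its full path, such as e:\runfrst.cmd; if even the drive letter of the flash drive is unknown, the Notepad method in the post above still works to find it.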


#3 pghpagan (Topic Starter, Members, 2 posts)

Posted 26 October 2014 - 04:51 PM

First, I would like to thank you for your prompt reply as to how to solve my problem.  I really am VERY grateful and I really do appreciate your time and effort.

 

Second, I want to apologise because I haven't even attempted to repair my computer using your advice.  To be totally honest, before I contacted you I attempted to solve my problem on my own and put in over 2 days of almost constant effort to resolve the problem, so by the time I contacted you I was very frustrated and tired of working on it.  Plus there is the added fact that the computer was running Vista Business, which, to say the least, I am not very fond of.  So... I decided to purchase a new (used) system, which I just did today.  I am pretty happy with it as it has a faster CPU, more RAM, and a larger HD, PLUS it came empty with nothing loaded on it but XP, which I much prefer over Vista.

 

Now comes my new question.  I would like to install the infected HD in the new system as a slave or secondary HD, or whatever it is called nowadays, so I can access some of the data I had on it, but I definitely don't want to infect the new system.  I am hoping that I can just install it and boot off the primary XP drive, and since it has its own startup files and registry, the secondary HD won't be accessed and the virus won't infect the new HD.  I could then run Malwarebytes and/or Spyhunter and hope one of them will detect and remove the virus.  I also have the option of accessing the infected drive with Kaspersky Rescue Disk while it's still in the old system and deleting any possibly infected files or registry entries before installing it in the new computer.  I would be happy to totally delete all the Vista OS files but don't know how to do that.  I'd REALLY like your opinion on the best way to handle this situation and whether my logic is correct that I can somehow do this without infecting the new computer.  Thank you VERY much for your time and attention to my problem.



#4 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts, Location: The Arctic Circle)

Posted 27 October 2014 - 02:47 PM

Hi pghpagan,

 

No worries on that. I think it would be best to use the Vista hard drive as a secondary drive, as it will not be able to infect the new system unless you run an executable file from that drive. Spyhunter is a program which makes you pay to remove malware and uses scare tactics similar to rogues to get you to pay for it. ESET Online Scanner or Emsisoft Anti-Malware are better options. You can also try Kaspersky Rescue Disk, or boot into an Ubuntu disk to copy your files safely. There are many options, and with all of them it is almost impossible to infect the new system.

 

xXToffeeXx~






