Solved

Cannot delete Department of Justice virus

Posted on 2014-08-08
704 Views
Last Modified: 2014-08-11
Have an XP Pro machine that has the DOJ virus when it boots. I cannot do anything in production mode because as soon as I sign in the virus takes up the whole page. When I try to go to Safe Mode, the computer reboots before the sign-in page appears. I have run Kaspersky Rescue CD, Malwarebytes, Hitman Pro Kickstart, Avira Rescue CD and SUPERAntiSpyware. Nothing worked. Any ideas?
0
Question by:syssolut
14 Comments
 
LVL 10

Expert Comment

by:Tom
ID: 40250058
Boot PC - Press F8
Select: Safe Mode with Command Prompt
Type : C:\windows\system32\restore\rstrui.exe

System Restore should start, and you will see a list of restore points. Try using a restore point created just before the date and time the Department of Justice lock screen virus has infected your computer.

When System Restore has completed its task, start your computer in Windows regular mode, and perform a scan with Malwarebytes Anti-Malware and HitmanPro
0
 

Author Comment

by:syssolut
ID: 40250083
As stated above, with any of the 3 Safe Mode choices, the computer reboots as it goes down the list of files that is shown when trying to access Safe Mode.
0
 
LVL 10

Expert Comment

by:Tom
ID: 40250097
OK, what's left is to boot from a Win/Linux boot CD and then do the scan.

Example:
http://www.knopper.net/knoppix/index-en.html

KNOPPIX is a bootable Live system on CD, DVD or USB flash drives, consisting of a representative collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals. KNOPPIX can be used as a productive Linux system for the desktop, educational CD, rescue system, or adapted and used as a platform for commercial software product demos. It is not necessary to install anything on a hard disk. Due to on-the-fly decompression, the CD can have up to 2 GB of executable software installed on it (over 9GB on the DVD "Maxi" edition).
0
 

Author Comment

by:syssolut
ID: 40250123
You mean scan with Malwarebytes and Hitman Pro after booting to Knoppix?
0
 
LVL 10

Expert Comment

by:Tom
ID: 40250128
Correct, the PC's hard disk will be mounted as a drive when booted from the CD. Make sure you copy out all files you absolutely need to a safe location (don't forget to scan them also).
0
 

Author Comment

by:syssolut
ID: 40250132
I have an older version of Knoppix loaded, and Malwarebytes downloaded to the desktop, but when I click on Mbam it asks me how I want to open the file. Not sure how to do this.
0
 
LVL 10

Expert Comment

by:Tom
ID: 40250158
OK, then start with HitmanPro:
http://www.selectrealsecurity.com/remove-ransomware

Remember, don't start to repair anything before you have tried to rescue important files.
0
 
LVL 10

Expert Comment

by:Tom
ID: 40250172
If the rescue of important files was successful, also weigh the time needed to clean this PC against reinstalling from scratch.
0
 

Author Comment

by:syssolut
ID: 40250180
I downloaded Hitman Pro kickstart to a USB, it went through the scan, but it didn't eliminate the ransomware.

The link you sent wants me to go to Safe Mode with Networking, but I cannot get into Safe Mode. Is there any way to make the infected drive a secondary drive on another computer and delete files to get rid of this? I know there is supposed to be a file called MigAutoPlay.exe, but I cannot locate it. Does this mean I need to format the drive and re-install everything?
0
 
LVL 20

Expert Comment

by:n2fc
ID: 40250191
A better step-by-step guide to using HitManPro to remove this virus is available here:
http://www.bleepingcomputer.com/virus-removal/remove-department-of-justice-ransomware

In the alternative, I would attach the hard drive as a slave on another (good) PC and delete the main virus exe file(s)...

It is usually located at: %CommonAppData%\MigAutoPlay.exe
and: %UserProfile%\Templates\syssecurity.exe

You can then delete the registry settings that attempt to load these files at boot time...
0
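For the "attach the drive as a slave" approach above, the following PowerShell script is an added example (not code from this thread or its participants) that inspects the offline XP drive from a clean PC instead of hunting by hand. It assumes the infected disk is mounted as D:, the XP "Documents and Settings" layout, and the two file paths n2fc named; it only reports what it finds and lists the autorun registry values so you can decide what to remove.

```powershell
# Added example: audit an offline XP system drive (assumed mounted as D:) for the
# DOJ lock-screen footprint. Run as Administrator on the clean host; reg.exe is
# used to mount the offline hives so nothing on the infected drive is executed.
param([string]$Drive = "D:")

$profiles = Join-Path $Drive "Documents and Settings"
$software = Join-Path $Drive "WINDOWS\system32\config\software"

# 1. Look for the payload files at the locations named in the thread (assumption:
#    %CommonAppData% and %UserProfile% resolve to the XP default folders).
$candidates = @((Join-Path $profiles "All Users\Application Data\MigAutoPlay.exe"))
foreach ($p in Get-ChildItem $profiles | Where-Object { $_.PSIsContainer }) {
    $candidates += Join-Path $p.FullName "Templates\syssecurity.exe"
}
foreach ($f in $candidates) {
    if (Test-Path $f) { Write-Host "FOUND: $f" -ForegroundColor Red }
}

# 2. Mount the offline SOFTWARE hive and dump machine-wide autorun points,
#    including Winlogon (its Shell/Userinit values are a common lock-screen hook).
reg load HKLM\OfflineSoft $software | Out-Null
$machineKeys = @(
    "HKLM:\OfflineSoft\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\OfflineSoft\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\OfflineSoft\Microsoft\Windows NT\CurrentVersion\Winlogon"
)
foreach ($k in $machineKeys) {
    if (Test-Path $k) {
        Write-Host "== $k"
        Get-ItemProperty $k | Select-Object * -ExcludeProperty PS* | Format-List
    }
}
reg unload HKLM\OfflineSoft | Out-Null

# 3. Repeat for each user's NTUSER.DAT: ccampbell15 notes the infection usually
#    affects one profile, so per-user Run keys are where it normally lives.
foreach ($p in Get-ChildItem $profiles | Where-Object { $_.PSIsContainer }) {
    $hive = Join-Path $p.FullName "NTUSER.DAT"
    if (-not (Test-Path $hive)) { continue }
    reg load HKU\OfflineUser $hive | Out-Null
    $run = "Registry::HKEY_USERS\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $run) {
        Write-Host "== Run entries for profile $($p.Name)"
        Get-ItemProperty $run | Select-Object * -ExcludeProperty PS* | Format-List
    }
    [gc]::Collect()   # release handles so the hive can be unloaded
    reg unload HKU\OfflineUser | Out-Null
}
```

Any value in those keys that points at the files found in step 1 (or at another executable under a profile folder) is the boot-time loader to remove; keep a copy of the hives before editing them.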
 
LVL 10

Accepted Solution

by:
Tom earned 2000 total points
ID: 40250467
The way I see it: as long as you have your files, the easiest way is to boot with the WinXP CD, format the drive and do a complete re-install.

Or better: try out Win 7.
0
 
LVL 2

Expert Comment

by:ccampbell15
ID: 40250512
If you attach that drive as a secondary to another PC you should be able to run Mbam against that drive. Mbam should catch it. Since you are running XP you may also want to try making a CD with Ultimate Boot CD
http://www.ultimatebootcd.com/download.html - it has a few AV programs on it that should clean up that PITA.

Also, it usually only affects 1 profile. If you have another profile on the PC you should be able to log in to that and clean things up.
0
 

Author Comment

by:syssolut
ID: 40253029
As I said, I tried multiple AV and anti-malware programs. I ran these programs from a startup rescue CD/USB or put the infected drive in a good working computer, but they did not catch the DOJ virus.
0
 

Author Closing Comment

by:syssolut
ID: 40253033
I re-installed Win XP after making a copy of files and it is working fine.
0