syssolut asked:
Cannot delete Department of Justice virus

Have an XP Pro machine that has the DOJ virus when it boots. I cannot do anything in production mode because as soon as I sign in the virus takes up the whole page. When I try to go to Safe Mode, the computer reboots before the sign-in page appears. I have run Kaspersky Rescue CD, Malwarebytes, Hitman Pro Kickstart, Avira Rescue CD and SUPERAntiSpyware. Nothing worked. Any ideas?
Tom:
Boot PC - Press F8
Select: Safe Mode with Command Prompt
Type: C:\windows\system32\restore\rstrui.exe

System Restore should start, and you will see a list of restore points. Try using a restore point created just before the date and time the Department of Justice lock screen virus has infected your computer.

When System Restore has completed its task, start your computer in Windows regular mode, and perform a scan with Malwarebytes Anti-Malware and HitmanPro.
syssolut (asker):

As stated above, with any of the 3 Safe Mode choices the computer reboots as it goes down the list of files that show when trying to access Safe Mode.
OK, what's left is to boot from a Win/Linux boot CD and then do the scan.

Example:
http://www.knopper.net/knoppix/index-en.html

KNOPPIX is a bootable Live system on CD, DVD or USB flash drives, consisting of a representative collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals. KNOPPIX can be used as a productive Linux system for the desktop, educational CD, rescue system, or adapted and used as a platform for commercial software product demos. It is not necessary to install anything on a hard disk. Due to on-the-fly decompression, the CD can have up to 2 GB of executable software installed on it (over 9GB on the DVD "Maxi" edition).
You mean scan with Malwarebytes and Hitman Pro after booting to Knoppix?
Correct, the PC's hard disk will be mounted as a drive when booted from the CD. Make sure you copy out all files you absolutely need to a safe location (don't forget to scan them also).
I have an older version of Knoppix loaded, and Malwarebytes downloaded to the desktop, but when I click on Mbam, it is asking me how I want to open the file? Not sure how to do this.
OK, then start with HitmanPro:
http://www.selectrealsecurity.com/remove-ransomware

Remember, don't start to repair anything before you have tried to rescue important files.
If rescue of important files was successful, consider also the time needed to clean this PC against reinstalling from scratch.
I downloaded Hitman Pro Kickstart to a USB; it went through the scan, but it didn't eliminate the ransomware.

The link you sent wants me to go to Safe Mode with Networking, but I cannot get into Safe Mode. Is there any way to make the infected drive a secondary drive on another computer and delete files to get rid of this? I know there is supposed to be a file called MigAutoPlay.exe, but I cannot locate it. Does this mean I need to format the drive and re-install everything?
n2fc:
A better step-by-step guide to using HitManPro to remove this virus is available here:
http://www.bleepingcomputer.com/virus-removal/remove-department-of-justice-ransomware

In the alternative, I would attach the hard drive as a slave on another (good) PC and delete the main virus exe file(s)...

It is usually located at: %CommonAppData%\MigAutoPlay.exe
and: %UserProfile%\Templates\syssecurity.exe

You can then delete the registry settings that attempt to load these files at boot time...
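As an added example (not code from any poster in this thread), a Python triage script for the first half of the procedure above, run against the slaved XP disk from the good PC or a Linux live system: it translates %CommonAppData% and %UserProfile% to their on-disk XP locations for every profile, reports the two named files with hashes instead of deleting them, and lists the registry hives whose Run values need review. The mount point, profile names (Alice, Bob) and placeholder file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Offline-mount equivalents of the XP-era variables named in the thread:
# %CommonAppData% -> Documents and Settings\All Users\Application Data
# %UserProfile%   -> Documents and Settings\<each profile directory>
PROFILES = "Documents and Settings"
COMMON_APPDATA = f"{PROFILES}/All Users/Application Data"


def find_indicator_files(volume_root):
    """Return (relative path, sha256) for each indicator file present on the
    slaved volume. Report only; deleting is left to the operator."""
    root = Path(volume_root)
    candidates = [root / COMMON_APPDATA / "MigAutoPlay.exe"]
    profiles = root / PROFILES
    if profiles.is_dir():  # %UserProfile% differs per account, so check them all
        candidates += [p / "Templates" / "syssecurity.exe" for p in sorted(profiles.iterdir())]
    hits = []
    for path in candidates:
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            hits.append((path.relative_to(root).as_posix(), digest))
    return hits


def hive_files_to_review(volume_root):
    """Hives holding the Run values that start the dropped files: each profile's
    NTUSER.DAT (HKCU) and the SOFTWARE hive (HKLM); open them with an offline tool."""
    root = Path(volume_root)
    hives = [root / "WINDOWS/system32/config/software"]
    profiles = root / PROFILES
    if profiles.is_dir():
        hives += [p / "NTUSER.DAT" for p in sorted(profiles.iterdir())]
    return [h.relative_to(root).as_posix() for h in hives if h.is_file()]


def build_sample_volume(base=None):
    """Constructed stand-in for a slaved XP disk: one infected profile (Alice),
    one clean one (Bob). The 'executables' are harmless placeholder bytes."""
    root = Path(base or tempfile.mkdtemp(prefix="xp_volume_"))
    for rel in (f"{COMMON_APPDATA}/MigAutoPlay.exe",
                f"{PROFILES}/Alice/Templates/syssecurity.exe",
                f"{PROFILES}/Alice/NTUSER.DAT", f"{PROFILES}/Bob/NTUSER.DAT",
                "WINDOWS/system32/config/software"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"CONSTRUCTED PLACEHOLDER, not real content")
    return root
```

Point `find_indicator_files` and `hive_files_to_review` at the real mount point (for example `D:\` or `/mnt/xp`) to get the same report for the infected disk; the hashes let you confirm what was removed afterwards.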
ASKER CERTIFIED SOLUTION by Tom (solution text only available to Experts Exchange members)
ccampbell15:
If you attach that drive as a secondary to another PC you should be able to run Mbam against that drive. Mbam should catch it. Since you are running XP you may also want to try making a CD with Ultimate Boot CD
http://www.ultimatebootcd.com/download.html - it has a few AV programs on it that should clean up that PITA.

Also, it usually only affects 1 profile. If you have another profile on the PC you should be able to log in to that and clean things up.
As I said, I tried multiple AV and anti-malware programs. I ran these programs as a startup rescue CD/USB or put the infected drive in a good working computer, but they did not catch the DOJ virus.
I re-installed Win XP after making a copy of files and it is working fine.