
Dept of Justice virus Ransomware Money Pak scam



A fake DOJ virus has blocked my computer and is demanding money. My screen only shows the DOJ site, and I'm unable to access anything else because it's locked. With an uninfected computer I created a HitmanPro Kickstart USB flash drive to boot the hostage computer from the USB. Although HitmanPro scanned and removed malicious files successfully, my computer is still locked and reverts to the DOJ screen.

The hostage computer uses Windows XP. Although I attempted to create a 32-bit version of HitmanPro, this was not possible since the uninfected computer is a Windows 8, 64-bit system. I believe Bleeping Computer stated a 64-bit flash drive can still be used. At this point, however, I'm left wondering if this is an outstanding issue.

Obviously, I'm unable to provide a current MBAM scan log.

Thank you and looking forward to your assistance,

moonshadow



Make and run the following:

Download Kaspersky Rescue Disk (iso)

  • Burn it to a CD or DVD; if you need a program to burn an ISO, use Active@ ISO Burner
  • Configure your computer to boot from CD/DVD

    Note: If you do not know how to set your computer to boot from CD/DVD, follow the steps here

  • Once you have the CD/DVD created, boot the computer up using it
  • Press any key to enter the menu
  • Select your language
  • Press 1 to accept the End User License Agreement
  • Select Kaspersky Rescue Disk. Graphic Mode
  • Click on the Start button located in the bottom left corner of the screen
  • Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by malware/viruses

    If you can't find Kaspersky WindowsUnlocker, go to Terminal instead > type windowsunlocker > choose 1 - Unlock Windows > Enter

  • When it's done, click on the Start button and start the Kaspersky Rescue Disk utility
  • Click on the My Update Center tab and press Start to download the latest update
  • Next, select the Object Scan tab
  • Put a check next to C:\ and any other local drives
  • Then click Start Objects Scan
  • Quarantine any malware found
  • Restart your computer and see if it boots up normally....

When booted back into Windows, navigate to Start > Computer > C:\Kaspersky Rescue Disk 10.0. Open the folder; inside is the log from the KRD run, named "ScanObject". Copy/paste that file into your reply.


Active@ ISO Burner 3.0 installation was completed, but I got the message: "Active@ ISO Image File Burning Software has stopped working. A problem caused program to stop working correctly. Windows will close program & notify you if solution is available."

It was in the process of scanning the system for CD/DVD devices (which I have). Later got a message from some computer diagnosis vendor noting problems with a driver on my Toshiba Satellite and soliciting diagnosis software. I'm stalled out here.

Went to the Kaspersky site and recorded Kaspersky Rescue Disk 10 onto a flash drive but could not boot my Dell laptop from USB. Thought it might work since I did this with HitmanPro (before going to the MBAM forum).

At this point, still stuck needing to burn a CD copy.

moonshadow


Thanks, the CD was burned easily and I scanned the infected computer (Windows XP). On the first scan, Kaspersky Rescue found one Java-related Trojan (didn't write down the name) and quarantined it. Upon restarting, however, the DOJ screen still showed up. I'm currently running a second scan. It's been running for 6-1/2 hours now and is only 49% complete. Indicates 6 hours scan time remaining.

I will update you, but do you have any thoughts in the meantime?

moonshadow


Yes. The Kaspersky Windows Unlocker option was not listed, so I went to Terminal and typed in > windowsunlocker, then chose 1. Now that you mention it, I'm not sure I did this BEFORE updating. Can't recall the sequence on both scans. As mentioned, KRD previously scanned and quarantined one Trojan on the first try.

I have 3 users on my system. Did I need to repeat windowsunlocker 3 times?

At this point, the 2nd scan is 77% complete with 4 hours remaining. It's been running 15 hours. Very extreme compared to the first scan.


After running 20 hours, the 2nd KRD scan detected no problems, but the DOJ screen still persists.

FYI, results from the 1st scan noted:

  • Quarantined tab: "Trojan Program HEUR Exploit Java Generic", c:\Documents and Settings\sshiigi\Application Data\Sun\Java\Deployment\Cache\6.0\41\bfb8829-49709915
  • Report tab: 6 lines showed "Detected: HEUR: Exploit.Java_Generic"; 3 lines showed "Untreated: HEUR: Exploit.Java_Generic", Reason "Postponed"


Run the following offline tool from MS. I give instructions for a USB stick; you can change to CD after accepting the agreement if that is a better option for you.

Download the tool from here: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save it to the Desktop.

You will have to select the correct version for your system, either 32- or 64-bit.

Run the tool; Windows 7 or Vista users right-click and select "Run as Administrator".

Read the instructions in the new window and select "Next".

In the new window accept the agreement.

In the new window select your USB flash drive, then select "Next".

In the new window ensure your flash drive is selected; if not, click on "Refresh", then select "Next".

In the new window accept the formatting alert by selecting "Next".

Files will be downloaded.

Files will be processed and created.

The flash drive will be formatted and prepared.

Files will be added to the flash drive and the tool will be created.

The procedure is finished and the tool created; click on "Finish" to complete.

Plug the USB into the sick PC and boot up. If it does not boot from the flash drive, change the boot options as required: use F12 as it boots and change the options...

As it boots you'll see files being loaded and the Windows splash screen; eventually the tool will run a "Quick Scan". Follow the prompts and deal with what it finds.

When complete, do a full scan and deal with what it finds.

When finished, remove the USB stick, then press the Esc key to boot into regular Windows.

Navigate to the following file:

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"

Open it with Notepad and copy and paste it into a reply.


DOJ screen still shows after restart. Windows Defender Offline Tool found and removed: Exploit:Java/CVE-2012-1723.

Alert Level: Severe. Status: Active. Recommended Action: Remove.

Container file: c:\Documents and Settings\sshiigi\Application Data\Sun\Java\Deployment\cache\6.0\27\7943689b-7d3aa969

The above path was repeated 3 times, followed each time by: >a.class, >i.class, >k.class.

http://go.microsoft.com/fwlink/?linkid=142185&name=Exploit:Java/CVE-2012-1723&threatid=2147659851


Follow the instructions here: http://www.wikihow.com/Get-Safe-Mode-in-Windows-XP and boot your system to Safe Mode with Networking....

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32-bit or 64-bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Post those logs...


Attempted System Restore using the link and the original Windows XP CD to boot the system. The Recovery Console was a blue screen with no way to type commands in BOLD as directed. Forged ahead with commands in standard text, which seemed to work as it progressed through the instructions as shown. The restore points were not listed as described (showing rp1, rp2, etc.) nor in chronological order. Not being able to select a restore point, I restarted, only to get "Access Denied" upon trying to bring it up again. Applied the alternative instructions provided for this event but only encountered the Access Denied message. I did have System Restore enabled on my system.

Having used the original XP CD, I was now curious about this site that touted the "Ultimate Boot CD" as the alternative if you don't have the XP CD. My attempt to download it was a nightmare, leading to automatic installation of a series of crap (irrelevant toolbars, financial software, a zip app that sold more crap, and pop-ups). Took a while to uninstall this miscellaneous junk and never got to burning the Ultimate Boot CD itself. Pretty bogus.

Ultimately, the final message on this site was:

"Unfortunately, this process is not a magic cure for every problem, and some systems will still refuse to boot all the way in to Windows. It will also only work if you had System Restore enabled in Windows. If this procedure doesn't work, then your next step is to reinstall Windows. If you do this, ensure that the setup recognises your previous installation and choose to repair it. If it does not continuing could lead to data loss."

Not sure I want to go there yet. Can FARBAR be run from CD or USB flash drive?


Yes, we can use FRST; it is only possible using UBCD. I see you've already had problems with a previous link. Install "UNCHECKY" first; this utility will help stop unwanted extras from free downloads...

http://unchecky.com/

The Unchecky utility and its site are clean and safe to install......

Next,

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

Stage 1

1. Download and run Ultimate Boot CD for Windows: http://www.ubcd4win.org/downloads.htm

  • Save it to your Desktop.
  • Double-click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.

    NOTES:

  • Do not install to a folder with spaces in its name.
  • Your anti-virus may report viruses or trojans when you extract UBCD4Win; these are "false positives". Read HERE for information regarding the files that normally trigger AV software.

2. Insert your XP CD with either SP1/SP2/SP3 into the CD-ROM drive

  • Double-click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builder's License.
  • Click NO to Search for Windows Installation Files

Make the following selections from the Main Screen that pops up:

Builder

Source: (path to Windows installation files)

  • Enter the path to the drive where your XP CD is located.
  • You can click on the "..." button on the right to navigate to the path as well.

Custom: (include files and folders from this directory)

  • No information is necessary; leave blank.

Output: (C:\ubcd4win\BartPE)

  • Keep the default BartPE

    Media output:

  • Choose Create ISO image
  • Do not choose Burn to CD/DVD

Please note: If your XP install disc is SP1 then please .....

  • Disable DComLaunch Service
  • Enable LargeIDE Fix

This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections.

Also note: If you have a Dell XP install disc you will need to follow the instructions here:

http://www.ubcd4win.com/faq.htm#dell

3. Click on the "Build" button

  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click Close, then Exit

4. Burn your ISO file to CD

    Please see Here on how to burn an ISO to CD.

=====================================

Stage 2

Next, from your clean computer:

Download Farbar Recovery Scan Tool and save it to your flash drive.

Now plug your flash drive back into your sick computer and follow the next instructions:

=====================================

Stage 3

1. Restart your sick computer using the UBCD4Win disc that you have created

  • Insert the UBCD4Win disc into one of your CD/DVD drives.
  • Restart your computer.
  • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.

  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
  • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
  • Click on Yes if you want to use the PE environment to get online, post your log and reply by way of an Ethernet connection.

You should now have a desktop that looks like this:

[screenshot of the UBCD4Win desktop]

===================================

Stage 4

  • Single-click My Computer from your UBCD4W desktop to navigate to the Farbar Recovery Scan Tool you saved to your flash drive.
  • Double-click on it to begin running the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive.

Please copy and paste the log to your next reply.

Thanks,

Kevin...


Why did this reply switch to plain text?

Installed Unchecky. Downloaded and ran UBCD4Win.exe. Inserted my Dell XP SP3 install disc and progressed through the Main Screen. Since I have a Dell XP install disc, clicked on the link provided above per instructions. Then got redirected to some junk site that froze everything. Restarted and tried to skip the link, but upon pressing "Build," the message showed Directory Does Not Exist. On the third try, tried the link again but got redirected again. Stopped here.


Apologies, I've not used those links for several years. OK, give the following a try; I've tried these links on my own PC and have no issues with them...

Try this please. You will need a USB drive and access to a clean computer:

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

  • Insert your USB drive
  • Press Start > My Computer > right-click your USB drive > choose Format > Quick format
  • Double-click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer; simply close the installer

Next,

Download http://noahdfear.net/downloads/rst.sh and save it to the USB drive.

  • Boot the sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see the rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Please note: If you have an Ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download, the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too, so you can send the logs that way.

Please also note: all text entries are case sensitive

Copy and paste the enum.log for my review....

Thanks,

Kevin...


Downloaded everything to USB, including rst.sh, and confirmed it was in the USB stick's memory. Upon booting the sick computer, expansion of mnt showed no USB (sdb1) to expand. I found sda1 after expanding mnt (not USB) but no rst.sh anywhere. Skipped to the next instruction, went to Terminal and typed bash rst.sh. Response was "No such file or directory." Stopped here.


Pressed File, Tools, Find Files and searched sd*. Had a few files with sdb1 with 0 bytes in the /dev or /cow/dev folders.

But I also saw sdb and sdb1 folders with long paths with 0 bytes. Both had the same path (with one exception). The sdb1 folder showed:

/sys/devices/pci0000:00/0000:00:1d.7/usb2/2-2/2-2:1.0/host6/target6:0:0:0/block/sdb/sdb1/subsystem/sdb1/subsystem/sdb1/subsystem
 ...

The sdb1/subsystem pattern kept going repeatedly.

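The xPUD steps above assume the stick is mounted at /mnt/sdb1, and the two replies that follow show what happens when it is not (the user found only sda1 under mnt, and `bash rst.sh` reported "No such file or directory"). The shell helper below is an added example, not part of the thread or of the rst.sh tool: it looks through every partition the live system mounted under the given root, runs the script from whichever one carries it, and lists what was mounted when nothing matches. The mount root /mnt and the file names rst.sh and enum.log come from the instructions; the function names and the constructed test layout are assumptions of this example.

```bash
#!/bin/sh
# Added example: find a script on whichever mounted partition carries it,
# instead of assuming the USB stick appears as /mnt/sdb1. Live systems such as
# xPUD mount detected partitions under /mnt/<device>, and the device letter
# depends on enumeration order, so the same stick may be sda1, sdc1, etc.

# find_mounted_file ROOT NAME
#   Prints the full path of NAME on the first partition mounted under ROOT
#   that has it at its top level (where a file saved to the root of the
#   stick would be). Returns 1 if no mounted partition contains it.
find_mounted_file() {
    root="${1:-/mnt}"      # /mnt is the mount root used by the thread's steps
    name="${2:-rst.sh}"    # rst.sh is the script the thread downloads
    for part in "$root"/*/; do
        [ -d "$part" ] || continue
        if [ -f "${part}${name}" ]; then
            printf '%s\n' "${part}${name}"
            return 0
        fi
    done
    return 1
}

# list_partitions ROOT
#   Prints the directory names under ROOT, i.e. the devices the live OS
#   mounted (the command-line equivalent of expanding "mnt" in the file view).
list_partitions() {
    root="${1:-/mnt}"
    for part in "$root"/*/; do
        if [ -d "$part" ]; then basename "$part"; fi
    done
    return 0
}

# run_script_from_usb ROOT NAME
#   Locates NAME and runs it with bash from its own directory, so a report it
#   writes beside itself (enum.log in the thread) lands on the same stick.
#   On failure, prints the partitions that were actually mounted so the user
#   can see which device the stick became, then returns 1.
run_script_from_usb() {
    script=$(find_mounted_file "$@") || {
        echo "no ${2:-rst.sh} found under ${1:-/mnt}; mounted partitions:" >&2
        list_partitions "${1:-/mnt}" >&2
        return 1
    }
    dir=$(dirname "$script")
    ( cd "$dir" && bash "$(basename "$script")" )
    echo "finished; look for the report in $dir"
}

# Usage on the live system (hypothetical session, not run here):
#   list_partitions /mnt
#   run_script_from_usb /mnt rst.sh
```

Running `list_partitions /mnt` first shows what the live OS actually mounted; if the stick is not in that list, the 0-byte sdb1 entries under /dev and /sys that the user found later are the kernel's device nodes and attributes, which show the hardware was detected but do not by themselves mean the partition was mounted. The endlessly repeating sdb1/subsystem path is consistent with the file search following the circular symlinks that sysfs uses (a partition's `subsystem` link points back to the block class, which links back to the partition), not with anything stored on the stick.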

It would seem that we are not making any progress whatsoever. One other possibility is a repair install, that is, installing the OS straight over the top. See if this works....

Repair install Windows XP

I don't want you to do a recovery or full install but a repair install, and see if that gets you up and running.

1. Place your XP CD in the tray and reboot; you should see the following image as it boots:

[screenshot: the Windows XP Setup "Press any key to boot from CD" prompt]

When the Press any key to boot from CD message is displayed on your screen, press a key to start your computer from the Windows XP CD. If you do not see that image you will have to change the boot order in the BIOS..

2. Press ENTER when you see the message To setup Windows XP now, and then press ENTER displayed on the Welcome to Setup screen.

3. Do NOT choose the option to press R to use the Recovery Console.

4. In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.

5. Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.

6. Follow the instructions on the screen to complete Setup.

This will install your OS over the top of the original. No data should be lost that way.

Kevin...


One item I wasn't clear on throughout this process was: should the hard drive always be checked so it kicks in last in the order? Or does the hard drive always kick in last automatically even when it's not checked?

There were times when I only checked one drive, USB or CD, depending on what we were doing. For instance, on the latest method, I just had USB checked. Could that be related to the problem overall?

What boot order do you want for this repair install? CD and hard drive, or just check default?


Whatever is at the top of the boot order in the BIOS dictates what is checked first. Let's say the order is CD > USB > HD.

At boot, if a bootable CD is in the tray you will be given the option to boot from the CD. If no CD is present, the next option is checked.

If the USB option is first there would have to be a USB device present with a bootable application installed; if not, the next option is checked.

So if no CD is present and no USB device is present, the HD would be checked and Windows would boot if the OS was present and not corrupt...

So for the repair/install to happen the CD option must be first in the boot order...

Does that make sense?

