"Department of Justice" Ransomware Saga

mrwhoopee

Level 1
Thread author
Mar 7, 2014
7
I was recently presented with a DOJ ransomware infection by a new client. It looked like previous infections I have seen, which I have removed in relatively short order. This one was different! The system had Windows Vista and 1 GB RAM :eek:. I first booted into Safe Mode, no luck, there it was. Then Safe Mode with Command Prompt. The lock screen did not appear until I tried to run a scanner or load Explorer, then I was locked out again. From a command prompt I ran System Restore back to well before the infection arrived. No joy. I booted with a utility boot disk (which shall remain nameless) and ran Malwarebytes, which found and removed some files. SuperAntispyware (both full and portable) kicked a BSOD. Ran every scan on 2 different utility boot discs. Removed the hard drive and connected it to a clean machine. Scanned with Avast, Malwarebytes and so many tools I can't even remember. Avast found and removed 55 infected files, HitmanPro found another dozen or so, etc. etc. I researched every cure I could find. I tried TDSSKiller, Malwarebytes Rootkit Remover, and on and on and on. Trend Micro HouseCall found nothing, as did SAS (after the others had done their thing). HijackThis revealed nothing. I put the HD back in its machine; the curse was still there. I booted again into Safe Mode with Command Prompt, brought up the Task Manager and watched for something unusual to show up. Started Explorer and kept watching Task Manager. The curse showed up before I could see anything in Task Manager. You get the idea. My wife said I'm like a dog with a bone. Unfortunately, I didn't have the time to start a thread here and let the experts have their way. I ultimately wiped the HD and installed Win7, which, at least, was an improvement over Vista.
I've been repairing computers professionally for almost 15 years; this is the first time I have been absolutely beaten. I probably spent 10 hours on this infection, only to be defeated.

I posted this to let others know, there's a new variation on the prowl, and it's a b****h!!!
 

Theguywholikesbetas

Level 2
Verified
Feb 23, 2014
63
My recommendation is: if the scanners pick up unusual files, save the sample and post it here and to VirusTotal so the AV companies can detect the issues faster.
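As an added example (not code from the thread or from any poster), here is a small Python helper for the triage step described above: it fingerprints files a scanner has flagged so their SHA-256/MD5 hashes can be looked up on VirusTotal or posted in a thread before anything is uploaded, and records files that are missing (e.g. already quarantined) instead of failing. File names and the demo content are constructed for illustration.

```python
"""Fingerprint scanner-flagged files before sharing them (added example).

Computes SHA-256 and MD5 for each candidate file so the hashes can be
searched on VirusTotal without uploading anything, and builds a small
JSON-serialisable manifest suitable for pasting into a forum post.
"""
import hashlib
import json
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large files are not loaded into memory


def hash_bytes(data):
    """Return (sha256, md5) hex digests of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def hash_file(path):
    """Return (sha256, md5) hex digests of the file at ``path``, streamed."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            sha256.update(block)
            md5.update(block)
    return sha256.hexdigest(), md5.hexdigest()


def build_manifest(paths):
    """Describe each sample: name, size and hashes.

    A path that no longer exists (already quarantined or deleted) is
    recorded with an ``error`` field rather than aborting the whole run.
    """
    manifest = []
    for p in map(Path, paths):
        entry = {"file": p.name, "path": str(p)}
        if not p.is_file():
            entry["error"] = "not found"
        else:
            entry["size"] = p.stat().st_size
            entry["sha256"], entry["md5"] = hash_file(p)
        manifest.append(entry)
    return manifest


def write_manifest(manifest, out_path):
    """Write the manifest as JSON and return the output path."""
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return out_path


if __name__ == "__main__":
    import sys
    import tempfile

    if len(sys.argv) > 1:
        targets = sys.argv[1:]  # e.g. paths copied from the scanner log
    else:
        # Constructed demo input: a throwaway file, not a real sample.
        demo = Path(tempfile.mkdtemp()) / "constructed_sample.bin"
        demo.write_bytes(b"constructed sample, not malware\n")
        targets = [demo, "no_such_file.bin"]
    for entry in build_manifest(targets):
        print(json.dumps(entry))
```

Run it as `python fingerprint.py <file> [<file> ...]` on the paths listed in the scanner log; the SHA-256 values can then be searched on VirusTotal, and only samples with no existing detection need to be uploaded.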
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Any idea on what type of infection it was: Reveton, Urausy .. etc? I would have surely thought that you would manage to clean it with a bootable CD....
I have seen a few samples of trojan ransomware, I just might start testing them again after reading this.. Thank you for sharing your experience..
 

Theguywholikesbetas

Level 2
Verified
Feb 23, 2014
63
Any idea on what type of infection it was: Reveton, Urausy .. etc? I would have surely thought that you would manage to clean it with a bootable CD....
I have seen a few samples of trojan ransomware, I just might start testing them again after reading this.. Thank you for sharing your experience..
It could've been LinkUp, since when he tried to access IE it opened the ransomware file also.
 

mrwhoopee

Level 1
Thread author
Mar 7, 2014
7
Any idea on what type of infection it was: Reveton, Urausy .. etc? I would have surely thought that you would manage to clean it with a bootable CD....
I have seen a few samples of trojan ransomware, I just might start testing them again after reading this.. Thank you for sharing your experience..

I'm afraid I'm not up on all the possible infections and am more concerned with removing them in a timely fashion.

Here is a screenshot of the Avast scan log.
Screenshot 2014-03-08 04.27.22.png


Apparently I misremembered the number of files detected.
This scan was run with the drive plugged into a clean machine. I missed quarantining the last item, but picked it up on a second scan. Of course, removal of these infected files did not cure the problem. I was never able to get a bead on the actual culprit. This machine was "protected" by McAfee, as is the one I am currently trying to clean. Go figure!
 
