Dept of Justice Ransomware infection

cman220

New Member
Thread author
Verified
Jun 25, 2013
23
As I noted above, attempted to run FRST scan, Dept of Justice screen blocked me.

I found identical issue on this forum at http://malwaretips.com/threads/your-computer-has-been-blocked-ransomware-infection.43606/

My system is Lenovo X120e laptop, System 7 professional. One BIG issue I have is I have not been able to recreate new reinstall system disks from this laptop. If needed, I will have to order from Lenovo, or go buy a new Windows system to install. I do have an external DVD drive for the laptop.
 

cman220

New Member
Thread author
Verified
Jun 25, 2013
23
Hello,


Did you try to run FRST from Safe Mode?
Ran from Safe Mode (networking off). Was on USB stick, 64 bit, right clicked to "run as administrator". Got a momentary dialog box saying something about not finding Drive E, then PC was locked up with Dept of Justice screen.
I did not try to copy FRST app to harddrive and then try to run. I can try that.
Thanks, Chad
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  • Plug the flash drive into the infected PC.
  • Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
  • Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
  • In the Choose Recovery Tool menu select Command Prompt.
  • You will see a big black window with a blinking cursor (command prompt).

    Access the notepad and identify your USB drive

    In the Command Prompt please type in:
    notepad
    and press Enter.
  • When the notepad opens, go to File menu.
  • Select Open.
  • Go to Computer and search there for your USB drive letter.
  • Note down the letter and close the notepad.

    Scan with Farbar Recovery Scan Tool

    Once back in the command prompt window, please do the following:
  • Type in e:\frst64.exe and press Enter.
    You need to replace e with the letter of your USB drive taken from notepad!
  • FRST will start to run. Give it a minute or so to load itself.
  • Click Yes to Disclaimer.
  • In the main console, please click Scan and wait.
  • When finished it will produce a logfile named FRST.txt in the root of your pendrive and display it. Close that logfile.

    Transfer it to your clean machine and include it in your next reply.
 

cman220

New Member
Thread author
Verified
Jun 25, 2013
23
Looks to have run OK. Dept of Justice screen came back up as FRST was running (after a minute or two of running). Looked at the FRST file, looks like it ran. See a file created that coincides with about when I shut down PC last night and that auto install sequence ran: 2015-03-25 22:34 - 2015-03-26 09:14 - 00000000 ___HD () C:\Users\Public\Documents\Report
 

Attachments

  • Addition.txt
    16.3 KB · Views: 23
  • FRST.txt
    48.1 KB · Views: 47
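
Added example (not part of the original posts, and not FRST's own code): a small Python triage pass over FRST file-listing lines of the kind quoted in the post above, flagging hidden entries with no company name that were created in user-writable folders near a given time. The field layout is inferred from that single quoted line; the folder list, the time window and every sample line other than the quoted one are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Field layout assumed from the one entry quoted in the thread:
# created - modified - size attributes (company) path
ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) ([_A-Z]+) \((.*?)\) ([A-Za-z]:\\.+)$"
)
# Assumption: folders that any user-level process can write to.
USER_WRITABLE = ("\\users\\public\\", "\\programdata\\", "\\appdata\\")
STAMP = "%Y-%m-%d %H:%M"

def parse_entry(line):
    """Return a dict for one file-listing line, or None for anything else."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, company, path = m.groups()
    return {"created": datetime.strptime(created, STAMP),
            "modified": datetime.strptime(modified, STAMP),
            "size": int(size), "attrs": attrs.replace("_", ""),
            "company": company, "path": path}

def suspicious(log_text, around, window=timedelta(hours=24)):
    """Paths that are hidden, carry no company name, sit in a user-writable
    folder and were created within `window` of `around`."""
    hits = []
    for entry in filter(None, map(parse_entry, log_text.splitlines())):
        if ("H" in entry["attrs"] and not entry["company"]
                and any(p in entry["path"].lower() for p in USER_WRITABLE)
                and abs(entry["created"] - around) <= window):
            hits.append(entry["path"])
    return hits

# First line is the entry quoted in the post; the others are constructed samples.
SAMPLE = r"""
2015-03-25 22:34 - 2015-03-26 09:14 - 00000000 ___HD () C:\Users\Public\Documents\Report
2015-03-20 10:02 - 2015-03-20 10:02 - 00012345 ____A (Constructed Vendor Inc.) C:\Program Files\Example\tool.exe
2015-03-25 21:50 - 2015-03-25 21:50 - 00000000 ____D () C:\Users\Public\Documents\Notes
2014-11-02 08:15 - 2014-11-02 08:15 - 00000000 ___HD () C:\ProgramData\OldCache
==================== constructed separator line ====================
"""

def demo():
    # Reference time: roughly when the poster says the PC was shut down.
    return suspicious(SAMPLE, datetime(2015, 3, 25, 22, 30))

if __name__ == "__main__":
    for path in demo():
        print("review:", path)
```

A hit is only a pointer for manual review of the full FRST.txt, not a verdict that the entry is malicious.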

cman220

New Member
Thread author
Verified
Jun 25, 2013
23
I ran from recovery mode command prompt as per your instructions. The Dept of Justice screen appeared while FRST was running. I will rerun and I will wait at least 5 minutes before I perform command/alt/del to get to a restart screen, assuming Dept of Justice screen reappears during FRST operation. Once Dept of Justice screen appears, only thing I seem to be able to do is command/alt/del.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
No, you didn't enter recovery mode because there is no virus that can be active in recovery mode. You probably entered Safe Mode with Command Prompt or something like that. Follow my instructions carefully.
 

cman220

New Member
Thread author
Verified
Jun 25, 2013
23
Dept Justice screen appeared to have blocked. My steps:
1) download combofix to usb
2) usb to infected laptop
3) boot in safe mode with command prompt
4) run combofix
5) click OK to initial accept disclaimer screen
6) Dept Justice screen appears at this point
7) leave untouched about 20 minutes to allow combofix to possibly run in background
8) shut down, transfer USB on clean desktop PC, no log files present
 

cman220

New Member
Thread author
Verified
Jun 25, 2013
23
Hi TwinHeadedEagle...got something new for me to try? Safe mode with command prompt didn't work sir.
 

cman220

New Member
Thread author
Verified
Jun 25, 2013
23
Also tried running combofix from Repair Your Computer/Command Prompt. Said subsystem to support the image type is not present. Tried both g:\combofix and g:\combofix.exe
Thanks
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
No, you cannot run ComboFix from Recovery Environment. I am looking into your issue now; this seems to be a very new infection, I don't see where it is hiding.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Download attached fixlist.txt and save it to your USB flash drive as fixlist.txt

>> Boot into Recovery Environment


Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your USB flash drive.


>> Exit out of Recovery Environment and post me the log please.



Try to boot Windows normally...
 

Attachments

  • fixlist.txt
    509 bytes · Views: 22

cman220

New Member
Thread author
Verified
Jun 25, 2013
23
Attached fixlog. Booted Windows normally. Still infected as originally reported. Thanks
 

Attachments

  • Fixlog.txt
    1.4 KB · Views: 26
