DOJ Virus, Malwarebytes Not Helping

[tommyboy611]

I've been trying to clear the DOJ virus off of my computer for two days now. It is the widespread scam, where I cannot use the Normal Mode of my main account and the frame asks me to use Moneypak to give the "DOJ" $300 to free my computer. Used Malwarebytes and Hitman Pro to no avail. All Safe Modes are still available to use... for now. Thank you for any help that you can give, it is invaluable.

 

[kuttus]

Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:

• I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine!
• The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Refrain from running self fixes as this will hinder the malware removal process.
• It may prove beneficial if you print of the following instructions or save them to notepad as I post them.

Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
<hr />

STEP 1: Run the below OTL fix
<ol><li>Start <>OTL.exe</></li>
<li>Copy/paste the following text written <>inside of the code box</> into the <>Custom Scans/Fixes</> box located at the bottom of OTL

:OTL

[2010/05/31 01:50:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2013/07/14 12:57:07 | 000,317,252 | ---- | M] () (No name found) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\c989w03a.default\extensio​ns\artur.dubovoy@gmail.com.xpi
[2013/05/29 11:19:16 | 000,003,983 | ---- | M] () (No name found) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\c989w03a.default\extensio​ns\{976ce39e-c834-11e2-8275-b8ac6f996f26}.xpi
[2012/06/30 16:41:49 | 000,634,964 | ---- | M] () (No name found) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\c989w03a.default\extensio​ns\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B0198E5B-ADF6-48BD-B346-60EB21698353}: NameServer = 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.24​7.20,156.154.70.1,156.154.71.1
[2013/07/07 20:32:32 | 000,001,356 | ---- | M] () -- C:\Users\Ryan\AppData\Local\d3d9caps.dat
[2013/07/09 20:49:35 | 000,168,960 | ---- | M] () -- C:\Users\Ryan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/10/10 18:58:25 | 000,000,064 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\wklnhst.dat
[2012/09/28 14:50:13 | 000,000,092 | ---- | C] () -- C:\Users\Ryan\AppData\Local\fusioncache.dat
[2011/12/23 22:30:00 | 000,000,000 | ---- | C] () -- C:\Users\Ryan\AppData\Local\{73229A5D-69C0-424C-8A99-169F573B226D}
[2011/01/06 15:39:16 | 000,000,120 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\ae0a123a.dat
[2010/09/25 22:40:18 | 000,000,026 | -H-- | C] () -- C:\ProgramData\.811261211181235583101118113995
[2010/06/23 15:38:30 | 000,001,890 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/06/23 15:38:30 | 000,000,088 | RHS- | C] () -- C:\ProgramData\F7FDD199E2.sys
[2010/06/01 00:25:58 | 000,168,960 | ---- | C] () -- C:\Users\Ryan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/25 18:17:56 | 000,001,356 | ---- | C] () -- C:\Users\Ryan\AppData\Local\d3d9caps.dat
[2010/05/25 17:58:12 | 000,000,552 | ---- | C] () -- C:\Users\Ryan\AppData\Local\d3d8caps.dat
@Alternate Data Stream - 85 bytes -> C:\ProgramData:$SS_DESCRIPTOR_LVVWVBGV0VFBTLX4D06YH7LVUTPXGJMBKE1R0WT1VH7E24F7PH​CTVF4VMVFVVX4VM


:commands
[emptytemp]
[reboot]

<>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system</></li>
<li>Then click the <>Run Fix</> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>

<hr />

---

After this scan try to boot the computer in Normal mode. If you are still getting the FBI pop up you let me know......

 

[tommyboy611]

Actually, after I posted last night, I ran Rogue Killer. This seemed to clean it up. The screen does not pop up and my computer seems to be running fine. Is there any scans you recommend to make sure it is clear? Should I run the code in OTL anyway?

 

[kuttus]

Sure. Please run the OTL Scan and update me the Log Files.