cannot unlock taskbar or make changes in Start menu properties

[omegatx]

(Win 7 - 64) I recently was hit with the DOJ "computer locked" hack. I followed the u-tube video instructions and restored my PC to an earlier date. This solved the issue, everything is back to normal, except I cannot make changes to the Start Menu props or unlock the Task Bar. I also ran the MalwareBytes program which removed three instances of malware. Also ran a Vipre deep scan.

I have checked the registry section regarding keys which might be locking these items, but found none. Would appreciate any ideas regarding how to approach this issue. Would creating another user account help? I thought about creating another account, signing out and signing in under that account. Would that boot Win 7 back to the default settings for the Start Menu and Task Bar? (so I could change them?)

Thanks for any ideas.

 

[cottonball]

omegatx,

Some policy was probably set by the ransomware.

Let's see what we can find...

Please download SystemLook:
http://jpshortstuff.247fixes.com/SystemLook.exe
Save to the Desktop

Right-click SystemLook.exe and select: Run as Administrator

Copy the content inside the following quote box into the open field:

:reg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Click the Look button to start the scan.

When finished, a Notepad window opens with the results of the scan.

Please post the SystemLook.txt in your reply.


~~~~
Next,

Let's see what your system shows with the following short scan...



Please download RogueKiller:
Tlcharger RogueKiller (Site Officiel)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement:

Select the version for your system: 64-bit (button with x64)
Click the applicable dark-blue button to download.

Save to the Desktop.



Close all windows and browsers.
Right-click the downloaded file and select: Run as Administrator


At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished)


Press: SCAN



When done, a report opens on the Desktop: RKreport.txt



Please provide the RKreport.txt (Mode: Scan) in your reply.


~~~~
Also, which YouTube video did you follow?
Knowing this may help solve the puzzle. Some of the guidance seems to vary among the videos.

 

[omegatx]

More info re: Locked desktop issues

OK, quite a lot to report. Ran both apps. The results are attached.

1 txt report file from the Look app

1 txt report file from the Rogue Killer app

1 txt file from the Rogue Killer app that was located in a quarantine folder (quarantine report)

No items were deleted. The Killer app was closed after the final scan.

Thanks for any advice... Paul...
---

 

[omegatx]

Sorry, forgot to give you the utube video link...
How to Remove the Department of Justice Virus - YouTube

 

[cottonball]

Please run RogueKiller once again:

Close all windows and browsers.
Right-click RogueKiller and select: Run as Administrator

Wait until the Prescan finishes
The Status box shows: PreScan Finished

Press: Scan

When done, on the right, click: Delete

Wait until the Status box shows: Deleting Finished

Click on Report and provide the content of the new Rkreport (Mode: Remove) in your reply.


Restart the computer, and see if you can work with the TaskBar and the Start Menu.

 

[omegatx]

OK, ran the app. The report is attached. However, after booting the following happened:

My desktop icons were now back and in the order I had before the hack.
I still cannot control the start menu or task bar

Any other thoughts?

 

[cottonball]

Let's see if we can fish for the last Registry key in the previous post. It seems rather strange that SystemLook cannot find it.

Please go to Start > All Programs > Accessories, right-click the Command Prompt, and select: Run as Administrator

At the blinking cursor of the Command Prompt, Paste the following text inside the quote box below:

regedit /e C:\advanced.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

When done, go to Start, and in the Search programs and files box above, type in: advanced

The file should appear in the Files results above.

Right-click > Open, and post the results in you reply.

 

[cottonball]

omegatx,

Is the drive P:\ one that had XP on it at one time, or, is this a dual boot system?

Also, let's see if there is anything that prevents the loading of the Registry key.
The Event Viewer Tool (VEW) by Vino Rosso is free and can help look at system event logs for information that may be pertinent...

Please download VEW:
http://images.malwareremoval.com/vino/VEW.exe
Save to the Desktop

Right-click the icon on the Desktop (VEW.exe), and select: Run as Administrator
Click Allow at the User Account Control (UAC) prompt.

At the VEW program console:
In the Select log to query section, check:
Application
System

In the Select type to list section, check:
Critical (not XP)
Error
Warning

In the Number or date of events section, check: Number of events
Type 20 in the 1 -20 box

Now, press the Run button.

A Notepad report opens on the Desktop when done.

Please provide the report contents in your reply.
(If too large, please attach.)
　

 

[omegatx]

Got 2 replies from you. I assume I should do them in the order of posting?

Will report back. BTW, the P drive is an external drive (back up)

 

[omegatx]

locked issue

Let's see if we can fish for the last Registry key in the previous post. It seems rather strange that SystemLook cannot find it.

Please go to Start > All Programs > Accessories, right-click the Command Prompt, and select: Run as Administrator

At the blinking cursor of the Command Prompt, Paste the following text inside the quote box below:

regedit /e C:\advanced.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

When done, go to Start, and in the Search programs and files box above, type in: advanced

The file should appear in the Files results above.

Right-click > Open, and post the results in you reply.

Sorry, but your instructions did not work. When I pasted the text command into the characters ^V appeared next to the prompt. (also was I supposed to hit return?) When I place the word advanced into the search box, all I saw were links to help and documents? Sorry, I must be missing something here. I will attempt to negotiate your later post instructions... Thanks for continuing to offer suggestions... Paul...

 

[cottonball]

On Post #7...

The ^V appears if you use the keyboard to copy/paste.

Highlite the text inside the quote box.
Right-click and select: Copy

At the Command Prompt's blinking cursor. click there, then right-click and Paste.

Using the keyboard to copy/paste at the Command Prompt does not achieve the desired results.

 

[omegatx]

omegatx,

Is the drive P:\ one that had XP on it at one time, or, is this a dual boot system?

Also, let's see if there is anything that prevents the loading of the Registry key.
The Event Viewer Tool (VEW) by Vino Rosso is free and can help look at system event logs for information that may be pertinent...

Please download VEW:
http://images.malwareremoval.com/vino/VEW.exe
Save to the Desktop

Right-click the icon on the Desktop (VEW.exe), and select: Run as Administrator
Click Allow at the User Account Control (UAC) prompt.

At the VEW program console:
In the Select log to query section, check:
Application
System

In the Select type to list section, check:
Critical (not XP)
Error
Warning

In the Number or date of events section, check: Number of events
Type 20 in the 1 -20 box

Now, press the Run button.

A Notepad report opens on the Desktop when done.

Please provide the report contents in your reply.
(If too large, please attach.)
　

OK, I ran VEW. The file is attached. BTW, just wanted to let you know, I subscribe to Carbonite. After getting my PC to boot, the carbonote would not function, so no further backups were done. Since I have re-installed the app, but have frozen the BU until all these issues are resolved. Not sure carbonite would have backed up any files that would solve our issue. Also since I performed a restore from Feb 16th, not sure if the later carbonite files would conflict? Just wanted you to know more background...

 

[omegatx]

On Post #7...

The ^V appears if you use the keyboard to copy/paste.

Highlite the text inside the quote box.
Right-click and select: Copy

At the Command Prompt's blinking cursor. click there, then right-click and Paste.

Using the keyboard to copy/paste at the Command Prompt does not achieve the desired results.

OK, just a couple quick clarifications. I can perform the copy/paste now. But should I send the paste as a command (enter key) or just leave it next to the prompt? I did not click the enter key and performed the search. The search did bring up a doc with the name advanced, which appears to be an xml file?

Thanks for clarifying...

 

[Jacee]

1542 Source: Microsoft-Windows-User Profiles Service <-- this indicates the user profile is corrupt.

This may work to get your computer back: Event id 1542, User Profile Service and Missing Classes Root Key

If not, stay tuned in for more instructions from cottonball.

 

[cottonball]

@omegatx,

Paste the Registry key info by the blinking cursor of the Command Prompt, and press Enter.

Only took a glance at the VEW report. Oh boy!!
Will look at it later. Need to run some errands.

However, do follow Jacee's instructions.

@Jacee,

Thanks!

 

[omegatx]

@omegatx,

Paste the Registry key info by the blinking cursor of the Command Prompt, and press Enter.

Haven't looked at the VEW report yet. Will do so later. Need to run some errands.

@Jacee,

Thanks!

OK, I completed the command prompt paste and executed the command. I also peformed the "advanced" search. I opened a file called advanced.xml. Is that the correct file? That file is more than the forum limit for text (20000). xml files are not allowed to be attached. I can ftp the file or email it if you wish, just need info. Thanks...

 

[cottonball]

omegatx,

Advanced.xml is not it.
The advanced.reg file is nothing more than a short text file with some information on the Registry key
querried.

After looking at the Event Log, you had issues back to 3Feb13, and possibly long before that, since the VEW only looks at the past 20 days.

The malware did quite a job on that system, and the video used did not alert or engage in any damage recovery hints.

Event Viewer points to a corrupted user profile, as Jacee mentioned.

To this effect, let's see if we can do some more searching in the Registry...

Please go back to Post #2, and use SystemLook with the following:

:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

Please post the SystemLook.txt in your reply.

 

[cottonball]

Also, please go to Start, and in the search box above, type in (or copy/paste): UsrClass.dat

Does it appear on the list of Files above the search box?

If it does, place the mouse cursor over the file, and it will show the path of UsrClass.dat

It should show C:\Users\Paul Christensen\AppData\Local\Microsoft\Windows\UsrClass.dat

Please confirm whether UsrClass.dat is found or not.

 

[omegatx]

omegatx,

Advanced.xml is not it.
The advanced.reg file is nothing more than a short text file with some information on the Registry key
querried.

After looking at the Event Log, you had issues back to 3Feb13, and possibly long before that, since the VEW only looks at the past 20 days.

The malware did quite a job on that system, and the video used did not alert or engage in any damage recovery hints.

Event Viewer points to a corrupted user profile, as Jacee mentioned.

To this effect, let's see if we can do some more searching in the Registry...

Please go back to Post #2, and use SystemLook with the following:

:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

Please post the SystemLook.txt in your reply.

OK, here are the contents of that text file:

SystemLook 30.07.11 by jpshortstuff
Log created at 06:15 on 03/03/2013 by Paul Christensen
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist]
"\REGISTRY\MACHINE\HARDWARE"=""
"\REGISTRY\MACHINE\BCD00000000"="\Device\HarddiskVolume2\Boot\BCD"
"\REGISTRY\MACHINE\SYSTEM"="\Device\HarddiskVolume3\WINDOWS\System32\config\system"
"\REGISTRY\MACHINE\SOFTWARE"="\Device\HarddiskVolume3\WINDOWS\System32\config\software"
"\REGISTRY\USER\.DEFAULT"="\Device\HarddiskVolume3\WINDOWS\System32\config\default"
"\REGISTRY\MACHINE\SECURITY"="\Device\HarddiskVolume3\WINDOWS\System32\config\security"
"\REGISTRY\MACHINE\SAM"="\Device\HarddiskVolume3\WINDOWS\System32\config\sam"
"\REGISTRY\USER\S-1-5-20"="\Device\HarddiskVolume3\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat"
"\REGISTRY\USER\S-1-5-19"="\Device\HarddiskVolume3\WINDOWS\ServiceProfiles\LocalService\ntuser.dat"
"\Registry\User\S-1-5-21-2542295906-685563110-2760403507-1000"="\Device\HarddiskVolume3\Users\Paul Christensen\ntuser.dat"


-= EOF =-

 

[omegatx]

Also, please go to Start, and in the search box above, type in (or copy/paste): UsrClass.dat

Does it appear on the list of Files above the search box?

If it does, place the mouse cursor over the file, and it will show the path of UsrClass.dat

It should show C:\Users\Paul Christensen\AppData\Local\Microsoft\Windows\UsrClass.dat

Please confirm whether UsrClass.dat is found or not.

Not found... Obviously I also cannot look for it with any file mgr since I cannot set hidden file to be viewed.