ICE Malware Removal


Hello, could I please get some help in removing this malware? It would be greatly appreciated.

  • ICE has locked my C drive. I still have access to the slave and a remote.
  • In order to get online I have switched the slave to master, but I know I need to switch back to repair.
  • I have tried all 3 safe mode repair options to no avail. I can't slow the malware down enough to type even one word.
  • I made a boot copy on a CD but nothing happens when I try to run it, but I am only inserting it because I can't open a control window.
  • That is where it is at ;(

Possibly to make matters worse, I reformatted my slave drive thinking it was backed up by my Norton as I had requested... but didn't check. I reformatted to install XP because this is the only computer I have running now. Well, XP installed just perfectly but I lost a lot of work data, in part because Norton reinstalled virus protection. I ran one recovery program and saw bits & pieces of info. I'm saying all this because, if possible, I hope to get some of the data back, but getting the malware off is the #1 priority.

 

The computer is a Dell 2003 desktop running XP.

 

Thank you for your time.

Link to post
Share on other sites


Thank you for your reply. I think I have already made that disk but had trouble getting it to run. Please note: I am able to communicate on this forum because I have switched my C (master) and F (slave) drives. Am I correct that in order to rid the drive of malware it needs to be in the master position, meaning I would switch the drives back to the way they were when I got the malware?

Link to post
Share on other sites

Nothing, it doesn't even begin to spin, which it does do when I have the drives the other way. Maybe I should try again.

Is there a sequence, or can the CD go in the ROM prior to powering up?


Yes, put the CD in and reboot the computer...it should now boot to the CD.

Does it help if I tap F8 while the CD tries to run, or should it be left to do its thing solo?

If it doesn't boot to the CD, you can try that to bring up the boot menu.

MrC

Link to post
Share on other sites

Really???? I wasn't sure about that. And likewise, aren't you supposed to be helping me with that? I feel like I'm pulling teeth here day after day. Is this a fun joke to you, or do you like being condescending? Why couldn't you give me something to use, like why doesn't your link work?? I'm suffering here, my computer is broken, I can't do business, I've lost files and you aren't helping. Give me something I can use or I'm outta here.

Link to post
Share on other sites

Really???? I wasn't sure about that. And likewise, aren't you supposed to be helping me with that? I feel like I'm pulling teeth here day after day. Is this a fun joke to you, or do you like being condescending?

I've answered all of your replies almost immediately. You're swapping drives in the computer so I assume you have some computer knowledge. I haven't been condescending to you.

Why couldn't you give me something to use, like why doesn't your link work??

What link doesn't work? (first I've heard of this)

I'm suffering here, my computer is broken, I can't do business, I've lost files and you aren't helping.

As I said, you have to get the computer to boot off the CD or even a USB flash drive; not having the computer in front of me, it's hard to say why it won't boot off the CD. Have you tried the CD in another computer??

Give me something I can use or I'm outta here.

Whatever you want to do.

Link to post
Share on other sites

OK so the CD finally ran and opened a window, then it just about finished displaying the desktop and the malware took over, covering the entire screen. I don't think I have instructions so I just let the CD run. There was never a prompt to run anything additional. I am now writing you from my iPhone with a frozen ICED computer in front of me.

Link to post
Share on other sites

OK so the CD finally ran and opened a window, then it just about finished displaying the desktop and the malware took over, covering the entire screen.

That shouldn't happen because you booted to the CD, not Windows...so something is not right.

You should have the BIOS set to boot to the CD-ROM first.

Put the CD in and reboot the computer; it should now boot to the Kaspersky CD. Then follow the instructions below.

Below is my tutorial on the virus.

I thought you had another computer that you put the infected drive into.

If you don't make out with the Kaspersky scan, if you could set the infected drive as slave in another computer and be able to navigate around in it, it's possible that we could manually delete the malware enough to get it going.

By chance did you have ERUNT installed to back up your registry every day or so?

Let me know

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

FBI MoneyPak, Ransomware virus removal

For Vista, W7 and W8: (You'll need a usb flash drive)

1. Please download How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

[1]Restart the computer.

[2]As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.

[3]Use the arrow keys to select the Repair your computer menu item.

[4]Select US as the keyboard language settings, and then click Next.

[5]Select the operating system you want to repair, and then click Next.

[6]Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: HERE

To enter System Recovery Options by using Windows installation disc:

[1]Insert the installation disc.

[2]Restart your computer.

[3]If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.

[4]Click Repair your computer.

[5]Select US as the keyboard language settings, and then click Next.

[6]Select the operating system you want to repair, and then click Next.

[7]Select your user account and click Next.

3. On the System Recovery Options menu you will get the following options:

*Startup Repair

*System Restore

*Windows Complete PC Restore

*Windows Memory Diagnostic Tool

*Command Prompt

Select Command Prompt

Once in the Command Prompt:

[1]In the command window type in notepad and press Enter.

[2]The notepad opens. Under File menu select Open.

[3]Select "Computer" and find your flash drive letter and close the notepad.

[4]In the command window type e:\frst (for x64 bit version type e:\frst64)  and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[5]The tool will start to run.

[6]When the tool opens click Yes to disclaimer.

[7]Press Scan button.

[8]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For XP and XP Pro:

These methods may help remove this malware: (XP is a little harder to work on)

This will work if you have a good system restore point and can get to the Command prompt: (If it doesn't work the first time keep trying...you may be able to get it)

Step 1: Use F8 to Boot to SafeMode With Command Prompt or Command Prompt

Step 2: Type the word "explorer" in black screen > enter

Step 3: Then Navigate to:

Win XP: C:\windows\system32\restore\rstrui.exe and press Enter

Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter (double click rstrui.exe)

Step 4: Restore Computer to Date you know you were virus free

Step 5: See if it boots up normally.....post on the forum so we can ensure the computer's clean

Here's a little trick that may work:

You need to select the “Safe Mode with Command Prompt” option and then hit the Enter key. This will boot the computer with minimal drivers, and no startup programs will run except cmd.exe.

<=====><=====><=====><=====><=====><=====>

Use Kaspersky Rescue Disk and Unlocker:

  • Download Kaspersky Rescue Disk (iso)
  • Burn it to a cd or dvd, if you need a program to burn an ISO...use Active@ ISO Burner
  • Kaspersky Unlocker can also be loaded on to a USB flashdrive:

    http://support.kaspersky.com/8092

  • The Kaspersky Disk also has a Registry Editor that can be used to delete or modify the registry entries responsible for the hijack if Unlocker doesn't work.

    If you need guidance please ask.

  • Kaspersky WindowsUnlocker to fight ransom malware Tutorial
  • Configure your computer to boot from CD/DVD
  • Note : If you do not know how to set your computer to boot from CD/DVD follow the steps HERE
  • Once you have the cd/DVD created, boot the computer up using it
  • Press any key to enter the menu
  • Select your language
  • Press 1 to accept the End User License Agreement
  • Select Kaspersky Rescue Disk. Graphic Mode
  • Click on the Start button located in the left bottom corner of the screen
  • Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Metropolitan Police Virus

    Note: If you can't find Kaspersky WindowsUnlocker, go to Terminal instead > type > windowsunlocker > choose 1 - Unlock Windows > Enter

  • When it's done, click on the Start button and start Kaspersky Rescue Disk utility
  • Click on My Update Center tab and press Start to download the latest update
  • Next, select the Object Scan tab
  • Put a check next to C:\ and any other local drives
  • Then click Start Objects Scan
  • Quarantine any malware found
  • Restart your computer and see if it boots up normally

<=====><=====><=====><=====><=====><=====>

Sometimes HitmanPro.Kickstart will work:

http://www.bleepingcomputer.com/virus-removal/remove-computer-crime-intellectual-property-section

Good Luck.....MrC

Link to post
Share on other sites

Sorry I am just getting back to respond. When preparing to run from your CD I tap F12 till the boot device menu comes and I pick #3 IDE CD ROM.

Next I get to choose F1 to continue or F2. F1 usually just repeats the choices so I hit F2 and recheck the boot sequence. There I put CD ROM at the top #1 spot and hard drive next. Next, Escape and save if asked. If I get F1 & F2 I try F1; when it repeats I do a hard kill and then restart the computer. It ran the CD once, so I thought, but I got a Windows screen. If you were saying I'm not supposed to get Windows then I don't know what it was running. Currently it will not redo that scenario anyway, it just goes back to F1 and F2.

I do not have ERUNT that I am aware of

Link to post
Share on other sites

No, just one computer. I thought I had been very clear about my setup. I am switching two hard drives within the same computer from master to slave. It works well. I ran through the tutorial a couple of days ago from another user's post. Doesn't work.


The master is infected...correct?

What's on the slave? an operating system??

If you can get to the infected drive through the slave we might be able to manually delete the malware or scan it with Malwarebytes


I ran through the tutorial a couple of days ago from another user's post. Doesn't work.

Were you able to run Unlocker and scan the system??
Did you try the registry editor.....can you get into the registry?


Sometimes HitmanPro works:
http://www.bleepingcomputer.com/virus-removal/remove-computer-crime-intellectual-property-section

Link to post
Share on other sites

No, but I don't know how to either. The registry is definitely over my head. I have to leave right now but will check back. Thank you, sorry to keep leaving. But what about the manual extract? Right now the malware is on the slave on this computer but I haven't gone looking around in fear of making it worse. Check back in a few hours.

Link to post
Share on other sites

1: Can you get to a command prompt with the infected computer??

2: Not getting the malware out of the registry is going to be a problem.

3: If you have Malwarebytes 2.0 on the good drive, we can run a Custom scan on the infected hard drive.
This would be the first thing to do.

4: Then access the infected drive and look for the malware files. (below are samples from past infections)
They can be anywhere but usually in these locations.
Of course the user names will be different:

C:\Documents and Settings\mixael padilla\Application Data
C:\Documents and Settings\mixael padilla\Local Settings\Application Data
C:\Users\Test\AppData\Roaming
C:\ProgramData
C:\Users\elvis\Documents

Here's the samples:

Link to post
Share on other sites
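With the locked drive slaved into the clean XP install, as MrC's point 4 describes, the profile locations he lists can be triaged before anything is deleted. This is an added example, not MrC's or the thread's own code; it assumes Python is available on the clean OS, that the mounted drive root (for example F:\) is passed to triage(), and it builds a constructed stand-in directory tree for the demo, reusing file names from the post's samples.

```python
# Added example (not from the thread): offline triage of a locked drive slaved
# into a clean OS. Walks the profile locations listed in the post and reports
# executables and random-named files, newest first, for scanning.
import glob
import os
import re
import tempfile

CANDIDATE_DIRS = [  # from the post, relative to the mounted drive root
    "Documents and Settings/*/Application Data",
    "Documents and Settings/*/Local Settings/Application Data",
    "Users/*/AppData/Roaming", "Users/*/AppData/Local", "Users/*/Documents",
    "ProgramData",
]
HEX8 = re.compile(r"^[0-9a-f]{8}$", re.I)

def is_suspicious_name(name):
    """Name heuristic only (a scanner is still needed): any .exe/.dll in these
    dirs, an 8-hex-digit name such as 2433f433, or a mixed letter/digit blob."""
    stem, ext = os.path.splitext(name)
    if ext.lower() in (".exe", ".dll") or HEX8.match(stem):
        return True
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    return len(stem) >= 6 and stem.isalnum() and mixed

def triage(root, max_depth=2):
    """Return [(mtime, relative path)] of suspicious files under root, newest first."""
    hits = []
    for pattern in CANDIDATE_DIRS:
        for base in glob.glob(os.path.join(root, *pattern.split("/"))):
            base_depth = base.count(os.sep)
            for dirpath, dirnames, filenames in os.walk(base):
                if dirpath.count(os.sep) - base_depth >= max_depth - 1:
                    dirnames[:] = []  # stop descending past max_depth (catches <random dir>\<random>.exe)
                for fn in filenames:
                    if is_suspicious_name(fn):
                        full = os.path.join(dirpath, fn)
                        hits.append((os.path.getmtime(full), os.path.relpath(full, root)))
    return sorted(hits, reverse=True)

def build_sample_drive():
    """Constructed stand-in for a slaved drive; names copied from the post's samples, contents are placeholders."""
    root = tempfile.mkdtemp(prefix="slave_drive_")
    for rel in ["Documents and Settings/mixael padilla/Application Data/ypjvdod.exe",
                "Users/elvis/Documents/49d0e2d4.exe", "Users/elvis/Documents/taxes-2013.xls",
                "Users/Tracey/AppData/Local/z4GlKA07/KDpGL2ymZE.exe", "ProgramData/2433f433"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not malware\n")
    return root
```

Run triage(r"F:\") from the clean OS and submit the listed files to a scanner rather than deleting on sight; the name heuristic is a starting point, not a verdict.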

Hello, I would like to set a block of time today or when you are able to work on this so that I can give it my full attention and make use of the valuable help you are offering. By coming and going so sporadically I don't mean to be unappreciative or difficult. I was being pulled in many directions but now it's more manageable. So I will address your four points as best I can and then, if you would be kind enough to let me know when you can work on this again, I will try to shift my schedule accordingly. If we could hit it first thing Monday morning that would probably be best. So if you are 3 hrs ahead and are able to help me around 8 or 9 (east coast time), I plan to be up early and prepared. If the morning doesn't work my next opening would be late afternoon my time. Lastly, would it be helpful to start with a phone call, if you even work that way? If so I'm at 3107708114 anytime. OK, I will address the 4 points below in orange font:

 

1: Can you get to a command prompt with the infected computer??
If I understand, the quick answer is "no", but I have to ask 2 questions back.

A) Is a command prompt very particular, as in "safe mode with command prompt", or is it anywhere I'm able to type words, like the start menu "run" or "search"?

B) Does "infected computer" refer to the infected drive only, or literally the unit with the desktop and multiple drives?

 

If I understand; I tried to run the infected drive set as master in all 3 safe modes and from the CD using all your suggestions and tricks, only to end up on the ICE page.

2: Not getting the malware out of the registry is going to be a problem.

3: If you have Malwarebytes 2.0 on the good drive, we can run a Custom scan on the infected hard drive.
This would be the first thing to do.

4: Then access the infected drive and look for the malware files. (below are samples from past infections)
They can be anywhere but usually in these locations.
Of course the user names will be different:

Link to post
Share on other sites

This topic is now closed to further replies.