
IC3 in Safe Mode? How I fixed it


2 replies to this topic

#1 olligator (Members, 2 posts)

Posted 24 January 2013 - 07:50 PM

I have used these forums in the past to find out how to beat some of the malware I've had to deal with over the last couple of years. This past week, I caught the newer and nastier version of the IC3 ransomware. Let's call it "IC3+" for this post. This newer version locks you out from the earlier fix where you log on in safe mode and kill it with malwarebytes or whatever tool you like. The info that is posted here on Bleeping Computer has helped me save my butt a few times, and since I found this fix, I felt it only appropriate to share it, to give something back in the hopes that it can help someone else save their machine.

***I did this fix successfully on my Toshiba M750 Portege laptop running WinXP SP3 with ESET NOD32 4.2.64.12; What worked for me may not necessarily work for your system, but I think the concept is valid for other versions of the windows OS.

1. The newer nastier IC3 doesn't allow the relatively easy "safe mode fix" as I said above. It also kept me from utilizing the system recovery approach off of the factory WinXP disc. At least on my machine, I couldn't boot off the windows disc, usb drive, flash card, or anything else. When attempting to boot from any of these, all of the generic drivers would load into memory, and right before you get to any screen with any options whatsoever, you get the blue screen of death erroring out at the same memory address every time (0x0000007B or something). For me, my goal was at least to just get to a prompt, such that I could manually kill enough of the IC3+ files to boot normally and run malwarebytes. For all its nastiness, the newer IC3+ isn't complicated to get rid of once you get into the machine, but more on that later. I also tried a backdoor approach to kill some of the active services on the machine by connecting through the computer management tool on my wife's laptop, but was denied. This may have been a native permissions issue on my machine or IC3+, but I couldn't get in so oh well, back to square one.

2. After seeing the error at the same address with different boot devices, I made the logical assumption that IC3+ apparently locks down the MBR too. I'm thinking, great, how the heck do I get to a command prompt? How do I beat the fubar'd MBR? A root kit perhaps? As this is a work machine, I wasn't too psyched about playing with a root kit since I haven't really used one before, and my data is too important to lose. Then I had an epiphany: Boot linux off of a disc to get at the data! I had a burned copy of Ubuntu desktop 10.1 sitting in the drawer and popped it in the drive, then booted up off the disc. Ubuntu's dialog pops up and generously asks me if I'd like to try out ubuntu or install it. I chose to "try it out", which loads all the linux drivers and gui into memory and unused disc space, bypassing the windows MBR altogether. The Ubuntu GUI pops up, and 5 seconds later, I have a file browser window open and I'm ready to clean house!

3. I popped in my USB external HDD to back up my important stuff, then proceeded to do part one of my IC3+ eradication. As I said earlier, the newer IC3+ is still somewhat simplistic. It duplicates a single executable into all of the user data directories- C:\Documents and Settings\%username%\Application Data\.. and C:\Documents and Settings\%username%\Local Settings\Application Data\.. Just like the old IC3. In the directories for all the users, I found an executable of the same name written at the exact time and date IC3+ hit. It had some random char filename like xjiishgdusf.exe or something (I'm sorry for not transcribing it exactly, but I was hungry for getting my machine fixed and it would probably be a different set of random chars on your machine anyway). While I was in there, I killed all of the temp browser and temp app data files too. If you're slick with linux, you could also just run a grep command from a prompt and find everything in one shot, but I'm lazy and impatient so I just used the GUI to git'r done.

***If you don't kill all the IC3+ executables, you'll have to do all this over again until you do, so take the time to really clean out all the dupes of the IC3+ executables and any temp files.

4. Part 2 of my IC3+ fix is a carbon copy of the old IC3 fix. I booted the machine into Safe Mode to test it out. No more IC3+ screen! Then I booted into Safe Mode+Networking successfully to finish the eradication. I busted out malwarebytes, updated, and did the full scan. It found 2 threats, identified as trojans, which I deleted after the scan. Reboot for normal bootup and I was back in business. Not counting the time for the full malwarebytes scan, this whole process took me less than 10 minutes after spending 6+ hrs fruitlessly searching the web for how to beat IC3+.

I would like to add that I was running ESET NOD32 with the realtime scanning when I got popped by IC3+. On the bootup with my hijacked IC3+, I could see a dialogue flash that ESET had detected a threat and quarantined it, but that obviously wasn't doing the trick. It also didn't help me when I got popped by the old IC3 back in September. You know, since most of the bad stuff loads before all your AV stuff loads and all...

I'm sure that I could use some other tools to handle the eradication of IC3+ differently, but this is my work laptop and I needed the data the next day. Since the whole issue is getting past the Windows MBR, you could probably adapt this approach with a different flavor of linux or OSX. I just happened to have the Ubuntu Desktop disc handy, but if you have access to another machine, you could download it and probably even do it off of a USB stick too. So that's my story, and I hope this approach can help other people beat IC3+.

Edited by olligator, 24 January 2013 - 08:25 PM.
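The "grep from a prompt" shortcut the poster mentions in step 3, written out as an added example (this is not the poster's own procedure or a BleepingComputer tool). It assumes you are in a Linux live session with the Windows volume mounted read-only somewhere (the device name /dev/sda1 and mount point /mnt/win are assumptions; check with fdisk -l). The script walks every per-user Application Data directory under Documents and Settings, hashes each .exe, and reports any binary that appears in more than one profile, which is exactly the "same file in every user's Application Data" pattern described above. The fixture it builds for its self-test is constructed dummy data, not a real sample.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Typical use from an Ubuntu live session (device and mount point assumed):
#   sudo mount -t ntfs-3g -o ro /dev/sda1 /mnt/win
#   sh find_dupes.sh /mnt/win
# Mounting read-only first lets you look before you delete anything.

sha256_of() {
    # GNU coreutils sha256sum prints "<hash>  <path>"; keep only the hash.
    # Fall back to shasum on systems without sha256sum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

mtime_of() {
    # Modification time, GNU stat first, BSD stat as fallback.
    stat -c %y "$1" 2>/dev/null || stat -f %Sm "$1"
}

find_dupes() {
    # find_dupes ROOT: ROOT is the mounted Windows volume. The single
    # '*/Application Data/*' pattern matches both
    #   <user>/Application Data/...            and
    #   <user>/Local Settings/Application Data/...
    # Output: one "<hash> xN" line per binary seen in N>1 profiles, followed
    # by the mtime and path of each copy, indented.
    root=$1
    find "$root/Documents and Settings" -type f \
        -path '*/Application Data/*' -iname '*.exe' -print |
    while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(sha256_of "$f")" "$(mtime_of "$f")" "$f"
    done | sort | awk -F'\t' '
        { n[$1]++; copies[$1] = copies[$1] "\n    " $2 "  " $3 }
        END { for (h in n) if (n[h] > 1) printf "%s x%d%s\n", h, n[h], copies[h] }'
}

make_fixture() {
    # Build a constructed XP-style profile tree under $1 for testing: the same
    # dummy "dropper" in two profiles, plus an unrelated file in only one.
    # The filename is a made-up placeholder, not the poster's real sample.
    base="$1/Documents and Settings"
    for u in Administrator olli; do
        mkdir -p "$base/$u/Application Data" "$base/$u/Local Settings/Application Data"
        printf 'MZ dummy dropper payload\n' > "$base/$u/Application Data/abcdefghij.exe"
    done
    printf 'MZ unrelated per-user tool\n' > "$base/olli/Local Settings/Application Data/updater.exe"
}

if [ "$#" -gt 0 ]; then
    find_dupes "$1"
fi
```

Legitimate per-user updaters can also land in several profiles, so treat a hit as a lead, not a verdict: the poster's extra signal was that every copy carried the same write time, which is why the mtime is printed beside each path. Delete only after the backup step in the post, and re-run the script afterwards to confirm nothing with that hash remains.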


#2 olligator (Topic Starter, Members, 2 posts)

Posted 24 January 2013 - 08:22 PM

I just had a few extra thoughts after typing this post that I think people should consider.

1. Bypassing the MBR with linux or whatever will only get you access to a command prompt/startup screen for the different OS and *maybe* access to your system or data files. If some other type of virus or malware tweaks, hides, or alters your files or permissions you might not be able to do anything with any of the files on your system. There is no guaranteed way that I know of to use this approach and get access to all your data files.

2. My strategy to kill IC3+ was based on what everyone's already figured out about how to beat the old IC3. Where it installed itself, for example. It just happened to work out that IC3+ installed itself in the same places as the old IC3. I was betting that the code monkey that wrote the original IC3 was too lazy to redo the whole thing from scratch and just added some extras to it to make IC3+. Looks like that bet paid off and I got lucky.

3. I saw on here that the first step when you're hijacked was to run some basic analysis tools that dropped logs of certain registry items, system params, etc., to see what and/or where your machine is hijacked. That's fine, but for me I was looking at the problem from a different perspective. The objective was first and foremost to get my work data. To that end, I really didn't care what the registry said or about any altered system params. Fixing the machine was always secondary in this mission. So if I didn't care about the registry items or system params, I decided to use my own "registry" and params to get what I needed. I was lucky that I could have my cake and eat it too by killing IC3+ at the same time.

#3 angielee1 (Members, 1 post)

Posted 11 February 2013 - 02:06 PM

I am seeking information about an extra laptop I have. I have not been able to get out of the blue screen and it's been that way for months. I am not a tech wiz, and I often find it difficult to follow directions offered online because they move too fast, or use words that I am not familiar with. Is there any way I can find out how to get my computer out of safe mode, without there being an exorbitant charge for doing so? I forgot to mention, I am a full-time student with part-time funds.
