I am using Windows XP and my Dell laptop is locked up by the ICE ransomware virus.
When I start my computer and log on, my normal desktop background appears with no icons, then after several seconds, the screen goes to a white background and the ICE message appears and I am locked out.
If I F8 and attempt to start in ‘Safe Mode’ I get a blue screen that reads, “A problem has been detected and Windows has been shut down to prevent damage to your computer (yada yada yada)”.
If I F8 and attempt ‘Safe Mode With Networking’ and attempt to start windows I get the same blue screen and message as in plain ‘Safe Mode’ (see above).
If I F8 and attempt ‘Safe Mode With Command Prompt’ and attempt to start windows I again get the same blue screen and message as in plain ‘Safe Mode’ (see above).
If I F8 and try ‘Last Known Good Configuration’, and start my Windows XP, I go back to the top of this list and I get the ICE screen lock-out.
I downloaded HitmanPro 32bit to a USB stick.
And per HitmanPro instructions: start computer > hold F12 > USB Storage Device > “USB Boot options” > 1. Bypass Master Boot Record (default). Message shows “hitmanpro booting, MBR read”… then the screen asks to start Windows normally (yes), normal start begins, click user to begin, Windows starts to load, screen shows normal desktop background with no icons, then after several seconds the ICE screen appears.
According to the HitmanPro instructions, “After about 10-15 seconds, the HitmanPro window will appear on top of the screen locker as shown in the image” (on the instruction sheet). This never happens. HitmanPro will not run. It appears this flavor of the virus is immune to HitmanPro 32-bit.
I downloaded and burned Kaspersky Rescue Disc 10 to a CD.
I start my laptop, F12, open the disc drive, insert the Rescue Disc 10, select to boot from the CD drive. The Kaspersky screen is displayed, any key is selected to enter K-rescue disc, and I select “Kaspersky Rescue Disc Graphic Mode”. I can hear the disc loading… A warning pops up advising me that my “computer’s operating system has been shut down incorrectly. File system is going to be mounted. The procedure may cause damage to it. To avoid system corruption, you are advised to shut down the operating system correctly before using Kaspersky Rescue Disc.” (No kidding it was shut down incorrectly; the only way to shut it down with it locked is by holding down the on/off button.)
“Do you wish to continue?” Choices are: continue, skip, restart.
I choose ‘restart’ and reboot from the Rescue 10 disc. It reloads after being shut down and I’m back to the warning about the “mounting disc” operation. I select ‘skip’ this time. I then get a message warning that “There is not enough disc space to copy the required files - 378Mb of free space is needed. The files will be stored in the memory”. I agree and select OK, then a “Mounting disc” load bar appears and I wait...
The Kaspersky Rescue desktop is present. A window is in view with a “Scan Your Computer” tab open. It shows 2 objects available to scan, “Disc Boot sectors” and “Hidden start-up objects”, but no C-drive. Also a window came into view advising that the program I just downloaded was out of date; I select the My Update tab and start the update. I use the rescue program to connect to my local wireless network and I update the K-rescue 10 program. After a few minutes it is updated. I then return to the “Objects scan” tab and select “Start Objects scan”, which it completes in about a minute, but shows nothing in the quarantine or report tabs. It appears that it didn’t find anything in the “Disc Boot sectors” or the “Hidden start-up objects”. The web page instructions show that I need a C-drive available, which I’m not getting when I skip the mounting procedure.
I use the K-rescue 10 to restart my laptop again and reboot again from the disc in graphic mode. This time at the “mounting disc” warning I select “continue” and mount the C-drive. I now see a C-drive folder on my desktop and a C-drive is available to scan in the “Scan Your Computer” window. I select “Start Objects scan”.
It’s late so I go to bed. When I check it in the morning, the Object Scan box displays “Stop Objects scan 99%, Finish: unknown, object: C:/…/Local Settings/temp/Nfts_Clear….”
I can’t read the rest because I have a red window open in the bottom right corner: “Alarm, detected: malicious software, Object: nts and settings/ (user)/local settings/ temp/Nfts_Cleanp.exe: contains a Trojan program. Backdoor.Win32.Androm.agod”. I am allowed 2 options: delete (recommended), or skip. I delete.
The big red box closes and there is a smaller box displayed, “File C:/…/(user)/ local settings/ temp/Nfts_Cleanp.exe, Trojan program: Backdoor.Win32.Androm.agod.” As I am typing this last paragraph the box turns green and the display now ends with “deleted and backup copy is created.”
I ‘x’ out the window but it doesn’t close. I click ‘details’ inside the green window box and a large “Protection State” box opens. Inside it reads “detected threats”, inside a selectable window “Disinfected items”, and in the large display window in the box it has detected and deleted 23.
It has detected all the items as Trojan programs as: 6 HEUR Java exploits (Java Sun Applications), 3 Java exploit CVEs, 2 exploit Win32 CVEs (temp internet files), 9 Rootkit boots Pihar and Cidox (TDSS Killer quarantine related), Win32 Genome (TDSS Killer quarantine related), and 1 Backdoor Win32 Androm.agod (Documents and Settings). I have only one option available, so I click ‘Quarantine’.
The next window opens and it asks to look in a folder named “/root” named xserver.cfg. I can type a file name but I’m not sure what this window is asking me to do. The file types box shows “*.*”. I cancel out without doing anything.
I close the window and now notice it’s telling me my database is out of date. I click update but it won’t update because the wireless is offline. I can’t turn it back on because the green window in the bottom right corner is blocking my access to the wireless icon and it won’t close or allow me to move it. I can maneuver my mouse and catch just an edge of the wireless tray icon and reconnect to the wi-fi and re-download the K-rescue 10 update.
When I view the K-rescue 10 Protection State window box it reads that there are 3 events quarantined. They are all “Trojan program HEUR: Exploit. Script. Generic.” located at “C:/Documents and settings/(user)/Local Settings/ Application data/Sun/Java/Deployment/cache/” with the following final file extensions: 6.0/30/5bace8de-431-dd6c6, and 6.0/55/534c7677-37816bbe, and 6.0/56/238718b8-4c9d 90dc.
The K-rescue Protection State window box has a Status tab. I open it and it tells me “No threats detected”. If I were to guess what this statement means I would guess the Kaspersky rescue disc 10 didn’t find the ICE virus.
I’m stuck. I need help/advice. This is the second time I have run the Hitman Rescue Disc.