HitmanPro32 and Kaspersky Rescue Disk 10 Not Removing ICE Ransomware virus


5 replies to this topic

#1 Rob Rig

  • Members
  • 3 posts

Posted 02 August 2013 - 09:19 AM

I am using Windows XP and my Dell laptop is locked up by the ICE ransomware virus.

When I start my computer and log on, my normal desktop background appears with no icons, then after several seconds, the screen goes to a white background and the ICE message appears and I am locked out.

If I press F8 and attempt to start in 'Safe Mode', I get a blue screen that reads, "A problem has been detected and Windows has been shut down to prevent damage to your computer (yada yada yada)".

If I press F8 and attempt 'Safe Mode With Networking' and try to start Windows, I get the same blue screen and message as in plain 'Safe Mode' (see above).

If I press F8 and attempt 'Safe Mode With Command Prompt' and try to start Windows, I again get the same blue screen and message as in plain 'Safe Mode' (see above).

If I press F8 and try 'Last Known Good Configuration' and start my Windows XP, I go back to the top of this list and I get the ICE screen lock-out.

I downloaded HitmanPro 32bit to a USB stick.

And per the HitmanPro instructions: start computer > hold F12 > USB Storage Device > "USB Boot options" > 1. Bypass Master Boot Record (default). The message shows "HitmanPro booting, MBR read"... then the screen asks to start Windows normally (yes), a normal start begins, I click the user to begin, Windows starts to load, the screen shows the normal desktop background with no icons, then after several seconds the ICE screen appears.

According to the HitmanPro instructions, "After about 10-15 seconds, the HitmanPro window will appear on top of the screen locker as shown in the image" (on the instruction sheet). This never happens. HitmanPro will not run. It appears this flavor of the virus is immune to HitmanPro32.

I downloaded and burned Kaspersky Rescue Disk 10 to a CD.

I start my laptop, press F12, open the disc drive, insert the Rescue Disk 10 CD, and select to boot from the CD drive. The Kaspersky screen is displayed, any key is pressed to enter the rescue disk, and I select "Kaspersky Rescue Disk Graphic Mode". I can hear the disc loading... A warning pops up advising me that my "computer's operating system has been shut down incorrectly. File system is going to be mounted. The procedure may cause damage to it. To avoid system corruption, you are advised to shut down the operating system correctly before using Kaspersky Rescue Disk." (No kidding it was shut down incorrectly; the only way to shut it down while it is locked is by holding down the on/off button.)

"Do you wish to continue?" Choices are: continue, skip, restart.

I choose 'restart' and reboot from the Rescue Disk 10 CD. It reloads after being shut down and I'm back to the warning about the "mounting disk" operation. I select 'skip' this time. I then get a message warning that "There is not enough disk space to copy the required files. 378 MB of free space is needed. The files will be stored in the memory". I agree and select OK, then a "Mounting disk" load bar appears and I wait...

The Kaspersky Rescue desktop is present. A window is in view with a "Scan Your Computer" tab open. It shows 2 objects available to scan, "Disk Boot sectors" and "Hidden start-up objects", but no C drive. Also a window came into view advising that the program I just downloaded was out of date; I select the My Update tab and start the update. I use the rescue program to connect to my local wireless network and I update the K-rescue 10 program. After a few minutes it is updated. I then return to the "Objects scan" tab and select "Start Objects scan", which it completes in about a minute, but it shows nothing in the quarantine or report tabs. It appears that it didn't find anything in the "Disk Boot sector" or the "Hidden start-up objects". The web page instructions show that I need a C drive available, which I'm not getting when I skip the mounting procedure.

I use the K-rescue 10 to restart my laptop again and reboot again from the disc in graphic mode. This time at the “mounting disc” warning I select “continue” and mount the C-drive. I now see a c-drive folder on my desktop and a c-drive is available to scan in the “Scan Your Computer” window. I select “Start Objects scan”.  

It’s late so I go to bed. When I check it in the morning, the Object Scan box displays “Stop Objects scan 99%, Finish: unknown, object: C:/…/Local Settings/temp/Nfts_Clear….”

I can’t read the rest because I have a red window open in the bottom right corner:  “Alarm, detected: malicious software, Object: nts and settings/ (user)/local settings/ temp/Nfts_Cleanp.exe: contains a Trojan program. Backdoor.Win32.Androm.agod”.  I am allowed 2 options: delete(recommended), or skip.  I delete.

The big red box closes and there is a smaller box displayed, “File C:/…/(user)/ local settings/ temp/Nfts_Cleanp.exe, Trojan program: Backdoor.Win32.Androm.agod.” As I am typing this last paragraph the box turns green and the display now ends with “deleted and backup copy is created.”

I 'x' out the window but it doesn't close. I click "details" inside the green window box and a large "Protection State" box opens. Inside it reads "detected threats", inside a selectable window "Disinfected items", and in the large display window in the box it shows it has detected and deleted 23.

It has detected all the items as Trojan programs: 6 HEUR Java exploits (Java Sun Applications), 3 Java exploit CVEs, 2 Win32 exploit CVEs (temporary internet files), 9 rootkit boots, Pihar and Cidox (TDSSKiller quarantine related), Win32 Genome (TDSSKiller quarantine related), and 1 Backdoor.Win32.Androm.agod (Documents and Settings). I have only one option available, so I click 'Quarantine'.

The next window opens and it asks to Look in a folder named “/root” named xserver.cfg. I can type a file name but I’m not sure what this window is asking me to do.  The file types box shows “*.*”. I cancel out without doing anything.

I close the window and now notice it’s telling me my database is out of date. I click update but it won’t update because the wireless is offline. I can’t turn it back on because the green window in the bottom right corner is blocking my access to the wireless icon and it won’t close or allow me to move it. I can maneuver my mouse and catch just an edge of the wireless tray icon and reconnect to the wi-fi and re-download the K-rescue 10 update.

When I view the K-rescue 10 Protection state window box it reads that there are 3 events quarantined. They are all “Trojan program HEUR: Exploit. Script. Generic.” Located as “C:/Documents and settings/(user)/Local Settings/ Application data/Sun/Java/Deployment/cache/ with the following final file extensions: 6.0/30/5bace8de-431-dd6c6, and 6.0/55/534c7677-37816bbe, and 6.0/56/238718b8-4c9d 90dc.

The K-rescue Protection State window box has a Status tab. I open it and it tells me “No threats detected”. If I were to guess what this statement means I would guess the Kaspersky rescue disc 10 didn’t find the ICE virus.

I’m stuck. I need help/ advice. This is the second time I have run the Hitman Rescue Disc.


#2 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 02 August 2013 - 10:25 AM

:welcome:

 

Let's try another workaround: 

 

USING THE RAR/ZIP ARCHIVE TO CREATE A USB BOOTABLE DEVICE

To create a USB flash drive variant of AVG Rescue CD, you will need to do the following:

  • Extract the archive downloaded from AVG web to your preferred location.
  • Double-click the extracted setup.exe file. It will guide you through the whole process. You will be able to select a USB drive from a listbox and setup will copy all necessary files to the selected USB drive and it will make the USB drive bootable.
  • Please be careful not to run the makeboot.bat file directly from hard drive of the computer! This would overwrite the boot record and make your system un-bootable.
  • After this process is finished (message will be displayed) you can close the window.

:step1: AVG Rescue:

 

Now plugin the USB-device with AVG-rescue on it.

 

1. Reboot the computer and start the boot menu (F10 or F12). Then choose the USB device.

 

2. At the Boot Menu: Choose AVG Rescue CD (1) and press Enter

3. Let it load, at the "Disclaimer Screen"... just choose I agree or not and press Enter

4. At the "Update Screen", choose Yes and press Enter

Next screen, Choose Update from Internet and press Enter

5. At the "Update Priority Configuration" window, choose Priority 2 Virus Database Update and press Enter

6. Let it update and when finished, Press any key to continue

7. You end up back at the "Update Screen", choose Return and press Enter

8. You're at the "Main Menu" screen, choose Scan, press Enter

9. "Scan Type Menu", choose "Volumes Scan - Selected Volumes" and press Enter

10. "Scan Volumes", choose "OK" and press Enter

11. "Scan Options", choose "OK" and press Enter

12. "Run Scan", choose "Yes" and press Enter

13. When scan is complete, Press any key to continue

14. "Info screen", choose "OK" and press Enter

15. To see the scan report, select "Report File" and press Enter
Please look over the list, as some files can be crucial for the Windows system and deleting them can make it inoperative; if you're not sure, please Google the file or files.

16. "Scan Results Menu", use the up and down keys and choose "Select - Handle single or groups of infected files", press Enter
Go through the files and choose to Rename the infected file, don't choose Delete!
This is important....Rename<---

17. Read the "Warning Screen", "Yes" and Enter

18. Back to "Scan Results Menu", choose "Back or Return" to get to the "Main Menu" and then choose ---->Reboot System
Don't forget to take out the rescue cd.

19. All the malware files will be renamed to "_INFECTED.arl", to find all of these files....
Go to Start > Search > All Files and Folders > type "_INFECTED.arl" and click search.
  Example: malware.exe would be renamed to malware.exe_infected.arl


If you have received help from me and I have not responded to you for 3 or more days, send me a Private Message.  :hello:
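Step 19 above says AVG Rescue does not delete what it flags but renames it with an "_INFECTED.arl" suffix, and tells you to find those files with Windows Search. The script below is an added example (not part of the post and not AVG's own code) that does that listing over a directory tree and, for an item you have reviewed and decided is a false positive such as a Windows system file, renames it back. It assumes only the naming rule stated in the post ("malware.exe" becomes "malware.exe_infected.arl"); the sample tree it builds in a temporary folder, and the file names in it, are constructed for the demonstration.

```python
"""Find files AVG Rescue renamed to *_INFECTED.arl and restore a reviewed
false positive by renaming it back.

Added example; assumes only the rename convention quoted in the post.
"""
import os
import tempfile

# Suffix appended to the original name; matched case-insensitively because
# the post shows it as both "_INFECTED.arl" and "_infected.arl".
SUFFIX = "_infected.arl"


def find_renamed(root):
    """Return sorted (renamed_path, original_path) pairs found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SUFFIX):
                renamed = os.path.join(dirpath, name)
                original = os.path.join(dirpath, name[: -len(SUFFIX)])
                hits.append((renamed, original))
    return sorted(hits)


def restore(renamed_path):
    """Put a renamed file back under its original name.

    Only call this after you have checked the file yourself (step 15 warns
    that some flagged files are needed by Windows). Refuses to overwrite an
    existing file so a later re-scan cannot clobber a real replacement.
    """
    if not renamed_path.lower().endswith(SUFFIX):
        raise ValueError("not an AVG-renamed file: %s" % renamed_path)
    original = renamed_path[: -len(SUFFIX)]
    if os.path.exists(original):
        raise FileExistsError(original)
    os.rename(renamed_path, original)
    return original


def build_sample_tree():
    """Constructed sample layout (hypothetical file names) so this runs offline."""
    root = tempfile.mkdtemp(prefix="avg_demo_")
    layout = {
        "Documents and Settings/user/Local Settings/temp/dropper.exe_INFECTED.arl": b"MZ",
        "WINDOWS/system32/legit.dll_infected.arl": b"MZ",  # pretend false positive
        "WINDOWS/system32/kernel32.dll": b"MZ",            # untouched, must not be listed
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for renamed, original in find_renamed(root):
        print("renamed: %s  (was %s)" % (os.path.relpath(renamed, root),
                                         os.path.basename(original)))
```

Run it as-is to see the listing on the constructed tree; on a real machine, point `find_renamed` at the mounted Windows volume and call `restore` only on entries you have verified.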


#3 Rob Rig

  • Topic Starter
  • Members
  • 3 posts

Posted 04 August 2013 - 07:51 AM

I've downloaded the AVG Rescue zip file to my desktop on my good computer and unzipped the file to its folder on my desktop.

When I open the folder and click on the setup icon, I get the box asking me to "Select Removable Device". It wants to send it to my secondary hard drive inside my computer (I: HPv165w [Fat32] [3201 MB free]). I need to send it to the clean, formatted 4 MB thumb stick on my K drive. I click the small arrow to view other options and it won't give me any other options. I've tried typing K drive in the dropdown window, but it won't allow me to do that. How can I get this to my K drive? The K drive is shown as being connected when I open "My Computer".



#4 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 04 August 2013 - 07:54 AM

You may skip AVG Rescue; we're going to try another strategy, because I have seen too many issues with this.

 

Let's try another strategy:

 

Disconnect the LAN cable so the infected machine has no internet. Then start up your infected machine. Is the ransomware still there?

 

  1. Restart your computer, and then press and hold F8 during the initial startup to start your computer in safe mode with a Command prompt.
    Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the “F8 key”, tap the “F8 key” continuously until you get the Advanced Boot Options screen.
     
  2. Use the arrow keys to select the Safe mode with a Command prompt option.

    safemode12.jpg
     
  3. In the command prompt enter explorer.exe

 

Do you now have access to your computer environment?  

 

===

 

Transfer the tools with a flash drive if necessary. 

 

===

 

:step1: Run Rkill http://www.bleepingcomputer.com/forums/t/308364/rkill-what-it-does-and-what-it-doesnt-a-brief-introduction-to-the-program/

 

       Note: Sometimes AVs think Rkill is infected; this isn't true, it's just a false positive. Just let it terminate the malware processes.

 

:step2: Provide the Rkill log.

 

:step3: Download Emsisoft Emergency Kit

  • Open EmsisoftEmergencyKit by  double-click Start.exe.
  • A new window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Deep Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply

 

:step4:  Install and run MBAM

:step5:   Running TDSSKiller to obtain log

 

Note: Don't cure or delete a threat, but choose skip for all instead.

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters

tds2.jpg

  • In the Additional options: Check Detect TDLFS file system
  • Click Start Scan and allow the scan process to run

tds4-1.jpg

  • Choose Skip for all threats.
  • Click Continue
  • Please post the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)

===================================================


Edited by GodfatherKing, 04 August 2013 - 07:57 AM.



#5 Rob Rig

  • Topic Starter
  • Members
  • 3 posts

Posted 04 August 2013 - 09:02 PM

Here's the latest on my computer. 

I ran the HitmanPro when I put up the first post, and I had run it prior to that without it finding or removing the virus. My laptop has been sitting on my desk and I hadn't turned it on since I shut it down in frustration following my first post. I came back in this afternoon and figured what the heck, it didn't find anything, but maybe, just maybe it did something. 

I turned it on, and turned my back on it thinking it would just fail again and I'd be locked out by the ICE virus. A few minutes later I turned around and it had booted up in Safe Mode with Command Prompt all by itself.

I didn't touch it other than pushing the 'On' button. That was very strange, but it gets stranger.

When I first had this virus I found some tips to boot in safe mode with command prompt and go to C:/windows/system32/restore and type rstrui.exe to reset my laptop to a prior point. Every time I tried rstrui.exe it responded that it was an invalid command. If I typed "dir" it showed me the contents of the restore folder and I could see that rstrui.exe was there. I tried this numerous times.

After I first ran the HitmanPro (prior to the second time I ran it and recorded my actions for this post), when I tried to boot in command prompt, I got a blue screen, “A problem has been detected and windows has been shut down to prevent damage to your computer (yada yada yada)”.

Safe mode with Command prompt was booting prior to my first run of HitmanPro, but failed afterward.

I was very surprised to see my computer had booted itself in safe mode with command prompt AND when I navigated my way to the restore file and typed rstrui.exe, the restore function popped up and I was able to put my computer back to a restore point 2 weeks ago.

All my desktop icons were present but when I tried to run Malwarebytes I got a message saying the program was missing. I re-downloaded it and ran it.

This is what the Scan log showed:

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Documents and Settings\Jerry\Local Settings\temp\DownloadManager.exe (PUP.Optional.OutBrowse) -> No action taken.
C:\Documents and Settings\Jerry\Local Settings\temp\Ntfs_Cleanp.dll (Trojan.Agent.ED) -> No action taken.
C:\Documents and Settings\Jerry\Templates\2433f433 (Trojan.Agent.TPL) -> No action taken.
C:\Documents and Settings\All Users\Application Data\2433f433 (Trojan.Agent.TPL) -> No action taken.
C:\Documents and Settings\Jerry\Application Data\2433f433 (Trojan.Agent.TPL) -> No action taken.

The 5 items found were quarantined.

I am baffled at this point as to why the Hitmanpro didn't find anything (at least it didn't show that it found the ICE virus) and it didn't work the first time I ran it. I'm even more puzzled that after the second time, my computer self-booted in safe with command prompt. The topper for me is the WTF??? I experienced when I was able to restore my system after being unable to do so numerous times prior.

What do you recommend I do at this point? Should I run some more AV stuff and flush my system or do you want me to go into the registry and find something specific?
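The Malwarebytes log pasted in the post above has a regular shape: one "<Section> Detected: N" header per category, followed by either "(No malicious items detected)" or N lines of the form "path (Detection.Name) -> Action." The parser below is an added example, not part of the thread and not Malwarebytes' own code, that turns such a log into records, checks that the claimed count per section matches the lines actually present (a cheap way to catch a truncated paste), and pulls out what a responder looks at first: detection families, items still marked "No action taken", and an object name that recurs in several locations (here the same "2433f433" in three profile folders). The embedded log text is constructed from the lines in the post; the line format is assumed to be stable across MBAM logs of that era.

```python
"""Parse a Malwarebytes (MBAM) scan log and triage the detections.

Added example. SAMPLE_LOG is constructed from the log quoted in the post.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\\Documents and Settings\\Jerry\\Local Settings\\temp\\DownloadManager.exe (PUP.Optional.OutBrowse) -> No action taken.
C:\\Documents and Settings\\Jerry\\Local Settings\\temp\\Ntfs_Cleanp.dll (Trojan.Agent.ED) -> No action taken.
C:\\Documents and Settings\\Jerry\\Templates\\2433f433 (Trojan.Agent.TPL) -> No action taken.
C:\\Documents and Settings\\All Users\\Application Data\\2433f433 (Trojan.Agent.TPL) -> No action taken.
C:\\Documents and Settings\\Jerry\\Application Data\\2433f433 (Trojan.Agent.TPL) -> No action taken.
"""

# "Files Detected: 5"  ->  section="Files", count=5
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "C:\path\x.exe (Trojan.Agent.ED) -> No action taken."
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {section: [{'object', 'detection', 'action'}, ...]}.

    Raises ValueError if a section's claimed count disagrees with the number
    of item lines parsed under it, which usually means a truncated paste.
    """
    sections, claimed, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):      # blank or "(No malicious items detected)"
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            claimed[current] = int(m.group("count"))
            sections[current] = []
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            sections[current].append(m.groupdict())
    for name, n in claimed.items():
        if n != len(sections[name]):
            raise ValueError("%s: log claims %d items, parsed %d" % (name, n, len(sections[name])))
    return sections


def triage(sections):
    """Summarise detections: family counts, untreated items, recurring object names."""
    items = [it for its in sections.values() for it in its]
    families = Counter(it["detection"].split(".")[0] for it in items)
    untreated = [it["object"] for it in items
                 if it["action"].lower().startswith("no action")]
    by_name = Counter(it["object"].rsplit("\\", 1)[-1] for it in items)
    repeated = sorted(name for name, n in by_name.items() if n > 1)
    return {"families": families, "untreated": untreated, "repeated_names": repeated}


if __name__ == "__main__":
    summary = triage(parse_mbam_log(SAMPLE_LOG))
    for key, value in summary.items():
        print("%s: %s" % (key, value))
```

Feed `parse_mbam_log` the full text of a saved MBAM log to get the same summary for another machine; the count check makes it fail loudly rather than silently under-report when someone pastes only part of the "Files Detected" block.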



#6 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 05 August 2013 - 03:49 AM

Yes run the tools I have posted. 

 

The reason why command prompt may have worked is, I think, because you removed the LAN cable, so ...

