Operating System
Windows Vista
Infection date and initial symptoms
5/19/14; booted the next morning to ransom DHS ICE screen
Current issues and symptoms
boots to bogus DHS ICE site; classic ransom malware symptoms (e.g., programs hide behind site screen, etc.)
Steps taken in order to remove the infection
Desktop blocked with bogus DHS ICE site.
Won't boot up in safe/safe network/safe prompt.
Each kicks out and PC reboots normally, which means back to ransom page.
Windows Vista (x64) w/circa 2006 MB hardware.
Created Hitman flash drive kickstart and Sidekick CD, but boot hangs/fails when it tries USB.
Tried above flash drive w/Hiren's boot CD but also fails to boot from USB.
Tried Bitdefender boot CD, which booted and scanned OK, but failed to identify/remove ransom malware.
Advanced Boot Options do not include the 'Repair your computer' or 'System Recovery' choices; only these:

Enable Boot Logging
Enable low-resolution video (640x480)
Last Known Good Configuration (Advanced) - tried this one already; still gets ransom page.
Directory Services Restore Mode
Debugging Mode
Disable automatic restart on system failure
Disable Driver Signature Enforcement

Again, all 3 safe mode choices result in PC starting Windows normally, which results in ransom page.

Using Knoppix boot disk now to backup files, mainly in prep for reinstall of Vista.
Reinstall is last ditch option but would (MUCH) rather avoid.
Is there another option?

Mercury7

New Member

TwinHeadedEagle

Removal Expert
Verified
Staff member
OK, we will burn the required tools onto your USB drive.


Please download the following tools on your Desktop:
  1. Farbar Recovery Scan Tool x64
  2. Rufus
  3. Vista 64bit rc.iso

  • Insert your USB drive and then start Rufus.
  • Select the ISO file Vista 64bit rc.iso on the desktop via the ISO icon.

  • Under Device, select your USB flash drive.
  • Press Start.
  • When the process is complete, copy Farbar Recovery Scan Tool x64 onto this USB drive.
  • Insert the USB drive into the infected computer and power it on. Now you need to set your computer to boot from USB. In order to do that, follow this guide.
  • When you boot from USB, you will see an image like this:

  • Click Repair your computer.
  • Follow the prompt to enter the keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply press Enter.
  • In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window, type notepad and press Enter.
  • When Notepad opens, click File and select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window, type e:\frst64.exe and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.

It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.
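The drive-letter hunt in the steps above, as an added example that is not part of TwinHeadedEagle's reply and not code from FRST or Rufus: a small batch script (assumed name run_frst.cmd, placed on the USB next to frst64.exe) that searches every drive letter from the WinRE Command Prompt for frst64.exe, so the Notepad File > Open detour is not needed, and launches the tool from its own drive so that FRST.txt lands on the USB rather than on the WinRE ramdisk (X:). It assumes frst64.exe sits in the root of the flash drive, as the instructions say. Typed directly at the prompt instead of saved in a file, the loop variable is written %d instead of %%d.

```batch
@echo off
rem Added example, not from the original thread or from FRST itself.
rem Finds frst64.exe on whichever drive letter the USB got in WinRE and runs it.
rem Assumption: frst64.exe was copied to the ROOT of the flash drive.
rem Typed interactively at the WinRE prompt the search line becomes:
rem   for %d in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do @if exist %d:\frst64.exe echo %d:\frst64.exe
setlocal enabledelayedexpansion
set "FRST="

rem Walk every possible drive letter; WinRE itself lives on X:, the USB is usually C..H.
for %%d in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%d:\frst64.exe" set "FRST=%%d:\frst64.exe"
)

if not defined FRST (
    echo frst64.exe was not found on any drive. Is the USB drive inserted and is the tool in its root?
    exit /b 1
)
echo Found FRST at !FRST!

rem A zero-byte file means the copy to the USB never completed; refuse to run it.
for %%f in ("!FRST!") do if %%~zf EQU 0 (
    echo frst64.exe is empty. Recopy it to the USB drive on the clean machine.
    exit /b 1
)

rem Change to the USB root (first three characters, e.g. E:\) so FRST.txt is written there.
pushd "!FRST:~0,3!"
"!FRST!"
popd
endlocal
```

Because WinRE runs everything with SYSTEM rights from an unprotected ramdisk, the only trust check you get is the one you do yourself: compare the size (and, if you have a hash utility on the clean machine, the hash) of the frst64.exe on the USB with the copy you downloaded before booting the infected box with it.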