ICE Crime Virus says no to all attempts of removal

plZ_Help123

New Member
Thread author
Aug 11, 2013
12
My computer has the ICE cyber crime virus.
Because of the lock screen I cannot get a log, sorry.

I have tried safe mode restore, safe mode with networking, safe mode with command prompt, and booting Hitman from a USB. Computer will automatically shut down after selecting all of the above.

The computer that is infected has Windows 7 64bit
The computer (backup) has Windows Vista 32bit.

 

plZ_Help123

New Member
Thread author
Aug 11, 2013
12
I just ran Frst64 and have attached both of the reports.
My fixlog report shows that not all files were removed.
They are both attached. I may have written an incorrect fixlist.txt.
Any Ideas??
 

Attachments

  • FRST.txt
    17.1 KB · Views: 94
  • Fixlog.txt
    536 bytes · Views: 73

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe, the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.


On another PC, open notepad and copy & paste the following:

start
HKU\D1DDY\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\D1DDY\AppData\Local\Temp\vaidqvjcjtbwqfuof.exe [59904 2013-08-11] (Valve) <===== ATTENTION
C:\Users\D1DDY\AppData\Local\Temp\vaidqvjcjtbwqfuof.exe
HKU\D1DDY\...\Run: [SearchProtect] - C:\Users\D1DDY\AppData\Roaming\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
HKLM-x32\...\Run: [SearchProtectAll] - C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
C:\Users\D1DDY\AppData\Roaming\SearchProtect
C:\Program Files (x86)\SearchProtect
HKU\D1DDY\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\D1DDY\...\Command Processor: "C:\Users\D1DDY\AppData\Local\Temp\vaidqvjcjtbwqfuof.exe" <===== ATTENTION!
2013-08-11 07:09 - 2013-08-11 07:09 - 01328194 _____ C:\ProgramData\2433f433
2013-08-11 07:09 - 2013-08-11 07:09 - 01328173 _____ C:\Users\D1DDY\AppData\Local\2433f433
2013-08-11 07:09 - 2013-08-11 07:09 - 01328116 _____ C:\Users\D1DDY\AppData\Roaming\2433f433
C:\Windows\svchost.exe
end

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Attempt to boot normally. If successful,

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)

Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • click Start scan .
  • If a suspicious object is detected, the default action will be Skip, click on Continue. (If it says TDL4/TDSS file system, select delete)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt)
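The fixlist above targets three persistence points that are worth understanding as a defender: a Run key entry launching an executable from the user's Temp folder, a Winlogon Shell value replaced with cmd.exe, and a Command Processor AutoRun value pointing at the same executable (so the lock screen relaunches every time the hijacked "shell" starts). The following PowerShell script is an added example, not part of the thread or of FRST; it audits those locations on a machine that boots normally, for instance as a post-cleanup check. It assumes an elevated prompt on Windows 7 or later, and the HKU\D1DDY entries from the log correspond to HKCU when logged on as that user (offline hives are not covered).

```powershell
# Added example: audit the persistence locations that the FRST fixlist above removes.
# Run from an elevated PowerShell prompt on a system that boots normally.

$findings = @()

function Add-Finding {
    param([string]$Location, [string]$Name, [string]$Value, [string]$Reason)
    $script:findings += [pscustomobject]@{
        Location = $Location; Name = $Name; Value = $Value; Reason = $Reason
    }
}

# 1. Winlogon Shell: the only expected value is explorer.exe. A per-user Shell value
#    (HKCU) is unusual by itself; the log above shows it set to cmd.exe.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -notmatch '^\s*"?explorer\.exe"?\s*$') {
        Add-Finding $key 'Shell' $shell 'Winlogon Shell is not explorer.exe'
    }
    if ($key -like 'HKCU:*' -and $shell) {
        Add-Finding $key 'Shell' $shell 'Per-user Winlogon Shell override is present'
    }
}

# 2. Command Processor AutoRun: runs on every cmd.exe start. Legitimate systems almost
#    never set it; the log above shows the ransomware executable here.
$cmdKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Command Processor',
    'HKCU:\SOFTWARE\Microsoft\Command Processor'
)
foreach ($key in $cmdKeys) {
    $autorun = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($autorun) {
        Add-Finding $key 'AutoRun' $autorun 'Command Processor AutoRun is set'
    }
}

# 3. Run keys: flag entries that launch from Temp or Roaming AppData, where the
#    log's vaidqvjcjtbwqfuof.exe and SearchProtect\bin\cltmng.exe lived.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... properties PowerShell adds to the object.
        if ($p.Name -like 'PS*') { continue }
        $v = [string]$p.Value
        if ($v -match '\\AppData\\(Local\\Temp|Roaming)\\') {
            Add-Finding $key $p.Name $v 'Run entry launches from Temp or Roaming AppData'
        }
    }
}

# 4. A copy of svchost.exe outside System32 (the fixlist deletes C:\Windows\svchost.exe).
$strayHost = Join-Path $env:SystemRoot 'svchost.exe'
if (Test-Path $strayHost) {
    Add-Finding $strayHost '(file)' $strayHost 'svchost.exe outside System32'
}

if ($findings.Count -eq 0) {
    'No findings in the audited persistence locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script only reports; it does not delete anything, because the thread shows why deletion needs a human looking at the full log (the helper revised the fixlist twice before it covered every related file). A clean result here does not replace the TDSSKiller and MBAR scans the helper asks for, since those look at drivers and the disk itself, which this registry audit does not.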
 

plZ_Help123

New Member
Thread author
Aug 11, 2013
12
Thanks for helping me, but after I ran explorer.exe in the command prompt, my Windows desktop lasted about 10 sec before the original page blocker/ransom virus appeared again.

I have attached the prior fixlog.txt and the new frst.txt file.
 

Attachments

  • Fixlog.txt
    731 bytes · Views: 57
  • FRST.txt
    16.9 KB · Views: 85

Fiery

Level 1
Jan 11, 2011
2,007
Hmm, some of the script didn't run. Please try the below again and make sure Word Wrap in notepad is unselected.

Open notepad and copy & paste the following:

start
HKU\D1DDY\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\D1DDY\AppData\Local\Temp\vaidqvjcjtbwqfuof.exe [59904 2013-08-11] (Valve) <===== ATTENTION
HKU\D1DDY\...\Run: [SearchProtect] - C:\Users\D1DDY\AppData\Roaming\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
HKU\D1DDY\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKLM-x32\...\Run: [SearchProtectAll] - C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
C:\Users\D1DDY\AppData\Local\Temp\vaidqvjcjtbwqfuof.exe
C:\Windows\svchost.exe
C:\Users\D1DDY\AppData\Roaming\SearchProtect
C:\Program Files (x86)\SearchProtect
end

Then go to Format and make sure Word Wrap is un-checked. Save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.
 

plZ_Help123

New Member
Thread author
Aug 11, 2013
12
Here are the latest files.
The fixlist.txt I used, the Fixlog.txt I was given, and the Frst.txt when I ran the scan utility after receiving the Fixlog.txt.

The same two lines are still there.

Thanks for your help, I will continue to follow your direction for removing this virus.
 

Attachments

  • fixlist.txt
    691 bytes · Views: 80
  • Fixlog.txt
    644 bytes · Views: 68
  • FRST.txt
    16.8 KB · Views: 96

Fiery

Level 1
Jan 11, 2011
2,007
Try this one. Right-click the attachment and select save as and save it to your USB.

 

Attachments

  • fixlist.txt
    671 bytes · Views: 73

Fiery

Level 1
Jan 11, 2011
2,007
That's better.

I realized I missed 3 folders that should be removed. Here is the new fixlist.txt, do the same thing as before.


Afterwards, try to boot normally. If successful, follow the instructions above to run TDSSKiller and Malwarebytes. If not, send me another FRST log. Most of the bad files are now deleted.
 

Attachments

  • fixlist.txt
    262 bytes · Views: 69

plZ_Help123

New Member
Thread author
Aug 11, 2013
12
OK, I think it's clear. Here are the new .txt files, could you look over them once more to see if the virus is completely removed?
 

Attachments

  • FRST.txt
    15.7 KB · Views: 99
  • Fixlog.txt
    419 bytes · Views: 72

Fiery

Level 1
Jan 11, 2011
2,007
Not quite done yet.

Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • click Start scan .
  • If a suspicious object is detected, the default action will be Skip, click on Continue. (If it says TDL4/TDSS file system, select delete)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt)

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)
 

Fiery

Level 1
Jan 11, 2011
2,007
Please download Complete Internet Repair from here and transfer it to your PC. Make sure you are not running the program from the USB
  • Unzip all the files to the desktop
  • Double click the Complete Internet Repair folder with the unzipped files on your desktop
  • Double click on CIntRep.exe
  • Place a checkmark next to the following entries:

    • Reset Internet Protocol (TCP/IP)
      Repair Winsock (Reset Catalog)
      Renew Internet Connections
      Flush DNS Resolver Cache
      Repair Internet Explorer 6.0.2900
      Clear Windows Update History
      Repair Windows / Automatic Updates
      Repair SSL / HTTPS / Cryptography
      Reset Windows Firewall Configuration
      Restore the default hosts file
      Repair Workgroup Computers view
  • Click Go!
  • Select file to get the log once the program has finished
  • Click OK to reboot your computer
  • Check your internet access
 

plZ_Help123

New Member
Thread author
Aug 11, 2013
12
Page not found for the link.

I went online and downloaded all the network adapter drivers from HP's website... Problem seems to be fixed, I have internet now.

I have attached the logs.
 

Attachments

  • TDSSKiller.2.8.16.0_11.08.2013_20.50.58_log.txt
    525.9 KB · Views: 85
  • system-log.txt
    73 KB · Views: 97
  • mbar-log-2013-08-12 (19-17-23).txt
    2 KB · Views: 83

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

You have a malicious partition on your hard drive that needs to be deleted. Please re-run TDSSKiller again, but for \Device\Harddisk0\DR0 ( TDSS File System ) select Quarantine or Delete. Post the TDSSKiller log after.

Next, Please download Malwarebytes' Anti-Malware from here to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 

Fiery

Level 1
Jan 11, 2011
2,007
Do a scan like you did before. When the results are in, select delete/quarantine for \Device\Harddisk0\DR0
 

plZ_Help123

New Member
Thread author
Aug 11, 2013
12
Only attached the last portion of the tdsskiller file so I would not reach my attachment usage limit.
 

Attachments

  • tdsskiller.txt
    2.5 KB · Views: 82
  • mbam-log-2013-08-17 (14-07-55).txt
    8.8 KB · Views: 111
  • log.txt
    2.2 KB · Views: 79
