ICE Crime Virus says no to all attemps of removal

[plZ_Help123]

font=Times New Roman]
My computer has the ICE cyber crime virus.
Because of the lock screen I cannot get a log, sorry.

I have tried safe mode restore, safe mode with networking, safe mode with comand prompt, and booting Hitman from a USB. Computer will automatically shut down after selecting allof the above.

The computer that is infected has Windows 7 64bit
The computer (backup) has Windows Vista 32bit.

[/font][

 

[plZ_Help123]

I just ran Frst64 and have attached both of the reports.
My fixlog report shows that not all files were removed.
They are both attached. I may have written an incorrect fixlist.txt.
Any Ideas??

 

[Fiery]

Hi and welcome to MalwareTips!

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
• Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>

On another PC, open notepad and copy & paste the following:

start
HKU\D1DDY\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\D1DDY\AppData\Local\Temp\vaidqvjcjtbwqfuof.exe [59904 2013-08-11] (Valve) <===== ATTENTION
C:\Users\D1DDY\AppData\Local\Temp\vaidqvjcjtbwqfuof.exe
HKU\D1DDY\...\Run: [SearchProtect] - C:\Users\D1DDY\AppData\Roaming\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
HKLM-x32\...\Run: [SearchProtectAll] - C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
C:\Users\D1DDY\AppData\Roaming\SearchProtect
C:\Program Files (x86)\SearchProtect
HKU\D1DDY\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\D1DDY\...\Command Processor: "C:\Users\D1DDY\AppData\Local\Temp\vaidqvjcjtbwqfuof.exe" <===== ATTENTION!
2013-08-11 07:09 - 2013-08-11 07:09 - 01328194 _____ C:\ProgramData\2433f433
2013-08-11 07:09 - 2013-08-11 07:09 - 01328173 _____ C:\Users\D1DDY\AppData\Local\2433f433
2013-08-11 07:09 - 2013-08-11 07:09 - 01328116 _____ C:\Users\D1DDY\AppData\Roaming\2433f433
C:\Windows\svchost.exe
end

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Attempt to boot normally. If successful,

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Unzip the contents to a folder on your Desktop.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

Download TDSSkiller from here

• Double-Click on TDSSKiller.exe to run the application
• When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
• After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  
  
• click Start scan .
  
• If a suspicious object is detected, the default action will be Skip, click on Continue. (If it saids TDL4/TDSS file system, select delete)
• If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt

 

[plZ_Help123]

Black screen after restart and login.

 

[Fiery]

Please do a new FRST scan in system recovery mode.

 

[plZ_Help123]

Thanks for helping me but after I ran explorer.exe in the command prompt. My windows desktop lasted about 10 sec before the origianl page blocker/ransom virus appeared again.

I have attached the the prior fixlog.txt and the new frst.txt file.

 

[Fiery]

Hmm, some of the script didn't run. Please try the below again and make sure Word Wrap in notepad is unselected.

Open notepad and copy & paste the following:

start
HKU\D1DDY\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\D1DDY\AppData\Local\Temp\vaidqvjcjtbwqfuof.exe [59904 2013-08-11] (Valve) <===== ATTENTION
HKU\D1DDY\...\Run: [SearchProtect] - C:\Users\D1DDY\AppData\Roaming\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
HKU\D1DDY\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKLM-x32\...\Run: [SearchProtectAll] - C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
C:\Users\D1DDY\AppData\Local\Temp\vaidqvjcjtbwqfuof.exe
C:\Windows\svchost.exe
C:\Users\D1DDY\AppData\Roaming\SearchProtect
C:\Program Files (x86)\SearchProtect
end

Then go to Format and make sure Word Wrap is un-checked. Save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

 

[plZ_Help123]

Here are the lastest files.
The fixlist.txt I used, the Fixlog.txt I was given, and the Frst.txt when I ran the scan utility after recieving the Fixlog.txt.

The same two lines are still there.

Thanks for your help, I will continue to follow your direction for removing this virus.

 

[Fiery]

Try this one. Right-click the attachment and select save as and save it to your USB.

[attachment=5319]

 

[plZ_Help123]

New Fixlog.txt

 

[Fiery]

That's better.

I realized I missed 3 folders that should be removed. Here is the new fixlist.txt, do the same thing as before.

[attachment=5321]

Afterwards, try to boot normally. If successful, follow the instructions above to run TDSSKilers and malwarebytes. If not, send me another FRST log. Most of the bad files are now deleted.

 

[plZ_Help123]

OK, I think it clear. Here are the new txt. files, could you look over them once more to see if the virus is completely removed?

 

[Fiery]

Not quite done yet.

Download TDSSkiller from here

• Double-Click on TDSSKiller.exe to run the application
• When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
• After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  
  
• click Start scan .
  
• If a suspicious object is detected, the default action will be Skip, click on Continue. (If it saids TDL4/TDSS file system, select delete)
• If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Unzip the contents to a folder on your Desktop.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

 

[plZ_Help123]

Ran the TdssKiller and tried to update mbar but my network adapter is not working.

 

[Fiery]

Please download Complete Internet Repair from here and transfer it to your PC. Make sure you are not running the program from the USB

• Unzip all the files to the desktop
• Double click the Complete Internet Repair folder with the unzipped files on your desktop
• Double click on CIntRep.exe
• Place a checkmark next to the following entries:
  • 
    Reset Internet Protocol (TCP/IP)
    Repair Winsock (Reset Catalog)
    Renew Internet Connections
    Flush DNS Resolver Cache
    Repair Internet Explorer 6.0.2900
    Clear Windows Update History
    Repair Windows / Automatic Updates
    Repair SSL / HTTPS / Cryptography
    Reset Windows Firewall Configuration
    Restore the default hosts file
    Repair Workgroup Computers view
• Click Go!
• Select file to get the log once the program has finished
• Click OK to reboot your computer
• Check your internet access

 

[plZ_Help123]

page not found for the link,

I went online and downloaded all the network adapter drivers from HPs website... Problem seems to be fixed I have internet now.

I have attached the logs.

 

[Fiery]

Hi,

You have a malicious partition on your hard drive that needs to be deleted. Please re-run TDSSKiller again, but for \Device\Harddisk0\DR0 ( TDSS File System ) select quarantined or delete. post the TDSSKiller log after.

Next, Please download Malwarebytes' Anti-Malware from here to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• When it prompts you to try their 30-day trail, click decline
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
• Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
  • Scan unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
• Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
• The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt

 

[plZ_Help123]

How do I run TDSS Killer for \Device\Harddisk0\DR0 ( TDSS File System ) ?

 

[Fiery]

Do a scan like you did before. When the results are in, select delete/quarantine for \Device\Harddisk0\DR0

 

[plZ_Help123]

Only attached the last portion of the tdsskiller file so i would not reach my attachment usage limit.