ICE Cyber Crimes Virus

rbrown

Jan 18, 2014
I have Windows XP Service Pack 3 and IE8. After encountering the ransomware ICE, I tried Kaspersky Disk 10
but still have the infection. Any ideas for my next step?
 
Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note: as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
On your clean PC, download attached file and save it onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Attempt to boot normally.
 


System booted normally. Seems to be running OK.
Thank you for your assistance.
 
1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this instruction (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this one.


Note: Do not forget to turn on this option after the cleaning.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach the log report (ComboFix.txt) back to the topic.
 
Open notepad and copy/paste the text present inside the code box below:


Code:
File::
c:\documents and settings\All Users\Application Data\ezjmqjgr.reg

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"=-
"50000:UDP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableVirtualization"=-
"DisableRegedit"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=-

ClearJavaCache::
Save this as CFScript.txt

[Screenshot: CFScriptB-4.gif]


Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
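As an added defender-side check (not part of this thread and not ComboFix's own code), the PowerShell script below reads the same keys the CFScript above touches and reports any override that is still in place after the fix. It assumes the CFScript's `~` stands for SYSTEM\CurrentControlSet (ComboFix shorthand) and that it runs in an elevated PowerShell on the cleaned machine; it changes nothing.

```powershell
# Added example: read-only audit of the registry values the CFScript resets.
# Assumption: "~" in the CFScript expands to SYSTEM\CurrentControlSet.
$script:findings = @()

# Override/notify/policy DWORDs: the CFScript zeroes or deletes them, so any
# non-zero value means the alert suppression or regedit lockout is still in force.
function Test-NonZero([string]$Key, [string[]]$Names) {
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($p -eq $null) { return }
    foreach ($n in $Names) {
        $v = $p.$n
        if ($v -ne $null -and [int]$v -ne 0) { $script:findings += "$Key : $n = $v (expected 0)" }
    }
}

# Entries the CFScript deletes outright ("=-"): report them if still present.
function Test-Absent([string]$Key, [string[]]$Names) {
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($p -eq $null) { return }
    foreach ($n in $Names) {
        if ($p.PSObject.Properties[$n] -ne $null) { $script:findings += "$Key : $n present = $($p.$n)" }
    }
}

$sc  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$pol = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

Test-NonZero $sc @('FirewallOverride')
Test-NonZero "$sc\Monitoring\SymantecFirewall" @('DisableMonitoring')
Test-NonZero "$sc\Svc" @('AntiVirusDisableNotify', 'AntiVirusOverride',
                         'FirewallDisableNotify', 'FirewallOverride', 'UpdatesDisableNotify')

# EnableFirewall is deleted so the default (on) applies; only an explicit 0 is a problem.
$fwp = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
if ($fwp -ne $null -and $fwp.EnableFirewall -ne $null -and [int]$fwp.EnableFirewall -eq 0) {
    $script:findings += "$fw : EnableFirewall = 0 (firewall disabled)"
}
Test-Absent "$fw\GloballyOpenPorts\List" @('5985:TCP', '50000:UDP')
Test-NonZero "HKLM:\$pol" @('EnableVirtualization', 'DisableRegedit')
Test-NonZero "HKCU:\$pol" @('DisableRegedit')
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Test-NonZero "HKU:\.DEFAULT\$pol" @('DisableRegedit')

if ($script:findings.Count -eq 0) { 'No leftover overrides found.' } else { $script:findings }
```

Windows XP SP3 needs PowerShell 2.0 installed for this to run; every line in the audit list maps one-to-one to a key in the CFScript, so a non-empty report means the fix did not fully apply.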
 
Am I supposed to include from File:: up to ClearJavaCache:: in the file CFScript.txt ?
I did this and dragged the file to the ComboFix.exe item in the window.
I did this through my email window. Should it be done from your website instead?
It did not initialize ComboFix.
 
I created the CFScript.txt file and dragged it from where it was saved on my desktop to the
ComboFix.exe box above. It doesn't appear that it started running. It brings up an
Internet Explorer window that shows the CFScript.txt file.
 
It is saved as CFScript. I tried dragging it to the box above but nothing happens.