ICE Cybercrimes Ransomware

tom.b

New Member
Thread author
Jan 23, 2014
Hello,

I need help removing the ICE Cybercrimes Ransomware. I read through rbrown's thread and didn't want to hijack the thread. I was hoping TwinHeadedEagle could lend me a hand as well. I have run the initial testing and have attached the FRST.log.

Thanks in advance!

Tom
 


Hmm. Someone had replied that they were looking at my log but now the post is gone. So I am bumping just in case someone saw this and didn't help because someone else was helping. Thanks!
 
On your clean PC, download attached file and save it onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Attempt to boot normally.
 


Thank you for the reply,

Forgive my noobness, but how do I boot to recovery? I am currently still booted up using OTLPENet. Do I boot to recovery in the normal Windows OS?
 
Thank you.

Attached is the Fixlog.txt

I have successfully booted my hostage PC.

One thing I noticed, not sure if it is related. Windows Security Center says no anti virus detected when I have Zone Alarm and AVG installed.
 


I think there is more malware hidden here, so let's fix things one by one :)

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm the "End user Licence Agreement" and "KSN Statement" dialog boxes by clicking on the Accept button.
  • Press Start Scan
  • If Suspicious object is detected, the default action will be Skip, click on Continue.
  • If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.
 
Good, now run FRST from normal Windows and attach both reports...

Then...



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 
1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this Instruction.


Note: Do not forget to turn on this option after the cleaning.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach log reports (ComboFix.txt) back to topic.
 
Ok so I just ran ComboFix and it auto rebooted my PC.
It came up just fine.
I have a directory C:\ComboFix, inside of it I have ComboFix.txt which I have attached.
 


Any reply I will resume tomorrow. I am leaving the office for the day today. Thanks again for your help so far.
 
Report is not properly created, can you attach it again? Attach all reports inside C:\Combofix and ComboFix.txt inside C:\
 
Thanks.

I will do this first thing tomorrow morning. I am away from the office where the hostage PC is.

Thanks again for your time and help. Maybe you can teach me the ropes so I can be self-sufficient in the future.
 
If this is your company PC, I cannot help you anymore. Company is making money via this PC, and they should pay for its repair. We help only private users and non profitable computers.
 
It's not a company PC. If you still want to help me, I ran the 3 registry files and have attached the new FSS log.

Thanks.
 
