mndad
Level 8
Message 1 of 21

ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

I have a multi-user Total Protection account active in my home network. Yesterday my daughter came to me with a "US Courts" headed virus scam and we were able to boot to the desktop with safe mode and remove it with a full McAfee Security Scan. Today she has a later version of the virus apparently, with an "ICE" heading and the same baloney about violations and paying $300 to unlock the computer, but it is far nastier and I cannot do anything to run a program to remove it.

Each time I get the F8 list, I choose the safe mode, log in with the user account and the system shuts down and reboots without safe mode and we have the fixed screen. I saw this described in the Mandiant USA Cyber Security Ransomware thread but don't know how I can resolve this without safe mode.

Any help would be appreciated. 

Like John_burgess, I also don't understand why there is no mention of these issues on the web site or why the software did not pick up either the one I removed yesterday or the one that has me stymied today.  It's the kind of thing I bought the software to avoid in the first place.  My daughter says she did not open an attachment so it must be carried with some kind of youtube or game download she did.

Did not tag this to other discussions because they seem to be resolved with restoring from the command prompt, or renaming and then deleting the virus executable.  I can't get that far to search for the file or invoke an earlier restore point.

Accepted Solution

mndad
Level 8
Message 11 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

Guys, I want to thank you all for your help. I have to say I have learned a lot from this experience. My daughter's machine runs Windows 7 and it is a Dell, just as the one I am typing on is.

I got the machine fixed last night but I really don't know what fixed it. 

I downloaded a new Hitman Pro Kickstart USB drive from my youngest daughter's machine - 64-bit version - and tried to use it as boot media as I had already tried. This time I heard the machine spinning and the blue bar got further before stopping. I let the machine spin for quite a while before shutting it down with the power button. I wanted to see if I had really messed up the registry or some other important software by all the hot boots I had done, so I decided to let it boot to the ICE screen. Lo and behold - without even hitting F8 I got the screen to choose safe mode or a normal start. I decided to try safe mode with command prompt.

The machine looked to be behaving in a promising manner, took me to the user log on and promptly bypassed safe mode, shut itself down and rebooted.  I expected the ICE screen but instead I got the windows desktop!! 

I quickly opened IE and downloaded Hitman Pro and ran it with a trial subscription. It found a lot of files - at least 3 trojans deleted and numerous files quarantined. About that time McAfee prompted me to reboot because it had found a file and needed to reboot to deal with it. I ran a complete McAfee scan and even more infected files were found before I rebooted.

I rebooted and I am happy to report the machine is clean now. I ran Windows Update and installed everything called for. I ran Disk Cleanup and defragged the machine for good measure.

I don't think this is going to help anyone else - wish something good could come from this time spent. I had downloaded KAV Rescue 10 and was going to try that after I got the ICE screen that fortunately did not appear.

Did not know about Farbar but I was googling other options and picked KAV as next step. 

One thing - the McAfee firewall keeps turning off on her machine. Is that another problem or do I just need to disable the Windows Firewall on her machine?

Thanks again for the excellent advice.

20 Replies

Reliable Contributor Peacekeeper
Message 2 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

Does the method described here work, i.e. post 5 and the suggested HitmanPro and Malwarebytes scans?

He uses F8 and safe mode with command prompt.

Reliable Contributor exbrit
Message 3 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

I think Tony means this thread:  https://community.mcafee.com/thread/57339?tstart=0

Reliable Contributor Peacekeeper
Message 4 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

Yes sorry about that

mndad
Level 8
Message 5 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

No safe mode works at all. I am even having trouble getting the choice of the boot record to come up with F12 since I am trying the Hitman Pro method. It is not resolving into a choice of the boot record to call Hitman on the flash drive. I will let it run a while longer I guess, but I have been turning it off and on so many times who knows what damage I am doing.

mndad
Level 8
Message 6 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

Still not resolved. I plug in the USB drive and try to invoke the boot record with F12 (it's a Dell) and the computer just stops. My laptop is 64-bit but I'm not sure which hers is. That could be the problem. Can't install the 32-bit version from this laptop, so the drive has both on it.

mndad
Level 8
Message 7 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

Tony, the safe mode options are not available. When I select any of the safe modes, the computer goes to log on in safe mode and immediately after entering user credentials, the system reboots and ends up at the ICE screen lock once finished.

I am trying the Hitman Pro boot 'disc' (USB drive) even now, having hit F12 and gotten further with the drive plugged in, but I still have not gotten the boot screen described in the Bleeping Computer instructions. I have the blue bar under the Dell logo and Studio but it is just sitting. It was making promising processing sounds this time so I am going to let it run.

I had hoped being away from it for  a few days would give me more insight but no such luck. 

I tried to download a 32 bit version (install kickstart) from my other daughter's laptop but her OS is also 64 bit. 

Reliable Contributor Peacekeeper
Message 8 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

The malware may have evolved since that thread. Really best to check Google, as I am not an expert re malware and only suggest what I find online or see here.

Unless Peter has another suggestion.

Did the Hitman Pro option help? May be better to try HijackThis and post on one of its forums.

Reliable Contributor exbrit
Message 9 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

I really can't add to what's already been posted.    If a Hijackthis session could only be run and then the log could be analysed on one of the specialist forums for their expert help -  in the last link in my signature below, scroll down the page.   If it were my machine I'd be formatting and reinstalling the system, or taking it to a good PC repair shop at least.   It's getting too technical for me to be of much help, sorry.

The other Peter is more expert than I at troubleshooting this sort of thing.

Message was edited by: Ex_Brit on 05/08/13 3:01:47 EDT PM
Reliable Contributor Hayton
Message 10 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

@mndad, this thread has been running for 5 days now. Time to get it fixed, if it's not already been fixed by someone else.

You've got a 64-bit laptop and you're trying to download repair programs from that to your daughter's 64-bit machine using a flash drive, if I read the posts correctly.

No-one's asked what the operating system is on either machine. 64-bit means neither is XP, but are you and your daughter running Vista, Windows 7, Windows 8 or something else? And what hardware platform are these machines? One of them is a Dell, and that presumably is your daughter's machine.

The Hitman Pro boot disk hasn't worked, so it's time to try something else. Both Quads (on the Norton forums) and Mr. Charlie (on the Malwarebytes forums) prefer a different approach, and recommend the Farbar Recovery Scan Tool as a first step. It's worth a try. You may need to do some cleaning up afterwards if this approach works, since Windows Automatic Update (and perhaps other functions) will have been disabled by the malware.

If you want to see the threads I refer to, they are at

http://forums.malwarebytes.org/index.php?showtopic=127895 and

http://community.norton.com/t5/Malware-Discussion/ICE-Cyber-Crime-Ransomware/td-p/998387.

The instructions for running Farbar are copied from one of Quads' posts.

[Image attachment: Farbar Recovery Tool.PNG]

Note that you will need the 64-bit version (frst64.exe), not the 32-bit one.

If that works it will produce a small .txt output file. Attach that to your next post, let's see if it shows anything.

Message was edited by: Hayton on 05/08/13 18:05:22 IST
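Two points raised in this thread come down to verifying what state the machine was left in once the lock screen is gone: Hayton's warning that Windows Automatic Update (and perhaps other functions) will have been disabled by the malware, and mndad's earlier question about the firewall turning off. The PowerShell script below is an added example for this thread, not a tool from McAfee, Farbar or any of the posters. It reports the state and start mode of the Windows Update, Windows Firewall, Base Filtering Engine and Security Center services, the per-profile state of the Windows Firewall, the Winlogon Shell and Userinit values, and the contents of the Run keys. The "expected" values are assumed stock Windows 7 defaults; the thread does not say how this particular sample disabled updates or survived safe mode, so the Winlogon and Run-key sections are generic post-cleanup review points, not a claim about this malware.

```powershell
# Post-cleanup verification for a Windows 7 machine recovering from a lock-screen
# ransomware infection. Added example for this thread; not McAfee, Farbar or
# poster-supplied code. Run from an elevated PowerShell prompt. Read-only unless
# -Repair is given. Expected values are ASSUMED stock Windows 7 defaults.
param([switch]$Repair)

# WMI reports StartMode as Auto/Manual/Disabled; Set-Service wants Automatic/Manual/Disabled.
$startModeMap = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

function Test-ServiceState {
    param([string]$Name, [string]$ExpectedStartMode)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { Write-Warning "${Name}: service not found"; return $false }
    $ok = ($svc.StartMode -eq $ExpectedStartMode -and $svc.State -eq 'Running')
    $flag = 'CHECK'; if ($ok) { $flag = 'OK' }
    Write-Output ('{0,-10} state={1,-8} start={2,-9} {3}' -f $Name, $svc.State, $svc.StartMode, $flag)
    if (-not $ok -and $Repair) {
        Set-Service -Name $Name -StartupType $startModeMap[$ExpectedStartMode]
        Start-Service -Name $Name -ErrorAction SilentlyContinue
    }
    return $ok
}

function Get-FirewallProfileState {
    # netsh is used because Get-NetFirewallProfile does not exist on Windows 7.
    # The regexes match the English netsh output; a localised Windows will need adjusting.
    $lines = netsh advfirewall show allprofiles state
    $profile = $null
    foreach ($line in $lines) {
        if ($line -match '^(\w+) Profile Settings') { $profile = $Matches[1] }
        elseif ($profile -and $line -match '^State\s+(\w+)') {
            Write-Output ('{0,-10} firewall={1}' -f $profile, $Matches[1])
            $profile = $null
        }
    }
}

function Test-WinlogonDefaults {
    # Stock Windows 7 values (assumed); anything else deserves a closer look.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $key
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = "$env:SystemRoot\system32\userinit.exe,"
    }
    $allOk = $true
    foreach ($name in $expected.Keys) {
        $actual = [string]$wl.$name
        $ok = ($actual.Trim() -ieq $expected[$name])
        if (-not $ok) { $allOk = $false }
        $flag = 'CHECK'; if ($ok) { $flag = 'OK' }
        Write-Output ('Winlogon\{0,-8} = "{1}"  {2}' -f $name, $actual, $flag)
    }
    return $allOk
}

function Show-RunKeys {
    # Lists autostart entries for manual review; the script does not judge them.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $props = Get-ItemProperty -Path $p
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            Write-Output ('{0}\{1} = {2}' -f $p, $prop.Name, $prop.Value)
        }
    }
}

Write-Output '== Services often left disabled after infection (expected: Running, Auto) =='
'wuauserv', 'MpsSvc', 'BFE', 'wscsvc' | ForEach-Object { [void](Test-ServiceState -Name $_ -ExpectedStartMode 'Auto') }
Write-Output "`n== Windows Firewall profile state =="
Get-FirewallProfileState
Write-Output "`n== Winlogon Shell / Userinit (stock Windows 7 values assumed) =="
[void](Test-WinlogonDefaults)
Write-Output "`n== Run keys (review anything you do not recognise) =="
Show-RunKeys
```

Run it without `-Repair` first and read the report; only the service section changes anything, and only when `-Repair` is supplied. A Windows Firewall profile showing OFF is not by itself a finding on a machine where the McAfee firewall is the registered firewall, which is why the script reports both the Windows Firewall profile state and the firewall service rather than deciding for you. Any Run-key entry or Winlogon value you do not recognise is what the FRST log Hayton asks for would also surface, so attach that log rather than acting on a guess.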