mndad
Level 8
Message 11 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

Guys, I want to thank you all for your help. I have to say I have learned a lot from this experience. My daughter's machine runs Windows 7 and it is a Dell, just as the one I am typing on is.

I got the machine fixed last night but I really don't know what fixed it. 

I downloaded a new HitmanPro Kickstart USB drive from my youngest daughter's machine (64-bit version) and tried to use it as boot media, as I had already tried. This time I heard the machine spinning and the blue bar got further before stopping. I let the machine spin for quite a while before shutting it down with the power button. I wanted to see if I had really messed up the registry or some other important software by all the hot boots I had done, so I decided to let it boot to the ICE screen. Lo and behold, without even hitting F8 I got the screen to choose safe mode or normal start. I decided to try safe mode with command prompt.

The machine looked to be behaving in a promising manner, took me to the user logon and promptly bypassed safe mode, shut itself down and rebooted. I expected the ICE screen but instead I got the Windows desktop!!

I quickly opened IE and downloaded HitmanPro and ran it with a trial subscription. It found a lot of files: at least 3 trojans deleted and numerous files quarantined. About that time McAfee prompted me to reboot because it had found a file and needed to reboot to deal with it. I ran a complete McAfee scan and even more infected files were found before I rebooted.

I rebooted and I am happy to report the machine is clean now. I ran Windows Update and installed everything called for. I ran Disk Cleanup and defragged the machine for good measure.

I don't think this is going to help anyone else; I wish something good could come from this time spent. I had downloaded KAV Rescue 10 and was going to try that after I got the ICE screen that fortunately did not appear.

Did not know about Farbar, but I was googling other options and picked KAV as the next step.

One thing: the McAfee firewall keeps turning off on her machine. Is that another problem, or do I just need to disable the Windows firewall on her machine?

Thanks again for the excellent advice.

Reliable Contributor Peacekeeper
Message 12 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

Malware can mess the firewall up, so download and run the McAfee Virtual Technician found on the support page:

http://service.mcafee.com/TechSupportHome.aspx?lc=1033&sg=TS

Try it first; if it is still an issue, it may be another cause not yet added to MVT to enable it to be fixed.

Message 13 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

WOW, this sounds familiar!  I posted earlier on another thread and exBrit suggested that I come here.

I am having the same difficulties as mndad. I have read recommendations from Malware and another and been through the "F8" "Safe Mode" a dozen times. I have downloaded HitmanPro and something from Malware ("mbam"), but I cannot get to the "C:\windows\system32\restore\rstrui.exe" command. The "Safe Mode" only allows me to utilize the commands listed under the "Help" command.

My machine is 7 or 8 years old and is operating under XP.  I am using my wife's iMac21 to submit this request for assistance.

Is it possible that "restore" and "rstrui.exe" have been compromised?  Is it possible that I may have to download the command from Windows or use the original disks to reboot?

Reliable Contributor Peacekeeper
Message 14 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

Maybe that will work. The best place, if safe mode restore will not work, is to post on the Bleeping Computer forum and let them analyse your infection. But then Peter told you that in your other post.

I assume you tried Stinger/Malwarebytes etc.

McAfee Communities: Anti-Spyware/Malware & Hijacker Tools

Reliable Contributor exbrit
Message 15 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

I suggested you post for help on BleepingComputer forums.

Message 16 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

Thank you Brit and Peacekeeper, here is a copy of my post on BleepingComputer:

Hello, I have a 7 or 8-year-old Compaq Presario with the XP operating system. I've been searching for help since being infected with the ICE lock-out virus on Aug 21 2013. I have downloaded HitmanPro and mbar (from Malware) and read numerous articles and posts/threads with excellent suggestions to combat and then eliminate the virus.

Unfortunately, "Safe Mode" has been of little assistance. No matter how I get to "Safe Mode", I cannot get the machine to recognize the "C:\windows\system32\restore\rstrui.exe" command. Additionally, I downloaded the two suggested virus locator removal programs to a USB, but my machine does not recognize it no matter what USB port it is inserted into. I just redownloaded the programs and can see them on the USB when viewed from my wife's iMac21.

In "Safe Mode with Networking" it takes me to a choice to open XP as the user or administrator. "User" takes me directly to Windows and the lock-out, whereas "Administrator" takes me to "C:\Windows>". Under "Safe Mode with Command Prompt" it reads: "c:\Documents and Settings\Administrator.Your (my address)". In either case, it becomes a challenge to get to C:\ and then any variation of the suggested "C:\windows\system32\restore\rstrui.exe" gets the response: "Command is not recognized. Type HELP for a list of supported commands."

Here too is a discrepancy: under "Command Prompt" the "HELP" command nets about 20 suggested commands, while under "Networking" it offers maybe 48 commands. HOWEVER, nowhere is either "restore" or "rstrui.exe" offered.

What am I doing wrong?

Is my ancient operating system corrupted?

Should I try to boot the unit with the original Windows XP in the cd player?

Reliable Contributor exbrit
Message 17 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

The last resort would be to completely format the hard drive and reinstall Windows, but that would be a long haul with 3 service packs and a multitude of other updates to install to catch up. Something that may be a bit daunting, but we've all been there and done that. You have to weigh up the fact that XP is running out of support next April 8.

Using software such as Hitman Pro and the like should only be done under expert supervision; that's why I suggested asking for help on BleepingComputer forums, as they specialize in the use of such tools. They will tell you what to use and when to use it.

We aren't qualified to advise you on their use here.

Reliable Contributor exbrit
Message 18 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

By the way, should you choose to format and reinstall, I may be able to help with an XP SP3 CD image, but you would need your own key to activate it. If you choose that route, please click on my name to take you to my profile and click Send Private Message over at the right side.

I use cloud storage to house some disk images and can provide a download link on request. Warning: be prepared to act immediately when I send it, as the cloud storage provider has a strict time limit on how long those download links last.

I will also need to know which version of XP, Home or Professional, you are using.

Message was edited by: Ex_Brit on 24/08/13 9:21:46 EDT AM

Reliable Contributor Hayton
Message 19 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

It's possible that the rstrui file has been renamed or deleted by the malware.

The Microsoft advice is:

At the command prompt, type %systemroot%\system32\restore\rstrui.exe, and then press ENTER.

If it's not in the 'restore' subdirectory, then according to Search it should also be in c:\windows\system32\dllcache and in c:\windows\servicepackfiles\i386.

Alternatively the malware may prevent the System Restore service from running.

  1. Type Net Start at the command prompt to make sure that the System Restore Service is up and is running.

    If the System Restore Service is not listed, type net start "System Restore Service", and then press Enter.

For XP see these Microsoft articles -

A description of the Safe Mode Boot options in Windows XP

How to start the System Restore tool by using the safe mode option with the Command prompt in Window...

Troubleshooting steps for issues when you try to use the System Restore tool in Windows XP

There are some suggestions and observations on CNET which might be useful:

http://forums.cnet.com/7723-6132_102-598053/fbi-moneypak-virus/
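The two checks Hayton describes (look for rstrui.exe in the alternative locations, then confirm the System Restore Service is running with net start) can be put into one batch file typed from the safe-mode command prompt. This is an added example, not code from the thread or from Microsoft; the paths are the three from Hayton's post, and the service name is the one quoted from the Microsoft article.

```batch
@echo off
REM Added example (not part of the thread): locate rstrui.exe in the locations
REM named above, then check whether the System Restore Service is running.
setlocal
set FOUND=0

REM The three candidate locations from the post. The loop records the first hit.
for %%P in ("%systemroot%\system32\restore\rstrui.exe" "%systemroot%\system32\dllcache\rstrui.exe" "%systemroot%\servicepackfiles\i386\rstrui.exe") do (
    if exist %%P (
        echo Found:   %%P
        set FOUND=1
    ) else (
        echo Missing: %%P
    )
)
if "%FOUND%"=="0" echo rstrui.exe was not found in any expected location; it may have been renamed or deleted.

REM "net start" with no arguments lists the services that are currently running.
net start | findstr /i /c:"System Restore Service" >nul
if errorlevel 1 (
    echo System Restore Service is not running; trying to start it...
    net start "System Restore Service"
) else (
    echo System Restore Service is running.
)
endlocal
```

Save it as, for example, checksr.cmd on a USB drive or in the user profile and run it from the safe-mode prompt; if a copy is reported as found, that path can be run directly instead of the default one, and the service check tells you whether the "net start" step in the post is needed.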

Message 20 of 21

Re: ICE Ransomware Virus Bypasses safe mode, safemode with networking and safe mode with command prompt Help

Hayton, Brit, and Peacekeeper, it was a struggle but I finally got into the "restore" using the "%systemroot%\system32\restore\rstrui.exe".

A hearty thank you for guiding me out of this quagmire. I shall recommend this site to others.