18 Replies. Latest reply on Aug 24, 2013 4:29 AM by exbrit

    ICE Cyber Crime virus

      I have the ICE Cyber Crime virus on my desktop. I can't get past step two in trying to remove. I shut the computer off and waited at least 10 seconds, switched it on and immediately started pressing F8.

      I then arrowed to Safe Mode With Networking, hit enter, selected XP Professional as operating system, hit enter, got a page of script, then the screen went to "To begin, click user name". Windows then shut down and restarted (no mention of safe mode); it displayed Welcome, then opened up to the ICE Crime Center screen. How do I get into safe mode and try to get a virus removal tool?

        • 1. Re: ICE Cyber Crime virus
          exbrit

          Moved to Top Threats as a better spot.

           

          You'll have to create a bootable USB drive using another machine as per this tutorial:  http://www.bleepingcomputer.com/virus-removal/remove-ice-cyber-crime-center-ransomware

          See "Automated Removal Instructions for ICE Cyber Crime Center Ransomware using HitmanPro.Kickstart", but read the whole thing.

          • 2. Re: ICE Cyber Crime virus

            Thank you. I followed the instructions, however when I got to Step 10, the HitmanPro window never appeared. Any suggestions?

             

            Georgeas

            • 3. Re: ICE Cyber Crime virus
              exbrit

              You'll have to ask them about that.  At the bottom of that tutorial it states:

               

              If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.

              • 4. Re: ICE Cyber Crime virus
                andreygvozd

                I recommend you to remove this virus by rebooting your PC into safe mode with networking and scanning your PC with McAfee. Basically, safe mode with networking should work very well with ICE Virus. What I mean is that ICE virus doesn't really block this mode, since this is a Reveton-type of ransomware.

                You may use these instructions on how to remove ICE virus in safe mode with networking - http://www.system-tips.net/remove-ice-cyber-crime-center-virus/

                 

                If this solution doesn't work, then try the option to restore your PC to an earlier date by running System Restore (provided that you have this system restore option). See how to do it here.

                 

                Message was edited by: andreygvozd on 6/14/13 9:09:53 AM CDT
                • 5. Re: ICE Cyber Crime virus

                  Not any of the online solutions seem to work on the variant of virus that infected my computer. The furthest I could get was the boot screen. I could not make it past the user logon without the ICE screen showing up. When trying to execute any program, my computer would automatically restart.  I tried a boot USB from HitmanPro.  It didn't work either.  Kaspersky was no help either. What worked for me was:

                  1. Hit F8 then select "Safe Mode with Command Prompt" option
                  2. Logon to user
                  3. At command prompt window, type "rstrui.exe", which is the restore command.
                  4. Select an earlier time period to restore to
                  5. Computer will restart after restore process
                  6. Logon to user
                  7. Run Malwarebytes and HitmanPro to clean any remaining files
                  8. Free from the ICE virus

                  • 6. Re: ICE Cyber Crime virus
                    exbrit

                    bdg wrote:

                     

                    Not any of the online solutions seem to work on the variant of virus that infected my computer. The furthest I could get was the boot screen. I could not make it past the user logon without the ICE screen showing up. When trying to execute any program, my computer would automatically restart.  I tried a boot USB from HitmanPro.  It didn't work either.  Kaspersky was no help either. What worked for me was:

                    1. Hit F8 then select "Safe Mode with Command Prompt" option
                    2. Logon to user
                    3. At command prompt window, type "rstrui.exe", which is the restore command.
                    4. Select an earlier time period to restore to
                    5. Computer will restart after restore process
                    6. Logon to user
                    7. Run Malwarebytes and HitmanPro to clean any remaining files
                    8. Free from the ICE virus

                    Safe Mode is often a saviour as you found out.   Glad you found a way.

                    • 7. Re: ICE Cyber Crime virus

                      I just finished removing the virus from my computer, which was infected the 15th. It was really pretty simple. First, if you pay attention when you log on you'll notice a cmd window right before the lock screen. It makes the call to the virus.exe, aka the lock screen. Use this to get the name of the file that's infected your computer (the first few characters are fine). Then use some sort of bootable media (USB, CD, PXE) to boot into Linux (any OS works, I prefer Linux), open up a terminal, type " cd .. " to go up a directory, then type " ls " to list all files. You should see "OS:" or "C:/" (the name of the hard drive for your computer). Type " cd OS/Users/[Infected Username Here] ", then type " find -name [the first few characters of the program being called by the cmd line right before lock screen]* ". MAKE SURE YOU TYPE THE *. If you copied the characters right you should see a .exe file that starts with those characters you typed in, preceded by a filepath. Use cd to navigate to the folder containing the virus, then type mv [VirusFileName.exe] [VirusFileName.exe.Virus].

                       

                      Now reboot the computer. You'll get a black screen and a cmd window when you log in, complaining about the file name you changed. Hit Ctrl+Alt+Del, start Task Manager, then click File, New Task. A window will pop up; type in explorer to bring up the user interface. Now click the start menu, type regedit and hit enter. Expand HKEY_CURRENT_USER, then expand Software, expand Microsoft and select Command Processor. Click the AutoRun property in the right-hand pane, then right-click it, select Modify and delete the path. This will stop the cmd prompt from trying to execute the virus every time cmd is run. Now in the scroll list on the left find Windows NT (under Software>Microsoft) and expand it, then CurrentVersion, and select Winlogon. You'll see a property called Shell in the right pane and it's set to cmd.exe; change it to explorer.exe.

                       

                      As simple as that. All you have to do is locate the virus file you renamed to .exe.Virus and delete it (the reason for not deleting it is that, on the off chance it's NOT the file we need to remove, it still exists and we can rename it to .exe).

                       

                      Hope this helps someone, and sorry if it's not the clearest. Just msg me on here and I'll try to get back to you.

                       

                      Safe surfing everyone,

                      Richard.
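
The registry values edited by hand in the post above can be audited with a short script once the machine boots to a desktop again. This is an added example, not part of the original post; it assumes PowerShell is available on the machine, and the baselines it compares against (AutoRun empty or absent, Shell absent or `explorer.exe` per user and `explorer.exe` machine-wide) are assumptions about a stock install.

```powershell
# Added example (not from the thread): audit the autorun values named in the post.
# Baselines below are assumptions for a stock Windows install.
$checks = @(
    @{ RegPath = 'HKCU:\Software\Microsoft\Command Processor'
       ValueName = 'AutoRun'; Allowed = @(); MayBeAbsent = $true },
    @{ RegPath = 'HKLM:\SOFTWARE\Microsoft\Command Processor'
       ValueName = 'AutoRun'; Allowed = @(); MayBeAbsent = $true },
    @{ RegPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       ValueName = 'Shell'; Allowed = @('explorer.exe'); MayBeAbsent = $true },
    @{ RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       ValueName = 'Shell'; Allowed = @('explorer.exe'); MayBeAbsent = $false }
)

# Return the value's data as a string, or $null if the key or value is missing.
function Get-RegistryValueOrNull {
    param([string]$RegPath, [string]$ValueName)
    if (-not (Test-Path -LiteralPath $RegPath)) { return $null }
    $props = Get-ItemProperty -LiteralPath $RegPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $member = $props.PSObject.Properties[$ValueName]
    if ($null -eq $member) { return $null }
    return [string]$member.Value
}

$findings = foreach ($c in $checks) {
    $actual = Get-RegistryValueOrNull -RegPath $c['RegPath'] -ValueName $c['ValueName']
    if ([string]::IsNullOrEmpty($actual)) {
        # Empty and missing are treated alike: the post clears AutoRun, it does not delete it.
        $ok = $c['MayBeAbsent']
    } else {
        # -contains compares case-insensitively, so "Explorer.exe" also passes.
        $ok = $c['Allowed'] -contains $actual.Trim()
    }
    New-Object PSObject -Property @{
        Status = $(if ($ok) { 'ok' } else { 'REVIEW' })
        Value  = $c['ValueName']
        Actual = $actual
        Key    = $c['RegPath']
    }
}

# Anything marked REVIEW launches something other than the baseline at logon or cmd start.
$findings | Select-Object Status, Value, Actual, Key | Format-Table -AutoSize -Wrap
```

The script only reads the registry; any row marked REVIEW shows the command line that would be started, which is also the file path to hunt down on disk.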

                      • 8. Re: ICE Cyber Crime virus

                        bdg, how did you get the cmd prompt?  My safemode with command prompt also reboots before I can do anything.  I also tried to catch the executable file name but all I see is system32....

                         

                        Thanks.

                        • 9. Re: ICE Cyber Crime virus
                          Hayton

                          If you've got Vista or Windows 7 see if this is any use -

                          http://forums.malwarebytes.org/index.php?showtopic=127895

                           

                          If you can't get the PC to boot into Advanced Boot Options using F8, or if you've got a different OS, please let us know. Could be something's modified the MBR or even the BIOS.
