
[FIXED] ICE Cyber Crime Center

My PC has been infected with this.  If I start in Safe Mode it just reboots as soon as it loads.  Please help.

Kudos0

Re: [FIXED] ICE Cyber Crime Center

[Instructions are for the thread starter's system only, not another user's system]

Please Read  http://community.norton.com/t5/Malware-Discussion/Malware-Discussion-Board-Guidelines/td-p/961409

This is to make sure the user has seen the Guidelines before starting.  

Even other malware removal forums state things like:

"you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.
From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean."

Users have to realise the tools used can cause problems anyway, and if instructions are not followed, bigger problems can occur: deleting something that shouldn't be, the program causing the system to freeze, the program jamming during the restart, etc. So we use instructions so that the tools are in the correct location (so we also know), settings are given so that items won't be automatically deleted, and other programs are disabled so things can be done without detection or conflict.

When the user follows instructions and things still go a little haywire, and it does happen, it is up to us to sort the extra problem out.

 

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Thank you very much for the reply. I have read the information.  I am running Windows Vista 64 bit.

Kudos0

Re: [FIXED] ICE Cyber Crime Center

You need to have a Flash Drive.

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Yes I have one of those.

Kudos0

Re: [FIXED] ICE Cyber Crime Center

I will be out for a couple of hours

 

 

Read Slowly and all of it.

Please download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/   You need to download the 64 bit version.


Transfer it on to the Flash Drive.

Enter System Recovery Options

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64.exe) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Restart the system and load Windows. Please attach the log in your reply.

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

I miraculously managed to get Task Manager on top.  I haven't closed anything, but does this help?

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Oh, so you are trying things against the guidelines and warnings. Cool, one less for me to deal with.

I don't have time for users who ignore the instructions and/or the guidelines. I infect my system with the likes of ICE and figure out why some instructions don't work, and why for users removing the file Windows still does not load properly. So FRST also got updated for the registry keys to fix.

Not to have users just go about (even after reading) doing their own thing creating a waste of time.

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

No, that's how my PC was when I came here.

Kudos0

Re: [FIXED] ICE Cyber Crime Center

My Advanced Boot Options does not have "Repair your Computer".  It has:

Safe Mode

Safe Mode.....

Safe Mode.....

Enable Boot Logging

Enable low-resolution

Last Good Configuration

Directory Services Restore Mode

Debugging Mode

Disable automatic restart

Disable driver signature enforcement

Start Windows normally

Kudos0

Re: [FIXED] ICE Cyber Crime Center

I know your time is valuable.  I have done everything you asked.  Please help.

Kudos0

Re: [FIXED] ICE Cyber Crime Center

So what you are saying is that I have no other option except to go to another company and their products/support for help?

Kudos0

Re: [FIXED] ICE Cyber Crime Center

What did I say in a previous message?


I will be out for a couple of hours

 

 

Read Slowly and all of it.

Please download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/   You need to download the 64 bit version.


Transfer it on to the Flash Drive.

Enter System Recovery Options

To enter System Recovery Options from the Advanced Boot Options:

 


 

 

Looks like this user is not reading properly. Message after message while I was out, even though I stated I was to be so.

 

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Do you have your Windows Repair CD (disc)??

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

No, I don't have one unless it's on a partition of the HDD.  If it is I don't know how to access it.

Kudos0

Re: [FIXED] ICE Cyber Crime Center

This should give me the registry entries required

Download  hxxp://oldtimer.geekstogo.com/OTLPENet.exe    to your desktop  (change the xx to tt)

Ensure that you have a blank CD in the drive

Double click OTLPENet.exe and this will then open imgburn to burn the file to CD for you ready.

Instead, on the flash drive we need the 32-bit version of FRST, not the 64-bit version; that can be removed.

Have the flash drive plugged into the computer.

 

a) Reboot your system using the boot CD you just created. OTLPE.


Note : If you do not know how to set your computer to boot from CD follow the steps here

As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads , it's all to do with system speed and hardware.

b) Your system should now display a Reatogo desktop. It looks sort of like you have loaded Windows XP but you are actually using the bootCD.

Note : as you are running from CD it is not exactly speedy 

c) (done already)

d) Locate the flash drive and run FRST, like you would with XP, using My Computer (Computer) to find the flash drive or any connected drive. It may ask which operating system to scan; choose your Vista OS.

e) The tool will start to run. When the tool opens click Yes to disclaimer. (if it appears)

f) Press Scan button. It will make a log (FRST.txt) on the flash drive.

You can either use the loaded OTLPE to be able to get to this forum over the net, or use whichever way you are getting to the net.

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Thank you for trying to help.

File Attachment: 
Kudos0

Re: [FIXED] ICE Cyber Crime Center

I have found it and I see you have PUPs too. I will break the stubborn PUP service (had fun with that one recently) but will get the rest later once back in Windows.

I just have to create a script for FRST to use. I did note this, of interest:

Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Cyrus\AppData\Local\Temp\nawsrhvwfbkktlnwd.exe [ 2013-07-09] (NVIDIA Corporation)

Ransomware with what looks like a legit Company name to try and fool users

Quads
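The Run entry quoted in the post above can be triaged mechanically. The following is an added example, not part of the original thread and not FRST's own logic: it parses lines in the shape quoted in the post and flags autostart entries that run from a temp directory while claiming a well-known company name. The vendor list, the consonant-run heuristic and the second and third sample lines are constructed assumptions.

```python
import re
from ntpath import basename, splitext  # Windows path rules on any host OS

# Line shape as quoted in the post: Run: [value] - path [ date] (Company)
RUN_LINE = re.compile(
    r"^Run:\s*\[(?P<name>[^\]]+)\]\s*-\s*(?P<path>.+?\.exe)\s*"
    r"(?:\[\s*(?P<date>[\d-]+)\s*\])?\s*(?:\((?P<company>[^)]*)\))?\s*$",
    re.IGNORECASE,
)
TEMP_DIR = re.compile(r"\\(?:appdata\\local\\temp|temp|tmp)\\")
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
KNOWN_VENDORS = {"nvidia corporation", "microsoft corporation"}  # illustrative only
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-xz]{5,}")  # crude "random name" signal


def reasons_for(path, company):
    """Return the list of reasons an autostart entry deserves a closer look."""
    p = path.lower()
    reasons = []
    if TEMP_DIR.search(p):
        reasons.append("runs-from-temp")
    # The company field is a version-resource string that any file can carry;
    # only a verified code signature ties a binary to its publisher.
    vendor = (company or "").strip().lower()
    if vendor in KNOWN_VENDORS and not p.startswith(INSTALL_ROOTS):
        reasons.append("vendor-name-outside-install-dir")
    if CONSONANT_RUN.search(splitext(basename(p))[0]):
        reasons.append("random-looking-filename")
    return reasons


def triage(log_text):
    """Parse Run: lines and return only the entries with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        reasons = reasons_for(m["path"], m["company"])
        if reasons:
            findings.append({"name": m["name"], "path": m["path"], "reasons": reasons})
    return findings


# First line is the entry quoted in the post; the other two are constructed.
SAMPLE = r"""
Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Cyrus\AppData\Local\Temp\nawsrhvwfbkktlnwd.exe [ 2013-07-09] (NVIDIA Corporation)
Run: [ExampleTray] - C:\Program Files\ExampleVendor\tray.exe [ 2012-01-01] (NVIDIA Corporation)
Run: [Updater] - C:\Users\User\AppData\Roaming\updater.exe [ 2013-01-01] (Microsoft Corporation)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```
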

Kudos0

Re: [FIXED] ICE Cyber Crime Center

I greatly appreciate any help you provide.  This PC has been on the net for 4-5 years with nothing but Norton 360 and Spybot S&D.  I've had several infections before but not to the point of not being able to access the computer.  I've had one similar to this one before but they only wanted $40 I think and it didn't lock out safe mode.

For future reference are there any Norton/Windows/IE settings that will block the likes of ICE?  Or another compatible software even that can block it?

Kudos0

Re: [FIXED] ICE Cyber Crime Center

That is just the way Malware is and continuing to evolve,   Yours is not the worst I have dealt with.

I don't like Norton and Spybot S&D together due to Spybot's realtime TeaTimer and SDHelper.

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

I don't use those parts of it.  I only use it to scan when Norton misses something.  I prefer not to have other things taking up RAM, plus I don't know what might conflict with Norton so it's largely on its own.  Is there anything you know of that is compatible with Norton that can be memory resident?  Or do you know of anything preferable to Spybot that I can use as a backup for scanning?

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Read carefully

Download the script attached, needs to be the same file name as well (fixlist.txt), Copy across to flash drive next to FRST.exe

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Use the CD to load again and start FRST.exe (like before when creating the log)

But this time press the Fix button just once and wait.


The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply


Quads

File Attachment: 
Kudos0

Re: [FIXED] ICE Cyber Crime Center

Your OS is still running on my PC.  Do I need to reboot?

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Reboot the PC and load to OTLPE like you did last time to create the FRST.txt log.   Except the fix instructions are slightly different above  as I am having FRST use the fixlist.txt to do as I ask it to do.

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

It came from that stinking .exe file didn't it?

File Attachment: 
Kudos0

Re: [FIXED] ICE Cyber Crime Center

The trouble is some of these are on a system in a way (like this one) so that even if you move or delete just the file(s) you will still end up with Windows not loading correctly etc., because the registry entries are in an area where Windows is still loading them and wanting the file, like what happened here: http://community.norton.com/t5/Malware-Discussion/I-ran-NPE-My-computer-does-not-load-properly-now/td-p/974163

Can you now load Vista to the desktop, and the Ransom won't load, meaning you can now see all of your desktop like before the Ransom?

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Yes!  I am at the desktop!

And yeah.  I hate to think of the condition of my registry.  I can't edit it and don't know of a software that I trust to scan and fix it.  I've had bad experiences with registry fixers.  Norton does some but I don't think it does an extensive job.

Anyway, I'm ready for what's next. 

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Is your Vista with Service Pack 1??

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

I think it has SP2 but I may be wrong

Kudos0

Re: [FIXED] ICE Cyber Crime Center

OTLPE is not the correct disc for your system, but did enough to be able to run FRST although FRST was not the correct version for your system either.

Seeing as you do not have the "Repair your Computer" option on your Hard Drive(s), for safety's sake, and so it will be available in future if something like this happens or worse, or after the use of our tools like combofix where something goes wrong during the scan.

Do this  http://community.norton.com/t5/Tech-Outpost/Creating-a-Repair-Disc-in-Windows-7-and-Vista-SP1-for-future-use/m-p/801962#M6004

The Recovery Disc created will be for your system and tools like FRST or listparts can be used also using the correct version of the tool for the installed OS.  So then logs will be produced that are also correct. 

You can put the disc(s) away for safe keeping.

We should be able to do the rest of your system from the desktop,  but better do this before anything else so that you have that disc, seeing as you don't have the F8 repair feature.

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

No it is not working.  I typed "system restore disc".   It just turns up empty search result.  Also during this process Explorer restarted.

Kudos0

Re: [FIXED] ICE Cyber Crime Center

I mean "system repair disc"

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Do you have it via

  1.  Control Panel, clicking System and Maintenance, and then clicking Backup and Restore.

  2. In the left pane, click Create a system repair disc,

    Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

No.  I just have "Repair Windows using System Restore" and "Create a restore point or change settings"

I verified that I do have SP2.

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Maybe your system maker removes it (not very nice of them).

What is your make of system, Dell etc.??

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Yes that would be lovely.  It's an ASUS.

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Looks like Microsoft may have removed it from Vista,  Heck.

http://www.vistax64.com/tutorials/141820-create-recovery-disc.html

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

17. Insert your retail Vista installation DVD into the CD/DVD drive, and click on Continue.

I made it this far.  I don't have a retail DVD.

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Probably should have used the original recdisc.exe

Kudos0

Re: [FIXED] ICE Cyber Crime Center

OK

We will have to continue to use OTLPE in future if something goes wrong here.

The only other way is to find someone with Vista x64 and has the disc to make a copy or http://www.forum.probz.net/index.php?/files/file/20-windows-vista-recovery-environment-iso/

While you can create a system repair disc and be able to use it on any Windows Vista edition on any computer, it must be the same 32-bit or 64-bit system repair disc as the installed 32-bit or 64-bit Vista. 

You will not be able to use a 32-bit system repair disc on a 64-bit Vista, or a 64-bit system repair disc on a 32-bit Vista.

 

You also can't use the automated startup repair, or the Windows system image, System Restore. However, you can use the command prompt to effect boot repairs or start other programs.

I will give the next cleaning instructions next.

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center


jstwebbrowsing wrote:

Probably should have used the original recdisc.exe


 The original does not work with SP2

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

I don't suppose a Windows 7 repair disc would be of any benefit for Vista.  That's what's on my laptop.  Of course, I don't have a retail disc for it either so I probably can't even make one for it.

Kudos0

Re: [FIXED] ICE Cyber Crime Center

No

This is a very powerful tool, so

Please read carefully. Read all of this message first.

Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix  

  • Ensure that Combofix is saved directly to the Desktop <--- Very important  (Not in the Download(s) or Temp folders)

  • Disable all security programs as they will have a negative effect on Combofix, Disabled for say 1 hour or more. Not until the next restart option.
  • Close any open browsers and any other programs you might have running

Right click the combofix.exe on the desktop and select from the menu "Run as Administrator"

  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

I disabled Norton AV and Firewall via the right-click menu in the system tray for five hours.  I started ComboFix.  After it installed it popped up a box saying Norton 360 AV and Antispyware are running.  There is no context menu to turn off antispyware and the AV and Firewall show they are disabled.

Combofix says, "Please disable these scanners before clicking 'OK'".

Kudos0

Re: [FIXED] ICE Cyber Crime Center

As long as 

Auto-Protect   and

SONAR 

are turned off you are good to go.

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

It took a little while.  Here it is.

File Attachment: 
Kudos0

Re: [FIXED] ICE Cyber Crime Center

OK, more PUP items removed in amongst that lot, and some uninstall entries for folders I had moved with FRST.

Time for the proper PUP checks.

Read carefully

Download Adwcleaner http://general-changelog-team.fr/fr/downloads/view.download/2 (the Green Arrow) on to your desktop like OTL and run a scan (Search Button).  It will create a log after.

ONE SCAN ONLY

Attach the log back here.

Quads

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Here it is. 

File Attachment: 
Kudos0

Re: [FIXED] ICE Cyber Crime Center

Man I bet my PC is gonna run better than it has in a long time.   You are awesome!

Kudos0

Re: [FIXED] ICE Cyber Crime Center

Looks like I can't use the Adwcleaner delete function unless you want to have Norton / Symantec reset inside the Chrome settings.

At least it gives me more data to look at.

 

Let's try this

Download this and run it on the desktop.   http://www.bleepingcomputer.com/download/junkware-removal-tool/

The blue Button

Download now

@ Authors site

It will create a log after.

Quads
