How do I remove the ICE virus from my Dell Windows 8 (64bit) laptop?
[Instructions are for the thread starter's system only, not another user's system]
Please Read http://community.norton.com/t5/Malware-Discussion/Malware-Discussion-Board-Guidelines/td-p/961409
This is to make sure the user has seen the Guidelines before starting.
Even other Malware Removal forums state things like
"you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer. From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean."
Users have to realise these tools can cause problems anyway, and if instructions are not followed, bigger problems can occur: from deleting something that shouldn't be deleted, the program causing the system to freeze, the program jamming during the restart, etc. And so we use instructions to allow the tools to be in the correct location (so we also know where they are), settings given so that items won't be automatically deleted, and other programs disabled so things can be done without detection or conflict.
When the user follows instructions and things still go a little haywire, and it does happen, it is up to us to sort the extra problem out.
Confirm in Reply you have read and understand the Guidelines etc.
OK. Thanks. I've read the instructions.
Do you have more than one user account you can log on to?
If NOT, Windows 8 is different when it comes to getting to the advanced menu compared to Vista and Windows 7, unless you have changed the BCD to add an entry.
No. Just one user account on my laptop.
You will need a Flash Drive and to download a Program.
I have several flash drives. How big?
Not much space on the Flash Drive is required, usually less than 10MB.
Great. I'll use a 120MB one then.
Please download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ You need to download the 64 bit version.
Transfer it on to the Flash Drive.
Does it install on my desktop computer? Where do I find the file after I've downloaded it? Can I download it directly to the flashdrive?
After downloading FRST64.exe you need to transfer the file on to the Flash Drive.
You find it like every other file or document you download.
I get this message: Unfortunately the page that you requested does not exist.
Sorry. It's there. I pasted the link into my browser. That must have put me in the wrong place. I'll download it now.
I've downloaded FRST64.exe and transferred it to my flash drive.
It is not to be in a folder on the Flash Drive but in the root of the Flash Drive (for instance e:\frst.exe).
Then Plug the Flash Drive into the infected laptop.
It's not in a folder. It's plugged into the laptop. F12 gets me to the boot menu on the laptop.
What the heck are you doing with F12?
Nothing. I haven't turned the laptop on.
The 2 easiest ways to get to the Advanced Startup / Repair options with Windows 8 (Vista and Win 7 used F8) are:
a) At the Windows 8 Start Screen, if it is not blocked by the Ransomware. Screenshot below borrowed from Bleeping Computer showing part of the process.
b) Pressing CTRL+ALT+DEL and, at the same time as choosing Restart from the 3 power options, holding down the Shift Key.
As Dell themselves put it: "Click the shutdown button, hold down the Shift Key and click Restart from the options provided."
Just depends which one you can get.
When I have tried to start the laptop, it does not go to the W8 Start screen but instead goes immediately to the ICE lock screen. I'm not clear on option b. Do I hold the keys as I try to start the computer? or after it starts and goes to the ICE lock screen?
Like with other ransomware (on Windows 7 also), even with the Ransomware running, pressing the CTRL+ALT+DEL keys at the same time brings up a full screen with options and a power button. It can be different colours: light green, dark greenish, blue, red, purple. ICE Ransom is still there behind it, but the screen shown in the screenshot below starts and goes over the top of the Ransom.
When you click on the Power button in the lower right hand corner the options appear like above. You hold down the Shift key on the keyboard as you click Restart.
Success! The options listed are Continue, Troubleshoot, or Turn off. What's next?
That is why we are doing little steps, with me finding screenshots too. Windows 8 is different, although the F8 legacy option like XP, Vista, Windows 7 can be switched on.
Now you are at this screen
Choose Troubleshoot Then you will have this screen
Choose Advanced Options Then you will have this screen
Choose Command Prompt Then you will have this screen
Now we are at a similar point as we would be with Vista and Windows 7 ready to use FRST that is on the Flash Drive
Making progress. I'm on the same screen.
Read all first to understand the steps.
Here's the text file attached.
This should be enough to break ICE, but files will still be on your system and the services have to be looked at etc. This should just get you to be able to load the Desktop for the rest
Download the script attached; it needs to have the same file name as well (fixlist.txt). Copy it across to the flash drive, so that fixlist.txt is next to FRST64.exe on the Flash Drive. DO NOT DRAG AND DROP to download the script, it won't work for FRST.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Do like previously to start FRST without Windows loading, like we did when we first used FRST on the Flash Drive. (There is a difference stated further down.)
Now you should be able to load Windows Normally without the ICE Ransom also loading, so now you can see the Desktop.
Many thanks. I assume running antivirus and utilities is in order.
Did you not understand what I said
"This should be enough to break ICE, but files will still be on your system and the services have to be looked at etc. This should just get you to be able to load the Desktop for the rest "
All right. Maybe I didn't understand your cryptic message. Please be more explicit. Is there something in particular that I should do?
Download TFC http://www.bleepingcomputer.com/download/tfc/ and place it on your Desktop. Close your browsers Then run TFC. It will say when it is finished.
That should clear out the rest of the caches and temp folders, and in doing so delete the Ransomware's backup .dll file.
Will TFC delete the Ransomware dll files or do I need to find them to delete them myself?
I already stated
"That should clear out the rest of the caches and temp folders. in doing so Delete the Ransomware's backup .dll file."
I have already moved the .exe and deleted registry data; the .exe is moved into a Quarantine folder on your system:
"C:\Users\David\AppData\Local\Temp\juucsehegvvdrxusd.exe => Moved successfully."
ICE group should have also altered a Windows service.
But if you don't want to do as I say that is fine, you can go and you can keep everything as it stands now.
I don't see any .dll file that looks like Ransomware. I'd like to do exactly what you are asking but I don't understand if TFC deletes the Ransomware files or whether I need to search for them to delete them myself.
"in doing so Delete the Ransomware's backup .dll file"
Does this mean "in doing so TFC will Delete the ..."?
Does this mean "in doing so YOU must Delete the..."?
You are not doing as I asked.
This is easy
I wish you good luck with your system, I have explained and you are not doing as instructed so I am finished. You can deal with the rest.
I have run TFC. Is there something more that I should do? Please don't leave without answering my question.
It is as simple as this. We tell users (who asked for help) what to do with each step, dependent on what they have and what OS, and we then also tell the user when all is done and they can go on their merry way (all fixed).