[unique101sd]

My computer is infected with the Ice Cyber Crime Ransom virus. The screen is locked when I boot up. Can someone please assist with the removal of this virus? I saw that someone had a similar infection on April 28th. However, I am uncertain if I should try the same process and tools that that individual was provided by their Global Moderator.

 

Thanks in advance for your assistance.

[Advertisements]

Hello and welcome to the Geeks to Go Virus, Spyware & Malware Removal forum. My name is Josh and I will be helping you remove your infection. I am only human not superman - I can make errors but will do my best to help you as best I can so we can solve your problems. If you have since resolved the original problem you were having, I would appreciate you letting me know. Please include a clear description of the problems you're having along with any steps you may have performed so far if you haven't already.

Some of the following instructions to begin the malware removal process can be hard to follow - let me know if you have any questions. Please read all of my responses through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also please do not attempt any disinfection procedures without my instruction as things can go wrong that way or lengthen the time it takes to disinfect your computer. Also please follow your topic to conclusion or your system may not be completely clean, and it will be more vulnerable to future infections.

Throughout our interactions I will be using canned speeches. These are premade speeches for different scenarios we will encounter. If you find errors like bad links in my canned speeches please let me know so I can fix them.

Please copy and paste all logs into your reply. Do not attach logs to a post unless I tell you to or if they don't fit in the post.

One more thing - please refrain from using your computer until it is disinfected unless you absolutely have to (unless you are following my disinfection procedures) - if you do have to use your computer please disconnect it from the Internet - that way the current malware cannot propagate further infections.

I will get back to you soon with further instructions. Expect no more than 36 hours between your post and my response unless World War 3 breaks out and I will need at most 48 hours for initial analysis of your OTL log. Good luck! After 4 days if a topic is not replied to we assume it has been abandoned and it is closed.

 

Make sure not to turn on your computer in the mean time.  Is the infection asking you to pay money to unlock your computer or decrypt your files?  If so regarding decrypting your files you are infected with a ransomware variant which encrypts your files using a private key held by the hackers.  This means that if the malware has already encrypted your files and you don't have them backed up the only way to salvage your data is by paying the hackers the ransom and this is not always a sure method of retrieving your data since sometimes the hackers don't even decrypt your data after paying.  Leave the computer off so that if the files haven't been encrypted yet they are salvageable.  We can disinfect the computer but it's not a guarantee you'll be able to get your data back.  Please let me know if you'd like to proceed or if you have any questions or problems.  I will have disinfection instructions for you later today or tomorrow.  Can you give more details as to what the malware is saying?

[Crag_Hack]

Hello and welcome to the Geeks to Go Virus, Spyware & Malware Removal forum. My name is Josh and I will be helping you remove your infection. I am only human not superman - I can make errors but will do my best to help you as best I can so we can solve your problems. If you have since resolved the original problem you were having, I would appreciate you letting me know. Please include a clear description of the problems you're having along with any steps you may have performed so far if you haven't already.

Some of the following instructions to begin the malware removal process can be hard to follow - let me know if you have any questions. Please read all of my responses through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also please do not attempt any disinfection procedures without my instruction as things can go wrong that way or lengthen the time it takes to disinfect your computer. Also please follow your topic to conclusion or your system may not be completely clean, and it will be more vulnerable to future infections.

Throughout our interactions I will be using canned speeches. These are premade speeches for different scenarios we will encounter. If you find errors like bad links in my canned speeches please let me know so I can fix them.

Please copy and paste all logs into your reply. Do not attach logs to a post unless I tell you to or if they don't fit in the post.

One more thing - please refrain from using your computer until it is disinfected unless you absolutely have to (unless you are following my disinfection procedures) - if you do have to use your computer please disconnect it from the Internet - that way the current malware cannot propagate further infections.

I will get back to you soon with further instructions. Expect no more than 36 hours between your post and my response unless World War 3 breaks out and I will need at most 48 hours for initial analysis of your OTL log. Good luck! After 4 days if a topic is not replied to we assume it has been abandoned and it is closed.

 

Make sure not to turn on your computer in the mean time.  Is the infection asking you to pay money to unlock your computer or decrypt your files?  If so regarding decrypting your files you are infected with a ransomware variant which encrypts your files using a private key held by the hackers.  This means that if the malware has already encrypted your files and you don't have them backed up the only way to salvage your data is by paying the hackers the ransom and this is not always a sure method of retrieving your data since sometimes the hackers don't even decrypt your data after paying.  Leave the computer off so that if the files haven't been encrypted yet they are salvageable.  We can disinfect the computer but it's not a guarantee you'll be able to get your data back.  Please let me know if you'd like to proceed or if you have any questions or problems.  I will have disinfection instructions for you later today or tomorrow.  Can you give more details as to what the malware is saying?

[unique101sd]

Hi josh,

Thanks for getting back to me so quickly.

Yes, the malware asks me to pay a ransom of $300 via Money Pak. I have had to boot up my computer in safe mode to remove a few files for work. Is that ok? Other than that, I have not done anything else. I mistakenly left my computer on over night. When I woke up it displayed a notice stating that my computer had been locked for committing cyber crimes. Somehow the virus had activated the camera on my laptop and I could see myself on screen.

Yes, I would like to proceed with disinfection.

Thanks in advance for your help.

[Crag_Hack]

So the thing about cryptolocker ransom ware is that if your files were already encrypted the only way to get them back is either from a backup or to pay the hackers but paying is not a guarantee. If you do have cryptolocker and no backup and your files are already encrypted if we do remove the infection then you lose the only means of salvaging the data - paying the hackers. So if you want to proceed let me know. Maybe you could show me a picture of the lock screen so I can see what you have.

[Crag_Hack]

The main question is do you have cryptolocker or not. If not let's do the disinfection. If so keep in mind what I mentioned previously.

[unique101sd]

I'm going to send you a picture of the screen? Give me a few minutes to snap a photo and log on.

[unique101sd]

Hi Josh,

 

I can't seem to attach the photo. My 2nd computer says that it has blocked me from attaching a photo of the Ice Cyber Crime screen on my other computer. Any recommendations?

[unique101sd]

Josh,

 

Here is a snap shot of the computer screen. I apologize for the poor quality. I had to scan it in.

 

I look forward to hearing from you.

 

 

[unique101sd]

 SKMBT_C55214051916311.pdf   89.95KB   181 downloads

[Crag_Hack]

Hi unique.  I'm consulting a colleague regarding a quick question about your infection.  Will have a response for you tomorrow - we will start the disinfection process then.  You have access to safe mode right?

[unique101sd]

Hi Josh,

 

Yes, I have access to Safe Mode. I have been able to boot up my computer in Safe Mode and copy a few files.

[Crag_Hack]

Hi unique. Here's the start of the disinection procedure. Since you're locked in normal Windows we need to do the following in safe mode with networking. Try downloading the files on the infected computer and if that doesn't work use another computer, put them on an external flash drive or hard drive, transfer to the infected computer, run them, grab the logs and put them back on the drives then post for me; for the OTL scan you can throw the custom scan instructions in a text file to transfer them to the infected computer. Also you might want to back up your data to be on the safe side. This first series of instructions may be a little daunting but things will get simpler. Here goes:

Step 1

1. Download ListCrilock from here
2. Run ListCrilock then post the contents ListCrilock.txt (in the same directory) in your next post

Step 2

• Download OTL and save to desktop or other convenient location.
• Double click OTL to run it. Make sure all other windows are closed to let it run uninterrupted.
• Select the Scan All Users box in the middle on the top of the window
• Under the Custom Scans/Fixes box paste this in:
  
  
   

  netsvcs

  BASESERVICES
  %SYSTEMDRIVE%\*.exe
  /md5start
  services.*
  WSHELPER.*
  consrv.dll
  explorer.exe
  winlogon.exe
  Userinit.exe
  svchost.exe
  rpcss.dll
  /md5stop
  C:\Windows\assembly\tmp\U\*.* /s
  %Temp%\smtmp\1\*.*
  %Temp%\smtmp\2\*.*
  %Temp%\smtmp\3\*.*
  %Temp%\smtmp\4\*.*
  dir C:\ /S /A:L /C
  >C:\commands.txt echo list vol /raw /hide /c
  /wait
  >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
  /wait
  type c:\diskreport.txt /c
  /wait
  erase c:\commands.txt /hide /c
  /wait
  erase c:\diskreport.txt /hide /c
  CREATERESTOREPOINT

   

   
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. If you have already run OTL it won't open Extras.txt but Extras.txt will be in the same place as the new OTL.txt so simply open it manually.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

Step 3

• Download aswMBR.exe ( 1870KB ) to your desktop.
• Double click the aswMBR.exe to run it
• It will ask you if you want to download the latest Avast! virus definitions, answer yes
  
  
• Click the Scan button to start scan
  
  
• On completion of the scan click Save log, save it to your desktop and post in your next reply

Step 4

• Download RogueKiller to the desktop
• Quit all programs
• Start RogueKiller.exe
• Wait until Prescan has finished ...
• Click on Scan. Click on Report and copy/paste the contents of the notepad window into your next post
   

log files: RKreport[#].txt

Things to see in your next post:
ListCrilock.txt
OTL.txt
Extras.txt
aswMBR log
RKreport[#].txt

[unique101sd]

Hi Josh,

 

I just got your message. I'm going to start the process in Safe Mode with networking. Does it matter if I sign on as Administrator?

Edited by unique101sd, 20 May 2014 - 05:19 PM.

[Crag_Hack]

If your normal account has administrator rights then it shouldn't matter.

[Crag_Hack]

Actually it is preferable to use your normal account assuming it is an administrator.