ICE Ransomware Infections


ICE Ransomware Infections

Postby Marshall » Fri Jun 21, 2013 9:37 am

To date this one is my favorite, and it may simply be the situation I'm stuck in with it.

http://www.bleepingcomputer.com/virus-removal/remove-ice-cyber-crime-center-ransomware

System came to me with a variant of the ICE Ransomware infection. I pulled the hard drive, slaved to a Malware removal VM, and away I went. I removed 28 infections on the first pass. The system could be clean at the moment, but it's hard to say because the OS has been damaged a bit.

The bugger with this one for me has been that the client had previously run the free version of HitmanPro, and so it couldn't be used to remove the infection. This left me with other AV tools, which have not seemed to work as well.
Ultimately all PE/Rescue CDs have failed to solve the issue. This is a fun one! Going to really hammer it today, as I have more time to focus on it.
Help Me With My Computer Tech
IT Services & IT Consulting Services In Southern IL and St. Louis MO
Marshall
Posts: 509
Joined: Thu Feb 14, 2013 3:14 am

Re: ICE Ransomware Infections

Postby Dannim » Fri Jun 21, 2013 10:26 am

Most scans will not pick up the FBI infection. Manual removal is best for the main files that are causing the problem and then running scans to clean out any other remnants that are picked up. In particular I'd recommend aswMBR to check that the system's MBR is default and Roguekiller. FBI tends to go hand-in-hand with 0access.

For manual file removal you're looking in the following locations primarily:

XP:

%userprofile%\
%userprofile%\Application Data
%userprofile%\Local Settings\Application Data
%allusersprofile%\Application Data

Vista/7:

%localappdata%
%appdata%
%programdata%

In particular you are looking for: Skype.dat, Skype.ini, DisplaySwitch.exe, MigAutoPlay.exe, and any random .exes or .sys files as there really should not be any of those file types in those locations.

You can also use Autoruns to analyze the Offline system and then you'll generally be able to see the suspicious entry to track it down and remove it.

Also, some variants will change the HKCU\Software\Microsoft\Currentversion\Winlogon\ shell key from "explorer.exe" to "cmd.exe" or point to its own files.
Dannim
Posts: 61
Joined: Mon Feb 11, 2013 10:50 am
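Added example, not code from this thread: a read-only PowerShell triage of a slaved Vista/7 volume that walks the three locations above for the named files and any loose .exe/.sys, then loads each user's NTUSER.DAT (the offline HKCU) to check the Winlogon Shell value. It assumes the slaved volume is $Drive, that it runs elevated (reg.exe load requires it), and it uses the full key path under "Windows NT\CurrentVersion"; the XP layout is not covered.

```powershell
# Added example (not from the thread): triage a slaved Windows Vista/7 volume for
# the artifacts listed above. Assumes the volume is mounted as $Drive and that
# this runs elevated (reg.exe load needs it). Read-only: it reports, never deletes.
param([string]$Drive = 'D:')

$KnownNames = 'Skype.dat', 'Skype.ini', 'DisplaySwitch.exe', 'MigAutoPlay.exe'
$Findings   = New-Object System.Collections.Generic.List[string]

# Offline equivalents of %localappdata%, %appdata% and %programdata%
$Profiles = Get-ChildItem "$Drive\Users" -Directory -ErrorAction SilentlyContinue
$Dirs = @("$Drive\ProgramData")
foreach ($p in $Profiles) {
    $Dirs += "$($p.FullName)\AppData\Local"
    $Dirs += "$($p.FullName)\AppData\Roaming"
}

# Top level only: a loose .exe/.sys directly in these folders is itself suspicious
foreach ($d in $Dirs) {
    Get-ChildItem $d -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($KnownNames -contains $_.Name -or ('.exe', '.sys' -contains $_.Extension)) {
            $Findings.Add("FILE  $($_.FullName)  $($_.Length) bytes  $($_.LastWriteTime)")
        }
    }
}

# Winlogon Shell in each user's NTUSER.DAT (the offline HKCU); anything other
# than explorer.exe means the shell was redirected, e.g. to cmd.exe or a dropper
$WinlogonRel = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($p in $Profiles) {
    $hive = "$($p.FullName)\NTUSER.DAT"
    if (-not (Test-Path $hive)) { continue }
    & reg.exe load 'HKU\OfflineTriage' $hive | Out-Null
    try {
        $key   = "Registry::HKEY_USERS\OfflineTriage\$WinlogonRel"
        $shell = (Get-ItemProperty $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell -ne 'explorer.exe') {
            $Findings.Add("REG   $($p.Name)  Winlogon\Shell = '$shell'")
        }
    } finally {
        [GC]::Collect()   # drop open handles so the hive can be unloaded cleanly
        & reg.exe unload 'HKU\OfflineTriage' | Out-Null
    }
}

if ($Findings.Count) { $Findings } else { 'No suspect files or Shell redirection found.' }
```

Anything it reports still needs a look by hand (hash it, check the signature and timestamps) before removal; this only narrows where to look.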

Re: ICE Ransomware Infections

Postby Marshall » Fri Jun 21, 2013 10:33 am

Thanks Dannim.

You're right on the money, those are huge hot spot locations.

The reg key you mentioned absolutely was changed, and the d7 Malware Scanner found that quick enough and allowed me to alter it.

I'm still trying to fix some basic Windows 7 behavior though, and keep getting drawn away from working on the laptop. It won't assign removable media a drive letter (I have enabled/disabled disk auto mounting, etc, no dice.). Same effect in Safe-Mode. I will report back with details when I can.
Help Me With My Computer Tech
IT Services & IT Consulting Services In Southern IL and St. Louis MO
Marshall
Posts: 509
Joined: Thu Feb 14, 2013 3:14 am

Re: ICE Ransomware Infections

Postby techw13 » Tue Jul 16, 2013 6:28 pm

Hitman Pro kickstart can detect the FBI virus. Just needs to be updated regularly (recreating the kickstart). Something is different between updating hitman itself and copying to the drive vs letting hitman create the kickstart with updated ones.
techw13
Posts: 106
Joined: Tue Jul 09, 2013 6:13 pm

Re: ICE Ransomware Infections

Postby EagleTech » Wed Jul 17, 2013 9:20 am

techw13 wrote: Hitman Pro kickstart can detect the FBI virus. Just needs to be updated regularly (recreating the kickstart). Something is different between updating hitman itself and copying to the drive vs letting hitman create the kickstart with updated ones.

You still need a valid license, whether that be free or not. HMWMCT was saying that the free license had already been used, so you can't use it again without paying for it.
EagleTech
Posts: 159
Joined: Thu Mar 21, 2013 6:15 pm
Location: IL, USA

Re: ICE Ransomware Infections

Postby techw13 » Mon Jul 29, 2013 11:52 am

Understood. At that point, it would be time for external scanning.
techw13
Posts: 106
Joined: Tue Jul 09, 2013 6:13 pm