
Saturday, July 13, 2013

ICE Ransomware

Today I had the fun of working on a computer that was infected with Ransomware.  It looked like this:

The ICE Ransomware

It would not boot up to Windows, it would only boot to this screen.  Ctrl-Alt-Del would bring up Task Manager, but everything useful in Task Manager was disabled.  The laptop would not boot into safe mode, no matter what.  The boot routine somehow disabled the safe mode boot menu.

It was essentially a big brick.  The user said she was downloading TV shows or movies when it happened.

The Ransomware claims the user was doing something illegal and needs to pay a fine.  It instructs the owner to buy a MoneyPak from CVS or Walmart in the amount of $300, and key in the voucher number to unlock the computer.  The scary message claims you only have 48 hours to get this done.  I wonder if that works?  I imagine the bad guys get the $300, but then scurry away without fixing the PC.  Why would they give a hoot about the computer of someone who is dumb enough to pay them ransom?

I tried quite a few things to get rid of it, but nothing seemed to work.  I tried Hitman Pro, and various flavors of Linux with AV tools.  I also tried manual removal, but never got all the files deleted.  The nasty ICE thing kept coming back.

ICE Ransomware
Here is what eventually worked. 

1.  I used Rufus to make a bootable USB.  http://rufus.akeo.ie/

2.  Then I downloaded the Kaspersky Rescue CD iso, and the USB installer, and installed this on my USB.  http://support.kaspersky.com/8092

3.  I booted the infected machine with this USB and did a scan.  Stuff was found and deleted, but unfortunately the malware was not totally removed.  One time the machine did boot up correctly, but as I started to download some anti malware tools on it, the infection came back and took over again.  Argh!  Success seemed so close!

Also, on a couple of restarts the laptop came up to a blank screen, and I needed to do Ctrl-Alt-Del to bring up Task Manager, and then start explorer.exe.  The desktop would appear, and then: BAM, the Ransomware would reappear.

Scanning with Kaspersky.  Oops!  Looks like I scanned the USB stick this time!

Kaspersky nagged me that the virus definitions were about a week old, but the Linux running Kaspersky on the USB couldn't see my wireless, so I couldn't get the new definitions.  So I plugged the computer into my network with an ethernet cable, and was able to do the update that way.  I guess NIC drivers are more standard than wireless card drivers.  The next scan seemed much more successful.  And happily, after that I could boot into Windows successfully!

4.  Finally, with the computer booted normally into Windows, I downloaded Combofix and ran a complete scan, and it found a bunch of bad stuff.  http://www.combofix.org/download.php.  If you download Combofix, be aware that the download page has about a million links that try to download all kinds of other programs.  It's a bit of a trick to find the actual Combofix program.
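The post does not say how this particular locker kept coming back after each cleanup, so here is an added example (not from the post, and not code from any tool it mentions): a small offline triage check in Python over constructed sample registry values, looking at the autostart locations screen lockers commonly tamper with, namely the Winlogon Shell and Userinit values and Run entries that point into user-writable folders. The expected defaults and the sample hive are assumptions for a 32-bit Windows XP install.

```python
"""Offline triage of Windows autostart values for screen-locker style persistence.

Added example, not from the original post.  It runs over values exported from
an offline hive (here a constructed dict), so it works from a rescue environment
without touching a live Windows registry.
"""
import re

# Assumed defaults for a 32-bit Windows XP install; compared case-insensitively.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"

# Directories a legitimate autostart rarely points into but droppers often use.
SUSPECT_DIRS = re.compile(
    r"\\(appdata|application data|local settings|locals~1|temp|programdata|users\\public)\\",
    re.I,
)


def triage_autostart(values):
    """values: dict of registry key path -> {value name: data}.
    Returns a list of (key, name, data, reason) findings; empty means nothing odd."""
    findings = []
    for key, entries in values.items():
        is_winlogon = key.lower().endswith(r"\winlogon")
        for name, data in entries.items():
            low = data.strip().lower()
            if is_winlogon and name.lower() == "shell":
                # Lockers often replace the shell so the desktop never appears.
                if low != EXPECTED_SHELL:
                    findings.append((key, name, data, "Shell is not explorer.exe"))
            elif is_winlogon and name.lower() == "userinit":
                # Userinit is a comma list; anything beyond the default is chained in.
                if low.rstrip(",") != EXPECTED_USERINIT.rstrip(","):
                    findings.append((key, name, data, "Userinit replaced or chained"))
            elif SUSPECT_DIRS.search(low):
                findings.append((key, name, data, "autostart in user-writable directory"))
    return findings


# Constructed sample hive, not taken from a real infected machine.
SAMPLE_HIVE = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": r"C:\Documents and Settings\user\Application Data\locker.exe",
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        "sysupd": r"C:\DOCUME~1\user\LOCALS~1\Temp\sysupd.exe",
    },
}

if __name__ == "__main__":
    for key, name, data, reason in triage_autostart(SAMPLE_HIVE):
        print(f"{reason}: {key}\\{name} = {data}")
```

A flagged Shell value explains the blank-desktop symptom above (explorer.exe never starts until launched by hand); the findings are leads to inspect, not proof by themselves.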

After all that, I updated all the programs on the computer (i.e., Windows XP, Adobe, Java), uninstalled a bunch of weird looking programs and toolbars, and added Microsoft Security Essentials (I know - it has a reputation for not flagging anything, but it's better than nothing, I think).

Microsoft Security Essentials DID actually flag Zango Search Assistant, and delete it.  No doubt that must be a competitor to the tracking technology Microsoft uses in Bing.  Only guessing.

It was a bit like I killed Godzilla, and then MSE found a mosquito.

MSE Captures a potential threat!

So far so good.

Just for fun I put the Kaspersky Rescue USB in a trusty old iBook G4, but the boot menu only recognized the Hard Drive, not the bootable USB.

iBook G4 Boot Menu
All things considered, I think I'll keep my trusty little Kaspersky Rescue USB!

The Hero that saved the day!

If you want to read more about the ICE Ransomware, here is an article.

2 comments:

Don Jacobs said...

Alan, I followed you through a sentence and a half - after that it was all gobbledegook or whatever. You are a genius. Your commitment to detail and to getting things going defy the imagination.

Unknown said...

This post is amazing. You are 10 steps ahead of every IT person that works for my company.