Locked out of Windows by bogus FBI CyberCrime Division (ICSPA) malware

peppergomez

Ugh, this thing is VICIOUS.

I just got this virus, which is a doozy. It locks users out of Windows completely.


http://malwaretips.com/blogs/fbi-cybercrime-division-icspa-virus/

("If your computer is locked, and you are seeing a “ATTENTION! Your computer has been locked and all data is encrypted!” notification from FBI CyberCrime Division (ICSPA) , then your computer is infected with a piece of malware known as Trojan Reveton.")

I am trying to solve it based on the instructions in that link above, but no luck so far. Hitman Pro didn't detect it, and I can only boot into Safe Mode with Command Prompt (while staying in the command prompt window). All other safe modes reboot immediately back into "regular" Windows, so I'm unable to navigate to Device Manager in Windows or to run any kind of Malware Removal software. I downloaded and installed HitmanPro using a clean secondary computer (obviously).


I am trying to fix this without having to revert to a restore point.

Other details:

I can boot into Safe Mode with Command Prompt, and got here (see screenshot) after typing start mmc.exe.

[screenshot]


I am trying to get to my drivers in Device Manager, or wherever it is I need to be to look for any suspicious tunnel adapters, viruses, etc etc.



I ran Hitman Pro from a USB boot drive but it failed to find anything after scanning. I also looked in the Startup and Services tabs in msconfig and didn't see anything suspicious. I unchecked a few unfamiliar things for good measure and then rebooted, but it didn't work.


Basically, I need to get into Windows so I can run Malwarebytes Anti-Malware to remove this freaking ICSPA virus. But the virus is totally blocking me from using Windows.

Thanks a lot for any help...it sucks not being able to use my computer.

PS- Can anyone recommend another good program that I can save to a USB thumb drive that will allow me to boot and bypass Windows, and then run a Malware scan? Hitman Pro didn't detect any viruses or malware, which is a fail.
 
Linux Live CD with AV on it, or pull the drive out and mount it in another computer to scan (DO NOT OPEN ANYTHING ON THE DRIVE).

Before doing that, while in the Command prompt, clear out the C:\Users\(your user name)\AppData\Local\ folder of any executable files and the Local\Temp folder of all files. Also run "schtasks" (command line task scheduler) to see if there are any tasks that run/reinstall your infection. Finally see if "regedit" will run, and if so navigate to the \Software\Microsoft\Windows\CurrentVersion\Run key in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE to see what's listed there.
 
Run Malwarebytes in safe mode. This has worked for me in the past a few times with cleaning out this virus.
 
Thanks Ryan.

Caniba, I can't do much of anything in Safe mode b/c the virus reboots my computer after about 15 seconds when I boot up in Safe mode (or Safe mode with networking). It's only when the cmd prompt window is open that my computer doesn't reboot. Also, I don't have Malwarebytes installed on my desktop. Though maybe if I saved the Malwarebytes EXE to a USB thumbdrive, could I open and run it off of my thumbdrive, and have it scan my C drive?
 
Linux Live CD with AV on it, or pull the drive out and mount it in another computer to scan (DO NOT OPEN ANYTHING ON THE DRIVE).

Before doing that, while in the Command prompt, clear out the C:\Users\(your user name)\AppData\Local\ folder of any executable files and the Local\Temp folder of all files.

Not a bad idea. I think I will pull the drive and run a scan from an external mount from my laptop.



What are the commands to type into cmd to clear out the executable files and the Local\Temp folder?


Thanks again
 
A DOS command like del *.* in that folder should do the trick for clearing it out (once you're in that folder). Since there are a lot of folders, you'll probably need rd /S as well, to remove all folders.

Also, for boot disks/USB you can use Trinity Rescue, or something similar. You can get various AV packages to run, or grab a malware scanner that runs on it. You could also just use a linux liveCD/USB and do the same, only booting it up graphically. Good luck!
 
You should try logging in as a different user name. I have had a lot of luck with that. That virus installs on a per-user basis. Also, the fact that it reboots in safe mode means it is one of the newer revisions of that virus.

Super, Malware, and Emsisoft Emergency Kit should be able to remove it if you run all 3. Each one seems to fail to find it one time or another, but at least one of the 3 always seems to catch it.
 
Most of the time with this, I boot from an Ultimate Boot CD (I have mine on a USB flash drive), enable the local administrator account, and set a password on it. This should let you log in with the administrator account from safe mode. Once in safe mode, I rename the profile folder for the FUBAR user account. I then create a new user account for the user and copy their files from the FUBAR account folder.
 
Just toss the drive into an enclosure and/or another computer, grab the files you want to keep, then format the ENTIRE drive. Done.
 
Plug the drive into another computer. View hidden and system files. Navigate to the drive root \Users\<yourusername>\AppData. You will have a UAC prompt to gain security rights to the drive.

Look in the Locallow and Local folders. In Local, delete the temp folder. Also delete any randomly named .exe files that you see or ones you know are malware. Also look for folders that do not have names but rather numbers and delete them. In LocalLow, do the same but there will not be a temp folder. If you can, scan the drive with Malwarebytes or another AV.

Plug the drive back in and boot the system. If the malware is gone, go back to C:\Users\<yourusername> and view the security ACL. There will be an invalid user SID (from the other computer). Delete that ACE. If you have Java, delete your Java cache from the Java Control Panel. Also run a disk cleanup.
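The file-side checks recommended in this thread (executables dropped directly in AppData\Local and AppData\LocalLow, numeric-only folder names, everything under Local\Temp) can be done as a dry run before anything is deleted. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It assumes the suspect drive is mounted on a clean machine with its Users folder reachable under mount_root, inspects only the top level of Local and LocalLow (legitimate vendors keep binaries in named subfolders), and moves flagged items into a quarantine folder instead of deleting them so a false positive can be restored. The profile tree it builds for the demonstration is constructed and contains no real malware.

```python
"""Offline triage of the per-user AppData folders on a mounted Windows volume.

Added example (hypothetical helper names); not part of the original thread.
"""
import re
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# File types a practitioner would not expect to find dropped directly in
# AppData\Local or AppData\LocalLow by legitimate software.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}
# The thread describes folders "that do not have names but rather numbers".
NUMERIC_DIR = re.compile(r"^\d+$")


@dataclass(frozen=True)
class Finding:
    kind: str   # "temp_file", "executable" or "numeric_dir"
    path: Path


def scan_appdata(mount_root):
    """Return findings for every profile under <mount_root>/Users.

    Only the top level of Local and LocalLow is checked for executables,
    because legitimate programs keep their binaries in vendor subfolders.
    """
    users = Path(mount_root) / "Users"
    findings = []
    if not users.is_dir():
        return findings
    for profile in sorted(users.iterdir()):
        for sub in ("Local", "LocalLow"):
            base = profile / "AppData" / sub
            if not base.is_dir():
                continue
            temp = base / "Temp"          # Local\Temp: everything is disposable
            if temp.is_dir():
                findings += [Finding("temp_file", p)
                             for p in temp.rglob("*") if p.is_file()]
            for entry in sorted(base.iterdir()):
                if entry.is_dir() and NUMERIC_DIR.match(entry.name):
                    findings.append(Finding("numeric_dir", entry))
                elif entry.is_file() and entry.suffix.lower() in EXECUTABLE_SUFFIXES:
                    findings.append(Finding("executable", entry))
    return findings


def quarantine(findings, mount_root, quarantine_dir):
    """Move flagged items into quarantine_dir, preserving their relative paths."""
    moved = []
    for f in findings:
        dest = Path(quarantine_dir) / f.path.relative_to(mount_root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(f.path), str(dest))
        moved.append(dest)
    return moved


def summarize(findings):
    """Count findings by kind, e.g. {'temp_file': 2, 'executable': 2}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def build_sample_volume(root):
    """Create a constructed profile tree (no real malware) for a dry run."""
    root = Path(root)
    sample_files = [
        "Users/alice/AppData/Local/Temp/setup.tmp",
        "Users/alice/AppData/Local/Temp/sub/cache.dat",
        "Users/alice/AppData/Local/Microsoft/Windows/Explorer/thumbs.db",
        "Users/alice/AppData/Local/Microsoft/Helper/updater.exe",  # vendor subfolder: not flagged
        "Users/alice/AppData/Local/xkqwzt.exe",                   # random name at top level: flagged
        "Users/alice/AppData/Local/4821736/payload.exe",          # numeric folder: flagged as a unit
        "Users/alice/AppData/LocalLow/Sun/Java/Deployment/cache.idx",
        "Users/alice/AppData/LocalLow/qpmrv.exe",                 # flagged
        "Users/bob/Desktop/notes.txt",                            # no AppData at all
    ]
    for rel in sample_files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content\n")
    return root


def dry_run():
    """Build the constructed volume, scan, quarantine, rescan; return the counts."""
    with tempfile.TemporaryDirectory() as tmp:
        vol = build_sample_volume(Path(tmp) / "mounted_volume")
        before = summarize(scan_appdata(vol))
        moved = quarantine(scan_appdata(vol), vol, Path(tmp) / "quarantine")
        after = summarize(scan_appdata(vol))
        return before, len(moved), after


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        vol = build_sample_volume(Path(tmp) / "mounted_volume")
        for f in scan_appdata(vol):
            print(f"{f.kind:12} {f.path.relative_to(vol)}")
        print(dry_run())
```

On a real mount, call scan_appdata("E:\\") (or the Linux mount point) first and review the printed list; only then pass the findings to quarantine. The registry Run keys and scheduled tasks mentioned earlier in the thread live inside the offline hives and are not covered here.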
 
Thanks again guys. I am pretty sure I removed it successfully by plugging the drive into a Thermaltake BlacX and running a battery of anti-malware and spyware apps. Put the drive back in my desktop, booted to Windows, looked around regedit and scheduled tasks and didn't see anything suspicious. Also deleted items in the Local and LocalLow folders.
 
Combofix takes care of this pretty easily as well.
 