struppigel

Moderator
Verified
Staff member
Are you aware that there is a user named wBzcwBE with administrator permissions on your system?

Is it safe to use my PC and do my work on it or no?
Not yet. I think your system was infected with a Remote Access Trojan (RAT) which was also used to run the ransomware. Those kinds of malware allow a criminal full control over your system.
It means your system is unsafe and all of your accounts are potentially compromised. After cleaning the system you need to put new passwords in place for all of your accounts (email, online banking, everything that's somewhat important). If you have a clean computer somewhere you can already start doing that. If available, enable 2-Factor-Authentication for accounts.

AVG is still not entirely gone from your system and there is one program that slipped my uninstall list (sorry for that).

1. Uninstall Software
  • Press the Windows Key
    + r on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programs, right-click and click Uninstall.
    • WinRAR Free Download Packages
  • Follow the prompts.
  • Note: If you are offered the choice to install additional software, ensure you decline.
  • Reboot if necessary.

2. Farbar Recovery Scan Tool (FRST) Script
  • Download the attached fixlist.txt
  • Important: The file must be saved in the same location as FRST64.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
  • Double-click FRST64.exe to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.

3. Browser Reset

Before proceeding, please refer to the following instructions on how you can backup your Favourites/Bookmarks.
Using the relevant instructions below, please reset your installed browsers.
As Internet Explorer is an integral part of Windows, please ensure you reset this browser regardless of whether you use it or not.
 

Attachments

I backed up the bookmarks of internet explorer, Firefox, google chrome then i reset them as you told me. I found the sync already turned off in chrome and i found a bottom named turn on sync so i left this step and didn't do it, is it okay? but i reset the chrome.
There is a message that appear on starting the windows that it can't open the outlook but i don't know what it means. I have an email on Hotmail and opens fine.
 

struppigel

Moderator
Verified
Staff member
The back up of bookmarks and the old Firefox folder shall i delete them?
If your browsers work fine now, you can delete it.
Is the Smiley program gone by now?

i left this step and didn't do it, is it okay?
Yes, it's fine.

Do you use Outlook for your email or something else?

1. Delete Windows 7 User Account
  • Press the Windows key
    , click on Control Panel
  • Click on Add or remove user accounts
  • Click on the account named wBzcwBE and click delete the account
  • A prompt will ask you if you want to keep files. Click Delete files then Delete Account

2. Batch File
  • Press the Windows Key
    + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the string below and paste into the Notepad document.
    wevtutil qe application "/q:*[System[(Level=1 or Level=2)]]" /c:300 /f:text /rd:true > wevtlog.txt
  • Click Format. Ensure Wordwrap is unchecked.
  • Click File, Save As and name the file eventlog.bat.
  • Select All Files as the Save as type.
  • Save the file to your Desktop.
  • Locate eventlog.bat on your Desktop. Double-click on it to run it.
  • A file named wevtlog.txt will appear on your Desktop, please upload this file here.
  • You can delete wevtlog.txt and eventlog.bat after that.
 
Is the Smiley program gone by now?
yes it is not there anymore

Do you use Outlook for your email or something else?
yes, i use outlook for my email but i open it and use it without any problems, although this message appear on starting up the windows.
 

struppigel

Moderator
Verified
Staff member
yes it is not there anymore
(y)

Ah, this log doesn't show any Outlook errors. o_O
I need to create my query more specific. I will try to delete the hidden user account in that same Batch as well.

Copy the following text including "Start::" and "End::"

Start::
CMD: net user wBzcwBE /delete
CMD: wevtutil qe Application /q:"*[System[Provider[@Name='Outlook'] and ((Level=2) or (Level=1))]]" /f:text /c:500 /rd:true
End::


Run FRST64.exe and click on Fix.
A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.
 
"The program can't start because OutLookLib.dll is missing from your computer. try reinstalling the program to fix this problem" this is the note that appear on starting the windows
 

struppigel

Moderator
Verified
Staff member
Hi Eman,

Thank you for the error message. This explains why I didn't find errors. OutlookLib.dll belongs to one of the Dell programs. I understand that the name of the file makes it seem like it could belong to Outlook.

I see that you have disabled some Dell entries with msconfig:

Code:
MSCONFIG\startupreg: AccuWeatherWidget => "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
MSCONFIG\startupreg: Apoint => C:\Program Files\DellTPad\Apoint.exe
MSCONFIG\startupreg: Dell DataSafe Online => C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
MSCONFIG\startupreg: Dell Webcam Central => "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
MSCONFIG\startupreg: DellStage => "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
MSCONFIG\startupreg: QuickSet => C:\Program Files\Dell\QuickSet\QuickSet.exe
MSCONFIG\startupreg: Stage Remote => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe -Quiet
You have also blocked some with your Firewall:

Code:
FirewallRules: [TCP Query User{1FFCE511-CDCE-4DA5-AEC1-C316AED368DB}C:\program files (x86)\dell\stage remote\stageremoteservice.exe] => (Block) C:\program files (x86)\dell\stage remote\stageremoteservice.exe (ArcSoft, Inc. -> )
FirewallRules: [UDP Query User{561EAC1A-7F10-4987-B715-578A685671FC}C:\program files (x86)\dell\stage remote\stageremoteservice.exe] => (Block) C:\program files (x86)\dell\stage remote\stageremoteservice.exe (ArcSoft, Inc. -> )
My question is: Do you even want these Dell programs? They are legit programs that come preinstalled on Dell systems but often considered bloatware.

Do you have any issues connecting Bluetooth devices to your computer? I think reinstalling the Bluetooth driver might help. I will research tomorrow morning how to do this.
 

struppigel

Moderator
Verified
Staff member
Regarding the Bluetooth driver: Dell SupportAssist is the program that is responsible to help you pick and install the right drivers. I don't have a Dell system, I don't think I can try the software to guide you through.
There is a Dell guide on How to download and install a device driver with SupportAssist. Note that you don't need to download SupportAssist because it is already installed.

I would like you to try and reinstall or update the Dell Bluetooth driver. I suspect this to be problem for the error message after startup.
 
Do you even want these Dell programs? They are legit programs that come preinstalled on Dell systems but often considered bloatware.
i don't know the benefit of these programs, are they useful or not? i didn't remove them but maybe they are removed by malware programs which i used it before.
 
Do you have any issues connecting Bluetooth devices to your computer?
i use the Bluetooth to connect with WiFi and it works fine, i don't know how to reinstall it .
let us return to the main issue which is to keep my PC free from that ransomware so i can use it safely.
 

struppigel

Moderator
Verified
Staff member
let us return to the main issue which is to keep my PC free from that ransomware so i can use it safely.
What about the abnormal account wBzcwBE is it still there or have gone?
Your FRST logs showed the account but the deletion command said it couldn't find it. So the account probably still there. I would have collected everything that's to be done first, to not do more steps than necessary before I try another way. But I will skip the Bluetooth error for now due to your request.

Please provide fresh FRST.txt and Addition.txt. I reposted the instructions below.

Farbar Recovery Scan Tool (FRST) Scan
  • Double-Click FRST64.exe to run the programme.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach the logs in your next reply.
 

struppigel

Moderator
Verified
Staff member
Hi Eman,

The user account is gone. You executed the fix twice. The first removed it and the second couldn't find it anymore.
I only see unwanted programs in your browsers still.

Remove Chrome Extension
  • Please open Chrome.
  • Enter the following line into the address bar
    chrome://extensions/
  • For the following extensions click the button Remove and follow the prompts
    • AVG Web TuneUp
    • MSN Homepage & Bing Search Engine
Remove Edge Extension
  • Please open Edge
  • Enter the following line into the address bar
    edge://extensions/
  • For the following extensions, select the extension and click Remove
    • Free Smileys & Emoticons
    • Security Protection
Malwarebytes AdwCleaner
  • Please download Malwarebytes AdwCleaner and save the file to your Desktop.
  • Click Scan Now and wait for completion of the scan.
  • Ensure anything you know to be legitimate does not have a check mark under the corresponding tab.
  • Click Quarantine.
  • Follow the prompts and allow your computer to reboot.
  • After the reboot, a log will open. Copy the contents of the log and paste in your next reply.
-- File, folder and registry backups are made for items removed using this program. Should a legitimate file, folder or registry item be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of the log.
 
Top