Ransomware - PCEU virus

[Fryern]

If Hitmanpro kickstart cannot make an internet connection and malawarebytes is already on my PC what should I do next?

I am new to this site so excuse my errors etc

Non't understand OTL or aswMBR. I can't add anything the PC is currently unuseable

Any help much appreciated

 

[Fiery]

Hi and welcome to MalwareTips!

My name is Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time. 
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean. 
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital. 
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

---

Download Farbar Recovery Scan Tool from the below link:
<ul><li>For x32 (x86) bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST.exe" rel="nofollow external"><>Farbar Recovery Scan Tool</></a> and save it to a flash drive.
For x64 bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST64.exe" rel="nofollow external"><>Farbar Recovery Scan Tool x64</></a> and save it to a flash drive.</li>

<li>Plug the flashdrive into the infected PC.</li>

<li>Enter <>System Recovery Options</>.</li>

<>To enter System Recovery Options from the Advanced Boot Options:</>
<ul>
    <li>Restart the computer.</li>
    <li>As soon as the BIOS is loaded begin tapping the<> F8</> key until Advanced Boot Options appears.</li>
    <li>Use the arrow keys to select the <>Repair your computer</> menu item.</li>
    <li>Select <>US</> as the keyboard language settings, and then click <>Next</>.</li>
    <li>Select the operating system you want to repair, and then click <>Next</>.</li>
    <li>Select your user account an click <>Next</>.</li>
</ul>
<>To enter System Recovery Options by using Windows installation disc:</>
<ul>
    <li>Insert the installation disc.</li>
    <li>Restart your computer.</li>
    <li>If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.</li>
    <li>Click <>Repair your computer</>.</li>
    <li>Select <>US</> as the keyboard language settings, and then click <>Next</>.</li>
    <li>Select the operating system you want to repair, and then click <>Next</>.</li>
    <li>Select your user account and click <>Next</>.</li>
</ul>
<li>On the System Recovery Options menu you will get the following options:</span>
<pre>Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt</pre>
<ol>
    <li>Select <>Command Prompt</></li>
    <li>In the command window type in <>notepad</> and press <>Enter</>.</li>
    <li>The notepad opens. Under File menu select <>Open</>.</li>
    <li>Select "Computer" and find your flash drive letter and close the notepad.</li>
    <li>In the command window type <><span style="color: #ff0000;">e</span>:\frst.exe</> (for x64 bit version type <><span style="color: #ff0000;">e</span>:\frst64</>) and press <>Enter</>
<>Note:</><span style="color: #ff0000;"> Replace letter <>e</> with the drive letter of your flash drive.</span></li>
    <li>The tool will start to run.</li>
    <li>When the tool opens click <>Yes</> to disclaimer.</li>
    <li>Press <>Scan</> button.</li>
    <li><>FRST</> will let you know when the scan is complete and has written the <>FRST.txt</> to file, close out this message</li>
    <li>Type <>exit</> and reboot the computer normally</li>
    <li>Please copy and paste both logs in your reply.(FRST.txt)</li></li>
</ol>
</ul>

 

[Fryern]

Hi and welcome to MalwareTips!

My name is Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

---

Download Farbar Recovery Scan Tool from the below link:
<ul><li>For x32 (x86) bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST.exe" rel="nofollow external"><>Farbar Recovery Scan Tool</></a> and save it to a flash drive.
For x64 bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST64.exe" rel="nofollow external"><>Farbar Recovery Scan Tool x64</></a> and save it to a flash drive.</li>

<li>Plug the flashdrive into the infected PC.</li>

<li>Enter <>System Recovery Options</>.</li>

<>To enter System Recovery Options from the Advanced Boot Options:</>
<ul>
<li>Restart the computer.</li>
<li>As soon as the BIOS is loaded begin tapping the<> F8</> key until Advanced Boot Options appears.</li>
<li>Use the arrow keys to select the <>Repair your computer</> menu item.</li>
<li>Select <>US</> as the keyboard language settings, and then click <>Next</>.</li>
<li>Select the operating system you want to repair, and then click <>Next</>.</li>
<li>Select your user account an click <>Next</>.</li>
</ul>
<>To enter System Recovery Options by using Windows installation disc:</>
<ul>
<li>Insert the installation disc.</li>
<li>Restart your computer.</li>
<li>If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.</li>
<li>Click <>Repair your computer</>.</li>
<li>Select <>US</> as the keyboard language settings, and then click <>Next</>.</li>
<li>Select the operating system you want to repair, and then click <>Next</>.</li>
<li>Select your user account and click <>Next</>.</li>
</ul>
<li>On the System Recovery Options menu you will get the following options:</span>
<pre>Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt</pre>
<ol>
<li>Select <>Command Prompt</></li>
<li>In the command window type in <>notepad</> and press <>Enter</>.</li>
<li>The notepad opens. Under File menu select <>Open</>.</li>
<li>Select "Computer" and find your flash drive letter and close the notepad.</li>
<li>In the command window type <><span style="color: #ff0000;">e</span>:\frst.exe</> (for x64 bit version type <><span style="color: #ff0000;">e</span>:\frst64</>) and press <>Enter</>
<>Note:</><span style="color: #ff0000;"> Replace letter <>e</> with the drive letter of your flash drive.</span></li>
<li>The tool will start to run.</li>
<li>When the tool opens click <>Yes</> to disclaimer.</li>
<li>Press <>Scan</> button.</li>
<li><>FRST</> will let you know when the scan is complete and has written the <>FRST.txt</> to file, close out this message</li>
<li>Type <>exit</> and reboot the computer normally</li>
<li>Please copy and paste both logs in your reply.(FRST.txt)</li></li>
</ol>
</ul>

---

 

[Fiery]

Hi Fryern,

I didn't get your reply. Can you use the "New Reply" function, I have attached a picture below:

If you want to attach a log, click New Reply then scroll down to the attachment section and and attach the file

 

[Fryern]

Hi Fiery,

Sounds good to me. A couple of questions. I will be using my Mac for the download/s and copying to the UBS flash drive. Is that ok? Secondly you say choose US k/b happy with that but mine is UK.

Thanks,
Fry

Hi and welcome to MalwareTips!

My name is Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

---

Download Farbar Recovery Scan Tool from the below link:
<ul><li>For x32 (x86) bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST.exe" rel="nofollow external"><>Farbar Recovery Scan Tool</></a> and save it to a flash drive.
For x64 bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST64.exe" rel="nofollow external"><>Farbar Recovery Scan Tool x64</></a> and save it to a flash drive.</li>

<li>Plug the flashdrive into the infected PC.</li>

<li>Enter <>System Recovery Options</>.</li>

<>To enter System Recovery Options from the Advanced Boot Options:</>
<ul>
<li>Restart the computer.</li>
<li>As soon as the BIOS is loaded begin tapping the<> F8</> key until Advanced Boot Options appears.</li>
<li>Use the arrow keys to select the <>Repair your computer</> menu item.</li>
<li>Select <>US</> as the keyboard language settings, and then click <>Next</>.</li>
<li>Select the operating system you want to repair, and then click <>Next</>.</li>
<li>Select your user account an click <>Next</>.</li>
</ul>
<>To enter System Recovery Options by using Windows installation disc:</>
<ul>
<li>Insert the installation disc.</li>
<li>Restart your computer.</li>
<li>If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.</li>
<li>Click <>Repair your computer</>.</li>
<li>Select <>US</> as the keyboard language settings, and then click <>Next</>.</li>
<li>Select the operating system you want to repair, and then click <>Next</>.</li>
<li>Select your user account and click <>Next</>.</li>
</ul>
<li>On the System Recovery Options menu you will get the following options:</span>
<pre>Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt</pre>
<ol>
<li>Select <>Command Prompt</></li>
<li>In the command window type in <>notepad</> and press <>Enter</>.</li>
<li>The notepad opens. Under File menu select <>Open</>.</li>
<li>Select "Computer" and find your flash drive letter and close the notepad.</li>
<li>In the command window type <><span style="color: #ff0000;">e</span>:\frst.exe</> (for x64 bit version type <><span style="color: #ff0000;">e</span>:\frst64</>) and press <>Enter</>
<>Note:</><span style="color: #ff0000;"> Replace letter <>e</> with the drive letter of your flash drive.</span></li>
<li>The tool will start to run.</li>
<li>When the tool opens click <>Yes</> to disclaimer.</li>
<li>Press <>Scan</> button.</li>
<li><>FRST</> will let you know when the scan is complete and has written the <>FRST.txt</> to file, close out this message</li>
<li>Type <>exit</> and reboot the computer normally</li>
<li>Please copy and paste both logs in your reply.(FRST.txt)</li></li>
</ol>
</ul>

---

 

[Fiery]

Hi Fiery,

Sounds good to me. A couple of questions. I will be using my Mac for the download/s and copying to the UBS flash drive. Is that ok? Secondly you say choose US k/b happy with that but mine is UK.

Thanks,
Fry

Yes, that will be perfectly fine And yes, you can choose UK keyboard if you want.

 

[Fryern]

Hi Again,

Done the scan. Saved it - now I've got to get it to you!!!
I'll need to find best way to do that as my Mac is VERY slow at most things.
Fry

Hi Fiery,

Sounds good to me. A couple of questions. I will be using my Mac for the download/s and copying to the UBS flash drive. Is that ok? Secondly you say choose US k/b happy with that but mine is UK.

Thanks,
Fry

Yes, that will be perfectly fine And yes, you can choose UK keyboard if you want.

 

[Fryern]

Log is FRST PCEU 070272013

Hi Fryern,

I didn't get your reply. Can you use the "New Reply" function, I have attached a picture below:

If you want to attach a log, click New Reply then scroll down to the attachment section and and attach the file

 

[Fryern]

Log is FRST PCEU 07022013
Second FRST.TXT

Hi Fryern,

I didn't get your reply. Can you use the "New Reply" function, I have attached a picture below:

If you want to attach a log, click New Reply then scroll down to the attachment section and and attach the file

 

[Fryern]

2013-02-07 08:21 - 2013-01-18 20:49 - 00000004 ____A C:\Users\Chris\AppData\Roaming\skype.ini

Whatever that is it is about the date the problem occured

 

[Fiery]

Hi,

Yes you are correct, that is one of the bad files that we will have to remove. Can you create .txt files on a Mac? If you can, open that program and copy and paste the following: I have also attached a file if you can't create a .txt file on a Mac (never used a Mac in my life so I don't know how it works). Right-click the attachment and select Save link As.

2013-01-18 20:49 - 2013-02-07 08:21 - 00000004 ____A C:\Users\Chris\AppData\Roaming\skype.ini
2013-02-05 20:22 - 2009-06-26 13:35 - 00003394 ____A C:\Users\Chris\AppData\Local\qcgyy.dat
2013-02-05 20:22 - 2009-06-26 13:35 - 00000088 ____A C:\Users\Chris\AppData\Local\qcgyy.bat
2013-02-05 20:17 - 2009-06-26 13:35 - 00001537 ____A C:\Users\Chris\AppData\Local\qcgyy_navps.dat
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1074769810-1078283988-2073797478-1000\$b155b2704791f9b09759dca33a230a88

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.

 

[Fryern]

Well I've got it on the flash drive:-

2013-01-18 20:49 - 2013-02-07 08:21 - 00000004 ____A C:\Users\Chris\AppData\Roaming\skype.ini
2013-02-05 20:22 - 2009-06-26 13:35 - 00003394 ____A C:\Users\Chris\AppData\Local\qcgyy.dat
2013-02-05 20:22 - 2009-06-26 13:35 - 00000088 ____A C:\Users\Chris\AppData\Local\qcgyy.bat
2013-02-05 20:17 - 2009-06-26 13:35 - 00001537 ____A C:\Users\Chris\AppData\Local\qcgyy_navps.dat
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1074769810-1078283988-2073797478-1000\$b155b2704791f9b09759dca33a230a88


Above is how it's showing - i'll go to step 2

 

[Fryern]

'Then, boot to system recovery, plug in your flash drive, open FRST and click fix.'

Do I go in via 'notepad' in command prompt after the other bits k/b etc? Excuse the ignorance.

Not sure where I get the command 'Fix'.

 

[Fiery]

'Then, boot to system recovery, plug in your flash drive, open FRST and click fix.'

Do I go in via 'notepad' in command prompt after the other bits k/b etc? Excuse the ignorance.

Not sure where I get the command 'Fix'.

In command prompt, start FRST with(e:\frst.exe or e:\frst64) like you did when you did the scan. In the FRST interface, there should be a button that saids "Fix"

 

[Fryern]

'Then, boot to system recovery, plug in your flash drive, open FRST and click fix.'

Do I go in via 'notepad' in command prompt after the other bits k/b etc? Excuse the ignorance.

Not sure where I get the command 'Fix'.

In command prompt, start FRST with(e:\frst.exe or e:\frst64) like you did when you did the scan. In the FRST interface, there should be a button that saids "Fix"

Thanks,
The updated text attached. I still have the problem. I have not looked at the text yet. Moving between a Mac and a PC is doing my head in a bit !!

 

[Fiery]

Hi,

Following the same instruction as before, create another fixlist.txt. The delete the old one and create a new one

HKU\Chris\...\Winlogon: [Shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat [62976 2011-11-18] ()

Save it to the USB and click fix again in FRST. Then try to reboot.

 

[Fryern]

Hi,

Following the same instruction as before, create another fixlist.txt. The delete the old one and create a new one

HKU\Chris\...\Winlogon: [Shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat [62976 2011-11-18] ()

Save it to the USB and click fix again in FRST. Then try to reboot.

Updated TXT attached. We get as far as loading all the desktop items then in a flash the screen goes blank (totally white) - hope that helps

Now 11.15pm uk, time for bed!!

 

[Fiery]

Hi there,

The last script didn't work. Delete all the FRST/fixlist logs on your USB so that the only FRST-related file on the USB is the FRST program itself. I have also attached a copy of the fixlist.txt if you have trouble making one on the Mac.

Open notepad and copy & paste the following:

start
HKU\Chris\...\Winlogon: [Shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat [62976 2011-11-18] ()
end

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log and attempt to reboot to normal mode.

 

[Fryern]

Hi there,

The last script didn't work. Delete all the FRST/fixlist logs on your USB so that the only FRST-related file on the USB is the FRST program itself. I have also attached a copy of the fixlist.txt if you have trouble making one on the Mac.

Open notepad and copy & paste the following:

start
HKU\Chris\...\Winlogon: [Shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat [62976 2011-11-18] ()
end

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log and attempt to reboot to normal mode.

Latest log attached (hopefully). Same issue. I have noticed that if you boot in Safe Mode with Networking just before you appear to have 'got there' the system reboots. btw not sure I need HitmanPro bits and I also got the message to say frst.exe is 6 days out of date

 

[Fryern]

The logs !!


Looks to me like your mod is there. Looks to me like it was in the previous one as well.