PCEU virus affected Windows 7 - 32 bit - Urgent help required

[arunkumar1983]

PCEU virus affected Windows 7 - 32 bit - Urgent help required

---------------------------------------------------------------------------------------

 

Safemode, with network, command prompt nothing works.

 

Please find the 2 file results as you mentioned.

 

It's office laptop and it's encrypted.

Note: I have only 7 more hours to login. Any immediate response would be appreciated and i'm trying to solve this for 5

hrs.

FRST result:

--------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-02-2014 01
Ran by SYSTEM on MININT-1P3CA6P on 16-02-2014 15:25:42
Running from F:\
WIN_7 Service Pack 1 (X86) OS Language: English(US)
Boot Mode: Recovery
Attention: Could not load system hive.
Attention: System hive is missing.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

ATTENTION: Software hive is missing.
ATTENTION: Software hive is not loaded.
ATTENTION: System hive is not loaded.

========================== Services (Whitelisted) =================

==================== Drivers (Whitelisted) ====================

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

==================== One Month Modified Files and Folders =======

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\rpcss.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
C:\Windows\System32\winsrv.dll IS MISSING <==== ATTENTION!.

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 2037.95 MB
Available physical RAM: 1696.5 MB
Total Pagefile: 2037.95 MB
Available Pagefile: 1689.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1946.48 MB

==================== Drives ================================

Drive f: (SONY_16W) (Removable) (Total:14.46 GB) (Free:10.7 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 75 GB) (Disk ID: 97BE5B6A)
Partition 1: (Active) - (Size=40 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=35 GB) - (Type=OF Extended)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 14 GB) (Disk ID: 2387E12F)
Partition 1: (Not Active) - (Size=14 GB) - (Type=0C)

==================== End Of Log ============================

 

Search result:

------------------------

Farbar Recovery Scan Tool (x86) Version: 12-02-2014 01
Ran by SYSTEM at 2014-02-16 15:27:47
Running from F:\
Boot Mode: Recovery

================== Search: "services.exe" ===================

X:\Windows\winsxs\x86_microsoft-windows-s..s-

servicecontroller_31bf3856ad364e35_6.1.7601.17514_none_d1672a532b8b1a15\services.exe
[2010-11-20 00:38] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

X:\Windows\System32\services.exe
[2010-11-20 00:38] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===

 

 

[MrCharlie]

It's office laptop and it's encrypted.

The log from FRST is useless...nothing showing.

Can you burn a cd??

MrC

[arunkumar1983]

I have USB flash drive. Is it possible to make bootable USB flash drive instead of CD ?

[MrCharlie]

Yes you can use usb, but first have you tried system restore??

The link below will give you suggestions for system restore and for making a Kaspersky Rescue Disk and Unlocker disk:

(some of the links don't work anymore, I listed them below)
http://maddoktor2.com/forums/index.php/topic,55928.0.html

http://support.kaspersky.com/8092 <------usb

http://support.kaspersky.com/us/viruses/disinfection/8005#block3 <----Windows Unlocker

The key is to run Windows Unlocker, that repairs/restores the registry and then scan for malware.

Let me know.....MrC

[arunkumar1983]

Hi,

 

:-( unfortunately there is no restore point created on this laptop. I actually tried your suggestions 8-10 hours ago by reading your posts. But I was tired and lost confident. Actually decided to reinstallation by tomorrow morning (12:30 AM here).  I didn't expect that you would respond to this thread. Thanks a lot for that !!!

Having hope now.

 

http://maddoktor2.com/forums/index.php/topic,55928.0.html    // This is URL is not functioning

Going to follow below url first, Please correct me if i'm doing anything wrong.

http://support.kaspersky.com/8092    // Download is in progress. Let you know once I done with the steps mentioned.

[MrCharlie]

The link doesn't seem to work on some Servers I guess.

The link is for creating the usb

The link below is running unlocker:

http://support.kaspersky.com/us/viruses/disinfection/8005#block3

MrC

[arunkumar1983]

Downloaded iso images from both 2 links and tried (guess both are same) but failed.
http://support.kaspersky.com/8092
http://support.kaspersky.com/us/viruses/disinfection/8005#block2

USB Boot options:

1.Bypass Master Boot Record
2.Regular boot (when bypass failed)
3.Legacy boot

For 1 and 3 getting below

Hitmanpro.kickstart booting
MBR Read
non-NTFS partition or encrypted disk detected
Failed to boot

For 2, getting "Error Loading Operating System"

I tried FRST run again and i'm attaching those files with this. I could see few differences than the one which posted on first thread.

 

 

FRST:

---------

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-02-2014 01
Ran by SYSTEM on MININT-KE5GMDE on 17-02-2014 01:41:39
Running from F:\
WIN_7 Service Pack 1 (X86) OS Language: English(US)
Boot Mode: Recovery
Attention: Could not load system hive.
Attention: System hive is missing.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

ATTENTION: Software hive is missing.
ATTENTION: Software hive is not loaded.
ATTENTION: System hive is not loaded.

========================== Services (Whitelisted) =================

==================== Drivers (Whitelisted) ====================

========================== Drivers MD5 =======================

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

==================== One Month Modified Files and Folders =======

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\rpcss.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
C:\Windows\System32\winsrv.dll IS MISSING <==== ATTENTION!.

==================== Restore Points  =========================

==================== BCD ================================
The boot configuration data store could not be opened.
The system cannot find the file specified.

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 2037.95 MB
Available physical RAM: 1694.07 MB
Total Pagefile: 2037.95 MB
Available Pagefile: 1687.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1950.48 MB

==================== Drives ================================

Drive f: (HITMANPRO) (Removable) (Total:14.44 GB) (Free:14.44 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 75 GB) (Disk ID: 97BE5B6A)
Partition 1: (Active) - (Size=40 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=35 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 14 GB) (Disk ID: 052F0270)
Partition 1: (Active) - (Size=14 GB) - (Type=0B)

==================== End Of Log ============================

 

 

Search:

------------

Farbar Recovery Scan Tool (x86) Version: 12-02-2014 01
Ran by SYSTEM at 2014-02-17 01:42:18
Running from F:\
Boot Mode: Recovery

================== Search: "services.exe" ===================

X:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7601.17514_none_d1672a532b8b1a15\services.exe
[2010-11-20 00:38] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

X:\Windows\System32\services.exe
[2010-11-20 00:38] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===

[MrCharlie]

How did Hitmanpro get into the picture???

FRST log is no good and services.exe isn't involved in this infection.

Here's an example of what we need:

https://forums.malwarebytes.org/index.php?showtopic=134799&hl=ransomware#entry743001

MrC

[arunkumar1983]

Hi,

 

I tried Hitmanpro almost 5 hrs ago from the url below.

http://www.bleepingcomputer.com/virus-removal/remove-serios-organised-crim-agency-ransomware

 

But I have formatted my USB flash drive before initiating the steps recommended by you. Not sure how it comes in picture even now !!!

 

Please let me know which step I need to proceed now ? 

[MrCharlie]

So you can't get Kaspersky to work???

It won't boot of the usb drive??

MrC

[arunkumar1983]

Yes ... I'm not able to boot with that. Tried once again now. Getting the error as mentioned above. (step1,2,3)

Not sure whether disk encryption could be the reason.

 

If you want me follow any procedure i'm ready to follow that right now.

[MrCharlie]

I don't have any suggestions, usually we use FRST on W7 and that works fine.

Kaspersky works well on XP

I've never used Hitmanpro

Not much else I can tell you, do you have any IT guys at the office??

MrC

[arunkumar1983]

yes ... WIll check with IT team tomorrow.  Thanks for your suggestion.

[MrCharlie]

OK...Good Luck, MrC

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!