Victim of .qewe ransomware


Hello!
I am a victim of the .qewe ransomware.
The attack seems to be a complex one, adding a group policy, restricting internet access and many other things, including encrypting files.

I see lots of "fix" suggestions saying that I need to install MB. The problem is that I cannot successfully install it, and the following error pops up:

An error occurred while downloading. Please check your connection to the internet and try again ...

As I mentioned, I cannot browse the internet.

How can I fix this? :(


Hello, and welcome.

I regret to hear of this situation & your troubles.

Do you have another machine that is clean & working, where you can do downloads?

Do you also have a clean USB thumb/flash drive to use as a copy & transfer agent?

NOTE: We here cannot fix / repair / or decrypt any files encrypted by ransomware.

The best way to recover damaged files is from a recent backup made before any of this infection.

Backup is your best friend.


Yes, I have a clean PC and USB.

The problem is, I think that this ransomware was updated, because all the fixes I found over the internet do not suit my situation.
Even my backups seem to be removed. I tried to restore to a previous point and load a backup ... I have none / they are deleted.

Everywhere it is suggested to simply install MB and it is fixed. Guess what, I cannot install MB, I cannot access it.

I've just cleaned the hosts file and still seem to be unable to use the internet. :(


I meant actual offline backups (on removable media), not the System Restore functions of Windows. The latter is one of the first things ransomware deletes automatically.

Malwarebytes for Windows can be installed & run. However, it cannot "cure" or "fix" any encrypted file.

Let's give the following a try to get a working Winsock / internet connection.

Start NOTEPAD (you can press the Windows key + R to get the RUN option, then type in

NOTEPAD.exe

and press the Enter key to start NOTEPAD).

Check and make sure "word wrap" is off.
From the Notepad menu bar, select Format and make sure Word Wrap is NOT checked.
If it -is- checkmarked, click it one time so that it is unchecked.

Please copy/paste the lines below into Notepad:


@echo on
rem Replace the hosts file with a single loopback entry. Ransomware droppers
rem commonly add entries here to block security-vendor and update sites.
pushd %SystemRoot%\System32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
rem Refresh the DHCP lease and DNS cache, then reset Winsock and the TCP/IP stack.
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset
netsh int ip reset resetlog.log
rem Reboot after 1 second; the batch file deletes itself on the way out.
shutdown -r -t 1
del %0

Now save it as flush.bat to your desktop.
Double-click the flush.bat file to run it. Your computer will reboot.
 

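The batch file above throws the whole hosts file away. Before doing that, it is worth seeing what the dropper actually put there, since those entries tell you which sites it wanted to keep the victim away from. The script below is an added example for this thread (it is not the helper's flush.bat and not a Malwarebytes tool): copy the infected machine's hosts file (%SystemRoot%\System32\drivers\etc\hosts) to the USB and run the script on the clean machine against that copy. It flags any entry that maps a watch-listed domain anywhere, and any other non-local name pointed at a loopback or 0.0.0.0 sinkhole address, and can write a copy with only the flagged lines commented out. The watch-list of domains, the sample hosts content and all function names are constructed for this example.

```python
"""Audit a Windows hosts file for sinkholed / redirected entries.

Added example; assumes the hosts file was copied off the infected machine
and is audited on a clean one. Watch-list and sample input are constructed.
"""
import ipaddress
import sys
from dataclasses import dataclass

# Addresses that make a name unreachable: loopback or the 0.0.0.0 blackhole.
SINKHOLE_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
)

# Names a stock hosts file legitimately maps to loopback.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet",
    "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
}

# Illustrative watch-list (an assumption for this example, not a list taken
# from the thread): vendors, help sites and Windows Update a victim must reach.
WATCH_DOMAINS = (
    "malwarebytes.com", "bleepingcomputer.com", "malwarehunterteam.com",
    "emsisoft.com", "eset.com", "microsoft.com", "windowsupdate.com",
)


@dataclass
class Finding:
    lineno: int
    ip: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for each mapping; skip comments and junk."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # not an address; Windows ignores it
        for name in parts[1:]:
            yield lineno, parts[0], name.lower()


def is_sinkhole(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SINKHOLE_NETS)


def on_watchlist(name):
    # Dot-anchored suffix match, so "notmicrosoft.com" does not match "microsoft.com".
    return any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)


def audit_hosts(text):
    """Return findings in file order: watch-listed names mapped anywhere, and
    any other non-local name pointed at a sinkhole address."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if on_watchlist(name):
            findings.append(Finding(lineno, ip, name, "watch-listed domain redirected"))
        elif is_sinkhole(ip):
            findings.append(Finding(lineno, ip, name, "non-local name sinkholed"))
    return findings


def clean_hosts(text):
    """Comment out flagged lines instead of overwriting the whole file, so the
    evidence of what was added stays in the file."""
    bad = {f.lineno for f in audit_hosts(text)}
    return "\n".join(("# REMOVED: " + line) if n in bad else line
                     for n, line in enumerate(text.splitlines(), 1)) + "\n"


# Constructed sample, not a capture from the infected machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
127.0.0.1 localhost
::1 localhost
192.168.1.10 nas.home.lan        # legitimate LAN mapping, left alone
0.0.0.0 www.malwarebytes.com
0.0.0.0 malwarebytes.com
127.0.0.1 forums.bleepingcomputer.com
127.0.0.1 download.windowsupdate.com
127.0.0.1 tor.example.invalid    # unknown name, but sinkholed
"""

if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-copied-hosts-file]
    src = SAMPLE_HOSTS
    if len(sys.argv) > 1:
        src = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    for f in audit_hosts(src):
        print(f"line {f.lineno}: {f.ip} {f.hostname}  ({f.reason})")
```

On the constructed sample this reports the four watch-listed entries and the one sinkholed unknown name, and leaves the LAN mapping alone. Keep the original hosts file with the findings as evidence of what the dropper blocked; whichever copy you put back, the batch above then resets the file and the Winsock catalog anyway.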

We have no decrypter. I do not know of any decrypter for this ransomware. You should just leave all the .qewe files where they are now, in the hope that perhaps in the future someone may come out with a decrypter.

I would like for you to upload 2 files for analysis.

C:\Users\-Alex\_readme.txt

C:\Users\-Alex\Downloads\vuex6497.exe.qewe

I would suggest you visit a special resource site called ID Ransomware, upload those 2 files, save the resulting reports, and then post those logs here in a reply.

Read over the write-up here: https://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/

Do the upload at this site: https://id-ransomware.malwarehunterteam.com/


I very much want those 2 files (listed before) uploaded to ID-Ransomware.

You have another working machine, so you can do downloads & uploads & transfers using the USB as a transfer medium.

Do downloads on the clean machine. Save downloads to the USB and later on take it to the problem machine to run some tools.

After a tool has completed a run, copy the report to the USB / take it to the clean computer / send (attach) the new report to this forum topic thread.

Use the USB as a transfer mechanism back and forth.

Please read all of these lines first so that it is all clear to you about our plan. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here
https://downloads.malwarebytes.com/file/mbar/
and save it to your USB. Then take the USB to the problem machine / insert it / copy mbar.exe to the desktop of the problem machine.

 

Now run MBAR.

Double-click on the MBAR file and allow it to run.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

• After reading the Introduction, click 'Next' if you agree.

• On the Update Database screen, click on the 'Update' button.

• Once you see 'Success: Database was successfully updated', click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces to your next reply; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt.
  
 


Need to slow down the pace of posting here. It is too fast & rapid.

The article at Emsisoft is several months old, I believe, & is about the 1st generation of STOP ..... which has rapidly changed. It changes constantly.

Please wait for my next reply. But I also sent you a reply just before this about running the Malwarebytes MBAR anti-rootkit tool.

I want to see the result from MBAR.

However, I feel a need to repeat: we cannot help on recovering or curing or fixing encrypted files.

What we can do is to see that there is no leftover infection.


Ok, sorry. I didn't find a way to edit the post, and I needed to post another.

While I was reading your previous message, MBAR was already scanning.

I got it, that I cannot decrypt the files. I will save them, and maybe sometime I will be able to decrypt them. I think there isn't an issue with having some encrypted files, since the machine was cleaned, right? Or should I also make them disappear from the machine?

As I said before, I couldn't upload both files on the id-ransomware website. I have attached them below, in 7z.

Also the scan log after I "cleaned up" is uploaded.

PS: OMG, the USB stick I used until now cannot be opened anymore on the clean machine. I have formatted it and still the same. It returns: "The structure of this drive is corrupted..." or something like that. I needed to change the USB device.

Attachments: crystalex05-ransomware.7z, mbar-log-2020-04-28 (00-26-46).txt


Thanks for the MBAR report & the 7z file.

I tried to upload the 2 files to ID-Ransomware; however, I got errors on both.

Please hold on & have patience, since my next reply will take some additional time to get back to you. Just hold on.

The MBAR anti-rootkit did do a good cleanup. That is a good start. However, we will need to do more.


Hello.

We will be needing to make use of a USB thumb/flash drive. Please remember, before inserting the USB into any machine, to first press and hold the SHIFT key down on the keyboard before inserting it into any of your machines.

We need to take that USB drive to the clean machine. Press the SHIFT key & hold it before and during insertion of the USB flash drive.

Then we need to reformat the USB. Start Windows Explorer & look for the USB drive.

Right-click on it directly and select Format. Quick option.

NEXT

We need you to do a new/fresh download of FRST64.exe and save it to the USB drive.

Save the file from this link: https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/?rha=1

Once that is completed, we need you to save the file attachment named FIXLIST.txt that I have with this reply onto the USB device. Please make sure of that.

Now, remove the USB from the clean machine.

Now at the infected machine, let's resume by doing the following steps, starting with getting an elevated Command Prompt window.

On the Windows taskbar, in the Windows search box, type in

cmd.exe

and then look at the entire list of choices, and click on Run as administrator.

It is best to use copy & paste for the following.

At the prompt either type or copy/paste the following commands, tapping the Enter key after each command:

bcdedit.exe /set {bootmgr} displaybootmenu yes
bcdedit.exe /set {default} recoveryenabled yes
exit

NEXT

(Note: do not insert the USB into the infected PC until you are successfully booted into the Recovery Environment.)

Boot to the Recovery Console's Command Prompt on the infected computer (this is not the same as Safe Mode).

To enter the Recovery Environment:

1. Right-click the Windows logo in the lower left corner of your screen > choose Command Prompt (Admin)
2. Type the command below, and press Enter.

shutdown /r /o /f /t 00

The PC will now boot to the recovery options.

Click Troubleshoot, and then Advanced options.

Next click on Command Prompt.

At the Command Prompt, you will do your usual Windows login:

choose your account to continue and enter the password to log into the account (if you use one).

 

NOW, press and hold the SHIFT key while you do this:

Insert the USB drive containing FRST64.exe and the Fixlist.txt.

At the command prompt, type in

notepad.exe

and press Enter.

When Notepad opens > under File > select Open > select "This PC" and find your flash drive letter, then close Notepad.
Now back in the command window type e:\frst64.exe and press Enter.

Note: Replace the letter e with the drive letter of your flash drive.

The tool will start to run. Now, there are 2 procedures to do, both with FRST64:

A) Press the Scan button. That should help a great deal. Please wait for it to finish the run.

B) This is the next task while still on the machine:

once the scan is finished, now press the Fix button.

These actions will make two logs, a Fixlog.txt and a FRST.txt log, on the flash drive.

Please attach those once booted back to normal mode.

Attachment: Fixlist.txt


Good morning. Thanks for the reports. The good news: you did well in following the guidance on running FRST in special mode.

The bad news is that this Windows system is still plagued by more than one infection. This case started out as just a ransomware corruption, & although the ransomware deletes itself after doing its damage ..... there are other infections here. A trojan infection, among them. It is classified as WIN/64/Agent.KD.

We can attempt to get it removed by using a special tool from ESET.

The fact of having this sort of infection necessitates my cautioning you. This system has multiple infections. There are still malicious drivers on this machine.

And since a trojan is involved, this is a point at which you need to decide whether to keep trying to look for and attempt to remove malware,

OR

else to just copy your user files & then wipe / erase the system & rebuild Windows from scratch & re-install fresh user application programs.

You should also consider that your identity may have been compromised, along with any financial account numbers that you may have stored on this machine.

You should not be using this system to do any banking or shopping or any web surfing that is not related to possible cleanups.

Later on (but not now, while infected) you will have to change all your passwords.

Let me know how you want to proceed.


Good morning.

I think I will wipe everything and install a new Windows. Should the malware cause any inconvenience if I choose to do this?

I didn't have any file with passwords. Maybe just Google password saving and a piece of software, "LastPass", which stores passwords.
Are those affected?

Any tips for future procedures?

I will reinstall Windows and that's it.


Good morning.

LastPass is a good utility. If that is the 'only' place where passwords were kept, then that is better.

Keep in mind, by passwords, I also meant website logins.

You may want to copy (make copies to offline media, like a large USB device) your own personal files & important documents, pictures, etc.

Then save them & put them away. If and when you need to put them back ..... before you do that ..... you want to first scan all the files with Malwarebytes & with an antivirus like Microsoft Windows Defender.

Yes, a Windows 10 RESET operation AND keeping NO files would be a way to rebuild a new Windows 10 installation.

Use this article at Tenforums as a guide:

https://www.tenforums.com/tutorials/4130-reset-windows-10-a.html

Let me know if you need something else at this point. Later, before we close this, I will provide you a list of ways to keep safer.


All right. Go slow, deliberate, careful.

Just as one reminder, at the start of this case Windows 10 was showing as being on Windows build 1803 (which is from spring 2018).

This Windows ideally should have been on at least build 1909 (the fall 2019 build update for Windows 10).
