Avast WEBforum
Other => Viruses and worms => Topic started by: phydron on September 18, 2012, 06:41:34 PM
-
I have a Dell Mini that has downloaded a trojan: HEUR.BackDoor.Win64.Generic as reported by Kaspersky Security Scan.
I haven't been able to run any other scans. Before this scan, I removed the BIOS battery for 30 mins., replaced the HDD, upgraded the RAM, reinstalled WIN7 Starter, and the virus was still there. I tried to run sysclean, but it wouldn't load.
aswMBR loads definitions, then says: Initialize error c000010E-driver not loaded. HijackThis won't run, nor will any other scan, and now Kaspersky Security Scan won't load.
Can anyone tell me where to begin?
-
follow the guide and attach the logs. http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR
-
The only way I can gain access to this machine is to reformat the HDD and remove the BIOS battery.
Is there an easier way?
Thanks
-
Are you able to get into windows to run a programme ?
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) and save it on your desktop.
NOTE: If using IE8 or better, SmartScreen Filter will need to be disabled
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
(https://dl.dropbox.com/u/73555776/RKScan.GIF)
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
(https://dl.dropbox.com/u/73555776/RKDelete.GIF)
- The report has been created on the desktop.
- Next click on the ShortcutsFix
(https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF)
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
-
Here are the files I could get. Malwarebytes wouldn't run, I got a runtime 0 error message. I downloaded it twice, with the same result.
-
Here are the rest:
The RootkitBuster is just for WIW.
I have many more RKReport files if you want them.
-
Could you tell me exactly what the current problems are
Also delete your current copy of OTL and download the latest version
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
Here are the logs you requested:
I hope this is what you wanted, I couldn't find the "attach" file anywhere.
Thanks for what you do, it's really appreciated.
-
At the moment I am seeing no evidence of malware.. What problems are you experiencing ?
-
No rootkit scanners can run, HijackThis halts after ten or twelve lines. I can't stop my internet connection for more than five minutes without it beginning again, my SD card gets harder and harder to access, until it won't read it at all.
This computer isn't worth the time we've put into it, but I hate to see them win.
Here are a few screen captures, Win7 Starter doesn't come with a capture program.
-
OK lets check the MBR and service files
Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
- Doubleclick on TDSSKiller.exe to run the application
(http://dl.dropbox.com/u/73555776/TDSSFront.JPG)
- Then click on Change parameters.
(http://dl.dropbox.com/u/73555776/TDSSConfig.JPG)
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(http://dl.dropbox.com/u/73555776/TDSSFound.JPG)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
(http://dl.dropbox.com/u/73555776/TDSSEnd.JPG)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
-
Here's the log you requested:
I'm not sure this is an MBR infection. I replaced the HDD with a new, clean one, replaced the RAM, disconnected the BIOS battery. The only place a virus could exist under those conditions is the chipset or CPU, I guess.
Whatever is in this won't let me boot from anything external. Do you have any idea how to defeat that?
Thanks
-
Now this is intriguing, as none of the other scans detected these. These files will be placed in the TDSSKiller quarantine, once they are there could you scan them with Avast please and let me know the result
Run TDSSKiller again with the same parameters and select delete for the following :
10:56:24.0477 3740 AHKA ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0477 3740 AHKA ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0477 3740 GLJAR ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0477 3740 GLJAR ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0493 3740 LNCLZKSLCM ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0493 3740 LNCLZKSLCM ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0493 3740 VCOQNW ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0493 3740 VCOQNW ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0493 3740 WVYYDMDLSBUEMDH ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0493 3740 WVYYDMDLSBUEMDH ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0508 3740 ZKY ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0508 3740 ZKY ( UnsignedFile.Multi.Generic ) - User select action: Skip
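The TDSSKiller lines quoted above and the ComboFix CFScript used later in this thread share a simple structure, so here is an added helper (not part of the forum post or of either tool) that pulls the service names carrying a given verdict out of TDSSKiller log lines and renders a File::/Driver:: CFScript for the entries an analyst has confirmed. The sample log and the file paths in it are constructed for the example; the real file paths would come from the ComboFix log, as they did in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the same format as the TDSSKiller lines quoted in the post.
# The last line is a made-up signed-driver line that must NOT be picked up.
SAMPLE_LOG = """\
10:56:24.0477 3740 AHKA ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0477 3740 AHKA ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0493 3740 VCOQNW ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0493 3740 VCOQNW ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:25.0100 3740 aswSnx ( OK ) - signed driver (constructed line)
"""

# time  pid  service  ( verdict )  - message
LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(\S+)\s+\(\s*(\S+)\s*\)\s+-\s+(.*)$"
)


def flagged_services(log_text: str, verdict: str = "UnsignedFile.Multi.Generic") -> List[str]:
    """Return the unique service names (first-seen order) that carry `verdict`.

    Each TDSSKiller detection appears twice (detection + chosen action), so the
    names are de-duplicated while preserving the order they were logged in.
    """
    seen: Dict[str, None] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == verdict:
            seen.setdefault(m.group(3), None)
    return list(seen)


def build_cfscript(entries: List[Tuple[str, str]]) -> str:
    """Render a ComboFix CFScript: a File:: block of paths, then a Driver:: block of
    service names, one per line, exactly as the scripts in this thread are laid out."""
    paths = [path for path, _service in entries]
    services = [service for _path, service in entries]
    return "\n".join(["File::", *paths, "Driver::", *services]) + "\n"


if __name__ == "__main__":
    names = flagged_services(SAMPLE_LOG)            # ['AHKA', 'VCOQNW']
    # Constructed pairing; in practice the path is taken from the ComboFix log entry.
    temp = r"c:\users\norm\AppData\Local\Temp"
    print(build_cfscript([(f"{temp}\\{n}.exe", n) for n in names]))
```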
-
TDSSKiller comes back clean, but HijackThis still won't run (attached), and RootkitBuster still reports malware, I know some of it is false, and Rootkit revealer still won't run (It runs fine on a clean machine).
-
Those files did not show in the TDSSKiller re-run ?
Have you right clicked Hijackthis and selected run as Admin ?
-
They didn't show up in TDSSkiller.
Run as administrator doesn't make any difference in HijackThis.
-
OK lets see if Combofix will see them
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
I've tried every way I can think of to run HijackThis. I've used it for several years and never had a problem before.
Here's the TDSSKiller log:
Whatever this is, the more I'm online the worse it gets. I reformatted the HDD, changed the RAM, and disconnected the BIOS battery. I don't see how it's possible, but this bug has to be in flash memory somewhere.
If we can't find it soon, a used MOBO is only $30.00 although I hate to give in. I'd like to thank you for your patience and help, I can see from the forum that you're very busy.
Thanks again.
-
Weird they are not there... Did you run Combofix ?
Also Hijackthis is no longer relevant with the current malware especially 64 bit systems
-
Here is the HijackThis log. I think whatever is on this PC, it's keeping Hijackthis from going past #23.
Reading other posts on this forum, I can see how busy you are, so I think I'll buy another M/B for $30.00 and admit defeat. I use this machine for ham radio logging and need it.
If you have any further ideas, let me know.
If I leave this on the internet, It becomes almost unusable.
Thanks for your help, I've learned a lot.
-
23 is the last HJT entry http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/#O24Diag
For malware to enter the BIOS is something I have not yet come across
My final idea would be to run Combofix to see if it can locate any suspect drivers
-
Now, when I try to do almost anything, a dialog box says "Illegal operation attempted on a registry key that has been marked for deletion" or "Unspecified error". I did get ComboFix to run before it got too bad.
-
A reboot will cure that, Combofix failed to release the registry
OK combofix saw them
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\users\norm\AppData\Local\Temp\QXZYMYYPCG.exe
c:\users\norm\AppData\Local\Temp\SQKJFMCSF.exe
c:\users\norm\AppData\Local\Temp\XCPIQEYC.exe
c:\users\norm\AppData\Local\Temp\YVD.exe
Driver::
QXZYMYYPCG
SQKJFMCSF
XCPIQEYC
YVD
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
-
I ran ComboFix twice. I hope that's not counterproductive.
-
Did you create the CFScript text file and drag and drop onto the combofix icon ? As combofix is not reporting that as happening
-
I think I got it right this time.
-
Two more
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\users\norm\AppData\Local\Temp\ESFODCY.exe
c:\users\norm\AppData\Local\Temp\LLT.exe
Driver::
ESFODCY
LLT
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
-
Here's the latest.
-
OK that appears to be all the bad drivers. Is there any change in the computer ?
-
It seems much better, Rootkit revealer still won't run (it does on another laptop) and RootkitBuster found two errors and deleted them, but still displays mythical errors. I know they're not real, but the fact that they're still there bothers me.
Correction: Rootkit revealer does NOT run on a Win 7 machine---My error.
-
Operating System Hook ZwAddBootEntry; hooked by C:\Windows\System32\Drivers\aswSnx.SYS
Is this the rootkit buster one you are concerned about ? As it is the Avast sandbox
-
Well, I'll guardedly say we may have fixed this PC. The only problem I still have is that I had the HDD out and reformatted it with/u, replaced the system RAM with a new stick, removed the motherboard and took the BIOS battery out and this malware was still there. I did all this twice to be sure. It will be a while until I put anything important on here, but it's been working properly most of the day.
I'd like to thank you for all your help, time and effort and expertise. You've done me a great favor. If you ever have any Ham radio questions, be sure to ask.
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go to Start > All programs > Accessories > System Tools
- Right click Disc cleanup and select run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave: