Author Topic: Back Door Trojan has Hijacked my computer!!  (Read 14290 times)


phydron

  • Guest
Re: Back Door Trojan has Hijacked my computer!!
« Reply #15 on: September 20, 2012, 10:34:30 PM »
They didn't show up in TDSSkiller.

Run as administrator doesn't make any difference in Hijackthis.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Back Door Trojan has Hijacked my computer!!
« Reply #16 on: September 20, 2012, 11:26:35 PM »
OK, let's see if Combofix will see them

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

phydron

  • Guest
Re: Back Door Trojan has Hijacked my computer!!
« Reply #17 on: September 21, 2012, 03:38:46 AM »
I've tried every way I can think of to run HijackThis. I've used it for several years and never had a problem before.

Here's the TDSSKiller log:

Whatever this is, the more I'm online the worse it gets. I reformatted the HDD, changed the RAM, and disconnected the BIOS battery. I don't see how it's possible, but this bug has to be in flash memory somewhere.

If we can't find it soon, a used MOBO is only $30.00 although I hate to give in. I'd like to thank you for your patience and help, I can see from the forum that you're very busy.

Thanks again.

Offline essexboy

Re: Back Door Trojan has Hijacked my computer!!
« Reply #18 on: September 21, 2012, 02:38:26 PM »
Weird, they are not there... Did you run Combofix?

Also, Hijackthis is no longer relevant with the current malware, especially 64 bit systems

phydron

  • Guest
Re: Back Door Trojan has Hijacked my computer!!
« Reply #19 on: September 21, 2012, 03:31:10 PM »
Here is the HijackThis log. I think whatever is on this PC, it's keeping Hijackthis from going past #23.

Reading other posts on this forum, I can see how busy you are, so I think I'll buy another M/B for $30.00 and admit defeat. I use this machine for ham radio logging and need it.

If you have any further ideas, let me know.

If I leave this on the internet, it becomes almost unusable.

Thanks for your help, I've learned a lot.

Offline essexboy

Re: Back Door Trojan has Hijacked my computer!!
« Reply #20 on: September 21, 2012, 03:49:39 PM »
23 is the last HJT entry http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/#O24Diag

For malware to enter the BIOS is something I have not yet come across

My final idea would be to run Combofix to see if it can locate any suspect drivers

phydron

  • Guest
Re: Back Door Trojan has Hijacked my computer!!
« Reply #21 on: September 22, 2012, 12:41:12 AM »
Now, when I try to do almost anything, a dialog box says "Illegal operation attempted on a registry key that has been marked for deletion" or "Unspecified error". I did get ComboFix to run before it got too bad.

Offline essexboy

Re: Back Door Trojan has Hijacked my computer!!
« Reply #22 on: September 22, 2012, 01:24:33 PM »
A reboot will cure that, Combofix failed to release the registry

OK combofix saw them

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Quote
File::
c:\users\norm\AppData\Local\Temp\QXZYMYYPCG.exe
c:\users\norm\AppData\Local\Temp\SQKJFMCSF.exe
c:\users\norm\AppData\Local\Temp\XCPIQEYC.exe
c:\users\norm\AppData\Local\Temp\YVD.exe

Driver::
QXZYMYYPCG
SQKJFMCSF
XCPIQEYC
YVD

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


phydron

  • Guest
Re: Back Door Trojan has Hijacked my computer!!
« Reply #23 on: September 22, 2012, 04:28:57 PM »
I ran ComboFix twice. I hope that's not counterproductive.

Offline essexboy

Re: Back Door Trojan has Hijacked my computer!!
« Reply #24 on: September 22, 2012, 04:40:25 PM »
Did you create the CFScript text file and drag and drop it onto the combofix icon? As combofix is not reporting that as happening

phydron

  • Guest
Re: Back Door Trojan has Hijacked my computer!!
« Reply #25 on: September 22, 2012, 05:41:30 PM »
I think I got it right this time.

Offline essexboy

Re: Back Door Trojan has Hijacked my computer!!
« Reply #26 on: September 22, 2012, 06:16:11 PM »
Two more

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Quote
File::
c:\users\norm\AppData\Local\Temp\ESFODCY.exe
c:\users\norm\AppData\Local\Temp\LLT.exe

Driver::
ESFODCY
LLT

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
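
Added example, not part of the original thread and not Combofix's own logic: both CFScripts above pair a `Driver::` name with an `.exe` of the same name in the user's Temp folder, so this sketch triages service registrations (name, `Type`, `ImagePath`) for that pattern. The `\??\` prefixes, the `Type` values and every entry other than YVD and LLT are constructed assumptions.

```python
"""Flag Windows service/driver registrations whose image lives in a temp directory."""

# "Type" values stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>
DRIVER_TYPES = {0x1: "kernel driver", 0x2: "file system driver"}

# Lower-case path fragments for directories that unprivileged code can write to.
WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def image_file(image_path):
    """Reduce an ImagePath value to a lower-case file path without arguments."""
    p = image_path.strip()
    if p.startswith('"'):            # quoted path followed by arguments
        p = p[1:].split('"', 1)[0]
    p = p.lower()
    if p.startswith("\\??\\"):       # NT object-manager prefix used by drivers
        p = p[4:]
    return p


def triage(services):
    """Return (name, kind, path, odd_extension) for entries loading from temp dirs."""
    findings = []
    for name, svc_type, image_path in services:
        path = image_file(image_path)
        if not any(d in path for d in WRITABLE_DIRS):
            continue
        kind = DRIVER_TYPES.get(svc_type, "user-mode service")
        # A driver image is normally a .sys file; the thread's entries were .exe.
        odd_extension = svc_type in DRIVER_TYPES and not path.endswith(".sys")
        findings.append((name, kind, path, odd_extension))
    return findings


# Constructed sample: YVD and LLT reuse names/paths from the thread, the rest is made up.
SAMPLE = [
    ("YVD", 0x1, r"\??\C:\Users\norm\AppData\Local\Temp\YVD.exe"),
    ("LLT", 0x1, r"\??\c:\users\norm\AppData\Local\Temp\LLT.exe"),
    ("Tcpip", 0x1, r"System32\drivers\tcpip.sys"),
    ("ExampleUpdater", 0x10, r'"C:\Users\norm\AppData\Local\Temp\updater.exe" /svc'),
    ("ExampleFilter", 0x2, r"\??\C:\Windows\Temp\exflt.sys"),
]

if __name__ == "__main__":
    for name, kind, path, odd in triage(SAMPLE):
        print(f"{name:15} {kind:20} {path}{'  [not .sys]' if odd else ''}")
```
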


phydron

  • Guest
Re: Back Door Trojan has Hijacked my computer!!
« Reply #27 on: September 22, 2012, 08:00:31 PM »
Here's the latest.

Offline essexboy

Re: Back Door Trojan has Hijacked my computer!!
« Reply #28 on: September 22, 2012, 09:02:39 PM »
OK, that appears to be all the bad drivers. Is there any change in the computer?

phydron

  • Guest
Re: Back Door Trojan has Hijacked my computer!!
« Reply #29 on: September 22, 2012, 11:01:00 PM »
It seems much better, Rootkit revealer still won't run (it does on another laptop) and RootkitBuster found two errors and deleted them, but still displays mythical errors. I know they're not real, but the fact that they're still there bothers me.

Correction: Rootkit revealer does NOT run on a Win 7 machine---My error.
« Last Edit: September 22, 2012, 11:23:05 PM by phydron »