Back Door Trojan has Hijacked my computer!!

I have a Dell Mini that has downloaded a trojan: HEUR.BackDoor.Win64.Generic as reported by Kaspersky Security Scan.
I haven’t been able to run any other scans. Before this scan, I removed the BIOS battery for 30 mins., replaced the HDD, upgraded the RAM, reinstalled WIN7 Starter, and the virus was still there. I tried to run sysclean, but it wouldn’t load.
aswMBR loads definitions, then says: Initialize error c000010E-driver not loaded. HijackThis won’t run, nor will any other scan, and now Kaspersky Security Scan won’t load.
Can anyone tell me where to begin?

follow the guide and attach the logs. http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

The only way I can gain access to this machine is to reformat the HDD and remove the BIOS battery.
Is there an easier way?

Thanks

Are you able to get into windows to run a programme ?

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better Smartscreen Filter will need to be disabled

[*] Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

[*] The report has been created on the desktop.

[*] Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

[*] The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Here are the files I could get. Malwarebytes wouldn’t run, I got a runtime 0 error message. I downloaded it twice, with the same result.

Here are the rest:

The RootkitBuster is just for WIW.

I have many more RKReport files if you want them.

Could you tell me exactly what the current problems are?

Also delete your current copy of OTL and download the latest version

Download OTL to your Desktop

[*] Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*] Select All Users
[*] Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
CREATERESTOREPOINT

[*] Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
[*] When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*] Post both logs

Here are the logs you requested:

I hope this is what you wanted, I couldn’t find the “attach” file anywhere.

Thanks for what you do, it’s really appreciated.

At the moment I am seeing no evidence of malware… What problems are you experiencing ?

No rootkit scanners can run, HijackThis halts after ten or twelve lines. I can’t stop my internet connection for more than five minutes without it beginning again, my SD card gets harder and harder to access, until it won’t read it at all.

This computer isn’t worth the time we’ve put into it, but I hate to see them win.

Here are a few screen captures, Win7 Starter doesn’t come with a capture program.

OK, let’s check the MBR and service files

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*] Double-click on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*] Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*] Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*] Click the Start Scan button.

[*] If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*] If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*] Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*] Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*] Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Here’s the log you requested:

I’m not sure this is a MBR infection. I replaced the HDD with a new, clean one, replaced the RAM, disconnected the BIOS battery. The only place a virus could exist under those conditions is the chipset or CPU, I guess.

Whatever is in this won’t let me boot from anything external. Do you have any idea how to defeat that?

Thanks

Now this is intriguing, as none of the other scans detected these. These files will be placed in the TDSSKiller quarantine. Once they are there, could you scan them with Avast please and let me know the result?

Run TDSSKiller again with the same parameters and select delete for the following :

10:56:24.0477 3740 AHKA ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0477 3740 AHKA ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0477 3740 GLJAR ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0477 3740 GLJAR ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0493 3740 LNCLZKSLCM ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0493 3740 LNCLZKSLCM ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0493 3740 VCOQNW ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0493 3740 VCOQNW ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0493 3740 WVYYDMDLSBUEMDH ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0493 3740 WVYYDMDLSBUEMDH ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0508 3740 ZKY ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0508 3740 ZKY ( UnsignedFile.Multi.Generic ) - User select action: Skip
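As an added example (not from this thread or from TDSSKiller itself), a small Python script that parses log lines in the shape quoted above and reports which flagged objects were left at Skip, so a re-run can be compared against the first log. The line format is assumed from the excerpt; the QQQQ entry is a constructed sample showing a Delete action.

```python
import re
from collections import OrderedDict

# Line shape assumed from the TDSSKiller excerpt in the thread:
#   <timestamp> <pid> <object name> ( <detection> ) - <status text>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"\(\s*(?P<detection>[^)]+?)\s*\)\s+-\s+(?P<status>.+)$"
)
ACTION_RE = re.compile(r"User select action:\s*(?P<action>\w+)")


def parse_tdsskiller(text):
    """Map object name -> {detection, action, events} in log order.

    Both lines for one object ("skipped by user" and "User select action: ...")
    are folded into one entry; the last recorded action wins."""
    objects = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # progress / summary lines without a "( detection )" part
        entry = objects.setdefault(
            m["name"], {"detection": m["detection"], "action": None, "events": []}
        )
        entry["events"].append(m["status"])
        a = ACTION_RE.search(m["status"])
        if a:
            entry["action"] = a["action"]
    return objects


def still_skipped(objects):
    """Names whose chosen action is Skip, i.e. objects still on disk after the scan."""
    return [n for n, e in objects.items() if e["action"] == "Skip"]


# Constructed sample: two objects from the thread's excerpt plus a made-up
# QQQQ object whose action was set to Delete, and one line of another shape.
SAMPLE_LOG = """\
10:56:24.0477 3740 AHKA ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0477 3740 AHKA ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0477 3740 GLJAR ( UnsignedFile.Multi.Generic ) - skipped by user
10:56:24.0477 3740 GLJAR ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:56:24.0520 3740 QQQQ ( UnsignedFile.Multi.Generic ) - User select action: Delete
10:56:25.0000 3740 Scan finished
"""

if __name__ == "__main__":
    objs = parse_tdsskiller(SAMPLE_LOG)
    for name, e in objs.items():
        print(f"{name:<16} {e['detection']:<28} action={e['action']}")
    print("still skipped:", ", ".join(still_skipped(objs)))
```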

TDSSKiller comes back clean, but HijackThis still won’t run (attached), and RootkitBuster still reports malware, I know some of it is false, and RootkitRevealer still won’t run (it runs fine on a clean machine).

Those files did not show in the TDSSKiller re-run?

Have you right-clicked HijackThis and selected Run as Admin?

They didn’t show up in TDSSKiller.

Run as administrator doesn’t make any difference in HijackThis.

OK, let’s see if Combofix will see them

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*] Double click on ComboFix.exe & follow the prompts.
[*] Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*] When finished, it shall produce a log for you.
[*] Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the Combofix log in your next reply, as well as describing how your computer is running now.

I’ve tried every way I can think of to run HijackThis. I’ve used it for several years and never had a problem before.

Here’s the TDSSKiller log:

Whatever this is, the more I’m online the worse it gets. I reformatted the HDD, changed the RAM, and disconnected the BIOS battery. I don’t see how it’s possible, but this bug has to be in flash memory somewhere.

If we can’t find it soon, a used MOBO is only $30.00 although I hate to give in. I’d like to thank you for your patience and help, I can see from the forum that you’re very busy.

Thanks again.

Weird they are not there… Did you run Combofix?

Also, HijackThis is no longer relevant with current malware, especially on 64-bit systems

Here is the HijackThis log. I think whatever is on this PC, it’s keeping HijackThis from going past #23.

Reading other posts on this forum, I can see how busy you are, so I think I’ll buy another M/B for $30.00 and admit defeat. I use this machine for ham radio logging and need it.

If you have any further ideas, let me know.

If I leave this on the internet, it becomes almost unusable.

Thanks for your help, I’ve learned a lot.