Eset calls it: "a variant of MSIL/Kryptik.DFE", Ikarus calls i



#1 Ross Dorn (New Member, 7 posts)

VirusTotal tells me I have a virus. Eset calls it: "a variant of MSIL/Kryptik.DFE", Ikarus calls it: "Trojan.MSIL.Crypt".
The file calls itself explorer 64.exe.

I found it in CCleaner in the "Start up items" list, and there are two folders in C:\ProgramData called 639228 and 639328.


It no longer lets me access System Restore, and Avira seems to have been removed. After booting I get a pop-up called OCRA telling me: Failed to create file:
C:\Users........\windows\security.rb


So I tried to clean-install Win 7, but no mouse works when I boot from the CD... I cannot get beyond the first page, as I cannot click on Next....
Any suggestions?

 

Thanks, RD
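A read-only check for the kind of auto-start entry described in this post (an executable launched from C:\ProgramData, possibly from a numeric-only folder, or one whose name imitates a Windows binary such as "explorer 64.exe"), added here as an example; it is not from the thread or from any of the tools mentioned in it. It assumes an elevated PowerShell prompt, and the list of imitated binary names is illustrative.

```powershell
# Added example (not from the thread): audit the common auto-start locations for
# entries like the one in post #1: an executable run from C:\ProgramData (in particular
# a numeric-only folder) or whose name imitates a Windows binary ("explorer 64.exe").
# Run from an elevated PowerShell prompt; nothing is deleted or changed.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$startupDirs = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
# Windows binary names that malware commonly imitates (illustrative list, not exhaustive).
$mimicked = 'explorer', 'svchost', 'csrss', 'lsass', 'winlogon', 'services'

function Test-SuspiciousAutostart {
    param([string]$Command)
    # Recover the executable path: a quoted path, or everything up to the first ".exe".
    $exe = $Command.Trim()
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($Command -match '(?i)^(.+?\.exe)') { $exe = $Matches[1] }
    $reasons = @()
    if ($exe -match '(?i)^[A-Z]:\\ProgramData\\\d+\\') { $reasons += 'runs from a numeric folder under ProgramData' }
    elseif ($exe -match '(?i)^[A-Z]:\\ProgramData\\') { $reasons += 'runs from ProgramData' }
    $base = [IO.Path]::GetFileNameWithoutExtension($exe)
    foreach ($m in $mimicked) {
        # A system name padded with spaces, digits, "_" or "-", e.g. "explorer 64", "svchost_1".
        if ($base -match ('(?i)^' + [regex]::Escape($m) + '[\s_\-0-9]+$')) { $reasons += "name imitates $m.exe" }
    }
    # Only absolute paths outside C:\Windows get the file and signature checks.
    if ($exe -match '(?i)^[A-Z]:\\' -and $exe -notmatch '(?i)^[A-Z]:\\Windows\\') {
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
        } else { $reasons += 'target file missing (deleted or hidden)' }
    }
    return $reasons
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        $why = Test-SuspiciousAutostart -Command $value
        if ($why) { "{0}\{1} = {2}`n    {3}" -f $key, $name, $value, ($why -join '; ') }
    }
}
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $why = Test-SuspiciousAutostart -Command $_.FullName
        if ($why) { "{0}`n    {1}" -f $_.FullName, ($why -join '; ') }
    }
}
```

The output lists each flagged entry with the reasons it was flagged; an entry with a valid signature from a vendor folder is normal, one from a numeric ProgramData folder with no signature is what the FRST and RogueKiller logs requested below would also surface.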


#2 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)

Hi Ross Dorn,

Welcome to Geeks to Go. My name is dbreeze and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at Geeks to Go are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date. That being said, please notice the following Geeks to Go rule:
  • Posts that are not replied to in four (4) days will result in the topic being closed. We have not forgotten you; this is just an effort to keep the boards organized and flowing. To continue on your closed topic, please PM me or any Moderator to have the topic reactivated. If, at any time during our working together, I have not responded to you in 2 days (48 hours), then please PM me.
  • Malware removal is a complex, multiple step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


- Save ALL Tools to your Desktop-

 

All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.

NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.
 

Quoted from and used by permission of BrianDrab. Thank you.


Let's get started....

Can you still boot your system normally? If so, please run the scans below. If you cannot boot normally, come back and tell me; we will back up and attack it a different way.

FIRST >>>
 
Please download Farbar Recovery Scan Tool 64bit and save it to your Desktop.

  • Right click the FRST file on your desktop and select "Run as Administrator..." (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • If an update is available, the program will inform you and download the update. Allow it to do this, please.
  • Once the tool shows "The tool is ready to use." message, please press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

 

SECOND >>>>

Please scan your system with RogueKiller. Do not delete / remove anything yet just scan the system.

  • Download RogueKiller (by tigzy) on to your desktop
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until the Prescan has finished ...
  • Click on Scan. Once finished, click on Report

Please post the contents of the RKreport.txt in your next Reply.


#3 Ross Dorn (Topic Starter, 7 posts)


The problem is that the computer no longer allowed me to download any AV software. RogueKiller was one of the first ones I tried, after MBAM and Stinger. The download requests are immediately cancelled, I assume by the virus; several other functions like System Restore are also disabled. As is "run as admin": any attempt will without exception bring a popup telling me I have no authority for this.

Normal or safe mode, makes no difference either.

 

I did try to install Win 7 fresh on top of the old Win 7 on the SSD, which would be reformatted by this, but it was not possible. I tried Win 7, Win 8 and even Win XP, but as soon as the first screen is there that asks me to choose or confirm something, I have to accept that there is no mouse or keyboard function, there is no cursor!

 

What eventually worked was an installation of Linux Mint. Mouse, keyboard and cursor had no problem there at all, it works fine. I again tried to install my three Win versions, but even though the SSD had probably been reformatted for Linux, still no mouse, no cursor, no keyboard.

I do not know too much about computers, but does that mean the virus must have gone deeper than the OS?

 

I disconnected the SSD and tried to install Win 7 on the old HDD, which I use for storage in the computer. (I had disconnected this HDD when the problem started.) Even there, where there was no OS installation at all, the same problem: no mouse, no cursor, no keyboard, no way for input....

 

Anything I can do now?

 

Thanks, RD


#4 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)


Check that your BIOS settings have not been changed.


#5 Ross Dorn (Topic Starter, 7 posts)


"Check that your BIOS settings have not been changed"

 

Thank you, but....

 

I am sorry, can you be more specific?

I did check the USB options, and they were all enabled..


#6 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)


When you boot your system, most computers' BIOS will show a brief access to check the BIOS settings; on some laptops it may be the ESC key or F2 or F12 pressed right after pressing the power button.


#7 Ross Dorn (Topic Starter, 7 posts)


change of problem...

 

I did update the BIOS, but there was no difference... So I decided to wipe the whole disc.

 

I installed Parted Magic, and it seems to have found the cause of all the symptoms: there is an 8GB partition on the SSD "unallocated", and it cannot be deleted, removed or wiped, even by Parted Magic. It is probably a partition that was created by the virus, and even after formatting the drive and installing Linux, it is still there.

 

When Parted Magic is supposed to erase the whole disc, a popup appears stating that the drive's Security state is frozen, and the Security Erase command cannot be performed. P.M. tried to place the system into sleep mode, but this does not work....

 

Do you have any idea how I can wipe the whole disc including the suspect partition?


#8 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)


Ah, I see what you mean. Unfortunately, I am not a hardware wizard, but we do have some members here that are. I suggest that you start a topic at the Hardware, Components and Peripherals board located here. You can link this thread to your new one for reference if you would like. Good luck and let me know how things progress for you.

 


#9 Ross Dorn (Topic Starter, 7 posts)


Thank you for your help and your patience.

Sorry to have wasted so much of your time, but it took a while to find the problem.


#10 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)


You did not waste my time; I am always happy to help where and when I can. Good luck.


#11 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
