Solved

Stubborn spyware - process: 3188766420:726265665.exe

Posted on 2011-09-22
14
Medium Priority
388 Views
Last Modified: 2012-05-12
When I first saw this computer (win xp) it was in the state such that all the icons and files were hidden.

I ran rkill until I could run malwarebytes and removed a few things and then ran the unhide utility to restore the desktop, start menu and hard drive files.  Everything seemed pretty normal at this time.

When I restarted everything seemed fine but after about 15 minutes something strange happens where programs are running and if a window is active you can work in it but the taskbar stops functioning, you can't restore a window and you can't do ctrl-alt-del.

I was surprised by this.  I thought the issue had been resolved.  After restarting I can see that there is a suspicious process 3188766420:726265665.exe which I cannot terminate by end process or end process tree.

I continued working on it, have run malwarebytes a few more times and it usually comes up clean or it found one thing when running in safe mode as administrator but that didn't remove this process after restart.

I searched through the registry for 3188766420 and found 3 instances and removed them.  Now the registry search is clean but still this process returns after every restart.  Except if I start into safe mode as the normal user or as administrator the process does not run.

I will wipe the computer next but other than this it is in perfect condition and it will be a bit of work to do it and get it set back up.  I also thought about trying to create another user account.  But I think that since it isn't running in safe mode I should be able to get rid of this.

I haven't found anything about this specific problem and it is unusual in the sense that it doesn't give any name to define it by except for that strange process.  

The last time I ran malwarebytes in safe mode it found one trojan in a location related to java installation.

Anyway I am just putting it out here if anyone knows anything about this problem I will appreciate any insight.

Thanks and best regards,

Sky
0
Question by:Schuyler Kuhl
14 Comments
 
LVL 23

Expert Comment

by:phototropic
ID: 36579718
I would check in msconfig for any unknown startups or services.  Try disabling all startups and non-Microsoft services, reboot, and see if the problem goes away.  If it does, re-enable startups one at a time until you find the culprit.  Start by re-enabling your AV software.
0
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 36579730
Can you run RKill first? Allow it to shut down any other processes it considers hostile and then run a full scan with malwarebytes MBAM.  Don't reboot after RKill until MBAM has finished its scan and you've done any necessary clean-up.
0
 

Author Comment

by:Schuyler Kuhl
ID: 36579733
I've turned everything except for kaspersky av and malwarebytes off in the startup tab of msconfig.
0
 

Author Comment

by:Schuyler Kuhl
ID: 36579737
that is how I used rkill.  I did it again yesterday.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 2000 total points
ID: 36579753
Try ComboFix and also TDSSKiller. Show us the logs, especially the CF log.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 36579756
And you're running the clean up in Normal (not Safe) mode?
Was there a path to the file in the registry?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36579760
Are the scanners able to run in normal mode or only in safe mode?
0
 

Author Comment

by:Schuyler Kuhl
ID: 36579769
At first I was running it in normal mode.  Yesterday I ran malwarebytes in safe mode.  

Regarding the registry, I didn't write down what I deleted.
0
 

Author Comment

by:Schuyler Kuhl
ID: 36579775
Everything works fine in normal mode.  For about 15 minutes or so and then the task bar becomes disabled and obviously something is wrong.

I will use combo fix today.  Thanks for that recommendation.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36579861
If ComboFix won't run or run and then stops, run TDSSKiller first followed by ComboFix.
This looks like the new ZA rootkit based on the ADS process --> process: 3188766420:726265665.exe

CF is supposed to be able to take care of it most of the time but sometimes can't.
0
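The comment above points at the colon in the process name: on NTFS a name of the form `host:stream` denotes an alternate data stream (ADS), so `3188766420:726265665.exe` is an executable stream attached to a file named `3188766420`, which is also why the registry search in the question turned up that number. A legitimate image name in a process list never contains a colon, which makes this cheap to flag. The following Python script is an added example, not code from the thread or from any of the tools it names; it parses a constructed `tasklist /fo csv` listing (the sample lines are made up, only the ADS-style name is the one reported in the question) and returns the processes whose image name is ADS-shaped, splitting them into host file and stream so an analyst knows which file to look at.

```python
import csv
import io
import re

# Constructed sample of `tasklist /fo csv` output; not captured from the
# machine in the thread. The ADS-style image name is the one reported above.
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"explorer.exe","1528","Console","0","22,540 K"
"3188766420:726265665.exe","1764","Console","0","3,812 K"
"avp.exe","1236","Console","0","15,100 K"
'''

# An ADS-hosted image looks like <hostfile>:<streamname> with no path separators.
# A drive-qualified path such as C:\Windows\foo.exe has a backslash right after
# the colon and is excluded by the character classes.
ADS_IMAGE_RE = re.compile(r'^[^\\/:]+:[^\\/:]+$')


def parse_tasklist_csv(text):
    """Turn `tasklist /fo csv` output into a list of {'image', 'pid'} dicts."""
    reader = csv.DictReader(io.StringIO(text))
    return [{"image": row["Image Name"], "pid": int(row["PID"])} for row in reader]


def is_ads_hosted(image_name):
    """True when the image name has the NTFS host:stream shape."""
    return bool(ADS_IMAGE_RE.match(image_name))


def split_ads_name(image_name):
    """Split 'host:stream' into (host file name, stream name)."""
    host, _, stream = image_name.partition(":")
    return host, stream


def find_ads_hosted_processes(text):
    """Return [(image name, pid)] for every ADS-shaped image in the listing."""
    return [(p["image"], p["pid"])
            for p in parse_tasklist_csv(text)
            if is_ads_hosted(p["image"])]


if __name__ == "__main__":
    for image, pid in find_ads_hosted_processes(SAMPLE_TASKLIST_CSV):
        host, stream = split_ads_name(image)
        print(f"PID {pid}: stream '{stream}' hosted in file '{host}'")
```

On a live machine the same function can be fed the real output of `tasklist /fo csv`; the host file name it reports is the string worth searching for in the registry and on disk, which matches what the question's author did by hand.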
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 36580066
Scan it offline with the Microsoft System Sweeper: http://connect.microsoft.com/systemsweeper
0
 

Author Comment

by:Schuyler Kuhl
ID: 36580272
Ok thanks a lot for the details. I will try these things today.  Thank you.
0
 

Author Comment

by:Schuyler Kuhl
ID: 36589819
When I ran tdsskiller it found two problems and I deleted them.

Upon restart 3188766420:726265665.exe is no longer in the process list.  That may be a good sign.

I think I will monitor it a bit before running combo fix.

It could be resolved, we will see.

Thanks very much.

Sky
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36890953
Glad to know the issue seems to be resolved.
Thanks.
0
