Solved

Stubborn spyware - process: 3188766420:726265665.exe

Posted on 2011-09-22
14
369 Views
Last Modified: 2012-05-12
When I first saw this computer (win xp) it was in the state such that all the icons and files were hidden.

I ran rkill until I could run malwarebytes and removed a few things and then ran the unhide utility to restore the desktop, start menu and hard drive files.  Everything seemed pretty normal at this time.

When I restarted everything seemed fine but after about 15 minutes something strange happens where programs are running and if a window is active you can work in it but the taskbar stops functioning, you can't restore a window and you can't do ctrl-alt-del.

I was surprised by this.  I hought the issue had been resolved.  After restarting I can see that there is a suspicious process 3188766420:726265665.exe which I cannot terminate by end process or end process tree.

I continued working on it, have run malwarebytes a few more times and it usually comes up clean or it found one thing when running in safe mode as administrator but that didn't remove this process after restart.

I searched through the registry for 3188766420 and found 3 instances and removed them.  Now the registry search is clean but still this process returns after every restart.  Except if I start into safe mode as the normal user or as administrator the process does not run.

I will wipe the computer next but other than this it is in perfect condition and it will be a bit of work to do it and get it set back up.  I also thought about trying to create another user account.  But I think that since it isn't running in safe mode I should be able to get rid of this.

I haven't found anything about this specific problem and it is unusual in the sense that it doesn't give any name to define it by except for that strange process.  

The last time I ran malwarebytes in safe mode it found one trojan in a location related to java installation.

Anyway I am just putting it out here if anyone knows anything about this problem I will appreciate any insight.

Thanks and best regards,

Sky
0
Comment
Question by:skykuhl
  • 6
  • 4
  • 2
  • +2
14 Comments
 
LVL 23

Expert Comment

by:phototropic
ID: 36579718
I would check in msconfig for any unknown startups or services.  Trty disabling all startups and non-microsoft services, reboot, and see if the problem goes away.  If it does, re-enable startups one at a trime until you find the culprit.  Start by re-enabling your av software.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 36579730
Can you run RKill first? Allow it to shut down any other processes it considers hostile and then run a full scan with malwarebytes MBAM.  Don't reboot after RKill until MBAM has finished its scan and you've done any necessary clean-up.
0
 

Author Comment

by:skykuhl
ID: 36579733
I've turned everything except for kaspersky av and malwarebytes off in the startup tab of msconfig.
0
 

Author Comment

by:skykuhl
ID: 36579737
that is how I used rkill.  I did it again yesterday.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 36579753
Try ComboFix and also TDSSKiller. Show us the logs specially the CF log.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 36579756
And you're running the clean up in Normal (not Safe) mode?
Was there a path to the file in the registry?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36579760
Are the scanners able to run in normal mode or only in safe mode?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:skykuhl
ID: 36579769
At first I was running it in normal mode.  Yesterday I ran malwarebytes in safe mode.  

Regarding the registry, I didn't write down what I deleted.
0
 

Author Comment

by:skykuhl
ID: 36579775
Everything works fine in normal mode.  For about 15 minutes or so and then the task bar becomes disabled and obviously something is wrong.

I will use combo fix today.  Thanks for that recommendation.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36579861
If ComboFix won't run or run and then stops, run TDSSKiller first followed by ComboFix.
This looks like the new ZA rootkit based on the ADS process --> process: 3188766420:726265665.exe

CF supposed to be able to take care of it most of the time but sometimes can't.
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 36580066
Scan it offline with the Microsoft System Sweeper: http://connect.microsoft.com/systemsweeper
0
 

Author Comment

by:skykuhl
ID: 36580272
Ok thanks a lot for the details. I will try these things today.  Thank you.
0
 

Author Comment

by:skykuhl
ID: 36589819
When I ran tdsskiller it found two problems and I deleted them.

Upon restart 3188766420:726265665.exe is no longer in the process list.  That may be a good sign.

I think I will monitor it a bit before running combo fix.

It could be resolved, we will see.

Thanks very much.

Sky
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36890953
Glad to know the issue seems to be resolved.
Thanks.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Operating system developers such as Microsoft (https://www.microsoft.com) and Apple have made incredible strides in virus protection over the past decade. Operating systems come packaged with built in defensive tools such as virus protection and a f…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now