Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Stubborn spyware - process: 3188766420:726265665.exe

Posted on 2011-09-22
14
377 Views
Last Modified: 2012-05-12
When I first saw this computer (win xp) it was in the state such that all the icons and files were hidden.

I ran rkill until I could run malwarebytes and removed a few things and then ran the unhide utility to restore the desktop, start menu and hard drive files.  Everything seemed pretty normal at this time.

When I restarted everything seemed fine but after about 15 minutes something strange happens where programs are running and if a window is active you can work in it but the taskbar stops functioning, you can't restore a window and you can't do ctrl-alt-del.

I was surprised by this.  I hought the issue had been resolved.  After restarting I can see that there is a suspicious process 3188766420:726265665.exe which I cannot terminate by end process or end process tree.

I continued working on it, have run malwarebytes a few more times and it usually comes up clean or it found one thing when running in safe mode as administrator but that didn't remove this process after restart.

I searched through the registry for 3188766420 and found 3 instances and removed them.  Now the registry search is clean but still this process returns after every restart.  Except if I start into safe mode as the normal user or as administrator the process does not run.

I will wipe the computer next but other than this it is in perfect condition and it will be a bit of work to do it and get it set back up.  I also thought about trying to create another user account.  But I think that since it isn't running in safe mode I should be able to get rid of this.

I haven't found anything about this specific problem and it is unusual in the sense that it doesn't give any name to define it by except for that strange process.  

The last time I ran malwarebytes in safe mode it found one trojan in a location related to java installation.

Anyway I am just putting it out here if anyone knows anything about this problem I will appreciate any insight.

Thanks and best regards,

Sky
0
Comment
Question by:Schuyler Kuhl
  • 6
  • 4
  • 2
  • +2
14 Comments
 
LVL 23

Expert Comment

by:phototropic
ID: 36579718
I would check in msconfig for any unknown startups or services.  Trty disabling all startups and non-microsoft services, reboot, and see if the problem goes away.  If it does, re-enable startups one at a trime until you find the culprit.  Start by re-enabling your av software.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 36579730
Can you run RKill first? Allow it to shut down any other processes it considers hostile and then run a full scan with malwarebytes MBAM.  Don't reboot after RKill until MBAM has finished its scan and you've done any necessary clean-up.
0
 

Author Comment

by:Schuyler Kuhl
ID: 36579733
I've turned everything except for kaspersky av and malwarebytes off in the startup tab of msconfig.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:Schuyler Kuhl
ID: 36579737
that is how I used rkill.  I did it again yesterday.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 36579753
Try ComboFix and also TDSSKiller. Show us the logs specially the CF log.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 36579756
And you're running the clean up in Normal (not Safe) mode?
Was there a path to the file in the registry?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36579760
Are the scanners able to run in normal mode or only in safe mode?
0
 

Author Comment

by:Schuyler Kuhl
ID: 36579769
At first I was running it in normal mode.  Yesterday I ran malwarebytes in safe mode.  

Regarding the registry, I didn't write down what I deleted.
0
 

Author Comment

by:Schuyler Kuhl
ID: 36579775
Everything works fine in normal mode.  For about 15 minutes or so and then the task bar becomes disabled and obviously something is wrong.

I will use combo fix today.  Thanks for that recommendation.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36579861
If ComboFix won't run or run and then stops, run TDSSKiller first followed by ComboFix.
This looks like the new ZA rootkit based on the ADS process --> process: 3188766420:726265665.exe

CF supposed to be able to take care of it most of the time but sometimes can't.
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 36580066
Scan it offline with the Microsoft System Sweeper: http://connect.microsoft.com/systemsweeper
0
 

Author Comment

by:Schuyler Kuhl
ID: 36580272
Ok thanks a lot for the details. I will try these things today.  Thank you.
0
 

Author Comment

by:Schuyler Kuhl
ID: 36589819
When I ran tdsskiller it found two problems and I deleted them.

Upon restart 3188766420:726265665.exe is no longer in the process list.  That may be a good sign.

I think I will monitor it a bit before running combo fix.

It could be resolved, we will see.

Thanks very much.

Sky
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36890953
Glad to know the issue seems to be resolved.
Thanks.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
Most PC repair technicians (if not all) always start their cleanup process by emptying the temp folders before running any removal tools. It makes sense because temp folders are common places for malware installers to lurk and removing all the junk …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question