Stubborn spyware - process: 3188766420:726265665.exe

When I first saw this computer (win xp) it was in the state such that all the icons and files were hidden.

I ran rkill until I could run malwarebytes and removed a few things and then ran the unhide utility to restore the desktop, start menu and hard drive files.  Everything seemed pretty normal at this time.

When I restarted everything seemed fine but after about 15 minutes something strange happens where programs are running and if a window is active you can work in it but the taskbar stops functioning, you can't restore a window and you can't do ctrl-alt-del.

I was surprised by this.  I hought the issue had been resolved.  After restarting I can see that there is a suspicious process 3188766420:726265665.exe which I cannot terminate by end process or end process tree.

I continued working on it, have run malwarebytes a few more times and it usually comes up clean or it found one thing when running in safe mode as administrator but that didn't remove this process after restart.

I searched through the registry for 3188766420 and found 3 instances and removed them.  Now the registry search is clean but still this process returns after every restart.  Except if I start into safe mode as the normal user or as administrator the process does not run.

I will wipe the computer next but other than this it is in perfect condition and it will be a bit of work to do it and get it set back up.  I also thought about trying to create another user account.  But I think that since it isn't running in safe mode I should be able to get rid of this.

I haven't found anything about this specific problem and it is unusual in the sense that it doesn't give any name to define it by except for that strange process.  

The last time I ran malwarebytes in safe mode it found one trojan in a location related to java installation.

Anyway I am just putting it out here if anyone knows anything about this problem I will appreciate any insight.

Thanks and best regards,

Sky
Schuyler KuhlAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
rpggamergirlConnect With a Mentor Commented:
Try ComboFix and also TDSSKiller. Show us the logs specially the CF log.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 
phototropicCommented:
I would check in msconfig for any unknown startups or services.  Trty disabling all startups and non-microsoft services, reboot, and see if the problem goes away.  If it does, re-enable startups one at a trime until you find the culprit.  Start by re-enabling your av software.
0
 
☠ MASQ ☠Commented:
Can you run RKill first? Allow it to shut down any other processes it considers hostile and then run a full scan with malwarebytes MBAM.  Don't reboot after RKill until MBAM has finished its scan and you've done any necessary clean-up.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
Schuyler KuhlAuthor Commented:
I've turned everything except for kaspersky av and malwarebytes off in the startup tab of msconfig.
0
 
Schuyler KuhlAuthor Commented:
that is how I used rkill.  I did it again yesterday.
0
 
☠ MASQ ☠Commented:
And you're running the clean up in Normal (not Safe) mode?
Was there a path to the file in the registry?
0
 
rpggamergirlCommented:
Are the scanners able to run in normal mode or only in safe mode?
0
 
Schuyler KuhlAuthor Commented:
At first I was running it in normal mode.  Yesterday I ran malwarebytes in safe mode.  

Regarding the registry, I didn't write down what I deleted.
0
 
Schuyler KuhlAuthor Commented:
Everything works fine in normal mode.  For about 15 minutes or so and then the task bar becomes disabled and obviously something is wrong.

I will use combo fix today.  Thanks for that recommendation.
0
 
rpggamergirlCommented:
If ComboFix won't run or run and then stops, run TDSSKiller first followed by ComboFix.
This looks like the new ZA rootkit based on the ADS process --> process: 3188766420:726265665.exe

CF supposed to be able to take care of it most of the time but sometimes can't.
0
 
Adam LeinssSenior Desktop EngineerCommented:
Scan it offline with the Microsoft System Sweeper: http://connect.microsoft.com/systemsweeper
0
 
Schuyler KuhlAuthor Commented:
Ok thanks a lot for the details. I will try these things today.  Thank you.
0
 
Schuyler KuhlAuthor Commented:
When I ran tdsskiller it found two problems and I deleted them.

Upon restart 3188766420:726265665.exe is no longer in the process list.  That may be a good sign.

I think I will monitor it a bit before running combo fix.

It could be resolved, we will see.

Thanks very much.

Sky
0
 
rpggamergirlCommented:
Glad to know the issue seems to be resolved.
Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.