
2221299630:1370003835.exe virus


4 replies to this topic

#1 NeedHelp02

NeedHelp02

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:20 PM

Posted 15 August 2011 - 11:42 PM

First of all, I am very glad that I found this forum and salute to all the wonderful helpers on this site.

On with the problem. I was surfing on 2leep.com (humor website - I know, I have learned my lesson and I promise to do something more productive instead in the future) and, after clicking on a link, the following occurred

1) Graphic for the Java start-up (the coffee cup) appeared
2) A pop-up window showed up asking to install fix_pack107f_231.exe
3) McAfee anti-virus was disabled
4) Note: here is the exact link, broken in half with "++" in the middle, in case someone accidentally clicks on it

hxxp://2leep.com/bar.php?url=http://2 ++ leep.com/news/231594/0/more/

I performed the following

1) Closed the pop-up window by clicking on the "x", not by choosing option for "ok" and "cancel"
2) Tried alt-control-delete and found out that task manager has been disabled
3) Tried to start Malwarebytes' Anti-Malware, but it said the program is outdated by 200+ days and asked if I want to update... I was dumb enough to try and update
4) I clicked on the ok button to update and something downloaded. Installation began, but before it could complete my computer crashed and went to a blue-screen error

Upon re-boot

1) Anti-malware is now broken (links are bad and when I tried to start the program via the program's folder, the error "Run-time error '5'" shows)
2) Windows firewall is now turned off
3) Opening almost any program "IE, Firefox etc." requires Windows to unblock it
4) Browser re-directs to random sites, sometimes even when I manually copy&paste the link into a fresh browser window

I tried next to

1) Ran Regedit to bring back Task Manager; this was successful by editing HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and removing the DisableTaskMgr value
2) I downloaded and ran RKill (again, had to unblock a couple of programs before it would run), but unfortunately it did not find/kill any process
3) Upon examining the list of processes, 2221299630:1370003835.exe is the most suspicious file... and I can't kill it by stopping it in task manager

So what do I do at this point? I have removed viruses and malware from my computer before, but at least I knew the names of the offending programs in those cases. This time, the person who wrote this obviously had in mind to make it hard for victims to look up the problem.

Your time and assistance will be much appreciated! If I can at least know the name of the virus, I will be more than happy to try and search for a remedy in the forums.

Edited by quietman7, 16 August 2011 - 08:13 AM.


#2 NeedHelp02

NeedHelp02
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:20 PM

Posted 16 August 2011 - 07:59 AM

Sorry, forgot to add...

I am running a Dell laptop running Windows XP

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:20 PM

Posted 16 August 2011 - 08:13 AM

Did you try performing a Quick Scan in normal mode with Malwarebytes' Anti-Malware immediately after running RKill? If not, that's what you need to do.

Does the file 2221299630:1370003835.exe show in Task Manager if you reboot in safe mode?

Malwarebytes Anti-Malware has a built-in FileAssassin feature for removing stubborn malware or other malicious files that it did not detect.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file(s) to remove using the drop down box next to "Look in:" at the top.
  • When you find the file, click on it to highlight, then select Open.
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully.
  • Click Ok and exit MBAM.
  • If prompted to reboot, then do so immediately.
-- If the file returns, then you probably have other malware on your system which is protecting or regenerating it.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to serious problems with your operating system if you remove a critical file.


For the redirect issue, please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!!!
Be sure to print out and follow the instructions for performing a scan. Alternate instructions can be found here.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
  • Alternatively, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Important Note: Some infections will alter the Proxy settings in Internet Explorer which can affect your ability to browse, update or download tools required for disinfection. If you are experiencing such a problem, check those settings. To do that, please refer to Steps 4-7 under the section Automated Removal Instructions in this guide.

If using FireFox, refer to these instructions to check and configure Proxy Settings under the Connection Settings Dialog.


Closed the pop-up window by clicking on the "x", not by choosing option for "ok" and "cancel"

TIP: Use Task Manager to close pop-up messages to safely exit malware attacks
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
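As an added, read-only audit script (not from this thread or from any of the tools named in it), the following checks the settings the two posts above say were tampered with: the DisableTaskMgr policy the original poster removed by hand, the Internet Explorer proxy settings the moderator warns infections alter, the Windows Firewall state that was found switched off, and any running process whose name contains a colon (NTFS alternate-data-stream syntax, the shape of the 2221299630:1370003835.exe name reported). It assumes Windows PowerShell and the standard registry locations for those settings; it changes nothing.

```powershell
# Added example, not the thread's own instructions. Read-only audit of the
# tampering indicators described in the posts above. Assumes Windows PowerShell.

function Get-TamperIndicators {
    $findings = @()

    # 1. The policy value the original poster had to delete in Regedit.
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($policy -and $policy.DisableTaskMgr -eq 1) {
        $findings += "DisableTaskMgr=1 under $policyKey (Task Manager blocked by policy)"
    }

    # 2. Internet Explorer proxy settings the moderator warns may be altered.
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    if ($ie -and $ie.ProxyEnable -eq 1) {
        $findings += "IE proxy enabled, ProxyServer='$($ie.ProxyServer)' (confirm this is yours)"
    }

    # 3. Per-profile firewall state as stored by the Windows Firewall service.
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $profiles = Get-ChildItem -Path $fwKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*Profile' }
    foreach ($p in $profiles) {
        $state = (Get-ItemProperty -Path $p.PSPath -ErrorAction SilentlyContinue).EnableFirewall
        if ($state -eq 0) { $findings += "Windows Firewall off for $($p.PSChildName)" }
    }

    # 4. Running processes whose image name contains a colon. A colon inside an
    #    NTFS file name is the file:stream form used for alternate data streams.
    $odd = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like '*:*' }
    foreach ($proc in $odd) {
        $findings += "Process with ':' in its name: $($proc.ProcessName) (PID $($proc.Id))"
    }

    return ,$findings
}

$results = @(Get-TamperIndicators)
if ($results.Count -eq 0) { 'No tampering indicators found.' } else { $results }
```

Run it from an elevated prompt so the HKLM firewall keys are readable, and treat each line as something to verify rather than as proof of infection.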

#4 NeedHelp02

NeedHelp02
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:20 PM

Posted 16 August 2011 - 08:21 AM

Appreciate the feedback quietman...

I have not tried running MBAM in safe mode yet, but the virus may have damaged it beyond repair. When trying to run in normal mode, Windows returns an error "Run-time error '5'"

But I will run through the list of your suggestions later in the day and report back! Thanks!

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:20 PM

Posted 16 August 2011 - 08:39 AM

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Malwarebytes is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, Malwarebytes loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of Malwarebytes but sometimes there is no alternative but to do a safe mode scan. If that is the case, after completing a safe mode scan, reboot normally, update the database definitions through the program's interface (preferable method) and try rescanning again.
