Process with numbers (and a colon) that I can't kill


This topic is locked
18 replies to this topic

#1 stangsdado (Members, 50 posts)

Posted 16 August 2011 - 02:54 PM

Hey guys. I've got a process that I absolutely cannot kill and it's slowly taking away the executables I can run.

The process is called 3252348497:2920883518.exe. I've never seen a process with a colon.

It shows up whether I'm in regular boot, safe mode, or safe mode with command prompt.

I've searched for this executable "file" everywhere and I cannot find it.

I've found two entries to it in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WOW
(Default) - REG_MULTI_SZ - \Device\HarddiskVolume1\WINDOWS\3252348497:2920883518.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\51e6dac1
ImagePath - REG_SZ - \systemroot\3252348497:2920883518.exe

Can anyone help?


#2 stangsdado (Topic Starter, Members, 50 posts)

Posted 16 August 2011 - 03:11 PM

I found the file located in C:\Windows, but it is only the first part of the file name and it's blank (0 KB).

It's letting me run all regular programs with the exception of Nero Burning Software.

It's not letting me run any anti-spyware/malware/virus programs.
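
The colon in that process name is the key detail, and it explains the 0 KB file. In a Windows path a colon inside the file name is NTFS alternate data stream (ADS) syntax: 3252348497 is an ordinary, empty file in C:\Windows and 2920883518.exe is a named stream attached to it. A file search therefore turns up only a blank file, while a service ImagePath can still point at the stream and have it loaded. The triage script below is an added example, not something anyone posted in this thread. It lists services whose ImagePath uses stream syntax, prints the (default) value of the WOW key quoted above, and enumerates named streams on files in the Windows directory. It assumes PowerShell 3.0 or later (for Get-Item -Stream and Get-ChildItem -File) and an elevated prompt; on an XP-era box without that, Sysinternals streams.exe gives the same stream listing. The function names are mine, and the script matches on the host:stream pattern rather than on these particular numbers, since they differ from machine to machine.

```powershell
# Added triage example; not from the thread. Assumes PowerShell 3.0+ (Get-Item -Stream,
# Get-ChildItem -File) and an elevated prompt. Matches the shape of the posted indicator
# (host:stream.exe) rather than the literal numbers, which differ from machine to machine.

# A path component of the form name:stream, with no separator between the two, is NTFS
# alternate data stream syntax. Drive letters ("C:\") never match because the colon there
# is followed by a backslash.
$adsPattern = '[\\/][^\\/:\s"]+:[^\\/:\s"]+'

function Find-AdsServices {
    # Services whose ImagePath points into an alternate data stream.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.ImagePath -and ($p.ImagePath -match $adsPattern)) {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    ImagePath = $p.ImagePath
                    Start     = $p.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                }
            }
        }
}

function Get-WowDefault {
    # The WOW key's (default) value is normally unset; a path here is the other entry posted above.
    $wow = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\WOW' -ErrorAction SilentlyContinue
    if ($wow) { $wow.'(default)' }
}

function Find-NamedStreams {
    param([string]$Dir = $env:SystemRoot)
    # Every file has the unnamed ':$DATA' stream; any other stream name is worth a look.
    Get-ChildItem -Path $Dir -File -Force -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

'== Services with an ADS ImagePath =='
Find-AdsServices | Format-Table -AutoSize
'== HKLM\SYSTEM\CurrentControlSet\Control\WOW (default) =='
Get-WowDefault
"== Named streams on files in $env:SystemRoot =="
Find-NamedStreams | Format-Table -AutoSize
```

A hit from Find-AdsServices gives you the service key to look at (the random 51e6dac1 name above is the shape of it). Once nothing holds the stream open it can be dropped with streams.exe -d against the host file, or by copying the host file's unnamed stream to a new name and deleting the original. Treat a clean result from the infected session with suspicion: malware that blocks every scanner can also filter what directory and registry listings return, so a listing taken from a boot disc or with the drive mounted elsewhere is the one to trust.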

#3 nebulight (Members, 5 posts)

Posted 16 August 2011 - 03:16 PM


This is my first post as well. This is the first type of malware that I have not been able to remove with tools available online. For every program you click on, it removes all permissions except the Everyone group, but that doesn't allow you to run anything. You can manually assign permissions in safe mode and run IE, but everything else will run for 3-5 seconds and then close (TDSSKiller, ComboFix, MBAM). RKill doesn't recognize any infected processes.

I'm at a loss. This PC is just used to access a terminal server, so I'm just going to reload the machine as I don't want to waste too much time on it. However, I fear that this may be a common infection in a few days, which is why I posted. :(

BTW, my numbers are different. If I search the first part of the file name, I find it located in C:\Windows



Since you have run ComboFix, please follow the instructions in ==>Malware Removal and Log Section Preparation Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

Most importantly please be patient till you get a reply to your topic.


I am not going to bother with disinfecting as the machine is just used for RDP access. I'm just going to reload the machine. I was just posting the info I found while doing the basic troubleshooting.
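
The ACL-stripping behaviour nebulight describes can be checked for in bulk. The script below is an added example, not code from anyone in this thread. It walks the executables and DLLs under Program Files, reports any whose DACL has been reduced to nothing but an Everyone entry (or is empty), and with -Repair re-enables inheritance from the parent folder and drops the explicit rules left behind, which puts the default ACL back without guessing at what it should contain. It assumes PowerShell 3.0 or later for Get-ChildItem -File and an elevated prompt; the function names are mine. Run it in report mode first, and only repair once the process that keeps stripping the ACLs has been stopped, otherwise it will simply strip them again.

```powershell
# Added example; not code from the thread. Assumes PowerShell 3.0+ and an elevated prompt.
# Finds executables whose DACL has been cut down to nothing but an 'Everyone' entry (or nothing
# at all), which is the symptom described above, and optionally restores the inherited ACL.

function Test-StrippedAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    # Stripped = no access rule for any principal other than Everyone (an empty DACL also counts).
    $others = @($acl.Access | Where-Object { $_.IdentityReference.Value -ne 'Everyone' })
    return ($others.Count -eq 0)
}

function Repair-InheritedAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    # Re-enable inheritance so the file picks up its parent folder's rules again.
    $acl.SetAccessRuleProtection($false, $false)
    # Drop the explicit (non-inherited) rules the malware left behind, e.g. a lone Everyone entry.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Find-StrippedExecutables {
    param(
        [string[]]$Roots = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }),
        [switch]$Repair
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                try {
                    if (Test-StrippedAcl -Path $file.FullName) {
                        if ($Repair) { Repair-InheritedAcl -Path $file.FullName }
                        [pscustomobject]@{ Path = $file.FullName; Repaired = [bool]$Repair; Error = $null }
                    }
                } catch {
                    # Not even being able to read the DACL is itself worth reporting.
                    [pscustomobject]@{ Path = $file.FullName; Repaired = $false; Error = $_.Exception.Message }
                }
            }
    }
}

# Report only; add -Repair once the process that strips the ACLs has been stopped.
Find-StrippedExecutables | Format-Table -AutoSize
```

Re-enabling inheritance rather than writing a hand-built ACL is deliberate: the parent folders under Program Files still carry the correct defaults, so the file gets exactly the rules it had before, and a file that still shows up as stripped after a repair tells you the process doing the stripping is still running.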

#4 MR Cracker (Members, 22 posts)

Posted 16 August 2011 - 03:18 PM

Why don't you post your problem in the Virus, Trojan, Spyware, and Malware Removal Logs forum?

#5 stangsdado (Topic Starter, Members, 50 posts)

Posted 16 August 2011 - 03:20 PM

http://www.bleepingcomputer.com/forums/topic414691.html

#6 nebulight (Members, 5 posts)

Posted 16 August 2011 - 03:20 PM

Why don't you post your problem in the Virus, Trojan, Spyware, and Malware Removal Logs forum?


If you are replying to me, I was just replying to a post I found in a google search.

#7 cryptodan (Bleepin Madman, Members, 21,868 posts, Catonsville, Md)

Posted 16 August 2011 - 03:24 PM

[quoting nebulight's post #3 above]

If you use any files from the backup that you have possibly created you will just re-infect yourself.

#8 nebulight (Members, 5 posts)

Posted 16 August 2011 - 03:28 PM

I am aware of that. This PC is going to get a fresh OS load as it was only used for RDP access. Thanks.

Edited by Orange Blossom, 16 August 2011 - 07:27 PM.
Removed unnecessary quote. ~ OB


#9 MR Cracker (Members, 22 posts)

Posted 16 August 2011 - 03:33 PM


[quoting MR Cracker (#4) and nebulight (#6)]

I replied to stangsdado :wink:

#10 stangsdado (Topic Starter, Members, 50 posts)

Posted 16 August 2011 - 03:35 PM

[quoting MR Cracker (#9)]

I did. Thanks :)

#11 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 16 August 2011 - 07:32 PM

@ stangsdado,

I have deleted your new topic which is a duplicate of the initial post in this topic.

To all readers: If you are experiencing an infection or think you are, please create your own topic. Even though symptoms may be similar, the causes and solutions may be vastly different. Things get terribly confused when trying to assist more than one person or trying to fix more than one computer in the same topic.

@ stangsdado,

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
In your reply please post:

MBAM log
An updated description of your computer issues whether changed or not.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#12 stangsdado (Topic Starter, Members, 50 posts)

Posted 17 August 2011 - 09:59 AM

@ Orange Blossom

The same thing happened with the fresh install of Malwarebytes. It let me install and even run the program and EVEN run a scan. But the scan got to about 15 seconds and the program shut down. Now every time I try to run the program, it tells me that it can't be found. I checked the permissions of the exe file and they're all set properly. UGH!

#13 stangsdado (Topic Starter, Members, 50 posts)

Posted 17 August 2011 - 10:13 AM

@ Orange Blossom

I managed to get gmer to run. It scans until, what I think is a finish, but then abruptly closes and I don't see the results. It changes the permissions, I change them back, scan again, and the same thing happens.

#14 MR Cracker (Members, 22 posts)

Posted 17 August 2011 - 12:30 PM

Download and run RKill from here.
After it runs it will give you a log; post it here.
Then try to reinstall MBAM and scan your computer.

#15 quietman7 (Bleepin' Janitor, Global Moderator, 51,287 posts, Virginia, USA)

Posted 17 August 2011 - 12:38 PM

The malware may have deleted the main mbam.exe executable file.

Try these instructions instead:

Please reboot in "safe mode with networking", then redownload Malwarebytes' Anti-Malware and RKill by Grinler, saving them to your desktop.
  • RKill.exe Download Link
  • RKill.com Download Link
  • RKill.scr Download Link
Renamed versions if the above do not work:
  • iExplore.exe Download Link
  • eXplorer.exe Download Link <- this renamed copy is usually effective but may trigger an alert from MBAM...just ignore it.
  • WiNlOgOn.exe Download Link
  • uSeRiNiT.exe Download Link
  • alternate link with all versions
RKill is available in several versions, including renamed versions, so that if one does not work you can try another. As such, you may want to download and save more than one before proceeding.

After installing Malwarebytes', reboot normally, then proceed as follows:
  • Double-click on the Rkill desktop icon to run the tool.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, and try another version.
  • If it still does not work, repeat the process and attempt to use one of the remaining versions until the tool runs.
  • Note: You may have to make repeated attempts to use RKill several times before it will run as some malware variants try to block it.
  • A log file will be created and saved to the root directory, C:\RKill.log
  • Copy and paste the contents of RKill.log in your next reply.
-- If you get an alert that RKill is infected, ignore it. The alert is a fake warning given by the rogue software which attempts to terminate tools that try to remove it. If you see such a warning, leave the warning on the screen and then run RKill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that RKill can perform its routine.

-- Some security tools may flag RKill as malware, especially when renamed to iexplore.exe, explorer.exe, winlogon.exe, etc because they have definitions in place that flag certain file names used outside their normal path. If you encounter such an alert when running Rkill, you can safely ignore it and continue to allow the program to run.

Important: Do not reboot your computer until after performing a scan with Malwarebytes'. A scan must be completed immediately after running RKill.

Perform a Quick Scan in normal mode with Malwarebytes' Anti-Malware and follow these instructions. Check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning, and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.


IMPORTANT NOTE: If you cannot run Malwarebytes Anti-Malware or complete a scan in normal mode, then try performing a Quick Scan in "safe mode".

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Malwarebytes is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, Malwarebytes loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of Malwarebytes but sometimes there is no alternative but to do a safe mode scan. If that is the case, after completing a safe mode scan, reboot normally, update the database definitions through the program's interface (preferable method) and try rescanning again.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.
