
Malware stopping Rkill, Task Mgr, etc. from running



#1 AstroCreep75


Posted 25 August 2011 - 09:45 PM

Hi all,

First of all let me state that I have had the occasional problem in the past that required my perusing of your site. In each prior instance I was successfully able to restore my system state to normal. That said, I've now currently got an issue that my anonymous reading of your forums has been unable to correct, hence the site registration and now first post.

I'm running Windows XP Professional, SP3 on a 2.8GHz Dell with 1MB RAM.

The issue I've got seems to be related to the previous ones in that it involves a sudden popup of a fake security alert. Previously it was MS Removal, which I successfully handled per your forum's instructions.

This one is Zentom System Guard however and is behaving differently.

The fake system scan and its accompanying plethora of warnings only occurred once upon initial infection. Having already had RKill downloaded from previous malware infections, I immediately tried to run it to stop the processes. It mentioned a missing dll file in the split second between double clicking on it and the DOS command window opening. I didn't see the message long enough to note the exact name before the DOS window covered it up. Then before RKill could finish running, the window was closed, evidently by the malware process trying to protect itself.

At that point I tried opening Task Manager with CTRL ALT DEL and it too was immediately closed before I could make note of any of its contents.

I did at that point run a MBAM quick scan and had a return of 40+ results infected. After quarantining them and rebooting back into Windows, I immediately tried to open Task Manager again just to see if the problematic process was still 'alive'. Again and again, however, it would either not open at all or only open for a split second and reclose. Clearly the MBAM scan didn't take care of the problem.

At this point I returned to your site and followed the link to download alternate versions of RKill. After having done so I still had no success in running any of them. Each file now, however, gives a series of error messages, stacking on top of one another (usually 3x) stating "Instalation Failed". Then, despite the message, I see RKill try to open and run in its DOS window behind them, only to be reclosed within seconds before actually running.

So I'm assuming the MBAM scan isn't effective because of whatever process running that's preventing RKill and Task Manager from opening is also just replicating itself after my MBAM scans.

And while I had the original Zentom message and fake scan, it has never again returned after the first instance and subsequent MBAM scan. At this point, other than the inability to run RKill, Task Mgr, and additionally RegEdit, the only other popups I'm getting are an occasional series of System Warnings quote boxes in the taskbar that read as follows:

System warning
Keep your computer safe from viruses and malicious programs that can slow down or break your system


and

System warning
Spyware protection is disabled. Your personal data is at high risk of being stolen and misused.


Additionally I should note the following:

** I HAVE not yet run a full MBAM scan because it takes hours on my system and given the inability to kill the process w/ RKill I'm reluctant to devote that much time to what I fear would be a fruitless exercise.

** I HAVE booted to safe mode w/ networking and attempted all of my above steps as well (that being trying to open Task Manager, regedit and all versions of RKill, to no avail).

** I DO HAVE HijackThis and have run a scan and found several obviously fake lines in the "HKLM....Run" section (O4) which I then deleted. I have the scan log of this available as well, just didn't want to initially overburden this post with it. The one that keeps reappearing, however, is as follows:

O4 - HKLM\..\Run: [Kwarawopik] rundll32.exe "C:\WINDOWS\ogutuqoleziba.dll",Startup

In closing and summary, unlike the previous fake security malware occurrences I've had before that have prevented me from being able to run MBAM or basically anything other than Internet Explorer, this one is allowing me to run basically anything I want still, with the exception of those I stated (Task Manager, RKill, regedit, DOS windows, etc.)

I understand that I've not yet done all the steps necessary to fully diagnose on my own, but assuming it will be hours or days before you're able to help, I wanted to at least start this ball rolling and I will update with the results of other scans/findings in the interim.

Thanks so much for your talent and help. This site has been very beneficial to me over the past six months and hopefully even more so over the next few days!

~ AstroCreep
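An added example, not part of the thread or of HijackThis itself: a small Python check that scans HijackThis O4 lines for the pattern in the entry quoted above, rundll32.exe starting a DLL that sits directly in the Windows directory rather than under system32 or a vendor folder. The first sample log line is the one from the post; the other lines are constructed to show ordinary autoruns that should not be flagged.

```python
import re

# HijackThis O4 line: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# rundll32 invocation: rundll32.exe "path\to.dll",EntryPoint  (quotes optional)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE)

# Constructed sample log: line 1 is the entry quoted in the post; the rest are
# made-up benign rundll32 / plain-exe autoruns that must not be flagged.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Kwarawopik] rundll32.exe "C:\\WINDOWS\\ogutuqoleziba.dll",Startup
O4 - HKLM\\..\\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

def parse_o4(line):
    """Return hive/key, value name and command of an O4 line, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def rundll_from_windir_root(cmd):
    """True when rundll32 loads a DLL placed directly in the Windows directory.

    Legitimate autorun DLLs normally live under system32 (or a vendor folder);
    a DLL dropped straight into C:\\WINDOWS and started via rundll32 is the
    pattern the HijackThis entry in the post shows.
    """
    m = RUNDLL_RE.search(cmd)
    if not m:
        return False
    directory = m.group("dll").rpartition("\\")[0].lower()
    return directory in ("c:\\windows", "c:\\winnt")

def flag_o4_entries(log_text):
    """Return value names of O4 entries matching the rundll32-from-%WINDIR% pattern."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and rundll_from_windir_root(entry["cmd"]):
            flagged.append(entry["name"])
    return flagged

if __name__ == "__main__":
    print(flag_o4_entries(SAMPLE_LOG))  # ['Kwarawopik']
```

The check is a triage heuristic only; a flagged entry still needs the DLL itself looked at (and the value name will typically be as random as the file name, as in the post).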

#2 Blade


Posted 26 August 2011 - 06:14 PM

Hello,

It appears that the issues on your system will require a more in-depth examination than can be performed in this forum. Please read the information in this guide, and follow all the steps beginning with step 6. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The MRT is very busy, so it could be several days (3-5 days is the average wait right now) before you receive a reply. But rest assured, help is on the way!

~Blade
