
suspicious task 1956182124:2466736011.exe


6 replies to this topic

#1 rmhartman

rmhartman

  • Members
  • 5 posts

Posted 23 September 2011 - 12:29 PM

My wife's computer is not working right now. No internet access. Even though it got an IP assigned from our gateway, even pings to google.com don't go through.

There was a suspicious exe placed on her desktop. 0.bunchofnumbers.exe (sorry, I did not write that one down). Moreover, there is an even more suspicious task running in the listing. It has the name "1956182124:2466736011.exe". Yes, I know that colon (":") is the device separator character, but that's what it says in the running tasks listing. There is a 0 byte file c:\windows\1956182124 ... I can not find 2466736011.exe anywhere on the disk. This exe is launched by a services entry for a service identified as "6cf89874".

I removed the disk from her desktop and with a usb tether from my laptop ran malwarebytes on the entire thing, and AVG on the Docs&settings folder. Neither recognized anything significant (including the 0.whatever.exe which I left in the desktop folder for them to find).

I looked at files modified around the time of the desktop file timestamp. Found a couple of java files and removed them. She had been browsing soapzone, and the cookies right around that time were for some of the ad streams. I also found a cache file of some sort in an antivirus app folder, so I suspect it was preparing to not be discovered.

I removed the 0.whatever.exe file from the desktop folder, the java files, and the antivirus cache file then put the disk back in her computer.

The weird task was still there, so I dumped the registry and found the service entries (yes, I mentioned them above, but this is when I found them).

I removed the entry for service 6cf89874 in CurrentControlSet, ControlSet003 and ControlSet004 (actually one of those was linked to current control set).

I removed the 0 byte file c:\windows\1956182124

I powered off the machine (not shutdown as I did not want to give any virus-reinstaller a chance there).

The task in the running tasks list, the zero byte file, and the registry entries for the service came back.

Since the colon is a device separator, I figure this is some serious bypass mojo and the actual virus is hidden god-knows-where.

Is anybody familiar with the trick of tasks with colons in their names?

Is anybody familiar with these symptoms?

Edited by hamluis, 23 September 2011 - 01:08 PM.
Moved from XP to Am I Infected.
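The pattern the original poster describes (a colon after the drive designator in a process or service image path, a zero-byte host file in C:\Windows, and an executable name that cannot be found on disk by normal search) is what an NTFS alternate data stream (ADS) looks like: the data lives in a named stream attached to the empty host file, so `dir` and file search show only the host. The script below is an added example, not a tool from this thread or from BleepingComputer; it parses service ImagePath values, separates the drive-letter colon from a stream separator, and flags entries whose image is an ADS on a zero-byte or missing host. The service entries and file sizes are constructed to mirror the thread, and the 8-hex-digit service-name check is a loose heuristic of mine, not a rule from the posts.

```python
"""Triage service ImagePath values for alternate-data-stream (ADS) images.

Added example for this thread; not code from the original posts.  The sample
service entries and file sizes below are constructed to mirror what the
poster described (service 6cf89874, image 1956182124:2466736011.exe, a
zero-byte host file in C:\\Windows).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# A leading "X:" is a drive designator, never a stream separator.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")
# Loose heuristic (mine, not from the thread): 8 hex digits with no vendor meaning.
_TOKEN_RE = re.compile(r"[0-9a-fA-F]{8}")


def split_ads(path: str) -> Tuple[str, Optional[str]]:
    """Return (host_path, stream_name); stream_name is None when no ADS is referenced.

    Only the last path component can carry a stream, and only a colon after the
    drive designator counts.  An explicit stream type suffix ("name:stream:$DATA")
    is stripped so the bare stream name is returned.  Expects a bare path, not a
    quoted command line with arguments.
    """
    m = _DRIVE_RE.match(path)
    body_start = m.end() if m else 0
    sep = max(path.rfind("\\"), path.rfind("/"))
    comp_start = max(sep + 1, body_start)
    last = path[comp_start:]
    colon = last.find(":")
    if colon == -1:
        return path, None
    stream = last[colon + 1:]
    if ":" in stream:                      # drop ":$DATA" (or any other) type suffix
        stream = stream.split(":", 1)[0]
    if stream == "":                       # "name:" with no stream name is not an ADS
        return path, None
    return path[:comp_start + colon], stream


@dataclass
class Finding:
    service: str
    image_path: str
    host_path: str
    stream: Optional[str]
    host_size: Optional[int]
    reasons: List[str] = field(default_factory=list)


def triage(entries: Iterable[Tuple[str, str]], file_sizes: Dict[str, Optional[int]]) -> List[Finding]:
    """Flag service entries whose ImagePath points into an ADS or looks random.

    entries:    (service_name, ImagePath) pairs, e.g. read from
                HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath.
    file_sizes: lower-cased host path -> size in bytes, or None if the file was
                not found; stands in for a stat() of the (offline) volume.
    """
    findings: List[Finding] = []
    for svc, image in entries:
        host, stream = split_ads(image)
        size = file_sizes.get(host.lower())
        reasons: List[str] = []
        if stream is not None:
            reasons.append(f"ImagePath is alternate data stream '{stream}' of {host}")
            if size == 0:
                reasons.append("host file is zero bytes; the executable exists only in the stream")
            elif size is None:
                reasons.append("host file not found on the mounted volume")
        if _TOKEN_RE.fullmatch(svc):
            reasons.append("service name is an 8-hex-digit token with no vendor meaning")
        if reasons:
            findings.append(Finding(svc, image, host, stream, size, reasons))
    return findings


# Constructed sample data modelled on the thread; not captured from a real system.
SAMPLE_SERVICES = [
    ("6cf89874", r"C:\WINDOWS\1956182124:2466736011.exe"),
    ("Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("MyApp", r"D:\Tools\agent.exe"),
]
SAMPLE_SIZES = {
    r"c:\windows\1956182124": 0,
    r"c:\windows\system32\spoolsv.exe": 57856,
    r"d:\tools\agent.exe": 120000,
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_SIZES):
        print(f"[{f.service}] {f.image_path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a live or tethered NTFS volume the same host/stream split tells you where to look: the stream is enumerable on the host file itself (for instance with PowerShell's `Get-Item -Stream *` on the host path), which is why searching the disk for the stream's name as a file finds nothing.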




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 September 2011 - 01:20 PM

EDIT: I just found something .. please do this first

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.6.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

Wait on this....
As it is affecting a service we should get a proper look. You need to repost this in a new topic with these logs....

Please go here....
Preparation Guide .

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.

Edited by boopme, 23 September 2011 - 01:39 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 rmhartman

rmhartman
  • Topic Starter

  • Members
  • 5 posts

Posted 23 September 2011 - 06:18 PM

Ok, downloaded the tools. Will try them tonight. Thanks!

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 September 2011 - 07:39 PM

Ok, if the first works, there's no need for the second. Good luck.

#5 rmhartman

rmhartman
  • Topic Starter

  • Members
  • 5 posts

Posted 23 September 2011 - 10:02 PM

Ok, how do things get worse when the darned disk has not been on since this morning?

Got home. Computer refused to boot into safe mode. Kept looping around when it got to avgidseh.sys (I have searched and found mention of this in other forums, but have not yet even attempted to cure it). Removed disk again, put on usb tether on laptop. It came up initially showing the drive name, but shortly thereafter it showed the generic "local disk" and could not be accessed with explorer or "dir" on the command line.

My next task is to use acronis to create an image of this thing exactly as it is (even in its current bad state) so that things can not deteriorate any further. THEN I shall attempt to chkdsk the drive (on the usb tether). If that doesn't work, I shall try to recover the partition with ultimate boot cd. _Then_ perhaps I can use the TDSSKiller on it. (btw: can I run TDSSKiller on the drive on the tether, or does it automatically target the running system drive?)

These are my intended steps. If someone has something different to suggest, please post it.

Edited by rmhartman, 24 September 2011 - 01:39 AM.


#6 rmhartman

rmhartman
  • Topic Starter

  • Members
  • 5 posts

Posted 24 September 2011 - 12:27 AM

Oh, it gets better and better. Main partition gone. I want to image the _disk_ before I even attempt to re-create the partition, but there are a ton of read problems. UBCD S.M.A.R.T. utility reveals a buncha failures in various categories.

Question: Can a virus mess up the S.M.A.R.T. firmware, or is it possible that this wasn't a virus in the first place, it was just the disk failing?

Question: If I can get replacement electronics for the drive, is it likely I will be able to get it to read again?

Question: can any of you guys suggest what to do next?

Drive type: Samsung SPC2504C

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 September 2011 - 12:40 PM

This is a ZeroAccess rootkit. We need to get a DDS log and then remove it.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.



