
MBAM, SAS, Process Explorer ALL access denied!


This topic is locked
7 replies to this topic

#1 KaraBean

KaraBean

  • Members
  • 9 posts
  • Local time:01:02 PM

Posted 29 September 2011 - 07:56 PM

(running Windows XP Pro)

I think I have a really bad rootkit on my computer. It started over a week ago when I accidentally clicked on *something* while browsing with Firefox. I can't be sure what that was since I wasn't looking at the computer - my hand hit the mouse button by accident as I was getting up. I know I only had my Yahoo Mail and Facebook up at the time, so it was probably one of their ads. <frown> Anyway immediately a popup came up and said there was a virus and click Next to remove it (or something like that). The options were "next" and "cancel" but I went for the "X" on the top right. A bunch of new tabs popped up after that - I got mad and impatient and just rebooted and did a proper shut down after that.

The next morning my CPU usage just went through the roof. The culprit was svchost.exe. I tried a Restore and went 2 days back just to be on the safe side. That did NOTHING. That freaked me out! The only way I could operate was by continually shutting off svchost.exe through task manager, which I had to do like every 5 minutes. I also started getting new tabs popping up in Firefox with all these obviously bogus websites selling just about everything. Safe Mode with Networking fixed it - or at least it seemed to. I read a lot of people saying great things about Malwarebytes Anti-Spyware so I installed it while in Safe Mode and rebooted to run it in Normal Mode. I got "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I uninstalled it and went back into Safe Mode and installed it again, with a fresh download from Malwarebytes website. After install I ran a Full Scan while I was still in Safe Mode. Nothing found. Back in Normal Mode, I got the same error message as before. I tried this entire process again (install/scan in safe mode right away) with Spyware Doctor. Spyware Doctor (PCTools) actually caught some infected files - 8 I think, but again back in Normal Mode I still had the CPU and the access problems.

At this point I wanted to look at what was behind svchost.exe so I downloaded Process Explorer. I installed AND ran it in Safe Mode just to be sure it was working (it was) and switched to Normal to inspect the offending process. "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." is all I got. Unbelievable!

Then looking closer I found another process running in Task Manager called 2521443175:2564076905.exe. It uses like NO CPU and very low memory. It can't be terminated - you don't even get an error message, it just sits there like you never clicked on it or anything! This particular file can't be found on the hard drive, but you will find a file with the first set of numbers in Windows\ and in Windows\prefetch and both are empty.

The last thing I tried was *ONE MORE* try at installing MBAM. Before starting I uninstalled/deleted and even searched the registry for "MBAM" and "Malwarebytes" to make sure there wasn't any trace left. When I installed I renamed the install directory. I was going to rename the exe as well but got distracted (sorry - I have 2 toddlers). When I rebooted, I found that Malwarebytes was successfully blocking outgoing IPs:
194.11.16.144
194.11.16.138 (Russia)
38.99.183.32
38.99.183.25 (Canada)
195.3.145.105
195.3.145.183 (Latvia)
208.87.149.250 ---> F-ING EL SEGUNDO! This address made me cry

Anyway I got excited and tried running a scan BUT when I select Start Scanner from the right-click menu, I got nothing. The exe gives the same old access message. BUT another good thing is svchost doesn't slam the CPU anymore either. What should I do at this point? I really would appreciate some help on the remaining access issue and I think I may be good from there. Thanks!


#2 Spartacus1

Spartacus1

  • Members
  • 86 posts
  • Gender:Male
  • Local time:02:02 PM

Posted 29 September 2011 - 07:59 PM

Boot into Safe Mode (With Networking), and run RKill (http://www.bleepingcomputer.com/download/anti-virus/rkill), SUPERAntiSpyware (http://www.superantispyware.com/)(Update before installing), and MalwareBytes (http://www.malwarebytes.org/)(Update before installing) in this order.
Hope this works!

Edited by Spartacus1, 29 September 2011 - 08:00 PM.

May thou virus bow at thy mercy when you come to me...

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,078 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:02 PM

Posted 29 September 2011 - 08:06 PM

Hello KaraBean... this item is indicative of a ZeroAccess rootkit:
"process running in Task Manager called 2521443175:2564076905.exe"

To get it removed we need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
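The moderator's tell above, a process named "<digits>:<digits>.exe", is the shape of an NTFS alternate data stream (the poster's empty file named with the first number in Windows\ is the stream's host file). The following is an added example, not code from this thread: it parses constructed tasklist-style output (the sample lines are made up) and flags image names with that pattern so a responder can triage a process list offline.

```python
import re

# ZeroAccess-style image name: "<host>:<stream>.exe", i.e. an executable
# stored as an NTFS alternate data stream attached to a numeric host file.
ZA_NAME = re.compile(r"^(?P<host>\d+):(?P<stream>\d+)\.exe$", re.IGNORECASE)

# Constructed tasklist-style output (Image Name, PID, Mem Usage); not real data.
SAMPLE_TASKLIST = """\
Image Name                     PID Mem Usage
========================= ======== ============
svchost.exe                   1032     12,340 K
2521443175:2564076905.exe     1844        820 K
explorer.exe                  1260     31,204 K
firefox.exe                   2208    120,556 K
"""


def parse_tasklist(text):
    """Return (image_name, pid) tuples from tasklist-style output."""
    rows = []
    for line in text.splitlines()[2:]:  # skip the header and separator rows
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            rows.append((parts[0], int(parts[1])))
    return rows


def suspicious_processes(rows):
    """Return the rows whose image name has the numeric ADS-style pattern."""
    return [(name, pid) for name, pid in rows if ZA_NAME.match(name)]


def ads_components(name):
    """Split a flagged name into (host file, stream name) for follow-up."""
    m = ZA_NAME.match(name)
    if not m:
        return None
    return m.group("host"), m.group("stream") + ".exe"


if __name__ == "__main__":
    for name, pid in suspicious_processes(parse_tasklist(SAMPLE_TASKLIST)):
        host, stream = ads_components(name)
        print(f"PID {pid}: {name} -> host file '{host}', stream '{stream}'")
```

On a live system the host file would be checked for streams with a tool that lists alternate data streams (the poster saw it as an empty file, which is exactly what a plain directory listing shows).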

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,078 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:02 PM

Posted 29 September 2011 - 08:09 PM

Spartacus.. that will have no effect on the Rootkit, and 2, please do not guess at solutions.

#5 KaraBean

KaraBean
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:02 PM

Posted 29 September 2011 - 08:38 PM

Thanks boopme - I will start on that just as soon as my kids are asleep. :whistle:

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,078 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:02 PM

Posted 29 September 2011 - 08:46 PM

You're welcome and sweet dreams guys

#7 KaraBean

KaraBean
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:02 PM

Posted 30 September 2011 - 08:32 AM

:) The kids say thanks LOL

Hey I ran that DDS last night and posted to the other forum BUT I just thought I should warn you that I *did* install a lot of anti-malware programs in the last 30 days AND I started creating folders and moving files around to start saving all my important stuff. Sorry it made the DDS report a lot longer than I had hoped.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,078 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:02 PM

Posted 30 September 2011 - 09:51 AM

That's OK, they will also clean off all the junk while in there.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.