HELP!


  • This topic is locked
5 replies to this topic

#1 brettf

brettf

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:03 PM

Posted 30 September 2011 - 03:39 PM

I don't know WTH is going on, but my PC is seriously ill.

It started with Open Cloud Security. I thought I wiped it out, but it seems it has opened a backdoor that is not closing anytime soon. The key points of this nasty virus are the following:

It blocks most anti-virus software / tools, regedit, etc. from executing by modifying the system privileges to have access denied.
It "occasionally" hijacks Internet Explorer and will redirect to various random sites. This does not happen always though...
It creates a process "1165239595:3571092410.exe" with the description of "3571092410.exe". This runs in both normal AND safe mode unless safe mode is run with alternate shell (command prompt).
The process cannot be KILLED.
The process cannot dump file.
The process is not visible in HiJackThis Process viewer.

I can run anti-virus software only when this process is not running (alternate shell) but it does NOT REMOVE the file, and when I reboot it opens up the door to new viruses again.

I made another thread, but I think it was in the wrong location. Hopefully, I got it in the right place now. PLEASE, PLEASE, PLEASE Help. This is becoming seriously frustrating!!!



#2 FTLDmike

FTLDmike

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:03 PM

Posted 30 September 2011 - 03:55 PM

Brett, I am new around here so not an expert. But I think we are in the same boat. Do a search on Rootkit Zero Access. I have a thread just below yours asking for advice on whether to repair it or blow away my machine. It is really, really scary. It blew through my AVG Antivirus and Firewall like it was not even there and seems able to disable anything that might threaten it. I'm going to start posting my logs to the fix it forum tomorrow.

Mike

#3 brettf

brettf
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:03 PM

Posted 30 September 2011 - 04:12 PM

I haven't seen any references to ZeroAccess, what makes you think it might be that?

It definitely blows away anything that tries to take it out. Evil, nasty little virus!

#4 FTLDmike

FTLDmike

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:03 PM

Posted 30 September 2011 - 08:26 PM

Well, there are a couple of things that make me suspicious. First, the behaviour is the same. It takes out everything that might help and in a way that is very different from most infections. Maybe not initially, but the minute a helpful program starts scanning anything in memory or services, look out. It gets killed, and permissions changed to prevent it from running. The second is the only obvious visible symptom, which is a service in task manager that is xxxxxxxxxx:xxxxxxxxxxx.exe that you cannot stop or do anything with. This seems to be a consistent report from all infected machines and almost the only obvious visual cue. The third is the inconsistent browser re-direct.

There are an increasing number of posts about this threat, not all referencing the "name", much like yours titled "Help". Don't get me wrong....I was in "help" and mystified mode yesterday and today.

Not positive it has you, but you have the same group of symptoms that I have and I am certain this is the cause for me. This thing is really smart and really nasty. Hope I am wrong, but apparently there is a path to cleaning, so I am hopeful.

Best,

Mike

#5 brettf

brettf
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:03 PM

Posted 01 October 2011 - 01:03 AM

12 freaken hours later! Ha... no virus defeats me!

Ok... I haven't a clue what the heck I actually had, but I think I got rid of it. At least I can now run Malwarebytes without it crapping out on me, and Internet Explorer is back to its lame self.

What did I do? [proceed with your own caution]

In safe mode (command prompt):

Delete all the random letter exe files and directories in c:\windows\system32
Do the same for c:\users\[user name]\appdata\roaming\[any folder]
I also cleared c:\temp and c:\windows\temp
That random number exe file does not exist in c:\windows but the first half (before ':') exists without extension there. I deleted that 0 byte file as well.

Then the magic trick: execute cmd (with admin rights) and type: sfc /scannow

It found all kinds of integrity issues. Reboot again into command prompt and run it again (it should be clean). Now go into normal mode and run Malwarebytes. Remove any remaining little pesky viruses and cross your fingers.

I also had some issues with ChkDsk that I suspect may be related to the virus trying to install on a hidden partition. The drive was dirty (whatever that means). Anyways, I executed a command (I forget which one) and told it to run chkdsk next boot. I then booted in safe mode and let it run check disk. It was able to fix it. If you have this issue as well let me know and I can look up how I did it.

Now I am left with only one thing. The damn thing thinks Windows is no longer Genuine, I guess I just have to go and find my product key for that one to be fixed. Fun times.

Like I said earlier... that is one hell of a nasty virus. Good luck.
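The manual clean-up in the post above, turned into a triage script. This is an added example, not code from the thread, from Malwarebytes or from any other tool mentioned here. It relies on one Windows fact the poster stumbled on: a process that Windows lists as `host:stream.exe` was started from an NTFS alternate data stream named `stream.exe` attached to the file `host`, which is why the "first half before the colon" showed up as an extensionless 0-byte file in C:\Windows. The script reports random-named executables in the directories the poster cleared, extensionless files in C:\Windows and System32 that carry a named stream, running processes with a colon in their name, and the NTFS dirty bit; it deletes nothing unless `-Remove` is given. The name regex, the 14-day creation window, the directory list, the C: drive and the PowerShell 3.0+ requirement are assumptions of this example, and a rootkit that hides its process or files can hide from these listings as well, so an empty report is not a clean bill of health.

```powershell
<#
  Added triage script for the clean-up described in the post (example code,
  not from the thread or any vendor). Run from an elevated PowerShell 3.0+
  in Safe Mode with Command Prompt, as the poster did.
  Assumptions: system drive C:, profile at $env:USERPROFILE, recent infection.
  Review the report before using -Remove.
#>
[CmdletBinding()]
param(
    [string]$UserProfile   = $env:USERPROFILE,
    [int]   $NewerThanDays = 14,     # assumption: the infection is recent
    [switch]$Remove
)

# 1. Random-named executables: names made only of digits (like 3571092410.exe)
#    or only of letters, 6+ characters, .exe/.dll, created inside the window.
#    Legitimate system files rarely match all three; treat hits as leads.
$randomName = '^(?:\d{6,}|[a-z]{6,})\.(?:exe|dll)$'
$cutoff     = (Get-Date).AddDays(-$NewerThanDays)
$roots      = @("$env:SystemRoot\System32", "$env:SystemRoot\Temp",
                "$UserProfile\AppData\Roaming", 'C:\Temp')

$suspectFiles = foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $randomName -and $_.CreationTime -gt $cutoff }
    }
}

# 2. Extensionless files directly under C:\Windows and System32 that carry a
#    named stream besides the default ::$DATA. The ADS is the real payload;
#    the host file is the "0 byte file" the poster deleted.
$adsHits = Get-ChildItem -LiteralPath $env:SystemRoot, "$env:SystemRoot\System32" -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '' } |
    ForEach-Object {
        $hostFile = $_
        Get-Item -LiteralPath $hostFile.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    HostFile   = $hostFile.FullName
                    HostLength = $hostFile.Length
                    Stream     = $_.Stream
                    StreamSize = $_.Length
                }
            }
    }

# 3. Processes launched from a stream keep the host:stream name. A rootkit
#    can hide from Get-Process, so an empty list proves nothing.
$adsProcs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match ':' } |
    Select-Object Id, ProcessName, Path

"== Random-named executables created after $cutoff =="
$suspectFiles | Select-Object FullName, Length, CreationTime | Format-Table -AutoSize | Out-String
"== Extensionless files with alternate data streams =="
$adsHits | Format-Table -AutoSize | Out-String
"== Running processes whose name contains ':' =="
$adsProcs | Format-Table -AutoSize | Out-String

# 4. "Volume - C: is Dirty" means NTFS wants a check; autochk then runs at
#    the next boot on its own. To force one anyway: chkdsk C: /F and answer
#    Y when asked to schedule it.
"== NTFS dirty bit =="
fsutil dirty query C:

if ($Remove) {
    foreach ($f in $suspectFiles) {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Continue
    }
    foreach ($h in $adsHits) {
        # Remove-Item -Stream deletes only the named stream, not the host file.
        Remove-Item -LiteralPath $h.HostFile -Stream $h.Stream -Force -ErrorAction Continue
    }
    # Verify protected system files afterwards, as the poster did.
    sfc /scannow
}
```

Run it once without `-Remove` and read the three tables; anything in the second table is worth submitting to a malware analyst before deletion, because the stream, not the 0-byte host, is the sample. If System32 is locked down by the infection (the "access denied" the poster describes), the listing still works from the alternate-shell safe mode where the hidden process is not running.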

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,046 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:03 PM

Posted 01 October 2011 - 01:04 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic421270.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.





