Posted 05 October 2011 - 11:10 AM
This past week my fiancée got a rogue antivirus on her PC – Open Cloud Security – while searching DeviantArt and listening to Pandora. Though I wasn’t present to observe, it appeared to be a drive-by installation (AFAIK, she didn’t click on any suspicious items).
Her PC stats:
What I know: Win XP Pro 32-bit, Ad-Aware free running constantly, router/hardware firewall, IE 8, EVGA GTX 460 @ 1024 MB, no virtual drive installed
What I can’t remember specifically offhand: Quad-core Intel, 2.5+ GB RAM, Mobo…(Asus ETS2 Energy Saver?)
I have searched numerous forums and sites for advice, and found many helpful tips – but nothing has worked.
(NOTE: This post does not contain DDS and GMER logs, because I downloaded and transferred those programs to her computer with a flash drive and experienced problems, noted below:
DDS: began to run, but seemed to freeze up the machine…after 2 hours, the “bar of asterisks” had not moved past ¾ of the way or so…I had to hard restart, and it took several tries on the initial BIOS screen, along with pulling the power cord out and letting the mobo power drain, before the BIOS would find the HDs and continue the boot process.
GMER: Started and ran successfully, running overnight. In the morning, I tried to “Save” a log for submittal, but received an error that there were “not enough resources to complete the process” in My Documents or something similar, and then the computer froze…could move the mouse but not click anything, or pull up Task Manager…had to hard shutdown.)
The minute she saw Open Cloud Security appear, she shut down the computer. I restarted in Safe Mode and attempted to pull up Task Manager to catch the .exe before it took hold. Her computer boots and loads Windows extremely fast (compared to mine, in like 20 sec or less), so it’s sometimes hard to catch these things, but I identified the file (rRLL…something or other), ended its process, and took note of the location.
Next, I opened Msconfig and stopped the file from loading at Startup, and confirmed its location on the hard drive. I also checked Services to see if anything was amiss, and I didn’t see anything strange.
I next went to the file’s location, which was in WINDOWS\System32, and deleted it. I also deleted it from the registry.
I also checked Application Data and other locations where rogue antiviruses tend to install, and I didn’t see anything. I ran HiJackThis as well, and saw nothing that had changed since the last time I had run it (nothing suspicious or unknown). I also checked IE for any proxies or changed connection settings, but there weren’t any. I thought I was done - prematurely, it seems.
I then rebooted the PC (in normal mode), and checked for the file – it did not appear. My fiancée reminded me to run an antivirus scan. We have several to choose from; I decided to run Malwarebytes. However, the scan would not run; I get an error message stating “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.”
Just FYI, this is an administrator account with Full Control of mbam.exe.
Each time I tried, I got that error. I tried Ad-Aware, but it said “Failed to connect to service.” I tried Trend Micro Housecall, but it loaded and then quit before scanning, without any error message.
I then rebooted again in Safe Mode (with networking, because it seemed like I would need to re-download Malwarebytes, or run one of the other scanners, which each required the Internet to work). I then noticed in Task Manager a new .exe – called “2478689085:3258204780.exe”. I could not end the process, despite multiple attempts – and there doesn’t seem to be any way to get to it before it appears – the earliest I can bring up Task Manager once the computer boots, it’s already there. The file runs with about 460 KB of memory.
I checked Msconfig and there are no suspicious Startup items or services.
So next, I did a Windows Search for the file. It found the file in C:\WINDOWS (under the first part of its name, “2478689085”, with a size of 0 bytes), and in Prefetch. I deleted both occurrences. However, it keeps appearing each time I reboot.
Realizing that something must be putting it back in, I also searched the registry; I deleted all occurrences of “2478689085”, and Open Cloud Security. No luck; the file continued to reappear, even though the registry items do not reappear.
I eventually found reference to “2478689085” in another registry item, “3dcbbd93”, which appears in Services\Current Control Set(s) 0001 and 0002 in the registry. I deleted these. However, these continue to reappear (at least in Services\Current Control Set 0001). I haven’t been able to find what is causing this registry key to reappear.
I also tried opening “2478689085” in Notepad to check if there were any clues in its contents, but it’s a blank file (or I just can’t see anything).
Now, through this I’ve been trying things like Rkill (which doesn’t stop or find anything), and renaming Malwarebytes to “iexplore.exe” or “userinit.exe” to try and trick the rogue antivirus. That trick doesn’t work; the antivirus still gets shut down, Ad-Aware can’t connect to service, and Trend Micro quits.
Another interesting occurrence is that, if you try to run in Safe Mode with Network, and you open IE, once you start searching for things like Malwarebytes and such to download, IE appears to crash and say that it recovered a page – and sometimes it opens multiple windows pointed to your home page – which I assume is the rogue antivirus trying to mess with you. When I look at the reopened pages’ settings, though there is no proxy, the security settings for Cookies have been changed to “accept all cookies,” even if I had it set to block all cookies previously. I went ahead and deleted all cookies just in case there was something malicious, but that hasn’t solved the problem.
I was able to run ESET’s online scanner and it found a few Trojan items which I quarantined and deleted. It also found some things in Sun Java, so I went ahead and deleted the whole Java install, since that’s easy to reinstall.
Another thing I’ve tried is rebooting only in Safe Mode (no network support). If I reboot like this after deleting the registry keys and “2478689085,” then the .exe does not reappear in Task Manager and I can run Malwarebytes without error if I reinstall it each time (I still can’t do Trend Micro or Ad-Aware, as they need network support).
[For whatever reason, if “2478689085” is running and you use Malwarebytes, it cancels the scan and you get the permissions error dialog, and mbam.exe and mbamservice.exe change to the “generic .exe” icon (blue atop a white box), as if the .exes were broken.]
Doing this, I’ve been able to find some more items, quarantine, and delete them, to the point that if I run a scan now, it says clean. However, if I boot normal or in Safe Mode with network, the file reappears and shuts down my antivirus programs – even if I boot with the Ethernet cable disconnected.
I thought I could outsmart the virus by changing “3dcbbd93’s” registry key for Start from (3) to (0), so that the file wouldn’t load. And it won’t load, even if I don’t delete it and “2478689085” and then reboot in Safe Mode…but once I reboot in Safe Mode with Networking, it will reappear in Task Manager.
I have also checked for rootkits using Esage’s Rootkit Remover, but it didn’t find anything.
So here are the problems:
1. “2478689085” continues to reappear whenever the PC is booted normal or in Safe Mode with networking, and I can’t end the process.
2. Guides found online don’t solve the issue because Malwarebytes, Rkill, ESET et al. can’t find any malicious items. I wonder, did I screw myself by deleting the original file [rRLL…] before running an antivirus?
3. I can’t identify what is causing “3dcbbd93” to reappear in the registry every time it reboots in Safe Mode with networking or normal mode.
4. Changing “3dcbbd93’s” Start registry key from (3) to (0) will prevent it from loading, but only when there is no network…once there is a network it will reappear.
5. When “2478689085” is running, the browser doesn’t work properly, with crashes, multiple windows, and resetting cookies to Accept All. And I cannot perform normal antivirus scans.
Thanks for reading this post. Any ideas to help me, short of wiping the PC and reinstalling Windows?
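An added detection check, not part of the original post: a colon inside a Windows file name, as in 2478689085:3258204780.exe, denotes an NTFS alternate data stream (file:stream), which would explain why Windows Search reports the file 2478689085 as 0 bytes (that is the size of its main stream, not of the stream holding the executable). The constructed Python below parses a `reg export` of the Services key and flags any service whose ImagePath points at a stream; the service name 3dcbbd93 and the stream name are from the post, while the Start and ImagePath values attached to them, and the benign Dnscache entry, are assumed for the demonstration.

```python
import re

# Constructed sample in `reg export` format (real exports are UTF-16 files).
# 3dcbbd93 and 2478689085:3258204780.exe are named in the post; the Start and
# ImagePath values tied to them are assumed, and Dnscache is a benign contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\3dcbbd93]
"Start"=dword:00000003
"ImagePath"="C:\\WINDOWS\\2478689085:3258204780.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache]
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k NetworkService"
"""

KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)"
                    r"\\Services\\([^\\\]]+)\]$", re.IGNORECASE)

def parse_services(reg_text):
    """Map service name -> {value name: value}; handles "string" and dword values only."""
    services, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # new key: track only direct Services\<name> keys
            m = KEY_RE.match(line)
            current = services.setdefault(m.group(1), {}) if m else None
            continue
        if current is None or not line.startswith('"'):
            continue
        name, _, value = line[1:].partition('"=')
        if value.startswith('"') and value.endswith('"'):
            current[name] = value[1:-1].replace("\\\\", "\\")   # un-escape backslashes
        elif value.startswith("dword:"):
            current[name] = int(value[6:], 16)
    return services

def is_ads_path(image_path):
    """True when the file component is file:stream (an NTFS alternate data stream)."""
    path = image_path.strip('"')
    if re.match(r"^[A-Za-z]:", path):
        path = path[2:]                     # the drive-letter colon is not a stream separator
    return ":" in path.rsplit("\\", 1)[-1]

def suspicious_services(services):
    """(name, Start, ImagePath) for every service launched from an alternate data stream.
    Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled."""
    return [(name, v.get("Start"), v["ImagePath"])
            for name, v in services.items()
            if "ImagePath" in v and is_ads_path(v["ImagePath"])]
```

On a live machine the input would come from `reg export HKLM\SYSTEM\ControlSet001\Services services.reg` run from a clean boot medium, since the post shows the key being rewritten whenever the service is running.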