
Am I Infected? Oh, you betcha! Worst I've ever seen!


6 replies to this topic

#1 ultranothing

  • Members
  • 7 posts

Posted 27 October 2011 - 11:47 AM

I'm going to be as detailed as possible:

After searching for a program online, I was directed to a website that I just knew wasn't trustworthy. You've all seen them before: terrible graphics and layout, horrible grammar/sentence structure, etc. But I thought I'd give the guy the benefit of the doubt, since the program was "freeware" and, hey, what do you expect for free?

After downloading the program, I fired it up. I started getting this message, something to the effect of "Do you want the program taskmgr.exe (unknown publisher) to make changes to this computer?"

After clicking "no" about five hundred times, I became a bit frustrated and said, "Fine! Whatever!" and clicked "Yes."

Stupid, I know! And now I'm paying for it. This is, in twenty years of computer experience, the absolute worst infection I've ever had.

Microsoft Security Essentials (MSE) shows that I'm infected by Trojan.Win32/Sirefef.O, Sirefef.I, and Sirefef.J, TrojanDownloader:Java/OpenConnection.OS and Java/OpenConnection.OU, Exploit:Java/CVE-2010-0840.KI, Backdoor:Win32/Smadow.gen!B, and Virus:Win32/Patchload.O.

Of course, MSE continues to tell me that threats are being detected, and that a reboot is required. I've rebooted about two dozen times after it tries to either remove, quarantine, inoculate, or whatever, and it just keeps coming back. MSE is also reporting internal errors, the last one being 0x8007054f.

Task Manager shows a process running called "2430975358:2168593007.exe" Process ID 788 (though the PID varies depending upon reboot.) I've tried deleting the file manually - no luck.

Malwarebytes will scan the Hard Drive and as soon as it comes to this process, the scan (and Malwarebytes itself) will immediately close. Scanning with Microsoft Safety Scanner produces the exact same result - it scans for a moment, and then completely shuts down.

Once this happens, any attempt to restart either program results in the error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I must re-install either program in order to use it again, which is useless at the moment.

I have tried renaming each of the .exe's (both the install and the program executable) to avoid detection by the malware, but it does not work.

I have tried using OTH and RKILL before running either program, but that has not worked either.

I have run ESET's online scanner, which found and quarantined three files but did not remove the offending malware.

I have done all of this with normal, selective, and safe startup.

The other symptom I'm having is redirects to such exotic locales as: signalsearchsystem.com, topusaprizes.com, beechwoodgrangestud.com, search-fast-results.com, guide2flashlights.com, etc.

My Google searches now yield "about 0 results" and display only about five results.

I think that's about all I can remember. Can someone please assist me with this? I've been fighting this infection for six hours, so if you can't offer technical assistance, maybe some Dr. Kevorkian style help will do?

Thank you in advance, for all the work you do around here, and for whatever you can do for me!

- Josh

Edited by ultranothing, 27 October 2011 - 08:25 PM.



#2 Akashi

  • Members
  • 301 posts

Posted 27 October 2011 - 01:29 PM

Task Manager shows a process running called "2430975358:2168593007.exe"

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

The above indicates that you are infected with a Zeroaccess rootkit.

I read HERE that rootkit removal is not allowed in the Am I infected? What do I do? forum.

To proceed, I suggest that you follow the instructions HERE. Then start a new thread in the Virus, Trojan, Spyware, and Malware Removal Logs forum HERE, and include a link to this thread in your new thread.

I hope it goes well for you. :)
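The diagnostic Akashi draws from the process name can be automated for triage. An image name of the form "digits:digits.exe" is not a legal ordinary file name: the colon marks an NTFS alternate data stream (ADS), which is where ZeroAccess/Sirefef of this era hid its executable. The script below is an added example, not from this thread or from any BleepingComputer tool; it parses constructed `tasklist /fo csv` output (the sample rows are made up, with only the process name and PID taken from the first post) and flags ADS-hosted processes for a responder to investigate.

```python
import csv
import io
import re

# Ordinary image names never contain ':'; "host:stream.exe" means the executable
# lives in an NTFS alternate data stream attached to a file or directory.
ADS_EXE_RE = re.compile(r"^[^:\\/]+:[^:\\/]+\.exe$", re.IGNORECASE)

# Constructed sample of `tasklist /fo csv` output (not captured from the
# poster's machine); the ZeroAccess-style row reuses the name and PID quoted
# in the first post.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,024 K"
"explorer.exe","1532","Console","1","42,316 K"
"2430975358:2168593007.exe","788","Services","0","6,112 K"
"MsMpEng.exe","1888","Services","0","80,400 K"
"""


def ads_hosted_processes(tasklist_csv: str) -> list:
    """Return the tasklist rows whose image name is an ADS-hosted executable.

    Each hit is a dict with the PID, the host file/directory name and the
    stream name, so a responder knows which object to inspect (e.g. with
    `dir /r`) rather than looking for a file that does not exist on disk.
    """
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    hits = []
    for row in reader:
        name = row["Image Name"]
        if ADS_EXE_RE.match(name):
            host, stream = name.split(":", 1)
            hits.append({"pid": int(row["PID"]), "host": host, "stream": stream})
    return hits


if __name__ == "__main__":
    for hit in ads_hosted_processes(SAMPLE_TASKLIST):
        print(f"PID {hit['pid']}: executable in ADS '{hit['stream']}' "
              f"of '{hit['host']}' (ZeroAccess-style indicator)")
```

On a live host, feed it the real output of `tasklist /fo csv`; a hit is a strong reason to move to the rootkit-removal workflow rather than keep re-running signature scanners.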

#3 ultranothing
  • Topic Starter

  • Members
  • 7 posts

Posted 27 October 2011 - 08:25 PM

No offense to you personally, but you've only joined this site two days ago and have only two posts. Although you're most likely genuinely trying to assist, don't be too upset if I wait for a moderator, or someone with some clout, to pick this up.

In the meantime, I'll check out your links. Thanks!

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,072 posts
  • Location:NJ USA

Posted 27 October 2011 - 09:03 PM

Hello, if you are running a 32 bit system then the task manager assertion is correct.

Then follow the Prep guide Akashi linked to above " follow the instructions HERE. "

#5 Akashi

  • Members
  • 301 posts

Posted 28 October 2011 - 09:52 AM

No offense taken, ultranothing. :)

The Zeroaccess infection can be very tricky to remove, but one of the malware experts here will guide you through the process. :thumbup2:

#6 ultranothing
  • Topic Starter

  • Members
  • 7 posts

Posted 10 August 2017 - 12:37 PM

Well, just a quick update to this one.  The computer ended up having to be burned in the hellfire of Hades.  It screamed and moaned in ancient tongues before finally succumbing to the damnation it knew it rightfully deserved.  An intonation was canted and the area sprinkled with holy water.  



#7 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,072 posts
  • Location:NJ USA

Posted 10 August 2017 - 01:25 PM

:flamethrower:  :flamethrower:  :rip: 

