Processes Getting Killed

Ender07

Hey everyone, I have a netbook I received and it had Cloud Security Antivirus which was a fake AV. I was able to stop the process from starting and remove all that I could find, but now I still cannot run any scans within Windows. Every time I install a program like SSA or MBAM it lets me start the scan, then kills it and does something to the icon and .exe files in Program Files so I cannot launch it anymore. It makes it so the icons cannot find the .exe, but even if you rename it, it still does not work.

I narrowed it down to a rogue process, I believe, in Windows when I am running Windows XP normally. It is called 2551391300:3151752295.exe and it cannot be killed with End Process or End Task; I tried killing it from the command line but that doesn't work either. I have rebooted in safe mode and was able to run MBAM, SAS, and MSE, but none turned up anything regarding that, and when I search for it I cannot get any results back.

I also tried running Process Explorer, HijackThis, and Autoruns in regular Windows, but as soon as I get them up they get killed and the icons don't work anymore. Has anyone ever come across something like this? Is there any way to find the rogue process killing everything and forcefully end it somehow?

Thanks!
 
Well, I am trying other options right now; it's a netbook, so no CD drive, and I don't have an external one on hand. The weird thing is, though, why can I not find that process ANYWHERE, even searching in safe mode with hidden files included in the search?
 
Ok new development...I searched the last part in regedit and found this:
Name Type Data
ImagePath REG_SZ \systemroot\2551391300:3151752295.exe

Is there a way to find it and delete it?
 
Take the drive out and scan it on another machine.

I will do that, I already was able to run scans while in safemode with superantispyware, malwarebytes, and microsoft security essentials. After the first few passes with the initial removal of the malware items I did not get anything back from any of them after multiple complete scans. I can always try again though!
 
I have met this beasty a lot recently. This is a rootkit, part of the TDSS family, and the TDSS 3+ and 4 versions are very nasty.

The biggest problem you have got is that you are fighting a rootkit which hides itself, its running processes and infected system files from the security software you are running.

Your infection is not as severe as some cases I have experienced, as you have been able to run programs.

This rootkit resets all the permissions and will terminate any programs that you try to run. If you right-click a program, for example, and go to the Security tab, you will notice that only "Everyone" is left and only has special permissions checked.

You will also notice a weird process running called something like 2324244:3455367335.exe for example that cannot be killed.

It will also maybe add a random file in the C:\Windows\system32 folder. This can be deleted but will be replaced on a reboot.

The biggest danger with this rootkit is that, depending on whether it is TDSS 3 or 4, it infects .sys files and even the master boot record!

Resolve

If you are getting the "you haven't got permissions" error when trying to run a program, then try these first.

I have used the Kaspersky TDSS killer removal tool many times and it is able to protect itself from being terminated (but strangely not always).
If it does run and it finds anything, you have the option to delete or cure what it finds. I have used the cure option almost every time and it has fixed/disinfected the MBR and .sys files. If it is stopped by the rootkit then I recommend trying "Hitman Pro 3.5". This does the same as the Kaspersky TDSS removal tool and is also able to protect itself.

If the above doesn't work then you're going to need to remove the infection with a boot-up CD. There is no point continuing in the O/S, as the rootkit has full control of what you can do.

My weapon of choice is again Kaspersky *bows*. Their Rescue boot CD is amazing. Boot from the CD, run a scan, remove/disinfect, done!!


If you still get permission errors when the rootkit has been removed, run this in a cmd window:

Windows xp:- secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

windows vista/7:-

You need to run cmd as "administrator" and be on the drive that needs the permission reset, i.e. (C:\)

icacls * /T /Q /C /RESET


If none of the above works, then I have used "UnHackMe" in combination with their "Warrior CD".

I have never needed to nuke and pave or run a repair install (fingers crossed). ;)

Hope this has helped you guys. :D
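The two findings in this thread (a service ImagePath of \systemroot\2551391300:3151752295.exe that no file search can locate, and ACLs stripped down to "Everyone") are both things a defender can check for before reaching for a removal tool. The script below is an added example and is not from the thread, from D7, or from Kaspersky. It assumes Windows PowerShell 3.0 or later (for Get-Item -Stream) run from an elevated prompt, and it only reports; it deletes nothing. The colon in the ImagePath is the clue: a name of the form directory:stream.exe is an NTFS alternate data stream attached to the directory itself, which is why Explorer and a normal search never show a file.

```powershell
# Added example, not code from the thread. Read-only triage for the symptoms
# described above. Assumes PowerShell 3.0+ and an elevated session.

# 1. Service ImagePath values that point at an alternate data stream (ADS).
#    The thread's value was \systemroot\2551391300:3151752295.exe; after any
#    "C:" drive prefix is stripped, a second colon followed by a stream name
#    ending in .exe/.dll/.sys is not a normal path.
function Find-AdsServicePaths {
    $hits = @()
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and (($img -replace '^\s*"?[A-Za-z]:', '') -match ':[^\\/]+\.(exe|dll|sys)')) {
            $hits += [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $img }
        }
      }
    return $hits
}

# 2. Named streams attached to %SystemRoot% itself. The unnamed ':$DATA'
#    stream is normal on NTFS; anything else on the Windows directory is not.
function Get-SystemRootStreams {
    Get-Item -Path $env:SystemRoot -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' } |
      Select-Object FileName, Stream, Length
}

# 3. Image File Execution Options "Debugger" values. A Debugger entry under a
#    program's name makes Windows launch the named debugger instead of the
#    program, which matches "the scan starts, then dies" and "the icon cannot
#    find the .exe" (the D7 "IFEO resolution" in the last post targets this key).
function Get-IfeoDebuggers {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

# 4. ACL sanity check on Program Files: a healthy install lists SYSTEM and
#    Administrators, not just "Everyone" with special permissions.
function Test-ProgramFilesAcl {
    $acl = Get-Acl -Path $env:ProgramFiles
    $ids = @($acl.Access | ForEach-Object { $_.IdentityReference.Value })
    [pscustomobject]@{
        Path       = $env:ProgramFiles
        HasSystem  = ($ids -contains 'NT AUTHORITY\SYSTEM')
        HasAdmins  = ($ids -contains 'BUILTIN\Administrators')
        Identities = ($ids -join ', ')
    }
}

Write-Host '== Services whose ImagePath is an alternate data stream =='
Find-AdsServicePaths | Format-Table -AutoSize
Write-Host "== Named streams on $env:SystemRoot =="
Get-SystemRootStreams | Format-Table -AutoSize
Write-Host '== IFEO Debugger entries =='
Get-IfeoDebuggers | Format-Table -AutoSize
Write-Host '== Program Files ACL =='
Test-ProgramFilesAcl | Format-List
```

A hit in section 1 or 2 is consistent with the stream-based service described in this thread; a Debugger value under a security tool's name in section 3 explains why that tool dies at launch; a Program Files ACL with no SYSTEM or Administrators entry is the state the secedit and icacls commands above are meant to repair. On an infected XP box the rootkit may kill this session too, which is exactly the point at which the boot-CD advice above applies.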
 
Alright, so I did some late-night troubleshooting tonight and was able to get everything back to normal thanks to all of you! I must say that D7 by Foolishtech was VERY helpful and the full insight from Mike_Tech was awesome as well. After running the D7 IFEO resolution I was able to run TDSSKiller and get rid of everything, and then I repaired the permissions and got it running in tip-top condition. Thanks again everyone!
 