MobileTechie, Well-Known Member (Reaction score: 32, Location: UK)
I've a PC which had the Zentom virus. This was killed off by removing the reg keys and then running MBAM. Now the fake AV bit has gone.
However it, or its associated rootkit, is still running.
In task manager you can see a file named something like 128320934:3093432.exe which is in the Windows directory. However deleting this offline makes no difference since it appears to be created freshly at boot.
Any program you use that messes with that file, such as Process Explorer or Kernel Detective or a scanner results in the scanner being terminated and then the next time you try to run it, you cannot and are given a permissions error. It's like it adds them to a kill list.
You cannot suspend that exe file as it just does not work. If you kill it, explorer restarts, your app gets killed and it's still there.
TDSSkiller completes a scan and finds nothing.
Autoruns finds nothing unusual.
Hitman Pro completed and found various problems with java exploits, trojans and cookies. Oddly it successfully removed all the infected exes but failed to delete the cookies.
Root Repeal finds odd things, including those cookies being linked to the API, but you cannot make any changes that make any difference.
Offline scans with Kaspersky find nothing at this stage - not bootkits, no startup objects, no infected files.
Yet that little exe remains there and it, or something else, is blocking any move to remove it.
Also weird is the inability to uninstall certain things. I want to run Combofix but AVG cannot be uninstalled. It goes through the process but on reboot - it's still there. I can turn it off but AVG only gives you 15 mins and combofix takes longer than that. I'll give it a go anyway but it's just another unusual feature.
Anyone seen anything like this before?
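The image name the poster describes, a colon between two runs of digits inside the Windows directory, is the form an NTFS alternate data stream (ADS) takes when it is executed, which would also explain why deleting a visible file changes nothing. The following PowerShell is an added example for triaging such a machine, not something from the post or from any of the tools named in it. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance and the -Stream parameter on Get-Item), and it assumes the process really is hosted in an ADS; the regex and the stream filter are my own.

```powershell
# Added example (not from the original post). Hunt for an executable that is
# running out of an NTFS alternate data stream, which is the assumption behind
# a process name like 128320934:3093432.exe in the Windows directory.

# 1. Running processes whose image path contains a second ':' after the drive
#    letter. A normal path has only the drive colon; an ADS-hosted image has one
#    more, separating the host file from the stream name.
$adsPattern = '^[A-Za-z]:\\.+:[^\\:]+$'   # constructed pattern, e.g. C:\Windows\123:456.exe
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match $adsPattern } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Format-List

# 2. Named streams on files and folders directly under %SystemRoot%.
#    Every NTFS file has the unnamed ':$DATA' stream; anything else is worth a look.
#    Older PowerShell builds may not enumerate streams on directories, so errors
#    are suppressed rather than stopping the sweep (assumption, not verified here).
$winDir = $env:SystemRoot
Get-ChildItem -LiteralPath $winDir -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# 3. The Windows directory object itself can carry a stream too.
Get-Item -LiteralPath $winDir -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length
```

Run it from an elevated prompt, ideally from a recovery environment or a clean boot medium, since the post describes the live process terminating anything that touches its file. Any stream the second or third step lists is a candidate host for the image seen in Task Manager; the host file or folder name (not the stream) is what an offline deletion or repair needs to target, and the boot-time recreation the poster sees means a launch point (service, driver, or a patched system binary) still has to be found separately.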