interesting virus!


Alright, well I can't run any virus scans such as ComboFix, GMER, MBAM, or anything for that matter, regardless of what the file name is. Once you start the scan, the virus closes the process and adds permissions to the file so it cannot be run (access denied). I've removed countless viruses before and this one is by far the toughest I've ever come across!

File Name: 2633065072:2409434723.exe

Location: C:\Windows

The file does not show up as an exe, it has no file attributes to it when viewing, and comes up as only '2633065072'. When running 'attrib -h -s 2633065072:2409434723.exe' it cannot find the file specified. I can delete that file but it will come back on the next restart. I tried moving it to my flash drive to run a VirusTotal scan on it but received this message...


Confirm Stream Loss

The File '2633065072' has extra information attached to it....

:2409434723.exe:$DATA

Proceed anyway?

I was able to run GMER under Hiren's Boot CD but even when I uncheck drives, it still scans them anyway, so the log file is polluted with thousands of entries that mean nothing. Was able to use ComboFix. ComboFix, however, detects rootkit activity and wants a restart, and if the computer restarts then it won't run again since it's booting via CD...

In safe mode, I get the same results and the exe is still running. When attempting to end task the exe, it just stays there and nothing happens. I was able to run GMER briefly and kill all processes in hopes of running an MBAM scan, but the virus continues to run even when I delete or kill the process inside of GMER! So now I am here! Hopefully someone can help me out.

attach.txt


Alright, a little more research on my part in attempts to remove this thing. The colon simply means that there is an ADS (Alternate Data Stream) attached to the file, which is the 2409434723.exe. I cannot find the location of this file. I've since tried deleting all startup registry entries pointing to that exe and the 2633065072 file with no extension. They both came back right after restart and the virus is still running.

I downloaded Streams.exe from Sysinternals on the Windows website and found the data stream and attempted to delete it, but it gives me access denied. I also tried ADS Spy from BleepingComputer. It finds the ADS but when you delete it, the program is immediately closed and permissions set to it so you can't start it again. I'm thinking a wipe and reload is the only way to get rid of this damn thing. Can't find it by pulling the hard drive and doing a scan either.

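The poster's `file:stream:$DATA` naming is how NTFS exposes alternate data streams, and the same thing can be enumerated from an administrative PowerShell session without third-party tools. The script below is an added example, not code from the thread or from Malwarebytes; it assumes PowerShell 3.0 or later on an NTFS volume, and the path and the `-Remove` switch are illustrative choices:

```powershell
# Added example: list every alternate data stream under a directory and,
# with -Remove, delete the named stream while leaving the host file intact.
# Benign streams such as Zone.Identifier (browser "mark of the web") are
# common, so review the listing before removing anything.
param(
    [string]$Path = 'C:\Windows',   # assumed starting directory
    [switch]$Remove
)

# Every NTFS file carries the unnamed ':$DATA' stream; any other stream is an ADS.
# -Force includes hidden/system files, since the infected file had its attributes hidden.
$streams = Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    }

foreach ($s in $streams) {
    # FileName is the host file, Stream the ADS name, Length the ADS size in bytes.
    '{0}:{1}  ({2} bytes)' -f $s.FileName, $s.Stream, $s.Length
    if ($Remove) {
        # Remove-Item -Stream deletes only the ADS; the host file keeps its own data.
        Remove-Item -LiteralPath $s.FileName -Stream $s.Stream -ErrorAction Continue
    }
}
```

As the thread shows, a running infection can deny access to the stream or kill the shell; in that case run the enumeration from a rescue environment (such as the LiveCDs recommended below) where the malware is not executing.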

  • Staff

Hi and welcome to Malwarebytes.

Let's see if we can kill this from outside of Windows. Bear with us; this is a new infection and we are working on it. :)

These are links to anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from to repair unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disc to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Let me know how it goes.


I ran the Norton Bootable CD last night and it got rid of 2 trojans. Sadly I did not write down which trojans these were :( Computer loaded into Windows without ADS on that file and that file was gone. However, Windows was very corrupt. I tried sfc /scannow, chkdsk, and a repair but nothing resolved all the little stuff it was doing. Only resolution now is to back up, wipe, and reload. Pesky little virus :(

After complete install, computer is running great now.


  • Staff

Thanks for letting me know.

Unfortunately malware is causing more and more irreparable damage that requires a format and reinstallation of Windows.

Let me know if there's anything else we can do for you.

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
