Jump to content

964712526:2980544454.exe process, can't kill or find original source

Recommended Posts

Alright, so I followed the forums' instructions to the best of my abilities, successfully running defogger and dds. Due to the nature of my problem, I am unable to run MBAM or GMER. MBAM just shuts down entirely shortly after beginning the scan (this is due to the virus) and GMER either crashes or flat out bluescreens my computer whenever I try to run it, so I just gave up on that. In all cases I was running in safe mode.

Onto the problem itself. I realized I had a problem as soon as I saw that my Avast! antivirus was disabled (with the red X over it in the taskbar icon). If I tried to run it or MBAM, they would just shut down completely not long after starting a scan. Also if I went to google in my web browser and searched for something, every time I clicked on a link in the search results I'd be taken to some completely different site. Just avoiding google searching seems to work fine though, hence how I got here. Oh also, sometimes when I opened my browser it would attempt to connect me to some proxy server. I'd then have to go get rid of proxy settings in my browser's options.

I did some of my own investigation on the problem, and here's the shakedown: if I open task manager, I see the culprit process. The process name is 964712526:2980544454.exe, and the description is just 2980544454.exe. It claims to be run by SYSTEM. If I try to end the process, nothing happens and the process is still there. If I try to open the file location, nothing happens and no window or folder opens.

I tried manually looking for the exe, but to no avail. I searched all over my C drive for both 964712526 and 2980544454, but found no exes. BUT right in the C:\Windows folder I did see a file simply named "964712526" with no extensions or anything. If I look at its details it says it's literally 0 bytes, which is weird. I've deleted it multiple times, but it just comes back every time I reboot.

I also searched my registry. The only thing I found was in the location HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\4e588039 . Inside is a string by the name of ImagePath, with the value \systemroot\964712526:2980544454.exe . Similar to the file in C:\Windows, if I remove it it just comes back whenever I reboot. Even if I just edit the value, it's back to the same value again when I reboot.

So neither that registry entry or the file in C:\Windows are the actual source of the virus and its process. But... what is? If I can just figure that out, maybe I can beat this thing. But I can't figure it out for the life of me. So, I humbly turn to you experts. Can you help me?

Oh yeah, one more important bit of info: I've mostly been working in safe mode. The one time I booted up in normal mode, my computer was instantly hitting me with that Open Cloud Antivirus crap, which I knew was fake right away. I think I managed to get rid of most of the traces of that in safe mode (where it didn't open on startup), but I'm afraid if I try to boot up in normal mode it'll just happen again, since it's probably getting installed by the virus I've been talking about. So I guess what I'm dealing with here is some variant of the Open Cloud virus. Maybe.

Incoming DDS dump. Also, I attached the zip file, but it only has the attach.txt from dds, since like I said GMER wasn't playing nice.


DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_21

Run by Jonathan at 0:28:27 on 2011-10-05

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.2476 [GMT -4:00]


AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalService



C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted


C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe


C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Mozilla Firefox\firefox.exe



============== Pseudo HJT Report ===============


uStart Page = hxxp://www.dell.com

uWindow Title = Internet Explorer provided by Dell

uDefault_Page_URL = hxxp://www.dell.com

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

uRun: [bitTorrent DNA] "c:\program files\dna\btdna.exe"

uRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

uRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [volmgr] c:\windows\system32\config\systemprofile\appdata\local\volmgr.exe

mRun: [xNyyxAA0uvS8234A] c:\windows\system32\uhhhTTXqjUCeIBz.exe

mRun: [FELL99gTZ8234A] c:\windows\system32\ZbbbD33pnG4QHsW.exe

mRun: [GaaaQH6ddW7fR9g8234A] c:\windows\system32\H000uvvS2ib3pG.exe

StartupFolder: c:\users\jonathan\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nostro~1.lnk - c:\windows\installer\{548c7b77-8b04-427e-acd0-d0e6e6e59bcf}\NewShortcut2_548C7B778B04427EACD0D0E6E6E59BCF.exe

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: Interfaces\{9556666C-55D2-4E27-87BC-F20AEEC73FBB} : DhcpNameServer =

TCP: Interfaces\{9EEEA230-5B92-45D7-84C2-1CA4189CFD4B} : DhcpNameServer =

TCP: Interfaces\{CC5FC235-E13C-4FB6-A426-FCA199BC424B} : NameServer =

TCP: Interfaces\{D8C4A634-1E76-4FB6-B84A-E8B3B5E2C399} : DhcpNameServer =

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Hosts: www.google.com

Hosts: www.bing.com


================= FIREFOX ===================


FF - ProfilePath - c:\users\jonathan\appdata\roaming\mozilla\firefox\profiles\mb225ekm.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - prefs.js: network.proxy.http -

FF - prefs.js: network.proxy.http_port - 51232

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\tabletplugins\npwacom.dll

FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\users\jonathan\appdata\roaming\mozilla\firefox\profiles\mb225ekm.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll


============= SERVICES / DRIVERS ===============


R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-9 64512]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2010-8-24 40912]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2010-8-24 10448]

S1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2011-1-22 127744]

S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-5 442200]

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-4-11 320856]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-4-10 73728]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-11 20568]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-4-11 54616]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-18 44768]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-9 2152152]

S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-11-7 5010288]

S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2009-8-3 23040]

S3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\drivers\hcwhdpvr.sys [2011-1-22 157568]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-9 15232]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2010.sp3\RpcAgentSrv.exe [2010-9-29 93848]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-11-7 16168]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2009-4-9 209408]


=============== Created Last 30 ================


2011-10-05 04:07:02 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-05 03:12:37 -------- d-----w- c:\users\jonathan\appdata\roaming\i7dEK8gRZhXjVlB

2011-10-05 03:12:36 -------- d-----w- c:\users\jonathan\appdata\roaming\AP0ycA1iv2n4m5Q

2011-10-05 01:36:04 -------- d-----w- c:\users\jonathan\appdata\roaming\UGG55aQJJ6W

2011-10-05 01:36:02 -------- d-----w- c:\users\jonathan\appdata\roaming\WkUUVVrlO

2011-10-05 01:35:53 -------- d-----w- c:\users\jonathan\appdata\roaming\ICBzNA23n5Q6

2011-10-05 01:35:50 -------- d-----w- c:\users\jonathan\appdata\roaming\wBzNx1vo3GQ6W8R

2011-10-05 00:34:04 2410496 ----a-w- c:\windows\system32\H000uvvS2ib3pG.exe

2011-10-05 00:33:36 2410496 ----a-w- c:\windows\system32\ZbbbD33pnG4QHsW.exe

2011-10-04 21:26:43 -------- d--h--w- c:\windows\PIF

2011-10-01 16:07:18 -------- d-----w- c:\program files\iPod

2011-10-01 16:07:10 -------- d-----w- c:\program files\iTunes

2011-10-01 15:58:29 -------- d-----w- c:\program files\Bonjour

2011-09-14 14:11:24 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

2011-09-08 01:24:32 -------- d-----w- c:\program files\PakkISO


==================== Find3M ====================


2011-09-22 20:28:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr

2011-09-06 20:38:05 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-09-06 20:36:26 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-16 05:23:11 0 ----a-w- c:\programdata\svpt.exe

2011-08-16 05:23:11 0 ----a-w- c:\programdata\snln.exe

2011-08-16 05:23:11 0 ----a-w- c:\programdata\hffy.exe

2011-08-16 05:23:11 0 ----a-w- c:\programdata\hbph.exe

2011-08-12 02:12:19 952 --sha-w- c:\programdata\KGyGaAvL.sys

2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll

2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll

2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll

2011-07-11 13:25:35 2048 ----a-w- c:\windows\system32\tzres.dll


============= FINISH: 0:30:51.93 ===============

Link to post
Share on other sites


Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.