3934230198:1231650837.exe Cant Stop!


Hizzle G

For anyone reading this ZeroAccess Rootkit topic involving an ADS file (example) - C:\Windows\3934230198:1231650837.exe

 

If you wish to 'cut to the chase', go to Post #72 on page 8: here

Any previous attempts to run any programs prior to this page failed.

 

~~~~

 

 

 

Have an infection!

 

3934230198:1231650837.exe is running and I cannot stop it.

 

Causes all searches to end up at ads

Will not let any anti-malware programs run

Will not let me use Hijackthis

Nothing else that runs will find the problem

 

any help will be appreciated!

Edited by Aaflac

Let's start here...if you don't have it try and download Malwarebytes and save it to your desktop. (you may need to go SafeMode/w Networking to do this) You may have to rename it to Hizzle G.exe if the virus interferes.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform quick scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

 

edit: if the virus interferes with everything you may have to use SafeMode entirely.

 

 

 

 


Tried everything you said and nothing.

 

This thing 3934230198:1231650837.exe even runs in SafeMode! It would not allow Malwarebytes to run. It lets you START to scan and then it kills the program and if you try to start it back up you just get error messages... starting to frustrate me! Normally I can take care of these things alone but this one has me stumped!

WOW this thing is persistent!!! I've downloaded 5 trojan/virus/malware/adware programs and the ones that won't find it are allowed to run; any that WILL, it will not let them run, SAFEMODE or not!!! Basically disables them and throws up an error like the installation was corrupted.

 

It redirects any searches. It allows you to search but when you click the link that Google or what have you gives you to choose from it will redirect you. I keep seeing in the bottom left of my browser 100ksearches.com


Upload 3934230198:1231650837.exe to http://www.virscan.org/

Scan and save the results. Copy and paste the results back here, so we can see what this malware is.

 

After doing the above, see if you can kill it with Killbox:

Download KillBox

 

 

Unzip the folder to your desktop.

 

Start Killbox.exe

 

When it is open, enter 3934230198:1231650837.exe into the field labeled "Full path of file to delete". You will need to find the 'full' path, such as C:\****\***

 

Select the Delete on reboot option.

 

Then press the button that looks like a red circle with a white X in it.

 

Your computer will reboot and check to see if the file is gone.


Hello, Hizzle G, caintry_boy, and Jacee!! :adios:

 

From the basic information provided, it appears the system is infected with the ZeroAccess Rootkit. It is a tough one.

 

The file C:\Windows\3934230198:1231650837.exe is an Alternate Data Stream (ADS) file that needs to be removed.

 

 

There are some tools that address this Rootkit, and one of them is new. However, the issue is getting them to run on this system.

There are a couple of approaches that we can try, and see if we have any luck, but it is all up to you, Hizzle G.

 

How far the infection has progressed will determine whether any efforts taken on will succeed...

Edited by Aaflac
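The ADS naming that Aaflac describes above, as an added example that is not code from this thread or from any of the tools it mentions: a small Python classifier that tells a host-file:stream path apart from the drive-letter colon and from the default ::$DATA stream, and flags named streams that carry an executable extension, which is exactly the shape of the file in this topic. The sample scan lines are constructed; the username hg and every path other than the one quoted in the thread are assumptions.

```python
"""Flag NTFS alternate data stream (ADS) paths in a list of scan results.

Added illustration for this thread, not a tool from the original posts.
A path such as C:\\Windows\\3934230198:1231650837.exe names the stream
"1231650837.exe" attached to the host file C:\\Windows\\3934230198. Explorer
and `dir` list only the host file, which is why a rootkit can keep a running
executable there unseen. The colon after the drive letter (C:) is not a
stream separator, so the parser has to skip it, and "file::$DATA" is the
ordinary default stream, not an ADS.
"""
from typing import List, NamedTuple, Optional

# Stream names that Windows itself writes and that are not worth flagging.
BENIGN_STREAMS = {"Zone.Identifier"}  # Mark-of-the-Web on downloaded files

# Extensions that should never show up as a stream name on a healthy system.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd")


class AdsPath(NamedTuple):
    host_file: str    # the visible file or directory the stream hangs off
    stream: str       # the ADS name, e.g. "1231650837.exe"
    stream_type: str  # NTFS stream type; "$DATA" when the path omits it


def parse_ads(path: str) -> Optional[AdsPath]:
    """Return an AdsPath if `path` names a named alternate stream, else None."""
    drive, rest = "", path
    if len(path) >= 2 and path[0].isalpha() and path[1] == ":":
        drive, rest = path[:2], path[2:]  # skip the drive colon, it is not a stream
    head, sep, last = rest.rpartition("\\")
    if not sep:
        head, sep, last = rest.rpartition("/")
    parts = last.split(":")
    # One part: no stream at all. Empty second part: "file::$DATA", the default stream.
    if len(parts) < 2 or not parts[1]:
        return None
    name, stream = parts[0], parts[1]
    stream_type = parts[2] if len(parts) > 2 and parts[2] else "$DATA"
    return AdsPath(f"{drive}{head}{sep}{name}", stream, stream_type)


def classify(path: str) -> str:
    """'none' (no ADS), 'benign' (known Windows stream), 'suspicious'
    (executable-looking stream name) or 'unknown' (named stream, needs a look)."""
    ads = parse_ads(path)
    if ads is None:
        return "none"
    if ads.stream in BENIGN_STREAMS:
        return "benign"
    if ads.stream.lower().endswith(EXECUTABLE_SUFFIXES):
        return "suspicious"
    return "unknown"


def find_suspicious(lines: List[str]) -> List[AdsPath]:
    """Run classify() over stream-lister output and return the executable ADS hits."""
    found = []
    for line in lines:
        line = line.strip()
        if line and classify(line) == "suspicious":
            found.append(parse_ads(line))
    return found


# Constructed sample: what a stream lister might print on the machine in this thread.
SAMPLE_SCAN = [
    r"C:\Windows\3934230198:1231650837.exe",                                 # the file from this thread
    r"C:\Documents and Settings\hg\Desktop\mbam-setup.exe:Zone.Identifier",  # Mark-of-the-Web, benign
    r"C:\Windows\explorer.exe",                                               # plain file, no stream
    r"C:\Windows\notepad.exe::$DATA",                                         # default stream, not an ADS
    r"C:\Temp\report.txt:payload.dll:$DATA",                                  # constructed second hit
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_SCAN):
        print(f"{hit.host_file} hides stream {hit.stream} ({hit.stream_type})")
```

The useful check is the host file: once you know the stream hangs off C:\Windows\3934230198, that is the object to inspect (and the one ADS Spy later removes the stream from), while a tool that only sees the stream name will keep reporting a file that no directory listing can show.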

Hizzle G,

 

Let’s see if you can follow Jacee’s suggestion to use KillBox:

 

First, you need to be able to View Hidden Files and Folders (XP)

 

Now, look for the following file:

 

C:\Windows\3934230198

 

Let us know. If you still cannot find the file, we’ll press on...

 

 

Please download ADS Spy

 

Save to your Desktop, right-click, and select: Extract all…

 

The file is extracted to a folder of its own. Open the folder, and move the file inside it to the Desktop. Important!!

 

Right-click the adsspy file, and select ’Rename’. Name it addie.com

Now, double-click addie.com to run it.

 

Click: Full scan (all NTFS drives)

Uncheck: Ignore safe system info data streams..

 

Press: Scan the system for alternate data streams

When the scan is completed, see if you can locate the following on the list:

 

C:\Windows\3934230198

 

Just let us know if you find the file, for now.

 

Close ADS Spy (addie.com).

 

 

If addie.com does not run, please do the following:

 

Go to Start > Run, and, in the Open area type: cmd

 

At the prompt, copy/paste each of the following commands in the box below, one at a time, pressing 'Enter' after each:

 

cd "%userprofile%\desktop"
cacls addie.com /e /g everyone:f
addie.com

Does it run now?


Good job, Hizzle G!!

 

You got ADS Spy to run!!

 

Now, we need to do the following:

 

First, download AntiZeroAccess and TDSSKiller (Instructions further below)

Save the programs to the Desktop, but, do not run them!!

 

We need to have these programs ready to roll, so that when you get done removing the nasty file, you can run them immediately.

We cannot take a chance on the darn file ‘taking over’ again.

 

Then, after the programs are downloaded (but not run), go back to ADS Spy (addie.com)

 

Double-click addie.com to run it.

 

Click: Full scan (all NTFS drives)

Uncheck: Ignore safe system info data streams..

 

Press: Scan the system for alternate data streams

 

When the scan is completed, locate the following on the list:

 

C:\Windows\3934230198

 

Select the file

 

Click: Remove selected streams

 

Close ADS Spy.

 

Then run AntiZeroAccess, and follow with TDSSKiller.

 

 

 

Downloads:

 

AntiZeroAccess

Save to the Desktop

 

To run:

XP users: Double-click antizeroaccess.exe to start the program.

A command (black) window opens.

Type Y to start a system scan, and then press: Enter

Wait until the scan is complete.

Follow the instructions on the screen.

 

To close the program, press any key.

If a restart is required, do it immediately.

 

Please post the AntiZeroAccess log in your reply.

 

~~~~

TDSSKiller

Save to the Desktop

 

To run:

XP users: Double-click tdsskiller.exe to start the program

Press: Start Scan

 

If Malicious objects are found, ensure Cure is selected (it should be, by default)

Click Continue then click: Reboot now

 

When the tool is done, a log is produced at the root drive which is normally C:\

For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt

 

Please post the TDSSKiller log in your reply.

 

 

Good luck, Hizzle G!!

 

(Sorry for the delay. Had the instructions ready, and the computer decided to lock up. Lost them before saving!)

Edited by Aaflac

Start the computer in: Safe Mode with Command Prompt

 

At the prompt, copy/paste each of the following commands in the box below, one at a time, pressing 'Enter' after each:

 

cd "%userprofile%\desktop"
cacls addie.com /e /g everyone:f
addie.com

If it runs, stay in Safe Mode with Command Prompt, and do the same thing for AntiZeroAccess:

 

cd "%userprofile%\desktop"
cacls antizeroaccess.exe /e /g everyone:f
antizeroaccess.exe

...and for TDSSKiller:

 

cd "%userprofile%\desktop"
cacls tdsskiller.exe /e /g everyone:f
tdsskiller.exe

On the above, if ADS Spy (addie.com) refuses to run, press on and try AntiZeroAccess or TDSSKiller.

 

If still no go...

 

Go here or here and download Win32kDiag.exe

 

Save to the C:\ drive <<Important!

 

Go to Start > Run, type in: cmd.exe

At the prompt copy/paste the following, pressing Enter after each:

 

cd\

win32kdiag -r -f

When the scan completes, press any key to finish.

 

A log should be located on the Desktop.

 

 

Please post the Win32kDiag.txt log in your reply.


Hizzle G,

 

Please disregard Posts #21 and #22!!

 

Let's see if we have better luck with a diagnostic tool that does not attempt to remove any malware:

 

Please download DDS:

http://www.bleepingcomputer.com/download/anti-virus/dds

 

Click on the ‘Download Now’ button

 

Save DDS.scr to the Desktop

 

Windows XP users - Double-click on the DDS icon to start the tool.

 

When done, DDS opens two logs:

DDS.txt, and Attach.txt

 

Save both reports to the Desktop.

 

Please post both reports in your reply.

 

 

 

Also, do you have a Windows XP CD?

Edited by Aaflac

This topic is now closed to further replies.