Solved

I have a virus running called 807356193:3736658127.exe - how to get rid of it?

Posted on 2011-09-21
Last Modified: 2013-11-22
I'm currently running Windows XP on this system.
I have a virus running called 807356193:3736658127.exe - how to get rid of it?
If I boot in Safe mode without networking, I don't see the process in task manager.  If I boot any other way, I see this process which I believe to be a virus.
I don't find any information about this and I don't know how to get rid of it.
It creates 2 entries in the registry but even if I delete these entries, they come back at the next reboot.
I scanned the system with Norton Security Suite without success.
I would appreciate any ideas on how to get rid of this virus.

Regards,
Mario.
Question by:MarioTre

Expert Comment by:sjklein42 (ID: 36578348)
Some things to try.

Download and run Microsoft's "autoruns.exe" tool and look for rogue startup programs:

http://technet.microsoft.com/en-us/sysinternals/bb963902

Check the list of Services for one that doesn't belong.  As I recall, there was one that sounded "official" but wasn't.

Look for an EXE file in your c:\WINDOWS folder that was recently modified, around the time you think you may have become infected.  If you think you found one, do some research before disabling it.

Expert Comment by:bluemeln (ID: 36579110)
I have had great results with Kaspersky's offline malware removal tool. Using a different computer, download the tool to a USB key or CD and then run on the infected computer in any mode, preferably not safe mode, but the tool will direct you no matter what.
http://support.kaspersky.com/viruses/utility

Expert Comment by:younghv (ID: 36579309)
"Safe Mode" is not recommended for almost all variants of malware, simply because the rogue processes are NOT running during a "Safe Mode" boot. It is also very common for them to generate random names for files/folders/processes to stop us from targeting our clean up efforts based on any known names for the bad stuff.

There are very precise steps you need to take and programs that you need to run - in sequence - to properly clean up your system.

It is no longer sufficient for us to simply run tools/scanners such as Malwarebytes or an AV program.

Many current malware variants require that we use one of the 'rogue process stoppers' prior to doing the scans. Starting with "RogueKiller", followed immediately with a scan by a fresh download of "Malwarebytes", is a good starting point.

Here are some EE Articles with the details:
Rogue-Killer-What-a-great-name
Basic Malware Troubleshooting
Stop-the-Bleeding-First-Aid-for-Malware

Expert Comment by:sjklein42 (ID: 36579314)
When I dealt with this virus, I found a zero-length .EXE file in c:\WINDOWS folder that was part of it.  I deleted that empty .exe file and that disabled the virus.

Look for (and delete or rename) a zero-length .EXE file in your c:\WINDOWS folder.

Normally, there should not be any zero-length .EXE files in that folder.
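The two checks sjklein42 describes (zero-length .EXE files, and executables modified around the time of infection, in C:\WINDOWS) as an added triage script; it is not code from the thread. It assumes Python 3 and a folder path you pass in; the sample folder it builds is constructed data, and looking at .dll/.sys as well as .exe is an assumption beyond the reply.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path
from typing import Iterable, List

# File types to examine. The reply only names .exe; .dll and .sys are an
# assumption added here because later replies mention a patched .sys driver.
SUSPECT_SUFFIXES = {".exe", ".dll", ".sys"}

# Constructed timestamp for the sample data below (not from the thread).
SAMPLE_INFECTION_TIME = datetime(2011, 9, 20, 15, 0)


@dataclass
class Finding:
    name: str
    path: str
    size: int
    mtime: datetime
    reason: str


def triage_folder(folder: str, suspected_infection: datetime,
                  window: timedelta = timedelta(hours=24),
                  recurse: bool = False) -> List[Finding]:
    """Report executables that are zero-length or were modified within
    `window` of the suspected infection time. Reports only; deletes nothing,
    so the operator can research each hit before disabling it."""
    root = Path(folder)
    entries: Iterable[Path] = root.rglob("*") if recurse else root.iterdir()
    findings: List[Finding] = []
    for p in entries:
        if not p.is_file() or p.suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        st = p.stat()
        mtime = datetime.fromtimestamp(st.st_mtime)
        if st.st_size == 0:
            reason = "zero-length executable"
        elif abs(mtime - suspected_infection) <= window:
            reason = f"modified within {window} of suspected infection"
        else:
            continue
        findings.append(Finding(p.name, str(p), st.st_size, mtime, reason))
    # Newest first, so a recent drop shows at the top of the list.
    findings.sort(key=lambda f: f.mtime, reverse=True)
    return findings


def build_sample_folder() -> str:
    """Create a constructed stand-in for C:\\WINDOWS in a temp directory:
    two old legitimate-looking binaries, one zero-length .exe, one .exe
    dropped two hours after the suspected infection, and a text file that
    must be ignored. Returns the folder path."""
    base = Path(tempfile.mkdtemp(prefix="triage_sample_"))
    old = SAMPLE_INFECTION_TIME - timedelta(days=400)
    samples = {
        "notepad.exe": (b"MZ" + b"\0" * 100, old),
        "mfc42.dll": (b"MZ" + b"\0" * 50, old),
        "zzz.exe": (b"", old),  # zero length: should be flagged
        "abc123.exe": (b"MZ" + b"\0" * 10, SAMPLE_INFECTION_TIME + timedelta(hours=2)),
        "readme.txt": (b"notes", SAMPLE_INFECTION_TIME + timedelta(hours=1)),
    }
    for name, (content, when) in samples.items():
        f = base / name
        f.write_bytes(content)
        os.utime(f, (when.timestamp(), when.timestamp()))  # backdate mtime
    return str(base)


if __name__ == "__main__":
    for hit in triage_folder(build_sample_folder(), SAMPLE_INFECTION_TIME):
        print(f"{hit.mtime:%Y-%m-%d %H:%M}  {hit.size:>8}  {hit.name}: {hit.reason}")
```

On a real system call `triage_folder(r"C:\WINDOWS", <time>, recurse=True)` to include sub-folders, and research each hit before renaming or deleting anything.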

Expert Comment by:jsdray (ID: 36579616)
Download and run ComboFix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Kill your monitoring programs (Antivirus/Antispyware...). They could interfere with ComboFix. Last I checked, it won't run with AVG installed...
ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After this is done THEN run your Antivirus and Malware programs again...

Expert Comment by:rpggamergirl (ID: 36579790)
Are scanners able to run in normal mode?

Run the suggested ComboFix (if MalwareBytes isn't removing it) and show us the log.
This looks like the new infection that has ADS which can keep on returning.

Expert Comment by:rpggamergirl (ID: 36579823)
If ComboFix won't run (even if renamed to svchost.exe), run TDSSKiller first, then run ComboFix.
This could be the new ZA rootkit which is hard to remove.

TDSSKiller: (try renaming the file if it doesn't run on the first go)
http://support.kaspersky.com/viruses/solutions?qid=208280684

Author Comment by:MarioTre (ID: 36580016)
Boy, that virus is nasty.
I tried, or am in the process of trying in Safe Mode right now, all suggestions.  So far, no luck.  That virus is intercepting all attempts to install any anti-virus that I'm trying to install.  Looks like the only way I can do something is in Safe Mode.
I purged all zero-files, purged or renamed all recent files in C:\Windows and sub-folders.

Trying the suggested anti-viruses and malware in safe mode right now.
Already tried Malwarebytes and it didn't fix it.  But of course, since I'm running in Safe Mode without networking, Malwarebytes was not able to update its database.

Mario.

Expert Comment by:rpggamergirl (ID: 36580363)
Try running ComboFix in safe mode.
If no joy, you can try HitmanPro (they claim to be able to remove this), but then so do other tools that don't work all the time.
If no joy, my suggestion would be to reformat, but some variants of this rootkit can also survive a reformat.

If ComboFix can't handle it, you can try manual removal (seldom works) by deleting the bad ADS process.
Your aim in removing this rootkit is to delete the ADS process; doing it via RC is better. You also need to run a diagnostic tool like Gmer to find the hidden folder so you can rmdir it in RC, then you need to move quickly and remove the patched driver before the rootkit respawns (CF should be able to take care of it).
But then you may still have problems with permissions.

Author Comment by:MarioTre (ID: 36581375)
Thanks guys.  Combofix got rid of it.  But now I can't access the internet with any browser (I tried IE8 and FF6).
My ipconfig is fine and I can ping IPs on the internet, my dns is fine too.
Looks like it could be a firewall issue but my firewall software (NIS) is not running right now.  In fact, it cannot run and gives me an error (Error: 8504,101) but I suspect it's because it cannot access the internet.
I tried to stop any processes that I think I can kill but no dice.

Mario.

Expert Comment by:younghv (ID: 36581597)
Use RogueKiller that I suggested up in http:#a36579309

The Menu Options of 3-6 might resolve this for you.
Be sure to post the logs that are generated so that we can review them.

Author Comment by:MarioTre (ID: 36582066)
I ran RogueKiller and it didn't help.
Here are the report files.
RKreport-1-.txt
RKreport-2-.txt
RKreport-3-.txt
RKreport-4-.txt
RKreport-5-.txt

Expert Comment by:Tigzy (ID: 36582170)
Hello

You have a ZAccess rootkit. The file xxxxxxx:yyyyy.exe is its ADS.
Combofix should fix it ... If not, RogueKiller isn't able to handle this.

Could ComboFix or TDSSKiller run?

Expert Comment by:jsdray (ID: 36582835)
Don't be afraid to run ComboFix a second time... I've seen it catch more the second time through.

Author Comment by:MarioTre (ID: 36584331)
Ran it 4 times, no luck.
Haven't tried TDSSKiller yet.

Expert Comment by:rpggamergirl (ID: 36584446)
Yeah this is the ZA rootkit that's hard to remove.

Can we look at the combofix log and see if it deleted the bad hidden folder --> C:\WINDOWS\$NtUninstallKBxxxxx$

Is the bad ADS process still present? That needs to go. If it's still present then maybe use the Recovery Console to delete it, along with the other folder if it's still present.


Author Comment by:MarioTre (ID: 36584825)
That's the strange part.  I think the ZA rootkit isn't there anymore.  I don't have that xxxxxxx:yyyyy.exe running anymore.  I don't have any more C:\WINDOWS\$NtUninstallKBxxxxx$ either.

As I said earlier, my problem right now is that:
Now I can't access the internet with any browser (I tried IE8 and FF6).
My ipconfig looks fine and I can ping IPs on the internet, my dns is fine too.

Even more strange, if I boot in Safe Mode with Networking, I can access the internet.  When I do that, the only processes running are:
csrss.exe
ctfmon.exe
explorer.exe
interrupts
lsass.exe
services.exe
smss.exe
svchost.exe - (DCOM SRV Proc - dcomlaunch)
svchost.exe - (RPC proc)
System
System Idle Process
winlogon.exe

If I use msconfig to make sure only these same processes are running and boot the system normally, I can see in Task Manager that only these same processes are running, but for some reason I can't access the internet with any browser.  Which means Windows Update doesn't work either.  If I try to run Norton Internet Services, it won't work.  I also use TeamViewer but that one doesn't work either (when the service is started of course, not during this test with minimum processes).

Mario.

Expert Comment by:sjklein42 (ID: 36585067)
Check whether there is a proxy enabled in the browser LAN settings and if so, get rid of it.

Expert Comment by:Tigzy (ID: 36585124)
ZAccess is a rootkit that takes its place in the TCP/IP driver stack.
If you can't access the internet, it must still be there. In this infection there are 3 important parts:

* The ADS (xxxx:yyyy.exe), this is the Kill-AV part --> you said it's down
* The rootkit driver (random_name.sys) --> probably down
* The patched legit file (we_dont_know.sys) --> This is the one not being fixed, I guess

You ran ComboFix 4 times, but I still can't see any report....
We can't do anything without that.

Expert Comment by:Russell_Venable (ID: 36585349)
@Tigzy,
That is only one version of the ADS hidden stream. Analysis of the rootkit shows it has 2 kernel-level rootkit drivers and creates a backup ADS stream on the Win32k.sys driver 2 times. It also effectively creates a startup routine in the HKLM\SOFTWARE\CurrentControlSet0002\xx\xxx { winlogon.exe or svchost.exe } configuration, and the ring 3 executable is placed in %systemroot%\Config\<md5hash currenttimestamp = filename>.exe + ad-clicker.
It also creates a fake process that simulates svchost.exe and effectively kills anything that scans it by hooking through APC and sending an ExitProcess command to the scanning program, closing it; then, as an effective extra counter-measure, it changes both process and file ACL permissions, restricting file operations and disabling firewall and antivirus. Newer variants are stored in the uninstall volume directory label context known as $NTUninstallKBxxxx$; the system volume itself is also infected, as it stores 4 files for backup: 4 randomly named files, 2 ring0 dll files, one ring3 driver loader, and its configuration file.

Just thought I'd give you some detailed info about it.

@MarioTre, as for finding the rest of the files, you will need to find the ADS streams left behind, as from the sound of your findings you only deleted the ring3 loader. You still need to find the streams that store the actual ring0 rootkit driver and delete the stream, effectively deleting the rootkit driver. Gmer has the ability to search for ADS streams; I do warn you though, if the rootkit is still running and it detects the ADS scan, it will kill Gmer too. This rootkit is very tightly intertwined in the OS and is very difficult to remove without causing damage to the operating system itself. Prevx and one other source have a working removal tool to remove this threat.

You can download the tool straight from prevx who owns webroot.
http://anywhere.webrootcloudav.com/antizeroaccess.exe

Expert Comment by:rpggamergirl (ID: 36585409)
"I dont have that xxxxxxx:yyyyy.exe running anymore.  I don't have any more C:\WINDOWS\$NtUninstallKBxxxxx$ either."

If the main ZA rootkit files are gone, then chances are "antizeroaccess.exe" won't detect ZA rootkit in the system.
As Tigzy said, the ComboFix report would help us decide what to do next.

Expert Comment by:Russell_Venable (ID: 36585455)
If he is still having trouble accessing the Internet it can be a lot of things. Combofix does not fix the ACLs for the files. He still had a file system filter running and from the logs he posted it is not removed completely, as it is still denying programs the ability to run properly. Have you even suggested a fix for the ACL properties? That is why I suggested he use this tool. It fixes the ACL restrictions. The code for this rootkit is almost identical to TDL3 when decompiled. It uses the same RC4 encryption to hide its hidden volume.

Expert Comment by:rpggamergirl (ID: 36585678)
As far as I know antizeroaccess.exe does not fix ACL restrictions but I could be wrong.

MarioTre,
Try and follow Russell's advice and see if antizeroaccess does fix the ACL restriction.

@ Russell Ven...

We need to show respect when communicating with every participating member here at EE.
And please show some respect when you are communicating with Tigzy; he sure has earned all the respect he deserves.

Expert Comment by:rpggamergirl (ID: 36585805)
"That is why I suggested he use this tool. It fixes the ACL restrictions."

As far as my info goes (below link), you have the wrong info that antizeroaccess.exe fixes ACL permissions.
Maybe it would help if you make sure your facts are right before giving misleading advice here at EE. Or maybe you know more than the author of that article.

http://blog.webroot.com/2011/08/03/new-tool-released-kiss-or-kick-zeroaccess-goodbye/
http://anywhere.webrootcloudav.com/antizeroaccess.exe

"The free tool removes the rootkit but does not restore the Access Control Lists (ACLs) that have been modified by the rootkit."

Author Comment by:MarioTre (ID: 36586279)
Thanks to all of you guys for helping me out with this problem.  Sorry that I forgot to include the ComboFix report.
I do have a report from yesterday afternoon but I don't remember if it's from the last run I did.
I'm running ComboFix right now and trying to get a fresh report (getting errors at some point that PEV.exe is aborting [twice]).  The system is more and more unstable.  I could not boot in Safe Mode with Networking or Safe Mode.  It even took me 2 attempts to boot in Safe Mode with Command Prompt.
I'm getting a lot of invalid/bad memory address errors, services.exe is terminating, and once I was able to boot in Safe Mode with Networking and couldn't run File Explorer.
Anyway, I have right now a new ComboFix report which I'm attaching here with the one from yesterday.
Hope this helps.  The system may be too far gone and I may have to re-install.  If I have to do it, I was wondering if any of you have used this product www.reimage.com and if it could be worth trying instead of re-imaging.

ComboFix-1.txt
ComboFix-2.txt

Author Comment by:MarioTre (ID: 36586350)
I was able to boot normally now.  So I did run combofix in normal mode to see if it would make a difference in the report.
Here's the new report.
ComboFix-3.txt

Expert Comment by:Tigzy (ID: 36586399)
"...and sending a ExitProcess command to the scanning program closing it ..."
Thanks for the info, I may be able to avoid this with one of my tools (ProtectMyTool), but I need to do some tests before. If it works, it will help to launch removal tools without being killed.

---

Anyway, CF did not find anything.
Could you re-run TDSSKiller from a fresh copy (yours might be ACL-locked)?

Author Comment by:MarioTre (ID: 36586521)
I downloaded TDSSKiller yesterday from the Kaspersky site.  It should be the latest copy.

Expert Comment by:Tigzy (ID: 36586568)
Not working?

Expert Comment by:rpggamergirl (ID: 36586592)
The only way to find out if Combofix had deleted the hidden folder created by the rootkit and other files is to look at its quarantine folder. Those CF logs don't show any deletions but the first CF run could've deleted some files.

There might be other nasties present in the system, or it could just be the ACL restrictions that are causing this.
If the ZA rootkit is still active then no tools will be able to run unless it's in safe mode. Since Combofix is able to run in normal mode I assume the ZA tripwire running process is not active or no longer present.

When combofix successfully completed its run it should've been able to delete the folder/files unless it already did in its first run, hence I suggested looking at its quarantine folder.
Running Gmer would also show the hidden service and folder if still present.

Author Comment by:MarioTre (ID: 36586774)
Yes Tigzy, it worked, it ran but didn't detect anything.
Reports:  Processed: 210 objects,  Infection: Not found
Attached the log report from this run.

And yes, rpggamergirl, combofix was able to run in normal mode.
I have attached the files that I think you need to be able to see what was quarantined.
ComboFix-quarantined-files.txt
catchme.log
TDSSKiller.2.5.23.0-23.09.2011-0.txt

Expert Comment by:Russell_Venable (ID: 36587493)
@Tigzy,
I didn't mean to sound critical or harsh. Just thought you would want to know the information as it is important. When the rootkit was run in one of the honeynets set up, it showed defensive mechanisms for not just security scanning but also removal.

Expert Comment by:Tigzy (ID: 36587975)
@Russell: I do not feel attacked :)

Expert Comment by:Russell_Venable (ID: 36588084)
That's good to know! Obviously a few others do, as they have messaged me. You publish your tools and so other people like them know you for it. I on the other hand do not, and I do respect your work and just thought, since this rootkit had a defense mechanism, you could use it to create a counter in return by filtering for that info, and why not help arm another malware fighter with pinpoint accurate information. So much respect is given and thanks for coming to EE to help out. That was a good move and you are definitely welcome here.

Author Comment by:MarioTre (ID: 36601605)
Hi Tigzy and rpggamergirl.

Did the last ComboFix files help to determine what I should do to fix my problem?

Accepted Solution by:Russell_Venable (earned 500 total points, ID: 36928563)
Hi MarioTre,
I did an in-depth analysis of this rootkit and I did find a few things that are not publicly posted about this.

Rootkit.ZeroAccess.C does the following (that I observed personally):
- Creates a new sector in \GLOBAL??\IDE\CDROM as a DosDevice symlink and creates a backwards RC4-encrypted directory.
- Drops 2 kernel files into the system32 directory.
- Creates an encrypted backup of the registry in system32/config (16 KB worth).
- The second rootkit file monitors for scanning over the fake IDE\Device\Svchost.exe\Svchost.exe\* and kills security software, including bootdisks trying to reach lower than the ACPI level. Then it executes a file named (8s56gdfg.exe) <- always randomly named [Win32/Xooba.A]; this file is the one killing all scanners that pass its tripwire.
- New location looks like this: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 <- Win32/Sirefef.C
Unencrypted it looks like this: \GLOBAL??\\74.117.114.86\max++.x86.dll and injected into 4 processes.
- Registry data added:
driver:AFD
file:C:\WINDOWS\system32\drivers\afd.sys [Dropper.ZeroAcccess.Sirefef.B] <-- This is a randomly patched driver with the rootkit injected into it.
regkey:HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD
safeboot:HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD
service:AFD

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
Type:      REG_MULTI_SZ
Length:      42
Data:      autocheck autochk *

HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Kmode
Type:      REG_EXPAND_SZ
Length:      66
Data:      %SystemRoot%\system32\win32k.sys

TCPIP Stack is Corrupted/Destroyed

Deleted:
wscui.cpl <-- Security Center that allows you to access firewall settings, AntiVirus, etc (XP/Vista/W7)
Firewall.cpl  <- This is missing too after full infection.

[Other findings Omitted for security reasons]


Conclusion:
You cannot reformat the drive and expect to have a cured system upon entering a newly built Windows operating system (including x64 systems).
The rootkit attaches to and monitors \Device\Cdrom. I actually watched it replace a WinXP CD (clean!!) driver copied to the C: drive; it was replaced as soon as it was placed there.
The best antivirus to protect against and detect this in my tests was Microsoft Security Essentials; for some reason I could update and patch the system before the TCPIP stack was corrupted and all browser traffic was blocked then as well.
Tools good for finding traces of this rootkit are:
TDSSKiller, GMER, Rootkit Unhooker, and AntiZeroAccess. (Btw, Combofix died horribly in the test and got deleted by the rootkit itself!)

I did not successfully try using a bootable USB drive to disinfect the system (technical problems), but you can effectively try this first yourself with Microsoft Standalone System Sweeper. It is self-explanatory and easy to use. You will need to change your boot startup to recognize your USB stick as a bootable device by entering it in the lineup before the main hard drive. The order should look like this: DVD->USB->Main hard drive->Network. Here is a good article you can read about doing so: Change boot order. DVD/CD failed horribly using this method, so tell me if that works for you.

As of now I cannot find a direct solution to remove this rootkit completely and repair the TCPIP stack. The only fix I have come up with is to download Microsoft Security Essentials and download an up-to-date definition file (x86) or (x64) depending on your system and place them on a 2GB USB stick, have an internet connection, and your Windows installation disk. Once you have all of these items you can do as follows.

1. Format and reinstall the Windows operating system with a legal Windows install disk.

2. Once installation is complete, as soon as the startup ends its runs, insert your USB stick with Microsoft Security Essentials and definitions.

3. Click on the setup for MSSE; after a quick install, click on the definition file you downloaded. You can install the definitions while you are doing the quick scan. Make sure you install all security updates when requested by Windows Update. (You will be required to reboot a few more times during the process.)

If you're at this point and have done all of the above, you should not have any infections being stopped by MSSE and should also be protected against future ZeroAccess attempts. Be very careful where you surf these days. Cracking sites, porn, fake pharmaceutical sites, catchy news article names, are usually drive-by download points for getting this nasty malware. So be very very careful! I will continue to gather more information and help Tigzy develop his tool. I wish I could add more to help out, but this is the best I can publicly add for the moment.

Expert Comment by:younghv (ID: 37087238)
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.