I have a virus running called 807356193:3736658127.exe - how to get rid of it?

I'm currently running Windows XP on this system.
If I boot in Safe mode without networking, I don't see the process in task manager.  If I boot any other way, I see this process which I believe to be a virus.
I don't find any information about this and I don't know how to get rid of it.
It creates 2 entries in the registry but even if I delete these entries, they come back at the next reboot.
I scanned the system with Norton Security Suite without success.
I would appreciate any ideas on how to get rid of this virus.

Hi MarioTre,
I did an in-depth analysis of this rootkit and I did find a few things that are not publicly posted about this.

Rootkit.ZeroAccess.C does the following(That I observed personally):
- Creates a new sector in \GLOBAL??\IDE\CDROM as a DosDevice Symlink and creates a backwards RC4 encrypted directory.
- Drops 2 kernel files into the system32 directory.
- Creates an encrypted backup of the registry in system32/config (16 KB worth).
- Second rootkit file monitors for scanning over fake IDE\Device\Svchost.exe\Svchost.exe\* and kills security software including bootdisks trying to reach lower than an ACPI level. Then executes a file named (8s56gdfg.exe) <- always randomly named [Win32/Xooba.A]; this file is the one killing all scanners that pass its tripwire.
- New location looks like this: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 <- Win32/Sirefef.C
unencrypted it looks like this: \GLOBAL??\\\max++.x86.dll and injected into 4 processes.
- Registry data added:
file:C:\WINDOWS\system32\drivers\afd.sys [Dropper.ZeroAcccess.Sirefef.B] <-- This is a randomly patched driver with the rootkit injected into it.

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
Type:      REG_MULTI_SZ
Length:      42
Data:      autocheck autochk *

HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Kmode
Type:      REG_EXPAND_SZ
Length:      66
Data:      %SystemRoot%\system32\win32k.sys

TCPIP Stack is Corrupted/Destroyed

wscui.cpl <-- Security Center that allows you to access firewall settings, AntiVirus, etc (XP/Vista/W7)
Firewall.cpl  <- This is missing too after full infection.

[Other findings Omitted for security reasons]

You cannot reformat the drive and expect to have a cured system upon entering a newly built Windows Operating system. (Including X64 Systems)
Rootkit Attaches and monitors \Device\Cdrom. I actually watched it replace a WinXP CD(Clean!!) Driver copied to the C: Drive and replaced as soon as it was placed there.
The best Antivirus to protect against and detect this in my tests was Microsoft Security Essentials. For some reason I could update and patch the system before the TCPIP stack was corrupted; all browser traffic was blocked then as well.
Tools good for finding traces of this rootkit are:
TDSSKiller, GMER, Rootkit Unhooker, and AntiZeroAccess. (Btw, Combofix died horribly in the test and got deleted by the rootkit itself!)

I did not successfully try using a bootable USB drive to disinfect the system (technical problems), but you can effectively try this first yourself with Microsoft StandAlone System Sweeper. It is self explanatory and easy to use. You will need to change your boot startup to recognize your USB stick as a bootable device by entering its lineup before the main hard drive. Order should look like this: DVD->USB->Main hard drive->Network. Here is a good article you can read about doing so: Change boot order. DVD/CD failed horribly using this method, so tell me if that works for you.

As of now I cannot find a direct solution to remove this rootkit completely and repair the TCPIP stack. The only fix I have come up with is to download Microsoft Security Essentials and an up-to-date definition file (x86) or (x64) depending on your system and place them on a 2GB USB stick, have an internet connection, and your Windows Installation Disk. Once you have all of these items you can do as follows.

Format and reinstall the Windows Operating System with a legal Windows Install Disk.

Once installation is complete and the startup has finished its runs, insert your USB stick with Microsoft Security Essentials and definitions.

Click on the setup for MSSE; after a quick install, click on the definition file you downloaded. You can install the definitions while you are doing the quick scan. Make sure you install all security updates when requested by Windows Update. (You will be required to reboot a few times more during the process.)

If you're at this point and have done all of the above you should not have any infections being stopped by MSSE and should also be protected against future ZeroAccess attempts. Be very careful where you surf these days. Cracking sites, porn, fake pharmaceutical sites, catchy news article names, are usually drive-by download points for getting this nasty malware. So be very very careful! I will continue to gather more information and help Tigzy develop his tool. I wish I could add more to help out, but this is the best I can publicly add for the moment.
Some things to try.

Download and run Microsoft's "autoruns.exe" tool and look for rogue startup programs:


Check the list of Services for one that doesn't belong.  As I recall, there was one that sounded "official" but wasn't.

Look for an EXE file in your c:\WINDOWS folder that was recently modified, around the time you think you may have become infected.  If you think you found one, do some research before disabling it.
I have had great results with Kaspersky's offline malware removal tool. Using a different computer, download the tool to a USB key or CD and then run on the infected computer in any mode, preferably not safe mode, but the tool will direct you no matter what.

"Safe Mode" is not recommended for almost all variants of malware, simply because the rogue processes are NOT running during a "Safe Mode" boot. It is also very common for them to generate random names for files/folders/processes to stop us from targeting our clean up efforts based on any known names for the bad stuff.

There are very precise steps you need to take and programs that you need to run - in sequence - to properly clean up your system.

It is no longer sufficient for us to simply run tools/scanners such as Malwarebytes or an AV program.

Many current malware variants require that we use one of the 'rogue process stoppers' prior to doing the scans. Starting with "RogueKiller", followed immediately  with a scan by a fresh download of "Malwarebytes" is a good starting point.

Here are some EE Articles with the details:
Basic Malware Troubleshooting
When I dealt with this virus, I found a zero-length .EXE file in c:\WINDOWS folder that was part of it.  I deleted that empty .exe file and that disabled the virus.

Look for (and delete or rename) a zero-length .EXE file in your c:\WINDOWS folder.

Normally, there should not be any zero-length .EXE files in that folder.
Download and run ComboFix:
Kill your monitoring programs (Antivirus/Antispyware...). They could interfere with ComboFix. Last I checked, it won't run with AVG installed...
ComboFix tutorial:

After this is done THEN run your Antivirus and Malware programs again...
Are scanners able to run in normal mode?

Run the suggested ComboFix(if MalwareBytes isn't removing it) and show us the log.
This looks like the new infection that has ADS which can keep on returning.
If ComboFix won't run(even if renamed to svchost.exe), run TDSSKiller first then run ComboFix.
This could be the new ZA rootkit which is hard to remove.

TDSSKiller:(try renaming the file if it doesn't run on first go)
MarioTreAuthor Commented:
Boy, that virus is nasty.
I tried, or am in the process of trying using Safe Mode right now, all suggestions.  So far, no luck.  That virus is intercepting all attempts to install any anti-virus that I'm trying to install.  Looks like the only way I can do something is in Safe Mode.
I purged all zero-files, purged or renamed all recent files in C:\Windows and sub-folders.

Trying the suggested anti-viruses and malware in safe mode right now.
Already tried malwarebytes and it didn't fix it.  But of course since I'm running in safe mode without networking, malwarebytes was not able to update its database.

Try running ComboFix in safe mode.
If no joy you can try HitmanPro(they claim to be able to remove this) but then so are other tools that don't work all the time.
If no joy, my suggestion would be to reformat, but some variant of this rootkit can also survive a reformat.

If combofix can't handle it, you can try manual removal (seldom works) by deleting the bad ADS process.
Your aim in removing this rootkit is to delete the ADS process; doing it via RC is better. You also need to run a diagnostic tool like Gmer to know the hidden folder so you can rmdir it in RC, then you need to move quickly and remove the patched driver before the rootkit respawns (CF should be able to take care of it).
But then you may still have problems with permissions.
MarioTreAuthor Commented:
Thanks guys.  Combofix got rid of it.  But now I can't access the internet with any browser (I tried IE8 and FF6).
My ipconfig is fine and I can ping IPs on the internet, my dns is fine too.
Looks like it could be a firewall issue but my firewall software (NIS) is not running right now.  In fact, it cannot run and gives me an error (Error: 8504,101) but I suspect it's because it cannot access the internet.
I tried to stop any processes that I think I can kill but no dice.

Use RogueKiller that I suggested up in http:#a36579309

The Menu Options of 3-6 might resolve this for you.
Be sure to post the logs that are generated so that we can review them.
MarioTreAuthor Commented:
I ran RogueKiller and it didn't help.
Here are the report files.

You have a ZAccess rootkit. The file xxxxxxx:yyyyy.exe is its ADS.
Combofix should fix it ... If not, RogueKiller isn't able to handle this.

Could Combofix or TDSSKiller run?
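The "xxxxxxx:yyyyy.exe" name above is an NTFS alternate data stream reference (host file, colon, stream name), and an earlier post notes that zero-length .EXE files in C:\WINDOWS are another sign of this infection. The following Python script is an added example, not a tool from this thread: it flags ADS-shaped image names from a process list and scans a folder for zero-length .exe files. The folder and file names it builds are constructed for the demo.

```python
"""Triage helpers for two indicators discussed in this thread:
an ADS-style process name (host:stream.exe) and zero-length .exe files
in the Windows folder. Added example, not a tool from the thread."""
import os
import re
import tempfile

# A process image name with a colon after the host name is an NTFS
# alternate data stream reference, e.g. "807356193:3736658127.exe".
# Drive letters ("C:\...") are excluded because the stream part would
# contain a path separator.
ADS_NAME = re.compile(r"^(?P<host>[^:\\/]+):(?P<stream>[^:\\/]+)$")


def parse_ads_name(image_name):
    """Return (host_file, stream_name) if the image name refers to an ADS,
    otherwise None. Ordinary names such as "svchost.exe" return None."""
    m = ADS_NAME.match(image_name)
    if not m:
        return None
    return m.group("host"), m.group("stream")


def flag_ads_processes(image_names):
    """Return the subset of process image names that are ADS references."""
    return [n for n in image_names if parse_ads_name(n) is not None]


def find_zero_length_exes(folder):
    """Return relative paths of zero-length *.exe files under folder.
    A legitimate Windows folder should not contain any."""
    hits = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(root, name)
                if os.path.getsize(path) == 0:
                    hits.append(os.path.relpath(path, folder))
    return sorted(hits)


def build_sample_windows_folder():
    """Constructed stand-in for C:\\WINDOWS so the scan runs offline."""
    folder = tempfile.mkdtemp(prefix="fake_windows_")
    os.makedirs(os.path.join(folder, "system32"))
    with open(os.path.join(folder, "explorer.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)      # non-empty, benign stand-in
    with open(os.path.join(folder, "svc_upd.exe"), "wb"):
        pass                                # constructed zero-length .exe
    with open(os.path.join(folder, "system32", "notepad.exe"), "wb") as f:
        f.write(b"MZ")
    return folder


if __name__ == "__main__":
    # Constructed task-manager style listing; only one entry is ADS-shaped.
    procs = ["svchost.exe", "807356193:3736658127.exe", "System Idle Process"]
    for n in flag_ads_processes(procs):
        host, stream = parse_ads_name(n)
        print(f"ADS-style process: host={host!r} stream={stream!r}")
    print("zero-length .exe files:", find_zero_length_exes(build_sample_windows_folder()))
```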
don't be afraid to run combofix a second time....i've seen it catch more a second time through.
MarioTreAuthor Commented:
ran it 4 times, no luck.
Haven't tried TDSSKiller yet.
Yeah this is the ZA rootkit that's hard to remove.

Can we look at the combofix log and see if it deleted the bad hidden folder --> C:\WINDOWS\$NtUninstallKBxxxxx$

Is the bad ADS process still present? that needs to go. If it's still present then maybe use Recovery console to delete it along with the other folder if it's still present.

MarioTreAuthor Commented:
That's the strange part.  I think the ZA rootkit isn't there anymore.  I dont have that xxxxxxx:yyyyy.exe running anymore.  I don't have any more C:\WINDOWS\$NtUninstallKBxxxxx$ either.

As I said earlier, my problem right now is that:
Now I can't access the internet with any browser (I tried IE8 and FF6).
My ipconfig looks fine and I can ping IPs on the internet, my dns is fine too.

Even more strange,  If I boot in safe mode with networking, I can access the internet.  When I do that, the only processes running are:
svhosts.exe - (DCOM SRV Proc - dcomlaunch)
svhosts.exe - (RPC proc)
System Idle Process

If I use msconfig and make sure only these same processes are running and boot the system normally, I can see in task manager that only these same processes are running but for some reason, I can't access the internet with any browser.  Which means Windows Update doesn't work either.  If I try to run Norton Internet Services, it won't work.  I also use TeamViewer but that one doesn't work either (when the service is started of course, not during this test with minimum processes).

Check whether there is a proxy enabled in the browser LAN settings and if so, get rid of it.
The ZAccess is a rootkit taking place in the TCP/IP driver stack.
If you can't access the internet, it must still be there. In this infection there are 3 important parts:

* The ADS (xxxx:yyyy.exe) , this is the Kill-AV part --> you said it's down
* The rootkit driver (random_name.sys) --> probably down
* The patched legit file (we_dont_know.sys) --> This is the one not being fixed I guess

You ran 4 times combofix, but I still can't see any report....
We can't do anything without that
That is only one version of the ADS hidden stream. Analysis of the rootkit shows it has 2 kernel level rootkit drivers and creates a backup ADS stream on the Win32k.Sys driver 2 times. It effectively also creates a startup routine in the HKLM\SOFTWARE\CurrentControlSet0002\xx\xxx { winlogon.exe or svchost.exe } configuration, and the ring 3 executable is placed in %systemroot%\Config\<md5hash currenttimestamp = filename>.exe + ad-clicker.
It also creates a fake process that simulates svchost.exe and effectively kills anything that scans it by hooking through APC and sending an ExitProcess command to the scanning program, closing it. Then, for an effective extra counter-measure, it changes both process and file ACL permissions, restricting file operations and disabling the firewall and antivirus. Newer variants are stored in the uninstall volume directory label context known as $NTUninstallKBxxxx$. The system volume itself is also infected as it stores 4 files for backup: 4 randomly named files, 2 ring0 dll files, one ring3 driver loader, and its configuration file.

Just thought I'd give you some detailed info about it.

@Mariotre, As for finding the rest of the files, you will need to find the ADS streams left behind, as from the sounds of your findings you only deleted the ring3 loader. You still need to find the streams that store the actual ring0 rootkit driver and delete the stream, effectively deleting the rootkit driver. Gmer has the ability to search for ADS streams, I do warn you though: if the rootkit is still running and it detects the ADS scan it will kill gmer too. This rootkit is very tightly intertwined in the OS and is very difficult to remove without causing damage to the operating system itself. Prevx and one other source have a working removal tool to remove this threat.

You can download the tool straight from prevx who owns webroot.
"I dont have that xxxxxxx:yyyyy.exe running anymore.  I don't have any more C:\WINDOWS\$NtUninstallKBxxxxx$ either."

If the main ZA rootkit files are gone, then chances are "antizeroaccess.exe" won't detect ZA rootkit in the system.
As tigsy said, combofix report would help us decide what to do next.
If he is still having trouble accessing the Internet it can be a lot of things. Combofix does not fix the ACLs for the files. He still had a file system filter running and from the logs he posted it is not removed completely as it is still denying programs to run properly. Have you even suggested a fix for the ACL properties? That is why I suggested he use this tool. It fixes the ACL restrictions. The code for this rootkit is almost identical to TDL3 when decompiled. It uses the same RC4 encryption to hide its hidden volume.
As far as I know antizeroaccess.exe does not fix ACL restrictions but I could be wrong.

Try and follow Russell's advice and see if antizeroaccess does fix the ACL restriction.

@ Russell Ven...

We need to show respect when communicating to every participating member here at EE.
And please show some respect when you are communicating with Tigzy, he sure earned all the respect he deserves.
"That is why I suggested he use this tool. It fixes the ACL restrictions."

As far as my info goes(below link), you have the wrong info that antizeroaccess.exe fixes ACL permissions.
Maybe it would help if you make sure your facts are right before giving misleading advice here at EE. Or maybe you know more than the author of that article.


"The free tool removes the rootkit but does not restore the Access Control Lists (ACLs) that have been modified by the rootkit."
MarioTreAuthor Commented:
Thanks to all of you guys to help me out with this problem.  Sorry, that I forgot to include the combofix report.
I do have a report from yesterday afternoon but I don't remember if it's from the last run I did.
I'm running combofix right now and trying to get a fresh report (getting errors at some point that PEV.exe is aborting [twice]).  The system is more and more unstable.  I could not boot in Safe Mode with Networking or Safe Mode.  It even took me 2 attempts to boot in Safe Mode to Command Prompt.
I'm getting a lot of invalid/bad memory address errors, services.exe is terminating, once I was able to boot in Safe Mode with Networking and couldn't run file explorer.
Anyway, I have right now a new combofix report which I'm attaching here with the one from yesterday.
Hope this helps.  The system may be too far gone and I may have to re-install.  If I have to do it, I was wondering if any of you have used this product www.reimage.com and if it could be worth trying instead of re-imaging.

MarioTreAuthor Commented:
I was able to boot normally now.  So I did run combofix in normal mode to see if it would make a difference in the report.
Here's the new report.
...and sending a ExitProcess command to the scanning program closing it ...
Thanks for the info, I may be able to avoid this with one of my tools (ProtectMyTool), but I need to do some tests before. If it works, it will help to launch removal tools without being killed.


Anyway, CF did not find anything.
Could you re-run TDSSKiller from a fresh copy (yours might be ACL-locked)?
MarioTreAuthor Commented:
I downloaded TDSSKiller yesterday from the Kaspersky site.  It should be the latest copy.
Not working?
The only way to find out if Combofix had deleted the hidden folder created by the rootkit and other files is to look at its quarantine folder. Those CF logs don't show any deletions but the first CF run could've deleted some files.

There might be other nasties present in the system or it could just be the ACL restrictions that is causing this.
If the ZA rootkit is still active then no tools will be able to run unless it's in safe mode. Since Combofix is able to run in normal mode I assume the ZA tripwire running process is not active or no longer present.

When combofix successfully completed its run it should've been able to delete the folder/files unless it already did in its first run, hence I suggested looking at its quarantine folder.
Running Gmer would also show the hidden service and folder if still present.
MarioTreAuthor Commented:
Yes Tigzy, it worked, it ran but didn't detect anything.
Reports:  Processed: 210 objects,  Infection: Not found
Attached the log report from this run.

And yes, rpggamergirl, combofix was able to run in normal mode.
I have attached the files that I think you need to be able to see what was quarantined.
I didn't mean to sound critical or harsh. Just thought you would want to know the information as it is important. When the rootkit was run in one of the honeynets setup it showed defensive mechanisms for not just security scanning but also removal.  
@Russell: I do not feel attacked :)
That's good to know! Obviously a few others do as they have messaged me. You publish your tools and so other people like them know you for it. I on the other hand do not, and I do respect your work and just thought, since this rootkit had a defense mechanism, you could use it to create a counter in return by filtering for that info, and why not help arm another malware fighter with pinpoint accurate information. So much respect is given and thanks for coming to EE to help out. That was a good move and you are definitely welcome here.
MarioTreAuthor Commented:
Hi Tigzy and rpggamergirl.

Did the last combofix files help to determine what I should do to fix my problem?