Solved

Maleware, Backdoor.0access, 2662609615:81876045.exe, removal procedure please

Posted on 2011-09-22
4
2,935 Views
Last Modified: 2013-11-22
I have a virus identified by Malewarebytes as Backdoor.0access, running a process 2662609615:81876045.exe.  I have tried ending the process in task manager and using taskkill, but it doesn't stop.  I have run multiple Malewarebytes scans in safe mode and it says I am clean but it comes back when I reboot.  I can't use system restore because I must have turned it off in the past and forgot to turn it back on.  I have searched for the 2662* file in safe mode but I get no results.  I have tried creating a new profile, but it runs there too.
Does anyone know how to get rid of this without reformatting the hard drive?
0
Comment
Question by:sbdt8631
4 Comments
 
LVL 16

Assisted Solution

by:uescomp
uescomp earned 166 total points
ID: 36580915
I would check your startup programs to find its locations, most likely the exe file is sitting in your all users folder.  I would browse around there and check in the application data folder and local folder for it.  If you can't stop it, try renaming it and log out and back in.  

What i normally do is when i go to login i spam ctrl, alt, delete to open task manager right away so it does not get denied because the task was started before the virus.  Find its location in the startup (go to run, type msconfig, startup tab).  Delete the exe.

I then open up the registry, do a search for the virus and remove the keys it created and edit/change the keys it attatched itself too (like .exe extension and iexplore etc.).

Run a cleanup utility which can be found here: http://www.stevengould.org/index.php?option=com_content&task=view&id=15&Itemid=69

Then run malwarebytes, get your updates (if you cannot connect to the internet, check your poxy settings in internet explorer to see if anything is stuck in there.  Could also check your Local Area Connection to see if a bogus static was assigned, also check your host file to see if it has been tampered with).

Other recommendations which i have heard from others are portable super antispyware, hitmanpro, etc.

I remove the virus manually first because that way i know my scans will pick up the garbage a virus leaves behind.  Saves time from sitting and watching all these scans and your not sure if the scan is going to find it anyways.
0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 167 total points
ID: 36581107
This is similar to another question being worked on EE.

Please take a look at the suggestion here:
http://www.experts-exchange.com/Q_27321320.html#a36580363 (and at the other Expert Comments).
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 167 total points
ID: 36585883
That's a ZA(ZeroAccess) rootkit.

Try the antizeroaccess.exe mentioned in that article.
Sometimes it also doesn't detect the ZA rootkit, it also doesn't restore ACL permission.
http://blog.webroot.com/2011/08/03/new-tool-released-kiss-or-kick-zeroaccess-goodbye/

Combofix is also helpful with removing this infection. If combofix won't run, run TDSSKiller first and then combofix and show us the log.

TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip 



Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
LVL 1

Author Closing Comment

by:sbdt8631
ID: 36711230
Thanks
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Admin File Share Access 9 84
Roguekiller has no option of deleting 19 112
Is this virus ? 6 41
Virus that hides folders 6 28
This article summarizes using a simple matrix to map the different type of phishing attempts and its targeted victims. It also run through many scam scheme scenario with "real" phished emails. There are safeguards highlighted to stay vigilance and h…
If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question