Solved

Malware, Backdoor.0access, 2662609615:81876045.exe, removal procedure please

Posted on 2011-09-22
4
2,933 Views
Last Modified: 2013-11-22
I have a virus identified by Malwarebytes as Backdoor.0access, running a process 2662609615:81876045.exe.  I have tried ending the process in Task Manager and using taskkill, but it doesn't stop.  I have run multiple Malwarebytes scans in safe mode and it says I am clean, but it comes back when I reboot.  I can't use System Restore because I must have turned it off in the past and forgot to turn it back on.  I have searched for the 2662* file in safe mode but I get no results.  I have tried creating a new profile, but it runs there too.
Does anyone know how to get rid of this without reformatting the hard drive?
Question by:sbdt8631
4 Comments
 
LVL 16

Assisted Solution

by:uescomp
uescomp earned 166 total points
ID: 36580915
I would check your startup programs to find its location; most likely the exe file is sitting in your All Users folder.  I would browse around there and check in the Application Data folder and Local folder for it.  If you can't stop it, try renaming it and logging out and back in.

What I normally do is, when I go to log in, I spam Ctrl, Alt, Delete to open Task Manager right away so it does not get denied, because the task was started before the virus.  Find its location in the startup (go to Run, type msconfig, Startup tab).  Delete the exe.

I then open up the registry, do a search for the virus and remove the keys it created, and edit/change the keys it attached itself to (like the .exe extension and iexplore etc.).

Run a cleanup utility which can be found here: http://www.stevengould.org/index.php?option=com_content&task=view&id=15&Itemid=69

Then run Malwarebytes and get your updates (if you cannot connect to the internet, check your proxy settings in Internet Explorer to see if anything is stuck in there.  Could also check your Local Area Connection to see if a bogus static address was assigned, and also check your hosts file to see if it has been tampered with).

Other recommendations which I have heard from others are portable SUPERAntiSpyware, HitmanPro, etc.

I remove the virus manually first because that way I know my scans will pick up the garbage a virus leaves behind.  It saves time sitting and watching all these scans when you're not sure if the scan is going to find it anyway.
0
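A read-only audit of the locations the comment above says to check (autostart entries, startup folders, the .exe file association, IE proxy settings and the hosts file). This is an added example, not a script from the thread or from any tool named in it; it assumes a modern Windows PowerShell session run as Administrator and only reports, it changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the places the
# comment above says to inspect. Run as Administrator; prints findings only.
$findings = @()

# 1. Autostart entries (what msconfig's Startup tab lists) in Run/RunOnce keys
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds
            if ($p.Name -notmatch '^PS') {
                $findings += "Autostart: $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. Startup folders for All Users and for the current user
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Startup folder item: $($_.FullName)" }
}

# 3. .exe file association: the clean launch command is exactly "%1" %*
$exeCmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
if ($exeCmd -ne '"%1" %*') { $findings += "Modified .exe association: $exeCmd" }

# 4. Internet Explorer proxy settings (a stuck proxy blocks signature updates)
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings += "Proxy enabled: $($inet.ProxyServer)" }

# 5. Hosts file: any active line that is not a localhost mapping is worth a look
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts |
    Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '\blocalhost\b' } |
    ForEach-Object { $findings += "Hosts entry: $($_.Trim())" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Because a rootkit can hide its own files and registry entries from the running system, an empty result from inside the infected session is not proof of a clean machine; re-run it from Safe Mode or compare against an offline scan.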
 
LVL 38

Assisted Solution

by:younghv
younghv earned 167 total points
ID: 36581107
This is similar to another question being worked on at EE.

Please take a look at the suggestion here:
http://www.experts-exchange.com/Q_27321320.html#a36580363 (and at the other Expert Comments).
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 167 total points
ID: 36585883
That's a ZA (ZeroAccess) rootkit.

Try the antizeroaccess.exe mentioned in that article.
Sometimes it also doesn't detect the ZA rootkit, and it also doesn't restore ACL permissions.
http://blog.webroot.com/2011/08/03/new-tool-released-kiss-or-kick-zeroaccess-goodbye/

ComboFix is also helpful with removing this infection. If ComboFix won't run, run TDSSKiller first and then ComboFix, and show us the log.

TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
LVL 1

Author Closing Comment

by:sbdt8631
ID: 36711230
Thanks
0