• Status: Solved
  • Priority: Medium
  • Security: Public

Malware, Backdoor.0access, 2662609615:81876045.exe, removal procedure please

I have a virus identified by Malwarebytes as Backdoor.0access, running a process 2662609615:81876045.exe.  I have tried ending the process in Task Manager and using taskkill, but it doesn't stop.  I have run multiple Malwarebytes scans in safe mode and it says I am clean, but it comes back when I reboot.  I can't use System Restore because I must have turned it off in the past and forgot to turn it back on.  I have searched for the 2662* file in safe mode but I get no results.  I have tried creating a new profile, but it runs there too.
Does anyone know how to get rid of this without reformatting the hard drive?
Asked by: sbdt8631

3 Solutions
 
uescomp Commented:
I would check your startup programs to find its location; most likely the exe file is sitting in your All Users folder.  I would browse around there and check in the Application Data folder and Local folder for it.  If you can't stop it, try renaming it and logging out and back in.

What I normally do is, when I go to log in, I spam Ctrl+Alt+Delete to open Task Manager right away so it does not get denied, because the task was started before the virus.  Find its location in the startup list (go to Run, type msconfig, Startup tab).  Delete the exe.

I then open up the registry, do a search for the virus and remove the keys it created, and edit/change the keys it attached itself to (like the .exe extension, iexplore, etc.).

Run a cleanup utility which can be found here: http://www.stevengould.org/index.php?option=com_content&task=view&id=15&Itemid=69

Then run Malwarebytes and get your updates (if you cannot connect to the internet, check your proxy settings in Internet Explorer to see if anything is stuck in there.  Could also check your Local Area Connection to see if a bogus static IP was assigned, and also check your hosts file to see if it has been tampered with).

Other recommendations which I have heard from others are portable SUPERAntiSpyware, HitmanPro, etc.

I remove the virus manually first because that way I know my scans will pick up the garbage a virus leaves behind.  Saves time from sitting and watching all these scans when you're not sure if the scan is going to find it anyway.
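The checks in the comment above (startup locations, the .exe handler and other registry keys malware attaches itself to, proxy settings, the Local Area Connection, the hosts file), collected into one read-only PowerShell script. This is an added example, not code from the thread or from any of the tools it names. It assumes PowerShell 3.0 or later (for Get-Item -Stream) on an elevated prompt; the registry keys and the hosts path are the standard Windows locations, and the only value taken from the question is the file-name pattern. It also lists NTFS alternate data streams under the Windows directory, because a colon inside a file name is stream syntax (host:stream) and Explorer's search does not list streams, which is one reason a search for the host name alone can return nothing. Caveat: a kernel-mode rootkit can hide its files, streams and registry values from any user-mode tool, this script included, which is why the thread falls back to TDSSKiller and ComboFix when manual cleanup is not enough.

```powershell
# Added example, not code from the thread. Read-only checks over the places
# the comment above says to look; it reports, it does not delete anything.
# Assumptions: PowerShell 3.0 or later (for Get-Item -Stream), run from an
# elevated prompt. Registry keys and the hosts path are standard Windows
# locations; $Pattern is the only value taken from the question.
param([string]$Pattern = '2662609615*')

function Find-SuspectProcesses {
    # WMI gives the image path and command line, which the old Task Manager does not.
    Get-WmiObject Win32_Process |
        Where-Object { $_.Name -like $Pattern -or $_.CommandLine -like "*$Pattern" } |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

function Get-AutostartEntries {
    # Run/RunOnce keys for the machine and the current user, plus the
    # All Users and per-profile Startup folders (what msconfig's Startup tab shows).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in ($keys | Where-Object { Test-Path $_ })) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Value = $_.Value } }
    }
    foreach ($folder in 'CommonStartup', 'Startup') {
        $dir = [Environment]::GetFolderPath($folder)
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Value = $_.FullName } }
    }
}

function Test-ShellHandlers {
    # Keys malware "attaches itself to": the .exe open command (stock value is "%1" %*)
    # and the Winlogon Shell/Userinit values (stock: explorer.exe and
    # <SystemRoot>\system32\userinit.exe followed by a comma).
    $exe = (Get-ItemProperty 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command').'(default)'
    $wl  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        ExeOpenCommand = $exe
        ExeLooksStock  = ($exe -eq '"%1" %*')
        Shell          = $wl.Shell
        Userinit       = $wl.Userinit
    }
}

function Get-ProxySettings {
    # A proxy or PAC URL nobody configured is a common reason update downloads fail.
    $p = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{ ProxyEnable = $p.ProxyEnable; ProxyServer = $p.ProxyServer; AutoConfigURL = $p.AutoConfigURL }
}

function Get-HostsOverrides {
    # Any active IPv4 mapping other than the loopback localhost line.
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
        Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' }
}

function Get-AdapterConfig {
    # DHCPEnabled = False with an unexpected gateway or DNS server is the
    # "bogus static" address the comment mentions.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, DHCPEnabled, IPAddress, DefaultIPGateway, DNSServerSearchOrder
}

function Find-AltStreams([string]$Root = $env:SystemRoot) {
    # Lists every named stream (anything but the default :$DATA) on items
    # directly under $Root; a colon in a file name is host:stream syntax.
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Write-Host '== Processes matching pattern ==';            Find-SuspectProcesses | Format-List  | Out-Host
Write-Host '== Autostart entries ==';                     Get-AutostartEntries  | Format-Table -AutoSize | Out-Host
Write-Host '== .exe handler and Winlogon values ==';      Test-ShellHandlers    | Format-List  | Out-Host
Write-Host '== WinINET proxy (current user) ==';          Get-ProxySettings     | Format-List  | Out-Host
Write-Host '== hosts file overrides ==';                  Get-HostsOverrides    | Out-Host
Write-Host '== Adapter configuration ==';                 Get-AdapterConfig     | Format-List  | Out-Host
Write-Host '== Alternate data streams under SystemRoot =='; Find-AltStreams     | Format-Table -AutoSize | Out-Host
```

Run it once from a normal boot and once from safe mode and compare: an entry that shows up only in the safe-mode run, or a named stream on a file under the Windows directory whose host name matches the process, is the thing to rename or delete before rescanning. Nothing here fixes the ACLs the rootkit changes on its files; that is a separate step.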
 
younghv Commented:
This is similar to another question being worked on at EE.

Please take a look at the suggestion here:
http://www.experts-exchange.com/Q_27321320.html#a36580363 (and at the other Expert Comments).
 
rpggamergirl Commented:
That's a ZA (ZeroAccess) rootkit.

Try the antizeroaccess.exe mentioned in that article.
Sometimes it doesn't detect the ZA rootkit, and it also doesn't restore ACL permissions.
http://blog.webroot.com/2011/08/03/new-tool-released-kiss-or-kick-zeroaccess-goodbye/

ComboFix is also helpful with removing this infection. If ComboFix won't run, run TDSSKiller first and then ComboFix, and show us the log.

TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip 

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
sbdt8631 (Author) Commented:
Thanks