Solved

Malware, Backdoor.0access, 2662609615:81876045.exe, removal procedure please

Posted on 2011-09-22
Last Modified: 2013-11-22
I have a virus identified by Malwarebytes as Backdoor.0access, running a process 2662609615:81876045.exe. I have tried ending the process in Task Manager and using taskkill, but it doesn't stop. I have run multiple Malwarebytes scans in safe mode and it says I am clean, but it comes back when I reboot. I can't use System Restore because I must have turned it off in the past and forgot to turn it back on. I have searched for the 2662* file in safe mode but I get no results. I have tried creating a new profile, but it runs there too.
Does anyone know how to get rid of this without reformatting the hard drive?
Question by:sbdt8631
4 Comments

Assisted Solution

by:uescomp
uescomp earned 166 total points
I would check your startup programs to find its location; most likely the exe file is sitting in your All Users folder. I would browse around there and check in the Application Data folder and Local folder for it. If you can't stop it, try renaming it and logging out and back in.

What I normally do is, when I go to log in, I spam Ctrl+Alt+Delete to open Task Manager right away so it does not get denied, because the task was started before the virus. Find its location in the startup list (go to Run, type msconfig, Startup tab). Delete the exe.

I then open up the registry, do a search for the virus, remove the keys it created, and edit/change the keys it attached itself to (like the .exe extension and iexplore, etc.).

Run a cleanup utility which can be found here: http://www.stevengould.org/index.php?option=com_content&task=view&id=15&Itemid=69

Then run Malwarebytes and get your updates (if you cannot connect to the internet, check your proxy settings in Internet Explorer to see if anything is stuck in there. You could also check your Local Area Connection to see if a bogus static address was assigned, and check your hosts file to see if it has been tampered with).

Other recommendations which I have heard from others are portable SUPERAntiSpyware, HitmanPro, etc.

I remove the virus manually first because that way I know my scans will pick up the garbage a virus leaves behind. It saves time sitting and watching all these scans when you're not sure if the scan is going to find it anyway.
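As an added triage script (not posted by anyone in this thread), the following PowerShell enumerates the autostart locations uescomp describes, flags entries whose image name has the "digits:digits.exe" shape from the question, lists NTFS alternate data streams (the colon in that process name is the stream separator, which is my reading of why a normal file search returns nothing), and prints active hosts-file entries. It assumes Windows PowerShell 3.0 or later (for -Stream) running from an elevated prompt; the registry paths and folder names are the standard ones, and the scan root is my choice.

```powershell
# Added triage helper, not code from the thread. Assumes PS 3.0+ and an elevated prompt.
$suspect = '^\d+:\d+\.exe$'   # shape of the process named in the question (assumed pattern)

function Get-AutostartEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # image path = first quoted token, else first whitespace-separated token
            $path = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $flags = @()
            if ($path -and (Split-Path $path -Leaf) -match $suspect) { $flags += 'numeric-ads-name' }
            $exists = $false; try { $exists = Test-Path -LiteralPath $path } catch {}
            if (-not $exists) { $flags += 'file-not-found' }
            [pscustomobject]@{ Source=$k; Name=$name; Command=$cmd; Flags=($flags -join ',') }
        }
    }
    # Startup folders for the current user and for All Users (the location uescomp mentions)
    foreach ($dir in ([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source=$dir; Name=$_.Name; Command=$_.FullName; Flags='' }
        }
    }
}

function Get-AlternateStreams([string]$Root) {
    # Lists every stream other than the default ::$DATA one; Explorer search never shows these.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

function Get-HostsOverrides {
    # Any active (non-comment) line other than the localhost entries deserves a look
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
        Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch 'localhost' }
}

Get-AutostartEntries | Format-Table -AutoSize
Get-AlternateStreams -Root "$env:SystemRoot\System32" | Format-Table -AutoSize
Get-HostsOverrides
```

Run it from the Task Manager-launched prompt uescomp describes so the listing reflects what actually starts at logon, and widen the -Root argument if the stream scan of System32 comes back empty.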

Assisted Solution

by:younghv
younghv earned 167 total points
This is similar to another question being worked on at EE.

Please take a look at the suggestion here:
http://www.experts-exchange.com/Q_27321320.html#a36580363 (and at the other Expert Comments).

Accepted Solution

by:rpggamergirl
rpggamergirl earned 167 total points
That's a ZA (ZeroAccess) rootkit.

Try the antizeroaccess.exe mentioned in that article.
Sometimes it also doesn't detect the ZA rootkit, and it doesn't restore ACL permissions.
http://blog.webroot.com/2011/08/03/new-tool-released-kiss-or-kick-zeroaccess-goodbye/

ComboFix is also helpful with removing this infection. If ComboFix won't run, run TDSSKiller first and then ComboFix, and show us the log.

TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Author Closing Comment

by:sbdt8631
Thanks