Solved

Malware, Backdoor.0access, 2662609615:81876045.exe, removal procedure please

Posted on 2011-09-22
2,937 Views
Last Modified: 2013-11-22
I have a virus identified by Malwarebytes as Backdoor.0access, running a process 2662609615:81876045.exe. I have tried ending the process in Task Manager and using taskkill, but it doesn't stop. I have run multiple Malwarebytes scans in safe mode and it says I am clean, but it comes back when I reboot. I can't use System Restore because I must have turned it off in the past and forgot to turn it back on. I have searched for the 2662* file in safe mode but I get no results. I have tried creating a new profile, but it runs there too.
Does anyone know how to get rid of this without reformatting the hard drive?
Question by:sbdt8631
4 Comments
 
LVL 16

Assisted Solution

by:uescomp
uescomp earned 166 total points
ID: 36580915
I would check your startup programs to find its location; most likely the exe file is sitting in your All Users folder. I would browse around there and check in the Application Data folder and Local folder for it. If you can't stop it, try renaming it and logging out and back in.

What I normally do is, when I go to log in, I spam Ctrl+Alt+Delete to open Task Manager right away so it does not get denied, because the task was started before the virus. Find its location in the startup list (go to Run, type msconfig, Startup tab). Delete the exe.

I then open up the registry, do a search for the virus and remove the keys it created, and edit/change the keys it attached itself to (like the .exe extension and iexplore etc.).

Run a cleanup utility which can be found here: http://www.stevengould.org/index.php?option=com_content&task=view&id=15&Itemid=69

Then run Malwarebytes and get your updates (if you cannot connect to the internet, check your proxy settings in Internet Explorer to see if anything is stuck in there. Could also check your Local Area Connection to see if a bogus static IP was assigned, and also check your hosts file to see if it has been tampered with).

Other recommendations which I have heard from others are portable SUPERAntiSpyware, HitmanPro, etc.

I remove the virus manually first because that way I know my scans will pick up the garbage a virus leaves behind. Saves time from sitting and watching all these scans when you're not sure if the scan is going to find it anyway.
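The checks in the comment above (autostart locations, the hijacked .exe handler, proxy settings, a bogus static address, the hosts file) can be collected in one pass rather than clicked through by hand. The script below is an added example, not code from the thread or from any of the tools mentioned. It assumes PowerShell 3.0 or later (for the -Stream parameter; on older hosts use `dir /r` or Sysinternals streams.exe), an elevated prompt, and that the places it looks (Windows directory and system-drive root for streams, the standard Run/RunOnce keys and Startup folders) are where the autostart lives on the affected machine. It only reports; nothing is killed or deleted. One thing worth knowing before running it: a colon inside an NTFS path, as in 2662609615:81876045.exe, is the syntax for an alternate data stream, which is why a normal file search for 2662* turns up nothing.

```powershell
# Added triage script, not from the original thread. Assumes PowerShell 3.0+
# on an elevated prompt. Read-only: review the output before removing anything.

# 1. Running processes whose image name looks like <digits>:<digits>.
#    A colon in an NTFS path names an alternate data stream (ADS).
function Find-AdsNamedProcess {
    Get-Process | Where-Object { $_.Name -match '^\d+:\d+$' } |
        Select-Object Id, Name, Path
}

# 2. Alternate data streams on the immediate children of the given roots.
#    The default roots are an assumption; extend them if the image lives elsewhere.
#    Errors (locked files, directories on hosts whose provider cannot stream them) are suppressed.
function Find-AlternateDataStreams {
    param([string[]]$Roots = @($env:SystemRoot, "$env:SystemDrive\"))
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                    Where-Object { $_.Stream -ne ':$DATA' } |
                    Select-Object FileName, Stream, Length
            }
    }
}

# 3. Autostart entries: Run/RunOnce keys (both hives, plus Wow6432Node) and both Startup folders.
function Get-AutostartEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {
                [pscustomobject]@{ Source = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    foreach ($f in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($f)
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName } }
    }
}

# 4. The .exe file-association handler. The stock value is "%1" %*; anything else
#    means every program launch is being routed through something else first.
function Test-ExeHandler {
    $cmd = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command').'(default)'
    [pscustomobject]@{ Command = $cmd; Hijacked = ($cmd -ne '"%1" %*') }
}

# 5. Hosts file: every line that is not a comment or one of the stock localhost lines.
function Get-HostsOverrides {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

# 6. WinINet proxy settings (what Internet Explorer and updaters that use it will honour)
#    and the IP/DNS configuration of every enabled adapter, for the "bogus static" check.
function Get-NetworkOverrides {
    $ie = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        ProxyEnable   = $ie.ProxyEnable
        ProxyServer   = $ie.ProxyServer
        AutoConfigURL = $ie.AutoConfigURL
    }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        Select-Object Description, DHCPEnabled, IPAddress, DNSServerSearchOrder
}

'== processes with ADS-style names ==';  Find-AdsNamedProcess      | Format-Table -AutoSize
'== alternate data streams ==';          Find-AlternateDataStreams | Format-Table -AutoSize
'== autostart entries ==';               Get-AutostartEntries      | Format-Table -AutoSize -Wrap
'== .exe handler ==';                    Test-ExeHandler           | Format-List
'== hosts overrides ==';                 Get-HostsOverrides
'== proxy / adapter configuration ==';   Get-NetworkOverrides      | Format-List
```

Run it once before any removal and save the output; a second run after the cleanup tools have finished shows whether the autostart entry, the stream and any proxy or hosts tampering are actually gone, which is the same "know what the scans should find" idea the comment describes. Keep in mind that a kernel-mode rootkit can hide processes and files from user-mode queries like these, so an empty result is not proof of a clean machine; the dedicated rootkit scanners recommended below in the thread look from a lower level.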
 
LVL 38

Assisted Solution

by:younghv
younghv earned 167 total points
ID: 36581107
This is similar to another question being worked on at EE.

Please take a look at the suggestion here:
http://www.experts-exchange.com/Q_27321320.html#a36580363 (and at the other Expert Comments).
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 167 total points
ID: 36585883
That's a ZA (ZeroAccess) rootkit.

Try the antizeroaccess.exe mentioned in this article.
Sometimes it doesn't detect the ZA rootkit, and it also doesn't restore ACL permissions.
http://blog.webroot.com/2011/08/03/new-tool-released-kiss-or-kick-zeroaccess-goodbye/

ComboFix is also helpful with removing this infection. If ComboFix won't run, run TDSSKiller first and then ComboFix, and show us the log.

TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double-click ComboFix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
LVL 1

Author Closing Comment

by:sbdt8631
ID: 36711230
Thanks