Anyone seen this malware?  Name is all numbers

Posted on 2011-10-06
Last Modified: 2012-05-12
I boot into safe mode (without networking).  I have a process running named 513554315:1959289825.exe.  That is the only odd looking name in the list of processes.  I can't find a file with a similar name.  I did find 2 entries in the registry and deleted them, restarted into safe mode and it is still there.
I can't kill the process.
As soon as I try to run Malwarebytes, ComboFix or RKill (even RKill named iexplore.exe), the shortcut for that program turns to the white page, as if the file with the icon can't be found.
I'm hoping to determine how to clean this up, as I recently reformatted a different computer due to a similar looking malware.
Any help is much appreciated.
Question by:rickmills
    LVL 17

    Accepted Solution

    If you have a clean computer with a CDR try creating the "Standalone Microsoft System Sweeper".
    You can download it at:
    Also check your Scheduler to see if any unknown tasks are in there.
    LVL 6

    Expert Comment

    Boot into safe mode and run the scans.
    LVL 38

    Assisted Solution

    That has been one of the typical symptoms of the "ZeroAccess" rootkit that has been fairly prevalent over the last couple of months.

    I have been trying a variety of tools to repair it when it comes into my shop - with varying success.

    HitManPro claims their tool works - mixed success for me.
    We also have Experts who are having success with TDSSKiller, ComboFix and Malwarebytes.

    * Download the file and extract it into a folder on the infected (or potentially infected) PC.
    * Execute the file TDSSKiller.exe.
    * Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

    If the tool finds a hidden service it will prompt you to type "delete", you can also just hit "Enter" without typing in and the scan will continue...
    Please post the log to be analyzed.

    You can also try FixTDSS.exe from Symantec:



    Download, install, and run
    Malwarebytes (MBAM) (
    When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
    The instructions are included right in that link.

    If you need to manually download the latest update, use this link:

    When finished with MBAM, post the log that is generated and let us look at it for you.


    Please download ComboFix by sUBs: (and attach the resulting log)

    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and
    Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your
    next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.
    CF disconnects your machine from the internet. The connection is automatically
    restored before CF completes its run. If CF runs into difficulty and terminates
    prematurely, the connection can be manually restored by restarting your machine.
    If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:

    *** NOTE
    Please post the logs generated for both Malwarebytes and ComboFix so that we can
    review the results.

    Manual instructions here from McAfee:
    LVL 7

    Expert Comment

    Same problem two weeks ago, tried everything you can imagine, with no luck.

    Copy your data, format and reinstall should be the quickest and easiest solution, don't lose your time.

    Author Comment

    younghy, thanks for all the details.  I've got a MS System Sweeper scan running right now.  Crossing my fingers.

    frajico, I hear you.  However, I just did that Friday for another client because I couldn't clean this one.  I'm afraid I'll keep running into this issue and am willing to spend some time to try to figure out how to clean this one.  It is a nasty one, to say the least.
    LVL 38

    Expert Comment

    Agreed on the toughness.
    I'm not sure why I am sometimes able to get this darn thing cleaned up and sometimes I have to *shudder* backup and format, but I haven't seen anyone yet who has the definitive solution.

    I dropped a note to 'rpggamergirl' to see if we can get her to weigh in on this one.
    LVL 32

    Expert Comment

    So far, I have been successful in removing the ZeroAccess (ZA) root kit using ComboFix (CF). Since ZA is usually accompanied by the TDSS root kit, I recommend running TDSSKiller first which will remove TDSS and identify but not remove ZA (although it says it will). In most cases, CF will run in normal mode. I recently had to start CF in safe mode and then allow it to reboot into normal mode when root kit activity was identified (CF will reboot itself upon detecting a root kit).

    @Vic -- it's that "juggling act" you're doing that's causing you problems :-)

    Now, let's wait for the Maven of Malware to appear and weigh in.
    LVL 47

    Expert Comment

    That random-numbers ADS is definitely the sign of the ZA rootkit. younghv already advised the tools that should help take care of it. That ADS is the ZA tripwire process that causes scanners to call their own ExitProcess function and terminate themselves, and they won't run again since ZA also messes with the file's permissions.

    If ComboFix won't run, try using inherit.exe (just drag combofix.exe into the inherit.exe).
    If CF still won't run, then a rogue or some other nasties are also present and doing their own blocking, so just use the 'safe mode' way to run the tools.

    Download inherit.exe by sUBs.
    Drag the program's executable file into the inherit.exe and wait for it to say OK.

    There's a tool created for the ZeroAccess rootkit but it doesn't always work, especially when CF or other tools have been run and the main ZA files have been removed; the tool then won't find anything.
    There are a few tools that claim to remove it, including HitmanPro (as already mentioned), Eset, Kaspersky Virus Removal Tool and even MSE, but none can guarantee successful removal each time.
    The ZeroAccess rootkit is the nastiest of all so far since it also messes up permissions so the tools won't run the second time around.

    So try the suggested and we'll see.
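As an added triage example (not code from this thread or from any of the tools it names), the PowerShell script below reports the symptoms the posts describe instead of removing anything: a running process with a digits:digits name, executable-named alternate data streams, Deny entries on the scanner executables, and scheduled tasks launched from unusual folders (the "check your Scheduler" advice in the accepted solution). The folder list, the scanner file names and the digit pattern are assumptions for illustration.

```powershell
# Added triage script, not code from the thread or from the tools it names.
# It only reports the ZeroAccess-style symptoms described above:
#   1. a running process whose name looks like <digits>:<digits> (an ADS run as a process)
#   2. alternate data streams whose name ends in .exe under common system folders
#   3. Deny ACEs on scanner executables (the "white page" shortcut / refuse-to-run symptom)
#   4. scheduled tasks whose command lives outside Windows or Program Files
# Folder list, scanner file names and the digit pattern are assumptions for illustration.

$NumericAds   = '^\d+:\d+(\.exe)?$'                  # shape of 513554315:1959289825.exe
$Roots        = "$env:SystemRoot", "$env:ProgramData", "$env:USERPROFILE"
$ScannerFiles = 'mbam.exe', 'ComboFix.exe', 'TDSSKiller.exe', 'rkill.exe'   # assumed names

Write-Host "== 1. Processes with an ADS-style name =="
Get-Process | Where-Object { $_.ProcessName -match $NumericAds } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize

Write-Host "== 2. Files or folders carrying an executable-named alternate data stream =="
foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        # -Stream * lists every stream; the unnamed ':$DATA' stream is the item itself
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -match '\.exe$' }
      } | Select-Object FileName, Stream, Length | Format-Table -AutoSize
}

Write-Host "== 3. Deny entries on scanner executables saved to the Desktop =="
foreach ($name in $ScannerFiles) {
    $path = Join-Path ([Environment]::GetFolderPath('Desktop')) $name
    if (Test-Path -LiteralPath $path) {
        (Get-Acl -LiteralPath $path).Access |
          Where-Object { $_.AccessControlType -eq 'Deny' } |
          ForEach-Object { "{0}: DENY {1} for {2}" -f $name, $_.FileSystemRights, $_.IdentityReference }
    }
}

Write-Host "== 4. Scheduled tasks running from unusual locations =="
# schtasks.exe is used because it exists on XP/Vista/7 as well as newer versions.
# /v CSV output repeats the header row per task folder, so those rows are filtered out.
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -and $_.'Task To Run' -ne 'Task To Run' -and
                   $_.'Task To Run' -notmatch '^"?(%SystemRoot%|C:\\Windows|C:\\Program Files)' } |
    Select-Object TaskName, 'Task To Run', 'Run As User' | Format-Table -AutoSize
```

The ADS step needs PowerShell 3.0 or later; on older systems `dir /r` from cmd.exe lists alternate data streams instead.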
    LVL 47

    Expert Comment

    Thanks for the heads-up, younghv, don't have much to add since you've already taken care of it, :)
    Nice to see you both here, :)

    Author Closing Comment

    MS Standalone System Sweeper seems to have done the trick.  After running it, I restarted and the malware was not running as a process.
    I was then able to run a Malwarebytes scan, which found 3 more items and cleaned those up.
    Thanks for all the detailed information and links.  I will continue to use this post as a reference.
