Anyone seen this malware? Name is all numbers

I boot into safe mode (without networking).  I have a process running named 513554315:1959289825.exe.  That is the only odd looking name in the list of processes.  I can't find a file with a similar name.  I did find 2 entries in the registry and deleted them, restarted into safe mode and it is still there.
I can't kill the process.
As soon as I try to run Malwarebytes, ComboFix or RKill (even RKill named iexplore.exe), the shortcut for that program turns to the white page, as if the file with the icon can't be found.
I'm hoping to determine how to clean this up, as I recently reformatted a different computer due to a similar looking malware.
Any help is much appreciated.
If you have a clean computer with a CDR try creating the "Standalone Microsoft System Sweeper".
You can download it at:
Also check your Scheduler to see if any unknown tasks are in there.
Boot into safe mode and run the scans.
That has been one of the typical symptoms of the "ZeroAccess" rootkit that has been fairly prevalent over the last couple of months.

I have been trying a variety of tools to repair it when it comes into my shop - with varying success.

HitManPro claims their tool works - mixed success for me.
We also have Experts who are having success with TDSSKiller, ComboFix and Malwarebytes.

* Download the file and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service, it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue.
Please post the log to be analyzed.

You can also try FixTDSS.exe from Symantec:
Download, install, and run
Malwarebytes (MBAM) (
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

If you need to manually download the latest update, use this link:

When finished with MBAM, post the log that is generated and let us look at it for you.


Please download ComboFix by sUBs:(and attach the resulting log)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:

*** NOTE
Please post the logs generated for both Malwarebytes and ComboFix so that we can review the results.

Manual instructions here from McAfee:

Same problem two week ago, tried everything you can imagine, with no luck.

Copy your data, format and reinstall should be the quickest and easiest solution; don't lose your time.
rickmillsPresidentAuthor Commented:
younghy, thanks for all the details. I've got a MS System Sweeper scan running right now. Crossing my fingers.

frajico, I hear you. However, I just did that Friday for another client because I couldn't clean this one. I'm afraid I'll keep running into this issue and am willing to spend some time to try to figure out how to clean this one. It is a nasty one, to say the least.
Agreed on the toughness.
I'm not sure why I am sometimes able to get this darn thing cleaned up and sometimes I have to *shudder* backup and format, but I haven't seen anyone yet who has the definitive solution.

I dropped a note to 'rpggamergirl' to see if we can get her to weigh in on this one.
So far, I have been successful in removing the ZeroAccess (ZA) root kit using ComboFix (CF). Since ZA is usually accompanied by the TDSS root kit, I recommend running TDSSKiller first which will remove TDSS and identify but not remove ZA (although it says it will). In most cases, CF will run in normal mode. I recently had to start CF in safe mode and then allow it to reboot into normal mode when root kit activity was identified (CF will reboot itself upon detecting a root kit).

@Vic -- it's that "juggling act" you're doing that's causing you problems :-)

Now, let's wait for the Maven of Malware to appear and weigh in.
That random-numbers ADS is definitely the sign of the ZA rootkit. younghv already advised the tools that should help take care of it. That ADS is the ZA tripwire process that causes scanners to call their own ExitProcess function and terminate themselves, and they won't run again since ZA also messes with the file's permissions.

If ComboFix won't run, try using inherit.exe (just drag combofix.exe into the inherit.exe).
If CF still won't run, then a rogue or some other nasties are present also and doing their own block; then just use the 'safe mode' way to run the tools.

Download inherit.exe by sUBs.
Drag the program's executable file into the inherit.exe and wait for it to say OK.

There's a tool created for the ZeroAccess rootkit, but it doesn't always work, especially when CF or other tools have been run and the main ZA files have been removed; the tool then won't find anything.
There are a few tools that claim to remove it, including HitmanPro (as already mentioned), Eset, Kaspersky Virus Removal Tool and even MSE, but none can guarantee successful removal each time.
ZeroAccess rootkit is the nastiest of all so far since it also messes up permissions so the tools won't run the second time around.

So try the suggested and we'll see.
Thanks for the heads up younghv, don't have much to add since you've already taken care of it, :)
Nice to see you both here, :)
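A defender-side addition, not code from anyone in this thread: a PowerShell script that enumerates alternate data streams on disk and lists running processes whose image lives in one, to confirm the "numbers:numbers.exe" ADS pattern rpggamergirl describes above. It assumes PowerShell 3.0 or later on an elevated prompt; the default $Root folder and the numeric-stream pattern are assumptions for illustration.

```powershell
# Added example (not from the thread). Enumerates alternate data streams (ADS)
# under $Root and flags stream names that look like "<digits>.exe", the shape of
# the process name reported in the question (513554315:1959289825.exe).
# Assumes PowerShell 3.0+ (Get-Item -Stream) and an elevated prompt.
param(
    [string]$Root = $env:SystemRoot   # assumption: start with the Windows folder
)

function Find-SuspiciousAds {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has the default ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Length     = $_.Length
                        NumericExe = ($_.Stream -match '^\d+\.exe$')  # e.g. "1959289825.exe"
                    }
                }
        }
}

function Find-AdsHostedProcess {
    # A process whose image is an ADS carries "hostfile:stream" in its name/path.
    # ProcessName drops the ".exe", so the colon is the tell; Path may be null
    # for processes we cannot open, and -match on $null simply returns $false.
    Get-Process | Where-Object { $_.ProcessName -match ':' -or $_.Path -match ':\d+\.exe$' } |
        Select-Object Id, ProcessName, Path
}

"== Alternate data streams under $Root (numeric .exe streams first) =="
Find-SuspiciousAds -Path $Root | Sort-Object NumericExe -Descending | Format-Table -AutoSize

"== Running processes hosted in an ADS =="
Find-AdsHostedProcess | Format-Table -AutoSize
```

Access-denied errors are silenced because, as the thread notes, ZA alters file permissions; a file you cannot open at all is itself worth a second look from a clean boot environment such as the System Sweeper CD mentioned earlier.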
rickmillsPresidentAuthor Commented:
MS Standalone System Sweeper seems to have done the trick.  After running it, I restarted and the malware was not running as a process.
I was then able to run a Malwarebytes scan, which found 3 more items and cleaned those up.
Thanks to all the detailed information and links.  I will continue to use this post as a reference.