Solved

Anyone seen this malware?  Name is all numbers

Posted on 2011-10-06
Last Modified: 2012-05-12
I boot into safe mode (without networking).  I have a process running named 513554315:1959289825.exe.  That is the only odd looking name in the list of processes.  I can't find a file with a similar name.  I did find 2 entries in the registry and deleted them, restarted into safe mode and it is still there.
I can't kill the process.
As soon as I try to run Malwarebytes, ComboFix or RKill (even RKill named iexplore.exe), the shortcut for that program turns to the white page, as if the file with the icon can't be found.
I'm hoping to determine how to clean this up, as I recently reformatted a different computer due to a similar looking malware.
Any help is much appreciated.
Question by:rickmills

10 Comments

Accepted Solution
by:pjam earned 1600 total points
ID: 36926850
If you have a clean computer with a CDR try creating the "Standalone Microsoft System Sweeper".
You can download it at:
http://connect.microsoft.com/systemsweeper
Also check your Scheduler to see if any unknown tasks are in there.
Expert Comment
by:MISOperations
ID: 36926854
Boot into safe mode and run the scans.
Assisted Solution
by:younghv earned 400 total points
ID: 36926896
That has been one of the typical symptoms of the "ZeroAccess" rootkit that has been fairly prevalent over the last couple of months.

I have been trying a variety of tools to repair it when it comes into my shop - with varying success.

HitManPro claims their tool works - mixed success for me.
We also have Experts who are having success with TDSSKiller, ComboFix and Malwarebytes.

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete", you can also just hit "Enter" without typing in and the scan will continue...
Please post the log to be analyzed.

You can also try FixTDSS.exe from Symantec:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

**************

HitmanPro
http://www.surfright.nl/en/hitmanpro
**********************************************


Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

If you need to manually download the latest update, use this link:
http://data.mbamupdates.com/tools/mbam-rules.exe

When finished with MBAM, post the log that is generated and let us look at it for you.

*********************

Please download ComboFix by sUBs (and attach the resulting log):
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the ComboFix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*** NOTE
Please post the logs generated for both Malwarebytes and ComboFix so that we can review the results.

Manual instructions here from McAfee:
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23412/en_US/McAfee%20Labs%20Threat%20Advisory-ZeroAccess.pdf
Expert Comment
by:frajico
ID: 36927176
Same problem two weeks ago, tried everything you can imagine, with no luck.

Copy your data, format and reinstall should be the quickest and easiest solution, don't lose your time.
Author Comment
by:rickmills
ID: 36927272
younghv, thanks for all the details. I've got a MS System Sweeper scan running right now. Crossing my fingers.

frajico, I hear you. However, I just did that Friday for another client because I couldn't clean this one. I'm afraid I'll keep running into this issue and am willing to spend some time to try to figure out how to clean this one. It is a nasty one, to say the least.
Expert Comment
by:younghv
ID: 36927609
@rickmills,
Agreed on the toughness.
I'm not sure why I am sometimes able to get this darn thing cleaned up and sometimes I have to *shudder* backup and format, but I haven't seen anyone yet who has the definitive solution.

I dropped a note to 'rpggamergirl' to see if we can get her to weigh in on this one.
Expert Comment
by:willcomp
ID: 36928201
So far, I have been successful in removing the ZeroAccess (ZA) root kit using ComboFix (CF). Since ZA is usually accompanied by the TDSS root kit, I recommend running TDSSKiller first which will remove TDSS and identify but not remove ZA (although it says it will). In most cases, CF will run in normal mode. I recently had to start CF in safe mode and then allow it to reboot into normal mode when root kit activity was identified (CF will reboot itself upon detecting a root kit).

@Vic -- it's that "juggling act" you're doing that's causing you problems :-)

Now, let's wait for the Maven of Malware to appear and weigh in.
Expert Comment
by:rpggamergirl
ID: 36928754
That random-numbers ADS is definitely the sign of the ZA rootkit. younghv already advised the tools that should help take care of it. That ADS is the ZA tripwire process that causes scanners to call their own ExitProcess function and terminate themselves, and they won't run again since ZA also messes with the file's permissions.

If ComboFix won't run, try using inherit.exe (just drag combofix.exe into the inherit.exe).
If CF still won't run, then a rogue or some other nasties are present also and doing their own block, then just use the 'safe mode' way to run the tools.


Download inherit.exe by sUBs.
http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
Drag the program's executable file into the inherit.exe and wait for it to say OK.


There's a tool created for the ZeroAccess rootkit but it doesn't always work, especially when CF or other tools have been run and the main ZA files have been removed; the tool then won't find anything.
There are a few tools that claim to remove it, including HitmanPro (as already mentioned), Eset, Kaspersky Virus Removal tool and even MSE, but none can guarantee successful removal each time.
The ZeroAccess rootkit is the nastiest of all so far since it also messes up permissions so the tools won't run the second time around.

So try the suggested and we'll see.
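An added detection example, not from this thread or from any of the tools named in it: a Python check that flags process image names shaped like NTFS alternate data streams, such as the all-digits `host:stream.exe` name described above. The process list is a constructed sample, not telemetry from any real machine.

```python
import re

# Constructed sample of process image names, modelled on the name reported in
# the question; not real telemetry from any machine.
SAMPLE_PROCESSES = [
    "explorer.exe",
    "svchost.exe",
    "513554315:1959289825.exe",               # all-digits host:stream, as in the thread
    "C:\\Windows\\System32\\lsass.exe",        # drive colon only, not a stream
    "C:\\Windows\\Temp\\1234567:report.txt",   # a stream on a non-exe host
]

# A stream-style basename is <host>:<stream>; ':' cannot appear in a normal
# NTFS file name, so after the drive letter it only ever denotes an ADS.
ADS_RE = re.compile(r"^(?P<host>[^\\/:]+):(?P<stream>[^\\/:]+)$")
# The specific shape from the thread: random digits on both sides, .exe stream.
NUMERIC_ADS_RE = re.compile(r"^\d+:\d+\.exe$", re.IGNORECASE)


def basename(path):
    """Last path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def classify(name):
    """Return 'numeric-ads', 'ads' or None for one process image name."""
    base = basename(name)
    if NUMERIC_ADS_RE.match(base):
        return "numeric-ads"
    if ADS_RE.match(base):
        return "ads"
    return None


def find_ads_processes(names):
    """Return (name, verdict) for every name that looks stream-hosted."""
    hits = []
    for n in names:
        verdict = classify(n)
        if verdict:
            hits.append((n, verdict))
    return hits


if __name__ == "__main__":
    for name, verdict in find_ads_processes(SAMPLE_PROCESSES):
        print(f"{verdict:12} {name}")
```

On Vista and later, `dir /r` in a command prompt lists the streams attached to a file, which is how the host file behind such a name can be located on disk.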
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36928778
Thanks for the heads-up younghv, don't have much to add since you've already taken care of it, :)
Nice to see you both here, :)
Author Closing Comment
by:rickmills
ID: 36931183
MS Standalone System Sweeper seems to have done the trick. After running it, I restarted and the malware was not running as a process.
I was then able to run a Malwarebytes scan, which found 3 more items and cleaned those up.
Thanks for all the detailed information and links. I will continue to use this post as a reference.