find exe, exe name is 2558309627:72057703.exe

Posted on 2011-10-07
Last Modified: 2013-11-22
I have a computer infected with AV Guard; in the process list I see an EXE running.
When I do a search I cannot find it.
Does anybody know how to find a file like this?

If I boot to safe mode with no network connection it does not run
If I boot to safe mode with network connection then it runs?

I am sure it is tied to this virus.

I have tried to reinstall MalwareBytes, but it errors at connecting to download the updated definitions.

Thank you
Question by:mdlp
    LVL 38

    Assisted Solution

    We have been seeing a lot of this here on EE in the recent past.
    Here is an example of some advice that worked in this question (


    That has been one of the typical symptoms of the "ZeroAccess" rootkit that has been fairly prevalent over the last couple of months.

    I have been trying a variety of tools to repair it when it comes into my shop - with varying success.

    HitManPro claims their tool works - mixed success for me.
    We also have Experts who are having success with TDSSKiller, ComboFix and Malwarebytes.

    * Download the file and extract it into a folder on the infected (or potentially infected) PC.
    * Execute the file TDSSKiller.exe.
    * Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

    If the tool finds a hidden service it will prompt you to type "delete", you can also just hit "Enter" without typing in and the scan will continue...
    Please post the log to be analyzed.

    You can also try FixTDSS.exe from Symantec:



    Download, install, and run
    Malwarebytes (MBAM) (
    When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
    The instructions are included right in that link.

    If you need to manually download the latest update, use this link:

    When finished with MBAM, post the log that is generated and let us look at it for you.


    Please download ComboFix by sUBs:(and attach the resulting log)

    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and
    Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your
    next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.
    CF disconnects your machine from the internet. The connection is automatically
    restored before CF completes its run. If CF runs into difficulty and terminates
    prematurely, the connection can be manually restored by restarting your machine.
    If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:

    *** NOTE
    Please post the logs generated for both Malwarebytes and ComboFix so that we can
    review the results.

    Manual instructions here from McAfee:
    LVL 10

    Accepted Solution

    Here is a step by step guide to cleaning AV Guard:

    The colon in the filename would indicate an alternate data stream (

    You can use sysinternals streams to locate ADS's (

    LVL 16

    Assisted Solution

    by:Michael Ortega (Internetwerx, Inc.)
    AV Guard will prevent MBytes from updating its definitions. You have a couple of options:

    1. You can install and update MBytes on another system and simply copy over the definitions file from that machine to the infected machine.

    2. You can TASKKILL the process from a command prompt and review your startup registry for the location of the infected files.


    Look for the bad file and take note of the path.

    You can also search for the file, but make sure your search parameters include hidden files and folders.

    LVL 9

    Expert Comment

    Have you tried running msconfig and disabling the program there? It may be displaying a false file name as well, so you can't find it.

    Can you bring over the MalwareBytes updates via a thumb drive? I also have had good luck using the Microsoft Safety Scanner off of a USB to clean machines.
    LVL 38

    Expert Comment

    If this is AV Guard, the instructions in the link posted by 'Alan_White' will work. I used them last night on a system in my repair shop.

    Note that you have to boot to Safe Mode w/Networking to download your fresh Malwarebytes and run the updates.

    The detailed instructions are written by MS MVP Lawrence Abrams (Grinler) and he is one of the best on the planet at figuring out how to repair this stuff.

    There may be other 'options' if the instructions don't work, but I have had virtually 100% success following Grinler's advice in the past.

    Author Comment

    I have followed the bleeping computer file and have run the FixTDSS.exe, to no avail.

    I will try to copy the updated diff file, I believe that will help me.

    Yes, I have disabled it in msconfig, and went as far as to run Hijack and deleted anything that looked the least bit wrong.

    If this is AV Guard, the instructions in the link posted by 'Alan_White' will work. I used them last night on a system in my repair shop.

    Note that you have to boot to Safe Mode w/Networking to download your fresh Malwarebytes and run the updates.

    The detailed instructions are written by MS MVP Lawrence Abrams (Grinler) and he is one of the best on the planet at figuring out how to repair this stuff.

    There may be other 'options' if the instructions don't work, but I have had virtually 100% success following Grinler's advice in the past.

    And I have followed all of these; I cannot reinstall MalwareBytes.

    Thank you, let me try to do the manual update of MalwareBytes and see if that helps.


    Author Comment

    mgortega: When I do a search for the file, since it has the : in it, the search tries to make the part after the : the directory?

    And I did search the hidden and system files. I tried a "dir 2558309627*.exe /s" but it did not find it either.

    LVL 16

    Expert Comment

    by:Michael Ortega (Internetwerx, Inc.)
    Try to search by date parameter. Make sure to select hidden files and folders again.

    The manual def update for MBytes should work. I've tried that many times in the past.

    LVL 3

    Expert Comment

    Another thread on Experts Exchange dealing with the same virus. Getting rid of the virus is the easy part. It installs a rootkit into the network core files of Windows. Could not correct the network damage and had to run a Windows XP repair install to fix internet connectivity.
    LVL 47

    Expert Comment

    Have you tried running the tools that younghv suggested? Especially TDSSKiller and ComboFix.
    No need to find that random-numbered 72057703.exe, you won't be able to find it via Explorer or even the command prompt; it's a data stream (ADS) attached to a file, a common sign of a ZeroAccess rootkit.
    If I were you I'd just run those scanners already mentioned and post the combofix log.
    If the tools won't run in normal mode just run them via safe mode.
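
    As an added example that is not part of this thread (it is not the Sysinternals tool or any expert's script), the following PowerShell snippet shows the point made in the accepted solution and in the comment above: a name like 2558309627:72057703.exe is a host file plus an alternate data stream, so a normal dir or Explorer search never matches it, but enumerating streams (built into PowerShell 3.0+ on Windows) does. The start path and the "suspect" rule are assumptions for illustration.

```powershell
# Added example: locate files that carry alternate data streams (ADS) and
# flag running processes whose image path has a colon in its last component.
# Assumption: scan starts at $Root; adjust to the drive or folder you suspect.
param(
    [string]$Root = "$env:SystemRoot"
)

function Get-SuspectStreams {
    param([string]$Path)
    # -Force includes hidden/system entries, which a default search skips.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $host_item = $_
            # Every file has a default ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $host_item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        HostFile = $host_item.FullName
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                        # Zone.Identifier is the normal "downloaded from the web" marker;
                        # an executable name in a stream is what deserves a look.
                        Suspect  = ($_.Stream -ne 'Zone.Identifier') -and ($_.Stream -match '\.exe$|\.dll$')
                    }
                }
        }
}

function Get-ProcessesRunningFromStream {
    # A colon inside the last path component (after the final backslash) means
    # the image was launched from an ADS, e.g. ...\2558309627:72057703.exe.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -match '\\[^\\]*:[^\\]+$') } |
        Select-Object Id, ProcessName, Path
}

"Processes running from an alternate data stream:"
Get-ProcessesRunningFromStream | Format-Table -AutoSize

"Alternate data streams under $Root (suspect entries first):"
Get-SuspectStreams -Path $Root | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

    Run it from an elevated prompt so system directories are readable; a hit in the first table gives the host file whose stream the process was started from, and taskkill on that PID followed by removing the stream (Remove-Item -Stream) clears it without guessing at a file name.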

    Author Comment

    Thank you all, I know that the guidelines from Bleeping Computer are to be followed, and I do. It is always the first place I go!

    In this case they did not work, and I came across the file name and I could not find it, which to me is a reason to try to learn. And that I did, because I did not know about ADS. I agree rpggamegirl, that finding that file may not help me with this issue, but as a Tech in the field, I need to at least know how and why something is happening. And for that this post has been a wealth of knowledge, thank you experts.

    See, I did not know about ADS, or the two real treasures, taskkill and manual update of MalwareBytes, although the manual download seems to be a week old and not as up to date as the version that you get if you update through the GUI.

    I had, and one of my other associates that does work with/for me found, that the rootkits do destroy the network, so from that point we wipe and reinstall. We do not fix. Not right, not wrong, just a business choice that I have come to make, that I find works for us.

    I am sorry to all the experts, I should not have referenced the virus side, then I would not have wasted your time.

    Thank you again for all your input, and know you all have helped an old guy to grow in the knowledge needed to stay afloat in this day and age! ;-)

    Author Closing Comment

    Thank you Allen White because you did answer my main question, and to Mgortega and Younghv, I am splitting the points because I felt that I co-mingled a question, and you gave me information that I did not know. This is where I wish I could add points, because Allen you did answer my question, and as I stated in my post I should not have co-mingled the virus into the question, because we were already at the wipe and reinstall decision.

    I hope you all understand, as this is the part of using Experts I hate, awarding the points! I am learning, and again I apologize for the co-mingling of the question.
