
There is a rogue program on a computer that seems to launch from an alternate data stream. It shows up in Task Manager as number:number.exe and can't be killed. I can delete the main file, but the program is still running. I have tried deleting the program from Linux as well, but it keeps running. Any other ideas for removal?

It also seems to hook into the operating system and look at file names to delete ones it doesn't like, such as Malwarebytes Anti-Malware (mbam.exe) and Microsoft Security Essentials.

Canadian Luke

3 Answers

5

Thanks for posting all this knowledge, people. I've been working in a PC shop for a few months and have been working on computers since they began, and I have never encountered such an annoying rootkit. If you start in Safe Mode, run TDSSKiller, then ComboFix, then TDSSKiller again upon restart, then Malwarebytes, then something conventional like AVG, you should be able to clean it once and for all. It really attaches itself to the registry and keeps recreating fake invisible 0 KB versions of itself, typically in your C:\Windows directory. I've seen probably 5-10 PCs come into our shop in the last two weeks and I've only successfully cleaned one; the others all needed a fresh Windows install, which fixed it.

It seems running the right antivirus tools in the right order can finish it off, but for the time and difficulty it takes, you might as well reinstall Windows. Anyway, thanks again for your info on the number:number.exe pain in the rear. I'll come back and reply if we ever track down a definite fix! -Seldomane

3

I've also tried with MSE and had no luck. The file was still there.

However I've managed to solve it with ESET SysRescue CD. It found the resulting file (number:number.exe) and two others:

c:\windows\system32\c_15523.nl_
c:\windows\system32\drivers\mrxsmb.sys

After deleting these files, the problem went away. I still need to do some testing but hopefully it will stay this way.

Gareth
Marko
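Two things in this thread can be checked from a PowerShell prompt before reaching for a rescue CD: the question describes a process living in an alternate data stream (the number:number.exe shape), and the answer above names two files under System32 that a rescue scanner flagged. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It enumerates named streams under C:\Windows and reports signature status and hashes for the two paths quoted above. The filter that flags stream names ending in .exe/.dll/.sys on a host whose name is only digits is my assumption about what is worth surfacing, not a detection signature for any particular malware family. It needs PowerShell 3.0 or later (for -Stream) and an elevated prompt; Get-FileHash needs 4.0.

```powershell
# Added example (not from the original Q&A). Assumptions: PowerShell 3.0+ for
# -Stream / Remove-Item -Stream, 4.0+ for Get-FileHash, run as Administrator.
param(
    [string]$Root = 'C:\Windows'
)

function Get-SuspiciousStreams {
    param([string]$Path)
    # Every NTFS file has one unnamed data stream, reported as ':$DATA'.
    # Anything else is a named alternate data stream. Directories can carry
    # streams too, so both are enumerated; -Force includes hidden/system items.
    Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $host_item = $_
            Get-Item -LiteralPath $host_item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Host   = $host_item.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                        # Assumed heuristic: digits-only host + executable-looking
                        # stream name matches the 'number:number.exe' shape from
                        # the question. Zone.Identifier streams on downloads are
                        # normal and will be listed with this set to $false.
                        LooksLikeQuestion = ($host_item.Name -match '^\d+$' -and
                                             $_.Stream -match '^\d+\.(exe|dll|sys)$')
                    }
                }
        }
}

function Test-FlaggedFile {
    param([string[]]$Paths)
    # Reports existence, size, Authenticode status and SHA-256 for each path so
    # the result can be compared against a known-good copy from install media.
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; Length = $null
                               Signature = $null; Signer = $null; Sha256 = $null }
            continue
        }
        $item = Get-Item -LiteralPath $p -Force
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path      = $p
            Exists    = $true
            Length    = $item.Length
            Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Sha256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

# Streams first, with the question-shaped ones sorted to the top.
Get-SuspiciousStreams -Path $Root |
    Sort-Object LooksLikeQuestion -Descending |
    Format-Table -AutoSize

# Then the two files the ESET SysRescue answer reported.
Test-FlaggedFile -Paths @(
    'C:\Windows\System32\c_15523.nl_',
    'C:\Windows\System32\drivers\mrxsmb.sys'
) | Format-List
```

Two caveats when reading the output. First, if the rootkit hooks the running OS, as the question suggests, it can filter what in-OS enumeration returns, so an empty stream list from inside the infected Windows proves little; running the same checks against the volume from WinPE or a rescue boot is more trustworthy, which is why the rescue CD in the answer above succeeded where in-OS tools did not. Second, mrxsmb.sys is a normal in-box SMB redirector driver, and in-box drivers are often catalog-signed rather than carrying an embedded signature, so NotSigned alone is not conclusive; the SHA-256 should be compared against the copy on install media or on a clean machine of the same build. A confirmed malicious stream can be removed with `Remove-Item -LiteralPath <host> -Stream <name>`, but, as the thread describes, expect the deletion to be undone while the implant is still running.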
1

Try booting into Safe Mode. Is it still there? Scan your computer with a clean copy of antivirus software (preferably downloaded from the internet while you are in Safe Mode).
If it detects it as known malware, it should take care of it. Otherwise, even if it doesn't detect it, try re-deleting the file, then restart and see if it is still running.

EDIT: never mind, if it hooks the OS even Safe Mode won't do anything. The only thing left to do is either use a rootkit scanning tool (such as Vice) or completely reimage with a clean copy of Windows.

Another thing you can try is to boot into a Live CD of one of the various Linux distributions to delete the file, because the reason you can't delete it now is (most likely) OS hooks: it can detect when it is deleted and restore itself.