virus that starts with network

September 20, 2011 at 11:41:05
Specs: Windows XP
It starts a process called 2851459059:204474966.exe when you enable networking, and this disables all anti-virus programs from running. Has anyone experienced this, and have you any suggestions?


September 20, 2011 at 13:53:14
That looks like an ADS infection... It's kind of strange it wouldn't append this to a benign process...

I'd suggest keeping the NIC disabled and looking at common malware load-points in the registry, cleaning them up and rebooting the machine.


September 20, 2011 at 14:36:04

The information provided does show the characteristics of the ZeroAccess Rootkit.

First, let's take care of this file:
It throws a wrench in the works, and programs will not run successfully...

Please download

Unzip the folder:
• Right-click and select: Extract all
• Follow the prompts to extract

Open the new folder that appears on the Desktop:
• Double-click DummyCreator/DummyMaker to run the tool.

• Now, copy/paste the following into the blank area:


• Press the 'Create' button.

Save the content of the 'Result.txt' to your Desktop, and post it in your reply.

Next, restart the computer!

We will proceed to the next step once you post the above results.

Please do not run any malware removal programs while we are in the process of making repairs. Doing so may just make matters worse, and that, you do not want!


Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals


September 23, 2011 at 05:15:49
I found this thread when researching the same, or very similar virus. Characteristics include:
- starts when networking is enabled
- not detectable by many virus scanners or rootkit detectors in safe mode
- once networking is enabled, kills virus scanners and changes permissions so they are not runnable again without changing permissions
- no virus activity with network disabled or in safe mode
- the 2851459059:204474966.exe is a different number on my system. Making the number a dummy file read-only prevents the virus from running it; however, the virus still operates without it.
- with networking enabled, Malwarebytes detects outgoing IP addresses to malware sites
- browser hijack
- eventual svchost runaway process (100% CPU)
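
Added example (not part of the thread or any poster's tooling): a triage helper that flags process image paths naming an NTFS alternate data stream (a colon inside the file name), which is the shape of the 2851459059:204474966.exe name reported above. The sample paths, the directory names and the digits-only heuristic are assumptions made for illustration.

```python
import re

# Constructed sample image paths, as a process listing might report them.
SAMPLE_IMAGES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\2851459059:204474966.exe",        # name from the thread; directory is constructed
    r"\\?\C:\WINDOWS\1122334455:987654321.exe",    # constructed variant
    r"C:\WINDOWS\explorer.exe:payload.exe:$DATA",  # constructed
    "smss.exe",
]

_PREFIX = re.compile(r"^\\\\[?.]\\")   # \\?\ or \\.\ device prefix
_DRIVE = re.compile(r"^[A-Za-z]:")     # the one colon a normal path may contain


def split_stream(image_path):
    """Return (host_file, stream_name); stream_name is None if no ADS is named."""
    path = _PREFIX.sub("", image_path.strip().strip('"')).replace("/", "\\")
    drive = _DRIVE.match(path)
    head = drive.group(0) if drive else ""
    rest = path[len(head):]
    leaf = rest.rsplit("\\", 1)[-1]
    if ":" not in leaf:
        return path, None
    host, stream = leaf.split(":", 1)
    if stream.upper().endswith(":$DATA"):   # drop the default stream-type suffix
        stream = stream[: -len(":$DATA")]
    return head + rest[: len(rest) - len(leaf)] + host, stream


def find_ads_images(images):
    """Return one record per image path that executes from a named stream."""
    hits = []
    for image in images:
        host, stream = split_stream(image)
        if stream is None:
            continue
        host_leaf = host.rsplit("\\", 1)[-1]
        stem = stream.rsplit(".", 1)[0]
        hits.append({
            "image": image,
            "host_file": host,
            "stream": stream,
            # Assumed heuristic: the thread reports digits:digits.exe names.
            "numeric_pair": host_leaf.isdigit() and stem.isdigit(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_ads_images(SAMPLE_IMAGES):
        print(hit)
```

Because the numbers differ from machine to machine, the check keys on the colon in the file name rather than on any specific value.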
