What entry makes you believe you have this virus?

ATF-Cleaner
Please download ATF Cleaner by Atribune. Save it to your desktop. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All. Click the Empty Selected button.

If scanning hidden files ...

How's the system running?

It has done this 1 time(s).

14/06/2009 17:33:46, error: Dhcp - The IP address lease 172.16.22.213 for the Network Card with network address 0016D4584EA1 has been denied by the DHCP Source
Your logs appear clean.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

C:\Documents and Settings\Sarah B\Local Settings\Temporary Internet Files\Content.IE5\CQNMOI6W\iframe.htm scheduled to be deleted on reboot.
File delete failed.

Instructions shown here - http://forum.kaspersky.com/index.php?showt...st&p=678328
Your PC will restart when running, so save and exit all non-essential programs before doing so.

CODE
begin
SetAVZGuardStatus(True);                                // block other processes while the script runs
SearchRootkit(true, true);                              // look for kernel/user-mode hooks first
QuarantineFile('C:\Program Files\PAV\pav.exe','');      // keep a copy of the rogue AV before removing it
DeleteFile('C:\Program Files\PAV\pav.exe');
BC_ImportDeletedList;                                   // hand the delete list to BootCleaner for locked files
ExecuteSysClean;
BC_Activate;
RebootWindows(true);                                    // changes take effect on restart
end.
-----------------
Afterwards post a ComboFix log. Download it here: http://www.bleepingcomputer.com/forums/t/234103/trojanwin32tdssaegg/
The following corrective action will be taken in 5000 milliseconds: Restart the service.

15/06/2009 13:59:02, error: DCOM - DCOM got error "%1084" attempting to start the service StiSvc with arguments

They may otherwise interfere with our tools.

Double click on ComboFix.exe & follow the prompts.

I would get constant adverts to buy WINDefender and when I search Google for something, it would take me to a weird webpage.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have. Please observe these rules while we work: I will be working on your Malware issues
As requested from the previous member here are my HijackThis and DDS logs:

HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:07:47, on 15/06/2009
Platform: Windows XP SP3 (WinNT

Nowadays a big part of infections are from P2P networks, and that's why I recommend uninstalling P2P client software.

It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use. Using this tool incorrectly could lead to disastrous problems
The CPU usage is 0% most of the time, but in Task Manager PF Usage is not less than 7 bars, and usually 8.

This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

I'll try to have a look again to make sure I have removed all its contents. There are a few leftovers from Norton which we can get rid of.

I have been reading on

Click continue.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 20/02/2007 06:34:38
System Uptime: 15/06/2009 14:01:41 (0 hours ago)
Motherboard: Acer |

https://forums.pcpitstop.com/index.php?/topic/169667-backdoor-rootkit-2-resolved/

Have installed a version of Kaspersky and on scanning it finds Trojan Program Trojan.Win32.TDSS.aegg, in file globalroot\system32\UACxbrqrhxejhemtif.dll. When I try to get Kaspersky to neutralise the infection, it comes back file

Cheers.

OTL logfile created on: 19/06/2009 18:28:40 - Run 1
OTL by OldTimer - Version 184.108.40.206 Folder = C:\Documents and Settings\Andrew\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type =
Select Perform full scan, then click on Scan. Leave the default options as they are and click on Start Scan. When done, you will be prompted.

The code in the infected driver file acts as a rootkit and loader that directs the computer to load its main routines.

Here is the link you requested. http://www.getsysteminfo.com/read.php?file...083ac9e160daa09

dawgg 5.06.2009 13:58
Download and save GMER onto your desktop. Disconnect from the internet, exit Kaspersky and run GMER.

Is there any red text in that screen?

scanning hidden autostart entries ...
Buckeye_Sam, Malware Expert, posted 16 June 2009 - 04:52 PM
Let's try something different. Delete combofix.exe.

It will scan and the log should open in Notepad. Click on Edit > Select All, then click on Edit > Copy to copy the entire contents of the log. Come back here and please post the C:\ComboFix.txt so we can continue cleaning the system.
If you don't want to uninstall, you still have to make sure that any P2P programs present are disabled.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:
combofix /u
This will uninstall ComboFix and delete ComboFix's quarantine folder.

HERE
Click on the erunt-setup.exe. Follow the prompts to install ERUNT. Choose language. A set up window will pop up.

NtpClient will try the DNS lookup again in 15 minutes.
The Trojan infects a system driver file with its own code.

Everything appears to be working normally now.

You will be prompted to install an application from Kaspersky.

Thank you again for all your assistance.

06-08-2009, 03:47 PM #28 chemist, Security Team Moderator, Analyst Rangemaster, TSF Academy
MS Office and other applications working ok.
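The Kaspersky detection quoted above names the dropped component globalroot\system32\UACxbrqrhxejhemtif.dll: the literal prefix "UAC" followed by a run of random lowercase letters. The script below is an added example, not code from any of the forums or tools quoted on this page, and it generalises from that single file name into a simple listing check for files of the same shape. The regular expression, the minimum length of the random part, the extension list and the sample directory listing are all assumptions made for illustration, not a vendor signature. One caveat matters for a rootkit of this kind: on the live infected machine the driver can hide the file from ordinary directory listings, so an empty result from this check proves nothing; run it against the disk from a clean boot (or an offline copy of the Windows folder), or rely on a hidden-file scanner such as GMER as the helpers above do.

```python
import os
import re
from typing import Iterable, List


# Assumed naming pattern, derived from the one file reported on this page
# (UACxbrqrhxejhemtif.dll): prefix "UAC", at least eight random lowercase
# letters, and a driver/library/data extension. Illustrative only, not a
# vendor signature; a hit is something to investigate, not proof.
TDSS_NAME_RE = re.compile(r"^UAC[a-z]{8,}\.(?:dll|sys|dat|db|log)$")


def suspicious_names(names: Iterable[str]) -> List[str]:
    """Return the entries whose base name fits the assumed TDSS naming pattern.

    Entries may carry a relative directory such as 'drivers\\x.sys';
    backslashes are normalised so the check also works on a non-Windows host.
    """
    hits = []
    for name in names:
        base = os.path.basename(name.replace("\\", "/"))
        if TDSS_NAME_RE.match(base):
            hits.append(name)
    return hits


def scan_directory(path: str) -> List[str]:
    """Walk a directory tree (for example an offline copy of WINDOWS\\system32)
    and return the full paths of files matching the pattern."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for f in suspicious_names(files):
            hits.append(os.path.join(root, f))
    return hits


# Constructed sample listing: ordinary XP system32 names, the file the page
# reports, one constructed file of the same shape, and two decoys that must
# not match.
SAMPLE_LISTING = [
    "kernel32.dll",
    "ntoskrnl.exe",
    "UACxbrqrhxejhemtif.dll",          # reported on the page as Trojan.Win32.TDSS.aegg
    "drivers\\UACqwjrtpzklmnvb.sys",   # constructed: same shape, in the drivers folder
    "UACd.sys",                        # constructed decoy: random part too short
    "uacinit.dll",                     # constructed decoy: prefix is not upper-case "UAC"
]

if __name__ == "__main__":
    import sys
    # With a path argument, scan that tree; otherwise run over the sample.
    if len(sys.argv) > 1:
        for hit in scan_directory(sys.argv[1]):
            print(hit)
    else:
        for hit in suspicious_names(SAMPLE_LISTING):
            print(hit)
```

Run without arguments it prints the two matching sample names; run as `python script.py <path to an offline system32 copy>` it walks the tree. Pair any hit with the hidden-file and driver-hook checks the helpers above ask for (GMER, ComboFix), since the name pattern alone is the weakest part of the evidence.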