Seems one of my kids downloaded a 'game'. While the game is 'free' I'm now paying for it. I'm normally pretty good at finding virus cleanup procedures and removing them. This one seems different.
According to McAfee it is a TDSS variant. McAfee finds the rootkit every time it runs.
I followed the cleanup procedures here -
- Ran RKill (works with either the RKill name or the iexplore.exe download version)
- Downloaded TDSSKiller
I tried running TDSSKiller and the process ended immediately. I can see the process starting in Process Explorer but it doesn't last long.
I renamed it to a random name. The same thing occurred. It's almost as though, whatever the trojan is doing, it recognized the signature of the executable.
I did all the steps specified in the 'how to submit a request' (disabled the CD emulator, ran DDS and GMER) and attached the logs.
One interesting thing - I really hated how it used IE to hit the web and download things. I took ownership of the IE executable and marked it as 'not executable' by anyone. I see events stating that a DCOM process is failing. I also noticed that my machine will run out of memory if left logged on long enough. It seems the trojan code doesn't like that much. It's a small victory I guess. It felt a little good.
I appreciate your help and am thanking you ahead of time. It's very impressive reading how you folks help others on this forum.
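The "take ownership and mark it non-executable" step described in the post, written out as an added PowerShell example (this is not from the original post or from any of the tools mentioned). It assumes an elevated prompt, assumes Internet Explorer lives at its default path, and uses the built-in takeown and icacls utilities; the verification at the end confirms the Deny entry landed and that launching the binary now fails.

```powershell
# Added example, not part of the original post.
# Deny Execute on a binary the malware is known to launch, as the poster did
# for iexplore.exe. Run from an elevated PowerShell prompt.
# Assumption: IE is installed at its default location.
$target = 'C:\Program Files\Internet Explorer\iexplore.exe'

# 1. Take ownership. System binaries are normally owned by TrustedInstaller,
#    and only the owner (or an admin who becomes owner) can rewrite the ACL.
takeown.exe /F $target | Out-Null

# 2. Add a Deny ACE for Execute to Everyone (S-1-1-0). Deny entries are
#    evaluated before Allow entries, so this overrides the existing
#    Read & Execute grant for Users and Administrators alike.
icacls.exe $target /deny '*S-1-1-0:(X)' | Out-Null

# 3. Verify the ACL now carries a Deny entry that includes ExecuteFile.
$acl = Get-Acl -Path $target
$denyExec = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
}
if (-not $denyExec) {
    throw "Deny-execute ACE was not applied to $target"
}

# 4. Verify that launching the binary is actually refused. A successful
#    launch means a more specific Allow ACE is still winning and needs a look.
try {
    Start-Process -FilePath $target -ErrorAction Stop
    Write-Warning "$target still launched; inspect the ACL with: icacls.exe `"$target`""
} catch {
    Write-Host "Execute denied as intended: $($_.Exception.Message)"
}

# To undo once the machine is clean, remove the Deny entry for Everyone:
#   icacls.exe $target /remove:d '*S-1-1-0'
```

Note that this blocks the file by content-independent ACL, not by name, so it keeps working even if the malware copies or renames the binary elsewhere only as long as the copy inherits or receives the same Deny entry; a fresh copy written to a directory the malware controls would not be covered.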