This is a Windows domain, and the rootkit and trojan both downloaded on a user account. I scanned as administrator and as the user (limited privileges). I couldn't scan with TDSS Killer on the user account as it needs an elevated account, and Run as... did not work. Also, RKill did not run properly after many tries, in both safe mode and normal mode.
For now I just added some extra characters to the filenames of the suspicious files. I want to make sure this is absolutely gone, as problems keep cropping up on this computer. Also, if there's any way to prevent this type of thing from downloading, please advise. Our AV finds these things, but sometimes not until after the user clicked off and allowed the malware to install.
Steps I took:
Booted in safe mode, logged in as infected user.
Ran RKill (IExplore variant). Access denied.
Ran Malwarebytes. Found and deleted files. Rebooted.
Logged in as administrator, ran Malwarebytes. Found and deleted trojan.dropper. Rebooted.
Logged back in as user, ran TDSS Killer. Would not initialize.
Logged back in as administrator. Ran TDSS Killer. Nothing found.
Ran SUPERantispyware custom scan. Only cookies found.
Logged in as user. Ran SUPERantispyware. No infections found.
Program on taskbar, desktop icon, Start Menu entry, and suspicious files in All Users\Application Data still remain. The Start Menu listing has an uninstall option, but I didn't want to try that without advice.
Computer is running Win XP SP3.
Edited by sproffice, 13 June 2012 - 02:56 PM.
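The post above lists the leftovers by where they appear (taskbar, desktop icon, Start Menu entry, files under All Users\Application Data) but not what they point at or whether anything still autostarts. The script below is an added example, not something from the original post or from any of the tools named in it. It walks the common autostart registry keys, the Winlogon Shell/Userinit values, the Start Menu, Startup, Desktop and Quick Launch folders, and the All Users\Application Data directory on an XP SP3 machine, resolves each shortcut to its target and prints a SHA-256 for every executable it finds, so the remaining items can be tied to concrete files and hashes that can be checked against the AV vendor. It assumes Windows PowerShell 2.0 has been installed on the XP box (it is not there by default) and that the shell is started from the administrator account, since the limited user cannot read some of these locations.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 2.0 on XP SP3,
# run from an administrator account. Read-only: it lists and hashes, it does not delete.
$ErrorActionPreference = 'SilentlyContinue'

function Get-Sha256 {
    # SHA-256 of a file via .NET, since Get-FileHash does not exist in PowerShell 2.0
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

# 1. Autostart registry keys that droppers commonly write to
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if ($props -eq $null) { continue }
    # Skip the PSPath/PSParentPath/... bookkeeping properties; the rest are the autorun values
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        "{0}\{1} = {2}" -f $key, $_.Name, $_.Value
    }
}

# 2. Winlogon values that rootkits hijack; on a clean XP these are
#    Shell = Explorer.exe and Userinit = C:\WINDOWS\system32\userinit.exe,
$winlogon = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Winlogon Shell    = {0}" -f $winlogon.Shell
"Winlogon Userinit = {0}" -f $winlogon.Userinit

# 3. Shortcut locations named in the post: Start Menu entry, desktop icon, taskbar (Quick Launch)
$wsh = New-Object -ComObject WScript.Shell
$folders = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Start Menu\Programs",
    "$env:USERPROFILE\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)
foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -Recurse -Filter '*.lnk' | ForEach-Object {
        $target = $wsh.CreateShortcut($_.FullName).TargetPath
        if ($target -and (Test-Path -Path $target)) {
            "{0} -> {1}  sha256={2}" -f $_.FullName, $target, (Get-Sha256 $target)
        } else {
            # A renamed target (as the poster did) shows up here as a dangling shortcut
            "{0} -> {1}  (target missing)" -f $_.FullName, $target
        }
    }
}

# 4. Executables under All Users\Application Data, newest first; recent drops float to the top
Get-ChildItem -Path "$env:ALLUSERSPROFILE\Application Data" -Recurse -Include '*.exe','*.dll','*.scr' |
    Sort-Object -Property LastWriteTime -Descending |
    ForEach-Object { "{0}  {1}  sha256={2}" -f $_.LastWriteTime, $_.FullName, (Get-Sha256 $_.FullName) }
```

Run it once from the administrator account and once from the infected user account (the HKCU keys, Desktop and Quick Launch are per-user, so the two runs will differ), and keep the output before touching anything: the hashes let the AV vendor or the helper in the thread confirm what the leftover files are, and a Run value or Winlogon entry that still references one of the renamed files is the autostart the rebooted scans kept missing. The script deliberately changes nothing; removal of whatever it turns up should wait for the advice the poster asked for.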