8 ответов в этой теме

[Maria Bustillos]

I have run dr.web several times and this virus keeps returning, though status is 'eradicated' it always comes up on the following scan.

(I have the windows version and am running XP)

Thanks for any help you may be able to offer.

Maria

[Stefan Dashich]

Try scanning with beta CureIt! - http://beta.drweb.com/files/?p=%2Fcureit&unreg=t

[drumut]

Turn off system restore because viruses can hide themself into there. Do that scan at secure mode (press f8 while booting up and choose secure mode)

You can read this and this russian forum threads, i believe these would help you too. You can use online-translator.com for translation.

[Maria Bustillos]

Thanks so much for your responses. Unfortunately it's not letting me boot into safe mode. Any ideas?

I'm going to go translate the other posts now!

Thanks again

Maria.

[drumut]

I highly recommend you to run Dr.Web LiveCD if you can't get what you want from cureit.

[Stefan Dashich]

Have you tried beta CureIt! in normal mode?

[Maria Bustillos]

Both my laptop and my desktop are infected. Laptop boots to safe mode, ran beta cure-it--trojan still returned. I am trying a second complete scan now.

Desktop--a mess. I have two drives on this machine, both bootable. Neither can boot to safe mode, though. Nor can they boot to an XP disk. On the other hand, the second drive is clearly not as compromised as my main drive. After running Combo Fix as someone on another site suggested in order to repair safe mode (by installing recovery console) I can no longer boot to the main drive at all: a message appears claiming that there is a problem authenticating my Windows version.

Also: TDSS Killer (Kaspersky) says that atapi.sys is infected on the laptop. The second drive (that I'm writing to you from) on the desktop shows no infection from TDSS Killer.

Two questions. 1) Is it possible that the router is infected?

2) Do you advise removing the infected drive and putting it in another machine that will boot to safe mode? Tedious, but I can do this. There are a couple of extra machines lying around.

Thanks for all your help!

Maria.

[Bashox]

I have the same trojan "backdoor.tdss.565" on my computer with Vista, visited a Dutch website yesterday which resulted in this infection. I only visited this site, nothing downloaded or executed.
Nod32 was active but it did not detect the infection.
When this trojan started to download files from "http://lenina66.com/209.exe" and "269.exe.crypted.exe" nod32 detected the exe files as virusses.
CureIt finds the process in memory "c:\Windows\System32\svchost.exe:1172" and Eradicate it.
However CureIt does not find the source, no infected files found. So the process will return. Currently there is no Rootkit, virusscanner or other tool which detects and removes this trojan.
Tried online scanners, spyware removal progs, rootkit progs like Gmer, tdsskiller and Rootkitrevealer.
So, currently this trojan is on the loose and it seems that no detection or removal is possible. Reinstalling Vista has no use because it can be infected again very quick without protection.

[drumut]

Hello,

1) Is it possible that the router is infected?

Yes it is possible the router infected actually your router may hijacked. You can try to reset your router by reading your router's manual.

2) Do you advise removing the infected drive and putting it in another machine that will boot to safe mode? Tedious, but I can do this. There are a couple of extra machines lying around.

Save this file to your desktop and run it, follow the instructions and after that please check if you can boot at safe mode.

Tried online scanners, spyware removal progs, rootkit progs like Gmer, tdsskiller and Rootkitrevealer.

To find the source there are other tools but they are for professional use.