Even if it says it was deleted it's not... whenever I do the scan it's still there and after I rebooted my laptop I still have the same problems with that Trojan Horse cloning explorer and other system or user files and AVG doesn't find them anymore...
in 10 hours I need to access my secure accounts to work I would really need some help
is it at least safe to access my accounts?
P.S. whenever I open my laptop I have to close down from task manager rundll32.exe for me to be able to even go on the internet.
Im having similar problems to vd233.
I am running XP Professional on my pc. When I encountered this problem and realised it was a virus, I disconnected from the internet. Every time I start up the pc it opens 2 explorer windows with the ip address http://22.214.171.124/.
When I start up it also seems to clone my desktop, so that some of the system files i try to open, open behind the the cloned desktop. You see them briefly when shutting down. e.g. Task manager or if I push windows key + R.....
I am working off my laptop at the moment, so not sure how to get the required info through to you!
Worried about connecting my pc to the internet.
Can I take a photo? (sorry if its a silly question)
I'm lucky I have Windows XP installed on it too but without internet, only a few basic drivers, so I was able to make the bootable USB from there and I left the scan run all night long, when I woke up in the morning he found 3 worms and the scan was frozen.. so I rebooted the laptop.. and when I went back on the bootable usb I chose to see the last result and what I remember is that one was in system32 and one in explorer, I chose the healing option and it said he healed all 3 files, then I scanned it again just to be sure and he found 3 Trojan Horses into Java, I chose the healing option again and the program said he healed only 1 file, when I went back to check the last result it said all the files were healed.
I opened windows vista and the same things happen, when the processes are loading at one point explorer disappears and this other "fake", "cloned" explorer comes into place.. I took a screenshot too so you can see how weird my task manager looks like. ( http://www4.zippyshare.com/i/96108801/22577/task%20manager.jpg )
Whenever I try to use gmer rootscan it freezes (while scanning) and at one point rebooted my laptop too, I tried the older version but I can't even open it up because it instantly freezes. (yes they were renamed into vd233roo.exe)
The normal gmer scan worked.. even if the first time I tried it rebooted my laptop.. and the msinfo was done on the "fake" "cloned" explorer so I hope is still some good.
What I also noticed is that whenever explorer starts and I quickly access task manager and I close rundll32.exe and everything that looks suspicious to me the "cloned", "fake" explorer and invisible notepads don't appear anymore, is that safe for me to work on? Without the "fake", "cloned" explorer?!?
Thanks again for the effort and the help, really appreciate it.
P.S: I had to access my accounts this morning to work a bit I hope they're not compromised... and after I'll post this I'll run the rescue CD again if it finds anything I'll choose renaming this time.
Please also provide us with Gmer anti-rootkit scan results.
If you will not be able to run anti-rootkit scan, you may try to restore master boot record in offline mode.
Right after the MBR is restored, please scan your computer with updated AVG Rescue CD to kill all remains of infection.