I am a complete new fish at all these weird Malware / Rootkit problems, so firstly I turned to the chaps at GMER, who directed me to your website since I ran their program and couldn't interpret the results: but I definitely have one or more problems with my system:
GMER said that this file was infected: C:\WINDOWS\system32\drivers\atapi.sys is infected. So I am supposed to use "Recovery Console" to replace the file. I managed to download the file to my system, but haven't tried to use it as I don't know what I am doing.
Then AVG, every 2 minutes (or less), comes up with a threat detection whenever I am connected to the internet. I just move it to the virus vault, but it looks like it copies itself with a different 4-letter .tmp designation every time:
I would have attached the screen grab image, but I can't seem to upload screenshots in this section. (Please excuse me if I am blind!)
If I leave it for an hour or more, then AVG flashes up a 'multiple threat detection' and the code is the same except for the 4-letter code before the .tmp, like so:
If left longer, I can have hundreds of these found by AVG.
Also, I run AVG every day and it finds and removes the following worms, but every day AVG keeps finding them and removing them over and over again:
"C:\WINDOWS\system32\csrss.exe (936):\memory_00270000";"Trojan horse Vundo.IY";"Moved to Virus Vault"
"C:\WINDOWS\system32\csrss.exe (936)";"Trojan horse Vundo.IY";"Reboot is required to finish the action"
The only thing that changes is the numbers in the brackets:
"C:\WINDOWS\system32\csrss.exe (944):\memory_00270000";"Trojan horse Vundo.IY";"Moved to Virus Vault"
"C:\WINDOWS\system32\csrss.exe (944)";"Trojan horse Vundo.IY";"Reboot is required to finish the action"
I have the DDS.txt, Attach.txt and ark.txt all available if required.
I hope someone can help...!
I use daily QUAD Registry Cleaner, Malwarebytes Anti-Malware and the latest version of Ad-Aware. None of these have helped with my problem. They remove some problems, but not these ones...
Edited by ed37, 14 December 2009 - 09:13 PM.
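As an added illustration (not part of the post above, and not AVG's or GMER's own code): the four AVG lines quoted in the post differ only in the process ID, which is the tell that the same infection is being recreated in csrss.exe after every cleanup rather than being a one-off. This Python snippet parses that semicolon-separated AVG export format (an assumption about the layout, based only on the lines quoted), strips the PID and memory address, and reports which image/threat pairs keep coming back under new PIDs.

```python
import csv
import re
from collections import defaultdict
from io import StringIO

# Sample input constructed from the four AVG log lines quoted in the post.
AVG_LOG = r'''
"C:\WINDOWS\system32\csrss.exe (936):\memory_00270000";"Trojan horse Vundo.IY";"Moved to Virus Vault"
"C:\WINDOWS\system32\csrss.exe (936)";"Trojan horse Vundo.IY";"Reboot is required to finish the action"
"C:\WINDOWS\system32\csrss.exe (944):\memory_00270000";"Trojan horse Vundo.IY";"Moved to Virus Vault"
"C:\WINDOWS\system32\csrss.exe (944)";"Trojan horse Vundo.IY";"Reboot is required to finish the action"
'''.strip()

# "<image path> (<pid>)" optionally followed by ":\memory_<hex address>".
_LOCATION_RE = re.compile(
    r"^(?P<path>.+?) \((?P<pid>\d+)\)(?::\\memory_(?P<addr>[0-9A-Fa-f]+))?$"
)


def parse_avg_log(text):
    """Parse semicolon-separated, double-quoted AVG detection lines (assumed format)."""
    records = []
    for row in csv.reader(StringIO(text), delimiter=";", quotechar='"'):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        location, threat, action = row
        m = _LOCATION_RE.match(location)
        if m is None:
            # Plain file detections carry no PID; keep the location as the path.
            records.append({"path": location, "pid": None, "addr": None,
                            "threat": threat, "action": action})
            continue
        records.append({"path": m.group("path"), "pid": m.group("pid"),
                        "addr": m.group("addr"), "threat": threat, "action": action})
    return records


def recurring_detections(records):
    """Map (image path, threat) -> set of PIDs for detections seen under more than one PID.

    The same image being flagged again under a fresh PID means the removal is
    not sticking: something on disk (here the patched atapi.sys GMER flagged)
    is re-injecting the code on every boot, so the driver must be fixed first.
    """
    pids = defaultdict(set)
    for rec in records:
        if rec["pid"] is not None:
            pids[(rec["path"], rec["threat"])].add(rec["pid"])
    return {key: seen for key, seen in pids.items() if len(seen) > 1}
```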