I am dealing with a friend's computer which seems to have a bad case of various malware and possibly rootkit(s). She had some guests over and their 15-year-old was the last person using the computer before the symptoms appeared; he either caught it from some online gaming site or possibly some pr0n site (can't tell, all history has been wiped).
The original symptoms were that the computer pretty much refused to do anything. She had a friend over to help and they did a full scan with AVG in safe mode; this found and removed a few of the problems but not all:
- Trojan Horse Downloader Generic.9.BNNG
- Trojan Horse Crypt.SAF
- Trojan Horse Cryptic.EA
- Trojan Horse Rootkit-Agent.DI
All searches on Google redirected to spurious other search pages which then redirected again to other pages (usually IP addresses instead of URLs, which seem related to the Goored infection) containing malware payloads, some of which were caught/flagged by AVG Resident Shield.
XP Firewall was disabled and notifications turned off in the Security Centre.
Another full scan revealed nothing, but while it was running the AVG Resident Shield caught some infected files containing that last Rootkit-Agent in the above list; the file was C:\windows\system32\drivers\ndis.sys, which could not be cleaned as the process involved was svchost.exe from the system32 folder once again.
I restarted from the XP CD and replaced that file with the one from the CD, to no avail: it came up again flagged by the Resident Shield.
I disabled System Restore, did a cleanup with CCleaner, and installed Malwarebytes, which found and removed even more stuff.
Rescanned with AVG and Malwarebytes once again.
Still no dice; the redirects from Google have now stopped, but Firefox is opening random tabs which, if not closed, redirect to pages with malware payloads.
That ndis.sys file was flagged again, this time as C:\windows\system32\dllcache\ndis.sys.
I downloaded GMER, which flags C:\windows\system32\drivers\atapi.sys as having a suspicious modification, and mousclass.sys in the same folder.
I am keeping her machine off the internet unless I need to download something else to fix the problem.
I am now at a loss as to what the next step should be, so I'll be waiting for instructions as to what to do next.
If needed I have GMER and HJT logs ready to post.
The machine is running XP SP2.
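One check that the post's sequence of events calls for, added here as an example and not part of the original post: on XP, Windows File Protection restores a protected driver from %systemroot%\system32\dllcache, so swapping only the copy in system32\drivers does nothing while the dllcache copy is still tampered (which matches ndis.sys being flagged a second time under dllcache). The script below, written for this thread rather than taken from any tool mentioned in it, hashes each driver in both locations against a known-good manifest and reports the three distinct situations a responder needs to tell apart. The directory tree, file contents and manifest hashes are constructed for the demonstration; on a real machine the manifest would be built from the install media or the vendor's published file hashes, and the script would be pointed at an offline-mounted system32.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_drivers(system32: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare each driver in system32\\drivers and system32\\dllcache to a
    known-good SHA-256 manifest. Returns {driver name: [findings]}; an empty
    list means both copies match the manifest."""
    drivers = system32 / "drivers"
    dllcache = system32 / "dllcache"
    findings: Dict[str, List[str]] = {}
    for name, expected in manifest.items():
        notes: List[str] = []
        live, cached = drivers / name, dllcache / name
        live_hash = sha256_of(live) if live.is_file() else None
        cache_hash = sha256_of(cached) if cached.is_file() else None
        if live_hash is None:
            notes.append("missing from drivers")
        elif live_hash != expected:
            notes.append("drivers copy differs from known-good")
        if cache_hash is None:
            notes.append("missing from dllcache")
        elif cache_hash != expected:
            notes.append("dllcache copy differs from known-good")
        # The case from the post: a clean file restored into drivers while
        # dllcache still holds the tampered one, so WFP will undo the repair.
        if live_hash and cache_hash and live_hash != cache_hash:
            notes.append("drivers and dllcache copies disagree")
        findings[name] = notes
    return findings


def build_demo_tree() -> Tuple[Path, Dict[str, str]]:
    """Constructed stand-in for an XP system32 directory (no real driver bytes).
    ndis.sys: clean in drivers (replaced from CD), tampered in dllcache.
    atapi.sys: tampered in both locations.
    disk.sys: clean in both, as a control."""
    root = Path(tempfile.mkdtemp(prefix="xp_system32_"))
    (root / "drivers").mkdir()
    (root / "dllcache").mkdir()
    good = {
        "ndis.sys": b"CONSTRUCTED clean ndis.sys image",
        "atapi.sys": b"CONSTRUCTED clean atapi.sys image",
        "disk.sys": b"CONSTRUCTED clean disk.sys image",
    }
    tampered_ndis = good["ndis.sys"] + b" PATCHED"
    tampered_atapi = good["atapi.sys"] + b" PATCHED"
    (root / "drivers" / "ndis.sys").write_bytes(good["ndis.sys"])
    (root / "dllcache" / "ndis.sys").write_bytes(tampered_ndis)
    (root / "drivers" / "atapi.sys").write_bytes(tampered_atapi)
    (root / "dllcache" / "atapi.sys").write_bytes(tampered_atapi)
    (root / "drivers" / "disk.sys").write_bytes(good["disk.sys"])
    (root / "dllcache" / "disk.sys").write_bytes(good["disk.sys"])
    # Manifest of known-good hashes, derived from the constructed clean images.
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in good.items()}
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_demo_tree()
    for name, notes in audit_drivers(root, manifest).items():
        print(f"{name}: {'; '.join(notes) or 'OK'}")
```

Running the demo prints one line per driver: ndis.sys reports only the dllcache copy as bad plus the two copies disagreeing, atapi.sys reports both copies as bad, and disk.sys reports OK. A hash audit run from inside the infected OS can still be fooled by a kernel-level rootkit that filters file reads, which is why the check belongs on an offline copy of the disk.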