I see more people have had this virus/trojan and you guys helped them solve it.
I've read those topics and tried some things out myself (since I think of myself as above amateur level and won't screw things up).
That didn't really work out though!
A once or twice per day redirect to an obscure search engine website (mfeed is the most popular). (All those sites are blocked by a tool I have named "PeerBlock"; this is a tool that blocks around 800 million IPs from all over the world.)
And I had a "random 6 characters .exe" in my "C:\Documents and Settings\kikker\Local Settings\temp" folder (kikker is my main and only user on this PC).
I manually deleted this in several folders. (As far as I know it isn't on the computer anymore, but I am 100% certain that it is not running in the task manager when I am looking.)
Tools installed before/when everything happened:
ZoneAlarm firewall (antivirus disabled)
AVG Free antivirus
Spybot Search and Destroy
All these tools are up to date.
My Win XP Pro SP2 edition is NOT updated with the latest updates. Last update was around May 2009. (I don't think the Windows Genuine Advantage is really an advantage in my situation ^_^)
What I did so far:
Installed and used:
Kaspersky online virus scan of the c:\windows folder
There was no report of any virus or trojan detected with any of the above named tools.
Combofix did say it detected a rootkit. But when I restarted, nothing happened. So it probably is still there.
And I have tried to replace my "C:\WINDOWS\system32\drivers\atapi.sys" file with:
C:\cmdcons\ATAPI.SY_ (used the expand command for it)
and from a zip file "CurrentControlSet-Atapi.zip" I found somewhere on these forums.
I also did a scan with GMER. The problem with this scanner is that if I use ANYthing else my computer freezes. (I can still move the mouse, but that's about it.)
Therefore it will not make a logfile! (I tried 4 full scans and 2 scans with fewer options on, but that doesn't matter.)
I think the most important things out of this scan are:
C:\WINDOWS\system32\drivers\kl1.sys (suspicious modification)
C:\WINDOWS\system32\drivers\atapi.sys (suspicious modification)
Logfiles of DDS.scr and HijackThis in attachment. I used Defogger to disable emulation software.
If you need more info, just ask for it :D
Added Radix log.txt.
Big note: Radix crashes EVERY time on the same spot. (See last line of logfile.)
BTW, some logs do have the Dutch language in them. If you need translation just say what parts need to be translated!
Did a Sophos Anti-Rootkit scan: nothing big. Like 300 hidden files but none of them had a risk. (No logfiles.)
Also did an MBAM scan again, see logfile.
Edited by tester12345, 16 May 2010 - 02:33 PM.