So what was happening was that any search result from Google, Yahoo, Bing, etc. was affected. When clicking on a search result, I got redirected to some spam sites instead. This affected all browsers that I use: Firefox, Chrome, IE (in fact it was Chrome that got me infected...)
I have been searching around for a solution, and finally found it! ... I have seen MANY people in recent days on forum boards with this same issue, so I thought I would share.
I had run MANY scans using MANY tools ... none of which worked (although they found a lot of junk that was included with the same infection; multi-bug infection?)
I had tried Spybot S&D, Avast, Malwarebytes, HijackThis, RootkitRevealer, Ad-Aware, ComboFix (until it was offlined), and a handful more tools ...
Finally, after reading more forum posts and trying out new tools, I tried out GMER.
When I did a scan using GMER, one of the entries (out of some other normal entries, mostly Avast) was atapi.sys with a "suspicious modification" note.
So I did some more googling and found some reports similar to this one: http://remove-malware.com/malware/malware-...-is-everywhere/
Aha! ... nasty rootkit!
Atapi.sys Rootkit is EVERYWHERE!
Posted by malwarekilla in Malware News on 12 8th, 2009 | 15 responses
Man...every client I've seen for the past 2 weeks who was infected with malware also had this Atapi.sys rootkit. I know I've written about this about 2 weeks ago, but I wanted to keep this fresh. If your searches are getting redirected and you've scanned with just about everything you can think of, then there's a pretty good chance your atapi.sys has been patched (Microsoft Security Essentials detects a spawned dll from this rootkit...I think it's called AlureonCT).
One easy way to find out if you have a patched Atapi.sys is to run the latest copy of GMER Anti-RootKit. Upon opening GMER it will run a very fast quick scan. If you see any entries like \DEVICEHARDDISK\Atapi (something like that) or Atapi.sys "suspicious modification" (especially this one), then you're probably dealing with a very nasty rootkit.
For clients that run Windows XP I've just been using Combofix (Combofix disinfects Atapi.sys). For other operating systems (32-bit) I've just been using a bootable anti-malware disc (bartpe) and replacing atapi.sys with one from the Windows disc.
So to fix this I got out my XP SP3 CD ...
browsed the CD to the I386 folder in the command line and ran 'expand atapi.sy_ c:\atapi.sys'
Installed the Recovery Console ( http://support.microsoft.com/kb/307654 )
rebooted, and in the boot menu booted into the Recovery Console
browsed to c:\windows\system32\drivers and deleted the infected file - 'del atapi.sys'
copied the fresh atapi.sys that I had just expanded from my XP disc - 'copy c:\atapi.sys c:\windows\system32\drivers'
did the same for c:\windows\system32\dllcache (that is, I deleted the atapi.sys in dllcache and copied the fresh one in)
[note: before I deleted the infected atapi files, I renamed them and copied them to another folder in case something went wrong]
Then I just rebooted and opened up a browser to test it ... and ...
Hope this helps!
Edited by Amazing Andrew, 20 December 2009 - 06:03 AM.
Mod Edit: Moved From AII - AA
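The post's repair method boils down to one check: compare every live copy of the driver (the one in system32\drivers and the one in dllcache that Windows File Protection restores from) against a known-good copy expanded from install media, and replace any copy that differs. The script below is an added example, not code from the post or from GMER/ComboFix; it performs that comparison by size and SHA-256 on a constructed directory tree (the paths and file contents are made up for the demonstration and stand in for a mounted offline Windows volume and the reference file produced by `expand atapi.sy_`).

```python
"""Offline integrity check of a Windows driver against a known-good reference copy.

Added example. Directory layout and file bytes are constructed here; on a real
system `reference` would be the file expanded from I386\atapi.sy_ and the live
paths would be on the offline (booted-from-media) Windows volume.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so large drivers are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_driver_copies(reference: Path, live_copies: Dict[str, Path]) -> Dict[str, str]:
    """Classify each live copy as 'ok', 'modified' or 'missing' relative to `reference`.

    reference   -- known-good file (e.g. expanded from the install CD)
    live_copies -- label -> path for every location the driver is kept in
    """
    ref_hash = sha256_of(reference)
    ref_size = reference.stat().st_size
    results: Dict[str, str] = {}
    for label, path in live_copies.items():
        if not path.exists():
            results[label] = "missing"
            continue
        # Cheap size comparison first; the hash is what actually decides.
        if path.stat().st_size != ref_size or sha256_of(path) != ref_hash:
            results[label] = "modified"
        else:
            results[label] = "ok"
    return results


def build_demo_tree(root: Path) -> Tuple[Path, Dict[str, Path]]:
    """Create a constructed tree: clean reference, clean dllcache copy, patched drivers copy."""
    clean = b"MZ" + b"\x00" * 62 + b"constructed clean atapi body"          # constructed bytes
    patched = clean + b"\x90" * 16                                           # constructed tampering
    reference = root / "I386" / "atapi.sys"
    drivers = root / "WINDOWS" / "system32" / "drivers" / "atapi.sys"
    dllcache = root / "WINDOWS" / "system32" / "dllcache" / "atapi.sys"
    for p, data in ((reference, clean), (drivers, patched), (dllcache, clean)):
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return reference, {"drivers": drivers, "dllcache": dllcache}


def run_demo() -> Dict[str, str]:
    """Build the constructed tree in a temp dir and return the per-copy verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        reference, live = build_demo_tree(Path(tmp))
        return check_driver_copies(reference, live)


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label}: {verdict}")
```

Two points the post's own procedure already reflects: run the comparison from boot media (Recovery Console or a BartPE disc), because on the infected running system a kernel-resident rootkit can hide the modification from file reads; and replace both the drivers and the dllcache copy, since Windows File Protection will otherwise restore the driver from dllcache.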