I believe I have a root kit and need help removing it.
System is Dell Precision M90 with WinXP SPIII on it. I run F-Secure Workstation 7.11 as my AV program with all the latest hot fixes.
I was browsing a well known and usually reputable web site that recently had gotten compromised advertisements from a web server. Somehow I got an exploit and ended up with the AntiVirus 2009 virus.
I rebooted to safe mode, disabled the virus from the start with autoruns, rebooted to safe mode again and ran MBAM, and everything seemed to be fine (after also restoring my internet connection from the proxy the virus had set it to).
About a week later I was on the same website (they claimed the problem had been fixed) and a new ad caused Adobe to launch. I quickly shut down Adobe but it was too late. I had a virus that looked the same but said something different for the title, I think it was AntiVirus System Pro or something else bla bla bla Pro. I should say I was running Seamonkey 1.1.18 with Adobe Pro 6.x. My guess is that the Adobe was too old and had some exploit in it. Reading other comments, others got the virus this way as well.
This time I could not boot to safe mode. I got a BSOD when I tried. To fix this I made a Knoppix boot disk and manually deleted the virus's .exe files from my computer. I then could boot to regular mode and used MBAM to remove the leftover fragments. This got rid of the virus but now I have system event log errors EventID 45 and 49 FTDISK errors. Googling that came up with a bunch of atapi.sys related issues and that made me wonder if I had a rootkit.
I ran ComboFix (I know, don't post the log, but hopefully this much is acceptable) and it seems to agree that I have an MBR rootkit and that there are rootkit hooks in CLASSPNP.sys, ACPI.SYS, ATAPI.sys. The other ComboFix comments are Greek to me.
At this point I deleted ATAPI.SYS in the hope that Windows would restore it. This caused an instant BSOD.
I rebooted and got constant virus warnings from F-Secure WKS 7.11 but it could not fix it. The virus was for atapi.sys and was labeled by them as Rootkit.Win32.TDSS.y.
Running ComboFix again made the constant virus pop-up go away.
So thinking I was clever I booted from the Windows disk and did a fixmbr. The app said the MBR was not standard (or something similar) and fixed it, but booting back it was the same. My guess is that the infected .sys files just put it back when I boot. I still can't boot into safe mode, only normal mode. I'm hesitant to use USB keys without more guidance to try to put things back, as I am afraid of spreading this through MBRs. I have too many memories of DOS-day MBR records sounding like the latest STD (from intimate floppy disk contact with any computer that had intimate floppy disk contact with my computer).
Can you help?
Edited by AshevilleHawker, 30 November 2009 - 09:04 PM.