A few days ago, my antivirus software (Norton Internet Security 2010, latest updates) suddenly showed me several messages concerning malicious files, programs that were started automatically and were attacking computers, mainly from Asian IPs. After that, I got ad popups when using Google in any browser. I am sure I did not do anything with my PC at exactly that moment of the virus detection. But I had several programs started.
I used Google and found the TDSSKiller application from Kaspersky, which seemed to be exactly for my situation. I ran the tool, it found a rootkit in atapi.sys and it wanted to do a reboot. After the reboot, I ran the tool again. Same message, rootkit in atapi.sys. Another reboot, same thing.
I booted with BartPE and replaced the atapi.sys with a clean one from my notebook (I replaced 4 files in several folders). After a reboot, I got a bluescreen with the error code for "inaccessible boot device". After a lot of research I used a remote registry tool within BartPE and found out that in the atapi section of "CurrentControlSet" a file called "tmp36.sys" was called. I replaced the entry with atapi.sys and rebooted - no bluescreen this time.
I ran TDSSKiller again, this time only one reboot, but it still did not work. Then I ran "Norman TDSS Cleaner", which also found a rootkit. I tried several reboots with this tool, but it always found the same things and did not remove them.
I booted again with BartPE and again replaced atapi.sys with a clean version, this time also the cdrom.sys and redbook.sys, because I have read that these files can also be infected. After a reboot I had the same situation. TDSSKiller and the Norman tool find the rootkit, but cannot remove it. Norton Internet Security and the Microsoft Malicious Software Removal Tool do not find anything.
What can I do? I have been working on this problem since Wednesday.
Edited by King555, 17 April 2010 - 01:02 PM.
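The registry finding in the post (the atapi service pointing at tmp36.sys instead of atapi.sys) is the kind of thing a defender can audit systematically. The script below is an added example, not part of the original post and not code from any of the tools mentioned (TDSSKiller, Norman TDSS Cleaner, Norton, MSRT). It walks the kernel-mode driver services under CurrentControlSet and reports entries whose on-disk image name does not match the service name, whose image lives outside System32\drivers, or whose binary is missing or fails an Authenticode check. It assumes an elevated PowerShell prompt on the suspect machine; the watch list of service names (atapi, cdrom, redbook) is taken from the post, and the Resolve-DriverImagePath helper is a hypothetical name written for this example.

```powershell
# Added defensive audit (not from the original post): list kernel-mode driver
# services under CurrentControlSet whose registered image looks suspicious.
# Run from an elevated PowerShell prompt on the suspect machine.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SystemRoot  = $env:SystemRoot

# Services the post names as infection targets; extend as needed.
$WatchList = @('atapi', 'cdrom', 'redbook')

function Resolve-DriverImagePath {
    # Hypothetical helper for this example: turn the raw ImagePath value into
    # an absolute path the way the service loader would interpret it.
    param([string]$ServiceName, [string]$RawImagePath)
    # An empty ImagePath means the loader falls back to System32\drivers\<name>.sys
    if ([string]::IsNullOrWhiteSpace($RawImagePath)) {
        return Join-Path $SystemRoot "System32\drivers\$ServiceName.sys"
    }
    $p = [Environment]::ExpandEnvironmentVariables($RawImagePath.Trim('"'))
    if ($p -match '^\\SystemRoot\\(.+)$')        { return Join-Path $SystemRoot $Matches[1] }
    if ($p -match '^\\\?\?\\(.+)$')              { return $Matches[1] }
    if ($p -match '^system32\\(.+)$')            { return Join-Path $SystemRoot "System32\$($Matches[1])" }
    if (-not [System.IO.Path]::IsPathRooted($p)) { return Join-Path $SystemRoot $p }
    return $p
}

$findings = foreach ($svc in Get-ChildItem $ServicesKey) {
    $props = Get-ItemProperty $svc.PSPath
    # Type 1 = kernel driver, 2 = file system driver; skip user-mode services
    if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }

    $name    = $svc.PSChildName
    $path    = Resolve-DriverImagePath -ServiceName $name -RawImagePath $props.ImagePath
    $leaf    = [System.IO.Path]::GetFileName($path)
    $reasons = @()

    # 1. Image name differs from service name (the post's atapi -> tmp36.sys case)
    if ($leaf -ine "$name.sys") {
        $reasons += "image name '$leaf' differs from service name"
    }
    # 2. Image registered outside System32\drivers
    if ($path -inotlike (Join-Path $SystemRoot 'System32\drivers\*')) {
        $reasons += "image outside System32\drivers ($path)"
    }
    # 3. Image missing on disk, or not carrying a valid Authenticode signature
    if (-not (Test-Path $path)) {
        $reasons += 'image file not found on disk'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    }

    # Always show the watched services so their current ImagePath is visible
    if ($reasons.Count -gt 0 -or ($WatchList -contains $name)) {
        [PSCustomObject]@{
            Service   = $name
            ImagePath = $path
            Reasons   = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

The name-mismatch rule is a heuristic: a few legitimate services register an image whose file name differs from the service name, so treat that reason as a prompt to look closer, not as proof of tampering. The signature check depends on catalog signature support in the OS and PowerShell version, so on older systems many genuine Microsoft drivers will show NotSigned; the strongest signals are a watched service pointing at an unexpected file name or at a path outside System32\drivers, which is exactly what the post's remote registry inspection uncovered.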