virus in atapi.sys

psaila

Member
I just formatted my drives and installed Windows 7. AVG keeps popping up a window saying that the file atapi.sys has been attacked by a trojan. I had Avira before and it gave the same message. What is this and what should I do? I ran Malwarebytes and it did not detect it.

Thanks
 
Right-click on Computer and click on Properties; it will tell you which operating system you have and whether it is 32-bit or 64-bit.
 
It's 32-bit. I ran AVG in Windows safe mode; it found the threat but did not clean it. I ran Malwarebytes and it does not detect it. What can I do???
 
When ComboFix becomes available for download you can download it and run it, and it will disinfect that file and remove any other possible hidden infections you have. However, I'm not sure when the file will be available for download, as they are fixing it at the moment. It could be today, tomorrow, or whenever. Here is the link for it, but only click on the Bleeping Computer link on that page to download it; it says it's down right now.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
Thanks. It still says unavailable, but I subscribed to their Facebook page and they said they will announce it there when it is available.
 
I downloaded the beta and it scared me, because it said not to run it if you are not ready to buy a new machine, so I think I will wait for the finished version.
 
ComboFix did not solve the problem. The virus is Rootkit-Pakes.U. I even downloaded a removal tool and it did not detect it. The strange thing is that when I insert a CD it says that the atapi.sys file is infected, but if I then go to it and scan it with AVG it says it's clean. What is going on?
 
Please post the log that ComboFix generated; it is located at C:\ComboFix.txt

Please download F-Secure BlackLight (fsbl.exe) and save it to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in the C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found.
  • Do not choose to rename any yet!
  • I want to see the log first, because legitimate items can also be present, like "wbemtest.exe" and "tcptest.exe".
  • Exit BlackLight and post the contents of the log in your next reply.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:57 PM, on 12/20/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\BitTorrent\bittorrent.exe
C:\Users\Etienne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Etienne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Etienne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Etienne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\explorer.exe
C:\Users\Etienne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Etienne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Etienne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Etienne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Etienne\Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" /S
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Etienne\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} (PhotoboxPhotowaysUploader5 Control) - http://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20091210075554
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 5340 bytes
 
And this is the ComboFix result:

ComboFix 09-12-19.01 - Etienne 12/20/2009 9:16.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3455.2399 [GMT 1:00]
Running from: c:\users\Etienne\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tdlcmd.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

2009-12-20 08:21 . 2009-12-20 08:21 -------- d-----w- c:\users\Etienne\AppData\Local\temp
2009-12-20 08:21 . 2009-12-20 08:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-20 08:21 . 2009-12-20 08:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-20 08:15 . 2009-12-20 08:15 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2009-12-20 08:14 . 2009-12-20 08:15 -------- d-----w- C:\32788R22FWJFW
2009-12-19 11:03 . 2009-12-12 08:26 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2009-12-19 11:03 . 2009-12-12 08:26 294680 ----a-w- c:\programdata\avg9\update\backup\avglngx.dll
2009-12-19 06:57 . 2009-12-19 06:57 -------- d-----w- c:\program files\Microsoft Works
2009-12-19 06:56 . 2009-12-19 06:56 -------- d-----w- c:\program files\Microsoft.NET
2009-12-19 06:54 . 2009-12-19 06:54 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-12-16 16:52 . 2003-06-05 16:15 57436 ----a-w- c:\windows\DASShp.dll
2009-12-13 17:19 . 2009-12-13 17:19 -------- d-----w- C:\temp
2009-12-13 13:47 . 2009-12-13 13:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-13 13:47 . 2009-12-13 13:48 -------- d-----w- c:\program files\NVIDIA Corporation
2009-12-12 18:01 . 2009-12-12 18:01 -------- d-----w- c:\users\Etienne\AppData\Local\Microsoft Games
2009-12-12 15:36 . 2009-12-13 17:27 -------- d-----w- c:\windows\WindowsMobile
2009-12-12 15:02 . 2009-12-12 15:02 -------- d-----w- c:\users\Etienne\AppData\Roaming\Ashampoo
2009-12-12 14:57 . 2009-12-20 07:48 -------- d-----w- c:\users\Etienne\Tracing
2009-12-12 14:57 . 2009-12-12 14:57 -------- d-----w- c:\program files\Microsoft
2009-12-12 14:56 . 2009-12-12 14:56 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-12 14:56 . 2009-12-12 14:57 -------- d-----w- c:\program files\Windows Live
2009-12-12 09:39 . 2009-12-12 09:45 -------- d-----w- c:\users\Etienne\AppData\Local\Adobe
2009-12-12 09:38 . 2009-12-12 09:38 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-12 08:36 . 2009-12-12 08:36 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-12 08:34 . 2009-12-12 08:34 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2009-12-12 08:27 . 2009-12-16 18:37 -------- d-----w- C:\$AVG
2009-12-12 08:27 . 2009-12-12 08:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-12 08:27 . 2009-12-12 08:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-12 08:27 . 2009-12-12 08:27 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-12 08:26 . 2009-12-20 07:41 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-12 08:26 . 2009-12-12 08:26 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-12 08:26 . 2009-12-12 08:26 -------- d-----w- c:\programdata\avg9
2009-12-12 08:26 . 2009-12-12 08:26 -------- d-----w- c:\program files\AVG
2009-12-12 07:42 . 2009-12-12 07:42 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-12 07:42 . 2009-12-12 07:42 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-12 07:42 . 2009-12-12 07:42 -------- d-----w- c:\program files\OpenAL
2009-12-12 07:42 . 2009-12-12 07:42 -------- d-----w- c:\windows\system32\Futuremark
2009-12-12 07:42 . 2009-12-12 07:42 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2009-12-12 07:42 . 2008-09-17 13:14 27672 ----a-r- c:\windows\system32\drivers\Entech.sys
2009-12-12 07:22 . 2009-12-13 13:47 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-12 07:22 . 2009-12-12 07:22 -------- d-----w- c:\windows\system32\AGEIA
2009-12-12 05:18 . 2009-12-12 05:18 -------- d-----w- c:\programdata\KONAMI
2009-12-11 00:09 . 2009-12-10 15:15 -------- d-----w- c:\windows\Panther
2009-12-11 00:08 . 2009-12-11 00:08 -------- d-----w- C:\Boot
2009-12-10 18:29 . 2009-12-10 18:29 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-10 17:43 . 2009-12-10 17:43 -------- d-----w- c:\programdata\Hewlett-Packard
2009-12-10 17:43 . 2009-07-14 01:15 280064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzppw71.dll
2009-12-10 17:12 . 2009-12-10 17:12 -------- d-----w- c:\users\Etienne\AppData\Roaming\Malwarebytes
2009-12-10 17:12 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-10 17:12 . 2009-12-10 17:12 -------- d-----w- c:\programdata\Malwarebytes
2009-12-10 17:12 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-10 16:57 . 2004-11-01 23:47 327168 ----a-w- c:\windows\IsUninst.exe
2009-12-10 16:57 . 2009-12-10 16:57 -------- d-----w- c:\windows\system32\IoSubSys
2009-12-10 16:50 . 2009-12-10 16:50 -------- d-----w- c:\windows\system32\Macromed
2009-12-10 16:48 . 2009-12-10 16:49 -------- d-----w- c:\users\Etienne\AppData\Local\Google
2009-12-10 16:47 . 2009-12-10 16:47 -------- d-----w- c:\users\Etienne\AppData\Local\Apps
2009-12-10 16:47 . 2009-12-10 16:48 -------- d-----w- c:\users\Etienne\AppData\Local\Deployment
2009-12-10 16:47 . 2009-12-10 16:48 -------- d-----w- c:\program files\Analog Devices
2009-12-10 16:46 . 2009-12-10 16:46 -------- d-----w- c:\users\Etienne\AppData\Roaming\InstallShield
2009-12-10 16:30 . 2007-01-18 11:14 45056 ----a-w- c:\windows\p3xunist.exe
2009-12-10 16:30 . 2009-12-16 16:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-10 16:30 . 2009-12-10 16:30 -------- d-----w- c:\program files\CONCEPTRONIC Multimedia
2009-12-10 16:30 . 2009-12-13 17:09 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-10 16:26 . 2009-12-19 07:06 123224 ----a-w- c:\users\Etienne\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-10 16:25 . 2009-12-10 16:25 -------- d-----w- C:\conceptronic
2009-12-10 16:22 . 2009-12-20 08:16 -------- d-----w- c:\users\Etienne\AppData\Roaming\BitTorrent
2009-12-10 16:19 . 2009-12-12 05:13 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-10 16:16 . 2009-12-10 16:16 -------- d-----w- c:\users\Etienne\AppData\Local\ashampoo
2009-12-10 16:16 . 2009-12-10 16:16 -------- d-----w- c:\programdata\ashampoo
2009-12-10 16:14 . 2009-12-10 16:14 -------- d-----w- c:\users\Etienne\AppData\Local\Ares
2009-12-10 16:09 . 2006-10-26 18:58 30512 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2009-12-10 16:09 . 2006-10-26 18:58 30512 ----a-w- c:\windows\system32\mdimon.dll
2009-12-10 16:09 . 2006-10-26 18:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2009-12-10 16:09 . 2006-10-26 18:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-12-10 16:08 . 2009-12-10 16:08 -------- d-----w- c:\windows\PCHEALTH
2009-12-10 16:06 . 2009-12-10 16:06 -------- d-----w- c:\users\Etienne\AppData\Local\Microsoft Help
2009-12-10 16:06 . 2009-12-19 16:42 -------- d-----w- c:\programdata\Microsoft Help
2009-12-10 16:06 . 2009-12-10 16:06 -------- d-----r- C:\MSOCache
2009-12-10 15:57 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-12-10 15:56 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-10 15:56 . 2009-12-20 07:09 -------- d-----w- c:\programdata\NVIDIA
2009-12-10 15:55 . 2009-12-19 16:42 -------- d-sh--w- c:\windows\Installer
2009-12-10 15:55 . 2009-11-19 20:42 592488 ----a-w- c:\windows\system32\nvuninst.exe
2009-12-10 15:32 . 2009-11-02 19:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-10 15:18 . 2009-12-20 07:13 -------- d-----w- c:\windows\system32\wbem\Performance
2009-11-20 19:33 . 2009-11-20 19:33 812648 ----a-w- c:\windows\system32\nvsvc.dll
2009-11-20 19:33 . 2009-11-20 19:33 12685928 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-20 19:33 . 2009-11-20 19:33 122984 ----a-w- c:\windows\system32\nvvsvc.exe
2009-11-20 19:33 . 2009-11-20 19:33 110184 ----a-w- c:\windows\system32\nvmctray.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 06:56 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2009-12-12 15:52 . 2009-12-12 15:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-12-12 15:37 . 2009-12-12 15:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2009-12-11 00:11 . 2009-12-11 00:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-10 16:46 . 2006-12-15 00:21 30208 ----a-w- c:\windows\system32\SmaxCo.dll
2009-12-10 16:46 . 2007-01-16 11:16 318464 ----a-w- c:\windows\system32\drivers\ADIHdAud.sys
2009-12-10 16:46 . 2006-12-14 23:29 593920 ----a-w- c:\windows\system32\AEADIExt.dll
2009-12-10 16:46 . 2006-12-14 23:24 119808 ----a-w- c:\windows\system32\AEADIAPO.dll
2009-10-02 04:06 . 2009-12-10 15:54 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-27 22:12 . 2009-09-27 22:12 795104 ----a-w- c:\windows\system32\dpinst.exe
2009-09-27 22:12 . 2009-09-27 22:12 170600 ----a-w- c:\windows\system32\nvcod167.dll
2009-09-27 16:47 . 2009-09-27 16:47 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 16:47 . 2009-09-27 16:47 4033128 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 16:47 . 2009-09-27 16:47 3553896 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 16:47 . 2009-09-27 16:47 3172968 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 16:47 . 2009-09-27 16:47 195176 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 16:47 . 2009-09-27 16:47 150120 ----a-w- c:\windows\system32\nvshext.dll
2009-09-27 16:47 . 2009-09-27 16:47 1309288 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-27 16:47 . 2009-09-27 16:47 1292904 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 16:46 . 2009-09-27 16:46 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-12-20_06.51.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-10 16:00 . 2009-12-20 07:10 17928 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2009-12-20 07:10 35668 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 04:55 . 2009-12-20 06:39 35668 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-12-11 00:14 . 2009-12-19 16:28 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-11 00:14 . 2009-12-20 08:09 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-11 00:14 . 2009-12-20 08:09 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-11 00:14 . 2009-12-19 16:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:41 . 2009-12-20 08:09 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2009-12-19 16:28 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-10 15:17 . 2009-12-20 07:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-10 15:17 . 2009-12-20 06:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-12 08:00 . 2009-12-19 16:08 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-12 08:00 . 2009-12-20 08:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-12 08:00 . 2009-12-19 16:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-12-12 08:00 . 2009-12-20 08:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-12-12 08:00 . 2009-12-19 16:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-12-12 08:00 . 2009-12-20 08:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-12-10 15:17 . 2009-12-20 08:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-10 15:17 . 2009-12-20 06:40 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-10 15:17 . 2009-12-20 07:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-10 15:17 . 2009-12-20 06:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-10 15:35 . 2009-12-20 07:10 6216 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2892283828-576049475-3074606464-1001_UserData.bin
- 2009-12-20 06:37 . 2009-12-20 06:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-20 07:09 . 2009-12-20 07:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-20 06:37 . 2009-12-20 06:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-20 07:09 . 2009-12-20 07:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:05 . 2009-12-20 06:42 618026 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2009-12-20 07:13 618026 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2009-12-20 07:13 104340 c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2009-12-20 06:42 104340 c:\windows\System32\perfc009.dat
- 2009-12-10 15:18 . 2009-12-19 16:28 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-12-10 15:18 . 2009-12-20 08:09 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 02:03 . 2009-12-20 06:51 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:03 . 2009-12-20 08:02 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Etienne\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-10 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-12-10 868352]
"RivaTunerStartupDaemon"="d:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" [2009-08-22 24576]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-12 2033432]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-03 1394000]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12685928]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Remote Control.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Remote Control.lnk
backup=c:\windows\pss\Remote Control.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVR Agent]
2006-04-14 23:11 759296 ----a-w- d:\program files\CONCEPTRONIC Multimedia\PVR Plus\TVR\Scheduled.exe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [12/12/2009 9:27 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [12/12/2009 9:27 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/12/2009 9:26 AM 285392]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [11/20/2009 7:17 PM 240232]
R3 3xHybrid;3xHybrid service;c:\windows\System32\drivers\3xHybrid.sys [1/18/2007 7:15 PM 670592]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\System32\drivers\Rt86win7.sys [6/10/2009 10:18 PM 139776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20091210075554
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2009-12-20 09:23:45
ComboFix-quarantined-files.txt 2009-12-20 08:23
ComboFix2.txt 2009-12-20 06:53
ComboFix3.txt 2009-12-19 16:25

Pre-Run: 145,886,478,336 bytes free
Post-Run: 145,706,909,696 bytes free

- - End Of File - - 7636129771B92A94DE500FF9353FC573
 
Download FileFind by Atribune.

• Unzip the file and save it to your desktop.
• Double-click on FileFind.exe
• In the box labeled "Enter the directory to search" type C:\
• (Note: if your default Windows boot drive is not drive C, substitute your drive letter.)
• In the box labeled "Enter the file to search" type atapi.sys
• Click on the Find button.
• Once the utility has found the files, click on Export. This will save a text file to your C:\ drive (or your default Windows drive) as Export.txt.

Add the C:\Export.txt log to your next message.
 
I tried what you told me. It found 4 atapi.sys files, and when I clicked on the one giving trouble, or on any one of them, it said it cannot find the C:\Export.txt file. What shall I do????
 
Are you navigating to your C drive to find the file? Open My Computer, double-click on the C drive, and find the file named export.txt.
 
OK, all I had to do was run the app as administrator. This is the file it exported:

C:\Windows\ERDNT\cache\atapi.sys - 21584 Bytes
C:\Windows\System32\drivers\atapi.sys - 21584 Bytes
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys - 21584 Bytes
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys - 21584 Bytes

Now what? Does anything look wrong???
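As an added example (not from the thread, and not part of FileFind or any other tool named above), here is a Python script that does what the FileFind steps do, locating every copy of atapi.sys under a root, and then goes one step further: all four files in the export above report 21584 bytes, but identical size says nothing about whether the in-use copy in System32\drivers still matches the DriverStore and winsxs copies, so the script compares SHA-256 digests and flags the odd one out. The directory layout and file contents in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import Counter

TARGET = "atapi.sys"


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large drivers are not read whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, name=TARGET):
    """Walk `root` and return [(path, size, sha256)] for every file named `name`.
    Name matching is case-insensitive, as it is on NTFS. Files that cannot be
    read (locked, access denied) are skipped rather than reported with a guess."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(dirpath, fn)
                try:
                    found.append((p, os.path.getsize(p), sha256_of(p)))
                except OSError:
                    continue
    return found


def flag_outliers(copies):
    """Return the copies whose digest differs from the most common digest.
    Equal byte sizes prove nothing: a driver patched in place keeps its size,
    so only the hash separates a modified copy from the pristine ones.
    With a 2-vs-2 tie the first digest seen wins; inspect both halves then."""
    if len(copies) < 2:
        return []
    majority, _count = Counter(h for _, _, h in copies).most_common(1)[0]
    return [c for c in copies if c[2] != majority]


def write_export(copies, out_path):
    """Same one-line-per-file shape as the thread's Export.txt, plus the digest."""
    with open(out_path, "w") as f:
        for p, size, h in copies:
            f.write(f"{p} - {size} Bytes - sha256 {h}\n")


def demo():
    """Constructed sample: four same-sized copies, one with four bytes altered.
    Returns (number of copies found, number of distinct sizes, parent dirs of outliers)."""
    pristine = bytes(range(256)) * 4            # 1024 bytes of made-up 'driver' content
    patched = bytearray(pristine)
    patched[512:516] = b"\xde\xad\xbe\xef"       # in-place change, size unchanged
    layout = {                                   # mirrors the four locations in the export
        ("Windows", "ERDNT", "cache"): pristine,
        ("Windows", "System32", "drivers"): bytes(patched),
        ("Windows", "System32", "DriverStore", "FileRepository", "mshdc_sample"): pristine,
        ("Windows", "winsxs", "x86_mshdc_sample"): pristine,
    }
    with tempfile.TemporaryDirectory() as root:
        for parts, content in layout.items():
            d = os.path.join(root, *parts)
            os.makedirs(d)
            with open(os.path.join(d, TARGET), "wb") as f:
                f.write(content)
        copies = find_copies(root)
        bad = flag_outliers(copies)
        write_export(copies, os.path.join(root, "Export.txt"))
        sizes = {s for _, s, _ in copies}
        return len(copies), len(sizes), [os.path.basename(os.path.dirname(p)) for p, _, _ in bad]


if __name__ == "__main__":
    print(demo())  # on a real machine call find_copies(r"C:\") and flag_outliers() instead
```

Run it as administrator on the real system, as the thread notes, or System32\drivers and winsxs may be skipped as unreadable and the comparison will be silently incomplete.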
 