Topic: infected atapi.sys file

gange (Topic Starter)
    infected atapi.sys file
    « on: February 20, 2010, 10:15:02 AM »
    Received a warning from AVG that atapi.sys had a Trojan horse rootkit Agent EF.

    This was not found by Malwarebytes. Checked http://virusscan.jotti.org/ and found this file had several infections.
    Now I can't delete atapi.sys, but I do have a clean file I could use (and registry keys); was wondering if anyone knew how to replace the old atapi.sys with the new one (cannot find the Windows installation CD),
    or is there an easier way to replace this file using ComboFix (already used this to clean the file, but it's still infected)?
    Any help greatly appreciated.

    evilfantasy (Malware Removal Specialist, Moderator)
    Re: infected atapi.sys file
    « Reply #1 on: February 20, 2010, 10:28:03 AM »
    Quote from gange:
    Now I can't delete atapi.sys, but I do have a clean file I could use (and registry keys); was wondering if anyone knew how to replace the old atapi.sys with the new one (cannot find the Windows installation CD).

    DO NOT delete it! Your computer will no longer boot.

    If you already have ComboFix be sure to delete it and download a new copy.

    Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.
    Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix

      gange (Topic Starter)

      Re: infected atapi.sys file
      « Reply #2 on: February 20, 2010, 11:10:25 AM »
      Thanks for the reply.

      Here is the ComboFix log (I had already downloaded the version from where you suggested earlier today).

      ComboFix 10-02-19.04 - Owner 0-Feb-2010  15:25:29.1.1 - x86
      Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
      AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\documents and settings\Owner\Application Data\BITS
      c:\documents and settings\Owner\Application Data\BITS\BITS.ini
      c:\documents and settings\Owner\Application Data\BITS\DHTTable.dat
      c:\documents and settings\Owner\Application Data\BITS\pl.dat
      c:\documents and settings\Owner\Application Data\BITS\ProxyList.ini
      c:\documents and settings\Owner\Application Data\FlashGetBHO
      c:\documents and settings\Owner\Application Data\FlashGetBHO\FlashGetBHO3.dll
      c:\documents and settings\Owner\Application Data\FlashGetBHO\GetAllUrl.htm
      c:\documents and settings\Owner\Application Data\FlashGetBHO\GetUrl.htm
      c:\documents and settings\Owner\Start Menu\Programs\Mafia
      C:\Documents
      C:\System
      c:\windows\Downloaded Program Files\dlhelper.dll
      c:\windows\Mafia
      c:\windows\struct~.ini
      c:\windows\system32\18467.exe
      c:\windows\system32\6334.exe
      c:\windows\system32\iAlmcoin.dll
      c:\windows\system32\ps2.bat
      c:\windows\system32\secustat.dat
      D:\Autorun.inf

      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_NET_MESSAGE_SERVICE


      (((((((((((((((((((((((((   Files Created from 2010-01-20 to 2010-02-20  )))))))))))))))))))))))))))))))
      .

      2010-02-20 10:14 . 2010-02-20 10:14   --------   d-----w-   C:\Team17
      2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
      2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\program files\NCH Swift Sound
      2010-02-08 23:56 . 2010-02-08 23:56   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
      2010-02-08 23:24 . 2010-02-08 23:57   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
      2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
      2010-02-08 22:20 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
      2010-02-08 22:20 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2010-02-08 20:54 . 2010-02-09 10:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
      2010-02-03 13:45 . 2010-02-08 20:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\TuneUp Software
      2010-02-03 13:31 . 2010-02-03 13:32   --------   d-----w-   c:\documents and settings\Owner\Application Data\HpUpdate

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-02-20 15:10 . 2009-11-11 09:40   --------   d-----w-   c:\documents and settings\Owner\Application Data\vlc
      2010-02-20 10:14 . 2003-01-01 10:50   --------   d--h--w-   c:\program files\InstallShield Installation Information
      2010-02-17 11:50 . 2007-10-01 13:18   --------   d-----w-   c:\documents and settings\Owner\Application Data\uTorrent
      2010-02-16 23:07 . 2006-08-26 22:08   --------   d-----w-   c:\documents and settings\Owner\Application Data\NCH Swift Sound
      2010-02-13 13:12 . 2004-04-22 17:38   --------   d-----w-   c:\program files\Common Files\Adobe
      2010-02-06 19:46 . 2009-12-13 10:19   --------   d-----w-   c:\program files\The KMPlayer
      2010-02-03 16:51 . 2003-01-01 10:05   --------   d-----w-   c:\program files\HP
      2010-02-03 13:31 . 2003-01-01 10:05   --------   d-----w-   c:\program files\Hewlett-Packard
      2010-02-03 13:21 . 2004-04-23 07:27   55176   -c--a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2009-12-21 19:14 . 2004-02-06 17:05   916480   ----a-w-   c:\windows\system32\wininet.dll
      2009-11-27 14:17 . 2009-11-27 14:17   134072   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
      2009-11-27 13:52 . 2009-11-27 13:52   721904   ----a-w-   c:\windows\system32\drivers\sptd.sys
      2006-02-21 14:59 . 2006-02-21 14:59   524300   -c--a-w-   c:\program files\position.bin
      2005-02-25 20:21 . 2005-02-25 20:21   1179648   -c--a-w-   c:\program files\book.bin
      2004-05-06 12:11 . 2005-02-07 10:36   777   -c--a-w-   c:\program files\trial_setup.ini
      2004-04-23 14:22 . 2004-04-23 14:22   0   -csha-w-   c:\windows\SMINST\HPCD.sys
      2005-06-11 13:14 . 2005-03-24 10:58   56   -csh--r-   c:\windows\system32\71E772F4EB.sys
      2005-07-14 18:31 . 2006-05-24 16:37   27648   -csha-w-   c:\windows\system32\AVSredirect.dll
      2005-06-26 21:32 . 2006-05-08 17:07   616448   -csha-r-   c:\windows\system32\cygwin1.dll
      2005-06-22 04:37 . 2006-05-24 16:37   45568   -csha-r-   c:\windows\system32\cygz.dll
      2006-08-04 08:30 . 2004-08-13 21:52   13146   -csha-w-   c:\windows\system32\KGyGaAvL.sys
      .

      ------- Sigcheck -------

      [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
      [-] 2008-04-13 18:40 . B0FBED8C149D3D9E08962A8E8E864F79 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
      [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
      [-] 2003-09-23 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\$NtUninstallQ331958$\atapi.sys

      [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
      [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
      [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
      [-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
      [7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
      [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
      [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
      [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
      [-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
      [-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
      [-] 2006-08-19 . DE891AD282E856ACFD40990094A63B6F . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
      [-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
      [-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
      [-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
      [-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
      [-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
      [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
      .
      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
      "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

      [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
      2009-10-16 12:12   1119488   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

      [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
      "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
      "PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920]
      "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
      2009-11-10 22:43   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
      SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
      backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
      backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
      backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
      backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it Software Notes Lite.lnk]
      backup=c:\windows\pss\Post-it Software Notes Lite.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^.lnk]
      backup=c:\windows\pss\.lnkStartup
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kgsystray
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POEngine
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TudouVAStart
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
      2003-01-01 11:13   159744   -c--a-w-   c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
      2009-12-11 15:57   948672   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
      2009-12-22 01:57   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
      2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
      2003-04-07 07:07   114688   ----a-w-   c:\windows\system32\hkcmd.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
      2003-02-11 20:02   61440   ----a-w-   c:\hp\KBD\kbd.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
      2004-01-28 08:19   159744   -c--a-w-   c:\program files\Saitek\Software\Profiler.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
      2007-08-07 00:05   200704   -c--a-w-   c:\program files\PowerISO\PWRISOVM.EXE

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
      2004-01-28 08:19   98304   -c--a-w-   c:\program files\Saitek\Software\SaiSmart.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
      2007-04-16 15:28   577536   ----a-w-   c:\windows\soundman.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
      2007-03-14 03:43   83608   -c--a-w-   c:\program files\Java\jre1.6.0_01\bin\jusched.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "iPodService"=3 (0x3)
      "UserAccess7"=2 (0x2)
      "MDM"=2 (0x2)
      "Net message Service"=2 (0x2)
      "KService"=2 (0x2)
      "iPod Service"=3 (0x3)
      "Apple Mobile Device"=2 (0x2)
      "WLSetupSvc"=3 (0x3)
      "idsvc"=3 (0x3)

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
      "Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
      "ctfmon.exe"=c:\windows\system32\CTFMON.EXE
      "NVIEW"=rundll32.exe nview.dll,nViewLoadHook

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
      "OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
      "SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe
      "InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
      "IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
      "nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
      "AlcxMonitor"=ALCXMNTR.EXE
      "HPHmon05"=c:\windows\System32\hphmon05.exe
      "NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "c:\\Program Files\\uTorrent\\uTorrent.exe"=
      "c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
      "c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
      "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
      "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
      "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
      "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
      "c:\\Program Files\\Opera\\opera.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "7354:TCP"= 7354:TCP:ppLive
      "6461:UDP"= 6461:UDP:ppLive
      "21780:TCP"= 21780:TCP:BitComet 21780 TCP
      "21780:UDP"= 21780:UDP:BitComet 21780 UDP
      "6881:TCP"= 6881:TCP:BitComet 6881 TCP
      "6881:UDP"= 6881:UDP:BitComet 6881 UDP

      R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
      R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
      R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584]
      R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520]
      R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392]
      R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656]
      R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936]
      R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456]
      S1 etqmhlnl;etqmhlnl;\??\c:\windows\system32\drivers\etqmhlnl.sys --> c:\windows\system32\drivers\etqmhlnl.sys [?]
      S1 xrhdbctp;xrhdbctp;\??\c:\windows\system32\drivers\xrhdbctp.sys --> c:\windows\system32\drivers\xrhdbctp.sys [?]
      S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512]
      S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704]
      S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
      .
      Contents of the 'Scheduled Tasks' folder

      2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job
      - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

      2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job
      - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

      2009-04-08 c:\windows\Tasks\shutdown.job
      - c:\windows\system32\shutdown.exe [2003-01-01 00:12]

      2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job
      - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.ask.com?o=15187&l=dis
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      mSearch Bar = hxxp://srch-qgb10.hpwis.com/
      uInternet Connection Wizard,ShellNext = iexplore
      uInternet Settings,ProxyOverride = 127.0.0.1
      uSearchAssistant = hxxp://www.google.com/ie
      uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
      Trusted Zone: apple.com\phobos
      Trusted Zone: apple.com\www
      Trusted Zone: barclaycard.co.uk\www
      Trusted Zone: buy-internetsecurity10.com
      Trusted Zone: buy-is2010.com
      Trusted Zone: capitalfm.com\www
      Trusted Zone: denness.net\tracker
      Trusted Zone: is-software-download.com
      Trusted Zone: is-software-download25.com
      Trusted Zone: is10-soft-download.com
      Trusted Zone: mlb.com\mlb
      Trusted Zone: buy-internetsecurity10.com
      Trusted Zone: buy-is2010.com
      DPF: Microsoft XML Parser for Java
      DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
      DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx
      .
      - - - - ORPHANS REMOVED - - - -

      BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
      Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
      MSConfigStartUp-goxtRTinQ - setrsptb.exe
      MSConfigStartUp-Motive SmartBridge - c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
      MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
      MSConfigStartUp-xFEj33O - shlhupnp.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-02-20 15:37
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************

      Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

      device: opened successfully
      user: MBR read successfully
      called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys atapi.sys sprz.sys >>UNKNOWN [0x82EA8938]<<
      kernel: MBR read successfully
      detected MBR rootkit hooks:
      \Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
      \Driver\ACPI -> ACPI.sys @ 0xf833dcb8
      \Driver\atapi -> prosync1.sys @ 0xf89a76c1
      IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
      \Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
      NDIS:  -> SendCompleteHandler -> 0x0
       PacketIndicateHandler -> 0x0
       SendHandler -> 0x0
      user & kernel MBR OK

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
      "GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games"
      "ShortlistDir"=""
      "ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008"
      "SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\"
      "HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points"
      "LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat"
      "LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm"
      "Language"="English"
      "LoadLangDB"=dword:00000001
      "CompressHistoryPoints"=dword:00000000
      "HighlightedAttributes"=dword:00000000
      "MinCondition"=dword:00000032
      "SkinID"=dword:00000001
      "LastUpdateCheck"=dword:00000000
      "HighQualityGUI"=dword:00000001
      "AutomaticallyUpdateCheck"=dword:00000001
      "AdvancedGeneration"=dword:00000000
      "TranslateStaffSkills"=dword:00000001
      "TranslatePlayerSkills"=dword:00000001
      "TranslatePositions"=dword:00000001
      "ShowHistory"=dword:00000001
      "WindowState"=dword:00000002
      "Currency"=dword:00000056
      "WindowHeight"=dword:0000026d
      "WindowWidth"=dword:000003fc
      "WindowLeft"=dword:00000002
      "WindowTop"=dword:0000004a
      "UseProxy"=dword:00000000
      "ProxyHost"=""
      "ProxyPort"=""
      "UseAuthentication"=dword:00000000
      "UserName"=""
      "UserPassword"=""


      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(896)
      c:\windows\System32\Ati2evxx.dll

      - - - - - - - > 'explorer.exe'(1432)
      c:\windows\system32\WININET.dll
      c:\progra~1\WINDOW~2\wmpband.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\windows\system32\Ati2evxx.exe
      c:\program files\AVG\AVG9\avgrsx.exe
      c:\program files\AVG\AVG9\avgcsrvx.exe
      c:\windows\system32\LEXBCES.EXE
      c:\windows\System32\Ati2evxx.exe
      c:\program files\AVG\AVG9\avgnsx.exe
      c:\program files\AVG\AVG9\avgcsrvx.exe
      c:\windows\System32\logon.scr
      .
      **************************************************************************
      .
      Completion time: 2010-02-20  15:48:21 - machine was rebooted
      ComboFix-quarantined-files.txt  2010-02-20 15:48

      Pre-Run: 31,553,204,224 bytes free
      Post-Run: 31,483,396,096 bytes free

      - - End Of File - - C3400B7FC6FEF597D794892895B05586
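The Sigcheck section of the log above is where the evidence against atapi.sys actually sits: the copy Windows loads from system32\drivers carries a different MD5 (B0FBED8C...) and no version stamp, while the cached copy in ServicePackFiles\i386 has the expected 5.1.2600.5512 stamp and a different hash. The same section shows the live tcpip.sys with a hash that matches neither the dllcache nor the $hf_mig$ copies of the same version and size; the thread does not discuss that file, but the comparison is identical. As an added example (not part of the thread and not ComboFix's own code), the script below parses those lines and flags every driver under system32\drivers whose MD5 matches none of the cached copies. It assumes that ComboFix's [7] marker means the file was verified and [-] that it was not. The sample input is the atapi.sys and tcpip.sys lines quoted from the log plus one constructed clean pair (example.sys, an all-zero hash) that is not from the log and only exercises the no-finding path.

```python
"""Added example (not from the thread or from ComboFix): parse the Sigcheck
section of a ComboFix log and flag live drivers whose MD5 matches none of
the cached copies ComboFix could verify."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: the atapi.sys and tcpip.sys Sigcheck lines quoted from the log
# in the post above, plus one constructed clean pair (example.sys, hash of
# zeros) that is not from the log and only shows the no-finding case.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . B0FBED8C149D3D9E08962A8E8E864F79 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-09-23 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\$NtUninstallQ331958$\atapi.sys

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[7] 2008-04-13 . 00000000000000000000000000000000 . 1024 . . [1.0.0.0] . . c:\windows\system32\dllcache\example.sys
[7] 2008-04-13 . 00000000000000000000000000000000 . 1024 . . [1.0.0.0] . . c:\windows\system32\drivers\example.sys
"""

# One Sigcheck line: [flag] date [time] . MD5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)

VERIFIED_FLAG = "7"                      # assumption: [7] = ComboFix verified the file
LIVE_DIR = "\\system32\\drivers\\"       # where the kernel actually loads drivers from
CACHE_DIRS = ("\\dllcache\\", "\\servicepackfiles\\")  # Windows' own protected copies


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines of any other shape are skipped."""
    records = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        rec["name"] = PureWindowsPath(rec["path"]).name.lower()
        rec["live"] = LIVE_DIR in rec["path"].lower()
        records.append(rec)
    return records


def _rank(rec):
    """Prefer a copy from a file-protection cache, then the newest one."""
    in_cache = any(d in rec["path"].lower() for d in CACHE_DIRS)
    return (in_cache, rec["date"], rec["version"])


def pick_reference(live, verified):
    """Choose the verified copy to report next to a live file: one with the
    same version and size if there is one (what an in-place patch leaves
    behind), otherwise the best-ranked verified copy."""
    same = [c for c in verified
            if c["version"] == live["version"] and c["size"] == live["size"]]
    return max(same or verified, key=_rank)


def analyze(text):
    """Flag every live driver whose MD5 matches none of the verified cached copies."""
    groups = defaultdict(list)
    for rec in parse_sigcheck(text):
        groups[rec["name"]].append(rec)
    findings = []
    for name, recs in sorted(groups.items()):
        verified = [r for r in recs if r["flag"] == VERIFIED_FLAG and not r["live"]]
        if not verified:
            continue  # nothing trustworthy to compare against
        known_good = {r["md5"] for r in verified}
        for live in (r for r in recs if r["live"]):
            if live["md5"] in known_good:
                continue
            ref = pick_reference(live, verified)
            findings.append({
                "name": name,
                "live_path": live["path"],
                "live_md5": live["md5"],
                "missing_version": live["version"].strip("-") == "",
                "same_size_and_version": (live["size"] == ref["size"]
                                          and live["version"] == ref["version"]),
                "reference_path": ref["path"],
                "reference_md5": ref["md5"],
            })
    return findings


def describe(finding):
    """Short label for how the live file differs from its reference."""
    if finding["missing_version"]:
        return "no version stamp"
    if finding["same_size_and_version"]:
        return "same size and version, different hash"
    return "differs from cached copy"


if __name__ == "__main__":
    for f in analyze(SIGCHECK_SAMPLE):
        print(f"{f['name']}: {f['live_path']} MD5 {f['live_md5']} ({describe(f)}); "
              f"verified copy {f['reference_path']} MD5 {f['reference_md5']}")
```

Run against the sample it reports atapi.sys (no version stamp, reference ServicePackFiles\i386) and tcpip.sys (same size and version as the dllcache copy but a different hash), and nothing for example.sys. A hash mismatch alone says the file is not what Windows shipped, not what changed it; the usual next step is exactly what the moderator asks for below, an upload of the flagged file to a multi-engine scanner, and a rootkit scan to see whether the driver's dispatch table is hooked.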

      evilfantasy (Malware Removal Specialist, Moderator)
      Re: infected atapi.sys file
      « Reply #3 on: February 20, 2010, 11:29:16 AM »
      Please go to Jotti's malware scan
      (If more than one file needs to be scanned, they must be done separately and logs posted for each one.)

      * Copy the file path in the below Code box:

          c:\windows\system32\drivers\xrhdbctp.sys

      * At the upload site, click once inside the window next to Browse.
      * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      * Next click Submit file
      * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      * This will perform a scan across multiple different virus scanning engines.
      * Important: Wait for all of the scanning engines to complete.
      * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

      Also scan this file and post the link to the results:

          c:\windows\system32\drivers\etqmhlnl.sys
      ----------

      Download GMER Rootkit Detector and save it to your desktop.
       
      * Extract it to your desktop and double-click GMER.exe
      * Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
      * Click the Rootkit tab and then Scan.
      * Don't check the Show All box while scanning in progress!
      * When scanning is finished click Copy.
      * This copies the log to clipboard
      * Post the log in your reply.

        gange (Topic Starter)

        Re: infected atapi.sys file
        « Reply #4 on: February 20, 2010, 12:45:27 PM »
        Tried doing what you suggested, but on that website it just says that I've specified one or more files that could not be found.
        Those two files don't exist anymore; have no idea why.
        Searching for them only finds C:\WINDOWS\system32\MpEngineStore\RebootActions\xrhdbctp.dat. Did a check on this file path: http://virusscan.jotti.org/en-GB/scanresult/90cfb4f593083172c1c9abf7cb5d557ebb7c7dd7

        And the second one is exactly the same: C:\WINDOWS\system32\MpEngineStore\RebootActions\etqmhlnl.dat
        http://virusscan.jotti.org/en-GB/scanresult/237b4d2126087569093d75d59bfbed8e07d3ece1

        Both scans reveal nothing found.

        As for the GMER log: have started the scan; hopefully it won't take much longer.
        Will post the log shortly.

        Thanks for your help,
        it's much appreciated!

        evilfantasy (Malware Removal Specialist, Moderator)
        Re: infected atapi.sys file
        « Reply #5 on: February 20, 2010, 02:30:44 PM »
        How is the GMER scan coming?

        Be sure to do this. Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".

          gange (Topic Starter)

          Re: infected atapi.sys file
          « Reply #6 on: February 20, 2010, 06:59:26 PM »
          OK, so while I was doing the GMER scan the power for the whole neighbourhood went out; great.

          Now, eventually, here is the log.
          Obvious issue with atapi.sys, which I'm still getting warnings about.
          Hope you can help (will be offline for a few hours while I get some sleep; 2am in the UK).



          GMER 1.0.15.15281 - http://www.gmer.net
          Rootkit scan 2010-02-21 01:46:28
          Windows 5.1.2600 Service Pack 3
          Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgtdapoc.sys


          ---- System - GMER 1.0.15 ----

          SSDT            spit.sys                                                                                              ZwCreateKey [0xF837E0E0]
          SSDT            spit.sys                                                                                              ZwEnumerateKey [0xF839CCA4]
          SSDT            spit.sys                                                                                              ZwEnumerateValueKey [0xF839D032]
          SSDT            spit.sys                                                                                              ZwOpenKey [0xF837E0C0]
          SSDT            spit.sys                                                                                              ZwQueryKey [0xF839D10A]
          SSDT            spit.sys                                                                                              ZwQueryValueKey [0xF839CF8A]
          SSDT            spit.sys                                                                                              ZwSetValueKey [0xF839D19C]

          INT 0x62        ?                                                                                                     82EF6BF8
          INT 0x82        ?                                                                                                     82EF6BF8
          INT 0x83        ?                                                                                                     82C4CBF8
          INT 0xA4        ?                                                                                                     82C4CBF8
          INT 0xB4        ?                                                                                                     82C4CBF8

          ---- Kernel code sections - GMER 1.0.15 ----

          .text           ntoskrnl.exe!_abnormal_termination + 169                                                              804E27C5 3 Bytes  [CC, 39, F8] {INT 3 ; CMP EAX, EDI}
          ?               spit.sys                                                                                              The system cannot find the file specified. !
          .rsrc           C:\WINDOWS\system32\drivers\atapi.sys                                                                 entry point in ".rsrc" section [0xF83057A4]
          .text           USBPORT.SYS!DllUnload                                                                                 F78588AC 5 Bytes  JMP 82C4C1D8

          ---- Kernel IAT/EAT - GMER 1.0.15 ----

          IAT             \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                    82EF82D8
          IAT             pci.sys[ntoskrnl.exe!IoDetachDevice]                                                                  [F83AFC4C] spit.sys
          IAT             pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]                                                     [F83AFCA0] spit.sys
          IAT             \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                  82C4C2D8
          IAT             \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                    [F838EE9C] spit.sys

          ---- Devices - GMER 1.0.15 ----

          Device          \FileSystem\Ntfs \Ntfs                                                                                82EF51F8
          Device          \FileSystem\Fastfat \FatCdrom                                                                         82C041F8

          AttachedDevice  \Driver\Tcpip \Device\Ip                                                                              avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

          Device          \Driver\NetBT \Device\NetBT_Tcpip_{B9CCBD70-9E0C-484E-9FF4-5963A29B4F59}                              82B16500
          Device          \Driver\usbuhci \Device\USBPDO-0                                                                      82C4B1F8
          Device          \Driver\usbuhci \Device\USBPDO-1                                                                      82C4B1F8
          Device          \Driver\usbuhci \Device\USBPDO-2                                                                      82C4B1F8
          Device          \Driver\usbehci \Device\USBPDO-3                                                                      82C29500
          Device          \Driver\NetBT \Device\NetBT_Tcpip_{FD9B5674-C527-4B71-ABEA-C86624BE26AD}                              82B16500

          AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                             avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

          Device          \Driver\prodrv06 \Device\ProDrv06                                                                     E1D06008
          Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                82E891F8
          Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                82E891F8
          Device          \Driver\Cdrom \Device\CdRom0                                                                          82B431F8
          Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                           [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
          Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                           prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
          Device          \Driver\atapi \Device\Ide\IdePort0                                                                    [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
          Device          \Driver\atapi \Device\Ide\IdePort0                                                                    prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
          Device          \Driver\atapi \Device\Ide\IdePort1                                                                    [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
          Device          \Driver\atapi \Device\Ide\IdePort1                                                                    prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
          Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e                                                           [F82F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
          Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e                                                           prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
          Device          \Driver\prohlp02 \Device\ProHlp02                                                                     E1008360
          Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                               82B16500
          Device          \Driver\NetBT \Device\NetbiosSmb                                                                      82B16500

          AttachedDevice  \Driver\Tcpip \Device\Udp                                                                             avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
          AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                           avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

          Device          \Driver\usbuhci \Device\USBFDO-0                                                                      82C4B1F8
          Device          \Driver\usbuhci \Device\USBFDO-1                                                                      82C4B1F8
          Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                     829581F8
          Device          \Driver\usbuhci \Device\USBFDO-2                                                                      82C4B1F8
          Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                           829581F8
          Device          \Driver\usbehci \Device\USBFDO-3                                                                      82C29500
          Device          \Driver\Ftdisk \Device\FtControl                                                                      82E891F8
          Device          \FileSystem\Fastfat \Fat                                                                              82C041F8

          AttachedDevice  \FileSystem\Fastfat \Fat                                                                              fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

          Device          \FileSystem\Cdfs \Cdfs                                                                                823DB1F8

          ---- Registry - GMER 1.0.15 ----

          Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected]                                                    771343423
          Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected]                                                    285507792
          Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected]                                                    1
          Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04                     
          Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected]                   0
          Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected]                0x58 0x00 0x6B 0x85 ...
          Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) 
          Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[email protected]                       0
          Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[email protected]                    0x58 0x00 0x6B 0x85 ...

          ---- Files - GMER 1.0.15 ----

          File            C:\WINDOWS\system32\drivers\atapi.sys                                                                 suspicious modification

          ---- EOF - GMER 1.0.15 ----

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          Re: infected atapi.sys file
          « Reply #7 on: February 20, 2010, 07:09:17 PM »
          Quote
          Hope you can help (will be offline for a few hours while I get some sleep (2am in the UK)).

          No worries. Get some rest so you can have a clear head. I'll be around whenever you get back to it.



          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
          It must be Notepad, not Wordpad.
          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

          Code:
          KillAll::

          FCopy::
          c:\windows\$NtServicePackUninstall$\atapi.sys | c:\windows\system32\drivers\atapi.sys
          c:\windows\$NtServicePackUninstall$\tcpip.sys | c:\windows\system32\dllcache\tcpip.sys
          c:\windows\$NtServicePackUninstall$\tcpip.sys | c:\windows\system32\drivers\tcpip.sys


          3. Go to the Notepad window and click Edit > Paste
          4. Then click File > Save
          5. Name the file CFScript.txt - Save the file to your Desktop
          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



          ComboFix will begin to execute, just follow the prompts.
          After reboot (in case it asks to reboot), it will produce a log for you.
          Post that log (Combofix.txt) in your next reply.

          Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

          ----------

          RootRepeal - Rootkit Detector

          * Download the following tool: RootRepeal - Rootkit Detector
          * Direct download link is here: RootRepeal.zip

          * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
          * Click this link to see a list of such programs and how to disable them.

          * Extract the program file to a new folder such as C:\RootRepeal
          * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
          * Select ALL of the checkboxes and then click OK and it will start scanning your system.
          * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
          * When done, click on Save Report
          * Save it to the same location where you ran it from, such as C:\RootRepeal
          * Save it as rootrepeal.txt
          * Then open that log and select all and copy/paste it back on your next reply please.
          * Close RootRepeal.

          ----------

          Next post please add:

          • New ComboFix log
          • RootRepeal log
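          Two lines in this thread describe the same condition: GMER's entry for atapi.sys in reply #6, entry point in ".rsrc" section (a clean driver's AddressOfEntryPoint lies in an executable section such as .text or INIT, never in the read-only resource section), and the FCopy step above, which puts the Service Pack backup of atapi.sys back in place. The script below is an added example, not code from this thread, from GMER or from ComboFix: it reads only the PE headers of a driver image, reports which section holds the entry point, and can be run on atapi.sys before and after the restore. The function names (parse_pe, section_of_entry_point, assess, assess_file, build_minimal_pe), the section layout and the entry addresses in LAYOUT and the sample calls are assumptions constructed for the example; a real atapi.sys has a different layout.

```python
"""Report which PE section contains a driver's entry point (added example; assumed names).

Only headers are parsed; nothing in the file is executed. An entry point in .rsrc,
or outside every section, is the condition GMER reported for atapi.sys.
"""
import struct
from typing import List, Optional, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000

Section = Tuple[str, int, int, int]   # (name, VirtualAddress, VirtualSize, Characteristics)


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section table) from an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint sits at the same offset in PE32 and PE32+ optional headers.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections: List[Section] = []
    table = opt + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        raw_name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((raw_name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    return entry_rva, sections


def section_of_entry_point(data: bytes) -> Optional[Section]:
    """The section whose virtual range covers the entry RVA, or None."""
    entry_rva, sections = parse_pe(data)
    for sec in sections:
        _, va, vsize, _ = sec
        if va <= entry_rva < va + vsize:
            return sec
    return None


def assess(data: bytes) -> str:
    """'ok: ...' for an executable section, 'suspicious: ...' for .rsrc, data-only or no section."""
    sec = section_of_entry_point(data)
    if sec is None:
        return "suspicious: entry point outside every section"
    name, _, _, chars = sec
    if name == ".rsrc" or not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        return f"suspicious: entry point in {name} section"
    return f"ok: entry point in {name} section"


def assess_file(path: str) -> str:
    with open(path, "rb") as fh:
        return assess(fh.read())


def build_minimal_pe(entry_rva: int, sections: List[Section]) -> bytes:
    """Constructed test image: DOS header, PE32 headers and a section table, no section data."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                       # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    vsize, va, 0, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed section layout; addresses are made up for the example, not atapi.sys's real ones.
LAYOUT: List[Section] = [
    (".text", 0x1000, 0x8000, 0x68000020),   # code, executable, readable, not paged
    (".rsrc", 0x9000, 0x1000, 0x42000040),   # initialized data, readable, discardable
]

if __name__ == "__main__":
    print(assess(build_minimal_pe(0x1500, LAYOUT)))   # ok: entry point in .text section
    print(assess(build_minimal_pe(0x97A4, LAYOUT)))   # suspicious: entry point in .rsrc section
```

          On the machine itself, assess_file(r"C:\WINDOWS\system32\drivers\atapi.sys") should report an executable section once the SP3 copy is back; .rsrc, or an RVA outside every section, is the pattern GMER flagged. This is a header read only: a modified driver can still carry a sane entry point, so a clean result is necessary rather than sufficient, and comparing the file with the $NtServicePackUninstall$ copy, as the FCopy step does, remains the stronger check.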

          gange

            Topic Starter



            Re: infected atapi.sys file
            « Reply #8 on: February 21, 2010, 03:51:46 AM »
            OK, so the atapi.sys file seems to be clean now after that ComboFix.

            Tried doing the RootRepeal scan exactly as you showed, but a grey block comes up saying "please wait, initializing" - this stays the same for over 20 mins (I gave up). The page file maxes out and CPU usage is 100% for all this time - so maybe I need to be more patient, but it seemed unnecessary to hog so many resources for all that time (could have gone on forever).

            I hope you can tell me if there's anything else I can do as an alternative, and whether the ComboFix log below shows up any other problems.

            Thanks again.




            ComboFix 10-02-19.04 - Owner 1-Feb-2010   9:37.2.1 - x86
            Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
            Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
            AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            .
            --------------- FCopy ---------------

            c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sys
            c:\windows\$NtServicePackUninstall$\tcpip.sys --> c:\windows\system32\dllcache\tcpip.sys
            c:\windows\$NtServicePackUninstall$\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
            .
            (((((((((((((((((((((((((   Files Created from 2010-01-21 to 2010-02-21  )))))))))))))))))))))))))))))))
            .

            2010-02-21 09:27 . 2004-08-04 05:00   95360   ----a-w-   C:\atapi.sys
            2010-02-20 16:06 . 2010-02-20 16:06   --------   d-----w-   c:\documents and settings\Owner\Application Data\AVG9
            2010-02-20 10:14 . 2010-02-20 10:14   --------   d-----w-   C:\Team17
            2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
            2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\program files\NCH Swift Sound
            2010-02-08 23:56 . 2010-02-08 23:56   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
            2010-02-08 23:24 . 2010-02-08 23:57   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
            2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
            2010-02-08 22:20 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
            2010-02-08 22:20 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2010-02-08 20:54 . 2010-02-09 10:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
            2010-02-03 13:45 . 2010-02-08 20:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\TuneUp Software
            2010-02-03 13:31 . 2010-02-03 13:32   --------   d-----w-   c:\documents and settings\Owner\Application Data\HpUpdate

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2010-02-20 19:03 . 2009-11-11 09:40   --------   d-----w-   c:\documents and settings\Owner\Application Data\vlc
            2010-02-20 10:14 . 2003-01-01 10:50   --------   d--h--w-   c:\program files\InstallShield Installation Information
            2010-02-17 11:50 . 2007-10-01 13:18   --------   d-----w-   c:\documents and settings\Owner\Application Data\uTorrent
            2010-02-16 23:07 . 2006-08-26 22:08   --------   d-----w-   c:\documents and settings\Owner\Application Data\NCH Swift Sound
            2010-02-13 13:12 . 2004-04-22 17:38   --------   d-----w-   c:\program files\Common Files\Adobe
            2010-02-06 19:46 . 2009-12-13 10:19   --------   d-----w-   c:\program files\The KMPlayer
            2010-02-03 16:51 . 2003-01-01 10:05   --------   d-----w-   c:\program files\HP
            2010-02-03 13:31 . 2003-01-01 10:05   --------   d-----w-   c:\program files\Hewlett-Packard
            2010-02-03 13:21 . 2004-04-23 07:27   55176   -c--a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
            2009-12-21 19:14 . 2004-02-06 17:05   916480   ------w-   c:\windows\system32\wininet.dll
            2009-11-27 14:17 . 2009-11-27 14:17   134072   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
            2009-11-27 13:52 . 2009-11-27 13:52   721904   ----a-w-   c:\windows\system32\drivers\sptd.sys
            2006-02-21 14:59 . 2006-02-21 14:59   524300   -c--a-w-   c:\program files\position.bin
            2005-02-25 20:21 . 2005-02-25 20:21   1179648   -c--a-w-   c:\program files\book.bin
            2004-05-06 12:11 . 2005-02-07 10:36   777   -c--a-w-   c:\program files\trial_setup.ini
            2004-04-23 14:22 . 2004-04-23 14:22   0   -csha-w-   c:\windows\SMINST\HPCD.sys
            2005-06-11 13:14 . 2005-03-24 10:58   56   -csh--r-   c:\windows\system32\71E772F4EB.sys
            2005-07-14 18:31 . 2006-05-24 16:37   27648   -csha-w-   c:\windows\system32\AVSredirect.dll
            2005-06-26 21:32 . 2006-05-08 17:07   616448   -csha-r-   c:\windows\system32\cygwin1.dll
            2005-06-22 04:37 . 2006-05-24 16:37   45568   -csha-r-   c:\windows\system32\cygz.dll
            2006-08-04 08:30 . 2004-08-13 21:52   13146   -csha-w-   c:\windows\system32\KGyGaAvL.sys
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
            "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

            [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
            2009-10-16 12:12   1119488   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
            "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

            [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
            "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
            "PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920]
            "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
            2009-11-10 22:43   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

            [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
            SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
            backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
            backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
            backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup

            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
            backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it Software Notes Lite.lnk]
            backup=c:\windows\pss\Post-it Software Notes Lite.lnkCommon Startup

            [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^.lnk]
            backup=c:\windows\pss\.lnkStartup

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
            2003-01-01 11:13   159744   -c--a-w-   c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
            2009-12-11 15:57   948672   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
            2009-12-22 01:57   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
            2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
            2003-04-07 07:07   114688   ----a-w-   c:\windows\system32\hkcmd.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
            2003-02-11 20:02   61440   ----a-w-   c:\hp\KBD\kbd.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
            2004-01-28 08:19   159744   -c--a-w-   c:\program files\Saitek\Software\Profiler.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
            2007-08-07 00:05   200704   -c--a-w-   c:\program files\PowerISO\PWRISOVM.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
            2004-01-28 08:19   98304   -c--a-w-   c:\program files\Saitek\Software\SaiSmart.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
            2007-04-16 15:28   577536   ----a-w-   c:\windows\soundman.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
            2007-03-14 03:43   83608   -c--a-w-   c:\program files\Java\jre1.6.0_01\bin\jusched.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
            "iPodService"=3 (0x3)
            "UserAccess7"=2 (0x2)
            "MDM"=2 (0x2)
            "Net message Service"=2 (0x2)
            "KService"=2 (0x2)
            "iPod Service"=3 (0x3)
            "Apple Mobile Device"=2 (0x2)
            "WLSetupSvc"=3 (0x3)
            "idsvc"=3 (0x3)

            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
            "Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
            "ctfmon.exe"=c:\windows\system32\CTFMON.EXE
            "NVIEW"=rundll32.exe nview.dll,nViewLoadHook

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
            "OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
            "SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe
            "InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
            "IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
            "nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
            "AlcxMonitor"=ALCXMNTR.EXE
            "HPHmon05"=c:\windows\System32\hphmon05.exe
            "NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
            "DisableMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
            "DisableMonitoring"=dword:00000001

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "c:\\Program Files\\uTorrent\\uTorrent.exe"=
            "c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
            "c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
            "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
            "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
            "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
            "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
            "c:\\Program Files\\Opera\\opera.exe"=

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
            "7354:TCP"= 7354:TCP:ppLive
            "6461:UDP"= 6461:UDP:ppLive
            "21780:TCP"= 21780:TCP:BitComet 21780 TCP
            "21780:UDP"= 21780:UDP:BitComet 21780 UDP
            "6881:TCP"= 6881:TCP:BitComet 6881 TCP
            "6881:UDP"= 6881:UDP:BitComet 6881 UDP

            R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
            R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
            R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584]
            R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520]
            R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392]
            R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656]
            R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936]
            R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456]
            S1 etqmhlnl;etqmhlnl;\??\c:\windows\system32\drivers\etqmhlnl.sys --> c:\windows\system32\drivers\etqmhlnl.sys [?]
            S1 xrhdbctp;xrhdbctp;\??\c:\windows\system32\drivers\xrhdbctp.sys --> c:\windows\system32\drivers\xrhdbctp.sys [?]
            S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512]
            S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704]
            S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
            .
            Contents of the 'Scheduled Tasks' folder

            2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job
            - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

            2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job
            - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

            2009-04-08 c:\windows\Tasks\shutdown.job
            - c:\windows\system32\shutdown.exe [2003-01-01 00:12]

            2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job
            - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.ask.com?o=15187&l=dis
            uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
            mSearch Bar = hxxp://srch-qgb10.hpwis.com/
            uInternet Connection Wizard,ShellNext = iexplore
            uInternet Settings,ProxyOverride = 127.0.0.1
            uSearchAssistant = hxxp://www.google.com/ie
            uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
            Trusted Zone: apple.com\phobos
            Trusted Zone: apple.com\www
            Trusted Zone: barclaycard.co.uk\www
            Trusted Zone: buy-internetsecurity10.com
            Trusted Zone: buy-is2010.com
            Trusted Zone: capitalfm.com\www
            Trusted Zone: denness.net\tracker
            Trusted Zone: is-software-download.com
            Trusted Zone: is-software-download25.com
            Trusted Zone: is10-soft-download.com
            Trusted Zone: mlb.com\mlb
            Trusted Zone: buy-internetsecurity10.com
            Trusted Zone: buy-is2010.com
            DPF: Microsoft XML Parser for Java
            DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
            DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx
            .

            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2010-02-21 09:48
            Windows 5.1.2600 Service Pack 3 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 

            scan completed successfully
            hidden files: 0

            **************************************************************************

            Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

            device: opened successfully
            user: MBR read successfully
            called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82EF61F8]<<
            kernel: MBR read successfully
            detected MBR rootkit hooks:
            \Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
            \Driver\ACPI -> ACPI.sys @ 0xf833dcb8
            \Driver\atapi -> prosync1.sys @ 0xf89a76c1
            IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
            \Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
            NDIS:  -> SendCompleteHandler -> 0x0
             PacketIndicateHandler -> 0x0
             SendHandler -> 0x0
            user & kernel MBR OK

            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------

            [HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
            "GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games"
            "ShortlistDir"=""
            "ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008"
            "SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\"
            "HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points"
            "LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat"
            "LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm"
            "Language"="English"
            "LoadLangDB"=dword:00000001
            "CompressHistoryPoints"=dword:00000000
            "HighlightedAttributes"=dword:00000000
            "MinCondition"=dword:00000032
            "SkinID"=dword:00000001
            "LastUpdateCheck"=dword:00000000
            "HighQualityGUI"=dword:00000001
            "AutomaticallyUpdateCheck"=dword:00000001
            "AdvancedGeneration"=dword:00000000
            "TranslateStaffSkills"=dword:00000001
            "TranslatePlayerSkills"=dword:00000001
            "TranslatePositions"=dword:00000001
            "ShowHistory"=dword:00000001
            "WindowState"=dword:00000002
            "Currency"=dword:00000056
            "WindowHeight"=dword:0000026d
            "WindowWidth"=dword:000003fc
            "WindowLeft"=dword:00000002
            "WindowTop"=dword:0000004a
            "UseProxy"=dword:00000000
            "ProxyHost"=""
            "ProxyPort"=""
            "UseAuthentication"=dword:00000000
            "UserName"=""
            "UserPassword"=""

            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(576)
            c:\windows\System32\Ati2evxx.dll

            - - - - - - - > 'explorer.exe'(1592)
            c:\windows\system32\WININET.dll
            c:\progra~1\WINDOW~2\wmpband.dll
            c:\windows\system32\ieframe.dll
            c:\windows\system32\webcheck.dll
            c:\windows\system32\WPDShServiceObj.dll
            c:\windows\system32\PortableDeviceTypes.dll
            c:\windows\system32\PortableDeviceApi.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\windows\system32\Ati2evxx.exe
            c:\program files\AVG\AVG9\avgrsx.exe
            c:\program files\AVG\AVG9\avgcsrvx.exe
            c:\windows\system32\LEXBCES.EXE
            c:\windows\System32\Ati2evxx.exe
            c:\program files\AVG\AVG9\avgnsx.exe
            c:\program files\AVG\AVG9\avgcsrvx.exe
            c:\windows\System32\logon.scr
            .
            **************************************************************************
            .
            Completion time: 2010-02-21  09:57:19 - machine was rebooted
            ComboFix-quarantined-files.txt  2010-02-21 09:57
            ComboFix2.txt  2010-02-20 15:48

            Pre-Run: 31,761,469,440 bytes free
            Post-Run: 31,720,009,728 bytes free

            - - End Of File - - 7325B3571794845FC4525A152B369C4A

            evilfantasy

            Re: infected atapi.sys file
            « Reply #9 on: February 21, 2010, 11:21:27 AM »
            I left something out of the fix. Sorry...

            1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
            It must be Notepad, not Wordpad.
            2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

            Code:
            KillAll::

            Driver::
            etqmhlnl
            xrhdbctp

            DDS::
            Trusted Zone: apple.com\phobos
            Trusted Zone: apple.com\www
            Trusted Zone: barclaycard.co.uk\www
            Trusted Zone: buy-internetsecurity10.com
            Trusted Zone: buy-is2010.com
            Trusted Zone: capitalfm.com\www
            Trusted Zone: denness.net\tracker
            Trusted Zone: is-software-download.com
            Trusted Zone: is-software-download25.com
            Trusted Zone: is10-soft-download.com
            Trusted Zone: mlb.com\mlb
            Trusted Zone: buy-internetsecurity10.com
            Trusted Zone: buy-is2010.com


            3. Go to the Notepad window and click Edit > Paste
            4. Then click File > Save
            5. Name the file CFScript.txt - Save the file to your Desktop
            6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



            ComboFix will begin to execute, just follow the prompts.
            After reboot (in case it asks to reboot), it will produce a log for you.
            Post that log (Combofix.txt) in your next reply.

            Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

            gange


              Re: infected atapi.sys file
              « Reply #10 on: February 21, 2010, 12:47:56 PM »
              OK, so here is the latest ComboFix log:


              ComboFix 10-02-19.04 - Owner 1-Feb-2010  19:17:47.3.1 - x86
              Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
              Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
              AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              .
              (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              -------\Service_etqmhlnl
              -------\Service_xrhdbctp


              (((((((((((((((((((((((((   Files Created from 2010-01-21 to 2010-02-21  )))))))))))))))))))))))))))))))
              .

              2010-02-21 10:12 . 2010-02-21 10:13   --------   d-----w-   C:\RootRepeal
              2010-02-21 09:27 . 2004-08-04 05:00   95360   ----a-w-   C:\atapi.sys
              2010-02-20 16:06 . 2010-02-20 16:06   --------   d-----w-   c:\documents and settings\Owner\Application Data\AVG9
              2010-02-20 10:14 . 2010-02-20 10:14   --------   d-----w-   C:\Team17
              2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
              2010-02-16 23:05 . 2010-02-17 00:14   --------   d-----w-   c:\program files\NCH Swift Sound
              2010-02-08 23:56 . 2010-02-08 23:56   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
              2010-02-08 23:24 . 2010-02-08 23:57   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
              2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
              2010-02-08 22:20 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
              2010-02-08 22:20 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2010-02-08 22:20 . 2010-02-08 22:20   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
              2010-02-08 20:54 . 2010-02-09 10:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
              2010-02-03 13:45 . 2010-02-08 20:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\TuneUp Software
              2010-02-03 13:31 . 2010-02-03 13:32   --------   d-----w-   c:\documents and settings\Owner\Application Data\HpUpdate

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-02-21 19:08 . 2009-11-11 09:40   --------   d-----w-   c:\documents and settings\Owner\Application Data\vlc
              2010-02-20 10:14 . 2003-01-01 10:50   --------   d--h--w-   c:\program files\InstallShield Installation Information
              2010-02-17 11:50 . 2007-10-01 13:18   --------   d-----w-   c:\documents and settings\Owner\Application Data\uTorrent
              2010-02-16 23:07 . 2006-08-26 22:08   --------   d-----w-   c:\documents and settings\Owner\Application Data\NCH Swift Sound
              2010-02-13 13:12 . 2004-04-22 17:38   --------   d-----w-   c:\program files\Common Files\Adobe
              2010-02-06 19:46 . 2009-12-13 10:19   --------   d-----w-   c:\program files\The KMPlayer
              2010-02-03 16:51 . 2003-01-01 10:05   --------   d-----w-   c:\program files\HP
              2010-02-03 13:31 . 2003-01-01 10:05   --------   d-----w-   c:\program files\Hewlett-Packard
              2010-02-03 13:21 . 2004-04-23 07:27   55176   -c--a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
              2009-12-31 16:50 . 2003-01-01 15:41   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
              2009-12-21 19:14 . 2004-02-06 17:05   916480   ------w-   c:\windows\system32\wininet.dll
              2009-12-16 18:43 . 2003-01-01 22:38   343040   ----a-w-   c:\windows\system32\mspaint.exe
              2009-12-14 07:08 . 2003-01-01 22:37   33280   ----a-w-   c:\windows\system32\csrsrv.dll
              2009-12-08 19:27 . 2003-01-01 22:38   2189184   ------w-   c:\windows\system32\ntoskrnl.exe
              2009-12-08 18:43 . 2002-08-29 08:04   2066048   ------w-   c:\windows\system32\ntkrnlpa.exe
              2009-12-04 18:22 . 2003-01-01 15:40   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
              2009-11-27 17:11 . 2003-05-30 16:00   1291776   ----a-w-   c:\windows\system32\quartz.dll
              2009-11-27 17:11 . 2003-01-01 09:32   17920   ----a-w-   c:\windows\system32\msyuv.dll
              2009-11-27 16:07 . 2003-01-01 22:38   28672   ----a-w-   c:\windows\system32\msvidc32.dll
              2009-11-27 16:07 . 2001-08-18 05:36   8704   ----a-w-   c:\windows\system32\tsbyuv.dll
              2009-11-27 16:07 . 2003-01-01 22:38   11264   ----a-w-   c:\windows\system32\msrle32.dll
              2009-11-27 16:07 . 2003-01-01 22:36   84992   ----a-w-   c:\windows\system32\avifil32.dll
              2009-11-27 16:07 . 2001-08-18 05:36   48128   ----a-w-   c:\windows\system32\iyuv_32.dll
              2009-11-27 14:17 . 2009-11-27 14:17   134072   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
              2009-11-27 13:52 . 2009-11-27 13:52   721904   ----a-w-   c:\windows\system32\drivers\sptd.sys
              2006-02-21 14:59 . 2006-02-21 14:59   524300   -c--a-w-   c:\program files\position.bin
              2005-02-25 20:21 . 2005-02-25 20:21   1179648   -c--a-w-   c:\program files\book.bin
              2004-05-06 12:11 . 2005-02-07 10:36   777   -c--a-w-   c:\program files\trial_setup.ini
              2004-04-23 14:22 . 2004-04-23 14:22   0   -csha-w-   c:\windows\SMINST\HPCD.sys
              2005-06-11 13:14 . 2005-03-24 10:58   56   -csh--r-   c:\windows\system32\71E772F4EB.sys
              2005-07-14 18:31 . 2006-05-24 16:37   27648   -csha-w-   c:\windows\system32\AVSredirect.dll
              2005-06-26 21:32 . 2006-05-08 17:07   616448   -csha-r-   c:\windows\system32\cygwin1.dll
              2005-06-22 04:37 . 2006-05-24 16:37   45568   -csha-r-   c:\windows\system32\cygz.dll
              2006-08-04 08:30 . 2004-08-13 21:52   13146   -csha-w-   c:\windows\system32\KGyGaAvL.sys
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
              "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

              [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
              2009-10-16 12:12   1119488   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
              "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

              [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Acme.PCHButton"="c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-01-01 159744]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
              "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
              "PS2"="c:\windows\system32\ps2.exe" [2002-07-31 81920]
              "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              Shortcut to avgtray.exe.lnk - c:\program files\AVG\AVG9\avgtray.exe [2009-11-10 2033432]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
              2009-11-10 22:43   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

              [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
              SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
              backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
              backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
              backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup

              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
              backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it Software Notes Lite.lnk]
              backup=c:\windows\pss\Post-it Software Notes Lite.lnkCommon Startup

              [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^.lnk]
              backup=c:\windows\pss\.lnkStartup

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
              2003-01-01 11:13   159744   -c--a-w-   c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
              2009-12-11 15:57   948672   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
              2009-12-22 01:57   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
              2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
              2003-04-07 07:07   114688   ----a-w-   c:\windows\system32\hkcmd.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
              2003-02-11 20:02   61440   ----a-w-   c:\hp\KBD\kbd.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
              2004-01-28 08:19   159744   -c--a-w-   c:\program files\Saitek\Software\Profiler.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
              2007-08-07 00:05   200704   -c--a-w-   c:\program files\PowerISO\PWRISOVM.EXE

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
              2004-01-28 08:19   98304   -c--a-w-   c:\program files\Saitek\Software\SaiSmart.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
              2007-04-16 15:28   577536   ----a-w-   c:\windows\soundman.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
              2007-03-14 03:43   83608   -c--a-w-   c:\program files\Java\jre1.6.0_01\bin\jusched.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
              "iPodService"=3 (0x3)
              "UserAccess7"=2 (0x2)
              "MDM"=2 (0x2)
              "Net message Service"=2 (0x2)
              "KService"=2 (0x2)
              "iPod Service"=3 (0x3)
              "Apple Mobile Device"=2 (0x2)
              "WLSetupSvc"=3 (0x3)
              "idsvc"=3 (0x3)

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
              "Acme.PCHButton"=c:\progra~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe
              "ctfmon.exe"=c:\windows\system32\CTFMON.EXE
              "NVIEW"=rundll32.exe nview.dll,nViewLoadHook

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
              "OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe"
              "SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_06\bin\jusched.exe
              "InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
              "IndexSearch"=c:\program files\Scansoft\PaperPort\IndexSearch.exe
              "nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
              "AlcxMonitor"=ALCXMNTR.EXE
              "HPHmon05"=c:\windows\System32\hphmon05.exe
              "NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
              "DisableMonitoring"=dword:00000001

              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
              "DisableMonitoring"=dword:00000001

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "c:\\Program Files\\uTorrent\\uTorrent.exe"=
              "c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
              "c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
              "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
              "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
              "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
              "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
              "c:\\Program Files\\Opera\\opera.exe"=

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
              "7354:TCP"= 7354:TCP:ppLive
              "6461:UDP"= 6461:UDP:ppLive
              "21780:TCP"= 21780:TCP:BitComet 21780 TCP
              "21780:UDP"= 21780:UDP:BitComet 21780 UDP
              "6881:TCP"= 6881:TCP:BitComet 6881 TCP
              "6881:UDP"= 6881:UDP:BitComet 6881 UDP

              R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27-Nov-2009 13:52 721904]
              R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10-Nov-2009 21:46 333192]
              R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10-Nov-2009 21:46 360584]
              R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10-Nov-2009 22:42 906520]
              R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10-Nov-2009 22:42 285392]
              R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [29-Aug-2008 07:57 26656]
              R3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [26-Jul-2004 11:54 55936]
              R3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [26-Jul-2004 11:54 19456]
              S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [28-Sep-2006 11:08 16512]
              S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23-Dec-2008 15:35 50704]
              S3 zlportio;zlportio;\??\c:\windows\Temp\tmp000041190\zlportio.sys --> c:\windows\Temp\tmp000041190\zlportio.sys [?]
              .
              Contents of the 'Scheduled Tasks' folder

              2010-02-16 c:\windows\Tasks\mixpadSevenDaysInit.job
              - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

              2010-02-18 c:\windows\Tasks\mixpadShakeIcon.job
              - c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-02-16 23:05]

              2009-04-08 c:\windows\Tasks\shutdown.job
              - c:\windows\system32\shutdown.exe [2003-01-01 00:12]

              2010-02-18 c:\windows\Tasks\wavepadShakeIcon.job
              - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-16 23:05]
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://www.ask.com?o=15187&l=dis
              uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
              mSearch Bar = hxxp://srch-qgb10.hpwis.com/
              uInternet Connection Wizard,ShellNext = iexplore
              uInternet Settings,ProxyOverride = 127.0.0.1
              uSearchAssistant = hxxp://www.google.com/ie
              uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
              DPF: Microsoft XML Parser for Java
              DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
              DPF: {AA44D0B1-B2B4-4BCC-B710-CB45C6C2C270} - file:///C:/CoralGreyhoundInstallation/GreyhoundsViewer.ocx
              .

              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2010-02-21 19:29
              Windows 5.1.2600 Service Pack 3 NTFS

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************

              Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

              device: opened successfully
              user: MBR read successfully
              called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82E881F8]<<
              kernel: MBR read successfully
              detected MBR rootkit hooks:
              \Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
              \Driver\ACPI -> ACPI.sys @ 0xf833dcb8
              \Driver\atapi -> prosync1.sys @ 0xf89a76c1
              IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
              \Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
              NDIS:  -> SendCompleteHandler -> 0x0
               PacketIndicateHandler -> 0x0
               SendHandler -> 0x0
              user & kernel MBR OK

              **************************************************************************
              .
              --------------------- LOCKED REGISTRY KEYS ---------------------

              [HKEY_USERS\S-1-5-21-1002633438-1285766612-3330700345-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
              "GameDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games"
              "ShortlistDir"=""
              "ScreenshotsDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008"
              "SaveDir"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\"
              "HistoryDir"="c:\\Documents and Settings\\Owner\\Desktop\\New Folder (2)\\New Folder\\FM Genie Scout 2008\\History Points"
              "LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2008\\data\\updates\\update-802\\db\\802\\lang_db.dat"
              "LastSaveGame"="c:\\Documents and Settings\\Owner\\My Documents\\Sports Interactive\\Football Manager 2008\\games\\burnley2.fm"
              "Language"="English"
              "LoadLangDB"=dword:00000001
              "CompressHistoryPoints"=dword:00000000
              "HighlightedAttributes"=dword:00000000
              "MinCondition"=dword:00000032
              "SkinID"=dword:00000001
              "LastUpdateCheck"=dword:00000000
              "HighQualityGUI"=dword:00000001
              "AutomaticallyUpdateCheck"=dword:00000001
              "AdvancedGeneration"=dword:00000000
              "TranslateStaffSkills"=dword:00000001
              "TranslatePlayerSkills"=dword:00000001
              "TranslatePositions"=dword:00000001
              "ShowHistory"=dword:00000001
              "WindowState"=dword:00000002
              "Currency"=dword:00000056
              "WindowHeight"=dword:0000026d
              "WindowWidth"=dword:000003fc
              "WindowLeft"=dword:00000002
              "WindowTop"=dword:0000004a
              "UseProxy"=dword:00000000
              "ProxyHost"=""
              "ProxyPort"=""
              "UseAuthentication"=dword:00000000
              "UserName"=""
              "UserPassword"=""


              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(1360)
              c:\windows\System32\Ati2evxx.dll

              - - - - - - - > 'explorer.exe'(1048)
              c:\windows\system32\WININET.dll
              c:\progra~1\WINDOW~2\wmpband.dll
              c:\windows\system32\ieframe.dll
              c:\windows\system32\webcheck.dll
              c:\windows\system32\WPDShServiceObj.dll
              c:\windows\system32\PortableDeviceTypes.dll
              c:\windows\system32\PortableDeviceApi.dll
              .
              ------------------------ Other Running Processes ------------------------
              .
              c:\windows\system32\Ati2evxx.exe
              c:\program files\AVG\AVG9\avgrsx.exe
              c:\program files\AVG\AVG9\avgcsrvx.exe
              c:\windows\system32\LEXBCES.EXE
              c:\program files\AVG\AVG9\avgnsx.exe
              c:\windows\System32\Ati2evxx.exe
              c:\program files\AVG\AVG9\avgcsrvx.exe
              c:\windows\System32\logon.scr
              .
              **************************************************************************
              .
              Completion time: 2010-02-21  19:37:14 - machine was rebooted
              ComboFix-quarantined-files.txt  2010-02-21 19:37
              ComboFix2.txt  2010-02-21 09:57
              ComboFix3.txt  2010-02-20 15:48

              Pre-Run: 29,495,021,568 bytes free
              Post-Run: 29,456,936,960 bytes free

              - - End Of File - - 7DAE080EA2C29390E10A5EC440EFD8CC

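For anyone reading these logs later, here is a small added triage script (example code, not from the thread, ComboFix or GMER) that parses the GMER MBR-detector block shown above and flags the two anomalies it records: the >>UNKNOWN<< address in the disk call chain and the \Driver\atapi dispatch redirected into prosync1.sys. The expected-owner table and the embedded sample input are assumptions constructed for the example.

```python
"""Triage the GMER 'Stealth MBR rootkit' block that ComboFix appends to its log.

Added example, not part of the forum thread or of ComboFix/GMER. It reads the
'called modules' line and the 'detected MBR rootkit hooks' list and flags what
the thread's logs show: an address GMER could not attribute to a loaded module
(>>UNKNOWN [addr]<<) in the disk I/O path, and a \\Driver\\<name> object whose
dispatch points into a module that is not the driver's own binary (here
\\Driver\\atapi -> prosync1.sys). EXPECTED_OWNERS is an assumed XP baseline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed baseline: binaries that legitimately own each driver object's
# dispatch on Windows XP. Extend or replace for other Windows versions.
EXPECTED_OWNERS = {
    r"\Driver\Disk": {"disk.sys", "classpnp.sys"},
    r"\Driver\ACPI": {"acpi.sys"},
    r"\Driver\atapi": {"atapi.sys"},
}

# Shape of a hook line: "\Driver\atapi -> prosync1.sys @ 0xf89a76c1"
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s*->\s*(\S+)\s*@\s*(0x[0-9a-fA-F]+)\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


@dataclass
class Finding:
    kind: str      # "unknown_module" or "hijacked_dispatch"
    detail: str
    address: str


def parse_mbr_block(log_text: str) -> list[Finding]:
    """Return findings from the GMER MBR detector section of a ComboFix log."""
    findings: list[Finding] = []
    in_hooks = False
    for raw in log_text.splitlines():
        line = raw.strip()  # pasted ComboFix logs carry deep indentation
        if line.startswith("called modules:"):
            m = UNKNOWN_RE.search(line)
            if m:
                # Modules before the marker are the call chain GMER walked
                # through the disk stack; the last one precedes the address
                # it could not attribute to any loaded module.
                chain = line.split("called modules:", 1)[1].split(">>", 1)[0].split()
                last = chain[-1] if chain else "(none)"
                findings.append(Finding(
                    "unknown_module",
                    f"unattributed code in disk I/O path after {last}",
                    m.group(1)))
            continue
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            if not line or line.startswith("user & kernel MBR"):
                in_hooks = False
                continue
            m = HOOK_RE.match(line)
            if not m:
                # IoDeviceObjectType, \Device\... and NDIS lines have another
                # shape and are not dispatch redirections of a \Driver object.
                continue
            driver, module, addr = m.groups()
            allowed = EXPECTED_OWNERS.get(driver)
            if allowed is not None and module.lower() not in allowed:
                findings.append(Finding(
                    "hijacked_dispatch",
                    f"{driver} dispatch points into {module}",
                    addr))
    return findings


# Constructed sample: the MBR detector block as it appears in the thread's log.
SAMPLE_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x82E881F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf833dcb8
\Driver\atapi -> prosync1.sys @ 0xf89a76c1
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS:  -> SendCompleteHandler -> 0x0
 PacketIndicateHandler -> 0x0
 SendHandler -> 0x0
user & kernel MBR OK
"""

if __name__ == "__main__":
    for f in parse_mbr_block(SAMPLE_LOG):
        print(f"{f.kind:18} {f.address:12} {f.detail}")
```

A clean machine yields no findings from this block; a hook whose target is the driver's own binary is not reported.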
              evilfantasy

              Re: infected atapi.sys file
              « Reply #11 on: February 21, 2010, 12:53:50 PM »
              Hopefully we are about done.

              * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
              * Now type Combofix /Uninstall in the Run box
              * Make sure there's a space between Combofix and /Uninstall
              * Then hit Enter

              * The above procedure will:
                * Delete the following:
                  * ComboFix and its associated files and folders.
                * Reset the clock settings.
                * Hide file extensions, if required.
                * Hide System/Hidden files, if required.
                * Set a new, clean Restore Point.

              ----------

              Clean out your temporary internet files and temp files.

              Download TFC by OldTimer to your desktop.

              Double-click TFC.exe to run it.

              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

              TFC will close all programs when run, so make sure you have saved all your work before you begin.

              * Click the Start button to begin the cleaning process.
              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
              * Please let TFC run uninterrupted until it is finished.

              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

              ----------

              ESET Online Scan

              Scan your computer with the ESET FREE Online Virus Scan

              * Click the ESET Online Scanner button.

              * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
              * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
              * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
              * Place a check mark next to YES, I accept the Terms of Use.

              * Click the Start button.
              * Accept any security warnings from your browser.
              * Leave the check mark next to Remove found threats and place a check next to Scan archives.
              * Click the Start button.
              * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
              * When the scan completes, click List of found threats.
              * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
              * Click the <<Back button then click Finish.

              In your next reply please include the ESET Online Scan log.

              gange

                Topic Starter


                Greenhorn

                Re: infected atapi.sys file
                « Reply #12 on: February 21, 2010, 04:14:33 PM »
                This is the ESETScan log:

                 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir   Win32/Olmarik.RF virus   deleted - quarantined

                So I checked the box to have ESET remove this quarantined file.

                The ComboFix uninstall didn't seem to get rid of Qoobox, so I guess I should just delete the Qoobox folder.

                Is there anything else I need to do?

                Thanks again for the help.
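The ESET log above only confirms that the quarantined copy under Qoobox was the infected one; it says nothing about the atapi.sys that is now live in the drivers folder. One defensive check a practitioner would run at this point is to confirm that the live driver carries a valid Microsoft Authenticode signature and, if a known-good copy is available, that its hash matches. The following PowerShell is an added example and is not code from this thread, from ComboFix or from ESET; it assumes Windows PowerShell 4.0 or later (for Get-FileHash) and that the optional `-ReferenceCopy` path, a hypothetical parameter, points at a known-good atapi.sys you trust.

```powershell
# Added example (not part of the thread): report signature status and hash of the
# live atapi.sys so a rootkit-patched driver can be told apart from the genuine one.
function Test-DriverIntegrity {
    param(
        # Default is the boot-critical IDE/ATAPI driver discussed in the thread.
        [string]$DriverPath = "$env:SystemRoot\System32\drivers\atapi.sys",
        # Hypothetical: path to a known-good copy of the same driver, if you have one.
        [string]$ReferenceCopy = ""
    )

    if (-not (Test-Path -LiteralPath $DriverPath)) {
        throw "Driver not found: $DriverPath"
    }

    # Get-AuthenticodeSignature verifies the embedded or catalog signature.
    $sig    = Get-AuthenticodeSignature -FilePath $DriverPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(none)" }
    $hash   = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash

    $result = [ordered]@{
        Path            = $DriverPath
        SizeBytes       = (Get-Item -LiteralPath $DriverPath).Length
        LastWrite       = (Get-Item -LiteralPath $DriverPath).LastWriteTime
        SHA256          = $hash
        SignatureStatus = $sig.Status            # expect 'Valid' on a clean system
        Signer          = $signer
        MicrosoftSigned = ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*')
    }

    # Optional second opinion: compare against a trusted copy of the same driver build.
    if ($ReferenceCopy -and (Test-Path -LiteralPath $ReferenceCopy)) {
        $refHash = (Get-FileHash -LiteralPath $ReferenceCopy -Algorithm SHA256).Hash
        $result.ReferenceSHA256  = $refHash
        $result.MatchesReference = ($refHash -eq $hash)
    }

    [pscustomobject]$result
}

# Usage: run from an elevated PowerShell prompt.
Test-DriverIntegrity | Format-List
```

Two caveats when reading the output. First, Windows system drivers are usually catalog-signed rather than carrying an embedded signature, and older PowerShell versions report such files as `NotSigned`; treat that status as "could not verify" rather than "tampered", and confirm on a newer PowerShell or by other means. Second, a hash that differs from a reference copy is only meaningful if the reference is the same driver build (same Windows version and service pack), which is why the signature status is the primary signal here.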

                evilfantasy

                • Malware Removal Specialist
                • Moderator


                Re: infected atapi.sys file
                « Reply #13 on: February 21, 2010, 04:24:08 PM »
                Yes you can delete the qoobox folder manually. It isn't removed automatically like the other files are.


                Final suggestions.


                Use the Secunia Software Inspector to check for out of date software.

                * Click Start Now
                * Check the box next to Enable thorough system inspection.
                * Click Start
                * Allow the scan to finish and scroll down to see if any updates are needed.
                * Update anything listed.

                ----------

                Go to Microsoft Windows Update and get all critical updates.

                ----------

                If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

                ----------

                I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection, so they will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

                I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                * Using SpywareBlaster to protect your computer from Spyware and Malware
                * If you don't know what ActiveX controls are, see here

                Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
                * Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.