Jump to content

Recommended Posts

I am running windows 7 ultimate 32 bit and i installed avg internet security 9.0. i found this threat in my computer

\"C:\\WINDOWS\\system32\\drivers\\atapi.sys\";\"Tr ojan horse Rootkit-Pakes.U\";\"Object is white-listed (critical/system file that should not be removed)\".

I try to use malwarebytes and is says its clean.. but when i scan with virustotal.com, it detects a trojan... they say that this site can help me fix my problem. i don't now how to remove the trojan....

hope you can HELP me...

This is the result of my hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:10:31 PM, on 1/15/2010

Platform: Unknown Windows (WinNT 6.01.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Back DAN\leftsider103\leftsider.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\RocketDock\RocketDock.exe

C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Windows\system32\conhost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\BitComet\BitComet.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

R3 - URLSearchHook: Download Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P1.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Download Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P1.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll

O3 - Toolbar: Download Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P1.dll

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [leftsider] C:\Back DAN\leftsider103\leftsider.exe

O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O13 - Gopher Prefix:

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe

O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe

O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 8262 bytes

this is the latest scan of malwarebytes

Malwarebytes' Anti-Malware 1.44

Database version: 3568

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

1/15/2010 8:54:59 PM

mbam-log-2010-01-15 (20-54-59).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 209301

Time elapsed: 35 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

this is also the result of my latest scan of virus total

File atapi.sys received on 2010.01.15 14:29:39 (UTC)

Current status: finished

Result: 32/41 (78.05%)

Compact Compact

Print results Print results

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.01.15 Rootkit.Win32.TDSS!IK

AhnLab-V3 5.0.0.2 2010.01.14 Win-Trojan/Patched.X

AntiVir 7.9.1.142 2010.01.15 TR/Patched.Gen

Antiy-AVL 2.0.3.7 2010.01.12 -

Authentium 5.2.0.5 2010.01.15 -

Avast 4.8.1351.0 2010.01.15 Win32:Patched-LF

AVG 9.0.0.730 2010.01.15 Rootkit-Pakes.U

BitDefender 7.2 2010.01.15 Rootkit.TDSS.AH

CAT-QuickHeal 10.00 2010.01.15 -

ClamAV 0.94.1 2010.01.15 -

Comodo 3592 2010.01.15 Virus.Win32.Olmarik.OF0

DrWeb 5.0.1.12222 2010.01.15 BackDoor.Tdss.565

eSafe 7.0.17.0 2010.01.14 Win32.TRPatched

eTrust-Vet 35.2.7239 2010.01.15 -

F-Prot 4.5.1.85 2010.01.14 -

F-Secure 9.0.15370.0 2010.01.15 Trojan:W32/TDSS.gen!Z

Fortinet 4.0.14.0 2010.01.15 -

GData 19 2010.01.15 Rootkit.TDSS.AH

Ikarus T3.1.1.80.0 2010.01.15 Rootkit.Win32.TDSS

Jiangmin 13.0.900 2010.01.15 Rootkit.TDSS.ctw

K7AntiVirus 7.10.948 2010.01.15 Rootkit.Win32.TDSS.u

Kaspersky 7.0.0.125 2010.01.15 Rootkit.Win32.TDSS.u

McAfee 5861 2010.01.14 Patched-SYSFile

McAfee+Artemis 5861 2010.01.14 Patched-SYSFile

McAfee-GW-Edition 6.8.5 2010.01.15 Heuristic.LooksLike.Trojan.Patched.H

Microsoft 1.5302 2010.01.14 Virus:Win32/Alureon.A

NOD32 4774 2010.01.15 Win32/Olmarik.OF

Norman 6.04.03 2010.01.14 W32/TDSS.drv.gen4.A

nProtect 2009.1.8.0 2010.01.15 Trojan/W32.Rootkit.21584

Panda 10.0.2.2 2010.01.15 Adware/SystemGuard2009

PCTools 7.0.3.5 2010.01.15 Backdoor.Tidserv

Prevx 3.0 2010.01.15 High Risk Rootkit

Rising 22.30.04.04 2010.01.15 -

Sophos 4.49.0 2010.01.15 Mal/TDSSPack-V

Sunbelt 3.2.1858.2 2010.01.15 Trojan.Win32.Olmarik.of!damaged (V)

Symantec 20091.2.0.41 2010.01.15 Backdoor.Tidserv.H!inf

TheHacker 6.5.0.4.151 2010.01.15 Trojan/TDSS.u

TrendMicro 9.120.0.1004 2010.01.15 Cryp_TIDIES-12

VBA32 3.12.12.1 2010.01.15 Rootkit.Win32.TDSL

ViRobot 2010.1.15.2138 2010.01.15 -

VirusBuster 5.0.21.0 2010.01.15 Rootkit.Alureon.Gen!Pac.7

Additional information

File size: 21584 bytes

MD5 : 0978022ca6bec9fe7fc4c28ff9187cd4

SHA1 : e4812c7bf7ba150496692533eb5ad40583e2ba34

SHA256: 86cf4c77ecf01f08617fbc1b9be166aa2c765df996ff4045f5c502ff64adf23d

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x7000

timedatestamp.....: 0x4A5BBF13 (Tue Jul 14 01:11:15 2009)

machinetype.......: 0x14C (Intel I386)

( 6 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x2472 0x2600 6.22 9b9f242740c0a1c2494b23ae50935e6d

.rdata 0x4000 0xAE 0x200 1.54 1833a5650ae0f8256ba78bf8ed79d6e1

.data 0x5000 0xC 0x200 0.18 7c80b151582aa6280e754b477343e54e

INIT 0x6000 0x38C 0x400 4.66 392ce67c807da67e018ad9cf892fde4c

.rsrc 0x7000 0x3F0 0x400 5.35 939aa0f7636513af755445a05f2c200d

.reloc 0x8000 0xD2 0x200 2.47 035f51da8bf9893e51952ac185994f14

( 2 imports )

> ataport.sys: AtaPortNotification, AtaPortQuerySystemTime, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortCopyMemory, AtaPortEtwTraceLog, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange

> ntoskrnl.exe: KeTickCount

( 0 exports )

TrID : File type identification

Win64 Executable Generic (95.5%)

Generic Win/DOS Executable (2.2%)

DOS Executable Generic (2.2%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

ssdeep: 384:iN+KUt2BtUXbyTHoCtGRZjNVAsRMNSChq3BrLQu5VpBjbOjBMmhyMD:KdUtytUXbyTICtGjNMNbc

xAudkMmwMD

Prevx Info: http://info.prevx.com/aboutprogramtext.asp...977E000E31C7318

PEiD : -

RDS : NSRL Reference Data Set

hope you can help me. thank you so much

Link to post
Share on other sites

  • 2 weeks later...

Hello and welcome to Malwarebytes.

I Apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please take a read in this thread on instructions on running the tools and posting the logs for instructions: http://www.malwarebytes.org/forums/index.php?showtopic=9573

In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Please note that the forum is very busy and if I don

Link to post
Share on other sites

  • 2 weeks later...
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.