Thread: avg trojan horse pakes whitelisted

  1. #1
    Join Date
    Oct 2009
    Posts
    4

    avg trojan horse pakes whitelisted

    Avg scan shows:
    "Trojan horse Rootkit-Pakes.U";"C:\WINDOWS\system32\drivers\atapi.sys";"Object is white-listed (critical/system file that should not be removed)

    I'm using Windows XP SP2. I noticed this problem after installing several Windows updates last week.

    I'm not very comfortable with trying to fix this sort of thing, but have researched and, hopefully, am doing the right thing by posting these logs:


    Malwarebytes' Anti-Malware 1.41
    Database version: 3039
    Windows 5.1.2600 Service Pack 2

    10/27/2009 9:30:28 AM
    mbam-log-2009-10-27 (09-30-28).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 182680
    Time elapsed: 1 hour(s), 30 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.


    And combofix:

    ComboFix 09-10-20.03 - nancy 10/23/2009 22:51.1.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.1931 [GMT -4:00]
    Running from: c:\documents and settings\nancy\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
    .

    2009-10-23 16:43 . 2009-10-23 16:43 -------- d-----w- c:\documents and settings\nancy\Application Data\AVG8
    2009-10-22 15:34 . 2009-10-22 15:35 105104 ----a-w- C:\MGlogs.zip
    2009-10-22 15:34 . 2009-10-22 15:35 -------- d-----w- C:\MGtools
    2009-10-21 14:05 . 2009-10-21 14:05 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Xobni
    2009-10-21 06:07 . 2009-10-21 06:07 -------- d-----w- c:\documents and settings\john\Application Data\Malwarebytes
    2009-10-21 01:50 . 2009-10-21 01:50 -------- d-----w- c:\documents and settings\Junkie\Application Data\Malwarebytes
    2009-10-20 18:06 . 2009-10-20 18:06 -------- d-----w- c:\documents and settings\nancy\Application Data\Malwarebytes
    2009-10-20 18:05 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-20 18:05 . 2009-10-20 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-10-20 18:05 . 2009-10-22 14:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-20 18:05 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-10-16 01:42 . 2009-10-16 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Xobni
    2009-10-14 14:12 . 2009-10-14 14:12 -------- d-s---w- c:\documents and settings\john\UserData
    2009-10-14 14:12 . 2009-10-14 14:12 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\P2P_Torrent
    2009-10-13 12:00 . 2009-10-13 12:00 -------- d-----w- c:\documents and settings\john\Application Data\IObit
    2009-10-11 23:00 . 2009-10-11 23:00 -------- d-----w- c:\documents and settings\Junkie\Application Data\IObit
    2009-10-11 17:36 . 2009-10-11 17:36 -------- d-----w- c:\documents and settings\nancy\Application Data\IObit
    2009-10-10 18:32 . 2009-10-10 18:32 -------- d-----w- c:\documents and settings\Junkie\Application Data\SUPERAntiSpyware.com
    2009-10-10 13:15 . 2009-10-10 13:15 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-10-10 01:42 . 2009-10-10 13:14 -------- d-----w- c:\program files\Accessories

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-24 03:06 . 2009-01-28 04:29 -------- d-----w- c:\documents and settings\Junkie\Application Data\uTorrent
    2009-10-23 17:40 . 2009-01-28 00:08 -------- d-----w- c:\program files\AVG
    2009-10-23 17:39 . 2009-01-28 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-10-23 12:29 . 2009-01-28 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-10-22 13:23 . 2009-08-03 15:22 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-10-22 13:23 . 2009-03-19 22:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-10-22 13:21 . 2009-04-04 03:15 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-22 13:20 . 2009-01-28 16:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-10-22 13:20 . 2009-01-28 16:16 -------- d-----w- c:\program files\SpywareBlaster
    2009-10-16 01:42 . 2009-07-27 18:13 -------- d-----w- c:\program files\Xobni
    2009-10-15 20:59 . 2009-02-11 14:51 -------- d-----w- c:\documents and settings\nancy\Application Data\LimeWire
    2009-10-15 12:58 . 2009-02-11 22:13 -------- d-----w- c:\program files\P2P_Torrent
    2009-10-10 18:36 . 2009-07-27 18:12 -------- d-----w- c:\program files\Vuze
    2009-10-10 18:34 . 2009-01-28 21:50 -------- d-----w- c:\program files\Total Video Converter
    2009-10-10 18:34 . 2009-05-24 16:48 -------- d-----w- c:\program files\TeamViewer
    2009-10-10 18:28 . 2009-02-11 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
    2009-10-10 13:46 . 2009-01-27 23:51 87832 ----a-w- c:\documents and settings\nancy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-10 11:06 . 2009-02-01 18:34 87832 ----a-w- c:\documents and settings\john\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-02 19:31 . 2009-01-28 05:59 -------- d-----w- c:\documents and settings\Junkie\Application Data\U3
    2009-09-25 05:56 . 2006-03-04 03:33 662016 ----a-w- c:\windows\system32\wininet.dll
    2009-09-25 05:56 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-09-23 18:44 . 2009-04-04 23:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-09-21 22:40 . 2009-09-21 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
    2009-09-21 21:08 . 2009-02-11 22:17 -------- d-----w- c:\documents and settings\Junkie\Application Data\LimeWire
    2009-09-11 14:03 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-07 19:20 . 2009-01-28 04:25 87832 ----a-w- c:\documents and settings\Junkie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-04 20:45 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-03 23:56 . 2009-09-03 23:56 -------- d-----w- c:\documents and settings\Junkie\Application Data\GRETECH
    2009-09-03 23:24 . 2009-09-03 23:24 -------- d-----w- c:\program files\GRETECH
    2009-08-31 03:25 . 2009-08-31 03:13 -------- d-----w- c:\documents and settings\Junkie\Application Data\Steinberg
    2009-08-31 03:15 . 2009-08-31 03:10 -------- d-----w- c:\program files\Lexicon
    2009-08-31 03:14 . 2009-08-31 03:13 -------- d-----w- c:\program files\Steinberg
    2009-08-31 03:13 . 2009-08-31 03:12 -------- d-----w- c:\program files\Syncrosoft
    2009-08-31 03:13 . 2009-08-31 03:13 2892 ----a-w- c:\windows\system32\audcon.sys
    2009-08-31 03:13 . 2009-08-31 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Syncrosoft
    2009-08-26 08:16 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
    2009-08-25 05:49 . 2009-08-25 05:49 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
    2009-08-19 13:03 . 2009-01-28 15:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-08-19 13:03 . 2009-01-28 15:25 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-08-19 13:03 . 2009-01-28 15:25 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-08-05 09:11 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-04 12:51 . 2005-03-30 01:23 2185984 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-08-04 12:02 . 2005-03-30 01:01 2062976 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-03-16 01:48 . 2009-02-11 03:18 10856 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-07-24 13:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
    "Zone Labs Client"="c:\progra~1\ZONELA~1\ZONEAL~1\zlclient.exe" [2004-04-01 693520]
    "WINCINEMAMGR"="c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe" [2005-09-27 266240]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
    "PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-09-27 106496]
    "CTSysVol"="c:\program files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe" [2003-05-02 57344]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

    c:\documents and settings\Junkie\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-7-26 576000]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2009-01-27 23:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-19 13:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "15607:TCP"= 15607:TCP:BitComet 15607 TCP
    "15607:UDP"= 15607:UDP:BitComet 15607 UDP

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/28/2009 11:25 AM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/28/2009 11:25 AM 108552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/28/2009 11:25 AM 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/27/2009 10:56 PM 297752]
    R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [5/6/2009 9:21 PM 46824]
    R3 DfuUsb;DfuUsb;c:\windows\system32\drivers\DFUUsb.sys [11/8/2007 4:51 PM 10880]
    S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [7/18/2009 1:58 AM 234888]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe --> c:\program files\MAGIX\Common\Database\bin\fbserver.exe [?]
    S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
    S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [8/30/2009 11:12 PM 18432]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2009-10-19 c:\windows\Tasks\SmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-10-11 13:22]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file://e:\setup\RiffLick.cab
    FF - ProfilePath - c:\documents and settings\nancy\Application Data\Mozilla\Firefox\Profiles\lw63vwtn.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-23 23:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Componen ts\ð•€|ÿÿÿÿ.•€|þ»Ôw*]
    "AB141C35E9F4BF344B9FC010BB17F68A"=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(648)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

    - - - - - - - > 'winlogon.exe'(1524)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    .
    Completion time: 2009-10-24 23:08
    ComboFix-quarantined-files.txt 2009-10-24 03:08

    Pre-Run: 55,701,790,720 bytes free
    Post-Run: 55,754,956,800 bytes free

    - - End Of File - - 74D9DD5439EFBAC2DB3881202A030155


    If there's a way to get rid of the trojan, could you please be very specific? It's ok to treat me like a dummy haha.

    Thank you so much.
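Before acting on a "white-listed" detection like the one in the AVG line above, a practitioner would first check whether the flagged driver still matches the backup copies Windows File Protection keeps. The script below is an added example, not code from this thread; the dllcache and ServicePackFiles paths are assumptions about a default XP install, and `demo()` runs the comparison on constructed sample files rather than real drivers.

```python
import hashlib
import os
import tempfile

# Assumed XP locations (assumption, not from the thread's logs): the live driver
# AVG flagged, and the copies Windows File Protection keeps for restoring it.
SYSTEM_DRIVER = r"C:\WINDOWS\system32\drivers\atapi.sys"
REFERENCE_COPIES = [
    r"C:\WINDOWS\system32\dllcache\atapi.sys",
    r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",
]


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_driver(live_path, reference_paths):
    """Report whether the live driver matches each backup copy by SHA-256.

    Caveat: a kernel-mode rootkit can intercept user-mode reads and serve the
    original bytes, so a match does not prove the file is clean. A mismatch
    against an intact backup does show that the live file differs from what
    Windows installed, which is the fact worth establishing before anything
    is deleted by hand.
    """
    report = {"live": {"path": live_path, "sha256": sha256_of(live_path),
                       "size": os.path.getsize(live_path)},
              "references": {}, "missing": [], "mismatch": False}
    for ref in reference_paths:
        if not os.path.isfile(ref):
            report["missing"].append(ref)
            continue
        digest = sha256_of(ref)
        report["references"][ref] = {"sha256": digest, "size": os.path.getsize(ref)}
        if digest != report["live"]["sha256"]:
            report["mismatch"] = True
    return report


def demo():
    """Run the comparison on constructed sample files (not real drivers).

    Builds a temporary tree with one intact backup, one missing backup path,
    a clean live copy and a live copy with a single byte patched, and returns
    the reports for the clean and the patched copy.
    """
    root = tempfile.mkdtemp(prefix="atapi_check_")
    good = os.path.join(root, "dllcache_atapi.sys")
    live_clean = os.path.join(root, "drivers_atapi_clean.sys")
    live_patched = os.path.join(root, "drivers_atapi_patched.sys")
    original = b"MZ" + b"\x00" * 510 + b"fake atapi driver body " * 40
    with open(good, "wb") as fh:
        fh.write(original)
    with open(live_clean, "wb") as fh:
        fh.write(original)
    with open(live_patched, "wb") as fh:  # same size, one byte changed
        fh.write(original[:700] + b"X" + original[701:])
    refs = [good, os.path.join(root, "missing_backup.sys")]
    return compare_driver(live_clean, refs), compare_driver(live_patched, refs)


if __name__ == "__main__":
    clean, patched = demo()
    print("clean copy mismatch:", clean["mismatch"], "missing:", clean["missing"])
    print("patched copy mismatch:", patched["mismatch"])
    # On the real machine: compare_driver(SYSTEM_DRIVER, REFERENCE_COPIES)
```

Note that a size match alone proves nothing: the patched sample is byte-for-byte the same length as the original and is only caught by the hash.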

  2. #2
    Join Date
    Jan 2009
    Posts
    576

    Re: avg trojan horse pakes whitelisted

    Rootkits are hard to detect by some antivirus software; check here for more: What is Rootkit. How to remove it. You can also solve the problem manually by deleting all registry keys and files connected with Win32.Trojan.Pakes; check here: How to remove Trojan horse Rootkit-Pakes.U

  3. #3
    Join Date
    Oct 2009
    Posts
    4

    Re: avg trojan horse pakes whitelisted

    Thanks for your post. I need some direction to remedy this. Would you please elaborate on the following?

    [QUOTE]I think that one of your files that is infected by that trojan needs to be deleted, because it happened to me last week that I also got this same virus and the atapi.sys file of my Intel ICH8M 3 port Serial ATA controller was infected. The only thing that I did was uninstall the drivers for it, then delete the folder manually and reinstall them again, and my problem was solved. I hope that it helps you.[/QUOTE]


    I'm not computer literate, which drivers would I uninstall and how would I do that? Also, how to delete a folder manually and reinstall again?

    Sorry to be dense, this is all new to me...

  4. #4
    Join Date
    May 2008
    Posts
    4,085

    Re: avg trojan horse pakes whitelisted

    Go to Device Manager and there find the Serial ATA controller. Click on it and press Delete. Now confirm the delete and click No if asked to reboot. Go to the folder where this file exists [generally c:\windows\system or c:\windows\system32] and delete the atapi.sys file. Use Shift key + Delete key to delete it permanently. Then reboot your computer...

  5. #5
    Join Date
    Oct 2009
    Posts
    4

    Re: avg trojan horse pakes whitelisted

    I looked in Device Manager: under IDE ATA/ATAPI controllers there are the following folders:

    Intel(R) 82801EB Ultra ATA Storage Controllers (this is listed twice)

    Primary IDE channel
    Secondary channel

    I clicked on the Intel ATA controller and there isn't a delete option. My options are to update, disable or uninstall.

    In the meantime my AVG scan is loading with the same Pakes trojan horse over and over today; usually there's only one.

    Thanks for any help.

    Also, if I am to uninstall the driver, don't I need that driver?

  6. #6
    Join Date
    Jan 2006
    Posts
    4,221

    Re: avg trojan horse pakes whitelisted

    Win32.Trojan.Pakes copies its file(s) to your hard disk. Its typical file name is (*.*). Win32.Trojan.Pakes Removal Tool will find and fully remove Win32.Trojan.Pakes and all problems associated with Win32.Trojan.Pakes virus. If you cannot download or update the utils on the infected system try downloading both the programs and their updates on another computer and then copy them to a CD, DVD or USB disk to use on the infected system. Then it creates new startup key with name Win32.Trojan.Pakes and value (*.*). You can also find it in your processes list with name (*.*) or Win32.Trojan.Pakes. You can check out the following link.

    How to remove Trojan horse Rootkit-Pakes.U

    Trojan horse Rootkit-Pakes.M

  7. #7
    Join Date
    Oct 2009
    Posts
    4

    Re: avg trojan horse pakes whitelisted

    Sigh I don't understand what you're telling me to do. I'm sorry! Is there a pakes removal tool I'm supposed to download???

    I am clueless about removing files manually and clueless on finding half the things (files) mentioned. Can someone be very specific?

    I've cleaned up the computer and did the Malwarebytes and combofix scans posted above but don't know what the results mean.

    In spyware S&D I can't find any info about rootkits.

    And I don't even know what DLLs are.

    Sorry to be so dense...
