Attention: The forums will be placed on read only mode this Saturday (Oct. 20, 2018)

During this outage (6:30 AM to 8 PM PDT) the forums will be placed on read only mode. We apologize for this inconvenience. Click here to read details

Spyware, Viruses, & Security forum

General discussion

Windows 7 Trojan horse Rootkit-Pakes.U C:\WINDOWS\system32\d

by harolddan / January 12, 2010 3:13 PM PST

I am running windows 7 ultimate 32 bit and i installed avg internet security 9.0. i found this threat in my computer

\"C:\\WINDOWS\\system32\\drivers\\atapi.sys\";\"Tr ojan horse Rootkit-Pakes.U\";\"Object is white-listed (critical/system file that should not be removed)\".

I try to use malwarebytes and is says its clean.. but when i scan with, it detects a trojan... they say that this site can help me fix my problem. i don't now how to remove the trojan....

hope you can HELP me...


This is the result of my VirusTotal

Antivirus Version Last Update Result
a-squared 2010.01.13 Rootkit.Win32.TDSS!IK
AhnLab-V3 2010.01.12 Win-Trojan/Patched.X
AntiVir 2010.01.12 TR/Patched.Gen
Antiy-AVL 2010.01.12 -
Authentium 2010.01.12 -
Avast 4.8.1351.0 2010.01.12 Win32:Patched-LF
AVG 2010.01.12 Rootkit-Pakes.U
BitDefender 7.2 2010.01.13 Rootkit.TDSS.AH
CAT-QuickHeal 10.00 2010.01.13 -
ClamAV 0.94.1 2010.01.13 -
Comodo 3565 2010.01.13 Virus.Win32.Olmarik.OF0
DrWeb 2010.01.13 BackDoor.Tdss.565
eSafe 2010.01.12 -
eTrust-Vet 35.2.7234 2010.01.13 -
F-Prot 2010.01.12 -
F-Secure 9.0.15370.0 2010.01.13 Trojan:W32/TDSS.gen!Z
Fortinet 2010.01.13 -
GData 19 2010.01.13 Rootkit.TDSS.AH
Ikarus T3. 2010.01.13 Rootkit.Win32.TDSS
Jiangmin 13.0.900 2010.01.13 Rootkit.TDSS.ctw
K7AntiVirus 7.10.944 2010.01.11 -
Kaspersky 2010.01.13 Rootkit.Win32.TDSS.u
McAfee 5859 2010.01.12 Patched-SYSFile
McAfee+Artemis 5859 2010.01.12 Patched-SYSFile
McAfee-GW-Edition 6.8.5 2010.01.13 Heuristic.LooksLike.Trojan.Patched.H
Microsoft 1.5302 2010.01.13 Virus:Win32/Alureon.A
NOD32 4765 2010.01.12 Win32/Olmarik.OF
Norman 6.04.03 2010.01.12 W32/TDSS.drv.gen4.A
nProtect 2009.1.8.0 2010.01.13 Trojan/W32.Rootkit.21584
Panda 2010.01.12 Trj/CI.A
PCTools 2010.01.13 Backdoor.Tidserv
Prevx 3.0 2010.01.13 High Risk Rootkit
Rising 2010.01.13 -
Sophos 4.49.0 2010.01.13 Mal/TDSSPack-V
Sunbelt 3.2.1858.2 2010.01.13 Trojan.Win32.Olmarik.of!damaged (V)
Symantec 20091.2.0.41 2010.01.13 Backdoor.Tidserv.H!inf
TheHacker 2010.01.13 -
TrendMicro 2010.01.13 Cryp_TIDIES-12
VBA32 2010.01.13 Rootkit.Win32.TDSL
ViRobot 2010.1.13.2133 2010.01.13 -
VirusBuster 2010.01.12 Rootkit.Alureon.Gen!Pac.7
Additional information
File size: 21584 bytes
MD5...: 0978022ca6bec9fe7fc4c28ff9187cd4
SHA1..: e4812c7bf7ba150496692533eb5ad40583e2ba34
SHA256: 86cf4c77ecf01f08617fbc1b9be166aa2c765df996ff4045f5c502ff64adf23d
ssdeep: 384:iN+KUt2BtUXbyTHoCtGRZjNVAsRMNSChq3BrLQu5VpBjbOjBMmhyMD:KdUty
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7000
timedatestamp.....: 0x4a5bbf13 (Mon Jul 13 23:11:15 2009)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2472 0x2600 6.22 9b9f242740c0a1c2494b23ae50935e6d
.rdata 0x4000 0xae 0x200 1.54 1833a5650ae0f8256ba78bf8ed79d6e1
.data 0x5000 0xc 0x200 0.18 7c80b151582aa6280e754b477343e54e
INIT 0x6000 0x38c 0x400 4.66 392ce67c807da67e018ad9cf892fde4c
.rsrc 0x7000 0x3f0 0x400 5.35 939aa0f7636513af755445a05f2c200d
.reloc 0x8000 0xd2 0x200 2.47 035f51da8bf9893e51952ac185994f14

( 2 imports )
> ataport.SYS: AtaPortNotification, AtaPortQuerySystemTime, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortCopyMemory, AtaPortEtwTraceLog, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange
> NTOSKRNL.exe: KeTickCount

( 0 exports )
RDS...: NSRL Reference Data Set
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
<a href='' target='_blank'></a>

Discussion is locked
You are posting a reply to: Windows 7 Trojan horse Rootkit-Pakes.U C:\WINDOWS\system32\d
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Windows 7 Trojan horse Rootkit-Pakes.U C:\WINDOWS\system32\d
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
I would suggest.....
Collapse -
Result of scan for secure
by harolddan / January 13, 2010 3:20 AM PST
In reply to: I would suggest.....

Scanning Report

Thursday, January 14, 2010 02:09:20 - 02:14:05

Computer name: ADMIN-PC
Scanning type: Quick scan
Target: System

9 malware found

TrackingCookie.Adinterax (spyware)
System (Disinfected)
TrackingCookie.2o7 (spyware)
System (Disinfected)
TrackingCookie.Advertising (spyware)
System (Disinfected)
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
TrackingCookie.Revsci (spyware)
System (Disinfected)
TrackingCookie.Xiti (spyware)
System (Disinfected)
TrackingCookie.Statcounter (spyware)
System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
System (Disinfected)
Trojan:W32/TDSS.gen!Z (spyware)
System (Disinfected)

Files: 4680
System: 4680
Not scanned: 0
Disinfected: 9
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0

Scanning engines:

Collapse -
result of in scan in windows/system32/drivers
by harolddan / January 13, 2010 3:26 AM PST
In reply to: I would suggest.....

Scanning Report

Thursday, January 14, 2010 02:18:57 - 02:21:47

Computer name: ADMIN-PC
Scanning type: Scan target for malware, spyware and rootkits
Target: C:\Windows\System32\drivers

2 malware found

Trojan:W32/TDSS.gen!Z (spyware)
System (Disinfected)
Trojan:W32/TDSS.gen!Z (virus)
C:\Windows\System32\drivers\atapi.sys (Not cleaned & Submitted)

Files: 5128
System: 4701
Not scanned: 0
Disinfected: 1
Renamed: 0
Deleted: 0
Not cleaned: 1
Submitted: 1

Scanning engines:
Scanning options:
Scan all files
Scan inside archives
Use advanced heuristics

Collapse -
so...... one cleaned and still one to go.....
by Marianna Schmudlach / January 13, 2010 4:48 AM PST

Trojan:W32/TDSS.gen!Z (spyware)
System (Disinfected)

Trojan:W32/TDSS.gen!Z (virus)
C:\Windows\System32\drivers\atapi.sys (Not cleaned & Submitted)

Maybe it would be best to download HijackThis from here:

Using HijackThis
To analyze your computer, start HijackThis and run a scan. See the Quick Start Guide for help in running a scan. HijackThis will display a list of areas on your computer that might have been changed by spyware. Do not change any settings if you are unsure of what to do. There are many popular support forums on the web that provide free technical assistance by using HijackThis log files to diagnose an infected computer.

After you read the Quick Start Guide, pls. post your HJT log at ONE of the following HJT forums:

They for sure will help you to get rid of that last infection.

Good Luck !

Collapse -
tnx for the info but....
by harolddan / January 13, 2010 4:27 PM PST

i am not really good in computer...

i dont know how to use highjackthis..

is thier any way to solve the problem aside from highjackthis?

hope for your rply.. tnx

Collapse -
by Marianna Schmudlach / January 13, 2010 10:41 PM PST

Unfortunately the infection left at your computer has to be removed with special tools available in the HJT forums.

Have a look at the "Quick Start Guide", it will exactly explain WHAT you have to do to download and run HJT.

Is really NOT "that difficult" to download and run HJT. The helpers on the HJT forum will tell you exactly what you have to do to remove the infection.

Good Luck and.......... "take it easy" Wink

Popular Forums

Computer Newbies 10,686 discussions
Computer Help 54,365 discussions
Laptops 21,181 discussions
Networking & Wireless 16,313 discussions
Phones 17,137 discussions
Security 31,287 discussions
TVs & Home Theaters 22,101 discussions
Windows 7 8,164 discussions
Windows 10 2,657 discussions


Your favorite shows are back!

Don’t miss your dramas, sitcoms and reality shows. Find out when and where they’re airing!