#1
Archaeologist
Join Date: Sep 2009
Location: In the good side of people.
Posts: 1,367
Hi,
It's already been a while since I started getting the "threat found" alert from NOD32. It seems that I have a Trojan in the file atapi.sys, which is in the directory C:\Windows\System32\drivers. The option "clean" is grayed out, and when I press "delete" it tells me "error deleting". I can't really do anything to clean it with my antivirus. I tried manual scans and everything, but it shows the same thing. I was going to delete the file atapi.sys manually, but when I did a little research on Google I found out that that file is official for Windows. Would it be dangerous to delete it as far as system stability goes?
__________________
Love and be lovable.
#2
Moderator
Join Date: Jan 2005
Location: Russia
Posts: 48,787
I highly recommend you go to the Kaspersky site and use the Kaspersky file scanner, given the fact that you know the exact path to the file.
Manually check the file size; it must be 95,360 bytes (95% of all occurrences) or 96,512 bytes. My strong opinion is this is just another false positive of crappy NOD32. BTW, run ARDiag.exe and post the report. Let's check your system for active infection trails.
__________________
The Truth Is Out There...
#3
Technical Cheese
Join Date: Aug 2005
Location: Stoke, England Gender: Male
Posts: 8,413
^ NOD32 isn't 'crappy'.
And the fact it can't do anything with it is because it is being used by Explorer, and hence it will be locked from editing. The file atapi.sys is a system file which is used for controlling IDE hard drives and the like, so you don't want to remove it. As with most virus problems, it would be best if you tried to clean it within Safe Mode (keep tapping F8 as your computer is booting up, and choose 'Safe Mode' from the list).
__________________
I love cheese =]
#4
Moderator
Join Date: Jan 2005
Location: Russia
Posts: 48,787
If you're anxious about that file, boot from the Windows distribution CD, choose Recovery Console and rewrite the file on the HDD with its clean copy from the distribution CD.
__________________
The Truth Is Out There...
#5
Archaeologist
Join Date: Sep 2009
Location: In the good side of people.
Posts: 1,367
I just got back from shopping. Anyways, the file size is 22 kb o.0 When I try to scan it with the Kaspersky file scanner, it says I don't have permission to open that file, even though I am logged in as an administrator and User Account Control is disabled. Here is the report:

---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 Developed by EscondeR
---------------------------------------------------------------
Code:
Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AfaService
Program path & name:
c:\windows\system32\afasrv32.exe"
Enabled: [V]
Program:
"Provides the interface to Apple mobile devices."
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Apple Mobile Device
Program path & name:
"c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe"
Enabled: [V]
Program:
"Anchor service for Autodesk products licensed with SafeCast"
Publisher:
"(Not verified) Autodesk"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Autodesk Licensing Service
Program path & name:
"c:\program files\common files\autodesk shared\service\adskscsrv.exe"
Enabled: [V]
Program:
"Bonjour allows applications like iTunes and Safari to advertise and discover services on the local network. Having Bonjour running enables you to connect to hardware devices like Apple TV and software services like iTunes sharing and AirTunes. If you disable Bonjour
Publisher:
any network service that explicitly depends on it will fail to start."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Bonjour Service
Program path & name:
"(Verified) Apple Inc.""c:\program files\bonjour\mdnsresponder.exe"
Enabled: [V]
Program:
"ESET Service"
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ekrn
Program path & name:
"c:\program files\eset\eset nod32 antivirus\ekrn.exe"
Enabled: [V]
Program:
"app_filter Module"
Publisher:
"(Verified) NVIDIA Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ForceWare Intelligent Application Manager (IAM)
Program path & name:
"c:\program files\nvidia corporation\networkaccessmanager\bin32\nsvcappflt.exe"
Enabled: [V]
Program:
"mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit"
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
mi-raysat_3dsMax2009_32
Program path & name:
c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsmax2009_32server.exe"
Enabled: [V]
Program:
N/A
Publisher:
"(Verified) Numedia Soft Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
NMSAccessU
Program path & name:
"c:\program files\cdburnerxp\nmsaccessu.exe"
Enabled: [V]
Program:
"NVIDIA Corporation"
Publisher:
"(Verified) NVIDIA Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
nSvcIp
Program path & name:
"c:\program files\nvidia corporation\networkaccessmanager\bin32\nsvcip.exe"
Enabled: [V]
Program:
"Provides system and desktop level support to the NVIDIA display driver"
Publisher:
"(Verified) NVIDIA Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
nvsvc
Program path & name:
"c:\windows\system32\nvvsvc.exe"
Enabled: [V]
Program:
"Keeps your favorite Yahoo! software up-to-date with the latest features
Publisher:
tools and enhancements."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
YahooAUService
Program path & name:
"(Verified) Yahoo! Inc.""c:\program files\yahoo!\softwareupdate\yahooauservice.exe"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
atapi
Program path & name:
c:\windows\system32\drivers\atapi.sys"
Enabled: [V]
Program:
"Eset Helper driver"
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ehdrv
Program path & name:
"c:\windows\system32\drivers\ehdrv.sys"
Enabled: [V]
Program:
"EPFW Filter Driver"
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
epfwwfpr
Program path & name:
"c:\windows\system32\drivers\epfwwfpr.sys"
Enabled: [V]
Program:
"MagicISO SCSI Host Controller"
Publisher:
"(Not verified) MagicISO Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
mcdbus
Program path & name:
"c:\windows\system32\drivers\mcdbus.sys"
Enabled: [V]
Program:
"NVIDIA Display Properties Extension"
Publisher:
"(Verified) NVIDIA Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
NvCplDaemon
Program path & name:
"c:\windows\system32\nvcpl.dll"
Enabled: [V]
Program:
"ESET GUI"
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
egui
Program path & name:
"c:\program files\eset\eset nod32 antivirus\egui.exe"
Enabled: [V]
Program:
"Adobe CS4 Service Manager"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
AdobeCS4ServiceManager
Program path & name:
"c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe"
Enabled: [V]
Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
SunJavaUpdateSched
Program path & name:
"c:\program files\java\jre6\bin\jusched.exe"
Enabled: [V]
Program:
"QuickTime Task"
Publisher:
"(Not verified) Apple Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
QuickTime Task
Program path & name:
"c:\program files\quicktime\qttask.exe"
Enabled: [V]
Program:
"iTunesHelper"
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
iTunesHelper
Program path & name:
"c:\program files\itunes\ituneshelper.exe"
Enabled: [V]
Program:
"IconCS card reader Application"
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
USBestCR
Program path & name:
c:\program files\usim editor\iconcs86224576.exe"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Entry name:
WebCheck
Program path & name:
File not found: CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
BMIMZMHMFM
Program path & name:
File not found: C:\Users\DANIEL~1\AppData\Local\Temp\Lsb.exe"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
WS9E3IQBKY
Program path & name:
File not found: C:\Windows\msa.exe"
Enabled: [V]
Program:
"Google Installer"
Publisher:
"(Verified) Google Inc"
Entry path:
Task Scheduler
Entry name:
GoogleUpdateTaskUserS-1-5-21-3374997619-213647828-3621620831-1000Core.job
Program path & name:
"c:\users\daniel almanza\appdata\local\google\update\googleupdate.exe"
Enabled: [V]
Program:
"Google Installer"
Publisher:
"(Verified) Google Inc"
Entry path:
Task Scheduler
Entry name:
GoogleUpdateTaskUserS-1-5-21-3374997619-213647828-3621620831-1000UA.job
Program path & name:
"c:\users\daniel almanza\appdata\local\google\update\googleupdate.exe"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Program path & name:
File not found: C:\Windows\msa.exe"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
Program path & name:
File not found: C:\Users\DANIEL~1\AppData\Local\Temp\Lsb.exe"
Enabled: [V]
Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
&Yahoo! Toolbar Helper
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]
Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Java(tm) Plug-In SSV Helper
Program path & name:
"c:\program files\java\jre6\bin\ssv.dll"
Enabled: [V]
Program:
"Java(TM) Platform SE binary"
Publisher:
"(Not verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Java(tm) Plug-In 2 SSV Helper
Program path & name:
"c:\program files\java\jre6\bin\jp2ssv.dll"
Enabled: [V]
Program:
"Yahoo! Single Instance for Mail"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
SingleInstance Class
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\ytsingleinstance.dll"
Enabled: [V]
Program:
"NVIDIA Display Properties Extension"
Publisher:
"(Verified) NVIDIA Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NvCpl DesktopContext Class
Program path & name:
"c:\windows\system32\nvcpl.dll"
Enabled: [V]
Program:
"NVIDIA Display Properties Extension"
Publisher:
"(Verified) NVIDIA Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Play on my TV helper
Program path & name:
"c:\windows\system32\nvcpl.dll"
Enabled: [V]
Program:
N/A
Publisher:
"(Not verified) NVIDIA Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NVIDIA Play On My TV Context Menu Extension
Program path & name:
"c:\windows\system32\nvshext.dll"
Enabled: [V]
Program:
"Shell Extension"
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
ESET Smart Security - Context Menu Shell Extension
Program path & name:
"c:\program files\eset\eset nod32 antivirus\shellext.dll"
Enabled: [V]
Program:
"7-Zip Shell Extension"
Publisher:
"(Not verified) Igor Pavlov"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
7-Zip Shell Extension
Program path & name:
"c:\program files\7-zip\7-zip.dll"
Enabled: [V]
Program:
"iTunes Mini Player DLL"
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
iTunes
Program path & name:
"c:\program files\itunes\itunesminiplayer.dll"
Enabled: [V]
Program:
"SimpleExt Module"
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
SimpleShlExt extension
Program path & name:
c:\program files\turbo squid tentacles\savetotentacles32.dll"
Enabled: [V]
Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
yt.dll
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]
__________________
Love and be lovable. Last edited by Lizard of Oz; 08-02-10 at 03:21.
#6
Moderator
Join Date: Jan 2005
Location: Russia
Posts: 48,787
1. Download Autoruns
2. Reboot in Safe mode
3. Run Autoruns, let it scan, then kill the following entries:
Code:
Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AfaService
Program path & name:
c:\windows\system32\afasrv32.exe"
Enabled: [V]
Program:
"Keeps your favorite Yahoo! software up-to-date with the latest features
Publisher:
tools and enhancements."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
YahooAUService
Program path & name:
"(Verified) Yahoo! Inc.""c:\program files\yahoo!\softwareupdate\yahooauservice.exe"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
atapi
Program path & name:
c:\windows\system32\drivers\atapi.sys"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Entry name:
WebCheck
Program path & name:
File not found: CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
BMIMZMHMFM
Program path & name:
File not found: C:\Users\DANIEL~1\AppData\Local\Temp\Lsb.exe"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
WS9E3IQBKY
Program path & name:
File not found: C:\Windows\msa.exe"
Enabled: [V]
Program:
"Google Installer"
Publisher:
"(Verified) Google Inc"
Entry path:
Task Scheduler
Entry name:
GoogleUpdateTaskUserS-1-5-21-3374997619-213647828-3621620831-1000Core.job
Program path & name:
"c:\users\daniel almanza\appdata\local\google\update\googleupdate.exe"
Enabled: [V]
Program:
"Google Installer"
Publisher:
"(Verified) Google Inc"
Entry path:
Task Scheduler
Entry name:
GoogleUpdateTaskUserS-1-5-21-3374997619-213647828-3621620831-1000UA.job
Program path & name:
"c:\users\daniel almanza\appdata\local\google\update\googleupdate.exe"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Program path & name:
File not found: C:\Windows\msa.exe"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
Program path & name:
File not found: C:\Users\DANIEL~1\AppData\Local\Temp\Lsb.exe"
Enabled: [V]
Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
&Yahoo! Toolbar Helper
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]
Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
yt.dll
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]
c:\windows\system32\drivers\atapi.sys
c:\windows\system32\afasrv32.exe
5. Reboot in normal mode and perform a full system antivirus scan.
6. If I were you, I'd seriously consider changing antivirus, as it hasn't protected you from actual infection.
__________________
The Truth Is Out There...
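The triage the moderator does by eye in post #6 (entries with no verified publisher sitting in a system directory, autostarts whose target file is already gone, random-looking entry names) together with the file-size comparison from post #2, written out as a script. This is an added example, not code from the thread, from ARDiag or from Autoruns. It assumes: the sample report is a constructed four-entry subset of the posted one in the same layout; the known-good sizes are the two values quoted in post #2 and are taken to apply to the Windows builds the moderator had in mind; the directory and random-name heuristics are my own and will produce false positives.

```python
import re

# Constructed sample: four of the posted entries, copied in the report's layout.
SAMPLE_REPORT = r"""
Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AfaService
Program path & name:
c:\windows\system32\afasrv32.exe"
Enabled: [V]
Program:
"ESET Service"
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ekrn
Program path & name:
"c:\program files\eset\eset nod32 antivirus\ekrn.exe"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
atapi
Program path & name:
c:\windows\system32\drivers\atapi.sys"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
BMIMZMHMFM
Program path & name:
File not found: C:\Users\DANIEL~1\AppData\Local\Temp\Lsb.exe"
Enabled: [V]
"""
FIELDS = [("Program:", "program"), ("Publisher:", "publisher"), ("Entry path:", "entry_path"),
          ("Entry name:", "entry_name"), ("Program path & name:", "image_path")]
# Genuine atapi.sys sizes quoted in post #2 (assumed valid for the Windows builds meant there).
KNOWN_GOOD_SIZES = {"atapi.sys": {95360, 96512}}
RANDOM_NAME = re.compile(r"^[A-Z0-9]{8,}$")  # own heuristic: names like BMIMZMHMFM, WS9E3IQBKY

def parse_report(text):
    """Turn the report's 'Label: / value' record layout into a list of dicts."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    entries, i = [], 0
    while i + 1 < len(lines):
        if lines[i] != "Program:":
            i += 1                       # skip the report's header/footer lines
            continue
        rec = {}
        for label, key in FIELDS:
            if i + 1 >= len(lines) or lines[i] != label:
                raise ValueError(f"malformed record near line {i}: {lines[i:i + 1]}")
            rec[key] = lines[i + 1].strip('"')   # the report quotes some values
            i += 2
        rec["enabled"] = i < len(lines) and lines[i].startswith("Enabled: [V]")
        i += 1
        entries.append(rec)
    return entries

def triage(entries):
    """Return {entry_name: [reasons]} for entries that deserve a second look."""
    flagged = {}
    for e in entries:
        reasons, path = [], e["image_path"].lower()
        unverified = e["publisher"] == "N/A" or e["publisher"].startswith("(Not verified)")
        if e["image_path"].startswith("File not found:"):
            reasons.append("orphaned autostart: target file is missing")
        elif unverified and (path.startswith("c:\\windows\\") or "\\temp\\" in path):
            reasons.append("no verified publisher for a file in a system or temp directory")
        if RANDOM_NAME.match(e["entry_name"]):
            reasons.append("random-looking entry name")
        if reasons:
            flagged[e["entry_name"]] = reasons
    return flagged

def size_matches_known_good(filename, observed_bytes):
    """True/False against the known-good sizes; None when there is no reference."""
    good = KNOWN_GOOD_SIZES.get(filename.lower())
    return None if good is None else observed_bytes in good

if __name__ == "__main__":
    for name, why in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{name}: {'; '.join(why)}")
    print("22 KB atapi.sys matches a known-good size:",
          size_matches_known_good("atapi.sys", 22 * 1024))
```

Run on the sample it flags AfaService, atapi and BMIMZMHMFM and reports that a 22 KB atapi.sys does not match either known-good size. The output is a list of files to check with a file scanner or a signature check, not a delete list: an entry with no flags (ekrn here) is not proof of cleanliness any more than a flag is proof of infection, and a core Microsoft driver is normally catalog-signed, so a missing publisher on one is a reason to verify the file rather than a verdict on it.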
#7
Archaeologist
Join Date: Sep 2009
Location: In the good side of people.
Posts: 1,367
I finally got to do the Safe Mode and Autoruns thing. I could not delete a couple of entries because I did not find them. I also could not delete the file atapi.sys; it said I needed permission from "TrustedInstaller." That sounds pretty suspicious...
I also no longer get the Threat Detected warning anymore, and atapi.sys doesn't seem to be infected. Though it still can't be deleted and is 22 kb. I think the virus is gone. I'm not 100% sure, but your solution appears to have worked. Thank you very much, EscondeR
__________________
Love and be lovable.
#8
Moderator
Join Date: Jan 2005
Location: Russia
Posts: 48,787
BTW, TrustedInstaller is a native Windows process, which may cause inconvenience (not a surprise - it's Windows, man - we have DEP, UAC, WF, etc.)
__________________
The Truth Is Out There...