It was an empty folder which is gone now. I ran AVG and had it just scan C:\Windows\System32\drivers\ and it came back clean. I also had VirusTotal scan the new atapi.sys which came back clean as well. I'm currently running MBAM and a full AVG scan and installing CCleaner. I'll also run an online scan after CCleaner is installed and run and let you know, but as of right now it seems like it's gone.
I have a question though. I obviously tried ComboFix to try to replace atapi.sys and when I got the warning I decided to come here. My first instinct after that though was to get into safe mode with command prompt and copy the files that way. Would it have worked? And if not, would running a command prompt from a restore CD/flash drive and copying the file have worked?
Yes, you most likely could have copied it a number of ways. You just have to be very careful with that file. Without it Windows will not boot, which is why AVG wouldn't remove it.
Hopefully nothing else will be found but since the other file that we deleted was there then you never know what else might come up. And as a precaution we should run a scanner that doesn't remove what it finds to be on the safe side.
Use Panda instead of ESET.
Scan your computer with Panda ActiveScan
* Once you are on the Panda site click the Scan your PC now button.
* A new window will open...click the Scan Now button.
* If it wants to install an ActiveX component allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
* You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
* The scan will begin. Please be patient as it can take an hour or more to complete.
* When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
* Save the ActiveScan.txt to a convenient location like your desktop.
* Note: You do not need to select any of the Disinfect options. We will remove any threats manually.
* Post the contents of the ActiveScan report in your next reply.
;*****************************************************************************
ANALYSIS: 2009-11-15 02:48:51
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 3
;*****************************************************************************
PROTECTIONS
Description Version Active UPDATED
;====================================================================
AVG Anti-Virus Free Yes Yes
;====================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;====================================================================
00020386 Application/MotherboardMonitor.A HackTools No 0 Yes No c:\program files\mirc\moo.dll
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\[emailprotected][1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\[emailprotected][1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\[emailprotected][2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\[emailprotected][2].txt
00815304 mIRC/Gen Virus/Worm No 0 Yes No c:\program files\mirc\backups\aliases.ini
00954094 Rootkit/Bagle.UV Virus/Worm No 1 Yes No c:\avenger\utizmjqx.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\avenger\atapi.sys
;====================================================================
SUSPECTS
Sent Location
;====================================================================
No c:\program files\mirc\backups\mirc.exe
No c:\program files\mirc\mirc-keygen\keygen.exe
No c:\users\stillborn\documents\utilities and installers\uniblue powersuite 2009\setup.exe
;====================================================================
VULNERABILITIES
Id Severity Description
;====================================================================
Using cracks will get you infected every time...
Download OTM by OldTimer to your desktop.
Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.
* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and PRESSING CTRL + C (or, after highlighting, right-click and choose Copy)
Code: [Select]
:Processes
explorer.exe

:services

:reg

:files
c:\program files\mirc
c:\avenger\utizmjqx.sys
c:\avenger\atapi.sys

:Commands
[purity]
[emptytemp]
[start explorer]
* Return to OTM, right click in the "Paste Instructions for ITEMS to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy EVERYTHING in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.
The system required a reboot so I wasn't able to copy the results and post them. I checked everything under the "files" list and they're all gone.
Sounds good. Time to finish up.
1. Double click OTM to launch it. Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTM will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. When finished exit out of OTM.
----------
Use the Secunia Software Inspector to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your BROWSER. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
Had the same problem. Use Hitman Pro. Works fantastic to get rid of atapi.sys root....
Hitman Pro cannot fix this infection. In fact, there is no AV now that can do it. It takes specialized tools and/or knowledge of how to replace the infected file, which is a legitimate Windows file and why the AVs can't fix it.
Kaspersky has developed a tool, TDSSKiller, that will clean and replace the infected atapi.sys file then clean the registry of the TDL3 rootkit. But TDL3 has evolved and that doesn't even work much of the time now. http://support.kaspersky.com/viruses/solutions?qid=208280684
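The thread turns on one point raised twice above: atapi.sys is a legitimate Windows driver, so an AV will not simply delete it, and the question becomes whether the copy on disk is the genuine, Microsoft-signed binary or a replaced one. The script below is an added example, not a tool from this thread or from any of the vendors named in it. It checks a driver file three ways a responder would: Authenticode signature and signer, the file's version resource, and a SHA-256 comparison against a known-good copy of the same Windows build. It assumes a modern PowerShell (5.1 or later, for Get-FileHash and Get-AuthenticodeSignature); the reference-copy path is a placeholder you supply, for example from install media or a clean machine of the same build.

```powershell
# Added example (not from the thread): verify that a Windows driver on disk is the
# genuine, Microsoft-signed binary and compare its hash with a known-good copy.
# Assumptions: PowerShell 5.1+; $ReferenceCopy is a placeholder path you supply.
param(
    [string]$DriverPath    = "$env:SystemRoot\System32\drivers\atapi.sys",
    [string]$ReferenceCopy = "D:\known-good\atapi.sys"   # placeholder: known-good copy
)

function Test-DriverIntegrity {
    param([string]$Path, [string]$Reference)

    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'MISSING'; Detail = 'file not found' }
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    $ver  = (Get-Item $Path).VersionInfo
    $findings = @()

    # 1. Authenticode: a genuine Windows driver validates and is signed by Microsoft.
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status '$($sig.Status)'"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "signed by unexpected subject '$($sig.SignerCertificate.Subject)'"
    }

    # 2. Version resource: the genuine driver carries Microsoft's company name.
    if ($ver.CompanyName -notmatch 'Microsoft') {
        $findings += "CompanyName is '$($ver.CompanyName)', expected Microsoft"
    }

    # 3. Hash comparison with a known-good copy of the same Windows build.
    if (Test-Path $Reference) {
        $refHash = (Get-FileHash -Algorithm SHA256 -Path $Reference).Hash
        if ($refHash -ne $hash) { $findings += 'SHA256 differs from reference copy' }
    } else {
        $findings += "no reference copy at '$Reference' (hash $hash not compared)"
    }

    [pscustomobject]@{
        Path      = $Path
        SHA256    = $hash
        Signer    = $sig.SignerCertificate.Subject
        SigStatus = $sig.Status
        Status    = if ($findings.Count -eq 0) { 'OK' } else { 'SUSPECT' }
        Detail    = ($findings -join '; ')
    }
}

Test-DriverIntegrity -Path $DriverPath -Reference $ReferenceCopy | Format-List
```

Two caveats a practitioner would want. First, a rootkit that has hijacked the disk driver stack, as the thread describes for atapi.sys, can present the genuine file to any reader running inside the infected system, so a clean result from within that Windows is not conclusive; run the check (or the copy the poster asked about) from a restore CD or another clean system with the disk mounted. Second, many Windows system files are signed through catalog files rather than an embedded signature, and older PowerShell releases report those as NotSigned; on such systems use the built-in `sfc /verifyfile=<path>` or a tool that understands catalog signatures before treating an unsigned status as evidence of tampering.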