
[Resolved] I think I have a virus.


  • This topic is locked
48 replies to this topic

#16 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 20 November 2009 - 09:08 PM

RPinney, Several hours aren't unusual.

Tomk
------------------------------------------------------------

Topics are closed after 5 days without response


#17 RPinney

RPinney

    Authentic Member

  • 75 posts

Posted 20 November 2009 - 10:10 PM

Finally, here it is

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, November 20, 2009
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, November 21, 2009 00:13:37
Records in database: 3252592
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Objects scanned: 113583
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:39:31

File name / Threat / Threats count
C:\Windows\System32\drivers\atapi.sys Infected: Rootkit.Win32.TDSS.u 1

Selected area has been scanned.

#18 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 20 November 2009 - 10:19 PM

RPinney,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Tomk
------------------------------------------------------------



#19 RPinney

RPinney

    Authentic Member

  • 75 posts

Posted 20 November 2009 - 10:44 PM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:43 on 20/11/2009 by Ryan Pinney (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] CC866C9DACA268746BEC8FF6A084FC44
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-
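An added check, not part of this thread and not SystemLook's own code, that scripts what the log above lets a helper see by eye: it parses the filefind result lines, takes the DriverStore/winsxs copy of the driver as the reference hash, and flags the in-use copy under System32\drivers whose MD5 differs although size and timestamps are identical. The sample input is the log just posted; the line format regex and the choice of DriverStore/winsxs as the trusted reference are my assumptions.

```python
import re
from collections import Counter, defaultdict

# SystemLook ":filefind *atapi.sys" result lines, copied from the log posted above.
# Each line: path, attribute flags, size, created, modified, MD5 (space or tab separated).
SAMPLE_LOG = r"""Searching for "*atapi.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] CC866C9DACA268746BEC8FF6A084FC44
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
-=End Of File=-
"""

# Assumed line layout; the path may contain spaces (e.g. a user's Desktop folder).
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Windows keeps pristine copies of inbox drivers here; they serve as the reference
# against which the active copy in System32\drivers is compared (my assumption).
TRUSTED_STORES = ("\\driverstore\\", "\\winsxs\\")


def parse_filefind(text):
    """Return one dict per result line (path, attrs, size, created, modified, md5, name)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
            entries.append(e)
    return entries


def find_mismatches(entries):
    """Map file name -> {"reference_md5", "suspect": [paths]} for names whose copies disagree.

    The reference is the MD5 of the DriverStore/winsxs copy (majority MD5 if none);
    any copy with a different hash is listed as suspect. Same size and timestamps
    but a different hash, as in the log above, is what an in-place patched binary looks like.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    report = {}
    for name, copies in by_name.items():
        store = [c["md5"] for c in copies if any(s in c["path"].lower() for s in TRUSTED_STORES)]
        reference = Counter(store or [c["md5"] for c in copies]).most_common(1)[0][0]
        suspect = [c["path"] for c in copies if c["md5"] != reference]
        if suspect:
            report[name] = {"reference_md5": reference, "suspect": suspect}
    return report
```

Run against the sample it reports atapi.sys with the System32\drivers copy as the odd one out; on a clean machine the report is empty.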

#20 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 20 November 2009 - 11:13 PM

RPinney,

Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run Box.
    Copy and Paste everything from the Quote box into Notepad:

    @echo off
    COPY /Y/B/V C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys C:\atapi.sys

  • Save the file to your DESKTOP as "fix.bat". Make sure to save it with the quotes. Once saved, the icon to click should look like this on your desktop: [image]
  • Double click fix.bat.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\Atapi.sys|C:\Windows\System32\drivers\atapi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.


Then

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Tomk
------------------------------------------------------------



#21 RPinney

RPinney

    Authentic Member

  • 75 posts

Posted 21 November 2009 - 12:22 AM

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Atapi.sys" not found!
File move operation "C:\Atapi.sys|C:\Windows\System32\drivers\atapi.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


________________________________________________________________________________

And now SystemLook
________________________________________________________________________________

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 00:19 on 21/11/2009 by Ryan Pinney (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] CC866C9DACA268746BEC8FF6A084FC44
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-

Edited by RPinney, 21 November 2009 - 12:33 AM.


#22 RPinney

RPinney

    Authentic Member

  • 75 posts

Posted 21 November 2009 - 12:29 AM

edit: never mind, I have nothing to say. Thanks for helping me along so far =)

Edited by RPinney, 21 November 2009 - 12:33 AM.


#23 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 21 November 2009 - 12:44 AM

RPinney, I know this is a bit of a dumb question, but did you run fix.bat?

Tomk
------------------------------------------------------------



#24 RPinney

RPinney

    Authentic Member

  • 75 posts

Posted 21 November 2009 - 08:16 PM

Yes, I ran fix.bat.

#25 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 21 November 2009 - 10:15 PM

RPinney,

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Tomk
------------------------------------------------------------



#26 RPinney

RPinney

    Authentic Member

  • 75 posts

Posted 22 November 2009 - 11:45 PM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 23:44 on 22/11/2009 by Ryan Pinney (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] CC866C9DACA268746BEC8FF6A084FC44
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-

#27 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 23 November 2009 - 11:42 AM

RPinney,

Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run Box.
    Copy and Paste everything from the Quote box into Notepad:

    @echo off
    COPY /Y/B/V C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys C:\atapi.sys

  • Save the file to your DESKTOP as "fix.bat". Make sure to save it with the quotes. Once saved, the icon to click should look like this on your desktop: [image]
  • Double click fix.bat.


1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\Atapi.sys|C:\Windows\System32\drivers\atapi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


Then

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Tomk
------------------------------------------------------------



#28 RPinney

RPinney

    Authentic Member

  • 75 posts

Posted 25 November 2009 - 02:14 AM

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\Atapi.sys" not found!
File move operation "C:\Atapi.sys|C:\Windows\System32\drivers\atapi.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

and

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 02:08 on 25/11/2009 by Ryan Pinney (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] CC866C9DACA268746BEC8FF6A084FC44
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-

Also note (just to update): I'm still having the same problem. Whenever I insert any type of media into my optical drive I get a blue screen. Using Driver Genius Professional, all my drivers are up to date.

Edited by RPinney, 25 November 2009 - 02:16 AM.


#29 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 25 November 2009 - 10:24 AM

RPinney,

I can't seem to get the batch file to copy the file you need. We are going to have to copy it by hand.

Please navigate to the C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81 folder and find the atapi.sys file. Right click on it and select copy.

Then go back to your desktop, right click anywhere in an open space on your desktop and select paste.

Then try running Avenger again using this script:

Files to move:
%userprofile%\desktop\atapi.sys|C:\Windows\System32\drivers\atapi.sys

Tomk
------------------------------------------------------------



#30 RPinney

RPinney

    Authentic Member

  • 75 posts

Posted 25 November 2009 - 09:34 PM

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not move file "C:\Users\Ryan Pinney\desktop\atapi.sys"
File move operation "C:\Users\Ryan Pinney\desktop\atapi.sys|C:\Windows\System32\drivers\atapi.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished!  Terminate.

and

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:31 on 25/11/2009 by Ryan Pinney (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys"
C:\Users\Ryan Pinney\Desktop\atapi.sys	--a--- 21584 bytes	[23:07 25/11/2009]	[01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] CC866C9DACA268746BEC8FF6A084FC44
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-
