
[Resolved] I think I have a virus.


48 replies to this topic

#31 Tomk (Beguilement Monitor, Classroom Admin, 20,156 posts)

Posted 26 November 2009 - 12:08 AM

RPinney,

Download Inherit and save it to your desktop.
Drag atapi.sys into Inherit.exe. Wait until it says OK.

Then please run the last Avenger script again.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png



#32 RPinney (Authentic Member, 75 posts)

Posted 29 November 2009 - 06:42 AM

Holiday delay, I'm back. Here's the results after following your last directions.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\Atapi.sys" not found!
File move operation "C:\Atapi.sys|C:\Windows\System32\drivers\atapi.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

and

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 06:40 on 29/11/2009 by Ryan Pinney (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys"
C:\Users\Ryan Pinney\Desktop\atapi.sys	--a--- 21584 bytes	[23:07 25/11/2009]	[01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] CC866C9DACA268746BEC8FF6A084FC44
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-
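The SystemLook output above lists four copies of atapi.sys with identical sizes and timestamps but two different MD5 values: the loaded driver in System32\drivers differs from the DriverStore and WinSxS copies. As an added example (not from the thread and not part of SystemLook), the Python below parses filefind lines of that shape, treats the component-store copies as the baseline, flags a live driver whose hash diverges while its size and timestamps still match, and lists the component-store paths a clean copy could be restored from. The log text inside the block is constructed, with a placeholder user name, placeholder directory names and placeholder MD5 values.

```python
"""Check copies of a system driver listed by SystemLook's "filefind".

Added example for this thread, not part of the forum post or of SystemLook.
SAMPLE_LOG is constructed (placeholder user, directory names and MD5 values)
in the same tab-separated shape as the real filefind output.
"""
import re

GOOD_MD5 = "11111111111111111111111111111111"  # constructed placeholder hash
BAD_MD5 = "22222222222222222222222222222222"   # constructed placeholder hash


def _row(path, size, mtime, ctime, md5):
    """One filefind result line: path TAB attrs+size TAB [mtime] TAB [ctime] MD5."""
    return "\t".join([path, f"--a--- {size} bytes", f"[{mtime}]", f"[{ctime}] {md5}"])


SAMPLE_LOG = "\n".join([
    "SystemLook v1.0 by jpshortstuff (29.08.09)",
    "Log created at 06:40 on 29/11/2009 by Example User (Administrator - Elevation successful)",
    "",
    "========== filefind ==========",
    "",
    'Searching for "*atapi.sys"',
    _row(r"C:\Users\Example User\Desktop\atapi.sys", 21584, "23:07 25/11/2009", "01:26 14/07/2009", GOOD_MD5),
    _row(r"C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_0000000000000000\atapi.sys", 21584, "23:11 13/07/2009", "01:26 14/07/2009", GOOD_MD5),
    _row(r"C:\Windows\System32\drivers\atapi.sys", 21584, "23:11 13/07/2009", "01:26 14/07/2009", BAD_MD5),
    _row(r"C:\Windows\winsxs\x86_mshdc.inf_0000000000000000_6.1.7600.16385_none_0000000000000000\atapi.sys", 21584, "23:11 13/07/2009", "01:26 14/07/2009", GOOD_MD5),
    "",
    "-=End Of File=-",
])

# <path>TAB<attrs> <size> bytesTAB[<mtime>]TAB[<ctime>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\t"
    r"(?P<attrs>\S+) (?P<size>\d+) bytes\t"
    r"\[(?P<mtime>[^\]]+)\]\t"
    r"\[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Windows keeps pristine copies of inbox drivers in the component store;
# those copies are the baseline the loaded driver is compared against.
COMPONENT_STORE_MARKERS = ("\\driverstore\\filerepository\\", "\\winsxs\\")
LIVE_DRIVER_DIR = "\\system32\\drivers\\"


def parse_filefind(text):
    """Return one dict per result line; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def is_component_store_copy(path):
    p = path.lower()
    return any(marker in p for marker in COMPONENT_STORE_MARKERS)


def baseline_hashes(entries):
    """Hashes seen in the component store; more than one means no single baseline."""
    return {e["md5"] for e in entries if is_component_store_copy(e["path"])}


def find_divergent_copies(entries):
    """Flag a loaded driver whose hash is not in the baseline.

    A differing hash with identical size and timestamps is the pattern to
    look at closely: an in-place modification that preserved file metadata.
    """
    baseline = baseline_hashes(entries)
    if not baseline:
        return []  # nothing trustworthy to compare against
    ref_meta = {(e["size"], e["mtime"], e["ctime"])
                for e in entries if is_component_store_copy(e["path"])}
    findings = []
    for e in entries:
        if LIVE_DRIVER_DIR in e["path"].lower() and e["md5"] not in baseline:
            findings.append({
                "path": e["path"],
                "md5": e["md5"],
                "baseline": sorted(baseline),
                "metadata_matches_baseline": (e["size"], e["mtime"], e["ctime"]) in ref_meta,
            })
    return findings


def restore_candidates(entries):
    """Component-store copies carrying a baseline hash: sources for a clean copy."""
    baseline = baseline_hashes(entries)
    return [e["path"] for e in entries
            if is_component_store_copy(e["path"]) and e["md5"] in baseline]


if __name__ == "__main__":
    parsed = parse_filefind(SAMPLE_LOG)
    for f in find_divergent_copies(parsed):
        print(f"DIVERGENT: {f['path']} md5={f['md5']} baseline={f['baseline']} "
              f"metadata_twin={f['metadata_matches_baseline']}")
    print("restore from:", restore_candidates(parsed))
```

The baseline is only meaningful when every component-store copy agrees; if `baseline_hashes` returns more than one value, the comparison is inconclusive and the copies themselves need checking before anything is restored.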


#33 Tomk (Beguilement Monitor, Classroom Admin, 20,156 posts)

Posted 29 November 2009 - 09:08 AM

RPinney,

Holiday delay,

I trust it was a good one. :thumbup:

Whoops. You ran the wrong Avenger script.

We need this one:
Files to move:
%userprofile%\desktop\atapi.sys|C:\Windows\System32\drivers\atapi.sys

Tomk


#34 RPinney (Authentic Member, 75 posts)

Posted 29 November 2009 - 06:32 PM

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not move file "C:\Users\Ryan Pinney\desktop\atapi.sys"
File move operation "C:\Users\Ryan Pinney\desktop\atapi.sys|C:\Windows\System32\drivers\atapi.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished!  Terminate.

and

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 18:31 on 29/11/2009 by Ryan Pinney (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys"
C:\Users\Ryan Pinney\Desktop\atapi.sys	--a--- 21584 bytes	[23:07 25/11/2009]	[01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] CC866C9DACA268746BEC8FF6A084FC44
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys	--a--- 21584 bytes	[23:11 13/07/2009]	[01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-


#35 Tomk (Beguilement Monitor, Classroom Admin, 20,156 posts)

Posted 29 November 2009 - 10:05 PM

RPinney,

OK. I'd like you to try something for me. I'm not sure it will work but so far, what I thought would work didn't. :blush:

I need you to right click on atapi.sys on your desktop and select copy.

Then navigate to your C:\Windows\System32\drivers folder, right click somewhere in the open and select paste. Your computer will tell you that the file already exists and ask if you want to overwrite it. Select yes.

Let me know how it goes.

Tomk


#36 RPinney (Authentic Member, 75 posts)

Posted 29 November 2009 - 10:26 PM

OK, and you want me to run the previous script afterwards?

edit:

Here is a screen cap of the results (hitting 'try again' only refreshes the same error):

[Four screenshots posted]

Edited by RPinney, 29 November 2009 - 10:40 PM.


#37 Tomk (Beguilement Monitor, Classroom Admin, 20,156 posts)

Posted 29 November 2009 - 10:55 PM

RPinney,

If we can get this to work, we don't need to run the scripts.

Unfortunately I don't have a Vista machine to try this on but tell me if this works:

This time when you right click the file on the desktop, can you select Run as Administrator... first before copying?

Tomk


#38 RPinney (Authentic Member, 75 posts)

Posted 29 November 2009 - 11:22 PM

No, there is no "run as administrator" option in Windows 7 (in my experience).

Edited by RPinney, 29 November 2009 - 11:24 PM.


#39 Tomk (Beguilement Monitor, Classroom Admin, 20,156 posts)

Posted 29 November 2009 - 11:31 PM

RPinney,

Right click the drivers folder. Select Properties, look at Sharing and Security tabs and set the variables that allow you to share/gain permission to the folder.
(Make note of how permissions were set first as you will want to return them to that when we are done.)

Then try copying the file there again.

Tomk


#40 RPinney (Authentic Member, 75 posts)

Posted 29 November 2009 - 11:41 PM

Ok I tried that, here's what I got:

[Screenshot posted]

As you can see, the boxes are grayed out meaning I am unable to edit the settings. Why would that be...I am the only user on this computer and I'm pretty sure I am the administrator - I installed the OS.


edit: I searched Google and found this as sort of an explanation:

http://www.sevenforums.com/system-security/2267-disable-forever-special-permissions.html

Same as the guy, I have UAC settings on lowest/off (User Account Control settings).

also, this article explains more

http://www.mydigitallife.info/2009/05/21/take-and-grant-full-control-permissions-and-ownership-in-windows-7-or-vista-right-click-menu/

my response: wow, lame

Should I follow the directions of the article?

Edited by RPinney, 29 November 2009 - 11:53 PM.



#41 Tomk (Beguilement Monitor, Classroom Admin, 20,156 posts)

Posted 30 November 2009 - 10:47 AM

RPinney,

I got some advice from some colleagues. We should be able to work from the Recovery Environment.

Please put your Vista DVD in your drive and reboot your system.

A message should come up to "Press any key to boot from CD or DVD". Do that.

After some loading, the Windows install window will come up and ask you to choose your language. Do so and click next.

On the next screen, choose Repair your computer.

It will then ask you to choose your operating system. Vista will be your only choice.

You will then be given a bunch of options. Choose "Command Prompt"

At the command prompt, enter the following:
copy "C:\Users\Ryan Pinney\desktop\atapi.sys" c:\windows\system32\drivers

You should get a notice that 1 file was copied.

Reboot as normal and let me know how it went.

Tomk


#42 RPinney (Authentic Member, 75 posts)

Posted 02 December 2009 - 11:04 AM

RPinney,

I got some advice from some colleagues. We should be able to work from the Recovery Environment.

Please put your Vista DVD in your drive and reboot your system.

A message should come up to "Press any key to boot from CD or DVD". Do that.

After some loading, the Windows install window will come up and ask you to choose your language. Do so and click next.

On the next screen, choose Repair your computer.

It will then ask you to choose your operating system. Vista will be your only choice.

You will then be given a bunch of options. Choose "Command Prompt"

At the command prompt, enter the following:
copy "C:\Users\Ryan Pinney\desktop\atapi.sys" c:\windows\system32\drivers

You should get a notice that 1 file was copied.

Reboot as normal and let me know how it went.


Awesome, it worked!!!

Thanks so much, especially for replying in such a timely manner even when I would take days to get back to it. If there's some kind of award around here you deserve it =p

#43 Tomk (Beguilement Monitor, Classroom Admin, 20,156 posts)

Posted 02 December 2009 - 11:12 AM

RPinney, Great. :thumbup: I'm just sorry it took so many tries to get it to work. I guess that makes you my guinea pig for Windows 7. :wacko: Now... the important part... how are things running?

Tomk


#44 RPinney (Authentic Member, 75 posts)

Posted 02 December 2009 - 11:01 PM

So far, it's running like it always had been. Same performance as when I first installed Windows 7.

#45 Tomk (Beguilement Monitor, Classroom Admin, 20,156 posts)

Posted 02 December 2009 - 11:25 PM

RPinney,

Looks good :D


You need to create a new Clean restore point:

  • Download SysRestorePoint to your desktop and unzip it to its own folder.
  • Double click SysRestorePoint.exe so that we can make a new system restore point.
  • A box will pop up after it has made a new point, usually after a few seconds. Close that window and exit the program.
Remove all previous Restore Points
Click Start Menu > Run > copy and paste

cleanmgr

You may be asked to choose a drive. Choose C:. At the top, click on the More Options tab. Click the Clean up... button in the System Restore box. Click on the Yes button. When finished, click on the Cancel button to exit.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

  • Double click on OTL to run it.
  • Click on CleanUp!
  • When done, you will be prompted to restart your computer. Please restart your computer.

Go ahead and delete any tools that are left.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:

Tomk
