Junior Member with 18 posts.
07-Nov-2009, 10:07 PM
#16
Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: could not move file "C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys"
File move operation "C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys|C:\WINDOWS\System32\drivers\atapi.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
Completed script processing.
*******************
Finished! Terminate.

Senior Member with 1,765 posts. Join Date: Oct 2008. Location: California, USA.
07-Nov-2009, 10:10 PM
#17
I'll have to give this a think and get back to you.

Junior Member with 18 posts.
07-Nov-2009, 10:13 PM
#18
Alright, take your time. I really appreciate your help. I just want to get this thing off of here before it causes more problems :\

Senior Member with 1,765 posts. Join Date: Oct 2008. Location: California, USA.
08-Nov-2009, 12:33 AM
#19
Do you have your Vista DVD handy or can you get one?

Junior Member with 18 posts.
08-Nov-2009, 02:13 AM
#20
Unfortunately I'm not sure if I'll be able to find it, but I can try to find it. If not, I can probably get one from a friend.

Senior Member with 1,765 posts. Join Date: Oct 2008. Location: California, USA.
08-Nov-2009, 03:18 AM
#21
I wanted to use a feature that those recovery CDs/DVDs come with that will allow me to edit the system without booting into Windows.
See if you can get one, if not, I'll have something else we can try tomorrow, I just need to write up the steps for you first.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
If I have not responded in three days, please feel free to PM me with a friendly reminder.
Please don't send me requests for help. Use the forums instead.

Junior Member with 18 posts.
08-Nov-2009, 03:27 AM
#22
I was wondering, should I try running ComboFix in safe mode?

Senior Member with 1,765 posts. Join Date: Oct 2008. Location: California, USA.
08-Nov-2009, 01:45 PM
#23
The problem with ComboFix is not that it isn't doing its job, but that it can't, because it is made to function best in Windows XP, in this case with Windows XP's Recovery Console.
Let's try the following one more time with a different file, because I had luck yesterday using Avenger in another system with the same infection:

STEP 1
Open Notepad.
Copy and paste the below lines of code to Notepad:
Code:
@echo off
copy /V /L C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys c:\atapi.sys
Go to File > Save As and name the file fixes.bat, change the "Save as type" to All Files and save it to your Desktop.
Double-click on fixes.bat to execute it.

STEP 2
1. Please download The Avenger by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select "Extract All..."
- Follow the prompts and extract the avenger folder to your desktop.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing Ctrl+C:
Code:
Files to move:
C:\atapi.sys | C:\WINDOWS\System32\drivers\atapi.sys
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
- Right click on the window under "Input script here:", and select Paste.
- You can also click on this window and press Ctrl+V to paste the contents of the clipboard.
- Click on Execute.
- Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
- It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop; this is normal.
- After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
5. Please copy/paste the content of c:\avenger.txt into your reply.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
If I have not responded in three days, please feel free to PM me with a friendly reminder.
Please don't send me requests for help. Use the forums instead.

Junior Member with 18 posts.
09-Nov-2009, 12:10 AM
#24
Ok, so I tried it once and no dice, but I decided I'd try it again and I got this.
Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File move operation "C:\atapi.sys|C:\WINDOWS\System32\drivers\atapi.sys" completed successfully.
Completed script processing.
*******************
Finished! Terminate.

Junior Member with 18 posts.
09-Nov-2009, 12:14 AM
#25
If we can't get this off of here, I actually have a friend who owns a computer repair business. He said he would take my main hard drive and fix it pro bono if we can't figure it out. Although lol I don't even know if he could figure it out, he's kinda ditzy.

Senior Member with 1,765 posts. Join Date: Oct 2008. Location: California, USA.
09-Nov-2009, 12:27 AM
#26
I'll have to remember to try it again when it doesn't work. I'm glad to see those results.
I'm going to need two things:
Please run ComboFix again by double clicking on the icon and attach C:\ComboFix.txt to your next reply.
Please run OTS.exe again and under the Custom Scans section please copy and paste the following:
%SYSTEMDRIVE%\atapi.sys /s /md5
Then click on the Quick Scan button. Attach the results to your next reply.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
If I have not responded in three days, please feel free to PM me with a friendly reminder.
Please don't send me requests for help. Use the forums instead.

Junior Member with 18 posts.
09-Nov-2009, 01:49 AM
#27
Mmm, so while the OTS scanner was going, AVG detected tdlwsp.dll again.

Senior Member with 1,765 posts. Join Date: Oct 2008. Location: California, USA.
09-Nov-2009, 02:56 AM
#28
Alright. If that happened, then the infection has gotten a hold of the other backups on your system. Instead of using an older version of the file (which might work, but it's better to have up-to-date versions of everything on a system), let's use a copy from a clean Vista computer.
Please delete C:\atapi.sys by right clicking on it, holding down your Shift key, and selecting "Delete" from the menu. This will delete the file without sending it to the recycle bin.
Please download a clean copy of atapi.sys from HERE. Unzip the contents of that file and copy and paste or move atapi.sys so that it's where the one you deleted was (C:\atapi.sys).
Then run the following script in Avenger:
Code:
Files to move:
C:\atapi.sys | C:\WINDOWS\System32\drivers\atapi.sys
Files to delete:
c:\windows\system32\tdlwsp.dll
Get me the results of C:\Avenger.txt
===============
After doing that, run the following CFScript by saving it as CFScript.txt and dragging it onto ComboFix.exe:
Code:
KillAll::
MBR::
File::
c:\windows\system32\tdlwsp.dll
Attach C:\ComboFix.txt to your next reply
=======
Then run OTS.exe again and under the Custom Scans section please copy and paste the following:
%SYSTEMDRIVE%\atapi.sys /s /md5
Then click on the Quick Scan button. Attach the results to your next reply.
Let me know if you need help at any step.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
If I have not responded in three days, please feel free to PM me with a friendly reminder.
Please don't send me requests for help. Use the forums instead.

Junior Member with 18 posts.
09-Nov-2009, 03:08 AM
#29
Should I bother doing all this since my computer was pretty infected? I just don't wanna go through all this and then have my computer be more vulnerable because some jerk messed with my settings to allow easier access. Or should I let my friend take out the HD and fix it?

Senior Member with 1,765 posts. Join Date: Oct 2008. Location: California, USA.
09-Nov-2009, 03:13 AM
#30
This is a really new infection, so none of the general scanners will pick the infection up. Or if they do, they won't be able to do anything about it. Even if your friend ran a battery of antiviral/antimalware tests on it, there's probably not much he would be able to do short of cleaning it out and reinstalling Windows from scratch.
I think it's worth it to try this. This infection has not been seen to be used as a backdoor to a system; all it has been seen to do is redirect your online search results and similar relatively innocuous but annoying behavior.
But of course, cleaning out a system and reinstalling Windows from scratch is the most efficient way to eradicate infections. That could take at most a couple hours, where attempting to clean it might take considerably longer, as you've seen.
It's your call.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
If I have not responded in three days, please feel free to PM me with a friendly reminder.
Please don't send me requests for help. Use the forums instead.
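Added example for the checks in posts #23, #26 and #28 (the winsxs and DriverStore copies of atapi.sys, and the OTS custom scan with /md5). It is not from the thread and not code from The Avenger, OTS or ComboFix: it is a PowerShell script that lists every copy of atapi.sys under the Windows directory, hashes each one, compares the live driver with the servicing copies and with a known-good hash you supply, and checks the driver's Authenticode signature. It assumes Windows PowerShell 4 or later (for Get-FileHash) run from an elevated prompt; $KnownGoodMD5 is a placeholder to be filled from a clean install of the same build, and the Vista/7 limitation of the signature check is noted in the comments.

```powershell
# Added example, not part of the thread and not code from The Avenger, OTS or ComboFix.
# Assumes Windows PowerShell 4 or later (Get-FileHash) run from an elevated prompt.
# $KnownGoodMD5 is a placeholder: fill it with the MD5 of atapi.sys taken from a clean
# machine with the same Windows build, or leave it empty to skip that comparison.
$KnownGoodMD5 = ''
$SystemRoot   = $env:SystemRoot
$LivePath     = Join-Path $SystemRoot 'System32\drivers\atapi.sys'

# 1. Inventory every atapi.sys under the Windows directory: the live driver plus the
#    servicing copies in winsxs and DriverStore\FileRepository that the thread copied from.
$copies = Get-ChildItem -Path $SystemRoot -Filter 'atapi.sys' -Recurse -File -ErrorAction SilentlyContinue

# 2. Hash each copy. MD5 is what OTS prints with /md5; SHA256 is included for current tooling.
$report = foreach ($f in $copies) {
    [pscustomobject]@{
        Path   = $f.FullName
        Size   = $f.Length
        MD5    = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
        SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Sort-Object MD5, Path | Format-Table Path, Size, MD5 -AutoSize

# 3. Compare the live driver against the servicing copies and, if given, the known-good hash.
#    Agreement between copies only shows they agree with each other; post #28 shows the backups
#    can be modified too, so a hash from a clean machine is the stronger reference.
$live = $report | Where-Object { $_.Path -ieq $LivePath }
if (-not $live) {
    Write-Warning "Live driver not found at $LivePath"
} else {
    $references = @($report | Where-Object { $_.Path -ne $live.Path -and $_.Path -imatch '\\(winsxs|DriverStore)\\' })
    $agreeing   = @($references | Where-Object { $_.MD5 -eq $live.MD5 })
    "Live driver MD5 $($live.MD5) matches $($agreeing.Count) of $($references.Count) servicing copies."
    if ($KnownGoodMD5 -and $live.MD5 -ne $KnownGoodMD5.ToUpperInvariant()) {
        Write-Warning "Live atapi.sys does not match the known-good hash; treat the file as modified."
    }
    $distinct = @($report | Select-Object -ExpandProperty MD5 -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "Copies of atapi.sys on this system have $($distinct.Count) different hashes; review the table above."
    }
}

# 4. Authenticode check. In-box Microsoft drivers are signed, so 'Valid' is the expected result.
#    Caveat: Vista and 7 sign in-box drivers through catalogs only, and there this cmdlet reports
#    NotSigned for a clean file as well, so on those systems rely on the hash comparison above.
#    On Windows 8 and later the cmdlet also checks the signed catalogs, and a modified file
#    no longer matches any catalog entry, so anything other than 'Valid' deserves a closer look.
$sig = Get-AuthenticodeSignature -FilePath $LivePath
"Signature status: $($sig.Status)"
if ($sig.SignerCertificate) { "Signer: $($sig.SignerCertificate.Subject)" }
if ($sig.Status -ne 'Valid') {
    Write-Warning "Live atapi.sys signature status is $($sig.Status); verify the file before trusting it."
}
```

Save it as CheckAtapi.ps1 and run it from an elevated PowerShell prompt. The table lists every copy with its hash, which is the same information the helper asked for through the OTS custom scan; the comparison section then makes the point of post #28 explicit, namely that the live driver agreeing with the winsxs or DriverStore copies is not proof that any of them is clean, which is why the helper switched to a copy from a known-clean Vista machine and why the script lets you supply that copy's hash.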
All times are GMT -5.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.