BleepingComputer.com: Firefox is hijacked! Help!

farbar, on Nov 5 2009, 07:28 PM, said:

No, I didn't delete anything on purpose. It was probably spyware doctor (it scans automatically after each reboot).

farbar, on Nov 4 2009, 02:36 AM, said:

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: C:\Windows\System32\drivers\atapi(252).sys

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
NT SERVICE\TrustedInstaller
Allowed Full Control This Folder/File Only
NT AUTHORITY\SYSTEM
Allowed Full Control This Folder/File Only
JAYSON-PC\Users
Allowed Read and Execute This Folder/File Only

No Auditing set

Owner: TrustedInstaller (NT SERVICE\TrustedInstaller)
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: C:\Windows\System32\drivers\atapi.sys

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
\Everyone
Allowed Full Control This Folder/File Only
NT AUTHORITY\SYSTEM
Allowed Full Control This Folder/File Only (Inherited)
JAYSON-PC\Administrators
Allowed Full Control This Folder/File Only (Inherited)
JAYSON-PC\Users
Allowed Read and Execute This Folder/File Only (Inherited)

No Auditing set

Owner: Administrators (JAYSON-PC\Administrators)
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
File: C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
NT SERVICE\TrustedInstaller
Allowed Full Control This Folder/File Only
NT AUTHORITY\SYSTEM
Allowed Read and Execute This Folder/File Only
JAYSON-PC\Administrators
Allowed Read and Execute This Folder/File Only
JAYSON-PC\Users
Allowed Read and Execute This Folder/File Only

No Auditing set

Owner: TrustedInstaller (NT SERVICE\TrustedInstaller)

Please do the the second step too.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 06:16 on 06/11/2009 by Jayson (Administrator - Elevation successful)

========== filefind ==========

Searching for "mini*"
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-Bold.otf -ra--- 210112 bytes [21:36 20/06/2005] [21:36 20/06/2005] 461035AE352489B959C1C0FB4B1A9E92
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-BoldIt.otf -ra--- 250828 bytes [21:36 20/06/2005] [21:36 20/06/2005] 10479EFEA7FE48FE8DD68BCDF4858507
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-It.otf -ra--- 250708 bytes [21:36 20/06/2005] [21:36 20/06/2005] 7FF2CA4E3F783746056E1DBCDD8E1F0E
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-Regular.otf -ra--- 205608 bytes [21:36 20/06/2005] [21:36 20/06/2005] B6F4CD55AA101BF9D77DC4D7D24C9C26
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf -ra--- 234868 bytes [16:18 19/10/2007] [16:18 19/10/2007] CC92D64C25A9BC31B02CF546141C8160
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf -ra--- 280820 bytes [16:18 19/10/2007] [16:18 19/10/2007] 7FAB3A102794493CFCB127DB5BB9D11F
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf -ra--- 280924 bytes [16:18 19/10/2007] [16:18 19/10/2007] E99344C69074A8232DD3E170721EDB61
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf -ra--- 235436 bytes [16:18 19/10/2007] [16:18 19/10/2007] 6AFA563A0D68F5896022E5632F521FA1
C:\Program Files\ATI Technologies\ATI.ACE\Skins\CATALYST_Quicksilver\minimize2.bmp --a--- 9488 bytes [21:53 25/08/2006] [21:53 25/08/2006] C205BE13C77F6B3DFF287462FBC8962D
C:\Program Files\ATI Technologies\ATI.ACE\Skins\CATALYST_SteelBlue\minimize2.bmp --a--- 9488 bytes [21:53 25/08/2006] [21:53 25/08/2006] 7CE338F442A5D963213F9519D38B160B
C:\Program Files\Common Files\Remote Control Software Common\jre\lib\javaws\miniSplash.jpg --a--- 5076 bytes [20:14 24/08/2009] [17:57 31/08/2007] BBECFA736F500255E27A0FC73D0C9763
C:\Program Files\GRETECH\GomPlayer\skins\default\PL\MINIMIZE.BMP --a--- 3128 bytes [06:00 04/04/2003] [06:00 04/04/2003] 7FD8D0ABBE2808655BCFEB59E9AE1367
C:\Program Files\Logitech\Logitech Harmony Remote Software 7\jre\lib\javaws\miniSplash.jpg --a--- 5076 bytes [20:14 24/08/2009] [17:58 31/08/2007] BBECFA736F500255E27A0FC73D0C9763
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_Handlers\minimize.png --a--- 3121 bytes [16:01 11/10/2005] [16:01 11/10/2005] 3F8511F24989AE70387C2FC2F037F0A8
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_Handlers\minimize_fullscreen.png --a--- 3121 bytes [22:13 30/11/2005] [22:13 30/11/2005] 3F8511F24989AE70387C2FC2F037F0A8
C:\Windows.old.000\Windows\System32\DriverStore\FileRepository\tape.inf_7704b87a\miniqic.sys --a--- 8192 bytes [10:25 02/11/2006] [08:52 02/11/2006] 20601B0651994CF74E4A451C326D58CD
C:\Windows\System32\DriverStore\FileRepository\tape.inf_69d57dbc\miniqic.sys --a--- 8192 bytes [00:11 04/10/2009] [01:50 19/01/2008] 3A8E54290CD06F78F9D2E8C66A0AB456
C:\Windows\System32\DriverStore\FileRepository\tape.inf_7704b87a\miniqic.sys --a--- 8192 bytes [10:25 02/11/2006] [08:52 02/11/2006] 20601B0651994CF74E4A451C326D58CD
C:\Windows\winsxs\x86_tape.inf_31bf3856ad364e35_6.0.6001.18000_none_e67ad7997d7e1e1f\miniqic.sys --a--- 8192 bytes [00:11 04/10/2009] [01:50 19/01/2008] 3A8E54290CD06F78F9D2E8C66A0AB456

========== dir ==========

C:\Qoobox\Quarantine - Unable to find folder.

-=End Of File=-

We are going to replace atapi.sys.

• Download the attached batch file, right-click and select "Run as administrator".
  A log file will opens. Only if it says: "1 file(s) copied" proceed to the next step.
  
  
  
• Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
    
  • Double click on avenger.exe to run The Avenger.
    
  • Click OK.
    
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    

    Files to delete:
    C:\Windows\System32\drivers\atapi(252).sys
    
    Folders to delete:
    C:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726\Quarantine
    C:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726
    
    Files to Move:
    c:\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    

    
    
  • In the avenger window, click the Paste Script from Clipboard, button.
    
  • Click the Execute button.
    
  • You will be asked Are you sure you want to execute the current script?.
    
  • Click Yes.
    
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
    
  • Click Yes.
    
  • Your PC will now be rebooted.
    
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    
  • Please post this log in your next reply.

This post has been edited by farbar: 06 November 2009 - 02:57 PM

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Fri Nov 06 17:16:55 2009

17:16:55: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Fri Nov 06 17:17:34 2009

17:17:34: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Fri Nov 06 17:18:55 2009

17:18:55: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Fri Nov 06 17:26:03 2009

17:26:03: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

This is from copy.bat:

Overwrite C:\atapi.sys (Yes/No/All)?

Actually you were supposed to do the second step only if the file was copied. Could it be that you run copy.bat twice?

Please remove atapi.sys from C drive.

Then redo both the steps. Please make sure you copy the whole content of the codebox (without the word "Code") to The Avenger.

farbar, on Nov 6 2009, 05:49 PM, said:

I can't get the proper permission access to delete the file.

This is the message that popped up in copy.bat:


C:\Windows\system32>xcopy /h "C:\Windows\System32\DriverStore\FileRepository\msh
dc.inf_cc18792d\atapi.sys" c:\ 1>log.txt & start log.txt


How do I delete the atapsi file in Vista?

To delete a file you right-click the file and select Delete from the context menu. But you don't need to do that. Please do the following:
Delete the copy.bat file from your desktop.
Download the attached file and right-click it, select "run as Administrator".
A log file opens, if it reads "1 file(s) copied" do the Avenger step.

Please make sure you copy the whole content of the codebox (without the word "Code") to The Avenger.

C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
1 File(s) copied

Okay, I did the Avenger step.

I keep getting an error message from Avenger "Error: Invalid script. A valid script must begin with a command directive. Aborting execution!"

Just to make sure I'm following instruction, I copied and pasted this into Avenger "Files to delete:C:\Windows\System32\drivers\atapi(252).sysFolders to delete:C:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726\QuarantineC:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726Files to Move:c:\atapi.sys | C:\Windows\System32\drivers\atapi.sys"

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Fri Nov 06 17:16:55 2009

17:16:55: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Fri Nov 06 17:17:34 2009

17:17:34: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Fri Nov 06 17:18:55 2009

17:18:55: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Fri Nov 06 17:26:03 2009

17:26:03: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Fri Nov 06 17:40:03 2009

17:40:03: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Fri Nov 06 17:46:49 2009

17:46:49: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Fri Nov 06 17:47:20 2009

17:47:20: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Sat Nov 07 07:26:11 2009

07:26:11: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Sat Nov 07 07:29:45 2009

07:29:45: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Sat Nov 07 07:30:05 2009

07:30:05: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Sat Nov 07 07:30:17 2009

07:30:17: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Sat Nov 07 07:32:54 2009

07:32:54: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Sat Nov 07 07:34:19 2009

07:34:11: Error: Invalid syntax in command:
"c:\atapi.sys |"
Skipping line. (File move mode)
07:34:19: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Sat Nov 07 07:35:26 2009

07:34:50: Error: Invalid syntax in command:
"c:\atapi.sys"
Skipping line. (File move mode)
07:35:20: Error: Invalid syntax in command:
"C:\Windows\System32\drivers\atapi.sys"
Skipping line. (File move mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Windows\System32\drivers\atapi(252).sys" deleted successfully.

Error: could not open folder "C:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726\Quarantine"
Deletion of folder "C:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726\Quarantine" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: folder "C:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726" not found!
Deletion of folder "C:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Thanks for posting your script. I will explain it:

Your Script:

Quote

A correct script:

Quote

In your script there is no return or space and all the lines are after each other. I don't now how you mange to do it, perhaps you copy line by line instead of copying all the text.

Now please redo the first step to make sure and then use this script for the Avenger part:

Quote

Make sure Files to Move: is on the first line and the rest on the second line.

farbar, on Nov 7 2009, 09:07 AM, said:

Thanks again! I sincerely appreciate your time, effort, and patience!

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Windows\System32\drivers\atapi(252).sys" not found!
Deletion of file "C:\Windows\System32\drivers\atapi(252).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open folder "C:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726\Quarantine"
Deletion of folder "C:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726\Quarantine" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: folder "C:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726" not found!
Deletion of folder "C:\$Recycle.Bin\S-1-5-21-176149683-1902691030-2524617907-1000\$RKY2726" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File move operation "c:\atapi.sys|C:\Windows\System32\drivers\atapi.sys" completed successfully.

Error: file "c:\atapi.sys" not found!
File move operation "c:\atapi.sys|C:\Windows\System32\drivers\atapi.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.