
Thread: Worst virus (malware?) I've ever had ....

  1. #21
    Junior Member
    Join Date
    Nov 2009
    Location
    San Francisco, CA
    Posts
    14


    Ok, here is the VirusTotal log:

    Antivirus Version Last Update Result
    a-squared 4.5.0.41 2009.11.12 -
    AhnLab-V3 5.0.0.2 2009.11.11 -
    AntiVir 7.9.1.65 2009.11.11 -
    Antiy-AVL 2.0.3.7 2009.11.11 -
    Authentium 5.2.0.5 2009.11.12 -
    Avast 4.8.1351.0 2009.11.11 -
    AVG 8.5.0.426 2009.11.11 -
    BitDefender 7.2 2009.11.12 -
    CAT-QuickHeal 10.00 2009.11.11 -
    ClamAV 0.94.1 2009.11.12 -
    Comodo 2922 2009.11.12 -
    DrWeb 5.0.0.12182 2009.11.12 -
    eSafe 7.0.17.0 2009.11.11 -
    eTrust-Vet 35.1.7116 2009.11.11 -
    F-Prot 4.5.1.85 2009.11.11 -
    F-Secure 9.0.15370.0 2009.11.11 -
    Fortinet 3.120.0.0 2009.11.11 -
    GData 19 2009.11.11 -
    Ikarus T3.1.1.74.0 2009.11.12 -
    Jiangmin 11.0.800 2009.11.11 -
    K7AntiVirus 7.10.894 2009.11.11 -
    Kaspersky 7.0.0.125 2009.11.11 -
    McAfee 5799 2009.11.11 -
    McAfee+Artemis 5799 2009.11.11 -
    McAfee-GW-Edition 6.8.5 2009.11.11 -
    Microsoft 1.5202 2009.11.11 -
    NOD32 4597 2009.11.11 -
    Norman 6.03.02 2009.11.11 -
    nProtect 2009.1.8.0 2009.11.11 -
    Panda 10.0.2.2 2009.11.11 -
    PCTools 7.0.3.5 2009.11.11 -
    Prevx 3.0 2009.11.12 -
    Rising 22.21.03.01 2009.11.12 -
    Sophos 4.47.0 2009.11.11 -
    Sunbelt 3.2.1858.2 2009.11.12 -
    Symantec 1.4.4.12 2009.11.12 -
    TheHacker 6.5.0.2.066 2009.11.11 -
    TrendMicro 9.0.0.1003 2009.11.11 -
    VBA32 3.12.10.11 2009.11.11 -
    ViRobot 2009.11.12.2032 2009.11.12 -
    VirusBuster 4.6.5.0 2009.11.11 -
    Additional information
    File size: 4096 bytes
    MD5...: 8a0f7a7b693054319a2d3e6bdd9a5b16
    SHA1..: 480f64cbc00cf8436abfb64908b6e2b8b97a3e5f
    SHA256: 305893245c644ade47f2135b381a49af7c7c454df7fcd62702164d2ba7b0f968
    ssdeep: 48:iTQ+gU6Z9am3IwRdkhHiSHcvXow3vr+yStVz4RS:qLd6v3IwRmhVHezX5
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x4005
    timedatestamp.....: 0x46fa14da (Wed Sep 26 08:14:18 2007)
    machinetype.......: 0x14c (I386)

    ( 5 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x2f1 0x400 4.58 da266b5817fc681f2e1bda5c3103ecf0
    .rdata 0x2000 0xe1 0x200 2.34 0764cabd120f8b9902dbb7a4f1bc90aa
    .data 0x3000 0x28 0x200 0.23 fadaf50a84c8799fcd7ab24c013d47e2
    INIT 0x4000 0x16e 0x200 4.05 1fb90c278ba4c3da0728f376da13fbac
    .reloc 0x5000 0x98 0x200 1.46 892a6f3fc72b2233bc1c1fff122a563f

    ( 1 imports )
    > ntoskrnl.exe: IofCompleteRequest, ZwTerminateProcess, sprintf, ZwOpenProcess, IoDeleteDevice, IoDeleteSymbolicLink, IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, KeTickCount

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    packers (Kaspersky): PE_Patch
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
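    The report above shows 0/40 detections, but the import table and sigcheck lines say more about the file than the signature scan does. As an added example (not part of the thread), a small Python triage script that parses lines in the VirusTotal text format quoted above and lists what a defender should weigh before trusting a zero-detection result; the embedded sample is constructed from a few rows of this post.

```python
import re

# Constructed sample: three of the 40 engine rows plus the import, packer and
# sigcheck lines, copied from the VirusTotal report quoted in post #21.
SAMPLE_REPORT = """\
a-squared 4.5.0.41 2009.11.12 -
Kaspersky 7.0.0.125 2009.11.11 -
Symantec 1.4.4.12 2009.11.12 -
( 1 imports )
> ntoskrnl.exe: IofCompleteRequest, ZwTerminateProcess, sprintf, ZwOpenProcess, IoDeleteDevice, IoDeleteSymbolicLink, IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, KeTickCount
packers (Kaspersky): PE_Patch
verified.....: Unsigned
"""

AV_ROW = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")  # engine version date result
IMPORT_ROW = re.compile(r"^> ([^:]+): (.+)$")                      # > dll: fn, fn, ...
PROCESS_CONTROL = {"ZwOpenProcess", "ZwTerminateProcess"}          # kernel process-kill capability

def parse_report(text):
    # Pull engine results, imports, packer tag and signature status out of the text dump.
    info = {"engines": 0, "detections": 0, "imports": {}, "packer": None, "signed": None}
    for line in text.splitlines():
        line = line.strip()
        if m := AV_ROW.match(line):
            info["engines"] += 1
            info["detections"] += int(m.group(4) != "-")   # "-" means no detection
        elif m := IMPORT_ROW.match(line):
            info["imports"][m.group(1).lower()] = [f.strip() for f in m.group(2).split(",")]
        elif line.startswith("packers"):
            info["packer"] = line.split(":", 1)[1].strip()
        elif line.startswith("verified"):
            info["signed"] = line.split(":", 1)[1].strip() != "Unsigned"
    return info

def triage(text):
    # Return the reasons the file deserves a closer look even with zero detections.
    info, flags = parse_report(text), []
    if info["engines"] and info["detections"] == 0:
        flags.append("0/%d engines: no signature hit, not evidence the file is benign" % info["engines"])
    kernel = info["imports"].get("ntoskrnl.exe", [])
    if kernel:
        flags.append("imports only ntoskrnl.exe: this is a kernel-mode driver")
        pc = sorted(PROCESS_CONTROL & set(kernel))
        if pc:
            flags.append("process-control imports in a driver: " + ", ".join(pc))
    if info["packer"]:
        flags.append("packer/patch tag: " + info["packer"])
    if info["signed"] is False:
        flags.append("unsigned driver")
    return flags
```

    Run `triage(SAMPLE_REPORT)` to get the five flags for this sample; any one of them is a reason to restore from a known-good image rather than trust the scan.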

  2. #22
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    EDIT: Ignore the Avenger steps below (under ------). I didn't remember you had Acronis True Image installed there. Please take copies of your important documents to CD/DVD or a removable storage drive and then restore the system with Acronis to the state before the system got infected. That's the best thing to do at this point, since the issue causer appears to be hard to track down and we can't leave the system in a state in which it can't be trusted.


    -----------
    Skip first two steps if you still have Avenger present.

    • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
      Code:
      Files to move:
      c:\iastor.sys|C:\Windows\system32\drivers\iastor.sys
    • In the avenger window, click the Paste Script from Clipboard, button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.
    Last edited by Blade81; 2009-11-12 at 11:43.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #23
    Junior Member
    Join Date
    Nov 2009
    Location
    San Francisco, CA
    Posts
    14


    Blade,

    My last Acronis backup image is way, way out of date. Any way I can safely back up my more recent data?

  4. #24
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    It's no use creating a new image in the current situation cos it wouldn't help in any way. As I said, it would be recommended to back up the important stuff and then restore the earlier image you have there.
