
Thread: Not Sure what I got but dont like it!!!

  1. #21 Member (Join Date: Nov 2009; Posts: 41)

    OK, everything worked great up until the C:\windows prompt. I typed everything in exactly like it looks several different times and it kept telling me the specified file could not be found. So I am lost again...

    I am so sorry I am so much trouble.

  2. #22 Security Expert: Emeritus Blade81 (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi,

    Please write these commands in the recovery console's command prompt:
      c:
      cd\windows\system32\drivers
      dir iaStor.sys

    Does it list any files?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #23 Member (Join Date: Nov 2009; Posts: 41)

    It said no files found.

  4. #24 Security Expert: Emeritus Blade81 (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi,

    Please run ComboFix and let it update itself. Post back the resultant log.

  5. #25 Member (Join Date: Nov 2009; Posts: 41)

    ComboFix 09-11-30.02 - Brian2 11/30/2009 23:37.7.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.694 [GMT -5:00]
    Running from: c:\documents and settings\Brian2\Desktop\ComboFix.exe
    AV: Defender Pro Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Defender Pro Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\twain_32.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
    .

    2009-11-27 00:37 . 2009-11-27 00:37 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
    2009-11-27 00:37 . 2009-11-27 00:37 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
    2009-11-27 00:37 . 2009-11-27 00:37 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
    2009-11-26 23:55 . 2008-11-25 01:44 34062 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\Uninst.exe
    2009-11-26 23:55 . 2008-11-25 01:44 1011800 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\MoveMediaPlayer_071102000005.exe
    2009-11-26 23:55 . 2008-10-26 01:38 976248 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\qsp2ie071102000005.dll
    2009-11-26 23:55 . 2009-11-27 00:02 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Move Networks
    2009-11-26 23:55 . 2008-10-26 01:38 99704 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
    2009-11-26 23:55 . 2008-11-08 06:47 8854 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{81F01618-32F9-44B0-B604-42148DFCFD8A}\UNINST_Uninstall_D_81F0161832F944B0B60442148DFCFD8A.exe
    2009-11-26 23:55 . 2008-11-08 06:47 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{81F01618-32F9-44B0-B604-42148DFCFD8A}\ARPPRODUCTICON.exe
    2009-11-26 23:55 . 2009-02-28 16:04 8854 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{6C907FAE-C472-48AA-B58E-C428360E8FCD}\UNINST_Uninstall_A_6C907FAEC47248AAB58EC428360E8FCD.exe
    2009-11-26 23:55 . 2009-02-28 16:04 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{6C907FAE-C472-48AA-B58E-C428360E8FCD}\ARPPRODUCTICON.exe
    2009-11-26 23:55 . 2009-11-26 23:55 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Malwarebytes
    2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Corel
    2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\ArcSoft
    2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Apple Computer
    2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\AdobeUM
    2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
    2009-11-26 14:42 . 2004-06-29 17:17 477952 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
    2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\dllcache\cbidf2k.sys
    2009-11-24 16:41 . 2009-11-24 16:41 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2009-11-24 16:40 . 2009-11-24 16:40 79488 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-01 05:07 . 2008-11-23 23:33 89109024 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2009-12-01 04:34 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
    2009-12-01 04:34 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
    2009-12-01 04:34 . 2008-11-23 23:33 2978080 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2009-12-01 04:34 . 2008-11-23 23:33 279524 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2009-12-01 04:34 . 2008-11-23 23:33 1193348 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2009-12-01 04:16 . 2008-11-23 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Defender Pro
    2009-11-13 01:30 . 2008-04-26 11:44 -------- d-----w- c:\program files\rFactor
    2009-10-16 00:31 . 2007-08-01 05:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-15 07:55 . 2008-11-23 23:34 95259 ----a-w- c:\windows\system32\drivers\klick.dat
    2009-10-15 07:55 . 2008-11-23 23:34 108059 ----a-w- c:\windows\system32\drivers\klin.dat
    2009-10-11 09:17 . 2008-11-23 02:53 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-28 01:24 . 2008-12-07 23:39 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-09-19 01:24 . 2009-11-27 00:02 152576 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-09-19 01:24 . 2009-09-19 01:24 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-09-11 14:33 . 2004-08-04 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-10 18:54 . 2008-11-23 03:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 18:53 . 2008-11-23 03:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-04 20:45 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-11-20 14:42 . 2009-04-04 04:00 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
    2009-11-20 14:42 . 2009-04-04 04:00 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
    2009-11-20 14:42 . 2009-04-04 04:00 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
    2009-11-20 14:42 . 2009-04-04 04:00 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
    2009-11-20 14:42 . 2009-04-04 04:00 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
    2005-09-24 00:33 . 2005-09-24 00:33 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-11-24_19.54.03 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-01 04:35 . 2009-12-01 04:35 16384 c:\windows\temp\Perflib_Perfdata_5dc.dat
    - 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\SYSTEM32\tzchange.exe
    + 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\SYSTEM32\tzchange.exe
    + 2009-11-26 14:29 . 2009-11-26 14:29 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
    + 2009-11-26 14:29 . 2009-11-26 14:29 429568 c:\windows\Installer\387b6.msi
    + 2009-07-21 05:03 . 2009-07-21 05:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
    + 2009-07-21 05:05 . 2009-07-21 05:05 1348432 c:\windows\SYSTEM32\msxml4.dll
    + 2004-08-04 11:00 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\msxml3.dll
    + 2006-09-13 05:01 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Games\\Infogrames\\Dirt Track Racing 2\\DTR2.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
    "c:\\Games\\Infogrames\\Dirt Track Racing 2\\Server.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\rFactor\\rFactor.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "3389:TCP"= 3389:TCP:Remote Desktop

    S3 danceflt;XboxCtrl_filt_Service;c:\windows\SYSTEM32\DRIVERS\danceflt.sys [5/27/2008 5:06 PM 31183]
    S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys [?]
    S3 samhid;samhid;c:\windows\SYSTEM32\DRIVERS\Samhid.sys [1/23/2007 2:42 PM 7548]
    S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\SYSTEM32\DRIVERS\w300mgmt.sys [3/22/2007 7:45 PM 87824]
    S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\SYSTEM32\DRIVERS\w300obex.sys [3/22/2007 7:45 PM 85696]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.excite.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    IE: { - c:\program files\Messenger\msmsgs.exe
    DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxp://www.peoplepc.com/ppcos/isp60/download/ppcwebi.cab
    FF - ProfilePath - c:\documents and settings\Brian2\Application Data\Mozilla\Firefox\Profiles\cjltoakj.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\kodak-companion@mozilla.com\platform\WINNT\components\pickup.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-01 00:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86789F30]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf76d6fc3
    \Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
    \Driver\atapi -> atapi.sys @ 0xf74147b4
    \Driver\iaStor -> 0x86789f30
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(792)
    c:\windows\system32\klogon.dll
    .
    Completion time: 2009-12-01 00:10
    ComboFix-quarantined-files.txt 2009-12-01 05:10
    ComboFix2.txt 2009-11-26 14:56
    ComboFix3.txt 2009-11-24 20:14

    Pre-Run: 105,213,042,688 bytes free
    Post-Run: 105,127,309,312 bytes free

    - - End Of File - - DD7B7347BBAC8F0567B0126FBED97C5E

  6. #26 Security Expert: Emeritus Blade81 (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi,

    Please try this:

    1. Go to the c:\windows\system32\drivers folder

    2. Locate the file - iaStor.sys

    3. Drag and move the file to Desktop

    4. Wait 5 secs and press F5 to see if the operating system regenerated a fresh copy in c:\windows\system32\drivers folder

    5a. If a fresh copy is regenerated, reboot the machine

    5b. If a fresh copy ISN'T regenerated, move the copy from Desktop back to the c:\windows\system32\drivers folder.


    If 5a was carried out, run GMER and attach the report.

    If instead 5b was carried out, let me know.

  7. #27 Member (Join Date: Nov 2009; Posts: 41)

    OK, did all that and it did not regenerate the file.

  8. #28 Security Expert: Emeritus Blade81 (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Download and Run SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      iastor.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

  9. #29 Member (Join Date: Nov 2009; Posts: 41)

    SystemLook v1.0 by jpshortstuff (29.08.09)
    Log created at 09:52 on 02/12/2009 by Brian2 (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "iastor.sys"
    C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS --a--c 477952 bytes [17:17 29/06/2004] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
    C:\I386\iaStor.sys --a--c 477952 bytes [14:07 06/03/2005] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
    C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys --a--- 477952 bytes [14:42 26/11/2009] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7

    -=End Of File=-
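    As an added illustration (not part of the thread), the two log fragments above can be checked mechanically: the Gmer section of the ComboFix log in #25 reports \Driver\iaStor hooked to a bare address that Gmer also lists as an >>UNKNOWN<< module, while the SystemLook output in #29 shows every on-disk copy of iaStor.sys with the same size and MD5, which is why comparing the files on disk alone does not settle the question. The Python below, run over constructed copies of those lines, separates hooks that resolve to a named module from those that point only at an address, cross-references them with the UNKNOWN call-chain entry, and groups the file copies by hash so a differing copy would stand out.

```python
import re
from collections import defaultdict

# Constructed sample: the call-chain and hook lines from the Gmer section
# of the ComboFix log posted in #25.
GMER_SAMPLE = r"""
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86789F30]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d6fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf74147b4
\Driver\iaStor -> 0x86789f30
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
"""

# Constructed sample: the SystemLook :filefind output posted in #29.
SYSTEMLOOK_SAMPLE = r"""
C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS --a--c 477952 bytes [17:17 29/06/2004] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
C:\I386\iaStor.sys --a--c 477952 bytes [14:07 06/03/2005] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys --a--- 477952 bytes [14:42 26/11/2009] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
"""

HOOK_RE = re.compile(r"^(\\Driver\\[^ ]+) -> (.+)$")
ADDR_RE = re.compile(r"0x[0-9a-fA-F]+")
# path, 6-char attribute field, size, two bracketed timestamps, 32-hex MD5
FILE_RE = re.compile(r"^(.+?) (\S{6}) (\d+) bytes \[[^\]]*\] \[[^\]]*\] ([0-9A-Fa-f]{32})$")


def unresolved_hooks(text):
    """Driver objects whose hook target is a bare address, i.e. code Gmer
    could not attribute to any module it knows on disk."""
    hits = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m and ADDR_RE.fullmatch(m.group(2)):
            hits.append((m.group(1), m.group(2).lower()))
    return hits


def unknown_modules(text):
    """Addresses Gmer marks as >>UNKNOWN<< in the disk-driver call chain."""
    return [a.lower() for a in re.findall(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<", text)]


def hooks_into_unknown(text):
    """Hooked driver objects whose target is exactly an UNKNOWN call-chain
    address: an in-memory redirection with no file behind it."""
    unknown = set(unknown_modules(text))
    return [drv for drv, addr in unresolved_hooks(text) if addr in unknown]


def hash_groups(text):
    """Group every listed copy of the file by (size, MD5); a single group
    means all copies on disk are byte-identical."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            groups[(int(m.group(3)), m.group(4).upper())].append(m.group(1))
    return dict(groups)


if __name__ == "__main__":
    print("hooks into UNKNOWN code:", hooks_into_unknown(GMER_SAMPLE))
    print("on-disk copies by (size, md5):", hash_groups(SYSTEMLOOK_SAMPLE))
```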

  10. #30 Security Expert: Emeritus Blade81 (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi again,

    Navigate to C:\Windows, create a new folder and call it lastgood. If a lastgood or lastgood.tmp folder already exists, please rename that folder to oldlastgood.

    When you have done this, open the lastgood folder and create a folder called System32, and in that folder create another folder called Drivers.

    Then navigate to the following bolded file, and place a copy of it in that Drivers folder:

    C:\I386\iaStor.sys

    So after that you should have:

    C:\Windows\lastgood\System32\Drivers\iastor.sys

    ----------------

    Then restart the computer, and as it boots up tap the F8 key to access the startup menu (where you can make Safe Mode selections). From that menu select the following:

    Last Known Good Configuration

    After the reboot, run ComboFix and post back its log, please.
