ok everything worked great up until the C:windows prompt. I typed everything in exactly like it looks several different times and it kept telling me specified file could not be found. So I am lost again.....
I am so sorry I am so much trouble.
Hi,
Please write these commands in recovery console's command prompt:
c:
cd\windows\system32\drivers
dir iaStor.sys
Does it list you any files?
Microsoft Windows Insider MVP 2016-2020
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
If you have problems create a thread in the forum, please.
Malware removal instructions are for the correspondent user's case only.
It said no files found
Hi,
Please run ComboFix and let it update itself. Post back the resultant log.
ComboFix 09-11-30.02 - Brian2 11/30/2009 23:37.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.694 [GMT -5:00]
Running from: c:\documents and settings\Brian2\Desktop\ComboFix.exe
AV: Defender Pro Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\twain_32.dll
.
((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.
2009-11-27 00:37 . 2009-11-27 00:37 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-11-27 00:37 . 2009-11-27 00:37 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
2009-11-27 00:37 . 2009-11-27 00:37 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-11-26 23:55 . 2008-11-25 01:44 34062 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\Uninst.exe
2009-11-26 23:55 . 2008-11-25 01:44 1011800 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\MoveMediaPlayer_071102000005.exe
2009-11-26 23:55 . 2008-10-26 01:38 976248 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\qsp2ie071102000005.dll
2009-11-26 23:55 . 2009-11-27 00:02 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Move Networks
2009-11-26 23:55 . 2008-10-26 01:38 99704 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-11-26 23:55 . 2008-11-08 06:47 8854 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{81F01618-32F9-44B0-B604-42148DFCFD8A}\UNINST_Uninstall_D_81F0161832F944B0B60442148DFCFD8A.exe
2009-11-26 23:55 . 2008-11-08 06:47 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{81F01618-32F9-44B0-B604-42148DFCFD8A}\ARPPRODUCTICON.exe
2009-11-26 23:55 . 2009-02-28 16:04 8854 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{6C907FAE-C472-48AA-B58E-C428360E8FCD}\UNINST_Uninstall_A_6C907FAEC47248AAB58EC428360E8FCD.exe
2009-11-26 23:55 . 2009-02-28 16:04 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{6C907FAE-C472-48AA-B58E-C428360E8FCD}\ARPPRODUCTICON.exe
2009-11-26 23:55 . 2009-11-26 23:55 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Malwarebytes
2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Corel
2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\ArcSoft
2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Apple Computer
2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\AdobeUM
2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
2009-11-26 14:42 . 2004-06-29 17:17 477952 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\dllcache\cbidf2k.sys
2009-11-24 16:41 . 2009-11-24 16:41 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 16:40 . 2009-11-24 16:40 79488 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 05:07 . 2008-11-23 23:33 89109024 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-01 04:34 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-01 04:34 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-01 04:34 . 2008-11-23 23:33 2978080 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-01 04:34 . 2008-11-23 23:33 279524 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-01 04:34 . 2008-11-23 23:33 1193348 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-01 04:16 . 2008-11-23 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Defender Pro
2009-11-13 01:30 . 2008-04-26 11:44 -------- d-----w- c:\program files\rFactor
2009-10-16 00:31 . 2007-08-01 05:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-15 07:55 . 2008-11-23 23:34 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-15 07:55 . 2008-11-23 23:34 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-11 09:17 . 2008-11-23 02:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 01:24 . 2008-12-07 23:39 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-19 01:24 . 2009-11-27 00:02 152576 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-19 01:24 . 2009-09-19 01:24 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-11 14:33 . 2004-08-04 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2008-11-23 03:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-11-23 03:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-11-20 14:42 . 2009-04-04 04:00 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-20 14:42 . 2009-04-04 04:00 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-20 14:42 . 2009-04-04 04:00 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-11-20 14:42 . 2009-04-04 04:00 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-11-20 14:42 . 2009-04-04 04:00 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-09-24 00:33 . 2005-09-24 00:33 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-11-24_19.54.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-01 04:35 . 2009-12-01 04:35 16384 c:\windows\temp\Perflib_Perfdata_5dc.dat
- 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2009-11-26 14:29 . 2009-11-26 14:29 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2009-11-26 14:29 . 2009-11-26 14:29 429568 c:\windows\Installer\387b6.msi
+ 2009-07-21 05:03 . 2009-07-21 05:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2009-07-21 05:05 . 2009-07-21 05:05 1348432 c:\windows\SYSTEM32\msxml4.dll
+ 2004-08-04 11:00 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\msxml3.dll
+ 2006-09-13 05:01 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\DTR2.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\Server.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\rFactor\\rFactor.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3389:TCP"= 3389:TCP:Remote Desktop
S3 danceflt;XboxCtrl_filt_Service;c:\windows\SYSTEM32\DRIVERS\danceflt.sys [5/27/2008 5:06 PM 31183]
S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys [?]
S3 samhid;samhid;c:\windows\SYSTEM32\DRIVERS\Samhid.sys [1/23/2007 2:42 PM 7548]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\SYSTEM32\DRIVERS\w300mgmt.sys [3/22/2007 7:45 PM 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\SYSTEM32\DRIVERS\w300obex.sys [3/22/2007 7:45 PM 85696]
.
Contents of the 'Scheduled Tasks' folder
2009-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: { - c:\program files\Messenger\msmsgs.exe
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxp://www.peoplepc.com/ppcos/isp60/download/ppcwebi.cab
FF - ProfilePath - c:\documents and settings\Brian2\Application Data\Mozilla\Firefox\Profiles\cjltoakj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\kodak-companion@mozilla.com\platform\WINNT\components\pickup.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 00:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86789F30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d6fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf74147b4
\Driver\iaStor -> 0x86789f30
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\klogon.dll
.
Completion time: 2009-12-01 00:10
ComboFix-quarantined-files.txt 2009-12-01 05:10
ComboFix2.txt 2009-11-26 14:56
ComboFix3.txt 2009-11-24 20:14
Pre-Run: 105,213,042,688 bytes free
Post-Run: 105,127,309,312 bytes free
- - End Of File - - DD7B7347BBAC8F0567B0126FBED97C5E
Hi,
Please try this:
1. Go to the c:\windows\system32\drivers folder
2. Locate the file - iaStor.sys
3. Drag and move the file to Desktop
4. Wait 5 secs and press F5 to see if the operating system regenerated a fresh copy in c:\windows\system32\drivers folder
5a. If a fresh copy is regenerated, reboot the machine
5b. If a fresh copy ISN'T regenerated, move the copy from Desktop back to c:\windows\system32\drivers folder.
If 5a was carried out, run GMER and attach the report.
If instead 5b was carried out, let me know.
ok did all that and it did not regenerate the file.
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Note: The log can also be found on your Desktop entitled SystemLook.txt
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
Code:
:filefind iastor.sys
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:52 on 02/12/2009 by Brian2 (Administrator - Elevation successful)
========== filefind ==========
Searching for "iastor.sys"
C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS --a--c 477952 bytes [17:17 29/06/2004] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
C:\I386\iaStor.sys --a--c 477952 bytes [14:07 06/03/2005] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys --a--- 477952 bytes [14:42 26/11/2009] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
-=End Of File=-
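The SystemLook output above lists three copies of iaStor.sys with the same size and the same MD5, i.e. the driver in C:\WINDOWS\SYSTEM32\DRIVERS is byte-identical to the Windows setup-source copy in C:\I386. The script below is an added example for readers of this thread; it is not part of SystemLook or of the helper's instructions. It parses the ":filefind" result format, groups every copy by hash, and flags any copy whose hash disagrees with the majority, which is the check a responder performs by eye when reading such a log. The first three sample lines are copied from the log above; the fourth line (path C:\EXAMPLE_CONSTRUCTED, all-zero hash) is constructed to show how a mismatching copy is reported.

```python
import re
from collections import defaultdict

# Constructed sample in SystemLook ":filefind" output format. The first three
# result lines are copied from the log posted in this thread; the fourth
# (C:\EXAMPLE_CONSTRUCTED, all-zero hash) is made up to show a mismatching copy.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:52 on 02/12/2009 by Brian2 (Administrator - Elevation successful)
========== filefind ==========
Searching for "iastor.sys"
C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS --a--c 477952 bytes [17:17 29/06/2004] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
C:\I386\iaStor.sys --a--c 477952 bytes [14:07 06/03/2005] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys --a--- 477952 bytes [14:42 26/11/2009] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
C:\EXAMPLE_CONSTRUCTED\iaStor.sys --a--- 477952 bytes [01:02 03/04/2009] [17:17 29/06/2004] 00000000000000000000000000000000
-=End Of File=-
"""

# One filefind result line: path, attribute flags, size, [modified] [created], MD5.
FILEFIND_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<attrs>[-a-zA-Z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+"
    r"\[(?P<created>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return a list of dicts, one per file hit; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_LINE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entries.append(entry)
    return entries


def group_by_hash(entries):
    """Map each MD5 to the list of paths carrying that hash."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def distinct_sizes(entries):
    """Set of file sizes seen; more than one size means the copies differ."""
    return {e["size"] for e in entries}


def find_outliers(entries):
    """Paths whose MD5 differs from the most common hash among all copies.

    With a single distinct hash (as in the posted log) the result is empty,
    meaning the installed driver matches the setup-source copies.
    """
    groups = group_by_hash(entries)
    if len(groups) <= 1:
        return []
    majority = max(groups, key=lambda h: len(groups[h]))
    return [p for h, paths in groups.items() if h != majority for p in paths]


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_hash(found).items():
        print(md5, "->", len(paths), "copy/copies")
    for path in find_outliers(found):
        print("MISMATCH:", path)
```

Run against the real log text instead of SAMPLE_LOG, an empty outlier list and a single size confirm what the helper concluded from this post: the file itself is clean, so the remaining problem lies elsewhere (here, the unknown hook reported by the MBR scan above).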
Hi again,
Navigate to C:\Windows, create a new folder and call it lastgood. If a lastgood or lastgood.tmp folder already exists, please rename the folder to oldlastgood.
When you have done this, open the lastgood folder and create a folder called System32, and in that folder create another folder called Drivers.
Then navigate to the following bolded file, and place a copy of it in that Drivers folder:
C:\I386\iaStor.sys
So after that you should have:
C:\Windows\lastgood\System32\Drivers\iastor.sys
----------------
Then restart the computer, and as it boots up tap the F8 key to access the startup menu (where you can make Safe Mode selections). From that menu select the following:
Last Known Good Configuration
After the reboot, run ComboFix and post back its log, please.