Browser Hijacked

Please run GMER again and attach its log to your post (better use file attachment if log is long).
 
GMER log is much shorter this time.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-02 10:47:27
Windows 6.0.6001 Service Pack 1
Running: zz84t86t.exe; Driver: C:\Users\THECOP~1\AppData\Local\Temp\awlyrkow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x82906CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x82906ED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x82906984]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x829070D8]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 43C 81EBCA00 3 Bytes [DE, 6C, 90]
.text ntkrnlpa.exe!KeSetTimerEx + 440 81EBCA04 3 Bytes [D0, 6E, 90] {SHR BYTE [ESI-0x70], 0x1}
.text ntkrnlpa.exe!KeSetTimerEx + 854 81EBCE18 4 Bytes [84, 69, 90, 82]
.text ntkrnlpa.exe!KeSetTimerEx + 918 81EBCEDC 4 Bytes [D8, 70, 90, 82]
.rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x828C402C]
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Spyware Doctor\pctsTray.exe[3324] kernel32.dll!CreateThread + 1A 767446E2 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Spyware Doctor\pctsTray.exe[3324] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044BA30] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[3324] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044BA30] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
 
Hi,

Please run SystemLook now (instructions for that a few posts earlier).
 
Here is that log you wanted.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:48 on 02/12/2009 by The Coppola's (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\hp\DRIVERS\Intel_raid\iastor.sys --a--- 250368 bytes [11:38 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 382488 bytes [10:48 12/09/2008] [22:50 02/06/2008] 3C4CD264B04D79A43A0F124C067BA08E
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a--- 305688 bytes [10:48 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_6a23f079\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_0afadd92\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_27dcf4f5\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ee67416f\iaStor.sys --a--- 250368 bytes [13:01 07/06/2007] [18:46 31/10/2006] DE01BF14FFB150C779FD561BD0E3C5C5
C:\Windows\System32\drivers\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 505903740473BB08BA8593CBCC7DEB5D

-=End Of File=-
 
Here are the results from the iastor.sys scan at virustotal.

a-squared 4.5.0.43 2009.12.02 -
AhnLab-V3 5.0.0.2 2009.12.02 -
AntiVir 7.9.1.92 2009.12.02 -
Antiy-AVL 2.0.3.7 2009.12.02 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.02 -
AVG 8.5.0.426 2009.12.02 -
BitDefender 7.2 2009.12.02 -
CAT-QuickHeal 10.00 2009.12.02 -
ClamAV 0.94.1 2009.12.02 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.02 -
eSafe 7.0.17.0 2009.12.02 -
eTrust-Vet None 2009.12.02 -
F-Prot 4.5.1.85 2009.12.02 -
F-Secure 9.0.15370.0 2009.11.29 -
Fortinet 4.0.14.0 2009.12.02 -
GData 19 2009.12.02 -
Ikarus T3.1.1.74.0 2009.12.02 -
K7AntiVirus 7.10.910 2009.12.02 -
Kaspersky 7.0.0.125 2009.12.02 -
McAfee 5819 2009.12.01 -
McAfee+Artemis 5819 2009.12.01 -
McAfee-GW-Edition 6.8.5 2009.12.02 Heuristic.BehavesLike.Exploit.CodeExec.NLLG
Microsoft 1.5302 2009.12.02 -
NOD32 4655 2009.12.02 -
Norman 6.03.02 2009.12.02 -
nProtect 2009.1.8.0 2009.12.02 -
Panda 10.0.2.2 2009.12.02 -
PCTools 7.0.3.5 2009.12.02 -
Prevx 3.0 2009.12.02 -
Rising 22.24.02.09 2009.12.02 -
Sophos 4.48.0 2009.12.02 -
Sunbelt 3.2.1858.2 2009.12.02 -
Symantec 1.4.4.12 2009.12.02 -
TheHacker 6.5.0.2.083 2009.12.01 -
TrendMicro 9.100.0.1001 2009.12.02 -
VBA32 3.12.12.0 2009.12.02 -
ViRobot 2009.12.2.2068 2009.12.02 -
Additional information
File size: 305688 bytes
MD5...: 505903740473bb08ba8593cbcc7deb5d
SHA1..: 17f92ddd356ada6b3e1d8ebb4dd4fe7c9380907b
SHA256: 9d3b1bfbfba89f0e61bed8d3f29472bc05b11074aa3843adcb5c168d0abc709d
ssdeep: 6144:5sS1uALz2gAgZG0Dw2kyUrSC7NAbnBpaWF:rz28rRUrSdbP

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Autodesk FLIC Image File (extensions: flc, fli, cel) (100.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
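The cross-check the helper is doing by hand above can be automated. The script below is an added example (not part of the thread and not SystemLook's or GMER's code): it parses the "filefind" section of the SystemLook log, groups the copies of iastor.sys that claim to be the same build (same size and same last-write stamp), and flags the copy whose MD5 disagrees with the others. On the log above that is C:\Windows\System32\drivers\iaStor.sys, which shares size and build stamp with the Intel Matrix Storage Manager and DriverStore copies but carries a different hash, matching GMER's "suspicious modification" and the VirusTotal "Unsigned" result; the majority copies are the known-good sources to restore from. The interpretation of the two bracketed stamps as creation time and last-write time is an assumption about SystemLook's column order (a file copy preserves last-write time, which is why all copies of one build share the second stamp); the sample log is the one posted above, embedded so the script runs offline.

```python
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Constructed input: the "filefind" section of the SystemLook log posted in
# this thread, embedded here so the script runs offline.
SYSTEMLOOK_LOG = r"""
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:48 on 02/12/2009 by The Coppola's (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\hp\DRIVERS\Intel_raid\iastor.sys --a--- 250368 bytes [11:38 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 382488 bytes [10:48 12/09/2008] [22:50 02/06/2008] 3C4CD264B04D79A43A0F124C067BA08E
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a--- 305688 bytes [10:48 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_6a23f079\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_0afadd92\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_27dcf4f5\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ee67416f\iaStor.sys --a--- 250368 bytes [13:01 07/06/2007] [18:46 31/10/2006] DE01BF14FFB150C779FD561BD0E3C5C5
C:\Windows\System32\drivers\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 505903740473BB08BA8593CBCC7DEB5D

-=End Of File=-
"""


class FileEntry(NamedTuple):
    path: str
    attrs: str
    size: int
    created: str   # first [..] stamp: when this copy appeared on the disk (assumed)
    modified: str  # second [..] stamp: last-write time, preserved by COPY, so every
                   # copy of one driver build shares it (assumed column order)
    md5: str


# One SystemLook filefind result line:
#   <path> <attrs> <size> bytes [<stamp>] [<stamp>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(log_text):
    """Return the FileEntry records found in a SystemLook log; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]),
                                     m["created"], m["modified"], m["md5"].upper()))
    return entries


def find_hash_outliers(entries):
    """Group copies that claim to be the same build (same size, same last-write stamp).
    A group with more than one MD5 contains a copy whose bytes changed after it was
    built; the minority hash is reported together with the majority ("known-good")
    copies.  A 1:1 split cannot be resolved by majority and needs a vendor reference."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e.size, e.modified)].append(e)

    outliers = []
    for copies in groups.values():
        counts = Counter(e.md5 for e in copies)
        if len(counts) < 2:
            continue
        majority_md5 = counts.most_common(1)[0][0]
        known_good = [c.path for c in copies if c.md5 == majority_md5]
        for e in copies:
            if e.md5 != majority_md5:
                outliers.append((e, majority_md5, known_good))
    return outliers


def report(log_text):
    """Human-readable summary, one SUSPECT line per outlier plus its known-good sources."""
    lines = []
    for entry, good_md5, sources in find_hash_outliers(parse_filefind(log_text)):
        lines.append(f"SUSPECT {entry.path}  md5={entry.md5}  expected={good_md5}")
        for src in sources:
            lines.append(f"    known-good copy: {src}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SYSTEMLOOK_LOG)) or "no hash mismatches")
```

Run against the second SystemLook log later in the thread, which lists the same eight entries with the same hashes, the script flags the same file: that is the quick way to confirm a replacement did not actually happen before moving on to the next step.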
 
Hi,

Open notepad and then copy and paste the lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
Code:
@ECHO OFF
DIR /a c:\windows\lastgood >Log.txt
START Log.txt
DEL %0

Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
 
Hi,

Open notepad and then copy and paste lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
Code:
@ECHO OFF
MKDIR "c:\windows\lastgood\system32\drivers"
COPY /Y "C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys" "C:\Windows\lastgood\System32\Drivers\iastor.sys" >Log.txt 2>&1
START Log.txt
DEL %0
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
 
Hi,

Then restart the computer, and as it boots up tap the F8 key to access the startup menu. From that menu select the following:

Last Known Good Configuration

After the reboot run ComboFix and post back the log.
 
Hey,

Funny, ComboFix only seems to work after midnight! Sorry it took so long, but here is the new ComboFix log. Thanks for the patience.

ComboFix 09-12-04.02 - The Coppola's 12/05/2009 0:11.38.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.433 [GMT -5:00]
Running from: c:\users\The Coppola's\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\WLSetup
c:\programdata\Microsoft\WLSetup\Logs\2009-04-08_20-41_14b4-cxj3timt.log
c:\programdata\Microsoft\WLSetup\wlt5BBA.tmp

.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-05 05:27 . 2009-12-05 05:33 -------- d-----w- c:\users\The Coppola's\AppData\Local\temp
2009-12-05 05:27 . 2009-12-05 05:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-05 05:27 . 2009-12-05 05:27 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2009-12-05 05:27 . 2009-12-05 05:27 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-12-05 05:27 . 2009-12-05 05:27 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-12-05 05:27 . 2009-12-05 05:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-02 05:42 . 2009-12-05 04:57 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-29 13:58 . 2009-11-29 13:58 -------- d-----w- c:\users\The Coppola's\AppData\Local\Apps
2009-11-27 07:15 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-25 08:01 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 21:21 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 21:21 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-20 01:50 . 2009-11-20 01:56 4096 d-----w- c:\program files\ERUNT
2009-11-20 01:14 . 2009-11-20 01:14 -------- d-----w- c:\users\The Coppola's\AppData\Local\PackageAware
2009-11-20 01:07 . 2001-10-04 05:14 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-11-19 14:55 . 2009-11-19 14:55 439816 ----a-w- c:\users\The Coppola's\AppData\Roaming\Real\Update\recsetup\setup.exe
2009-11-19 14:55 . 2009-11-19 14:55 118784 ----a-w- c:\users\The Coppola's\AppData\Roaming\Real\Update\recsetup\install.dll
2009-11-16 21:21 . 2009-11-16 21:21 -------- d-----w- c:\programdata\IObit
2009-11-16 21:21 . 2009-11-16 21:21 -------- d-----w- c:\program files\IObit
2009-11-16 21:03 . 2009-11-16 21:03 -------- d-----w- c:\program files\Trend Micro
2009-11-11 04:19 . 2009-08-14 13:53 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 04:19 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 14:09 . 2009-11-05 14:12 4096 d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 14:09 . 2009-11-05 14:09 -------- d-----w- c:\users\The Coppola's\AppData\Roaming\TweakNow PowerPack 2009

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 19:55 . 2008-11-26 04:33 4096 d-----w- c:\programdata\Google Updater
2009-12-04 14:32 . 2008-11-26 04:33 4096 d-----w- c:\program files\Google
2009-11-27 02:31 . 2007-10-17 21:01 4096 d-----w- c:\programdata\McAfee
2009-11-27 02:27 . 2007-03-09 11:38 8192 d--h--w- c:\program files\InstallShield Installation Information
2009-11-27 02:26 . 2007-03-09 12:04 16384 d-----w- c:\program files\Common Files\Symantec Shared
2009-11-27 02:26 . 2007-03-09 12:04 4096 d-----w- c:\programdata\Symantec
2009-11-27 02:21 . 2007-06-08 00:09 12288 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-27 02:20 . 2007-06-08 00:09 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-27 02:14 . 2007-06-08 00:16 4096 d-----w- c:\programdata\Lavasoft
2009-11-11 08:20 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-11 08:04 . 2009-04-08 21:59 12288 d-----w- c:\programdata\Microsoft Help
2009-11-05 01:11 . 2009-11-05 01:11 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-20 21:46 . 2009-10-09 03:47 7 ----a-w- c:\windows\sbacknt.bin
2009-10-20 18:07 . 2009-10-20 15:31 -------- d-----w- c:\program files\adnqbh
2009-10-16 07:07 . 2007-03-09 11:57 24576 d-----w- c:\program files\Microsoft Works
2009-10-09 03:47 . 2009-10-09 03:47 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-14 09:44 . 2009-10-16 03:05 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:30 . 2009-10-16 03:06 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:21 . 2009-10-28 02:35 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:21 . 2009-10-28 02:35 310784 ----a-w- c:\windows\system32\unregmp2.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-05-07 380928]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-19 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-19 133656]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [9/3/2006 1:32 PM 208896]
S2 gupdate1c9e122120b6107;Google Update Service (gupdate1c9e122120b6107);c:\program files\Google\Update\GoogleUpdate.exe [5/30/2009 7:27 AM 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [5/10/2006 12:13 PM 29696]
S3 FlyUsb;FLY Fusion;c:\windows\System32\drivers\FlyUsb.sys [11/25/2008 12:39 PM 19456]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [4/8/2009 7:50 PM 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder

2009-12-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-26 22:35]

2009-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 12:27]

2009-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 12:27]

2009-12-04 c:\windows\Tasks\User_Feed_Synchronization-{9F21EFA2-5087-4B5C-8230-A912354043C1}.job
- c:\windows\system32\msfeedssync.exe [2009-10-16 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 00:30
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x844D450C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x861a3322
\Driver\ACPI -> acpi.sys @ 0x8069dd4c
\Driver\atapi -> ataport.SYS @ 0x828d79a8
\Driver\iaStor -> iastor.sys @ 0x8283ed94
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3772)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-12-05 00:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-05 05:41

Pre-Run: 95,390,457,856 bytes free
Post-Run: 95,339,704,320 bytes free

- - End Of File - - BAADF4E2C548029ECD550E695D3C1E37
 
Hi,

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    iastor.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Run also new GMER scan and post back its log.
 
Hey,

Here's the systemlook and GMER logs.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-05 19:57:28
Windows 6.0.6001 Service Pack 1
Running: zz84t86t.exe; Driver: C:\Users\THECOP~1\AppData\Local\Temp\awlyrkow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x828C802C]
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!SetWindowsHookExW 76E17B69 5 Bytes JMP 6A4297F5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!CallNextHookEx 76E18C33 5 Bytes JMP 6A41CE79 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxIndirectParamW 76E1BD25 5 Bytes JMP 6A52418F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!CreateWindowExW 76E23D67 5 Bytes JMP 6A42D67C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxParamW 76E31FD5 5 Bytes JMP 6A355435 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!UnhookWindowsHookEx 76E408BE 5 Bytes JMP 6A39466C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxParamA 76E580B2 5 Bytes JMP 6A52412C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxIndirectParamA 76E583DD 5 Bytes JMP 6A5241F2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxIndirectA 76E6D471 5 Bytes JMP 6A5240C1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxIndirectW 76E6D56B 5 Bytes JMP 6A524056 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxExA 76E6D5D1 5 Bytes JMP 6A523FF4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxExW 76E6D5F5 5 Bytes JMP 6A523F92 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] ole32.dll!OleLoadFromStream 77329726 5 Bytes JMP 6A5244F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] ole32.dll!CoCreateInstance 7735E188 5 Bytes JMP 6A42D6D8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!closesocket 76B9330C 5 Bytes JMP 6FE0EEE9 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!recv 76B9343A 5 Bytes JMP 6FE0F1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!socket 76B936D1 5 Bytes JMP 6FE0E59E C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!connect 76B940D9 5 Bytes JMP 6FE0E62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!getaddrinfo 76B9418A 5 Bytes JMP 6FE0E71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!send 76B9659B 5 Bytes JMP 6FE0E9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!DialogBoxIndirectParamW 76E1BD25 5 Bytes JMP 6A52418F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!CreateWindowExW 76E23D67 5 Bytes JMP 6A42D67C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!DialogBoxParamW 76E31FD5 5 Bytes JMP 6A355435 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!DialogBoxParamA 76E580B2 5 Bytes JMP 6A52412C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!DialogBoxIndirectParamA 76E583DD 5 Bytes JMP 6A5241F2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!MessageBoxIndirectA 76E6D471 5 Bytes JMP 6A5240C1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!MessageBoxIndirectW 76E6D56B 5 Bytes JMP 6A524056 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!MessageBoxExA 76E6D5D1 5 Bytes JMP 6A523FF4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!MessageBoxExW 76E6D5F5 5 Bytes JMP 6A523F92 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\00000585 -> \Driver\iaStor \Device\Harddisk0\DR0 844D450C

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----





SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 18:24 on 05/12/2009 by The Coppola's (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\hp\DRIVERS\Intel_raid\iastor.sys --a--- 250368 bytes [11:38 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 382488 bytes [10:48 12/09/2008] [22:50 02/06/2008] 3C4CD264B04D79A43A0F124C067BA08E
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a--- 305688 bytes [10:48 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_6a23f079\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_0afadd92\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_27dcf4f5\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ee67416f\iaStor.sys --a--- 250368 bytes [13:01 07/06/2007] [18:46 31/10/2006] DE01BF14FFB150C779FD561BD0E3C5C5
C:\Windows\System32\drivers\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 505903740473BB08BA8593CBCC7DEB5D

-=End Of File=-
 
Hi,

Open notepad and then copy and paste lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
Code:
@ECHO OFF
COPY /Y "C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys" "c:\IaStor.sys"
DEL %0
Double-click on fixes.bat file to execute it. Verify that c:\IaStor.sys file exists.

---

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Code:
    Files to move:
    c:\IaStor.sys|C:\Windows\System32\drivers\iaStor.sys
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new GMER log in your next reply.
 
Hi, here are the GMER log and the Avenger log.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 12:19:03
Windows 6.0.6001 Service Pack 1
Running: y0fhczjm.exe; Driver: C:\Users\THECOP~1\AppData\Local\Temp\awlyrkow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x82AD202C]

---- Devices - GMER 1.0.15 ----

Device \Driver\00000653 -> \Driver\iaStor \Device\Harddisk0\DR0 844D350C

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\IaStor.sys" not found!
File move operation "c:\IaStor.sys|C:\Windows\System32\drivers\iaStor.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
 
Hi,

Click start->all programs->accessories, right click command prompt and select run as administrator. In the opened command prompt, type this (press enter after):
Code:
copy /y "C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys" "c:\IaStor.sys"

You should get a "1 file(s) copied." message. After that, run Avenger again as instructed.
 
Run SystemLook with this contents again:
Code:
:filefind
iastor.sys
 