Not Sure what I got but don't like it!!!

OK, everything worked great up until the C:windows prompt. I typed everything in exactly like it looks several different times and it kept telling me the specified file could not be found. So I am lost again.....

I am so sorry I am so much trouble.
 
Hi,

Please write these commands in recovery console's command prompt:
c:
cd\windows\system32\drivers
dir iaStor.sys


Does it list any files?
 
Hi,

Please run ComboFix and let it update itself. Post back the resultant log.
 
ComboFix 09-11-30.02 - Brian2 11/30/2009 23:37.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.694 [GMT -5:00]
Running from: c:\documents and settings\Brian2\Desktop\ComboFix.exe
AV: Defender Pro Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2009-11-27 00:37 . 2009-11-27 00:37 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-11-27 00:37 . 2009-11-27 00:37 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
2009-11-27 00:37 . 2009-11-27 00:37 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-11-26 23:55 . 2008-11-25 01:44 34062 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\Uninst.exe
2009-11-26 23:55 . 2008-11-25 01:44 1011800 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\MoveMediaPlayer_071102000005.exe
2009-11-26 23:55 . 2008-10-26 01:38 976248 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\qsp2ie071102000005.dll
2009-11-26 23:55 . 2009-11-27 00:02 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Move Networks
2009-11-26 23:55 . 2008-10-26 01:38 99704 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-11-26 23:55 . 2008-11-08 06:47 8854 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{81F01618-32F9-44B0-B604-42148DFCFD8A}\UNINST_Uninstall_D_81F0161832F944B0B60442148DFCFD8A.exe
2009-11-26 23:55 . 2008-11-08 06:47 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{81F01618-32F9-44B0-B604-42148DFCFD8A}\ARPPRODUCTICON.exe
2009-11-26 23:55 . 2009-02-28 16:04 8854 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{6C907FAE-C472-48AA-B58E-C428360E8FCD}\UNINST_Uninstall_A_6C907FAEC47248AAB58EC428360E8FCD.exe
2009-11-26 23:55 . 2009-02-28 16:04 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{6C907FAE-C472-48AA-B58E-C428360E8FCD}\ARPPRODUCTICON.exe
2009-11-26 23:55 . 2009-11-26 23:55 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Malwarebytes
2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Corel
2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\ArcSoft
2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Apple Computer
2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\AdobeUM
2009-11-26 23:53 . 2009-11-26 23:53 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
2009-11-26 14:42 . 2004-06-29 17:17 477952 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\dllcache\cbidf2k.sys
2009-11-24 16:41 . 2009-11-24 16:41 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 16:40 . 2009-11-24 16:40 79488 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 05:07 . 2008-11-23 23:33 89109024 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-01 04:34 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-01 04:34 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-01 04:34 . 2008-11-23 23:33 2978080 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-01 04:34 . 2008-11-23 23:33 279524 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-01 04:34 . 2008-11-23 23:33 1193348 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-01 04:16 . 2008-11-23 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Defender Pro
2009-11-13 01:30 . 2008-04-26 11:44 -------- d-----w- c:\program files\rFactor
2009-10-16 00:31 . 2007-08-01 05:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-15 07:55 . 2008-11-23 23:34 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-15 07:55 . 2008-11-23 23:34 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-11 09:17 . 2008-11-23 02:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 01:24 . 2008-12-07 23:39 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-19 01:24 . 2009-11-27 00:02 152576 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-19 01:24 . 2009-09-19 01:24 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-11 14:33 . 2004-08-04 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2008-11-23 03:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-11-23 03:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-11-20 14:42 . 2009-04-04 04:00 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-20 14:42 . 2009-04-04 04:00 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-20 14:42 . 2009-04-04 04:00 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-11-20 14:42 . 2009-04-04 04:00 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-11-20 14:42 . 2009-04-04 04:00 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-09-24 00:33 . 2005-09-24 00:33 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-24_19.54.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-01 04:35 . 2009-12-01 04:35 16384 c:\windows\temp\Perflib_Perfdata_5dc.dat
- 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2009-11-26 14:29 . 2009-11-26 14:29 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2009-11-26 14:29 . 2009-11-26 14:29 429568 c:\windows\Installer\387b6.msi
+ 2009-07-21 05:03 . 2009-07-21 05:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2009-07-21 05:05 . 2009-07-21 05:05 1348432 c:\windows\SYSTEM32\msxml4.dll
+ 2004-08-04 11:00 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\msxml3.dll
+ 2006-09-13 05:01 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\DTR2.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\Server.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\rFactor\\rFactor.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3389:TCP"= 3389:TCP:Remote Desktop

S3 danceflt;XboxCtrl_filt_Service;c:\windows\SYSTEM32\DRIVERS\danceflt.sys [5/27/2008 5:06 PM 31183]
S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys [?]
S3 samhid;samhid;c:\windows\SYSTEM32\DRIVERS\Samhid.sys [1/23/2007 2:42 PM 7548]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\SYSTEM32\DRIVERS\w300mgmt.sys [3/22/2007 7:45 PM 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\SYSTEM32\DRIVERS\w300obex.sys [3/22/2007 7:45 PM 85696]
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: { - c:\program files\Messenger\msmsgs.exe
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxp://www.peoplepc.com/ppcos/isp60/download/ppcwebi.cab
FF - ProfilePath - c:\documents and settings\Brian2\Application Data\Mozilla\Firefox\Profiles\cjltoakj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\kodak-companion@mozilla.com\platform\WINNT\components\pickup.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 00:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86789F30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d6fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf74147b4
\Driver\iaStor -> 0x86789f30
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\klogon.dll
.
Completion time: 2009-12-01 00:10
ComboFix-quarantined-files.txt 2009-12-01 05:10
ComboFix2.txt 2009-11-26 14:56
ComboFix3.txt 2009-11-24 20:14

Pre-Run: 105,213,042,688 bytes free
Post-Run: 105,127,309,312 bytes free

- - End Of File - - DD7B7347BBAC8F0567B0126FBED97C5E
 
Hi,

Please try this:

1. Go to the c:\windows\system32\drivers folder

2. Locate the file - iaStor.sys

3. Drag and move the file to Desktop

4. Wait 5 secs and press F5 to see if the operating system regenerated a fresh copy in c:\windows\system32\drivers folder

5a. If a fresh copy is regenerated, reboot the machine

5b. If a fresh copy ISN'T regenerated, move the copy from Desktop back to the c:\windows\system32\drivers folder.


If 5a was carried out, run GMER and attach the report.

If instead 5b was carried out, let me know.
 
Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    iastor.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:52 on 02/12/2009 by Brian2 (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS --a--c 477952 bytes [17:17 29/06/2004] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
C:\I386\iaStor.sys --a--c 477952 bytes [14:07 06/03/2005] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys --a--- 477952 bytes [14:42 26/11/2009] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7

-=End Of File=-
 
Hi again,

Navigate to C:\Windows, create a new folder and call it lastgood. If a lastgood or lastgood.tmp folder already exists, please rename it to oldlastgood.

When you have done this, open the lastgood folder and create a folder called System32, and in that folder create another folder called Drivers

Then navigate to the following bolded file, and place a copy of it in that Drivers folder:

C:\I386\iaStor.sys

So after that you should have:

C:\Windows\lastgood\System32\Drivers\iastor.sys

----------------

Then restart the computer, and as it boots up tap the F8 key to access the startup menu (where you can make Safe Mode selections). From that menu select the following:

Last Known Good Configuration

After the reboot, run ComboFix and post back its log, please.
 
OK, did all that, and on the reboot after I selected Last Known Good Configuration I kept getting the BSOD... So I had to start it normally to get it to come back on.
 
ComboFix 09-12-02.03 - Brian2 12/02/2009 15:13.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.686 [GMT -5:00]
Running from: c:\documents and settings\Brian2\Desktop\ComboFix.exe
AV: Defender Pro Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-12-02 20:14 . 2008-11-25 01:44 34062 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\Uninst.exe
2009-12-02 20:14 . 2008-11-25 01:44 1011800 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\MoveMediaPlayer_071102000005.exe
2009-12-02 20:14 . 2009-12-02 20:16 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Move Networks
2009-12-02 20:14 . 2008-10-26 01:38 99704 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-02 20:14 . 2008-10-26 01:38 976248 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\qsp2ie071102000005.dll
2009-12-02 20:14 . 2009-02-28 16:04 8854 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{6C907FAE-C472-48AA-B58E-C428360E8FCD}\UNINST_Uninstall_A_6C907FAEC47248AAB58EC428360E8FCD.exe
2009-12-02 20:14 . 2009-02-28 16:04 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{6C907FAE-C472-48AA-B58E-C428360E8FCD}\ARPPRODUCTICON.exe
2009-12-02 20:14 . 2008-11-08 06:47 8854 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{81F01618-32F9-44B0-B604-42148DFCFD8A}\UNINST_Uninstall_D_81F0161832F944B0B60442148DFCFD8A.exe
2009-12-02 20:14 . 2008-11-08 06:47 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{81F01618-32F9-44B0-B604-42148DFCFD8A}\ARPPRODUCTICON.exe
2009-12-02 20:14 . 2009-12-02 20:14 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Malwarebytes
2009-12-02 20:12 . 2009-12-02 20:12 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\AdobeUM
2009-11-26 14:42 . 2004-06-29 17:17 477952 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
2009-11-26 14:42 . 2001-08-17 19:52 13952 ----a-w- c:\windows\system32\dllcache\cbidf2k.sys
2009-11-24 16:41 . 2009-11-24 16:41 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 16:40 . 2009-11-24 16:40 79488 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 20:39 . 2008-11-23 23:33 90148384 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-02 20:17 . 2009-12-02 20:17 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Ventrilo
2009-12-02 20:17 . 2009-12-02 20:17 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\U3
2009-12-02 20:17 . 2009-12-02 20:17 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Teleca
2009-12-02 20:17 . 2009-12-02 20:17 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\teamspeak2
2009-12-02 20:16 . 2009-12-02 20:12 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Sonic
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Leadertech
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\InstallShield
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\GTek
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\EPSON
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\DivX
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Defender Pro
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Corel
2009-12-02 20:13 . 2009-12-02 20:13 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\ArcSoft
2009-12-02 20:13 . 2009-12-02 20:12 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Apple Computer
2009-12-02 20:08 . 2008-11-23 23:33 2978080 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-02 20:08 . 2008-11-23 23:33 279524 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-02 20:08 . 2008-11-23 23:33 1201364 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-02 20:08 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-02 20:08 . 2005-02-23 13:40 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-12-01 04:16 . 2008-11-23 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Defender Pro
2009-11-24 16:42 . 2005-02-23 13:37 -------- d-----w- c:\program files\Java
2009-11-24 16:41 . 2009-12-02 20:17 152576 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 16:40 . 2009-12-02 20:17 79488 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-13 01:30 . 2008-04-26 11:44 -------- d-----w- c:\program files\rFactor
2009-10-16 00:31 . 2007-08-01 05:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-15 07:55 . 2008-11-23 23:34 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-15 07:55 . 2008-11-23 23:34 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-11 09:17 . 2008-11-23 02:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 01:24 . 2008-12-07 23:39 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-19 01:24 . 2009-12-02 20:17 152576 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-19 01:24 . 2009-09-19 01:24 152576 ----a-w- c:\documents and settings\Brian2\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-11 14:33 . 2004-08-04 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2008-11-23 03:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-11-23 03:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-11-20 14:42 . 2009-04-04 04:00 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-20 14:42 . 2009-04-04 04:00 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-20 14:42 . 2009-04-04 04:00 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-11-20 14:42 . 2009-04-04 04:00 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-11-20 14:42 . 2009-04-04 04:00 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-09-24 00:33 . 2005-09-24 00:33 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-24_19.54.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-02 20:10 . 2009-12-02 20:10 16384 c:\windows\temp\Perflib_Perfdata_23c.dat
- 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2009-11-26 14:29 . 2009-11-26 14:29 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2009-11-26 14:29 . 2009-11-26 14:29 429568 c:\windows\Installer\387b6.msi
+ 2009-07-21 05:03 . 2009-07-21 05:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2009-07-21 05:05 . 2009-07-21 05:05 1348432 c:\windows\SYSTEM32\msxml4.dll
+ 2004-08-04 11:00 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\msxml3.dll
+ 2006-09-13 05:01 . 2009-07-31 04:57 1172480 c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\DTR2.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Games\\Infogrames\\Dirt Track Racing 2\\Server.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\rFactor\\rFactor.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3389:TCP"= 3389:TCP:Remote Desktop

S3 danceflt;XboxCtrl_filt_Service;c:\windows\SYSTEM32\DRIVERS\danceflt.sys [5/27/2008 5:06 PM 31183]
S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys [?]
S3 samhid;samhid;c:\windows\SYSTEM32\DRIVERS\Samhid.sys [1/23/2007 2:42 PM 7548]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\SYSTEM32\DRIVERS\w300mgmt.sys [3/22/2007 7:45 PM 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\SYSTEM32\DRIVERS\w300obex.sys [3/22/2007 7:45 PM 85696]
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: { - c:\program files\Messenger\msmsgs.exe
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxp://www.peoplepc.com/ppcos/isp60/download/ppcwebi.cab
FF - ProfilePath - c:\documents and settings\Brian2\Application Data\Mozilla\Firefox\Profiles\cjltoakj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\kodak-companion@mozilla.com\platform\WINNT\components\pickup.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 15:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86780F30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d6fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf74147b4
\Driver\iaStor -> 0x86780f30
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\klogon.dll
c:\program files\Defender Pro\Defender Pro Internet Security 6.0\adialhk.dll
.
Completion time: 2009-12-02 15:44
ComboFix-quarantined-files.txt 2009-12-02 20:44
ComboFix2.txt 2009-12-01 05:10
ComboFix3.txt 2009-11-26 14:56
ComboFix4.txt 2009-11-24 20:14

Pre-Run: 106,618,408,960 bytes free
Post-Run: 104,992,325,632 bytes free

- - End Of File - - 843B790857FCAC071B6A041BD114DA3E
 
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
DIR /a c:\windows\lastgood >Log.txt
START Log.txt
DEL %0


Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
 
Hi,

Open notepad and then copy and paste lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
Code:
@ECHO OFF
MKDIR "c:\windows\lastgood\system32\drivers"
COPY /Y "C:\I386\iaStor.sys" "C:\Windows\lastgood\System32\Drivers\iastor.sys" >Log.txt 2>&1
START Log.txt
DEL %0
Double-click on the fixes.bat file to execute it. Notepad should open up. If it says "1 file(s) copied." continue with the next steps. Otherwise stop here and let me know.


Then restart the computer, and as it boots up tap the F8 key to access the startup menu (where you can make Safe Mode selections). From that menu select the following:

Last Known Good Configuration

After the reboot, run ComboFix and post back its log, please.
 
Hi,

Ok. Please do this:
Click Start -> Run, type cmd.exe and press Enter. In the command prompt type this bolded command (and press Enter):
COPY /Y C:\I386\iaStor.sys C:\iaStor.sys

That should give you a message of successful file copy.


  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Code:
    Files to move:
    c:\iaStor.sys|C:\Windows\System32\Drivers\iaStor.sys
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
 
OK, did the first part and it said no file found.

I did another system look to see if it found it there again and this is what it gave me...

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:15 on 03/12/2009 by Brian2 (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS --a--c 477952 bytes [17:17 29/06/2004] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys --a--- 477952 bytes [14:42 26/11/2009] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7

-=End Of File=-
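The two kinds of log posted in this thread each show one side of the picture: SystemLook's filefind lists every on-disk copy of iaStor.sys with its MD5 (all copies here share D7731536E183B4397402CA6F9E1D52F7), while the Gmer MBR detector block inside the ComboFix log reports the in-memory dispatch of \Driver\iaStor pointing at an address it cannot map to any module (the ">>UNKNOWN<<" entry). The following Python script is an added example, not part of the thread and not code from SystemLook, Gmer or ComboFix; it parses both formats from constructed sample lines copied in the shape of the logs above, groups on-disk copies by hash, and flags driver objects whose hook address Gmer left unresolved. The point it makes for a defender is that matching hashes across on-disk copies are not conclusive on their own when the live driver's dispatch is hooked by something outside any known module.

```python
import re
from collections import defaultdict

# Constructed sample input, written in the format of the SystemLook "filefind"
# output posted in the thread: path, attributes, size, two timestamps, MD5.
SYSTEMLOOK_SAMPLE = r"""
Searching for "iastor.sys"
C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS --a--c 477952 bytes [17:17 29/06/2004] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys --a--- 477952 bytes [14:42 26/11/2009] [17:17 29/06/2004] D7731536E183B4397402CA6F9E1D52F7
"""

# Constructed sample input in the format of the Gmer MBR detector's
# "detected MBR rootkit hooks" block from the ComboFix logs in the thread.
GMER_SAMPLE = r"""
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d6fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf74147b4
\Driver\iaStor -> 0x86780f30
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
"""

FILEFIND_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# A hook line either names the module owning the address ("X.sys @ 0x...")
# or gives a bare address, which is how Gmer reports an UNKNOWN module.
HOOK_RE = re.compile(
    r"^(?P<obj>\\Driver\\\S+) -> (?:(?P<module>\S+) @ )?(?P<addr>0x[0-9A-Fa-f]+)$"
)


def parse_filefind(text):
    """Return one dict per file entry in a SystemLook filefind section."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def hash_groups(entries):
    """Group paths by MD5 so divergent copies of the same driver stand out."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def parse_hooks(text):
    """Return the \\Driver\\* hook lines from a Gmer MBR detector block."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def unresolved_drivers(hooks):
    """Driver objects whose dispatch address Gmer could not map to a module."""
    return [h["obj"] for h in hooks if h["module"] is None]


def assess(systemlook_text, gmer_text):
    """Combine the on-disk hash view with the in-memory dispatch view."""
    entries = parse_filefind(systemlook_text)
    groups = hash_groups(entries)
    unresolved = unresolved_drivers(parse_hooks(gmer_text))
    consistent = len(groups) == 1 and len(entries) > 1
    if unresolved:
        verdict = ("dispatch for %s points to an unknown module; "
                   "on-disk hashes are not conclusive" % ", ".join(unresolved))
    elif consistent:
        verdict = "all on-disk copies share one hash and no hooks are unresolved"
    else:
        verdict = "on-disk copies differ; compare each against a known-good copy"
    return {
        "hashes_consistent": consistent,
        "hash_groups": groups,
        "unresolved_drivers": unresolved,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in assess(SYSTEMLOOK_SAMPLE, GMER_SAMPLE).items():
        print(key, ":", value)
```

Run it against a real SystemLook.txt and the Gmer section of a ComboFix log by passing their contents to assess(); a driver that appears under unresolved_drivers is the one to treat as suspect even when every copy on disk hashes the same, which is exactly the situation the SystemLook and ComboFix logs above show for iaStor.sys.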
 
Hi,

Ok. I don't know at which point C:\I386\iaStor.sys got lost. It existed earlier.

Anyway, let's change instructions a bit. Please do this:
Click Start -> Run, type cmd.exe and press Enter. In the command prompt type this bolded command (and press Enter):
COPY /Y C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS C:\iaStor.sys

That should give you a message of successful file copy.


  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Code:
    Files to move:
    c:\iaStor.sys|C:\Windows\System32\Drivers\iaStor.sys
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
 