Tech Support Forum

Post #1 · Discussion Starter · Registered · 6 Posts
Yesterday AVG detected a virus, generic15.bpbt. I immediately got rid of it, and scanned again, and AVG came up clear. But my browser is still getting hijacked and sent to random sites. Everything I've checked has come up clean, AVG, Malwarebytes, Ad-Aware, cwshredder, etc. So I have no idea what to do now, or which things to get rid of in Hijackthis. :sigh: Oh, I'm running XP and I don't have access to a Windows CD, this is on a Toughbook laptop with no cd drive.

-------------------------------------------------

DDS (Ver_09-11-24.02) - NTFSx86
Run by Katrina at 20:07:40.14 on Wed 11/25/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1275 [GMT -10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\EtmService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe
C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Panasonic\DispRot\IDRot.exe
C:\Program Files\Panasonic\HPLSMAN\hplskey.exe
C:\Program Files\Panasonic\WSwitch\WSwitch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\FIDTPU\WIN2K\FTMSFLTU.EXE
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\Writing\Writing.exe
C:\Program Files\Panasonic\MEISKB\meiskb.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Katrina\Desktop\dds.scr

============== Pseudo HJT Report ===============

mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IDRot] c:\program files\panasonic\disprot\IDRot.exe
mRun: [HPlsKey] c:\program files\panasonic\hplsman\hplskey.exe
mRun: [PRunOnce] c:\util\prunonce\PRunOnce.exe
mRun: [WSwitch] c:\program files\panasonic\wswitch\WSwitch.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Panasonic Hotkey Manager] c:\program files\panasonic\hotkey appendix\HKEYAPP.EXE
mRun: [PCinfo] c:\program files\panasonic\pcinfo\PcInfoUt.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [FTMSFLT(USB)] c:\program files\fidtpu\win2k\FTMSFLTU.EXE
mRun: [IntelWireless] c:\program files\intel\wireless\bin\iFrmewrk.exe /tf Intel PROSet/Wireless
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\katrina\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\katrina\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\panaso~1.lnk - c:\program files\panasonic\writing\Writing.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\softwa~1.lnk - c:\program files\panasonic\meiskb\meiskb.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\katrina\applic~1\mozilla\firefox\profiles\so7iuuhv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-25 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-25 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-25 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-25 285392]
R2 ETMService;Intel(R) Extended Thermal Model Service Application;c:\windows\system32\etmservice.exe [2007-9-26 217088]
R2 PcInfoPi;Panasonic PC Information Viewer Service 2;c:\program files\panasonic\pcinfo\PCInfoPi.exe [2007-9-26 54664]
R2 PcInfoSV;Panasonic PC Information Viewer;c:\program files\panasonic\pcinfo\PCInfoSV.exe [2007-9-26 185736]
R2 SDKEY;Panasonic SD Misc. Function Driver;c:\program files\panasonic\sdkey\SDKEY.sys [2007-9-26 13704]
R3 Etm;Etm;c:\windows\system32\drivers\EtmDrvMgr.sys [2007-9-26 40448]
R3 EtmCpu;EtmCpu;c:\windows\system32\drivers\EtmDevCpu.sys [2007-9-26 19712]
R3 EtmGmchMem;EtmGmchMem;c:\windows\system32\drivers\EtmDevGmch.sys [2007-9-26 36480]
R3 EtmTempSense;EtmTempSense;c:\windows\system32\drivers\EtmTempSense.sys [2007-9-26 12288]
R3 FIDMOU;Fujitsu touchpad;c:\windows\system32\drivers\Fidmou.sys [2007-9-25 23463]
R3 FIDTPU;Fujitsu Touch Panel (USB);c:\windows\system32\drivers\FIDTPU.sys [2007-9-25 27030]
R3 HOTKEY;Panasonic Hotkey Driver;c:\windows\system32\drivers\hotkey.sys [2007-9-25 19840]
R3 HTKPLUS;Panasonic Hotkey PLUS Driver;c:\windows\system32\drivers\HTKPLUS.SYS [2007-9-25 7936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-9-25 36352]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [2007-9-25 42624]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [2007-11-10 31375]

=============== Created Last 30 ================

2009-11-26 05:59:38 0 d--h--w- C:\$AVG
2009-11-26 05:59:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-26 05:59:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-26 05:59:20 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-26 05:59:14 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-26 05:58:59 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-26 03:29:35 0 d-----w- c:\windows\system32\appmgmt
2009-11-25 14:35:30 0 d-sha-r- C:\cmdcons
2009-11-25 14:33:10 98816 ----a-w- c:\windows\sed.exe
2009-11-25 14:33:10 77312 ----a-w- c:\windows\MBR.exe
2009-11-25 14:33:10 260608 ----a-w- c:\windows\PEV.exe
2009-11-25 14:33:10 161792 ----a-w- c:\windows\SWREG.exe
2009-11-25 14:24:23 0 d-----w- c:\docume~1\katrina\applic~1\Malwarebytes
2009-11-25 14:24:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 14:24:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 14:24:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-25 14:24:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 14:20:05 0 d-s---w- c:\documents and settings\katrina\UserData
2009-11-25 13:53:07 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-25 13:37:42 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-25 13:37:18 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-25 13:36:56 0 d-----w- c:\program files\Lavasoft
2009-11-25 13:12:00 0 d-----w- c:\program files\Trend Micro
2009-11-14 08:18:51 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-11-14 08:18:44 0 d-----w- c:\program files\Windows Media Connect 2
2009-11-14 08:17:01 0 d-----w- c:\windows\system32\LogFiles
2009-11-03 14:37:14 0 d-----w- c:\program files\Ogg Codecs
2009-11-02 02:57:58 0 d-----w- c:\docume~1\katrina\applic~1\Mobipocket Reader
2009-11-02 02:50:24 0 d-----w- c:\program files\Mobipocket Creator
2009-11-02 02:50:24 0 d-----w- c:\program files\common files\Mobipocket Shared

==================== Find3M ====================

2009-10-21 10:46:39 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

============= FINISH: 20:08:45.65 ===============
Reply · Premium Member · 29,790 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
 

Reply · Registered · 6 Posts
Thanks, here's the combofix log.

ComboFix 09-11-28.03 - Katrina 11/28/2009 21:08.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1319 [GMT -10:00]
Running from: c:\documents and settings\Katrina\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-26 18:59 . 2009-11-26 05:59 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-26 18:59 . 2009-11-26 05:59 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-26 18:58 . 2009-11-26 05:59 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-26 18:58 . 2009-11-26 05:59 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-26 08:02 . 2009-11-26 08:02 152576 ----a-w- c:\documents and settings\Katrina\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-26 05:59 . 2009-11-26 05:59 -------- d-----w- C:\$AVG
2009-11-26 05:59 . 2009-11-26 05:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-26 05:59 . 2009-11-26 05:59 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-26 05:59 . 2009-11-26 05:59 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-26 05:59 . 2009-11-26 05:59 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-26 05:59 . 2009-11-29 04:02 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-26 05:58 . 2009-11-26 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-26 01:57 . 2009-11-26 08:02 79488 ----a-w- c:\documents and settings\Katrina\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-25 14:24 . 2009-11-25 14:24 -------- d-----w- c:\documents and settings\Katrina\Application Data\Malwarebytes
2009-11-25 14:24 . 2009-09-11 00:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 14:24 . 2009-11-25 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-25 14:24 . 2009-09-11 00:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 14:24 . 2009-11-25 14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 14:20 . 2009-11-25 14:20 -------- d-s---w- c:\documents and settings\Katrina\UserData
2009-11-25 13:53 . 2009-11-25 13:52 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-25 13:51 . 2009-11-25 13:51 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-25 13:51 . 2009-11-25 13:51 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-25 13:51 . 2009-11-25 13:51 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-25 13:50 . 2009-11-25 13:51 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-25 13:50 . 2009-11-25 13:50 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-25 13:50 . 2009-11-25 13:50 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-25 13:50 . 2009-11-25 13:50 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-25 13:50 . 2009-11-25 13:50 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-25 13:49 . 2009-11-25 13:50 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-25 13:49 . 2009-11-25 13:49 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-25 13:37 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-25 13:37 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-25 13:37 . 2009-11-25 13:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-25 13:36 . 2009-11-25 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-25 13:36 . 2009-11-25 13:36 -------- d-----w- c:\program files\Lavasoft
2009-11-25 13:12 . 2009-11-25 13:12 -------- d-----w- c:\program files\Trend Micro
2009-11-23 02:37 . 2004-08-04 21:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-11-14 08:18 . 2004-08-04 21:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-11-14 08:18 . 2009-11-14 08:18 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-14 08:17 . 2009-11-14 08:17 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-11-14 08:17 . 2009-11-14 08:17 -------- d-----w- c:\windows\system32\LogFiles
2009-11-05 07:19 . 2004-08-05 04:00 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2009-11-05 07:19 . 2004-08-05 04:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2009-11-05 07:19 . 2004-08-05 04:00 19456 -c--a-w- c:\windows\system32\dllcache\agt0401.dll
2009-11-05 07:19 . 2004-08-05 04:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2009-11-05 07:19 . 2004-08-05 04:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2009-11-05 07:19 . 2004-08-05 04:00 5632 -c--a-w- c:\windows\system32\dllcache\kbdusa.dll
2009-11-05 07:19 . 2004-08-05 04:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2009-11-05 07:19 . 2004-08-05 04:00 19456 -c--a-w- c:\windows\system32\dllcache\agt040d.dll
2009-11-05 07:19 . 2004-08-05 04:00 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll
2009-11-05 07:19 . 2004-08-05 04:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2009-11-04 15:17 . 2009-11-29 04:27 0 ----a-w- c:\documents and settings\Katrina\Local Settings\Application Data\prvlcl.dat
2009-11-03 14:37 . 2009-11-03 14:37 -------- d-----w- c:\program files\Ogg Codecs
2009-11-02 02:57 . 2009-11-02 02:57 -------- d-----w- c:\documents and settings\Katrina\Application Data\Mobipocket Reader
2009-11-02 02:50 . 2009-11-02 02:50 10134 ----a-r- c:\documents and settings\Katrina\Application Data\Microsoft\Installer\{AFE499B5-FCC4-45E6-A1A5-3C51AE0E539B}\_84000D6CB79D945CDB36F8.exe
2009-11-02 02:50 . 2009-11-02 02:50 10134 ----a-r- c:\documents and settings\Katrina\Application Data\Microsoft\Installer\{AFE499B5-FCC4-45E6-A1A5-3C51AE0E539B}\_42B7FFA7C5763E138691B2.exe
2009-11-02 02:50 . 2009-11-02 02:50 -------- d-----w- c:\program files\Mobipocket Creator
2009-11-02 02:50 . 2009-11-02 02:50 -------- d-----w- c:\program files\Common Files\Mobipocket Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 03:06 . 2007-09-25 17:48 277784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-26 08:03 . 2009-06-10 06:44 -------- d-----w- c:\program files\Java
2009-11-26 07:45 . 2009-10-18 11:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-11-26 06:06 . 2009-04-12 09:39 -------- d-----w- c:\program files\MagicISO
2009-11-26 05:15 . 2009-08-03 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-26 04:52 . 2009-08-05 06:45 -------- d-----w- c:\program files\Audacity
2009-11-26 04:48 . 2009-09-04 02:57 -------- d-----w- c:\program files\SlySoft
2009-11-18 02:17 . 2009-04-12 08:11 -------- d-----w- c:\documents and settings\Katrina\Application Data\U3
2009-11-05 07:22 . 2009-04-12 09:06 83392 ----a-w- c:\documents and settings\Katrina\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-31 02:17 . 2009-04-09 01:53 -------- d-----w- c:\program files\AVG
2009-10-23 02:10 . 2009-09-29 11:17 -------- d-----w- c:\documents and settings\Katrina\Application Data\Skype
2009-10-23 02:09 . 2009-09-29 11:17 -------- d-----w- c:\documents and settings\Katrina\Application Data\skypePM
2009-10-21 10:49 . 2009-10-21 10:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-10-21 10:46 . 2009-10-21 10:46 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-21 10:46 . 2009-10-21 10:41 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-10-21 10:42 . 2009-10-21 10:42 10134 ----a-r- c:\documents and settings\Katrina\Application Data\Microsoft\Installer\{35725FBC-A136-4A46-9F29-091759D9BB93}\ARPPRODUCTICON.exe
2009-10-21 10:41 . 2009-10-21 10:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-10-21 10:41 . 2009-10-21 10:41 -------- d-----w- c:\program files\Logitech
2009-10-20 12:53 . 2009-10-20 12:53 45056 ----a-r- c:\documents and settings\Katrina\Application Data\Microsoft\Installer\{9CDEC547-A505-47CA-991C-DB65F3C0CB87}\NewShortcut1_9CDEC547A50547CA991CDB65F3C0CB87_4.exe
2009-10-20 12:53 . 2009-10-20 12:53 45056 ----a-r- c:\documents and settings\Katrina\Application Data\Microsoft\Installer\{9CDEC547-A505-47CA-991C-DB65F3C0CB87}\cit200.exe1_9CDEC547A50547CA991CDB65F3C0CB87.exe
2009-10-20 12:53 . 2009-10-20 12:53 45056 ----a-r- c:\documents and settings\Katrina\Application Data\Microsoft\Installer\{9CDEC547-A505-47CA-991C-DB65F3C0CB87}\cit200.exe_9CDEC547A50547CA991CDB65F3C0CB87_1.exe
2009-10-20 12:53 . 2009-10-20 12:53 45056 ----a-r- c:\documents and settings\Katrina\Application Data\Microsoft\Installer\{9CDEC547-A505-47CA-991C-DB65F3C0CB87}\ARPPRODUCTICON.exe
2009-10-20 12:53 . 2009-10-20 12:53 -------- d-----w- c:\program files\Linksys
2009-10-11 14:17 . 2009-06-10 06:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-29 11:18 . 2009-09-29 11:18 56 ---ha-w- c:\windows\system32\ezsidmv.dat
.

((((((((((((((((((((((((((((( [email protected]_14.54.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-26 08:04 . 2009-11-26 08:04 16384 c:\windows\Temp\Perflib_Perfdata_c18.dat
- 2007-09-26 17:31 . 2009-11-25 13:53 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-09-26 17:31 . 2009-11-26 07:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-09-26 17:31 . 2009-11-26 07:55 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-09-26 17:31 . 2009-11-25 13:53 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-09-26 17:31 . 2009-11-26 07:55 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-09-26 17:31 . 2009-11-25 13:53 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-26 08:04 . 2009-10-11 14:17 149280 c:\windows\system32\javaws.exe
+ 2009-11-26 08:04 . 2009-10-11 14:17 145184 c:\windows\system32\javaw.exe
+ 2009-11-26 08:04 . 2009-10-11 14:17 145184 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-12 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-12 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-12 138008]
"IDRot"="c:\program files\Panasonic\DispRot\IDRot.exe" [2007-10-14 222600]
"HPlsKey"="c:\program files\Panasonic\HPLSMAN\hplskey.exe" [2005-06-01 61440]
"PRunOnce"="c:\util\prunonce\PRunOnce.exe" [2004-08-06 110592]
"WSwitch"="c:\program files\Panasonic\WSwitch\WSwitch.exe" [2007-10-11 734600]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]
"Panasonic Hotkey Manager"="c:\program files\Panasonic\Hotkey Appendix\HKEYAPP.EXE" [2007-08-23 976264]
"PCinfo"="c:\program files\Panasonic\pcinfo\PcInfoUt.exe" [2007-08-09 91528]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"FTMSFLT(USB)"="c:\program files\FIDTPU\WIN2K\FTMSFLTU.EXE" [2005-06-23 82063]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\iFrmewrk.exe" [2007-07-25 974848]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-26 563984]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-26 2020120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Katrina\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-4-11 3450608]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2006-12-5 421888]
Panasonic Hand Writing.lnk - c:\program files\Panasonic\Writing\Writing.exe [2007-9-26 365960]
Software Keyboard.lnk - c:\program files\Panasonic\MEISKB\meiskb.exe [2007-9-26 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-26 05:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Katrina^Start Menu^Programs^Startup^CIT200.lnk]
path=c:\documents and settings\Katrina\Start Menu\Programs\Startup\CIT200.lnk
backup=c:\windows\pss\CIT200.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Katrina^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Katrina\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/25/2009 3:37 AM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/25/2009 7:59 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/25/2009 7:59 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/25/2009 7:59 PM 285392]
R2 ETMService;Intel(R) Extended Thermal Model Service Application;c:\windows\system32\etmservice.exe [9/26/2007 7:35 AM 217088]
R2 PcInfoPi;Panasonic PC Information Viewer Service 2;c:\program files\Panasonic\pcinfo\PCInfoPi.exe [9/26/2007 9:06 AM 54664]
R2 PcInfoSV;Panasonic PC Information Viewer;c:\program files\Panasonic\pcinfo\PCInfoSV.exe [9/26/2007 9:06 AM 185736]
R2 SDKEY;Panasonic SD Misc. Function Driver;c:\program files\Panasonic\SDKEY\SDKEY.sys [9/26/2007 8:45 AM 13704]
R3 Etm;Etm;c:\windows\system32\drivers\EtmDrvMgr.sys [9/26/2007 7:35 AM 40448]
R3 EtmCpu;EtmCpu;c:\windows\system32\drivers\EtmDevCpu.sys [9/26/2007 7:35 AM 19712]
R3 EtmGmchMem;EtmGmchMem;c:\windows\system32\drivers\EtmDevGmch.sys [9/26/2007 7:35 AM 36480]
R3 EtmTempSense;EtmTempSense;c:\windows\system32\drivers\EtmTempSense.sys [9/26/2007 7:35 AM 12288]
R3 FIDMOU;Fujitsu touchpad;c:\windows\system32\drivers\Fidmou.sys [9/25/2007 7:35 AM 23463]
R3 FIDTPU;Fujitsu Touch Panel (USB);c:\windows\system32\drivers\FIDTPU.sys [9/25/2007 7:37 AM 27030]
R3 HTKPLUS;Panasonic Hotkey PLUS Driver;c:\windows\system32\drivers\HTKPLUS.SYS [9/25/2007 7:35 AM 7936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [9/25/2007 7:36 AM 36352]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [9/25/2007 7:36 AM 42624]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 1:17 AM 1184912]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [11/10/2007 6:25 PM 31375]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:50]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Katrina\Application Data\Mozilla\Firefox\Profiles\so7iuuhv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 21:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
FTMSFLT(USB) = c:\program files\FIDTPU\WIN2K\FTMSFLTU.EXE?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D61369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9ef37b4
\Driver\iaStor -> iaStor.sys @ 0xb9e38c1a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582490
ParseProcedure -> ntkrnlpa.exe @ 0x805815d0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582490
ParseProcedure -> ntkrnlpa.exe @ 0x805815d0
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1212)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(7996)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-28 21:23
ComboFix-quarantined-files.txt 2009-11-29 07:23
ComboFix2.txt 2009-11-29 07:03
ComboFix3.txt 2009-11-26 05:34
ComboFix4.txt 2009-11-26 04:29
ComboFix5.txt 2009-11-29 07:07

Pre-Run: 52,034,498,560 bytes free
Post-Run: 52,024,446,976 bytes free

- - End Of File - - ACF9C87E1DBE84DA57D694AF55DE084D
 


Premium Member · 29,790 Posts
Hello beepboop. No need to attach logs going forward. Just copy/paste them directly into the Reply to Thread window. Thanks.

I failed to notice you previously ran ComboFix, no less than 5 times. Who instructed you to run ComboFix? Are you being helped elsewhere?

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem peV is the PE utility left on the system by ComboFix; this lists every
rem copy of iaStor.sys on the system drive together with its MD5 hash
peV -c##5#b#f# %systemdrive%\iaStor.sys > log.txt
notepad log.txt
exit
Save this as peek.bat, choosing Save as type: All Files, then close the Notepad file.
Double-click on peek.bat and allow it to run.

A Notepad file will open. Copy/paste that information into your next reply, please.

------------------------------------------------------
 

Registered · 6 Posts · Discussion Starter · #5
No one else is helping me; it was on a website with a list of things to do if your browser was hijacked, which I found before I found this forum. I ran it a couple of times before because I thought I had turned off my anti-virus, but some stuff was still running, so I turned everything off and ran it again. Then this time I did kind of the same thing: I had shut off AVG but forgot about Ad-Aware, so I ran it again before posting the log here. Hope I didn't mess anything up.

-------------------------

FD7F9D74C2B35DBDA400804A3F5ED5D8 C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys
2EE127D5407DA3957EE54711C9AED6EC C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
FD7F9D74C2B35DBDA400804A3F5ED5D8 C:\WINDOWS\OemDir\iaStor.sys
FD7F9D74C2B35DBDA400804A3F5ED5D8 C:\WINDOWS\system32\drivers\iaStor.sys
FD7F9D74C2B35DBDA400804A3F5ED5D8 C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\iaStor.sys
 

Premium Member · 29,790 Posts
Hello again, beepboop.

Open Notepad and copy/paste the entire contents of the quotebox below into Notepad:

@echo off
rem stage the OEM backup of the driver at the root of C:
copy /y C:\WINDOWS\OemDir\iaStor.sys c:\
rem keep a copy of the currently installed driver for later analysis
copy /y c:\windows\system32\drivers\iastor.sys c:\iastor.sys.vir
rem the batch file deletes itself
del %0
Save this Notepad file as replace.bat, choosing Save as type: All Files, then close the Notepad file.
Double-click on replace.bat to run it. A DOS window will open and close again, this is normal.

------------------------------------------------------

Double-click on peek.bat and allow it to run.

A Notepad file will open. Copy/paste that information into your next reply, please.

------------------------------------------------------
 

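The two batch files in the helper's posts above do two things: list every copy of iaStor.sys on the system drive with its MD5, and stage the OEM backup from C:\WINDOWS\OemDir for a replacement. The following is an added example, not the forum helper's code and not part of peV, ComboFix or any other tool the thread names: it walks a directory tree for every copy of a named driver, hashes each one and flags the copies whose bytes differ from a chosen reference copy. The directory layout, the sample driver bytes and the temporary root it scans are constructed stand-ins for the real machine.

```python
"""Locate every copy of a driver file under a directory tree, hash each one
and flag the copies whose bytes differ from a chosen reference copy.

Added example for the thread above; not code from the forum helper and not
part of peV, ComboFix or any tool the thread names. Paths, sample bytes and
the directory layout are constructed stand-ins for the real machine."""
import hashlib
import os
import tempfile


def _key(path):
    """Normalise a path so os.walk results and a caller-supplied path compare equal."""
    return os.path.normcase(os.path.abspath(path))


def md5_of(path):
    """Hex MD5 of a file, upper-cased to match the peV listing format in the thread."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def find_copies(root, name):
    """Return {path: md5} for every file named `name` under `root`.
    The name match is case-insensitive, as on NTFS (the thread's listing
    shows iaStor.sys and IaStor.sys side by side)."""
    wanted = name.lower()
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == wanted:
                p = _key(os.path.join(dirpath, fn))
                found[p] = md5_of(p)
    return found


def classify(copies, reference):
    """Compare each copy with the reference copy's hash.
    Returns {path: 'reference' | 'same' | 'DIFFERS'}."""
    ref = _key(reference)
    if ref not in copies:
        raise ValueError("reference copy not found under the scanned root: %s" % reference)
    ref_hash = copies[ref]
    return {p: ("reference" if p == ref else "same" if h == ref_hash else "DIFFERS")
            for p, h in copies.items()}


def build_sample_tree():
    """Constructed stand-in for the thread's layout: an OEM backup, the live
    driver under system32\\drivers, a ReinstallBackups copy and a 64-bit build.
    The live copy is deliberately modified (a trailing blob) to play the part
    of a driver patched in place. Returns (root, path_of_reference_copy)."""
    root = tempfile.mkdtemp(prefix="drvhash_")
    good = b"MZ" + b"\x00" * 510 + b"clean iaStor.sys body (constructed)"
    patched = good + b"\x90" * 64 + b"appended loader stub (constructed)"
    other_build = b"MZ" + b"\x00" * 510 + b"64-bit build (constructed)"
    layout = {
        ("WINDOWS", "OemDir", "iaStor.sys"): good,
        ("WINDOWS", "system32", "drivers", "iaStor.sys"): patched,
        ("WINDOWS", "system32", "ReinstallBackups", "0004", "DriverFiles", "iaStor.sys"): good,
        ("Program Files", "Intel", "Driver64", "IaStor.sys"): other_build,
    }
    for parts, data in layout.items():
        full = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root, os.path.join(root, "WINDOWS", "OemDir", "iaStor.sys")


def audit(root, name, reference):
    """One-shot helper: hash every copy of `name` under `root` and classify it."""
    copies = find_copies(root, name)
    return copies, classify(copies, reference)


if __name__ == "__main__":
    root, ref = build_sample_tree()
    copies, verdicts = audit(root, "iastor.sys", ref)
    for p in sorted(copies):
        print(copies[p], verdicts[p].ljust(9), p)
```

Run as-is, it builds the sample tree and prints one line per copy in the same hash-then-path shape as the peV listing. On a real machine, point find_copies at the system drive and pass the OEM backup as the reference. Two caveats matter: a copy that differs is not automatically bad (the Driver64 build in the thread legitimately carries a different hash, so check what that file is supposed to be before acting), and identical hashes seen from inside the running OS are not proof of a clean driver, because a rootkit that filters disk reads can hand the original bytes to every reader. That second point is why the thread goes on to attempt the replacement from the Recovery Console, then with a boot-time move, then with TDSSKiller.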
Registered · 6 Posts · Discussion Starter · #7
I saved the replace.bat to the desktop; was it supposed to disappear after I clicked it?

FD7F9D74C2B35DBDA400804A3F5ED5D8 C:\iaStor.sys
FD7F9D74C2B35DBDA400804A3F5ED5D8 C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys
2EE127D5407DA3957EE54711C9AED6EC C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
FD7F9D74C2B35DBDA400804A3F5ED5D8 C:\WINDOWS\OemDir\iaStor.sys
FD7F9D74C2B35DBDA400804A3F5ED5D8 C:\WINDOWS\system32\drivers\iaStor.sys
FD7F9D74C2B35DBDA400804A3F5ED5D8 C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\iaStor.sys
 

Premium Member · 29,790 Posts
Hello again, beepboop. Yes, replace.bat was supposed to disappear.

Print out these instructions to use while in the Recovery Console:

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter'(note the spaces):

cd \

copy c:\iastor.sys c:\windows\system32\drivers\

6. Type y to the prompt and press 'Enter'.

7. Type exit and press 'Enter'. Your computer should reboot.

Let me know if the redirects have stopped.

------------------------------------------------------
 

Registered · 6 Posts · Discussion Starter · #9
I tried to restart in Recovery Mode a few times. Every time I got a blue screen saying "a problem has been detected and Windows has shut down to prevent damage" and then it says to run CHKDSK /F. Shutting down the computer and starting Windows normally still works OK.

I'm also still getting browser redirects.
 

Premium Member · 29,790 Posts
Hello again, beepboop.

Download The Avenger2 by Swandog46 from here
  • Unzip/extract it to a folder on your desktop.
  • Double-click on avenger.exe to run The Avenger
  • Click OK
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy/paste the following text in the codebox below into the 'Input script here:' box.

    Code:
    files to move:
    c:\iastor.sys|c:\windows\system32\drivers\iastor.sys
  • Click Execute
  • Click Yes
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?"
  • Click Yes
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
------------------------------------------------------

No matter how many times Avenger rebooted your computer, please reboot your machine once more. This is important.

------------------------------------------------------
 

Registered · 6 Posts · Discussion Starter · #11
Ok, I ran the Avenger and restarted again after everything was done.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "c:\iastor.sys"
File move operation "c:\iastor.sys|c:\windows\system32\drivers\iastor.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.
 

Premium Member · 29,790 Posts
Hello again, beepboop. Let's try another approach.

Download this file and extract TDSSKiller_2.0.0 RC3.exe to your Desktop.

Right-click TDSSKiller_2.0.0 RC3.exe and rename it to TDSSKiller.exe

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the quotebox below into Notepad:

@ECHO OFF
rem run TDSSKiller, write a detailed (-v) log to Logit.txt and wait for it to finish
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
rem the batch file deletes itself
del %0
Save this as peek.bat, choosing Save as type: All Files, then close the Notepad file.
Place peek.bat next to TDSSKiller.exe

Double-click on peek.bat and allow it to run. A Notepad file will open. Please attach that information to your next reply. Please delete the file afterwards.

------------------------------------------------------
 

Premium Member · 29,790 Posts
Still with us, beepboop? Any trouble with those last instructions?
 

Premium Member · 29,790 Posts
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
 