well, avast kept getting an error and reporting alureon-fr. I tried to boot into safe mode and now the machine will not boot up...I get to the screen with a choice of safe mode, etc. but no matter what I choose it just reboots over and over to that screen.

any advice? thanks in advance!!

any advice? thanks in advance!!

Do you have your Windows disk?

If not, are you able to burn an ISO for a bootable disk?

Let me know and we'll see what we can do.

Cheers :)
PP

it's crazy...I made the choice to reboot to a previous version and there's no sign of the worm so far...hope it continues...I'll get back if it does but now I've got to leave out of town and was just trying to get my email back before I left...since that's OK at the moment, I appreciate your attention and I'll keep you posted on this thread in about 3 days...again, MANY thanks.

since that's OK at the moment, I appreciate your attention and I'll keep you posted on this thread in about 3 days...again, MANY thanks.

Happy to help!


Bear in mind that this family of malware is often rootkitted - not a good thing to leave unattended. I would definitely recommend that you run an ARK tool along with your AV and an anti-malware app such as MBAM and see what they turn up.....

Cheers :)
PP

Which os is this you don't say.
if you have a windows disk boot from it and go into recovery console or repair and type; fixboot then enter
if xp then type; fixmbr then enter
this will repair your boot files if they are repairable the try and boot up.

I have been working professionally against spyware and virus’. One trick is to turn off the computer. If the computer has a battery or battery backup, remove or unplug the source. Then hold down the power button for approximately 30 seconds. Then try to get into your OS. Some virus and spy-ware will use power to stay stored in the ram even if the computer is turned off.

The next step I try is trying to booting with “Last known good configuration” in safe mode. This also has proven to work.

Now a lot of anti-virus and anti-spy ware programs will let you make a boot disk. This boot disk will boot into an operating system that runs off the CD and off just the RAM. This will alow the anti-virus to scan without any program trying to block it.

Which os is this you don't say.

CP Pro 5.`.2600 ServPak 3.0

HP so O/S is on D: no boot disk

The worm is also back...starts appearing on reboot...taking no action at least allows me to run some diagnostics.

PP - running MalWareBytes no....is that MBAM? Anyway, last time I ran it nothing was found...

Also, what is an ARK tool please?

Many thanks,
meksikatsi

PP - running MalWareBytes no....is that MBAM? Anyway, last time I ran it nothing was found...

Also, what is an ARK tool please?

Anti-Rootkit tool (GMER, for example).

At this point, I would suggest a run of Combofix, if you are able:
-- If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

I'll try to check back in a timely manner - been pretty busy these days and my online time is limited.

Cheers :)
PP

PP, I ran Combofix and it got stuck for a few hours after running the 50 steps and deleting some files...so no log!

I had to cold start the system and choose an earlier configuration to get the machine started again but it has now been stable (no avast messages) for about 12 hours so hopefully the nasty was contained in those deleted files...there were 4.

However, on a google search just now, it was redirected, so I may go through the combofix sequence again since it did not complete normally. Many thanks...

meksikatsi

meksikatsi, if Combofix didn't terminate with a log you need to run it again. If the worm is still on the machine, it will just regenerate itself even though files containing iterations were removed. Good luck!

OK, guys, I ran it again and this time it didn't take very long and Windows did not go away. I assume it just recaptured the results of the last run and the log file seems to bear this out.

So here's the log file - I look forward to an analysis! And thanks again!!

*********************

ComboFix 10-03-25.06 - HP_Administrator 03/26/2010 5:46.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2754 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 100325-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
.
---- Previous Run -------
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
C:\Thumbs.db
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-25 23:30 . 2010-03-25 23:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 23:30 . 2010-03-25 23:30 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-16 19:08 . 2010-03-16 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-10 03:04 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 09:54 . 2008-09-12 16:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
2010-03-26 04:01 . 2008-09-12 17:00 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
2010-03-25 22:43 . 2005-06-17 13:33 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-03-25 22:21 . 2009-02-02 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-10 08:03 . 2009-08-08 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-02 12:16 . 2008-09-13 21:37 -------- d-----w- c:\program files\QuickDESIGN
2010-01-31 14:03 . 2009-02-02 20:10 -------- d-----w- c:\program files\Google
2010-01-07 21:07 . 2010-01-24 12:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-24 12:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-10 04:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 04:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-10 04:00 353792 ------w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-01 180269]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-1 36903]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TOPO! Explorer\\te.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\gnucash\\bin\\gnucash-bin.exe"=
"c:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/12/2008 8:21 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/12/2008 8:21 AM 20560]
R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [3/24/2009 10:13 AM 5365]
S2 gupdate1c98572486c5d2f;Google Update Service (gupdate1c98572486c5d2f);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2009 4:10 PM 133104]
S3 USBBULK;USB Bulk device driver;c:\windows\system32\drivers\USBBulk.sys [12/24/2008 6:39 PM 20992]
.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-02 18:56]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 20:10]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 20:10]

2010-03-26 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\program files\SmartDraw 2009\Messages\SDNotify.exe [2009-02-28 11:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\izkwi3ur.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 05:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B507CA1]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9e5a852
\Driver\iaStor -> iastor.sys @ 0xb9e74f80
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Intel(R) 82562V 10/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d66bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d73a21
SendHandler -> NDIS.sys @ 0xb9d5187b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MysqlInventime]
"ImagePath"="c:\progra~1\MYSOFT~1\SMALLB~1\mysql\bin\mysqld-nt \"--defaults-file=c:\program files\MySoftware\Small Business Pro\mysql\my.ini\" MysqlInventime"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(860)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3500)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-26 06:11:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-26 10:11

Pre-Run: 198,136,209,408 bytes free
Post-Run: 198,096,777,216 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=,1,2,3,4
- - End Of File - - 7C9BEF552B13432F76281C20C536AB6D

I had to cold start the system and choose an earlier configuration to get the machine started again but it has now been stable (no avast messages) for about 12 hours so hopefully the nasty was contained in those deleted files...there were 4.

Hi meksikatsi,

Those deletions look pretty benign to me - It's the MBR rootkit that we need to be concerned with.
-- Honestly, in these cases I recommend wiping the hard drive and reinstalling Windows. It is easiest and most effective.

-- Also, Combofix should be run from the Desktop


Anyhoo, if you want to take a whack at removing this infection, let's try the following:

* Since I anticipate limited availability over the weekend, I'd like to run both of these steps at the same time.

FIRST:
Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php
or
http://majorgeeks.com/GMER_d5198.html --> You'll need to extract it from the ZIP if you DL from MGs.

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
* When GMER opens, it should automatically do a quick scan for rootkits.
When the quick scan finishes, click the Save Button and save the scanlog to your Desktop as GMER One.log.

-- If upon running GMER you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes (GMER GUI). Please Uncheck the following:
- Sections
- IAT/EAT
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then click the save button and name the log GMER Two.log and save it to where you can easily find it and post it for me along with the first log.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.


THEN:
Please download TDSSKiller.zip and Extract TDSSKiller.exe from the ZIP to your Desktop.
-- Click START > RUN and type or Copy&Paste the following command into the Run Box and hit ENTER.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\LogIt.txt -v

Let the tool run. If you get a Hidden service detected message, DO NOT take any action. Just press ENTER and allow the tool to continue.

Once it finishes, please post the C:\LogIt.txt for me along with the two GMER scanlogs.


**
If GMER gives you trouble and does not run, please go ahead with TDSS Killer steps and post that log.

Best Luck :)
PP

I agree with the start over with a reformated hard drive. When I get to the replicating worm stage I usually don't waste my time trying to fight it. Just get all the file that you need off the computer and start from scratch. If it is a production machine that isn't an easy task.

Find the worm in the registry does work but that also seem like a lost cause.

Finding an anti-virust that boots from a disc and runs in the rams is a good idea but not the easiest thing to do. Kaspersky has a good recovery disc.

The best suggestion is my first. Start from scratch.

Find the worm in the registry does work but that also seem like a lost cause.

Not in this case - here we are looking at infected system files. Most likely atapi.sys and/or iastor.sys.
TDSSKiller ought to address that and disinfect them - if we're lucky...

I'll keep my fingers crossed :)

-- But, yeah - if starting from scratch is a viable option, then that is the best course of action.

PP-

Here are the GMER file at last...took most of the day

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-27 10:24:22
Windows 5.1.2600 Service Pack 3
Running: o3r6gc4j.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\afloypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 8B4ADCA1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-27 14:30:19
Windows 5.1.2600 Service Pack 3
Running: o3r6gc4j.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\afloypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x99BCF6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x99BCF574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x99BCFA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x99BCF14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x99BCF64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x99BCF08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x99BCF0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x99BCF76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x99BCF72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x99BCF8AE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 8B4ADCA1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

AND here's the Logit file:

15:36:12:421 1072 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
15:36:12:421 1072 ================================================================================
15:36:12:421 1072 SystemInfo:

15:36:12:421 1072 OS Version: 5.1.2600 ServicePack: 3.0
15:36:12:421 1072 Product type: Workstation
15:36:12:421 1072 ComputerName: MEKSIKATSI
15:36:12:421 1072 UserName: HP_Administrator
15:36:12:421 1072 Windows directory: C:\WINDOWS
15:36:12:421 1072 Processor architecture: Intel x86
15:36:12:421 1072 Number of processors: 2
15:36:12:421 1072 Page size: 0x1000
15:36:12:421 1072 Boot type: Normal boot
15:36:12:421 1072 ================================================================================
15:36:12:421 1072 UnloadDriverW: NtUnloadDriver error 2
15:36:12:421 1072 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:36:12:437 1072 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:36:12:437 1072 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:36:12:437 1072 wfopen_ex: Trying to KLMD file open
15:36:12:437 1072 wfopen_ex: File opened ok (Flags 2)
15:36:12:437 1072 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:36:12:437 1072 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:36:12:437 1072 wfopen_ex: Trying to KLMD file open
15:36:12:437 1072 wfopen_ex: File opened ok (Flags 2)
15:36:12:437 1072 Initialize success
15:36:12:437 1072
15:36:12:437 1072 Scanning Services ...
15:36:12:500 1072 Raw services enum returned 376 services
15:36:12:500 1072
15:36:12:500 1072 Scanning Kernel memory ...
15:36:12:500 1072 Devices to scan: 11
15:36:12:500 1072
15:36:12:515 1072 Driver Name: Disk
15:36:12:515 1072 IRP_MJ_CREATE : BA10EBB0
15:36:12:515 1072 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:36:12:515 1072 IRP_MJ_CLOSE : BA10EBB0
15:36:12:515 1072 IRP_MJ_READ : BA108D1F
15:36:12:515 1072 IRP_MJ_WRITE : BA108D1F
15:36:12:515 1072 IRP_MJ_QUERY_INFORMATION : 804F4562
15:36:12:515 1072 IRP_MJ_SET_INFORMATION : 804F4562
15:36:12:515 1072 IRP_MJ_QUERY_EA : 804F4562
15:36:12:515 1072 IRP_MJ_SET_EA : 804F4562
15:36:12:515 1072 IRP_MJ_FLUSH_BUFFERS : BA1092E2
15:36:12:515 1072 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:36:12:515 1072 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:36:12:515 1072 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:36:12:515 1072 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:36:12:515 1072 IRP_MJ_DEVICE_CONTROL : BA1093BB
15:36:12:515 1072 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
15:36:12:515 1072 IRP_MJ_SHUTDOWN : BA1092E2
15:36:12:515 1072 IRP_MJ_LOCK_CONTROL : 804F4562
15:36:12:515 1072 IRP_MJ_CLEANUP : 804F4562
15:36:12:515 1072 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:36:12:515 1072 IRP_MJ_QUERY_SECURITY : 804F4562
15:36:12:515 1072 IRP_MJ_SET_SECURITY : 804F4562
15:36:12:515 1072 IRP_MJ_POWER : BA10AC82
15:36:12:515 1072 IRP_MJ_SYSTEM_CONTROL : BA10F99E
15:36:12:515 1072 IRP_MJ_DEVICE_CHANGE : 804F4562
15:36:12:515 1072 IRP_MJ_QUERY_QUOTA : 804F4562
15:36:12:515 1072 IRP_MJ_SET_QUOTA : 804F4562
15:36:12:531 1072 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:36:12:531 1072
15:36:12:531 1072 Driver Name: Disk
15:36:12:531 1072 IRP_MJ_CREATE : BA10EBB0
15:36:12:531 1072 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:36:12:531 1072 IRP_MJ_CLOSE : BA10EBB0
15:36:12:531 1072 IRP_MJ_READ : BA108D1F
15:36:12:531 1072 IRP_MJ_WRITE : BA108D1F
15:36:12:531 1072 IRP_MJ_QUERY_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_SET_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_QUERY_EA : 804F4562
15:36:12:531 1072 IRP_MJ_SET_EA : 804F4562
15:36:12:531 1072 IRP_MJ_FLUSH_BUFFERS : BA1092E2
15:36:12:531 1072 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:36:12:531 1072 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:36:12:531 1072 IRP_MJ_DEVICE_CONTROL : BA1093BB
15:36:12:531 1072 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
15:36:12:531 1072 IRP_MJ_SHUTDOWN : BA1092E2
15:36:12:531 1072 IRP_MJ_LOCK_CONTROL : 804F4562
15:36:12:531 1072 IRP_MJ_CLEANUP : 804F4562
15:36:12:531 1072 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:36:12:531 1072 IRP_MJ_QUERY_SECURITY : 804F4562
15:36:12:531 1072 IRP_MJ_SET_SECURITY : 804F4562
15:36:12:531 1072 IRP_MJ_POWER : BA10AC82
15:36:12:531 1072 IRP_MJ_SYSTEM_CONTROL : BA10F99E
15:36:12:531 1072 IRP_MJ_DEVICE_CHANGE : 804F4562
15:36:12:531 1072 IRP_MJ_QUERY_QUOTA : 804F4562
15:36:12:531 1072 IRP_MJ_SET_QUOTA : 804F4562
15:36:12:531 1072 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:36:12:531 1072
15:36:12:531 1072 Driver Name: Disk
15:36:12:531 1072 IRP_MJ_CREATE : BA10EBB0
15:36:12:531 1072 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:36:12:531 1072 IRP_MJ_CLOSE : BA10EBB0
15:36:12:531 1072 IRP_MJ_READ : BA108D1F
15:36:12:531 1072 IRP_MJ_WRITE : BA108D1F
15:36:12:531 1072 IRP_MJ_QUERY_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_SET_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_QUERY_EA : 804F4562
15:36:12:531 1072 IRP_MJ_SET_EA : 804F4562
15:36:12:531 1072 IRP_MJ_FLUSH_BUFFERS : BA1092E2
15:36:12:531 1072 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:36:12:531 1072 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:36:12:531 1072 IRP_MJ_DEVICE_CONTROL : BA1093BB
15:36:12:531 1072 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
15:36:12:531 1072 IRP_MJ_SHUTDOWN : BA1092E2
15:36:12:531 1072 IRP_MJ_LOCK_CONTROL : 804F4562
15:36:12:531 1072 IRP_MJ_CLEANUP : 804F4562
15:36:12:531 1072 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:36:12:531 1072 IRP_MJ_QUERY_SECURITY : 804F4562
15:36:12:531 1072 IRP_MJ_SET_SECURITY : 804F4562
15:36:12:531 1072 IRP_MJ_POWER : BA10AC82
15:36:12:531 1072 IRP_MJ_SYSTEM_CONTROL : BA10F99E
15:36:12:531 1072 IRP_MJ_DEVICE_CHANGE : 804F4562
15:36:12:531 1072 IRP_MJ_QUERY_QUOTA : 804F4562
15:36:12:531 1072 IRP_MJ_SET_QUOTA : 804F4562
15:36:12:531 1072 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:36:12:531 1072
15:36:12:531 1072 Driver Name: Disk
15:36:12:531 1072 IRP_MJ_CREATE : BA10EBB0
15:36:12:531 1072 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:36:12:531 1072 IRP_MJ_CLOSE : BA10EBB0
15:36:12:531 1072 IRP_MJ_READ : BA108D1F
15:36:12:531 1072 IRP_MJ_WRITE : BA108D1F
15:36:12:531 1072 IRP_MJ_QUERY_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_SET_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_QUERY_EA : 804F4562
15:36:12:531 1072 IRP_MJ_SET_EA : 804F4562
15:36:12:531 1072 IRP_MJ_FLUSH_BUFFERS : BA1092E2
15:36:12:531 1072 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:36:12:531 1072 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:36:12:531 1072 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:36:12:546 1072 IRP_MJ_DEVICE_CONTROL : BA1093BB
15:36:12:546 1072 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
15:36:12:546 1072 IRP_MJ_SHUTDOWN : BA1092E2
15:36:12:546 1072 IRP_MJ_LOCK_CONTROL : 804F4562
15:36:12:546 1072 IRP_MJ_CLEANUP : 804F4562
15:36:12:546 1072 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:36:12:546 1072 IRP_MJ_QUERY_SECURITY : 804F4562
15:36:12:546 1072 IRP_MJ_SET_SECURITY : 804F4562
15:36:12:546 1072 IRP_MJ_POWER : BA10AC82
15:36:12:546 1072 IRP_MJ_SYSTEM_CONTROL : BA10F99E
15:36:12:546 1072 IRP_MJ_DEVICE_CHANGE : 804F4562
15:36:12:546 1072 IRP_MJ_QUERY_QUOTA : 804F4562
15:36:12:546 1072 IRP_MJ_SET_QUOTA : 804F4562
15:36:12:546 1072 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:36:12:546 1072
15:36:12:546 1072 Driver Name: usbstor
15:36:12:546 1072 IRP_MJ_CREATE : B2565218
15:36:12:546 1072 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:36:12:546 1072 IRP_MJ_CLOSE : B2565218
15:36:12:546 1072 IRP_MJ_READ : B256523C
15:36:12:546 1072 IRP_MJ_WRITE : B256523C
15:36:12:546 1072 IRP_MJ_QUERY_INFORMATION : 804F4562
15:36:12:546 1072 IRP_MJ_SET_INFORMATION : 804F4562
15:36:12:546 1072 IRP_MJ_QUERY_EA : 804F4562
15:36:12:546 1072 IRP_MJ_SET_EA : 804F4562
15:36:12:546 1072 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:36:12:546 1072 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:36:12:546 1072 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:36:12:546 1072 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:36:12:546 1072 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:36:12:546 1072 IRP_MJ_DEVICE_CONTROL : B2565180
15:36:12:546 1072 IRP_MJ_INTERNAL_DEVICE_CONTROL : B25609E6
15:36:12:546 1072 IRP_MJ_SHUTDOWN : 804F4562
15:36:12:546 1072 IRP_MJ_LOCK_CONTROL : 804F4562
15:36:12:546 1072 IRP_MJ_CLEANUP : 804F4562
15:36:12:546 1072 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:36:12:546 1072 IRP_MJ_QUERY_SECURITY : 804F4562
15:36:12:546 1072 IRP_MJ_SET_SECURITY : 804F4562
15:36:12:546 1072 IRP_MJ_POWER : B25645F0
15:36:12:546 1072 IRP_MJ_SYSTEM_CONTROL : B2562A6E
15:36:12:546 1072 IRP_MJ_DEVICE_CHANGE : 804F4562
15:36:12:546 1072 IRP_MJ_QUERY_QUOTA : 804F4562
15:36:12:546 1072 IRP_MJ_SET_QUOTA : 804F4562
15:36:12:562 1072 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
15:36:12:562 1072
15:36:12:562 1072 Driver Name: usbstor
15:36:12:562 1072 IRP_MJ_CREATE : B2565218
15:36:12:562 1072 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:36:12:562 1072 IRP_MJ_CLOSE : B2565218
15:36:12:562 1072 IRP_MJ_READ : B256523C
15:36:12:562 1072 IRP_MJ_WRITE : B256523C
15:36:12:562 1072 IRP_MJ_QUERY_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_SET_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_EA : 804F4562
15:36:12:562 1072 IRP_MJ_SET_EA : 804F4562
15:36:12:562 1072 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:36:12:562 1072 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:36:12:562 1072 IRP_MJ_DEVICE_CONTROL : B2565180
15:36:12:562 1072 IRP_MJ_INTERNAL_DEVICE_CONTROL : B25609E6
15:36:12:562 1072 IRP_MJ_SHUTDOWN : 804F4562
15:36:12:562 1072 IRP_MJ_LOCK_CONTROL : 804F4562
15:36:12:562 1072 IRP_MJ_CLEANUP : 804F4562
15:36:12:562 1072 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_SECURITY : 804F4562
15:36:12:562 1072 IRP_MJ_SET_SECURITY : 804F4562
15:36:12:562 1072 IRP_MJ_POWER : B25645F0
15:36:12:562 1072 IRP_MJ_SYSTEM_CONTROL : B2562A6E
15:36:12:562 1072 IRP_MJ_DEVICE_CHANGE : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_QUOTA : 804F4562
15:36:12:562 1072 IRP_MJ_SET_QUOTA : 804F4562
15:36:12:562 1072 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
15:36:12:562 1072
15:36:12:562 1072 Driver Name: usbstor
15:36:12:562 1072 IRP_MJ_CREATE : B2565218
15:36:12:562 1072 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:36:12:562 1072 IRP_MJ_CLOSE : B2565218
15:36:12:562 1072 IRP_MJ_READ : B256523C
15:36:12:562 1072 IRP_MJ_WRITE : B256523C
15:36:12:562 1072 IRP_MJ_QUERY_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_SET_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_EA : 804F4562
15:36:12:562 1072 IRP_MJ_SET_EA : 804F4562
15:36:12:562 1072 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:36:12:562 1072 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:36:12:562 1072 IRP_MJ_DEVICE_CONTROL : B2565180
15:36:12:562 1072 IRP_MJ_INTERNAL_DEVICE_CONTROL : B25609E6
15:36:12:562 1072 IRP_MJ_SHUTDOWN : 804F4562
15:36:12:562 1072 IRP_MJ_LOCK_CONTROL : 804F4562
15:36:12:562 1072 IRP_MJ_CLEANUP : 804F4562
15:36:12:562 1072 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_SECURITY : 804F4562
15:36:12:562 1072 IRP_MJ_SET_SECURITY : 804F4562
15:36:12:562 1072 IRP_MJ_POWER : B25645F0
15:36:12:562 1072 IRP_MJ_SYSTEM_CONTROL : B2562A6E
15:36:12:562 1072 IRP_MJ_DEVICE_CHANGE : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_QUOTA : 804F4562
15:36:12:562 1072 IRP_MJ_SET_QUOTA : 804F4562
15:36:12:562 1072 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
15:36:12:562 1072
15:36:12:562 1072 Driver Name: usbstor
15:36:12:562 1072 IRP_MJ_CREATE : B2565218
15:36:12:562 1072 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:36:12:562 1072 IRP_MJ_CLOSE : B2565218
15:36:12:562 1072 IRP_MJ_READ : B256523C
15:36:12:562 1072 IRP_MJ_WRITE : B256523C
15:36:12:562 1072 IRP_MJ_QUERY_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_SET_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_EA : 804F4562
15:36:12:562 1072 IRP_MJ_SET_EA : 804F4562
15:36:12:562 1072 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:36:12:562 1072 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:36:12:562 1072 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:36:12:562 1072 IRP_MJ_DEVICE_CONTROL : B2565180
15:36:12:562 1072 IRP_MJ_INTERNAL_DEVICE_CONTROL : B25609E6
15:36:12:562 1072 IRP_MJ_SHUTDOWN : 804F4562
15:36:12:562 1072 IRP_MJ_LOCK_CONTROL : 804F4562
15:36:12:562 1072 IRP_MJ_CLEANUP : 804F4562
15:36:12:562 1072 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_SECURITY : 804F4562
15:36:12:562 1072 IRP_MJ_SET_SECURITY : 804F4562
15:36:12:562 1072 IRP_MJ_POWER : B25645F0
15:36:12:562 1072 IRP_MJ_SYSTEM_CONTROL : B2562A6E
15:36:12:562 1072 IRP_MJ_DEVICE_CHANGE : 804F4562
15:36:12:562 1072 IRP_MJ_QUERY_QUOTA : 804F4562
15:36:12:562 1072 IRP_MJ_SET_QUOTA : 804F4562
15:36:12:578 1072 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
15:36:12:578 1072
15:36:12:578 1072 Driver Name: Disk
15:36:12:578 1072 IRP_MJ_CREATE : BA10EBB0
15:36:12:578 1072 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:36:12:578 1072 IRP_MJ_CLOSE : BA10EBB0
15:36:12:578 1072 IRP_MJ_READ : BA108D1F
15:36:12:578 1072 IRP_MJ_WRITE : BA108D1F
15:36:12:578 1072 IRP_MJ_QUERY_INFORMATION : 804F4562
15:36:12:578 1072 IRP_MJ_SET_INFORMATION : 804F4562
15:36:12:578 1072 IRP_MJ_QUERY_EA : 804F4562
15:36:12:578 1072 IRP_MJ_SET_EA : 804F4562
15:36:12:578 1072 IRP_MJ_FLUSH_BUFFERS : BA1092E2
15:36:12:578 1072 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:36:12:578 1072 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:36:12:578 1072 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:36:12:578 1072 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:36:12:578 1072 IRP_MJ_DEVICE_CONTROL : BA1093BB
15:36:12:578 1072 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
15:36:12:578 1072 IRP_MJ_SHUTDOWN : BA1092E2
15:36:12:578 1072 IRP_MJ_LOCK_CONTROL : 804F4562
15:36:12:578 1072 IRP_MJ_CLEANUP : 804F4562
15:36:12:578 1072 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:36:12:578 1072 IRP_MJ_QUERY_SECURITY : 804F4562
15:36:12:578 1072 IRP_MJ_SET_SECURITY : 804F4562
15:36:12:578 1072 IRP_MJ_POWER : BA10AC82
15:36:12:578 1072 IRP_MJ_SYSTEM_CONTROL : BA10F99E
15:36:12:578 1072 IRP_MJ_DEVICE_CHANGE : 804F4562
15:36:12:578 1072 IRP_MJ_QUERY_QUOTA : 804F4562
15:36:12:578 1072 IRP_MJ_SET_QUOTA : 804F4562
15:36:12:578 1072 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:36:12:578 1072
15:36:12:578 1072 Driver Name: Disk
15:36:12:578 1072 IRP_MJ_CREATE : BA10EBB0
15:36:12:578 1072 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:36:12:578 1072 IRP_MJ_CLOSE : BA10EBB0
15:36:12:578 1072 IRP_MJ_READ : BA108D1F
15:36:12:578 1072 IRP_MJ_WRITE : BA108D1F
15:36:12:578 1072 IRP_MJ_QUERY_INFORMATION : 804F4562
15:36:12:578 1072 IRP_MJ_SET_INFORMATION : 804F4562
15:36:12:578 1072 IRP_MJ_QUERY_EA : 804F4562
15:36:12:578 1072 IRP_MJ_SET_EA : 804F4562
15:36:12:578 1072 IRP_MJ_FLUSH_BUFFERS : BA1092E2
15:36:12:578 1072 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:36:12:578 1072 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:36:12:578 1072 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:36:12:578 1072 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:36:12:578 1072 IRP_MJ_DEVICE_CONTROL : BA1093BB
15:36:12:578 1072 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
15:36:12:578 1072 IRP_MJ_SHUTDOWN : BA1092E2
15:36:12:578 1072 IRP_MJ_LOCK_CONTROL : 804F4562
15:36:12:578 1072 IRP_MJ_CLEANUP : 804F4562
15:36:12:578 1072 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:36:12:578 1072 IRP_MJ_QUERY_SECURITY : 804F4562
15:36:12:578 1072 IRP_MJ_SET_SECURITY : 804F4562
15:36:12:578 1072 IRP_MJ_POWER : BA10AC82
15:36:12:578 1072 IRP_MJ_SYSTEM_CONTROL : BA10F99E
15:36:12:578 1072 IRP_MJ_DEVICE_CHANGE : 804F4562
15:36:12:578 1072 IRP_MJ_QUERY_QUOTA : 804F4562
15:36:12:578 1072 IRP_MJ_SET_QUOTA : 804F4562
15:36:12:578 1072 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:36:12:578 1072
15:36:12:578 1072 Driver Name: iaStor
15:36:12:578 1072 IRP_MJ_CREATE : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_CREATE_NAMED_PIPE : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_CLOSE : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_READ : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_WRITE : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_QUERY_INFORMATION : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_SET_INFORMATION : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_QUERY_EA : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_SET_EA : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_FLUSH_BUFFERS : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_QUERY_VOLUME_INFORMATION : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_SET_VOLUME_INFORMATION : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_DIRECTORY_CONTROL : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_FILE_SYSTEM_CONTROL : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_DEVICE_CONTROL : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_SHUTDOWN : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_LOCK_CONTROL : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_CLEANUP : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_CREATE_MAILSLOT : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_QUERY_SECURITY : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_SET_SECURITY : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_POWER : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_SYSTEM_CONTROL : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_DEVICE_CHANGE : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_QUERY_QUOTA : 8B4D0CA1
15:36:12:578 1072 IRP_MJ_SET_QUOTA : 8B4D0CA1
15:36:12:578 1072 Driver "iaStor" infected by TDSS rootkit!
15:36:12:578 1072 C:\WINDOWS\system32\DRIVERS\iastor.sys - Verdict: 1
15:36:12:578 1072 File "C:\WINDOWS\system32\DRIVERS\iastor.sys" infected by TDSS rootkit ... 15:36:12:578 1072 Processing driver file: C:\WINDOWS\system32\DRIVERS\iastor.sys
15:36:12:578 1072 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
15:36:12:609 1072 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
15:36:12:625 1072 !fdfb7
15:36:12:625 1072 !vdf5
15:36:12:625 1072 Backup copy not found, trying to cure infected file..
15:36:12:625 1072 C:\WINDOWS\system32\DRIVERS\iastor.sys - Verdict: Cure failed (0)
15:36:12:625 1072 cure failed
15:36:12:625 1072
15:36:12:625 1072 Completed
15:36:12:625 1072
15:36:12:625 1072 Results:
15:36:12:625 1072 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
15:36:12:625 1072 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:36:12:625 1072 File objects infected / cured / cured on reboot: 1 / 0 / 0
15:36:12:625 1072
15:36:12:625 1072 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:36:12:625 1072 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:36:12:625 1072 KLMD(ARK) unloaded successfully

Ok. After the reboot, did the scan work?

Hey meksikatsi,

Can you open a command prompt and type or copy&paste

dir /a /s iastor.sys > C:\loggit.txt ENTER

And post me the Loggit.txt please.


As you can see from the previous logs, iaStor.sys is infected. But TDSSKiller could not disinfect it and it could not find a clean copy to replace it.
If we can't find a clean copy on your compy, you'll need to come up with one - either from Windows disk or DL or from another compy.

PP:)

the first time I ran GMER it hung up. I rebooted and ran it again and these are those logs. The first preliminary log didn't change from the two runs so I only included the second one.

I did reboot before running TDSSKiller because I had to disconnect from the internet while running GMER and could not get it reconnected (message saying cable unplugged...but it was plugged) until I rebooted and it came up normally.

the first time I ran GMER it hung up. I rebooted and ran it again and these are those log..........

No worries on any of that - we just need to get ahold of a clean copy of iastor.sys and replace the infected one.

PP:)

Volume in drive C is HP_PAVILION
Volume Serial Number is 18D0-9135


that's it....here's what DOS did:

File not found

I'll look for the file on another computer

I'll look for the file on another computer

Good luck - I'd attach it for you, but I don't have it on my machines.
Neither does Judy.
Plus, I am not sure about the legality of us distributing it......

I think you can download IATA96ENU.exe from here and then extract iaStor.sys from the installation package. It says IATA88ENU.exe, but it has been updated......

Download IATA96ENU.exe to the C:\ Drive. Then, to extract the files to a folder (c:\Files), the command line would be something like this:
c:\iata96enu.exe -a -a -p c:\files

Look in C:\files\drivers\x32 for iaStor.sys

If you are able to do that, let me know and we'll have a go at replacing this - that will be a bit more complex than you might think....

PP:)

PP, I've now got iastor.sys on a flash drive ready to go...

I'll be ecstatic if we're this close - this machine would be HARD to duplicate.

But I admit I'm intrigued on how you're going to replace a .sys file.

meksikatsi

I'll be ecstatic if we're this close - this machine would be HARD to duplicate.
But I admit I'm intrigued on how you're going to replace a .sys file.

Hopefully this is the only infected file - when dealing with rootkits, it's tough to smoke them all out.....

Swandog46's Avenger is good for replacing these drivers. Let's give it a go and see how it shakes out:

-- Place iaStor.sys on the C:\ Drive

-- Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight Everything in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

Will check back as time permits.

PP:)

I finally got to it, sorry! something went wrong...it's asking for a disk?

WINDOWS - No Disk
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6b7c 75b6bf7c

here's the logfile:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "C:\iaStor.sys"
File move operation "C:\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

I finally got to it, sorry! something went wrong...it's asking for a disk?
WINDOWS - No Disk
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6b7c 75b6bf7c

That is odd - haven't seen that one before. Could it be referencing the HD because of the infected iaStor.sys? I wonder . . . . .

Try rebooting and then trying the Avenger step again. If that fails, we can try another avenue....

PP:)

I already tried, so I tried once again and unchecked the check for rootkits, since it already had done that clean. No change...

what would happen if I just tried to delete that file and copy the new copy over?

what would happen if I just tried to delete that file and copy the new copy over?

Access would likely be denied - you'd need to try a more circuitous route:
-- Rename the existing iaStor.sys to iaStor.sys.OLD
if it will allow you to rename it....
-- Then, copy the clean version into the folder.
-- Reboot
-- Now, you ought to be able to delete iaStor.sys.OLD

You could give that a go.

-- Can you burn an ISO? If the above doesn't work, maybe we can bypass Windows altogether and operate via boot CD?

PP:)

PP-
Well, maybe we've made some progress...I haven't seen any screens announcing the virus for a couple of days.

I'll try to explain because I had to take several steps before I could replace the bad iaStor file. Here's what finally worked...all other attempts to erase a replace resulted in a virus screen.

I had to rename the bad file. Then I renamed the good file and copied it into the driver folder. Then I moved the bad file into the recycle bin and got rid of it. Then I renamed the good file to iaStor.sys...

no other combination worked. And like I said, I'm not certain this worked, however, no more notifications. I have had some issues with Firefox redirecting, though - BUT Firefox has now downloaded a new security version (it said). That hasn't helped the redirecting...but IE doesn't seem to redirect...I hardly ever use IE until I just tried it to see if it was stable.

Any further suggestions on diagnostics would be welcome...and thanks again for your patience so far.

meksikatsi

Any further suggestions on diagnostics would be welcome...and thanks again for your patience so far.

Well . .. we may need to backtrack a bit - I wonder if there are more infected files.

Let's cover a bunch of bases at once and see what shakes out:

1) Please download jpshortstuff's GooredFix.exe to your Desktop.
-- Make sure all browsers are Closed and then DoubleClick GooredFix.exe to run it.
A dialog box should pop up:
"GooredFix will automatically check for and remove infection. Click Yes to continue or No to exit."
-- Click Yes and allow the tool to run. It should go pretty quickly.
-- Look for GooredFix.txt on your Desktop and post that log for me.


2) Please download mbr.exe and place it in your C:\ Drive
-- Click START > RUN > type cmd ENTER
At the prompt, type or Copy and Paste: mbr -t > C:\Logit.txt
Let it run and please post the C:\Logit.txt


3) Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choose to save it to the Desktop as a .txt file and then click the Save button.
Please post that for me.

4) Please go to http://virusscan.jotti.org/en and upload these for analysis:
C:\WINDOWS\system32\DRIVERS\iastor.sys
C:\WINDOWS\system32\DRIVERS\atapi.sys

Link or C&P the results for me.

Due to my limited availability, I figure it'll save some time doing all these at once.

**If you feel like really covering the bases, you could do fresh GMER and TDSSKiller runs. If you do that, download fresh copies of each tool before running them again.
If those logs still show infection, post them for me.

Cheers :)
PP

Thanks, PP - it took me a while but here is the first part of your instructions:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 17:43 on 07/04/2010 (HP_Administrator)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:49 12/09/2008]
{B13721C7-F507-4982-B2E5-502A71474FED} [04:24 01/04/2009]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [21:37 29/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [00:56 06/05/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [12:18 10/06/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [15:26 08/08/2009]

C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\izkwi3ur.default\extensions\
[email]addon@privacychoice.org[/email] [13:19 21/12/2009]
TFToolbarX@torrent-finder [19:56 15/05/2009]
{20a82645-c095-46ed-80e3-08825760534b} [19:49 03/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [07:03 08/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:37 29/03/2009]

-=E.O.F=-

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [url]http://www.gmer.net[/url]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B398CA1]<< 
kernel: MBR read successfully
user & kernel MBR OK 

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Thursday, April 8, 2010
 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Wednesday, April 07, 2010 20:02:47
 Records in database: 3918834
--------------------------------------------------------------------------------

Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

Scan statistics:
    Objects scanned: 205370
    Threats found: 3
    Infected objects found: 5
    Suspicious objects found: 0
    Scan duration: 03:15:19


File name / Threat / Threats count
C:\HP\bin\wbug\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
C:\Program Files\Alwil Software\Avast4\DATA\moved\iaStor.sys.vir    Infected: Rootkit.Win32.Tdss.ai 1
D:\I386\APPS\APP11700\src\CompaqPresario_Spring06.exe   Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
D:\I386\APPS\APP11700\src\HPPavillion_Spring06.exe  Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
E:\4-Common Software\TFTP Server\SolarWinds\OEM-TFTP-Server.EXE Infected: not-a-virus:Server-FTP.Win32.Tftp.400 1

Selected area has been scanned.
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.