Here are the Jotti scan results:

for iastor.sys:

Jotti's malware scan
Filename: iaStor.sys.sys
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 8 Apr 2010 13:08:32 (CET)

Additional info
File size: 872064 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 9a65e42664d1534b68512caad0efe963
SHA1: ca3b5fb10f27f0a83f60beae10c2ef188787aa22


Scanners
[ArcaVir]
2010-04-07 Found nothing
[F-Secure Anti-Virus]
2010-04-08 Found nothing
[A-Squared]
2010-04-08 Found nothing
[G DATA]
2010-04-08 Found nothing
[Avast! antivirus]
2010-04-08 Found nothing
[Ikarus]
2010-04-08 Found nothing
[Grisoft AVG Anti-Virus]
2010-04-08 Found nothing
[Kaspersky Anti-Virus]
2010-04-07 Found nothing
[Avira AntiVir]
2010-04-08 Found nothing
[ESET NOD32]
2010-04-08 Found nothing
[Softwin BitDefender]
2010-04-08 Found nothing
[Panda Antivirus]
2010-04-07 Found nothing
[ClamAV]
2010-04-08 Found nothing
[Quick Heal]
2010-04-08 Found nothing
[CPsecure]
2010-04-06 Found nothing
[Sophos]
2010-04-08 Found nothing
[Dr.Web]
2010-04-08 Found nothing
[VirusBlokAda VBA32]
2010-04-07 Found nothing
[Frisk F-Prot Antivirus]
2010-04-07 Found nothing
[VirusBuster]
2010-04-07 Found nothing

for atapi.sys: (it's reporting atapi512.sys but it downloaded atapi.sys)

Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.


Filename: atapi512.sys
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 7 Apr 2010 07:48:50 (CET)

Additional info
File size: 96512 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 9f3a2f5aa6875c72bf062c712cfa2674
SHA1: a719156e8ad67456556a02c34e762944234e7a44
Packer (Kaspersky): PE_Patch


Scanners
[ArcaVir]
2010-04-06 Found nothing
[F-Secure Anti-Virus]
2010-04-07 Found nothing
[A-Squared]
2010-04-07 Found nothing
[G DATA]
2010-04-07 Found nothing
[Avast! antivirus]
2010-04-06 Found nothing
[Ikarus]
2010-04-07 Found nothing
[Grisoft AVG Anti-Virus]
2010-04-06 Found nothing
[Kaspersky Anti-Virus]
2010-04-06 Found nothing
[Avira AntiVir]
2010-04-06 Found nothing
[ESET NOD32]
2010-04-06 Found nothing
[Softwin BitDefender]
2010-04-07 Found nothing
[Panda Antivirus]
2010-04-06 Found nothing
[ClamAV]
2010-04-07 Found nothing
[Quick Heal]
2010-04-07 Found nothing
[CPsecure]
2010-04-06 Found nothing
[Sophos]
2010-04-07 Found nothing
[Dr.Web]
2010-04-07 Found nothing
[VirusBlokAda VBA32]
2010-04-06 Found nothing
[Frisk F-Prot Antivirus]
2010-04-06 Found nothing
[VirusBuster]
2010-04-06 Found nothing

for atapi.sys: (it's reporting atapi512.sys but it downloaded atapi.sys)
Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.

Those all look good.
Though, previous scan results for atapi.sys are useless since it is normally a legit file and modifications are case by case. Make sure you scan your copy and get those results - though sometimes even this yields no flags on an infected file...

-- Did you run GMER and TDSSKiller again? Clean? Judging from what you posted, I would imagine that they would be.

Still being redirected? Maybe we can try flushing DNS....

PP:)

Did you see Kaspersky's results on the previous page of the thread? Sorry, but I put the results you wanted in two different posts... I have just flushed the DNS to see if that yields results.

Kaspersky found a few files I cannot get rid of...including one rootkit

Kaspersky found a few files I cannot get rid of...including one rootkit

This one obviously is Avast quarantine - renamed with that .vir extension. You ought to be able to empty the quarantine / delete it with no problem.
C:\Program Files\Alwil Software\Avast4\DATA\moved\iaStor.sys.vir Infected: Rootkit.Win32.Tdss.ai 1

The others don't bother me - HP bundles that Weatherbug and it's merely mild adware.

Your MBR looks OK - I'm not seeing anything in the logs. 'Course, I might be missing something or this particular malware family has evolved yet again.


-- If you are still having issues, perhaps you could try a fresh run of Combofix. If you do that, delete your old copy and download a fresh one to the Desktop and run it from there.

PP:)

Here's a fresh run of combofix...


ComboFix 10-04-08.02 - HP_Administrator 04/09/2010 4:29.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.3021 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 100408-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db

Infected copy of c:\windows\system32\DRIVERS\iastor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.

2010-04-07 21:45 . 2010-04-07 21:45 77312 ----a-w- C:\mbr.exe
2010-04-02 11:08 . 2005-06-17 13:33 872064 ----a-w- c:\windows\system32\drivers\iaStor.sys.sys
2010-03-30 18:24 . 2005-06-17 13:33 872064 ----a-w- C:\iaStor.sys
2010-03-28 11:33 . 2010-03-28 11:34 -------- d-----w- C:\Images for internet sites
2010-03-27 22:59 . 2010-03-30 18:18 -------- d-----w- C:\Leads
2010-03-25 23:30 . 2010-03-25 23:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 23:30 . 2010-03-25 23:30 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-16 19:08 . 2010-03-16 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 08:26 . 2008-09-12 16:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
2010-04-09 04:06 . 2008-09-12 17:00 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
2010-04-08 11:34 . 2009-02-02 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-04 08:24 . 2005-06-17 13:33 246784 ----a-w- c:\windows\system32\drivers\iastor.sys
2010-03-30 18:54 . 2010-01-24 12:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 18:53 . 2010-03-30 18:53 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 04:46 . 2010-01-24 12:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-01-24 12:18 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38 . 2004-08-10 04:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-10 04:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-10 08:03 . 2009-08-08 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-1 36903]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TOPO! Explorer\\te.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\gnucash\\bin\\gnucash-bin.exe"=
"c:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/12/2008 8:21 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/12/2008 8:21 AM 20560]
R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [3/24/2009 10:13 AM 5365]
S2 gupdate1c98572486c5d2f;Google Update Service (gupdate1c98572486c5d2f);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2009 4:10 PM 133104]
S3 USBBULK;USB Bulk device driver;c:\windows\system32\drivers\USBBulk.sys [12/24/2008 6:39 PM 20992]
.
Contents of the 'Scheduled Tasks' folder

2010-04-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-02 18:56]

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 20:10]

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 20:10]

2010-04-09 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\program files\SmartDraw 2009\Messages\SDNotify.exe [2009-02-28 11:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\izkwi3ur.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-09 04:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MysqlInventime]
"ImagePath"="c:\progra~1\MYSOFT~1\SMALLB~1\mysql\bin\mysqld-nt \"--defaults-file=c:\program files\MySoftware\Small Business Pro\mysql\my.ini\" MysqlInventime"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2196)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-09 04:50:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-09 08:50
ComboFix2.txt 2010-03-26 10:11

Pre-Run: 194,883,264,512 bytes free
Post-Run: 195,209,408,512 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=,1,2,3,4,5
- - End Of File - - 9615343EF9E66C84C4BD0D0C298D15D1

Here's a fresh run of combofix...

That looks good - apparently iaStor.sys was still the culprit but combofix was able to replace it.

I wonder if it got re-infected after you replaced it the first time or if there was a problem with the replacement...?

Anyhoo, how are things looking now?

PP:)

That looks good - apparently iaStor.sys was still the culprit but combofix was able to replace it.

I wonder if it got re-infected after you replaced it the first time or if there was a problem with the replacement...?

Anyhoo, how are things looking now?

PP:)

Yeah, I think the combofix got it...doesn't seem to be redirecting at this point. I'll see what it looks like by tomorrow and if nothing new crops up I'll mark this thread solved.

Many thanks for sticking with me on this...I sure didn't want to have to reload this guy. I suppose I should consider a mirror backup or something, any suggestions?

Many thanks for sticking with me on this...I sure didn't want to have to reload this guy. I suppose I should consider a mirror backup or something, any suggestions?

You're welcome :)

-- I don't actually use any imaging software. I just have a number of hard drives that I use to back up stuff I can't afford to lose.
I know Acronis is a popular option. You may want to have a look at these options and see if anything appeals to you.

Cheers :)
PP
