PhilliePhan 171 Central Scrutinizer Team Colleague

Alright, I got them burned to ISO! Ready for the next step. :)

OK - Since you have your Windows disk for the Dell, let's work on that compy.

Since we are in a forum setting, these types of problems can be a bit tricky. What I want to do is use the Ubuntu CD to poke around and see if there are any issues since you had trouble getting the Windows CD to work.
If need be, I think we can reformat the hard drive via the Ubuntu CD as well - never tried that before, though.
Course, if the Windows CD still doesn't work . . . . well, then you've got a problem :)

Anyhoo:

Pop in the Ubuntu Live CD and boot to it and select the option to Try Ubuntu without any change to your computer

Then, click the Places tab and select Computer.
It should list all of the drives connected to your compy. See if you are able to access/navigate your folders and data with no problems.

If that works, then we'll go from there.

I am going to be around off and on for the next week or so - will try to check back in a timely manner.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

what would happen if I just tried to delete that file and copy the new copy over?

Access would likely be denied - you'd need to try a more circuitous route:
-- Rename the existing iaStor.sys to iaStor.sys.OLD
if it will allow you to rename it....
-- Then, copy the clean version into the folder.
-- Reboot
-- Now, you ought to be able to delete iaStor.sys.OLD

You could give that a go.

-- Can you burn an ISO? If the above doesn't work, maybe we can bypass Windows altogether and operate via boot CD?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I finally got to it, sorry! something went wrong...it's asking for a disk?
WINDOWS - No Disk
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6b7c 75b6bf7c

That is odd - haven't seen that one before. Could it be referencing the HD because of the infected iaStor.sys? I wonder . . . . .

Try rebooting and then trying the Avenger step again. If that fails, we can try another avenue....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll be ecstatic if we're this close - this machine would be HARD to duplicate.
But I admit I'm intrigued on how you're going to replace a .sys file.

Hopefully this is the only infected file - when dealing with rootkits, it's tough to smoke them all out.....

Swandog46's Avenger is good for replacing these drivers. Let's give it a go and see how it shakes out:

-- Place iaStor.sys on the C:\ Drive

-- Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight Everything in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

Will check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll look for the file on another computer

Good luck - I'd attach it for you, but I don't have it on my machines.
Neither does Judy.
Plus, I am not sure about the legality of us distributing it......

I think you can download IATA96ENU.exe from here and then extract iaStor.sys from the installation package. It says IATA88ENU.exe, but it has been updated......

Download IATA96ENU.exe to the C:\ Drive. Then, to extract the files to a folder (c:\Files), the command line would be something like this:
c:\iata96enu.exe -a -a -p c:\files

Look in C:\files\drivers\x32 for iaStor.sys

If you are able to do that, let me know and we'll have a go at replacing this - that will be a bit more complex than you might think....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Karen,

The problem that we are running into is that 64-bit Vista is a difficult animal with which to deal in a forum setting. Most of the tools we use are just not compatible....

-- Did you download this ---> 360Safe ?
-- How are things running after Judy's last set of instructions?
-- What about the programs that were giving you trouble? Are they working now?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

the first time I ran GMER it hung up. I rebooted and ran it again and these are those logs..........

No worries on any of that - we just need to get ahold of a clean copy of iastor.sys and replace the infected one.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey meksikatsi,

Can you open a command prompt and type or copy&paste

dir /a /s iastor.sys > C:\loggit.txt ENTER

And post me the Loggit.txt please.


As you can see from the previous logs, iaStor.sys is infected. But TDSSKiller could not disinfect it and it could not find a clean copy to replace it.
If we can't find a clean copy on your compy, you'll need to come up with one - either from Windows disk or DL or from another compy.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Finding the worm in the registry does work but that also seems like a lost cause.

Not in this case - here we are looking at infected system files. Most likely atapi.sys and/or iastor.sys.
TDSSKiller ought to address that and disinfect them - if we're lucky...

I'll keep my fingers crossed :)

-- But, yeah - if starting from scratch is a viable option, then that is the best course of action.

PhilliePhan 171 Central Scrutinizer Team Colleague

I had to cold start the system and choose an earlier configuration to get the machine started again but it has now been stable (no avast messages) for about 12 hours so hopefully the nasty was contained in those deleted files...there were 4.

Hi meksikatsi,

Those deletions look pretty benign to me - It's the MBR rootkit that we need to be concerned with.
-- Honestly, in these cases I recommend wiping the hard drive and reinstalling Windows. It is easiest and most effective.

-- Also, Combofix should be run from the Desktop


Anyhoo, if you want to take a whack at removing this infection, let's try the following:

* Since I anticipate limited availability over the weekend, I'd like to run both of these steps at the same time.

FIRST:
Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php
or
http://majorgeeks.com/GMER_d5198.html --> You'll need to extract it from the ZIP if you DL from MGs.

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
* When GMER opens, it should automatically do a quick scan for rootkits.
When the quick scan finishes, click the Save Button and save the scanlog to your Desktop as GMER One.log.

-- If upon running GMER you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected …

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks in advance for any future help!

Happy to try! :)

Sounds like something's cattywampus here. Can be tough to deduce in a forum setting.

To save time, please burn these three ISOs to CDs for me:

1 - UBUNTU CD IMAGE
2 - Darik's Boot and Nuke
3 - Recovery Console ISO

Once you've got those, let me know and we'll have a stab at this.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague


Any thoughts? Anything I can try? I'm fine reformatting, but I'm not fine just tossing the computers out the window, you know? There must be SOMETHING I can do. *nail bite* Halp!

Reformatting might be the fastest / easiest / best course of action.
However, there are some things that we can try.

-- Do you have a lot of data on the machines that you want to save?
-- If so, do you have an external hard drive?

-- Are you able to burn an ISO to CD?
-- If so, download and burn UBUNTU CD IMAGE to a disk.

-- So, just to be certain, you are unable to get into Recovery Console via your Windows disk?

Let me know - Will check back as time permits. Awfully busy these days.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

PP - running MalWareBytes no....is that MBAM? Anyway, last time I ran it nothing was found...

Also, what is an ARK tool please?

Anti-Rootkit tool (GMER, for example).

At this point, I would suggest a run of Combofix, if you are able:
-- If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

I'll try to check back in a timely manner - been pretty busy these days and my online time is limited.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Can anyone please tell me if you have experienced a file called YAT32.exe automatically placed on your desktop?

In addition to what Judy said, I suggest uploading it for analysis at http://virusscan.jotti.org/

Let us know what you find.

-- Are you sure it's not YATS32?

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

since that's OK at the moment, I appreciate your attention and I'll keep you posted on this thread in about 3 days...again, MANY thanks.

Happy to help!


Bear in mind that this family of malware is often rootkitted - not a good thing to leave unattended. I would definitely recommend that you run an ARK tool along with your AV and an anti-malware app such as MBAM and see what they turn up.....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

any advice? thanks in advance!!

Do you have your Windows disk?

If not, are you able to burn an ISO for a bootable disk?

Let me know and we'll see what we can do.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Nancy,

Are you sure this isn't due to a sticky keyboard?
Kind of odd behavior for malware - do you have a different keyboard to try?

-- To rule out malware, please post the requested scanlogs from the steps linked below:

http://www.daniweb.com/forums/thread134865.html

Hopefully a volunteer will be able to have a look and get back to you in a timely manner - this seems to be a busy time of the year for many volunteers.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Download the free version of Malwarebytes and install and run it in safe mode till you get no more infections showing up.

Run MBAM in Normal Windows boot - if it doesn't run in normal boot, then try Safe Mode. Be sure to Reboot after running MBAM.

Ideally, I would recommend posting the logs requested in the steps linked below:

http://www.daniweb.com/forums/thread134865.html

With any luck, a volunteer will be able to advise you further.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the update, Paul - Surf safely.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

You have lost me. What are you asking?

Oh for crying out loud . . . . It's as plain as the nose on your face!

How can you not see that, in 2005, they had a program installed?
-- It was somehow deleted.
Accidentally.
Now, they would like to have reinstalled for free.

Sounds pretty straightforward to me - all you have to do is reinstall the program.


;)

PhilliePhan 171 Central Scrutinizer Team Colleague

Some say that Windows System Restore can resolve the problems.

That is not the best course of action in these cases.

The "solution" that you linked advises the use of MBAM - That is the best way to start to attack this malware.



@ Paul

Can you give us a status update? Post the MBAM log?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Is it possible to download Malwarebytes to the flashdrive and just run it to clear this up?

Hi Paul,

That would be a good first step - Transfer MBAM from the flash drive to the ill compy and give it a go.
Have MBAM fix what it finds and then REBOOT.

Post the log and we'll go from there.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

thanks anyway PhilliePhan

Happy to try to help!

Good luck to you :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

heh my computer is somewhere between 6 and 8 years old. In fact, I wouldn't be that surprised if its age was the cause of this.

Well, it probably has accumulated a lot of dust.
You could try cleaning it - I'm sure there are a number of "how to" threads on the web....

so if it's a hardware issue I guess this is the wrong forum. What hardware specifically would it be? I'm pretty sure it's not the power supply because I bought a new one a couple months ago.

It is hard to say - these things are tough to deduce in a forum setting. I am fairly certain it is not malware based on the steps you took and the way the machine still locks up in safe mode.
Overheating is a likely culprit, but I could be wrong there - again, hard to say.
At this point, I'd just be guessing. Sorry.

... or am I just better off getting a new computer already

Everybody that I talk to seems to like Windows 7. Wish I had the cash to upgrade my ancient machine....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey PP! You're right, I should have shot this past you. I guess I got too excited.

Any clue how this might have been downloaded?

You are in good hands with Judy - she is probably more up to date than I am on the latest threats.

If I am not mistaken, this is part of an older family of password logging malware. I have no idea how long it could've been on the machine.
If this compy was one that we/you dealt with during the last infection, then I imagine it would've been between now and then.

If this was part of your employee network, well. . . it could've come from anywhere.

I am starting to hit one of my "busy periods," but will be around if you and Judy need a second opinion. At this point, my only suggestion would be to run some sort of ARK tool, but I'm sure Judy has that covered.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

hmmmm while idle in safe mode my CPU is 58 degrees Celsius. That seems high, am I right?

I am not sure what the specs are for VAIO, but laptops do run hot.

I will say that that does seem awfully hot for idle + safe mode. I would expect in the 40s - but I am not an expert in this area and could be wrong.
Were you able to test it under load? Maybe process some video?
-- If it is 58 idle, it probably jumps to the 70s under load and that is waay high.

-- How old is the VAIO?

The thing that bothers me is that you would have noticed performance issues before this last minor malware attack if it were a heat issue.
I suppose we could try a few more anti-malware tools - assuming we can get them to run. But the fact that it locks up in Safe Mode with only the "bare bones" running makes me believe it's a hardware/heat issue......

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Scott,

I didn't see you were back - should've dropped a PM on me :)

Looks like you and Judy are cruising along.

-- That baddie removed by MBAM is an older "banker" trojan designed to harvest passwords and other sensitive info. We couldn't tell you what or how much data has been compromised, but you should be aware that this was on one of your compys.....

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't think it's overheating, then again I don't know how to test if it is.
And yes, I have Safe Mode with Networking available.

-- A friend of mine likes Speedfan to look for overheating issues, but I've never tried it myself.....

-- Fire up Safe Mode with Networking and see if you can surf around without locking up and let us know. We'll go from there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

ok PP. It looks like things are working alright now. I am still not real confident about using the system for online purchases etc.... Maybe with time. lol I sure appreciate all your help and want to thank the folks who make this forum possible.

Happy to help!

-- Infections like this can be worrisome - can't really trust the machine and you don't really know just what info has been compromised.
Malware evolves so rapidly that wiping the infected drive is often the easiest and certainly the most effective course of action.
'Course, you also need to address compromised accounts/passwords/etc...

Vigilance is the key.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

So, this behavior started immediately after the infection was cleaned?
-- You can pretty much rule out other causes such as overheating?
-- Do you have a viable System Restore point from before the infection?

I really don't see anything there that would cause the problems you are having. Certainly not the malware previously removed by MBA-M.

What about my questions above?

It could very well be an issue with a legitimate program on your machine - especially if it works fine in Safe Mode.

-- Do you have Safe Mode with Networking available? Does it still freeze up?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

So, this behavior started immediately after the infection was cleaned?
-- You can pretty much rule out other causes such as overheating?

Are you able to run MBA-M and DDS as per the linky below?

http://www.daniweb.com/forums/thread134865.html

If so, please post those logs for me.

-- Do you have a viable System Restore point from before the infection?

Let us know.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

sent you a private message earlier today PP, not sure you got it. Ready to wrap it up. If you didn't get my message pls let me know. Thx !

PM sent.

Let me know if you have any trouble with the last steps or if there are any issues remaining.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I think you are right about these files being FPs. Oh well....

OK - That looks good. How are things running now?

-- You can get into C:\Qoobox\Quarantine and restore those deleted files if you so desire.
I would definitely recommend scanning them at
Just upload them for analysis.


Outside of that, you are probably good to go. Once you have restored those deletions, remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

what are FPs?

False positives.

We get those a lot - thing is, with the volume of infected users in all the security forums, the FPs often get chalked up as "collateral damage in the malware wars."

Unless, of course, removing them borks your machine... ;)

PhilliePhan 171 Central Scrutinizer Team Colleague

I reinstalled ZoneAlarm as it wouldn't update after the problems.

This folder was installed right about the time I was infected:
C:\Program Files\NOS\bin. It is something to do with Adobe: getPlusPlus_Adobe.exe. Do you think it is legit? Also, are you familiar with these? \Administrator\Local Settings\Application Data\BVRP Software, c:\documents and settings\Administrator\PrivacIE and c:\documents and settings\Administrator\IETldCache?

Going to scan with Malwarebytes now. Thanks !

Adobe just recently started using NOS download manager.

The others are benign - don't know if they are needed, but they are legit.

Looking more closely at the last batch of combofix deletions, I wonder if they really are baddies or FPs....:
c:\windows\system32\GWFSPidGen.DLL
c:\windows\system32\MSIMRT.DLL
c:\windows\system32\MSIMRT32.DLL
c:\windows\system32\MSIMUSIC.DLL

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Please let me know if there is anything I can do to get rid of this stupid thing.

At quick glance, I do not see any malware in that log.

Can you tell us what you are trying to remove?

-- Are you able to provide any of the scanlogs from the linky below?

http://www.daniweb.com/forums/thread134865.html

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Lastly, you have to be wondering: "Is this guy going to ever go away?". lol

HA!
Allow me to refer you to This Thread....

I'm a pitbull, I tell ya.......


Anyhoo, that looks a bit better.

-- GMER is popping up with the possible MBR issue again, but again is saying "user & kernel MBR OK".

-- Is your ZoneAlarm operating properly? All these
vsmon_2nd_2010_03_02_14_11_11_small.dmp.zip in the combofix log make me wonder if it is experiencing some issues....

-- This one bothers me a bit, but it is probably just a remnant: [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
regidsvr REG_SZ c:\windows\system32\cmdlhost.dll

Please update and run your MBA-M - have it remove what it finds.
Post me that log.
Don't forget to reboot after running MBA-M.

Let's see if MBA-M still detects that threat.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I was unable to locate fisprml.dll. Where would I find this file?

Most likely in the System32 folder.

You can use a command prompt (START > RUN > cmd ENTER)
and type dir /a /s fisprml.dll to locate it if it is still on the machine.

I would also suggest (without getting in Judy's way too much, I hope) that you try an ARK tool. GMER is good.
Combofix may be a good call at this point as well - we'll see what Judy thinks....

Try this:
Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
* When GMER opens, it should automatically do a quick scan for rootkits.
When the quick scan finishes, click the Save Button and save the scanlog to your Desktop as GMER One.log.

-- If upon running GMER you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes (GMER GUI). Please Uncheck the following:
- Sections
- IAT/EAT
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
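The "dir /a /s" searches in this thread (for iaStor.sys earlier and fisprml.dll here) only tell you where copies of a file sit. An added example, not from this thread or from any of the tools it names, that does the same walk in PowerShell and also records each copy's size, SHA-256 and Authenticode status, which is how a helper would separate a clean vendor copy from a patched one. It assumes PowerShell 4 or later (for Get-FileHash) and takes the file name and search root as parameters; the loggit.txt name mirrors the thread's redirection and is only a convention.

```powershell
# Added example: locate every copy of a file name on the system drive and
# report size, SHA-256 and Authenticode signature state.
# Assumes PowerShell 4+ (Get-FileHash). File name and root are parameters.
function Find-FileCopies {
    param(
        [Parameter(Mandatory = $true)][string]$Name,      # e.g. iaStor.sys
        [string]$Root = ($env:SystemDrive + '\')
    )

    # -Force includes hidden/system files, like "dir /a"; -Recurse walks
    # subfolders, like "dir /s". Access-denied folders are skipped silently.
    Get-ChildItem -Path $Root -Filter $Name -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                # Valid, NotSigned, HashMismatch (signed file patched in place), ...
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Usage: list every copy, flag those without a valid signature, and write the
# full table to the Desktop (the thread's "> C:\loggit.txt" idea).
$copies = Find-FileCopies -Name 'iaStor.sys'
$copies | Format-Table -AutoSize

$suspect = $copies | Where-Object { $_.Signature -ne 'Valid' }
if ($suspect) {
    Write-Warning "Copies without a valid signature (candidates for replacement):"
    $suspect | Select-Object Path, SHA256, Signature | Format-List
}
$copies | Out-File -FilePath (Join-Path $env:USERPROFILE 'Desktop\loggit.txt') -Width 300
```

Two things worth knowing when reading the output. A vendor driver that a rootkit has patched in place keeps its signature block but fails verification, so it shows as HashMismatch rather than NotSigned; a copy that reports Valid with the vendor's subject and a hash matching the other copies is the one to keep. And because the infections in this thread live in the MBR and kernel, a running rootkit can hide files or serve a clean view of a patched one, so results from the infected system are supporting evidence only; the same script run against the disk from a clean boot (the Ubuntu live CD route mentioned earlier, with the NTFS volume mounted) is the version to trust.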

PhilliePhan 171 Central Scrutinizer Team Colleague

Run another HiJackThis and post the log.

Why not run an ARK tool, as well?

Plus, there are some odd items that bear scrutiny:

LSA: Notification Packages = scecli fisprml.dll
c:\windows\Mxaleter.dat
c:\windows\Fkeyiresoxiwuvur.bin

You might scan these at Jotti - if they are infected, they could point you in the right direction....

Best Luck :)
PP
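Two of the odd items PP points at are classic persistence locations: the AppCertDlls key (any DLL listed there is loaded into every process that calls CreateProcess) and the LSA "Notification Packages" list (DLLs LSASS loads on password changes, which is why a password stealer wants to be in it). As an added example, not from this thread, here is a PowerShell check that lists both, resolves each DLL to its on-disk path and reports whether it exists, its hash and its Authenticode status. It assumes an elevated PowerShell 4 or later session on the machine being examined; the "Get-PersistenceDlls" name is my own.

```powershell
# Added example: enumerate two persistence locations seen in the thread's logs
# (AppCertDlls and LSA Notification Packages) and check each referenced DLL.
# Assumes elevated PowerShell 4+ on the affected machine.
function Get-PersistenceDlls {
    $results = @()
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # 1. AppCertDlls: each REG_SZ value under the key names one DLL path.
    $appCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
    if (Test-Path $appCertKey) {
        $props = Get-ItemProperty -Path $appCertKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            $results += [PSCustomObject]@{ Source = 'AppCertDlls'; Value = $p.Name; Path = [string]$p.Value }
        }
    }

    # 2. LSA Notification Packages: a REG_MULTI_SZ of DLL base names, loaded from System32.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction SilentlyContinue).'Notification Packages'
    foreach ($pkg in @($packages)) {
        if (-not $pkg) { continue }
        $name = if ($pkg -like '*.dll') { $pkg } else { "$pkg.dll" }
        $results += [PSCustomObject]@{ Source = 'LSA Notification Packages'; Value = $pkg; Path = (Join-Path $sys32 $name) }
    }

    # Enrich each entry with what is actually on disk.
    foreach ($r in $results) {
        $exists = Test-Path -LiteralPath $r.Path -PathType Leaf
        $r | Add-Member -NotePropertyName Exists -NotePropertyValue $exists
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $r.Path
            $r | Add-Member -NotePropertyName Signature -NotePropertyValue $sig.Status
            $r | Add-Member -NotePropertyName SHA256 -NotePropertyValue (Get-FileHash -Path $r.Path -Algorithm SHA256).Hash
        } else {
            $r | Add-Member -NotePropertyName Signature -NotePropertyValue 'n/a'
            $r | Add-Member -NotePropertyName SHA256 -NotePropertyValue 'n/a'
        }
    }
    return $results
}

# Usage: on a clean machine the LSA list is commonly just "scecli" (some builds
# add "rassfm") and AppCertDlls is usually absent. Anything else, or an entry
# that points at a missing or unsigned DLL, deserves a look.
Get-PersistenceDlls | Format-Table -AutoSize
```

Read the output the way PP reads the logs: an unfamiliar name next to scecli, or any AppCertDlls value at all, is the finding, and a referenced DLL that no longer exists is most likely a leftover from a removal that should still be cleaned out of the registry so nothing re-loads if the file returns. As with any check run on a machine that may carry a kernel rootkit, a clean report here rules nothing out on its own.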

PhilliePhan 171 Central Scrutinizer Team Colleague

windows installer would not let me remove the programs you instructed me to install....

I'm confused - did you mean "uninstall?"
If so, that's odd - those should go easily.

--- W/ regard to MBR, there are a number of easy ways to go about that.
Personally, I prefer recovery console, but it can also be done with GMER's mbr.exe

I am not so sure there was an active MBR rootkit since the scan did say "user & kernel MBR OK." Still, better safe than sorry.


Will check for the new logs when I get home.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague


Yes, have the Windows CD. Thx PP !

Recovery Console ought to just show as an option before Windows boots normally.

No worries - let's just go ahead and use the Windows CD.

Rather than me just confusing you, please follow the steps in this linky to fix the Master Boot Record.

Then, pick up at the new combofix step I posted previously and run from there and post the requested logs.

Let me know if you hit any turbulence along the way.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Also, to answer your previous question about the Zan Image Printer. I am not familiar with it so don't know that it is necessary. I clicked on the properties and it didn't have any info.

OK - You can probably safely delete that file. No worries.

-- You ought to now have the option to choose the Recovery Console on restart since you installed it when you ran combofix.

If still no joy, we'll use a different method to fix the Master Boot Record.

BTW - Do you have your Windows CD?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Are you able to post the requested scanlogs as per the linky below?

http://www.daniweb.com/forums/thread134865.html

Give that a try and hopefully one of our volunteers will be able to aid you in fixing this.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

If all else fails, you'll have to nuke the system and reinstall your OS.

Indeed - but let's remember that "all else" encompasses a whole lot of options and reinstalling OS is not always a practical option if the user does not have a copy of the OS.....

Frankly, I'd start by transferring MBAM to the ill compy via a flash drive or CD and running that.........

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Nathan,

Let's see if we can wrap this up, shall we?

-- Do you use or have you used Zan Image Printer?
I would like to see if this file is legit:
c:\windows\system32\winzvprt5.sys
Can you locate it and tell me if it belongs to Zan? (RightClick and look at properties.) You'll need to enable the viewing of hidden files to see it.


Here are the next cleaning steps:


FIRST:
-- Reboot your machine and select the option for the Recovery Console.
Once in Recovery Console, type fixmbr at the command prompt and hit ENTER.

REBOOT.

NEXT:
Remove the following via Add/Remove Programs:
Adobe Reader 7.0
MyWay Search Assistant

Then, download and install the updated and more secure Adobe Reader 9

THEN:
Please download JavaRa.zip to your Desktop and Extract it to its own folder.
-- Make sure ALL browsers are CLOSED.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish - I really don't need it, though.
-- Then, please go to http://www.java.com/en/ to download and install the latest version of Java.


THEN:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached …

Salem commented: Too much good work going unrecognised - always interesting and informative to read :) +19
PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Nathan,

That looks better, but there is still a bunch left to address.

I'll have to get back to you over the weekend with the rest of the cleaning steps. Please do not use the ill computer until I can post the next steps to avoid re-infection.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

yeah I tried that too.. it just didn't want to run.. so I booted the XP CD and tried a new setup.. and that seems to have worked.. but it required me to delete the partitions.. now upon start up it gives me the selection of three Windows XPs to choose from.. *shrugz* if I choose the 1st one it is working alright for what I wanted it for I guess.. . .
Thanks again for all your help DoubleP.. I sure do appreciate it..!!
*Hugz*

Happy to help!

That is odd, since you deleted the partitions before reinstalling.
I doubt it is a big deal - just a nuisance.

Let's have a quick look:
Click START > RUN > type cmd ENTER
At the prompt, type or copy&paste: TYPE Boot.ini > "%userprofile%\desktop\log.txt"

Log.txt should be on the Desktop - post that for me.

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Looks like you have a backdoor trojan that possibly has compromised any sensitive data on your machine. If you do online banking, etc..., you may want to monitor your accounts and change passwords via a clean computer.

--Please attach this file for me:
c:\windows\system32\fjhdyfhsn.bat

It's a baddie, so you can then delete it.


THEN:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Let me know if you run into any trouble along the way.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

It has taken a week of afternoons but I finally got my computer back online and have updated malwarebytes, will run scans and then post logs and hope that I can get everything back to normal. Disregard my request for info on "services list" at this time. Thanks for this forum !

Great - post the logs when you can.

Let us know if you run into any more problems along the way.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Would it do any good to delete the file by going through the process found at the following link (tells how to take control of a file and then you can delete it)? http://www.howtogeek.com/howto/windows-vista/how-to-delete-a-system-file-in-windows-vista/
Thx in advance for any assistance you might be able to offer.

Hi Nathan,

Sounds like you've got quite a mess going there.

-- Is System Restore an option? Do you have any viable Restore points?
What about "Last Known Good Configuration?"
If we can get your compy into a workable state, then we can move on from there.

-- Do you have a usb thumbdrive? External Hard Drive?

Let us know and we'll go from there.

PP:)