
Malware causing browser hijack [Solved]


This topic is locked.

#1 HelBel65 (Member, 34 posts)
Hi all

I have a reasonable amount of experience at dealing with this kind of problem and have usually managed to sort it out on my own but this one has defeated me so your help would be greatly appreciated.

I have run SpyBot, Adaware, SAS, AVG and MBAM. They all found stuff and removed it, and are all reporting no infection now. Housecall crashes the system completely while loading and ComboFix crashes the system before it can even complete the very 1st progress bar. I went to your Malware Cleaning Guide page and have done everything there, and am about to attach those logs. I had one serious problem which was that GMER crashes when it reaches the very first file of the scan, at least 10 or 15 mins into the scan. It crashes at iaStor.sys and the comment is 'suspicious modification'. This crash has now happened 3 times at exactly the same moment, so I have to do a hard reboot. So I have no log from GMER, but I could set it to do a scan and uncheck Files on the right hand menu to try to stop it getting to that point if it would help. You could then at least see what the scan found up to that point.

I looked up iaStor.sys and it seems to be something to do with Intel drivers but this PC has been working fine for years, and there is certainly something infecting it. The browser hijacks are happening randomly, usually after clicking on a Google search link, and taking me to a host of different sites, none of which seem that dodgy (smartbizsearch is a regular treat) and similar. Taking ages to load a webpage is common, as are full system crashes. Lost count of the number of hard reboots I've done in the past few days.

That's as much info as I can think of for now. Here are the 3 logs from OTL and MBAM.

Many thanks for your help.

Helen

Attached Files: OTL.Txt (129.9KB, 226 downloads), mbam_log_2009_12_18__23_16_08_.txt (868 bytes, 194 downloads), Extras.Txt (60.88KB, 381 downloads)


#2 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

Do you have the Recovery Console Installed? If not, you will need your installation disk, or you will need to follow these directions on how to install the recovery console as we need to use it to replace that infected IASTOR.SYS file:

http://www.bleepingc...utorial117.html

Once you have the Recovery Console installed, please do the following:



  • Go to Start->Run and type in notepad and hit OK.
  • Then copy and paste the content of the following codebox into Notepad:

    @echo off
    copy /y C:\I386\IASTOR.SYS c:\
    del %0
  • Save the file to your DESKTOP as "fix.bat". Make sure to save it with the quotes.
  • Once saved, the icon to click should look like this on your desktop:
  • Double click fix.bat to run it. A small black box should open and close - this is normal.


NEXT


Print out these instructions to use while in the Recovery Console:
  • Restart your computer.
  • Before Windows loads, you will be prompted to choose which Operating System to start.
  • Use the up and down arrow key to select Microsoft Windows Recovery Console
  • You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
  • At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):

    cd c:\windows\system32\drivers
    ren iastor.sys iastor.old
    copy c:\iastor.sys c:\windows\system32\drivers
    exit


    You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.
    (If you do not see '1 file copied' on the screen, even after ensuring the commands are correct, rename the file back to its original name by typing the following command, then hitting Enter:
    ren iastor.old iastor.sys
    You should NOT be prompted to overwrite an existing file, but if you are, select No, then type exit to restart and notify me of your results.)

  • Type exit and press 'Enter'. Your computer should reboot. Boot into Normal mode.


Then try and run the GMER program again.

Try running it in safe mode.

#3 HelBel65 (Topic Starter, Member, 34 posts)
Hi and thanks so much for your reply.

Having eventually managed to install the Recovery Console (no XP cd - working it out was an adventure in itself!), it starts ok and then I get the dreaded blue screen.

Here is the technical info in case it is relevant

0x0000007B (0xF7CAF524, 0xC0000034, 0x00000000, 0x00000000)

I ran Chkdsk as it suggested, it didn't seem to find anything.

Such a shame, I was so excited to get RC installed and to try your solution!

Any other ways of repairing the iaStor.sys file?

Thanks

Helen

Incidentally, the computer is working fairly normally apart from the irritating redirects, which seem to be Google-related, i.e. if I type the same web address into the address bar, I seem to get to the site OK. Having said that, web pages still hang for ages... so all is not well by any means...

#4 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

try this:

Download ComboFix from HERE

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


#5 HelBel65 (Topic Starter, Member, 34 posts)
Thank you again.

I tried the beta of ComboFix before I first posted here, and it crashed my system as it was trying to load. However I will try it again after my machine finishes its current full version of Chkdsk.

Will post back.

Helen

#6 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

Try running ComboFix in safe mode

you have a disk controller hijacker - chkdsk will not accomplish anything.

If we can't get ComboFix to run in safe mode, we can try another tool that has had some success, but this is a very difficult infection to deal with.

#7 HelBel65 (Topic Starter, Member, 34 posts)
Hi

Not good news. I can't boot up into Safe Mode. Blue Screen.

PAGE_FAULT_IN_NONPAGED_AREA

Is it nearly time to give up?

Helen :)

#8 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hmm,

Let's give this tool a try:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


If that doesn't work,

make yourself a Hiren's Boot CD


Please download the Hiren's BootCD v10.0 + Keyboard Patch iso image from the following link, then extract the contents to a folder of its own.

http://www.hirensbootcd.net/

Next download and install the ISO Recorder version for your operating system (the operating system used to burn the cd).

Once ISO Recorder is installed, insert a blank cd then right click the Hiren'sBootCD.iso file in the Hiren's folder.
Select Copy Image to CD from the right click context menu.
Leave all settings to default in the CD Recording Wizard that opens and burn the disc.
When complete, insert the cd into your computer and restart.
You should be presented with a boot menu.
Select Start Mini Windows XP

Let me know if successful.

#9 HelBel65 (Topic Starter, Member, 34 posts)
I have a good feeling about this!

TDSSKiller ran fine and here is the log attached - it seems to have repaired the iaStor.sys file and (fingers crossed) things seem back to normal...is it that easy though? Should I now try to do the GMER scan again?

Thank you!

Helen

Attached Files



#10 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Let's see what has been changed by TDSSKiller first:

Please do the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *iastor*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


#11 HelBel65 (Topic Starter, Member, 34 posts)
Here it is, together with the log from ComboFix which is now working fine...
How does it look to you?
Helen :)

Attached Files



#12 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

Please do the following:

Go to Start > Run type cmd press OK

a command window will open.

copy/paste the following into the command window:


rem set the current driver aside and put the pristine copy from I386 in its place
ren C:\WINDOWS\SYSTEM32\DRIVERS\iastor.sys iastor.old
copy /y C:\I386\IASTOR.SYS C:\WINDOWS\SYSTEM32\DRIVERS
dir C:\WINDOWS\SYSTEM32\DRIVERS\iastor*>log.txt
rem /f overwrites the existing imagepath value without a Yes/No prompt
reg add HKLM\SYSTEM\CurrentControlSet\Services\iastor /v imagepath /t REG_EXPAND_SZ /d system32\drivers\iastor.sys /f
reg query HKLM\SYSTEM\CurrentControlSet\Services\iastor /v imagepath >>log.txt
start notepad log.txt


Hit enter:

Please post the content of log.txt in your next reply.

#13 HelBel65 (Topic Starter, Member, 34 posts)
Here it is:

Volume in drive C has no label.
Volume Serial Number is A017-9C1C

Directory of C:\WINDOWS\SYSTEM32\DRIVERS

20/12/2009 01:04 477,952 iastor.old
29/06/2004 10:17 477,952 IASTOR.SYS
2 File(s) 955,904 bytes
0 Dir(s) 239,571,206,144 bytes free

Helen
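The listing above shows iastor.old and IASTOR.SYS at exactly the same size (477,952 bytes). That is what an in-place modification of a driver looks like: the size survives and the timestamp may too, so a `dir` listing cannot tell a tampered driver from a clean one. The Python script below is an added example, not code from this thread or from any of the tools it mentions; it shows the comparison a defender would rely on instead. It parses a `dir` listing of the shape posted above to find files that share a size, then compares two driver images byte-for-byte and by SHA-256. The driver contents are constructed sample bytes standing in for the installed driver and the C:\I386 copy (they are not real iaStor.sys images), and the function names are my own.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# A dir listing in the shape posted in this thread (constructed from the post
# above; only the two driver lines matter here).
DIR_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is A017-9C1C

 Directory of C:\\WINDOWS\\SYSTEM32\\DRIVERS

20/12/2009  01:04           477,952 iastor.old
29/06/2004  10:17           477,952 IASTOR.SYS
               2 File(s)        955,904 bytes
               0 Dir(s)  239,571,206,144 bytes free
"""

# Matches the "dd/mm/yyyy  hh:mm  size  name" file lines of a dir listing.
_DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+([\d,]+)\s+(\S+)$"
)


def parse_dir_listing(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (date, time, size_in_bytes, name) for each file line."""
    entries = []
    for line in text.splitlines():
        m = _DIR_LINE.match(line.strip())
        if m:
            date, time, size, name = m.groups()
            entries.append((date, time, int(size.replace(",", "")), name))
    return entries


def same_size_groups(entries: List[Tuple[str, str, int, str]]) -> List[List[str]]:
    """Groups of file names that share a size: size alone proves nothing,
    so these are the candidates that need a content comparison."""
    by_size: Dict[int, List[str]] = {}
    for _, _, size, name in entries:
        by_size.setdefault(size, []).append(name)
    return [names for names in by_size.values() if len(names) >= 2]


def compare_driver_images(installed: bytes, pristine: bytes) -> Dict[str, object]:
    """Compare a driver taken from system32\\drivers with a known-good copy.

    Returns whether the sizes match, the SHA-256 of each image, whether the
    hashes match, and the offset of the first differing byte (None when the
    images are identical). Only the hash/byte comparison is conclusive.
    """
    h_installed = hashlib.sha256(installed).hexdigest()
    h_pristine = hashlib.sha256(pristine).hexdigest()
    first_diff: Optional[int] = None
    for i, (a, b) in enumerate(zip(installed, pristine)):
        if a != b:
            first_diff = i
            break
    if first_diff is None and len(installed) != len(pristine):
        first_diff = min(len(installed), len(pristine))
    return {
        "size_match": len(installed) == len(pristine),
        "sha256_installed": h_installed,
        "sha256_pristine": h_pristine,
        "hash_match": h_installed == h_pristine,
        "first_difference": first_diff,
    }


# Constructed sample images: PRISTINE_IMAGE stands in for C:\I386\IASTOR.SYS,
# and PATCHED_IMAGE is the same bytes with a 16-byte region overwritten, which
# imitates an in-place modification that leaves the file size unchanged.
PRISTINE_IMAGE = bytes(range(256)) * 4  # 1024 bytes
PATCHED_IMAGE = PRISTINE_IMAGE[:512] + b"\x90" * 16 + PRISTINE_IMAGE[528:]


def demo() -> Dict[str, object]:
    """Run both checks on the constructed data and return one report."""
    report = compare_driver_images(PATCHED_IMAGE, PRISTINE_IMAGE)
    report["same_size_groups"] = same_size_groups(parse_dir_listing(DIR_LISTING))
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine the two `bytes` arguments would be read from the driver in system32\drivers and from the C:\I386 copy (or from installation media); the point of the example is that the sample report shows `size_match` true and `hash_match` false at the same time, which is exactly the case a size-and-date listing misses.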

#14 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

Please run the GMER scan and post the log:

I will give you the download and directions again in case it was deleted.

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



Also please advise how your computer is running now and if there are any outstanding issues. Are you able to boot into safe mode now? Are there any redirects?

Edited by CatByte, 20 December 2009 - 07:18 AM.


#15 HelBel65 (Topic Starter, Member, 34 posts)
Hi

It's a mixed picture now.

On the bright side

There have been no redirects and no more endless waiting for hanging web pages
Boot up happens in normal time (took up to 20 mins before and sometimes stopped before Windows was fully loaded)
I can get into Safe Mode

On the less bright side

I can't get into Recovery Console (blue screen after it tries to load)
The GMER scan has just resulted in a blue screen (it was somewhere in Documents and Settings when this happened I think)

Technical info on the blue screen says

win32k.sys - Address BF80173D base at BF800000, Datestamp 4a8564c7

Any thoughts?

Thanks

Helen





