Another Google redirect virus prob, All steps completed


bbbfalcs

Same symptom as everyone else. No additional symptoms that I have noticed.

Programs didn't find anything noteworthy on my system.

Only some "Hot Bar" junk program that piggy-backed on the VideoLAN VLC converter I downloaded the other day. Got rid of that, though.


Something worth mentioning: when I try to load Windows in Safe Mode it goes to a blue screen for a split second and then reboots to the load screen. Never seen that happen before. I can choose to load up normally with no issues.
 

Attachments

  • hijackthis.log (9 KB)
Hi bbbfalcs,

Please download ESET and run it when you are done. Scan and see if it finds anything. Otherwise, you may have to wait for a more experienced member to help.
 
No offense, Anonymous, but I would prefer to stick to the program here and wait for my first instructions from a designated member.

nothing personal, and thank you for trying to get me started!
 
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC1.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC2-1.png]



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
 
Directly from the HijackThis team on the file following.
  • O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c =Q306&bd=pavilion&pf=laptop
This entry should be fixed if this address does not belong to your PC-manufacturer or your 'Internet-Service-Provider (ISP)'.

It says it's safe but has that description, so do what you feel is necessary. If you are associated with that address at all, I would say not to delete it. Otherwise, I would delete it. What was your homepage originally set to?
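Editor's note, added example (not part of any post, and not HijackThis's own code): the rule quoted above for O14 entries, turned into a check a reader could run over a HijackThis log. An O14 line records the default page Internet Explorer restores from IERESET.INF when "Reset Web Settings" is used, so the only question is whether the host in that URL belongs to the machine's OEM or ISP. The trusted-domain set is an assumption standing in for what the owner knows about their own machine (the OP's URL names an HP Pavilion); the sample log is constructed, with the space in the OP's query string removed and a second O14 line invented against a reserved example domain.

```python
import re
from urllib.parse import urlparse

# Matches "O14 - IERESET.INF: START_PAGE_URL=http://..." as HijackThis prints it.
O14_RE = re.compile(r"^O14 - IERESET\.INF: (?P<key>[A-Z_]+)=(?P<url>\S+)$")


def registrable_domain(host):
    """Last two labels of a hostname (hp.com from ie.redirect.hp.com).
    Deliberately naive: fine for .com/.net OEM and ISP domains, wrong for
    multi-part public suffixes such as co.uk, where a real tool would consult
    the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_o14(line, trusted_domains):
    """Apply the HijackThis team's rule: leave the entry if the URL's domain is
    the PC manufacturer's or the ISP's, otherwise mark it to be fixed.
    Returns None for lines that are not O14 entries."""
    m = O14_RE.match(line.strip())
    if m is None:
        return None
    host = urlparse(m.group("url")).hostname or ""
    domain = registrable_domain(host) if host else ""
    return {
        "key": m.group("key"),
        "host": host,
        "verdict": "leave" if domain in trusted_domains else "fix",
    }


# Assumed trust: the OP's entry points at hp.com, the OEM of an HP Pavilion.
TRUSTED = {"hp.com"}

# Constructed sample log: one unrelated line, the OP's entry, one invented entry.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O14 - IERESET.INF: SEARCH_PAGE_URL=http://go.searchredirect.example/?q=
"""


def review_log(text, trusted=TRUSTED):
    """Verdict for every O14 line in a HijackThis log, keyed by entry name."""
    results = {}
    for line in text.splitlines():
        r = classify_o14(line, trusted)
        if r is not None:
            results[r["key"]] = r
    return results


if __name__ == "__main__":
    for key, r in review_log(SAMPLE_LOG).items():
        print(f"{key}: host={r['host']} -> {r['verdict']}")
```

The verdict depends only on the registrable domain, which is what the quoted rule asks about; anything on the path or query string (the "redirect" in the OP's URL included) is irrelevant once the host is the OEM's.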
 
Thanks anonymous

replying so that the most recent reply is my own

hoping this will get a response more quickly

Although this process has been interesting, I have not felt safe using my computer for over 5 days now. Awfully frustrating.


Combofix logs are in my above post
 
Anonymous, please stop posting useless advice.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    [screenshot: gmer_zip.gif]

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
 
GMER failed to open properly on first try

Tried to restart in Safe Mode and cannot. Goes to a blue screen for less than a split second and then goes back to the F8/Safe Mode selection screen. Starts up in normal mode fine.

Ran GMER after restart. Ran through all the way OK on this second attempt. Log attached.

Restarted after saving the log and closing GMER and computer failed to start on initial attempt, went to the F8/Safe mode selection screen. Started in normal mode fine after.


Waiting for next move...
 

Attachments

  • GMER Log 11-28-09.log (1.2 KB)
new symptom:

when just browsing (this site mostly) using Firefox I am getting random additional tabs opening up. Even an additional window with multiple tabs opening


fun times
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *iastor.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
I don't mean to be a bugger, but tomorrow my work week begins again and it is going to be very distracting to still be dealing with this issue.

kritius has been very generous with his time, but is there a way to get more help on this tonight, possibly from another QUALIFIED member?!


thanks in advance
 
Copy the following into Notepad and save it as iastor.bat:

Code:
@echo off
copy C:\SWSETUP\HDD\iastor.sys c:\iastor.sys
del "%0"
exit


Double-click the batch file to run it.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Begin copying here:
Files to move:
c:\iastor.sys | C:\WINDOWS\system32\drivers\iaStor.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of The Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.


Then re-run GMER.
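Editor's note, added example (not part of any post, and not code from SystemLook, The Avenger or ComboFix): the reasoning behind the iastor.sys steps above (list every copy of the driver on disk, stage the OEM copy from C:\SWSETUP\HDD, put it over the copy Windows loads from system32\drivers) as a script a practitioner could run against an offline copy of the disk. It hashes every copy found, reports which ones differ from the reference copy, and after a replacement re-hashes the target to confirm the bytes actually landed, which is the check the Avenger logs further down show failing with STATUS_ACCESS_DENIED. The directory layout and file contents are constructed in a temporary folder; the thread's real paths are reused only as names, and nothing here touches a live system32.

```python
import fnmatch
import hashlib
import os
import shutil
import tempfile


def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so a large driver never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, pattern="*iastor.sys"):
    """Case-insensitive equivalent of SystemLook's ':filefind' over one tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def compare_to_reference(reference, candidates):
    """{path: (size, sha256, matches_reference)} for every candidate copy."""
    ref_hash = sha256_of(reference)
    report = {}
    for path in candidates:
        digest = sha256_of(path)
        report[path] = (os.path.getsize(path), digest, digest == ref_hash)
    return report


def replace_and_verify(reference, target):
    """Copy reference over target, then confirm the bytes actually landed.
    Returns True only if target now hashes identically to reference. A
    rootkit guarding the driver it lives in can make the copy fail outright
    (PermissionError here, STATUS_ACCESS_DENIED in the Avenger log) or hand
    the old bytes back on read; the re-hash catches the second case."""
    try:
        shutil.copyfile(reference, target)
    except PermissionError:
        return False
    return sha256_of(target) == sha256_of(reference)


def demo():
    """Constructed tree under a temp directory, mirroring the thread's paths:
    the OEM copy in SWSETUP\\HDD, a same-size but altered copy where Windows
    loads it from, and an untouched copy in dllcache."""
    root = tempfile.mkdtemp(prefix="iastor_demo_")
    clean = b"MZ" + b"\x00" * 62 + b"constructed clean driver body"
    altered = clean[:-8] + b"patched!"  # same length as clean, different bytes
    layout = {
        os.path.join("SWSETUP", "HDD", "iastor.sys"): clean,
        os.path.join("WINDOWS", "system32", "drivers", "iaStor.sys"): altered,
        os.path.join("WINDOWS", "system32", "dllcache", "iastor.sys"): clean,
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    reference = os.path.join(root, "SWSETUP", "HDD", "iastor.sys")
    installed = os.path.join(root, "WINDOWS", "system32", "drivers", "iaStor.sys")
    try:
        copies = find_copies(root)
        before = compare_to_reference(reference, copies)
        swap_ok = replace_and_verify(reference, installed)
        after = compare_to_reference(reference, copies)
    finally:
        shutil.rmtree(root)
    return {
        "copies_found": len(copies),
        "installed_matched_before": before[installed][2],
        "same_size_before": before[installed][0] == before[reference][0],
        "swap_ok": swap_ok,
        "installed_matched_after": after[installed][2],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the constructed tree the altered copy has exactly the same size as the clean one, which is why the report keys on the hash rather than on the size and date SystemLook prints; a listing alone cannot tell the two apart. The `replace_and_verify` step is the part the thread's tools skip: a copy that returns without error is not evidence that the driver on disk changed.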
 
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "c:\iastor.sys"
File move operation "c:\iastor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.
 
That didn't work.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Begin copying here:
Files to move:
C:\SWSETUP\HDD\iastor.sys | C:\WINDOWS\system32\drivers\iaStor.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of The Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log .
 
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "C:\SWSETUP\HDD\iastor.sys"
File move operation "C:\SWSETUP\HDD\iastor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.
 
Something that just occurred to me that might be useful, my downloads automatically go to the "Downloads" folder in My Documents.

I have been cutting and pasting the downloaded files to my desktop before running them.

Not sure if this could affect the results....


EDIT: Deleted the original downloads, restarted, re-downloaded directly to desktop, re-ran steps. Same results....




anticipating your next reply, and thank you for your diligence!
 
Nasty little git this.

1. Restart your computer.
2. Before Windows loads there will be a screen asking you to choose which Operating System to start.
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following entries and press 'Enter' after each (note the spaces):

cd \

copy c:\iastor.sys c:\windows\system32\drivers\


6. Type y to the prompt and press 'Enter'.
7. Type exit and press 'Enter'. Your computer should reboot.
 
Cannot boot into Windows Recovery

I get a blue screen that tells me that windows did not shut down properly or something of this nature.

At the bottom it said:

***STOP: 0x0000007B (0xF78D2524, 0xc0000034, 0x00000000, 0x00000000)
 