TechSpot

Another Google redirect virus prob, All steps completed

By bbbfalcs
Nov 23, 2009
  1. Same symptom as everyone else. No additional symptoms that I have noticed.

    Programs didn't find anything noteworthy on my system.

    Only some "Hot Bar" junk program that piggy-backed on the Videolan VLC convertor I downloaded the other day. Got rid of that though.


    Something worth mentioning is that I tried to load windows in Safe Mode it goes to blue screen for a SPLIT second and then reboots to the load screen. Never seen that happen before. I can choose to load up normally and no issues.
     

    Attached Files:

  2. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    Hi bbbfalcs,

    Please Download ESET and run it when you are done. Scan and see if it finds anything. Otherwise, you may have to wait for a more experienced member to help.
     
  3. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    No offense, Anonymous, but I would prefer to stick to the program here and wait for my first instructions from a designated member.

    Nothing personal, and thank you for trying to get me started!
     
  4. kritius

    kritius TS Guru Posts: 2,084

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    (screenshot not available)


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
     
  5. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    Combofix completed
     

    Attached Files:

  6. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    Oh and problem persists
     
  7. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    Directly from the HijackThis team on the file following.
    • O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c =Q306&bd=pavilion&pf=laptop
    It says it's safe but has that description, so do what you feel is necessary. If you are in association with that address at all, I would say not to delete it. Otherwise, I would delete. What was your homepage originally set at?
     
  8. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    Thanks anonymous

    replying so that the most recent reply is my own

    hoping this will get a response more quickly

    Although this process has been interesting, I have not felt safe using my computer for over 5 days now. Awfully frustrating.


    Combofix logs are in my above post
     
  9. kritius

    kritius TS Guru Posts: 2,084

    Anonymous, please stop posting useless advice.

    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.
    -- If you encounter any problems, try running GMER in Safe Mode.
     
  10. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    GMER failed to open properly on first try

    Tried to restart in Safe Mode and cannot. Goes to blue screen for less than a split second and then goes back to the F8/Safe Mode selection screen. Starts up in normal mode fine.

    Ran GMER after restart. Ran through all the way OK on this second attempt. Log attached.

    Restarted after saving the log and closing GMER and computer failed to start on initial attempt, went to the F8/Safe mode selection screen. Started in normal mode fine after.


    Waiting for next move...
     

    Attached Files:

  11. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    new symptom:

    when just browsing (this site mostly) using Firefox I am getting random additional tabs opening up. Even an additional window with multiple tabs opening


    fun times
     
  12. kritius

    kritius TS Guru Posts: 2,084

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *iastor.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  13. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    Log attached
     
  14. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    I don't mean to be a bugger, but tomorrow my work week begins again and it is going to be very distracting to be still dealing with this issue.

    kritius has been very generous with his time, but is there a way to get more help on this tonight, possibly from another QUALIFIED member?!


    thanks in advance
     
  15. kritius

    kritius TS Guru Posts: 2,084

    Copy the following into Notepad and save it as iastor.bat,


    Double click the batch file to run it.

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Begin copying here:
    Files to move:
    c:\iastor.sys | C:\WINDOWS\system32\drivers\iaStor.sys

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.


    Then re-run GMER again.
     
  16. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: could not move file "c:\iastor.sys"
    File move operation "c:\iastor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)


    Completed script processing.

    *******************

    Finished! Terminate.
     
  17. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    GMER run after
     
  18. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    Thought this might be worth a look...
     
  19. stellarPCserv

    stellarPCserv TS Rookie

    You need to run an antivirus program off a boot disk; if Windows is running during any scan it will just come back.
     
  20. kritius

    kritius TS Guru Posts: 2,084

    That didn't work.

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Begin copying here:
    Files to move:
    C:\SWSETUP\HDD\iastor.sys | C:\WINDOWS\system32\drivers\iaStor.sys

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log.
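The steps above (SystemLook's `:filefind *iastor.sys` in post 12, then replacing the live driver with the vendor's backup copy from C:\SWSETUP\HDD) amount to one check: find every copy of the driver on the disk and see whether the one in system32\drivers still matches the clean backup. The following script is an added example, not code from the thread or from any of the tools it mentions; it builds a constructed directory tree that mimics the two paths from the thread, hashes every file named iastor.sys (case-insensitively, as NTFS would match), and reports the copies that differ from the reference backup. It is meant to be run read-only against a mounted or offline image.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large drivers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(root, name):
    """Return {path: sha256} for every file under root whose name matches
    case-insensitively. This mirrors SystemLook's ':filefind *iastor.sys'
    step, but also records a hash for each hit."""
    return {
        str(p): sha256_of(p)
        for p in Path(root).rglob("*")
        if p.is_file() and p.name.lower() == name.lower()
    }


def flag_mismatches(copies, reference):
    """Return the paths whose contents differ from the trusted reference copy
    (here the vendor backup). A mismatching live driver is the signal the
    thread is chasing; it says nothing about which bytes changed."""
    ref_hash = copies[str(reference)]
    return sorted(p for p, h in copies.items() if h != ref_hash)


def build_demo_tree():
    """Constructed sample tree: a clean vendor backup and a modified live
    driver. The byte contents are placeholders, not real driver images."""
    root = Path(tempfile.mkdtemp())
    backup = root / "SWSETUP" / "HDD" / "iastor.sys"
    live = root / "WINDOWS" / "system32" / "drivers" / "iaStor.sys"
    for path in (backup, live):
        path.parent.mkdir(parents=True, exist_ok=True)
    backup.write_bytes(b"CLEAN-DRIVER-IMAGE")            # constructed
    live.write_bytes(b"CLEAN-DRIVER-IMAGE" + b"\x90" * 16)  # constructed: altered copy
    return root, backup, live


if __name__ == "__main__":
    root, backup, live = build_demo_tree()
    copies = find_copies(root, "iastor.sys")
    for path, digest in sorted(copies.items()):
        print(digest[:16], path)
    print("differs from backup:", flag_mismatches(copies, backup))
```

Against a real image, point `find_copies` at the mounted volume root and pass the vendor backup path as `reference`; a mismatch on the system32 copy is what the Avenger/Recovery Console steps in this thread are trying to repair.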
     
  21. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: could not move file "C:\SWSETUP\HDD\iastor.sys"
    File move operation "C:\SWSETUP\HDD\iastor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)


    Completed script processing.

    *******************

    Finished! Terminate.
     
  22. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    Not sure what an OTL log is but a quick search suggested it was the same as a Hijack log...
     
  23. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    Something that just occurred to me that might be useful, my downloads automatically go to the "Downloads" folder in My Documents.

    I have been cutting and pasting the downloaded files to my desktop before running them.

    Not sure if this could affect the results....


    EDIT: Deleted the original downloads, restarted, re-downloaded directly to desktop, re-ran steps. Same results....




    anticipating your next reply, and thank you for your diligence!
     
  24. kritius

    kritius TS Guru Posts: 2,084

    Nasty little git this.

    1. Restart your computer.
    2. Before Windows loads there will be a screen asking you to choose which Operating System to start.
    3. Use the up and down arrow key to select Microsoft Windows Recovery Console
    4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
    5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):

    cd \

    copy c:\iastor.sys c:\windows\system32\drivers\


    6. Type y to the prompt and press 'Enter'.
    7. Type exit and press 'Enter'. Your computer should reboot.
     
  25. bbbfalcs

    bbbfalcs TS Rookie Topic Starter Posts: 34

    Cannot boot into Windows Recovery

    I get a blue screen that tells me that Windows did not shut down properly, or something of this nature.

    At the bottom it said:

    ***STOP: 0x0000007B (0xF78D2524, 0xc0000034, 0x00000000, 0x00000000)
     
Topic Status:
Not open for further replies.
